|
1 | 1 | # Coprocessor |
2 | 2 |
|
3 | | -The coprocessor is the compute engine of FHEVM, designed to handle resource-intensive homomorphic operations. |
| 3 | +The Coprocessor is the FHEVM protocol’s off-chain computation engine. It performs the heavy cryptographic |
| 4 | +operations—specifically, fully homomorphic encryption (FHE) computations—on behalf of smart contracts that operate on |
| 5 | +encrypted data. Acting as a decentralized compute layer, the coprocessor bridges symbolic on-chain logic with real-world |
| 6 | +encrypted execution. |
4 | 7 |
|
5 | | -### **Key functions**: |
| 8 | +It works in tandem with the Gateway, verifying encrypted inputs, executing FHE instructions, and maintaining |
| 9 | +synchronization of access permissions. |
6 | 10 |
|
7 | | -1. **Execution**: Performs encrypted operations (e.g., _add_, _mul_) on ciphertexts using the evaluation key. |
8 | | -2. **Ciphertext management**: Stores and retrieves ciphertexts securely in an off-chain database. Only handles are |
9 | | - returned on-chain. |
| 11 | +## What is the Coprocessor? |
10 | 12 |
|
11 | | -## **Computation** |
| 13 | +The Coprocessor is an off-chain service that: |
12 | 14 |
|
13 | | -Encrypted computations are performed using the **evaluation key** on the coprocessor. |
| 15 | +- Listens to events emitted by host chains and the Gateway. |
| 16 | +- Executes FHE computations (`add`, `mul`, `div`, `cmp`, etc.) on ciphertexts. |
| 17 | +- Validates encrypted inputs and ZK proofs of correctness. |
| 18 | +- Maintains and updates a replica of the host chain’s Access Control Lists (ACLs). |
| 19 | +- Stores and serves encrypted data for decryption or bridging. |
14 | 20 |
|
15 | | -- **How it works**: |
16 | | - 1. The smart contract emits FHE operation events as symbolic instructions. |
17 | | - 2. These events are picked up by the coprocessor, which evaluates each operation individually using the evaluation |
18 | | - key, without ever decrypting the data. |
19 | | - 3. The resulting ciphertext is persisted in the coprocessor database, while only a handle is returned on-chain. |
20 | | -- **Data flow**: |
21 | | - - **Source**: Blockchain smart contracts (via symbolic execution). |
22 | | - - **Processing**: Coprocessor (using the evaluation key). |
23 | | - - **Destination**: Blockchain (updated ciphertexts). |
| 21 | +Each coprocessor independently executes tasks and publishes verifiable results, enabling a publicly auditable and |
| 22 | +horizontally scalable confidential compute infrastructure . |
24 | 23 |
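Review bot: The removed "How it works" steps and the old "Key functions" list were the only places stating that the coprocessor evaluates operations with the evaluation key "without ever decrypting the data" and that only handles are returned on-chain; none of the added lines restates either point. Readers of the new "Security and Trust Assumptions" section will want to know what a coprocessor can and cannot see, so suggest keeping one sentence to that effect under "What is the Coprocessor?" or "FHE Computation Execution". Minor: new line 22 has a stray space before the period ("infrastructure ."), which looks like a stripped citation marker.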
|
25 | | -<figure><img src="../.gitbook/assets/computation.png" alt="computation"><figcaption></figcaption></figure> |
| 24 | +## Responsibilities of the Coprocessor |
| 25 | + |
| 26 | +### Encrypted Input Verification |
| 27 | + |
| 28 | +When users submit encrypted values to the Gateway, each coprocessor: |
| 29 | + |
| 30 | +- Verifies the associated Zero-Knowledge Proof of Knowledge (ZKPoK). |
| 31 | +- Extracts and unpacks individual ciphertexts from a packed submission. |
| 32 | +- Stores the ciphertexts under derived handles. |
| 33 | +- Signs the verified handles, embedding user and contract metadata. |
| 34 | +- Sends the signed data back to the Gateway for consensus. |
| 35 | + |
| 36 | +This ensures only valid, well-formed encrypted values enter the system . |
| 37 | + |
| 38 | +### FHE Computation Execution |
| 39 | + |
| 40 | +When a smart contract executes a function over encrypted values, the on-chain logic emits symbolic computation events. |
| 41 | +Each coprocessor: |
| 42 | + |
| 43 | +- Reads these events from the host chain node it runs. |
| 44 | +- Fetches associated ciphertexts from its storage. |
| 45 | +- Executes the required FHE operations using the TFHE-rs library (e.g., add, mul, select). |
| 46 | +- Stores the resulting ciphertext under a deterministically derived handle. |
| 47 | +- Optionally publishes a commitment (digest) of the ciphertext to the Gateway for verifiability. |
| 48 | + |
| 49 | +This offloads expensive computation from the host chain while maintaining full determinism and auditability . |
| 50 | + |
| 51 | +### ACL Replication |
| 52 | + |
| 53 | +Coprocessors replicate the Access Control List (ACL) logic from host contracts. They: |
| 54 | + |
| 55 | +- Listen to Allowed and AllowedForDecryption events. |
| 56 | +- Push updates to the Gateway. |
| 57 | + |
| 58 | +This ensures decentralized enforcement of access rights, enabling proper handling of decryptions, bridges, and contract |
| 59 | +interactions . |
| 60 | + |
| 61 | +### Ciphertext Commitment |
| 62 | + |
| 63 | +To ensure verifiability and mitigate misbehavior, each coprocessor: |
| 64 | + |
| 65 | +- Commits to ciphertext digests (via hash) when processing Allowed events. |
| 66 | +- Publishes these commitments to the Gateway. |
| 67 | +- Enables external verification of FHE computations. |
| 68 | + |
| 69 | +This is essential for fraud-proof mechanisms and eventual slashing of malicious or faulty operators . |
| 70 | + |
| 71 | +### Bridging & Decryption Support |
| 72 | + |
| 73 | +Coprocessors assist in: |
| 74 | + |
| 75 | +- Bridging encrypted values between host chains by generating new handles and signatures. |
| 76 | +- Preparing ciphertexts for public and user decryption using operations like Switch-n-Squash to normalize ciphertexts |
| 77 | + for the KMS. |
| 78 | + |
| 79 | +These roles help maintain cross-chain interoperability and enable privacy-preserving data access for users and smart |
| 80 | +contracts . |
| 81 | + |
| 82 | +## Security and Trust Assumptions |
| 83 | + |
| 84 | +Coprocessors are designed to be minimally trusted and publicly verifiable. Every FHE computation or input verification |
| 85 | +they perform is accompanied by a cryptographic commitment (hash digest) and a signature, allowing anyone to |
| 86 | +independently verify correctness. |
| 87 | + |
| 88 | +The protocol relies on a majority-honest assumption: as long as more than 50% of coprocessors are honest, results are |
| 89 | +valid. The Gateway aggregates responses and accepts outputs only when a majority consensus is reached. |
| 90 | + |
| 91 | +To enforce honest behavior, coprocessors must stake $ZAMA tokens and are subject to slashing if caught |
| 92 | +misbehaving—either through automated checks or governance-based fraud proofs. |
| 93 | + |
| 94 | +This model ensures correctness through transparency, resilience through decentralization, and integrity through economic |
| 95 | +incentives. |
| 96 | + |
| 97 | +## Architecture & Scalability |
| 98 | + |
| 99 | +The coprocessor architecture includes: |
| 100 | + |
| 101 | +- Event listeners for host chains and the Gateway |
| 102 | +- A task queue for FHE and ACL update jobs |
| 103 | +- Worker threads that process tasks in parallel |
| 104 | +- A public storage layer (e.g., S3) for ciphertext availability |
| 105 | + |
| 106 | +This modular setup supports horizontal scaling: adding more workers or machines increases throughput. Symbolic |
| 107 | +computation and delayed execution also ensure low gas costs on-chain . |
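Review bot: The commitment wording is inconsistent across the added sections: new line 47 says a coprocessor "Optionally publishes a commitment (digest)", new line 65 ties commitments to processing Allowed events, and new lines 84-86 say "Every FHE computation or input verification" is accompanied by a commitment and a signature. Suggest stating once when a commitment is mandatory and wording the trust section to match. In the same section, the "more than 50% of coprocessors are honest" sentence should also say what the Gateway does when no majority is reached. Minor: the event names on new line 55 and the operations on new line 45 are not in backticks although new line 16 uses them, and several added sentences end with " ." (new lines 36, 49, 59, 69, 80, 107).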