How We Are Bringing ZK Verification to the Nervos Network

If you grew up in Eastern Europe like I did, you probably have a vivid memory of your grandmother’s living room. Specifically, that one glass cabinet where she kept the "good", only for guests porcelain and, inevitably, a set of Matryoshka dolls.
‍

You know the ones. The wooden Russian nesting dolls. As a kid, you were only allowed to play with them on special occasions. There was something deeply satisfying about opening the big doll to find a smaller one, and then a smaller one, all the way down to that tiny, solid piece of wood in the center.
‍

Recently, our R&D team at LimeChain got to play with that concept again. But instead of painted wood, we were working with virtual machines.
‍

The Nervos Fоundation engaged us to answer a complex question: Is it possible to build a Zero-Knowledge Virtual Machine (zkVM) solution for block verification on Nervos’ blockchain the Common Knowledge Base (CKB)? And if so, how do we actually do it?
‍

Here is the story of how we found the answer by nesting one machine inside another.

‍

The Promise: Two Machines, One Language

‍

Nervos (CKB) stands apart in the blockchain landscape. It is a network with architectural similarities to Bitcoin, based on the UTXO model, but it extends this foundation with smart contract capabilities implemented as scripts. While Ethereum relies on the EVM—a virtual machine custom-built for the chain—Nervos is built on RISC-V, the same open-standard architecture that powers physical hardware. This alignment makes CKB inherently efficient and flexible, allowing it to execute complex logic without relying on precompiles (hardcoded shortcuts) common in other systems. If you’re new to precompilers, I recommend checking out Nervos article: What are Precompiles in Blockchain Technology?

‍

The Goal

‍

Our goal was to figure out how to generate Zero-Knowledge proofs for CKB blocks. If we could do this, we could prove that a block is valid without everyone needing to re-run the transactions.

‍

The Search for the Right Tool

‍

Our journey began by looking at the Reth Succinct Processor (RSP) for inspiration. RSP proves Ethereum blocks using a zkVM, and we wanted to see if we could structure a similar solution for CKB.
‍

We evaluated two leading contenders: RISC Zero and SP1. While RISC Zero is a robust platform, we hit a wall: it lacked native 64-bit support. CKB is a 64-bit RISC-V interpreter, so that was a dealbreaker.
‍

That led us to SP1 Hypercube, the latest iteration of Succinct's zkVM. It supports 64-bit RISC-V architecture and has even been formally verified by the Nethermind Security team.

‍

The Hypothesis: Native Execution

‍

Can we leverage this shared DNA to prove CKB blocks directly inside SP1?
‍

Practically, this meant checking if CKB scripts could run natively within SP1. Think of it this way: EVM contracts are written in a 'foreign language' to the hardware, requiring translation. CKB scripts, however, are compiled directly to RISC-V—the exact language SP1 speaks.
‍

If this worked, we could bypass emulation entirely. We envisioned a scenario where CKB scripts executed natively inside SP1, achieving near-native performance without the overhead.

‍

The "Dialect" Problem
‍

As is often the case in engineering, the devil was in the details. If there are any "vibe coders" reading this, write this down: you cannot simply vibe your way through a missing instruction set extension, no matter how immaculate the architectural synergy feels.
‍

‍

The Instruction Set Mismatch
‍

CKB relies on Bit Manipulation (B) and Compressed Instructions (C) extensions for efficiency. SP1, however, currently only supports the base Integer (I) and Multiplication (M) sets.
‍

All supported instructions in SP1 are executed directly at the circuit level, which is a key reason for its fast proof-generation performance. However, the absence of the B and C extensions in SP1 creates a fundamental incompatibility. When encountering an unsupported instruction, the proving process fails because the circuit cannot resolve unknown instructions.
‍

Since we don’t want to go into modifying the circuit-level behaviour of SP1 (for example, by adding trap handlers or emulation logic for missing instructions), these discrepancies must be addressed at the software level. We considered 'expanding' the incompatible 16-bit instructions into 32-bit ones that SP1 could understand. But here is the catch: changing the instructions changes the binary. Changing the binary changes the transaction hash. And in a blockchain, if the hash changes, the consensus breaks. It was a dead end.

‍
‍

System-Level Conflicts
‍

Beyond instruction set mismatches, we encountered three major system-level conflicts:
‍

• The ecal Conflict: CKB uses the ecall instruction to load cells (data storage), but SP1 reserves this exact instruction for internal tasks like reading stdin. Resolving this would require rewiring SP1's core behavior, undermining the goal of seamless integration.
  ‍
• Memory Management: A CKB script expects to own the entire memory space starting at address 0x0. However, when executed inside SP1, the script is forced to share memory with the host environment (including the host stack), potentially leading to immediate crashes.
  ‍
• The "Closed System" Limit: CKB scripts access blockchain state via syscall interfaces. SP1 operates as a closed system with no native way to fetch external data during execution. To fix this, we would need to supply all data upfront and build custom cryptographic 'chips' to mock CKB syscalls—a massive engineering overhead.
  ‍

Taken together, these limitations prevent CKB scripts from being executed natively within SP1 to achieve performance gains, unless the CKB or SP1 codebases are significantly modified or adapted to accommodate these differences.
‍

‍

The Matryoshka Solution: VM-in-VM

‍

This is where the nesting dolls came back to me.
‍

If the "outer doll" (SP1) couldn't understand the tiny doll (the CKB script) directly, maybe we needed a middle doll to translate.
‍

We looked at how the Ethereum ecosystem handles this. We studied the RSP (Reth Succinct Processor) implementation. Instead of trying to make the zkVM understand smart contracts directly, they compiled the entire execution engine (reth) into RISC-V and ran that inside the zkVM. Because SP1 provides circuit-level implementations for most EVM cryptographic primitives, a large portion of execution happens directly in the circuit, significantly reducing proof-generation time.
‍

We applied this same logic to Nervos. We took the ckb-vm crate (the actual CKB interpreter) and compiled it to run inside SP1. This solves the dialect problem instantly. The ckb-vm (our Middle Doll) executes the script, presenting simple instructions that SP1 (the Outer Doll) can prove.
‍

The resulting architecture effectively runs an interpreter (ckb-vm) inside another interpreter (SP1). Instead of executing RISC-V scripts natively, transactions and their associated scripts are emulated. Consequently, block validation is performed as a sequence of RISC-V instructions interpreted by the zkVM. By definition, emulating CKB in this way cannot match the performance of native RISC-V execution, but it works out of the box and allows all required logic for CKB block verification to be expressed and proven inside the zkVM.
‍

Here is the "nesting" in action:
‍

1. The Outer Doll: SP1 (The zkVM platform).
   ‍
2. The Middle Doll: CKB-VM (The interpreter, running as a program inside SP1).
   ‍
3. The Inner Doll: The CKB Script (The actual script validation logic being executed by the CKB-VM).
   ‍

Side note: While this VM-in-VM approach successfully proved the concept, Nervos’ work  has since advanced. The team has now moved toward directly targeting CKB to the RV64IM instruction set, bypassing the emulation overhead to achieve much better efficiency.

‍

Why Does This Matter?
‍

You might be asking, "That’s a cool engineering trick, but what does it actually do for the network?".
‍

This research opens the door to three major possibilities:
‍

• Fully Verifying Light Clients: Right now, if you want to be 100% sure of the state of a blockchain, you usually have to run a full node, which requires serious hardware and storage.
  
  Now, to be fair, CKB nodes are famously lightweight. The Nervos team shared that there is even a developer running one on a tiny 4GB Arduino board.
  
  With this zkVM implementation, a light client (like a mobile wallet) could receive a tiny cryptographic proof that says, "This block and all its transactions are valid." Your phone doesn't need to do the heavy mathematical lifting of re-executing the entire transaction history; it simply verifies the lightweight proof.
  ‍

• Trustless Bridges: This lays the groundwork for generating proofs of CKB state that other blockchains can verify mathematically. This eliminates the need to rely on a trusted set of validators or multisigs when moving assets between chains.
  ‍
  ‍
• Extending the Common Knowledge Base: Nervos is called the "Common Knowledge Base." By proving CKB inside a zero-knowledge environment, we are essentially extending that common knowledge into new domains. A great example of this is RGB++, a system that verifies Bitcoin transactions on CKB. If we can generate ZK proofs of CKB's state, networks like Ethereum could theoretically verify Bitcoin (or Litecoin) transactions through CKB.
  ‍
  ‍
• Building the Case for CKB-VM in the ZK Space: Currently, the EVM is the most commonly used machine in zkVMs, but there is a growing conversation around what might come after it. While WebAssembly, Cairo VM, and a few others are fighting the battle for a standard, RISC-V is the clear forerunner right now.
  ‍
  ‍

However, RISC-V is just a low-level hardware spec, while CKB-VM is a mature implementation with tooling already built up around a blockchain context. If we can prove the "no precompiles" design is highly feasible, it will strongly strengthen the case that builders in the wider ZK space should be taking a serious look at CKB-VM.
‍

We are currently in the R&D phase, focused on optimizing the cryptographic overhead—ensuring our "dolls" nest together as smoothly as possible. But the path forward is clear. Sometimes, when you hit a wall, the solution isn't to break through it—it's to build a container that fits through the door.

‍

What is the primary objective of implementing ZK verification on the Nervos Network (CKB)?

The goal is to generate Zero-Knowledge (ZK) proofs for Nervos Common Knowledge Base (CKB) blocks. This allows the network to cryptographically prove that a block is valid without requiring network participants (nodes) to re-run and re-execute all the underlying transactions.
‍
‍

Why was SP1 chosen over RISC Zero for generating ZK proofs on CKB?

SP1 Hypercube was selected because it supports 64-bit RISC-V architecture, which is a fundamental requirement for the CKB interpreter. RISC Zero was evaluated but rejected because it lacked native 64-bit support.
‍
‍

Why couldn't Nervos CKB scripts be executed natively within the SP1 zkVM?

Attempting native execution revealed four critical system and dialect incompatibilities:

1. Instruction Set Mismatch: CKB relies on RISC-V Bit Manipulation (B) and Compressed (C) extensions. SP1 only supports the base Integer (I) and Multiplication (M) sets. Modifying binaries to fix this would alter transaction hashes, breaking blockchain consensus.
2. The ecall Conflict: CKB uses the ecall instruction to load data cells, whereas SP1 reserves it for internal tasks like reading standard input (stdin).
3. Memory Management: CKB scripts expect exclusive memory ownership starting at address 0x0, but SP1 forces scripts to share memory with the host environment, causing crashes.
4. Closed System Limitations: CKB requires syscall interfaces to access external blockchain state, while SP1 operates as a closed system requiring all data to be supplied upfront.
   ‍

What is the "Matryoshka" or "VM-in-VM" solution developed by LimeChain?

To bypass the native execution incompatibilities, the team utilized a "VM-in-VM" emulation approach inspired by Ethereum's RSP. The architecture involves three nested layers:

• Outer Doll: SP1 (The zkVM proving platform).
• Middle Doll: ckb-vm(The Nervos RISC-V interpreter compiled to run inside SP1).
• Inner Doll: The CKB Script (The transaction logic executed by the ckb-vm).This allows block validation to be interpreted as simple RISC-V instructions that SP1 can successfully prove, albeit with the performance overhead of emulation.
  ‍

What is the future technical direction for Nervos ZK execution?

While the VM-in-VM approach successfully proved the concept, the Nervos team is advancing toward targeting CKB directly to the RV64IM instruction set. This will eventually bypass the emulation overhead and achieve highly efficient, native execution.
‍

How does CKB ZK verification benefit Light Clients?

It enables "Fully Verifying Light Clients." Devices with low hardware and storage capacity (like mobile wallets or IoT devices) can receive a tiny cryptographic proof confirming a block's validity. They can mathematically verify the state of the blockchain without downloading or re-executing the entire transaction history.
‍

What are the broader blockchain interoperability use cases for CKB ZK proofs?

There are three major interoperability and ecosystem benefits:

1. Trustless Bridges: Assets can be moved across chains using mathematical proofs rather than relying on trusted validators or multisig setups.
2. Extending RGB++: By generating ZK proofs of CKB's state, networks like Ethereum could theoretically verify Bitcoin or Litecoin transactions that have been routed through CKB.
3. Promoting ckb-vm in the ZK Space: It positions the mature, RISC-V based ckb-vm as a highly viable, "no precompiles" alternative to the widely used EVM within the broader zkVM development ecosystem.

‍