ZkRollup and RedJubjub Prototype

ZkRollup and RedJubjub Prototype

Abstract

ZkRollup prototype implementation which collect the transfer transaction and synchronize it on-chain at once.
RedJubjub prototype implementation which divide key permission and prove the relationship of keys.
These functionalities are implemented as pallet in order to run it on Substrate runtime and totally compatible with no_std and parity-scale-codec.

Use Case

Operator collects transfer transactions and synchronize the state transition with on-chain at once.
Signer generate the one-time encryption key which doesn't have permission to migrate asset but encrypt transaction.
The one-time encryption key corresponds decryption key and it can be used for audit.

Significant Changes

Divide Pairing and Jubjub Curve Trait.

New Libraries

This release includes following libraries implementation.

Primitives

• zkstd
• jub-jub
• bls-12-381
• she-elgamal
• ec-pairing
• poly-commit
• red-jubjub
• zksnarks
• zkplonk
• zkrollup

Pallets

• confidential_transfer
• encrypted_balance
• plonk
• zkrollup

Benchmark

Benchmark

Bls12 381

_	add	sub	double	scalar / mul	square	invert	pow
g1_affine	714.20 ns 717.54 ns 720.93 ns	737.37 ns 739.75 ns 742.30 ns	848.32 ns 850.93 ns 853.75 ns	327.94 µs 329.21 µs 330.41 µs
g1_projective	1.3477 µs 1.3517 µs 1.3561 µs	1.3215 µs 1.3280 µs 1.3349 µs	847.98 ns 851.55 ns 854.92 ns	323.29 µs 324.52 µs 325.68 µs
g2_affine	2.8349 µs 2.8518 µs 2.8683 µs	2.9519 µs 2.9560 µs 2.9591 µs	3.3792 µs 3.3911 µs 3.4030 µs	1.2352 ms 1.2392 ms 1.2438 ms
g2_projective	5.5165 µs 5.5350 µs 5.5538 µs	5.4515 µs 5.4753 µs 5.4981 µs	3.3105 µs 3.3270 µs 3.3440 µs	1.2990 ms 1.3015 ms 1.3038 ms
fr	8.7629 ns 8.7929 ns 8.8236 ns	8.3257 ns 8.3504 ns 8.3758 ns	8.1719 ns 8.1975 ns 8.2238 ns	41.645 ns 41.818 ns 41.968 ns	34.843 ns 35.000 ns 35.163 ns	15.079 µs 15.138 µs 15.200 µs	10.222 µs 10.246 µs 10.270 µs
fq	14.625 ns 14.680 ns 14.736 ns	12.624 ns 12.657 ns 12.691 ns	13.567 ns 13.640 ns 13.710 ns	90.736 ns 91.281 ns 91.834 ns	76.947 ns 77.076 ns 77.205 ns	44.666 µs 44.784 µs 44.911 µs
Fq2	31.117 ns 31.188 ns 31.253 ns	29.603 ns 29.659 ns 29.701 ns	32.138 ns 32.277 ns 32.430 ns	378.35 ns 380.17 ns 381.97 ns	271.52 ns 271.85 ns 272.14 ns	44.086 µs 44.282 µs 44.478 µs
Fq6	146.06 ns 146.60 ns 147.12 ns	134.37 ns 134.77 ns 135.12 ns	129.85 ns 130.49 ns 131.16 ns	2.6791 µs 2.6931 µs 2.7079 µs	1.8952 µs 1.8973 µs 1.8992 µs	48.959 µs 49.066 µs 49.168 µs
Fq12	353.21 ns 354.92 ns 356.55 ns	324.66 ns 326.38 ns 328.51 ns	314.77 ns 316.04 ns 317.36 ns	8.6387 µs 8.6738 µs 8.7050 µs	6.1444 µs 6.1606 µs 6.1755 µs	57.105 µs 57.419 µs 57.741 µs

Confidential Transfer

_	Time
setup	6.2983 s 6.3533 s 6.4040 s
gen_proof	6.7157 s 6.7444 s 6.7776 s
verify_proof	16.033 ms 16.226 ms 16.479 ms

Jubjub

_	add	sub	double	scalar / mul	square	invert	pow
affine	421.54 ns 423.65 ns 425.96 ns	427.31 ns 429.03 ns 430.80 ns	399.37 ns 400.58 ns 401.84 ns	133.24 µs 133.83 µs 134.38 µs
extended	478.96 ns 481.22 ns 483.33 ns	497.09 ns 497.88 ns 498.57 ns	365.74 ns 366.97 ns 368.22 ns	131.00 µs 131.50 µs 132.02 µs
fp	8.5002 ns 8.5156 ns 8.5316 ns	7.9557 ns 7.9951 ns 8.0340 ns	7.7814 ns 7.8354 ns 7.8903 ns	41.881 ns 41.951 ns 42.020 ns	34.631 ns 34.749 ns 34.869 ns	13.367 µs 13.391 µs 13.416 µs	10.443 µs 10.469 µs 10.494 µs

Plonk

• msm

_	Time
8	9.0083 ms 9.1812 ms 9.4171 ms
9	13.195 ms 13.255 ms 13.328 ms
10	22.831 ms 22.925 ms 23.051 ms
11	41.207 ms 41.385 ms 41.623 ms
12	67.315 ms 67.763 ms 68.308 ms
13	123.13 ms 123.82 ms 124.64 ms
14	231.91 ms 232.80 ms 233.83 ms

• pairing

_	Time
tate	2.4814 ms 2.4909 ms 2.5003 ms
final_exp	1.4885 ms 1.4921 ms 1.4959 ms
miller_loop	1.0106 ms 1.0153 ms 1.0202 ms
multi_miller_loop	2.3763 ms 2.3851 ms 2.3937 ms

Next

Nova Folding and Horizontal Integration of Layer 2

Confidential Transfer Prototype

Confidential Transfer Prototype

Abstract

Confidential transfer prototype implementation which conceals the transfer amount of transactions.
These functionalities are implemented as pallet in order to run it on Substrate runtime and totally compatible with no_std and parity-scale-codec.
Confidential transfer mainly consists of ElGamal encryption and plonk.
Users balances are encrypted by default.

Use Case

Alice and Bob decrypt the transfer amount and Alice generate proof which proves following things.

• Transfer amount is encrypted by Alice and Bob correctly
• Transfer amount and Alice remaining balance are in range
• Additive homomorphic arithmetic is done correctly

Bob can decrypt his balance by brute force using $g^r$ and his public key.

Significant Changes

Nothing because this is first release.

New Libraries

This release includes following libraries implementation.

• zero-crypto
• zero-jubjub
• zero-bls12-381
• zero-elgamal
• zero-pairing
• zero-kzg
• zero-plonk
• confidential_transfer
• pallet-plonk
• pallet-encrypted-balance

Benchmark

Benchmark
Benchmark(msm)

Bls12 381

_	add	sub	double	scalar / mul	square	invert	pow
g1_affine	1.3802 µs 1.3856 µs 1.3925 µs	1.3730 µs 1.3738 µs 1.3744 µs	1.0493 µs 1.0498 µs 1.0503 µs	434.38 µs 434.51 µs 434.64 µs	_	_	_
g1_projective	1.3702 µs 1.3706 µs 1.3709 µs	1.3729 µs 1.3736 µs 1.3742 µs	1.0494 µs 1.0498 µs 1.0502 µs	427.97 µs 428.12 µs 428.26 µs	_	_	_
g2_affine	5.6784 µs 5.6795 µs 5.6805 µs	5.6940 µs 5.6953 µs 5.6963 µs	4.2977 µs 4.2981 µs 4.2985 µs	1.8001 ms 1.8007 ms 1.8012 ms	_	_	_
g2_projective	5.6720 µs 5.6751 µs 5.6778 µs	5.6812 µs 5.6857 µs 5.6897 µs	4.2811 µs 4.2859 µs 4.2901 µs	1.7669 ms 1.7688 ms 1.7713 ms	_	_	_
fr	8.9125 ns 8.9551 ns 9.0299 ns	8.4102 ns 8.4159 ns 8.4214 ns	8.1814 ns 8.1863 ns 8.1911 ns	48.537 ns 48.568 ns 48.599 ns	42.951 ns 42.958 ns 42.965 ns	21.729 µs 21.735 µs 21.740 µs	15.083 µs 15.086 µs 15.088 µs
fq	15.142 ns 15.155 ns 15.166 ns	12.897 ns 12.907 ns 12.914 ns	13.669 ns 13.681 ns 13.691 ns	93.201 ns 93.223 ns 93.244 ns	92.196 ns 92.204 ns 92.214 ns	55.277 µs 55.282 µs 55.288 µs	_
fq2	31.849 ns 31.886 ns 31.933 ns	29.618 ns 29.637 ns 29.658 ns	36.221 ns 36.264 ns 36.302 ns	384.25 ns 385.80 ns 387.77 ns	377.49 ns 377.84 ns 378.21 ns	55.623 µs 55.641 µs 55.656 µs	_
fq6	152.50 ns 152.58 ns 152.65 ns	137.74 ns 137.76 ns 137.78 ns	144.41 ns 144.48 ns 144.55 ns	2.7686 µs 2.7725 µs 2.7774 µs	2.1881 µs 2.1896 µs 2.1908 µs	60.240 µs 60.262 µs 60.281 µs	_
fq12	359.73 ns 359.96 ns 360.17 ns	329.51 ns 329.66 ns 329.77 ns	384.40 ns 384.75 ns 385.44 ns	8.8706 µs 8.8997 µs 8.9387 µs	6.1294 µs 6.1326 µs 6.1353 µs	70.075 µs 70.126 µs 70.174 µs	_

Confidential Transfer

_	Time
setup	8.4388 s 8.4458 s 8.4534 s
gen_proof	10.676 s 10.758 s 10.879 s
verify_proof	13.477 ms 13.557 ms 13.680 ms

Jubjub

_	add	sub	double	scalar / mul	square	invert	pow
extended	547.36 ns 548.05 ns 548.78 ns	546.90 ns 547.04 ns 547.16 ns	375.16 ns 375.22 ns 375.29 ns	193.98 µs 194.00 µs 194.02 µs	_	_	_
fp	8.9547 ns 9.0156 ns 9.0807 ns	8.4317 ns 8.4358 ns 8.4426 ns	8.1919 ns 8.1933 ns 8.1945 ns	48.469 ns 48.482 ns 48.494 ns	42.423 ns 42.428 ns 42.432 ns	18.334 µs 18.336 µs 18.338 µs	14.313 µs 14.314 µs 14.316 µs

Plonk

• msm

_	Time
8	15.518 ms 15.528 ms 15.541 ms
9	26.011 ms 26.013 ms 26.015 ms
10	47.973 ms 47.988 ms 48.015 ms
11	86.871 ms 86.875 ms 86.880 ms
12	152.99 ms 152.99 ms 153.00 ms
13	281.96 ms 282.00 ms 282.05 ms
14	523.59 ms 523.63 ms 523.69 ms
15	931.85 ms 931.89 ms 931.93 ms
16	1.8141 s 1.8142 s 1.8142 s
17	3.3891 s 3.3892 s 3.3893 s
18	6.1931 s 6.1937 s 6.1948 s

• pairing

_	Time
tate	2.9226 ms 2.9228 ms 2.9231 ms
final_exp	1.8184 ms 1.8187 ms 1.8189 ms
miller_loop	1.1021 ms 1.1023 ms 1.1025 ms
multi_miller_loop	2.4157 ms 2.4163 ms 2.4168 ms

Issues

• Most parts are implemented by original libraries but it depends on dusk-plonk on plonk part.
• Balance range is $0$ .. $2^{16}$