Maze is a cli based tool to build aggregation circuits and generate aggregated proofs for snarkjs circom-plonk proofs.
That means using Maze you can take a bunch of plonk proofs that you generate using snarkjs and aggregate them into a single proof using proof aggregation circuit.
Install this fork of Snarkjs
Note: this will override existing installation of snarkjs on your system.
git clone https://github.com/Janmajayamall/snarkjs
cd snarkjs
npm install
npm run build
npm run buildcli
npm install -g .The fork implements two changes to original snarkjs
- replaces hash function in transcript of plonk proofs from keccak to poseidon.
- adds
snarkjs plonk setupmazecli command that generates plonk proof of circuit for several inputs and outputs necessary files (i.e. plonk verification key, proofs, and public signals of each proof) for building aggregation circuit using maze.
You must have rust installed to build and install maze
git clone https://github.com/privacy-scaling-explorations/maze
cd maze/maze-cli
cargo build
cargo install --path .You can check correctness of installation by running
maze --helpMaze can build aggregation circuit to aggregate a pre-defined number of plonk-proofs. To generate individual plonk proofs for a circuit on different inputs we use fork of snarkjs we installed above. After which we use maze tool to necessary commands.
cat <<EOT > circuit.circom
pragma circom 2.0.0;
template Multiplier(n) {
signal input a;
signal input b;
signal output c;
signal int[n];
int[0] <== a*a + b;
for (var i=1; i<n; i++) {
int[i] <== int[i-1]*int[i-1] + b + 3;
}
c <== int[n-1];
}
component main = Multiplier(1000);
EOTcurl https://hermez.s3-eu-west-1.amazonaws.com/powersOfTau28_hez_final_15.ptau --output hez_15.ptauThe command above downloads and save powersOfTau28_hez_final_15.ptau as hez_15.ptau. You can find more info about file here.
You can instead choose to download a file with different max. constraints.
Note that
tauvalue used incommon reference string (CRS)of commitment scheme in individual plonk proofs must be same as the one used in commitment scheme of aggregation circuit.
circom circuit.circom --r1cs --wasm
snarkjs plonk setup circuit.r1cs hez_15.ptaucat <<EOT > inputs.json
[
{
"a": 312,
"b": 64
},
{
"a": 344,
"b": 21
}
]
EOTinputs.json file contains an array of inputs for which we desire to generate plonk proofs of the circuit. Here we limit to building aggregation circuit for 2 proofs.
snarkjs plonk setupmaze inputs.json circuit_js/circuit.wasm circuit.zkeyThe command generates
verification_key.json: plonk verification key for the circuit.proofs.json: array of proofs for inputs ininputs.json.public_signals.json: array of public signals corresponding to proofs inproofs.json.
All three files are necessary for building aggregation circuit using maze.
maze mock-setup verification_key.json proofs.json public_signals.jsonMock setup does the following
- builds an aggregation circuit for the circom circuit with plonk verification key as
verification_key.json. The maximum number of proofs that you can aggregate with this aggregation circuit equals number of proofs inproofs.json. - runs mock prover on the aggregation circuit to check that all constraints satisfy.
- Outputs
k.2^kare the maximum number of rows your circuit needs, thus your CRS must of degree2^k.
maze gen-evm-verifier verification_key.json proofs.json public_signals.json hez_22.srs outputshez_22.srs contains same CRS as powersOfTau28_hez_final_22.ptau. You can either use .srs or .ptau as PARAMS, but .srs files are smaller in size than .ptau files thus faster to read in memory.
Notice that we are using CRS file of k = 22.
gen-evm-verifier generates evm verifier bytecode for the aggregation circuit and stores it inside outputs directory.
maze create-proof verification_key.json proofs.json public_signals.json hez_22.srs outputscreate-proof generates proof for the aggregation circuit. Validation of the proof (followed by the pairing check of the final accumulator) by the verifier confirms the validity of plonk proofs inside proofs.json.
create_proof creates two files
halo2-agg-proof.txt: Contains only the proof in bytes of the aggregation circuit.halo2-agg-evm-calldata.txt: Contains proof of aggregation circuit and instance values in bytes encoded as calldata input to evm verifier contract.
maze verify-proof verification_key.json proofs.json public_signals.json outputs/halo2-agg-proof.txt hez_22.srsverify-proof verifies the aggregated proof (stored in halo2-agg-proof.txt) generated using create-proof
maze evm-verify-proof outputs/halo2-agg-evm-calldata.txt outputs/evm-verifier.txtevm-verify-proof simulates execution of EVM bytecode in evm-verifier.txt with calldata in halo2-agg-evm-calldata.txt.
.ptau and .srs are both file formats for storing CRS. .srs files are smaller in size than .ptau file. You can convert .ptau file to .srs file using this repo.
Machine used:
| individual circuit | aggregation circuit | no. of proofs | proving time (in seconds) | peak RAM (GB) | machine used |
|---|---|---|---|---|---|
| PI = 1; k = 15 | k = 24 | 25 | 1621 | 107 GB | r5a.16xlarge ec2 instance |
| PI = 1; k = 15 | k = 25 | 50 | 3422 | 214 GB | r5a.16xlarge ec2 instance |
Join our telegram group for questions and discussions.
- Han: For implementing plonk-verifier that maze heavily uses for building aggregation circuits. Also, for their discussions around several implementation details.
- PSE zKEVM team: For implementing halo2wrong and fork of halo2 that replaces IPA commitment scheme with KZG.
- Halo2 team: For implementing Halo2 library without which developing aggregation circuits will a lot harder.