be17138e (main)
and
914485a5 (PR)
+2 -0
+2 -0
{
"creator": "Matter Labs",
"projectsForTvs": [
{
"projectId": "adi",
"sinceTimestamp": 1764107759
}
],
"proofSystemInfo": "\n ## Description\n\n Airbender is the most advanced zkVM developed by Matter Labs. It operates on RISC-V ISA and is designed to prove state transition function of [zk stack](https://zkstack.io) chains in combination with [ZKsync OS](https://github.com/matter-labs/zksync-os), but also more general RISC-V programs. Airbender proofs could be [wrapped into Fflonk SNARK](https://github.com/matter-labs/zkos-wrapper) for efficient onchain verification. Airbender initial release [targets 81 bits of security](https://x.com/eth_proofs/status/1942468407896543694).\n\n ## Proof system\n\n Airbender implements a rather standard zkVM: AIR constraints, [DEEP-FRI](https://eprint.iacr.org/2019/336) polynomial testing, RISC-V instructions with the program being stored in read-only memory and accessed by lookup arguments, recursive proving. \n\n Many parts of the stack are optimized for speed and efficiency, including a small Mersenne31 field over which the computation trace is generated and a simple degree 2 AIR constraints. Airbender prover could also be run in application mode without signed multiplication and division operations, thus reducing circuit complexity.\n\n ### Recursion circuits\n\n Airbender targets proving batches of size 2**22 (~4 M) clock cycles. The proofs of such batches are pairwise recursively aggregated using zkVM in recursion mode. For onchain verification, the final Airbender STARK is [compressed using Boojum compressor](https://github.com/matter-labs/zkos-wrapper) and then wrapped into a Fflonk SNARK with KZG. The KZG commitment is done over BN254 curve and it uses Aztec Ignition trusted setup ceremony, see [below](#trusted-setups) for more details.\n ",
"techStack": {
"zkVM": [
{
"id": "Airbender",
"type": "STARK",
"name": "Airbender",
"description": "zkVM STARK proving system operating on RISC-V ISA, developed by Matter Labs."
},
{
"id": "RISCV32",
"type": "ISA",
"name": "RISC-V 32bit",
"description": "Free and open-source universal 32-bit ISA used across a variety of hardware and software."
},
{
"id": "Mersenne31",
"type": "Field",
"name": "Mersenne31",
"description": "Prime field of order p = 2**31 - 1."
}
],
"finalWrap": [
{
"id": "Zksync",
"type": "Fflonk",
"name": "Zksync",
"description": "Matter Labs Rust implementation of Fflonk improvement over standard Plonk proving system."
},
{
"id": "BN254",
"type": "curve",
"name": "BN254",
"description": "BN254, aka BN256, aka alt_bn128 pairing-friendly 254-bit prime field Weierstrass elliptic curve."
}
]
},
"trustedSetups": [
{
"proofSystem": {
"id": "Bellman",
"type": "Plonk",
"name": "Bellman",
"description": "Bellman Rust library for Plonk proving system, originally developed for ZCash."
},
"id": "AztecIgnition",
"name": "Aztec Ignition",
"risk": "green",
"shortDescription": "Aztec Ignition is a trusted setup ceremony that was run by Aztec for KZG commitment over BN254 curve in 2019. It included 176 participants and was publicly open for participation.",
"longDescription": " \n Aztec Ignition is a trusted setup ceremony for KZG commitments over BN254 curve that was run by Aztec for KZG commitment over BN254 curve in 2019. \n It included 176 participants and was publicly open for participation.\n \n - Github repo to download and verify the ceremony artifacts: [https://github.com/AztecProtocol/ignition-verification](https://github.com/AztecProtocol/ignition-verification).\n - Github repo with instructions for ceremony participants: [https://github.com/AztecProtocol/Setup](https://github.com/AztecProtocol/Setup).\n - Ceremony announcement with a call to participate: [https://aztec.network/blog/announcing-ignition](https://aztec.network/blog/announcing-ignition).\n "
},
{
"proofSystem": {
"id": "Zksync",
"type": "Fflonk",
"name": "Zksync",
"description": "Matter Labs Rust implementation of Fflonk improvement over standard Plonk proving system."
},
"id": "AztecIgnition",
"name": "Aztec Ignition",
"risk": "green",
"shortDescription": "Aztec Ignition is a trusted setup ceremony that was run by Aztec for KZG commitment over BN254 curve in 2019. It included 176 participants and was publicly open for participation.",
"longDescription": " \n Aztec Ignition is a trusted setup ceremony for KZG commitments over BN254 curve that was run by Aztec for KZG commitment over BN254 curve in 2019. \n It included 176 participants and was publicly open for participation.\n \n - Github repo to download and verify the ceremony artifacts: [https://github.com/AztecProtocol/ignition-verification](https://github.com/AztecProtocol/ignition-verification).\n - Github repo with instructions for ceremony participants: [https://github.com/AztecProtocol/Setup](https://github.com/AztecProtocol/Setup).\n - Ceremony announcement with a call to participate: [https://aztec.network/blog/announcing-ignition](https://aztec.network/blog/announcing-ignition).\n "
}
],
"verifierHashes": [
{
"hash": "0x6f36a08c517b060fa97308cdb3e23b04842ff839d451a753ec8fae1a5408304a",
"name": "Airbender Fflonk Adi verifier",
"proofSystem": {
"id": "Zksync",
"type": "Fflonk",
"name": "Zksync",
"description": "Matter Labs Rust implementation of Fflonk improvement over standard Plonk proving system."
},
"knownDeployments": [
{
"address": "0xF6b3708BE4192CE4526c2F87D4c3eABA79230E6A",
"chain": "ethereum"
}
],
"verificationStatus": "notVerified"
},
{
"hash": "0x124ebcd537a1e1c152774dd18f67660e35625bba0b669bf3b4836d636b105337",
"name": "Airbender Plonk Adi verifier",
"proofSystem": {
"id": "Bellman",
"type": "Plonk",
"name": "Bellman",
"description": "Bellman Rust library for Plonk proving system, originally developed for ZCash."
},
"knownDeployments": [
{
"address": "0x5E7cF1C310F9E0BF8DbFe70D5cC8021a2109D0AE",
"chain": "ethereum"
}
],
"verificationStatus": "notVerified",
"attesters": [
{
"id": "l2beat",
"name": "L2BEAT",
"link": "https://l2beat.com"
}
]
}
]
}+2 -0
+2 -0
{
"creator": "Aztec",
"projectsForTvs": [
{
"projectId": "aztec",
"sinceTimestamp": 1615762800
}
],
"proofSystemInfo": "\n ## Proof system\n\n Aztec v1 prover is a [monolithic zk-SNARK proving system](https://github.com/AztecProtocol/aztec-v1/tree/develop/packages/aztec.js) over BN254 curve for proving state transitions of Aztec v1 (Zk.money) L2. It implements the following custom circuits and contains verifiers for them: [joinsplit](https://github.com/AztecProtocol/aztec-v1/blob/a47d3d9ea38cd1363ede730998145da663df6091/packages/protocol/contracts/ACE/validators/joinSplit/JoinSplit.sol#L9) for proving private token transfers in a UTXO-like note model, [swap](https://github.com/AztecProtocol/aztec-v1/blob/a47d3d9ea38cd1363ede730998145da663df6091/packages/protocol/contracts/ACE/validators/swap/Swap.sol) for proving exchange of two notes between counterparties, [dividend](https://github.com/AztecProtocol/aztec-v1/blob/a47d3d9ea38cd1363ede730998145da663df6091/packages/protocol/contracts/ACE/validators/dividend/Dividend.sol) for proving that a note is equal to a public percentage of a second note, [public](https://github.com/AztecProtocol/aztec-v1/blob/a47d3d9ea38cd1363ede730998145da663df6091/packages/protocol/contracts/ACE/validators/publicRange/PublicRange.sol) and [private](https://github.com/AztecProtocol/aztec-v1/blob/a47d3d9ea38cd1363ede730998145da663df6091/packages/protocol/contracts/ACE/validators/privateRange/PrivateRange.sol) range for proving comparison of a note with either a public value or with another note.\n",
"techStack": {
"snark": [
{
"id": "AztecV1",
"type": "Plonk",
"name": "AztecV1",
"description": "First version of Aztec implementation of Plonk proving system, originally developed for zk.money (AZTEC v1)."
},
{
"id": "BN254",
"type": "curve",
"name": "BN254",
"description": "BN254, aka BN256, aka alt_bn128 pairing-friendly 254-bit prime field Weierstrass elliptic curve."
},
{
"id": "CustomCircuits",
"type": "Other",
"name": "App-specific circuits",
"description": "This project uses custom app-specific ZK circuits."
}
]
},
"trustedSetups": [
{
"proofSystem": {
"id": "AztecV1",
"type": "Plonk",
"name": "AztecV1",
"description": "First version of Aztec implementation of Plonk proving system, originally developed for zk.money (AZTEC v1)."
},
"id": "AztecIgnition",
"name": "Aztec Ignition",
"risk": "green",
"shortDescription": "Aztec Ignition is a trusted setup ceremony that was run by Aztec for KZG commitment over BN254 curve in 2019. It included 176 participants and was publicly open for participation.",
"longDescription": " \n Aztec Ignition is a trusted setup ceremony for KZG commitments over BN254 curve that was run by Aztec for KZG commitment over BN254 curve in 2019. \n It included 176 participants and was publicly open for participation.\n \n - Github repo to download and verify the ceremony artifacts: [https://github.com/AztecProtocol/ignition-verification](https://github.com/AztecProtocol/ignition-verification).\n - Github repo with instructions for ceremony participants: [https://github.com/AztecProtocol/Setup](https://github.com/AztecProtocol/Setup).\n - Ceremony announcement with a call to participate: [https://aztec.network/blog/announcing-ignition](https://aztec.network/blog/announcing-ignition).\n "
}
],
"verifierHashes": [
{
"hash": "0x7c8a64f644c60e33445be862185b65bf2096c00c9691f49bd03df5f3ce6b6abf",
"name": "Aztec v1 verifier",
"sourceLink": "https://github.com/AztecProtocol/aztec-v1/tree/develop",
"proofSystem": {
"id": "AztecV1",
"type": "Plonk",
"name": "AztecV1",
"description": "First version of Aztec implementation of Plonk proving system, originally developed for zk.money (AZTEC v1)."
},
"knownDeployments": [
{
"address": "0x48Cb7BA00D087541dC8E2B3738f80fDd1FEe8Ce8",
"chain": "ethereum"
}
],
"verificationStatus": "notVerified",
"description": "Custom verifier ID: SHA256 hash of the abi packed array of uint256 obtained from flattening VerificationKey structure returned by get_verification_key() of Rollup1x2Vk library."
}
]
}+17 -0
+17 -0
{
"creator": "Matter Labs",
"projectsForTvs": [
{
"projectId": "zklinknova",
"sinceTimestamp": 1709217961
},
{
"projectId": "zksync2",
"sinceTimestamp": 1689544800
},
{
"projectId": "abstract",
"sinceTimestamp": 1737932400
},
{
"projectId": "sophon",
"sinceTimestamp": 1734476400
},
{
"projectId": "cronoszkevm",
"sinceTimestamp": 1723672800
},
{
"projectId": "zeronetwork",
"sinceTimestamp": 1731366000
},
{
"projectId": "lens",
"sinceTimestamp": 1743717600
},
{
"projectId": "wonder",
"sinceTimestamp": 1746741600
},
{
"projectId": "zkcandy",
"sinceTimestamp": 1743976800
},
{
"projectId": "grvt",
"sinceTimestamp": 1734649200
},
{
"projectId": "lachain",
"sinceTimestamp": 1747692000
},
{
"projectId": "sxt",
"sinceTimestamp": 1746741600
}
],
"proofSystemInfo": "\n ## Description\n\n Boojum is a proving system operating on [EraVM](https://matter-labs.github.io/zksync-era/core/latest/guides/advanced/12_alternative_vm_intro.html) ISA and supporting [zk stack](https://zkstack.io) chains. It includes recursive STARK proving of zkVM execution, as well as the final wrap with [Plonk](https://github.com/matter-labs/franklin-crypto/tree/dev/src/plonk) or [Fflonk](https://github.com/matter-labs/zksync-crypto/blob/main/crates/fflonk/docs/spec.pdf) SNARK proving system. Boojum targets [100 bits of security](https://github.com/matter-labs/era-boojum?tab=readme-ov-file#for-curions-in-benchmarks-only).\n\n ## Proof system\n\n ### zkVM component\n\n [Boojum](https://github.com/matter-labs/era-boojum/tree/main)'s core is an implementation of the [**Redshift**](https://eprint.iacr.org/2019/1400.pdf) protocol which uses the Plonk IOP with a polynomial commitment scheme based on List Polynomial Commitments (LPCs), which is in turn based on FRI, making the scheme transparent. The scheme makes use of the Goldilocks field, which is much smaller than BN254's field. This part of boojum implements a zkVM for EraVM, which is closely aligned with EVM but has essential differences like 16 registers.\n\n ### Recursion circuits\n\n The protocol makes use of several layers of recursive proof aggregation for 15 types of [circuits](https://github.com/matter-labs/era-zkevm_test_harness/blob/3cd647aa57fc2e1180bab53f7a3b61ec47502a46/circuit_definitions/src/circuit_definitions/recursion_layer/mod.rs#L29). In particular, node and scheduler circuits aggregate zk proofs and compressor and wrapper circuits reduce the final proof size. Further information about the aggregation architecture can be found [**here**](https://github.com/matter-labs/zksync-era/blob/1b61d0797062ab8b0aa2c1e92b23a3a0d8fd2c61/docs/guides/advanced/15_prover_keys.md#circuits).\n\n ### Final wrap\n\n The final proof could either be wrapped into a [Plonk](https://github.com/matter-labs/era-zkevm_test_harness/blob/3cd647aa57fc2e1180bab53f7a3b61ec47502a46/circuit_definitions/src/circuit_definitions/aux_layer/wrapper.rs)+KZG proof, or into [Fflonk](https://github.com/matter-labs/zksync-crypto/tree/main/crates/fflonk)+KZG for cheap verification. The KZG commitment is done over BN254 curve and it uses Aztec Ignition trusted setup ceremony, see [below](#trusted-setups) for more details.\n ",
"techStack": {
"zkVM": [
{
"id": "Boojum",
"type": "STARK",
"name": "Boojum",
"description": "zkVM STARK proving system developed by Matter Labs for proving state transition of ZKsync Era."
},
{
"id": "EraVM",
"type": "ISA",
"name": "EraVM",
"description": "Instruction language for ZKsync Era virtual machine."
},
{
"id": "Goldilocks",
"type": "Field",
"name": "Goldilocks",
"description": "Prime field of order p = 2**64 - 2**32 + 1."
}
],
"finalWrap": [
{
"id": "Bellman",
"type": "Plonk",
"name": "Bellman",
"description": "Bellman Rust library for Plonk proving system, originally developed for ZCash."
},
{
"id": "Zksync",
"type": "Fflonk",
"name": "Zksync",
"description": "Matter Labs Rust implementation of Fflonk improvement over standard Plonk proving system."
},
{
"id": "BN254",
"type": "curve",
"name": "BN254",
"description": "BN254, aka BN256, aka alt_bn128 pairing-friendly 254-bit prime field Weierstrass elliptic curve."
}
]
},
"trustedSetups": [
{
"proofSystem": {
"id": "Bellman",
"type": "Plonk",
"name": "Bellman",
"description": "Bellman Rust library for Plonk proving system, originally developed for ZCash."
},
"id": "AztecIgnition",
"name": "Aztec Ignition",
"risk": "green",
"shortDescription": "Aztec Ignition is a trusted setup ceremony that was run by Aztec for KZG commitment over BN254 curve in 2019. It included 176 participants and was publicly open for participation.",
"longDescription": " \n Aztec Ignition is a trusted setup ceremony for KZG commitments over BN254 curve that was run by Aztec for KZG commitment over BN254 curve in 2019. \n It included 176 participants and was publicly open for participation.\n \n - Github repo to download and verify the ceremony artifacts: [https://github.com/AztecProtocol/ignition-verification](https://github.com/AztecProtocol/ignition-verification).\n - Github repo with instructions for ceremony participants: [https://github.com/AztecProtocol/Setup](https://github.com/AztecProtocol/Setup).\n - Ceremony announcement with a call to participate: [https://aztec.network/blog/announcing-ignition](https://aztec.network/blog/announcing-ignition).\n "
},
{
"proofSystem": {
"id": "Zksync",
"type": "Fflonk",
"name": "Zksync",
"description": "Matter Labs Rust implementation of Fflonk improvement over standard Plonk proving system."
},
"id": "AztecIgnition",
"name": "Aztec Ignition",
"risk": "green",
"shortDescription": "Aztec Ignition is a trusted setup ceremony that was run by Aztec for KZG commitment over BN254 curve in 2019. It included 176 participants and was publicly open for participation.",
"longDescription": " \n Aztec Ignition is a trusted setup ceremony for KZG commitments over BN254 curve that was run by Aztec for KZG commitment over BN254 curve in 2019. \n It included 176 participants and was publicly open for participation.\n \n - Github repo to download and verify the ceremony artifacts: [https://github.com/AztecProtocol/ignition-verification](https://github.com/AztecProtocol/ignition-verification).\n - Github repo with instructions for ceremony participants: [https://github.com/AztecProtocol/Setup](https://github.com/AztecProtocol/Setup).\n - Ceremony announcement with a call to participate: [https://aztec.network/blog/announcing-ignition](https://aztec.network/blog/announcing-ignition).\n "
}
],
"verifierHashes": [
{
"hash": "0xe4503cf38485e3d728a7362155d53d3d63293e2fa48dca4f5588aa4625de251f",
"name": "Boojum Fflonk Lens verifier",
"sourceLink": "https://github.com/matter-labs/zksync-era/tree/f57999997f581b557cf8e36e3a9be5650d992022/prover",
"proofSystem": {
"id": "Zksync",
"type": "Fflonk",
"name": "Zksync",
"description": "Matter Labs Rust implementation of Fflonk improvement over standard Plonk proving system."
},
"knownDeployments": [
{
"address": "0xE3743181a4b0A0C1260826105c6BBA4b6e18D79d",
"chain": "ethereum"
}
],
"verificationStatus": "successful",
"attesters": [
{
"id": "l2beat",
"name": "L2BEAT",
"link": "https://l2beat.com"
}
],
"verificationSteps": "\nVerification requires an Ubuntu 22.04 machine with an NVIDIA GPU. We used a g6.4xlarge aws instance with 24 GiB GPU memory and 64 GiB RAM. \nThe setup part is based on [this guide](https://paragraph.com/@zksync/from-integration-to-verification-completing-the-first-steps-in-zksync-s-prover-network) with modifications, the verification is done using [this script](https://github.com/matter-labs/zksync-era/tree/main/prover/crates/bin/vk_setup_data_generator_server_fri).\n\n1. Install rust, yarn, some essential libraries, docker and cmake:\n\n```\ncurl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh\n. .cargo/env\n\ncurl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.5/install.sh | bash\nexport NVM_DIR=$HOME/.nvm\n. .bashrc\nnvm install 20\nnpm install -g yarn\nyarn set version 1.22.19\n\nsudo apt-get update\nsudo apt-get install -y build-essential pkg-config cmake clang lldb lld libssl-dev postgresql apt-transport-https ca-certificates curl software-properties-common\ncargo install sqlx-cli --version 0.8.1\n\n# install the latest version of cmake\nsudo apt remove cmake\ncurl -fsSL https://apt.kitware.com/kitware-archive.sh | sudo sh\nsudo apt-get install cmake\n```\n\n2. Install CUDA drivers and toolkit 12.2, export necessary env vars. On Ubuntu 22.04 this requires updating gcc to version 12.\n\n```\nsudo apt-get install gcc-12 g++-12\nsudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-12 100\nsudo update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-12 100\n\nwget https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2204/x86_64/cuda-keyring_1.1-1_all.deb\nsudo dpkg -i cuda-keyring_1.1-1_all.deb\nsudo apt-get update\nsudo apt-get install -y cuda-drivers-535\nsudo apt-get install -y cuda-toolkit-12-2\n```\n\nReboot the machine to apply the drivers.\n\n3. Install `foundryup-zksync`.\n\n```\ncurl -L https://raw.githubusercontent.com/matter-labs/foundry-zksync/main/install-foundry-zksync | bash\n. ~/.bashrc\nfoundryup-zksync\n```\n\n4. Build bellman-cuda. We used the tag version `prerelease-dev-a87a309`, commit hash `a87a309e7c07ef6b3fc5532e50d5d244aab9f4d0`.\n```\nexport CUDA_HOME=/usr/local/cuda\nexport LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/cuda/lib64:/usr/local/cuda/extras/CUPTI/lib64\nexport PATH=$PATH:$CUDA_HOME/bin\n\ngit clone https://github.com/matter-labs/era-bellman-cuda.git\ncd era-bellman-cuda\ngit checkout prerelease-dev-a87a309\ngit submodule update --init --recursive\ncmake -B./build -DCMAKE_BUILD_TYPE=Release\ncmake --build ./build\nexport BELLMAN_CUDA_DIR=$HOME/era-bellman-cuda\n```\n\n5. Run all scripts to regenerate verification keys. The correct commit hash is `f57999997f581b557cf8e36e3a9be5650d992022`.\n```\ncd ~ \ngit clone https://github.com/matter-labs/zksync-era.git\ncd zksync-era/\ngit checkout f57999997f581b557cf8e36e3a9be5650d992022\n\n# Download compact CRS for the compressor data step, put in repo root\ncurl -o setup_compact.key https://storage.googleapis.com/matterlabs-setup-keys-us/setup-keys/setup_compact.key\nexport COMPACT_CRS_FILE=~/zksync-era/setup_compact.key\n\ncd prover/crates/bin/vk_setup_data_generator_server_fri\nCRS_FILE=https://storage.googleapis.com/matterlabs-setup-keys-us/setup-keys/setup_2^24.key ZKSYNC_HOME=$HOME \n\n# Run regeneration steps\ncargo run --release --bin key_generator generate-vk\ncargo run --features gpu --release --bin key_generator generate-compressor-data\n```\n\nThe output of the last command will contain the required `fflonk_snark_wrapper` value.\n "
},
{
"hash": "0x6f36a08c517b060fa97308cdb3e23b04842ff839d451a753ec8fae1a5408304a",
"name": "Boojum Fflonk core-v29.1.0",
"sourceLink": "https://github.com/matter-labs/zksync-era/tree/core-v29.1.0/prover",
"proofSystem": {
"id": "Zksync",
"type": "Fflonk",
"name": "Zksync",
"description": "Matter Labs Rust implementation of Fflonk improvement over standard Plonk proving system."
},
"knownDeployments": [
{
"address": "0x1AC4F629Fdc77A7700B68d03bF8D1A53f2210911",
"chain": "ethereum"
}
],
"verificationStatus": "successful",
"attesters": [
{
"id": "l2beat",
"name": "L2BEAT",
"link": "https://l2beat.com"
}
],
"verificationSteps": "\nVerification requires an Ubuntu 22.04 machine with an NVIDIA GPU. We used a g6.4xlarge aws instance with 24 GiB GPU memory and 64 GiB RAM. \nThe setup part is based on [this guide](https://paragraph.com/@zksync/from-integration-to-verification-completing-the-first-steps-in-zksync-s-prover-network) with modifications, the verification is done using [this script](https://github.com/matter-labs/zksync-era/tree/main/prover/crates/bin/vk_setup_data_generator_server_fri).\n\n1. Install rust, yarn, some essential libraries, docker and cmake:\n\n```\ncurl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh\n. .cargo/env\n\ncurl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.5/install.sh | bash\nexport NVM_DIR=$HOME/.nvm\n. .bashrc\nnvm install 20\nnpm install -g yarn\nyarn set version 1.22.19\n\nsudo apt-get update\nsudo apt-get install -y build-essential pkg-config cmake clang lldb lld libssl-dev postgresql apt-transport-https ca-certificates curl software-properties-common\ncargo install sqlx-cli --version 0.8.1\n\n# install the latest version of cmake\nsudo apt remove cmake\ncurl -fsSL https://apt.kitware.com/kitware-archive.sh | sudo sh\nsudo apt-get install cmake\n```\n\n2. Install CUDA drivers and toolkit 12.2, export necessary env vars. On Ubuntu 22.04 this requires updating gcc to version 12.\n\n```\nsudo apt-get install gcc-12 g++-12\nsudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-12 100\nsudo update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-12 100\n\nwget https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2204/x86_64/cuda-keyring_1.1-1_all.deb\nsudo dpkg -i cuda-keyring_1.1-1_all.deb\nsudo apt-get update\nsudo apt-get install -y cuda-drivers-535\nsudo apt-get install -y cuda-toolkit-12-2\n```\n\nReboot the machine to apply the drivers.\n\n3. Install `foundryup-zksync`.\n\n```\ncurl -L https://raw.githubusercontent.com/matter-labs/foundry-zksync/main/install-foundry-zksync | bash\n. ~/.bashrc\nfoundryup-zksync\n```\n\n4. Build bellman-cuda. We used the tag version `prerelease-dev-a87a309`, commit hash `a87a309e7c07ef6b3fc5532e50d5d244aab9f4d0`.\n```\nexport CUDA_HOME=/usr/local/cuda\nexport LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/cuda/lib64:/usr/local/cuda/extras/CUPTI/lib64\nexport PATH=$PATH:$CUDA_HOME/bin\n\ngit clone https://github.com/matter-labs/era-bellman-cuda.git\ncd era-bellman-cuda\ngit checkout prerelease-dev-a87a309\ngit submodule update --init --recursive\ncmake -B./build -DCMAKE_BUILD_TYPE=Release\ncmake --build ./build\nexport BELLMAN_CUDA_DIR=$HOME/era-bellman-cuda\n```\n\n5. Run all scripts to regenerate verification keys. The correct tag version of the repo is `core-v29.1.0`, commit hash `3b61f62b3361404c0c94635caee68c855ce2b9f8`.\n```\ncd ~ \ngit clone https://github.com/matter-labs/zksync-era.git\ncd zksync-era/\ngit checkout core-v29.1.0\n\n# Download compact CRS for the compressor data step, put in repo root\ncurl -o setup_compact.key https://storage.googleapis.com/matterlabs-setup-keys-us/setup-keys/setup_compact.key\nexport COMPACT_CRS_FILE=~/zksync-era/setup_compact.key\n\ncd prover/crates/bin/vk_setup_data_generator_server_fri\nCRS_FILE=https://storage.googleapis.com/matterlabs-setup-keys-us/setup-keys/setup_2^24.key ZKSYNC_HOME=$HOME \n\n# Run regeneration steps\ncargo run --release --bin key_generator generate-vk\ncargo run --features gpu --release --bin key_generator generate-compressor-data\n```\n\nThe output of the last command will contain the required `fflonk_snark_wrapper` value.\n "
},
{
"hash": "0x93e83aa1ec05a2ac4de1f0b241394efb9f94a4e7c1784a5a9bf6b85eb930c62a",
"name": "Boojum Plonk Lens verifier",
"sourceLink": "https://github.com/matter-labs/zksync-era/tree/f57999997f581b557cf8e36e3a9be5650d992022/prover",
"proofSystem": {
"id": "Bellman",
"type": "Plonk",
"name": "Bellman",
"description": "Bellman Rust library for Plonk proving system, originally developed for ZCash."
},
"knownDeployments": [
{
"address": "0xB3f4396C2040e502d0556Cbb16C0B22fE777A026",
"chain": "ethereum"
}
],
"verificationStatus": "successful",
"attesters": [
{
"id": "l2beat",
"name": "L2BEAT",
"link": "https://l2beat.com"
}
],
"verificationSteps": "\nVerification requires an Ubuntu 22.04 machine with an NVIDIA GPU. We used a g6.4xlarge aws instance with 24 GiB GPU memory and 64 GiB RAM. \nThe setup part is based on [this guide](https://paragraph.com/@zksync/from-integration-to-verification-completing-the-first-steps-in-zksync-s-prover-network) with modifications, the verification is done using [this script](https://github.com/matter-labs/zksync-era/tree/main/prover/crates/bin/vk_setup_data_generator_server_fri).\n\n1. Install rust, yarn, some essential libraries, docker and cmake:\n\n```\ncurl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh\n. .cargo/env\n\ncurl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.5/install.sh | bash\nexport NVM_DIR=$HOME/.nvm\n. .bashrc\nnvm install 20\nnpm install -g yarn\nyarn set version 1.22.19\n\nsudo apt-get update\nsudo apt-get install -y build-essential pkg-config cmake clang lldb lld libssl-dev postgresql apt-transport-https ca-certificates curl software-properties-common\ncargo install sqlx-cli --version 0.8.1\n\n# install the latest version of cmake\nsudo apt remove cmake\ncurl -fsSL https://apt.kitware.com/kitware-archive.sh | sudo sh\nsudo apt-get install cmake\n```\n\n2. Install CUDA drivers and toolkit 12.2, export necessary env vars. On Ubuntu 22.04 this requires updating gcc to version 12.\n\n```\nsudo apt-get install gcc-12 g++-12\nsudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-12 100\nsudo update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-12 100\n\nwget https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2204/x86_64/cuda-keyring_1.1-1_all.deb\nsudo dpkg -i cuda-keyring_1.1-1_all.deb\nsudo apt-get update\nsudo apt-get install -y cuda-drivers-535\nsudo apt-get install -y cuda-toolkit-12-2\n```\n\nReboot the machine to apply the drivers.\n\n3. Install `foundryup-zksync`.\n\n```\ncurl -L https://raw.githubusercontent.com/matter-labs/foundry-zksync/main/install-foundry-zksync | bash\n. ~/.bashrc\nfoundryup-zksync\n```\n\n4. Build bellman-cuda. We used the tag version `prerelease-dev-a87a309`, commit hash `a87a309e7c07ef6b3fc5532e50d5d244aab9f4d0`.\n```\nexport CUDA_HOME=/usr/local/cuda\nexport LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/cuda/lib64:/usr/local/cuda/extras/CUPTI/lib64\nexport PATH=$PATH:$CUDA_HOME/bin\n\ngit clone https://github.com/matter-labs/era-bellman-cuda.git\ncd era-bellman-cuda\ngit checkout prerelease-dev-a87a309\ngit submodule update --init --recursive\ncmake -B./build -DCMAKE_BUILD_TYPE=Release\ncmake --build ./build\nexport BELLMAN_CUDA_DIR=$HOME/era-bellman-cuda\n```\n\n5. Run all scripts to regenerate verification keys. The correct commit hash is `f57999997f581b557cf8e36e3a9be5650d992022`.\n```\ncd ~ \ngit clone https://github.com/matter-labs/zksync-era.git\ncd zksync-era/\ngit checkout f57999997f581b557cf8e36e3a9be5650d992022\n\n# Download compact CRS for the compressor data step, put in repo root\ncurl -o setup_compact.key https://storage.googleapis.com/matterlabs-setup-keys-us/setup-keys/setup_compact.key\nexport COMPACT_CRS_FILE=~/zksync-era/setup_compact.key\n\ncd prover/crates/bin/vk_setup_data_generator_server_fri\nCRS_FILE=https://storage.googleapis.com/matterlabs-setup-keys-us/setup-keys/setup_2^24.key ZKSYNC_HOME=$HOME \n\n# Run regeneration steps\ncargo run --release --bin key_generator generate-vk\ncargo run --features gpu --release --bin key_generator generate-compressor-data\n```\n\nThe output of the last command will contain the required `snark_wrapper` value.\n "
},
{
"hash": "0x64b347c642ea60114c98b3976124ea8a7e0bb778bd7e479aedc02f994486c8a1",
"name": "Boojum Plonk prover-v22.0.0",
"sourceLink": "https://github.com/matter-labs/zksync-era/tree/prover-v22.0.0/prover",
"proofSystem": {
"id": "Bellman",
"type": "Plonk",
"name": "Bellman",
"description": "Bellman Rust library for Plonk proving system, originally developed for ZCash."
},
"knownDeployments": [
{
"address": "0x2db2ffdecb7446aaab01FAc3f4D55863db3C5bd6",
"chain": "ethereum"
}
],
"verificationStatus": "successful",
"attesters": [
{
"id": "l2beat",
"name": "L2BEAT",
"link": "https://l2beat.com"
}
],
"verificationSteps": "\nVerification requires an Ubuntu 22.04 machine with an NVIDIA GPU. We used a g6.4xlarge aws instance with 24 GiB GPU memory and 64 GiB RAM. \nThe setup part is based on [this guide](https://paragraph.com/@zksync/from-integration-to-verification-completing-the-first-steps-in-zksync-s-prover-network) with modifications, the verification is done using [this script](https://github.com/matter-labs/zksync-era/tree/main/prover/crates/bin/vk_setup_data_generator_server_fri).\n\n1. Install rust, yarn, some essential libraries, docker and cmake:\n\n```\ncurl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh\n. .cargo/env\n\ncurl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.5/install.sh | bash\nexport NVM_DIR=$HOME/.nvm\n. .bashrc\nnvm install 20\nnpm install -g yarn\nyarn set version 1.22.19\n\nsudo apt-get update\nsudo apt-get install -y build-essential pkg-config cmake clang lldb lld libssl-dev postgresql apt-transport-https ca-certificates curl software-properties-common\ncargo install sqlx-cli --version 0.8.1\n\n# install the latest version of cmake\nsudo apt remove cmake\ncurl -fsSL https://apt.kitware.com/kitware-archive.sh | sudo sh\nsudo apt-get install cmake\n```\n\n2. Install CUDA drivers and toolkit 12.2, export necessary env vars. On Ubuntu 22.04 this requires updating gcc to version 12.\n\n```\nsudo apt-get install gcc-12 g++-12\nsudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-12 100\nsudo update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-12 100\n\nwget https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2204/x86_64/cuda-keyring_1.1-1_all.deb\nsudo dpkg -i cuda-keyring_1.1-1_all.deb\nsudo apt-get update\nsudo apt-get install -y cuda-drivers-535\nsudo apt-get install -y cuda-toolkit-12-2\n```\n\nReboot the machine to apply the drivers.\n\n3. Install `foundryup-zksync`.\n\n```\ncurl -L https://raw.githubusercontent.com/matter-labs/foundry-zksync/main/install-foundry-zksync | bash\n. ~/.bashrc\nfoundryup-zksync\n```\n\n4. Build bellman-cuda. We used the tag version `prerelease-dev-a87a309`, commit hash `a87a309e7c07ef6b3fc5532e50d5d244aab9f4d0`.\n```\nexport CUDA_HOME=/usr/local/cuda\nexport LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/cuda/lib64:/usr/local/cuda/extras/CUPTI/lib64\nexport PATH=$PATH:$CUDA_HOME/bin\n\ngit clone https://github.com/matter-labs/era-bellman-cuda.git\ncd era-bellman-cuda\ngit checkout prerelease-dev-a87a309\ngit submodule update --init --recursive\ncmake -B./build -DCMAKE_BUILD_TYPE=Release\ncmake --build ./build\nexport BELLMAN_CUDA_DIR=$HOME/era-bellman-cuda\n```\n\n5. Run all scripts to regenerate verification keys. The correct tag version of the repo is `prover-v22.0.0`, commit hash `157045b4f67546629fc2f7fb32cbbcb4daa2054d`.\n```\ncd ~ \ngit clone https://github.com/matter-labs/zksync-era.git\ncd zksync-era/\ngit checkout prover-v22.0.0\n\n# Download compact CRS for the compressor data step, put in repo root\ncurl -o setup_compact.key https://storage.googleapis.com/matterlabs-setup-keys-us/setup-keys/setup_compact.key\nexport COMPACT_CRS_FILE=~/zksync-era/setup_compact.key\n\ncd prover/crates/bin/vk_setup_data_generator_server_fri\nCRS_FILE=https://storage.googleapis.com/matterlabs-setup-keys-us/setup-keys/setup_2^24.key ZKSYNC_HOME=$HOME \n\n# Run regeneration steps\ncargo run --release --bin key_generator generate-vk\ncargo run --features gpu --release --bin key_generator generate-compressor-data\n```\n\nThe output of the last command will contain the required `snark_wrapper` value.\n "
},
{
"hash": "0x8574e152c41dc39a2ecab984545e1cf21cb3ec250b919018a8053f2fa270784f",
"name": "Boojum Plonk zkLinkNova verifier",
"proofSystem": {
"id": "Bellman",
"type": "Plonk",
"name": "Bellman",
"description": "Bellman Rust library for Plonk proving system, originally developed for ZCash."
},
"knownDeployments": [
{
"address": "0x902C3806A84f4e855a8746e92d7F1C9a51400458",
"chain": "linea"
}
],
"verificationStatus": "notVerified"
},
{
"hash": "0x49eae0bf5c7ea580f4979b366e52b386adc5f42e2ce50fc1d3c4de9a86052bff",
"name": "Boojum Fflonk core-v29.4.0",
"sourceLink": "https://github.com/matter-labs/zksync-era/tree/core-v29.4.0/prover",
"proofSystem": {
"id": "Zksync",
"type": "Fflonk",
"name": "Zksync",
"description": "Matter Labs Rust implementation of Fflonk improvement over standard Plonk proving system."
},
"knownDeployments": [
{
"address": "0xD324a7c8556A059371B207fB96FD77bE24E2042c",
"chain": "ethereum"
}
],
"verificationStatus": "successful",
"attesters": [
{
"id": "l2beat",
"name": "L2BEAT",
"link": "https://l2beat.com"
}
],
"verificationSteps": "\nVerification requires an Ubuntu 22.04 machine with an NVIDIA GPU. We used a g6.4xlarge aws instance with 24 GiB GPU memory and 64 GiB RAM. \nThe setup part is based on [this guide](https://paragraph.com/@zksync/from-integration-to-verification-completing-the-first-steps-in-zksync-s-prover-network) with modifications, the verification is done using [this script](https://github.com/matter-labs/zksync-era/tree/main/prover/crates/bin/vk_setup_data_generator_server_fri).\n\n1. Install rust, yarn, some essential libraries, docker and cmake:\n\n```\ncurl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh\n. .cargo/env\n\ncurl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.5/install.sh | bash\nexport NVM_DIR=$HOME/.nvm\n. .bashrc\nnvm install 20\nnpm install -g yarn\nyarn set version 1.22.19\n\nsudo apt-get update\nsudo apt-get install -y build-essential pkg-config cmake clang lldb lld libssl-dev postgresql apt-transport-https ca-certificates curl software-properties-common\ncargo install sqlx-cli --version 0.8.1\n\n# install the latest version of cmake\nsudo apt remove cmake\ncurl -fsSL https://apt.kitware.com/kitware-archive.sh | sudo sh\nsudo apt-get install cmake\n```\n\n2. Install CUDA drivers and toolkit 12.2, export necessary env vars. On Ubuntu 22.04 this requires updating gcc to version 12.\n\n```\nsudo apt-get install gcc-12 g++-12\nsudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-12 100\nsudo update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-12 100\n\nwget https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2204/x86_64/cuda-keyring_1.1-1_all.deb\nsudo dpkg -i cuda-keyring_1.1-1_all.deb\nsudo apt-get update\nsudo apt-get install -y cuda-drivers-535\nsudo apt-get install -y cuda-toolkit-12-2\n```\n\nReboot the machine to apply the drivers.\n\n3. Install `foundryup-zksync`.\n\n```\ncurl -L https://raw.githubusercontent.com/matter-labs/foundry-zksync/main/install-foundry-zksync | bash\n. ~/.bashrc\nfoundryup-zksync\n```\n\n4. Build bellman-cuda. We used the tag version `prerelease-dev-a87a309`, commit hash `a87a309e7c07ef6b3fc5532e50d5d244aab9f4d0`.\n```\nexport CUDA_HOME=/usr/local/cuda\nexport LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/cuda/lib64:/usr/local/cuda/extras/CUPTI/lib64\nexport PATH=$PATH:$CUDA_HOME/bin\n\ngit clone https://github.com/matter-labs/era-bellman-cuda.git\ncd era-bellman-cuda\ngit checkout prerelease-dev-a87a309\ngit submodule update --init --recursive\ncmake -B./build -DCMAKE_BUILD_TYPE=Release\ncmake --build ./build\nexport BELLMAN_CUDA_DIR=$HOME/era-bellman-cuda\n```\n\n5. Run all scripts to regenerate verification keys. The correct tag version of the repo is `core-v29.4.0`, commit hash `fe0a73730853b291c3c1dd514a42a45625704b7b`.\n```\ncd ~ \ngit clone https://github.com/matter-labs/zksync-era.git\ncd zksync-era/\ngit checkout core-v29.4.0\n\n# Download compact CRS for the compressor data step, put in repo root\ncurl -o setup_compact.key https://storage.googleapis.com/matterlabs-setup-keys-us/setup-keys/setup_compact.key\nexport COMPACT_CRS_FILE=~/zksync-era/setup_compact.key\n\ncd prover/crates/bin/vk_setup_data_generator_server_fri\nCRS_FILE=https://storage.googleapis.com/matterlabs-setup-keys-us/setup-keys/setup_2^24.key ZKSYNC_HOME=$HOME \n\n# Run regeneration steps\ncargo run --release --bin key_generator generate-vk\ncargo run --features gpu --release --bin key_generator generate-compressor-data\n```\n\nThe output of the last command will contain the required `fflonk_snark_wrapper` value.\n "
},
{
"hash": "0x1ffc56111a5cfaf5db387f6a31408ad20217e9bc1f31f2f5c1bd38b0d6d7968b",
"name": "Boojum Plonk prover-v23.2.0",
"sourceLink": "https://github.com/matter-labs/zksync-era/tree/prover-v23.2.0/prover",
"proofSystem": {
"id": "Bellman",
"type": "Plonk",
"name": "Bellman",
"description": "Bellman Rust library for Plonk proving system, originally developed for ZCash."
},
"knownDeployments": [
{
"address": "0xe201837d151E5aC33Af3305f287Ad6F6a7Dfccd7",
"chain": "ethereum"
}
],
"verificationStatus": "successful",
"attesters": [
{
"id": "l2beat",
"name": "L2BEAT",
"link": "https://l2beat.com"
}
],
"verificationSteps": "\nVerification requires an Ubuntu 22.04 machine with an NVIDIA GPU. We used a g6.4xlarge aws instance with 24 GiB GPU memory and 64 GiB RAM. \nThe setup part is based on [this guide](https://paragraph.com/@zksync/from-integration-to-verification-completing-the-first-steps-in-zksync-s-prover-network) with modifications, the verification is done using [this script](https://github.com/matter-labs/zksync-era/tree/main/prover/crates/bin/vk_setup_data_generator_server_fri).\n\n1. Install rust, yarn, some essential libraries, docker and cmake:\n\n```\ncurl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh\n. .cargo/env\n\ncurl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.5/install.sh | bash\nexport NVM_DIR=$HOME/.nvm\n. .bashrc\nnvm install 20\nnpm install -g yarn\nyarn set version 1.22.19\n\nsudo apt-get update\nsudo apt-get install -y build-essential pkg-config cmake clang lldb lld libssl-dev postgresql apt-transport-https ca-certificates curl software-properties-common\ncargo install sqlx-cli --version 0.8.1\n\n# install the latest version of cmake\nsudo apt remove cmake\ncurl -fsSL https://apt.kitware.com/kitware-archive.sh | sudo sh\nsudo apt-get install cmake\n```\n\n2. Install CUDA drivers and toolkit 12.2, export necessary env vars. On Ubuntu 22.04 this requires updating gcc to version 12.\n\n```\nsudo apt-get install gcc-12 g++-12\nsudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-12 100\nsudo update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-12 100\n\nwget https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2204/x86_64/cuda-keyring_1.1-1_all.deb\nsudo dpkg -i cuda-keyring_1.1-1_all.deb\nsudo apt-get update\nsudo apt-get install -y cuda-drivers-535\nsudo apt-get install -y cuda-toolkit-12-2\n```\n\nReboot the machine to apply the drivers.\n\n3. Install `foundryup-zksync`.\n\n```\ncurl -L https://raw.githubusercontent.com/matter-labs/foundry-zksync/main/install-foundry-zksync | bash\n. ~/.bashrc\nfoundryup-zksync\n```\n\n4. Build bellman-cuda. We used the tag version `prerelease-dev-a87a309`, commit hash `a87a309e7c07ef6b3fc5532e50d5d244aab9f4d0`.\n```\nexport CUDA_HOME=/usr/local/cuda\nexport LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/cuda/lib64:/usr/local/cuda/extras/CUPTI/lib64\nexport PATH=$PATH:$CUDA_HOME/bin\n\ngit clone https://github.com/matter-labs/era-bellman-cuda.git\ncd era-bellman-cuda\ngit checkout prerelease-dev-a87a309\ngit submodule update --init --recursive\ncmake -B./build -DCMAKE_BUILD_TYPE=Release\ncmake --build ./build\nexport BELLMAN_CUDA_DIR=$HOME/era-bellman-cuda\n```\n\n5. Run all scripts to regenerate verification keys. The correct tag version of the repo is `prover-v23.2.0`, commit hash `2b188cd7ac139430d3cb1f27babc9693a2c83df6`.\n```\ncd ~ \ngit clone https://github.com/matter-labs/zksync-era.git\ncd zksync-era/\ngit checkout prover-v23.2.0\n\n# Download compact CRS for the compressor data step, put in repo root\ncurl -o setup_compact.key https://storage.googleapis.com/matterlabs-setup-keys-us/setup-keys/setup_compact.key\nexport COMPACT_CRS_FILE=~/zksync-era/setup_compact.key\n\ncd prover/crates/bin/vk_setup_data_generator_server_fri\nCRS_FILE=https://storage.googleapis.com/matterlabs-setup-keys-us/setup-keys/setup_2^24.key ZKSYNC_HOME=$HOME \n\n# Run regeneration steps\ncargo run --release --bin key_generator generate-vk\ncargo run --features gpu --release --bin key_generator generate-compressor-data\n```\n\nThe output of the last command will contain the required `snark_wrapper` value.\n "
},
{
"hash": "0xb2f50340e0edbe49dc657d4eb298e07f13860c1be0fe2e438e44ef8fad133d84",
"name": "Boojum Plonk core-v29.11.1",
"sourceLink": "https://github.com/matter-labs/zksync-era/tree/core-v29.11.1/prover",
"proofSystem": {
"id": "Bellman",
"type": "Plonk",
"name": "Bellman",
"description": "Bellman Rust library for Plonk proving system, originally developed for ZCash."
},
"knownDeployments": [
{
"address": "0x7f33D100f482093182111d69a4a457289e99f4ec",
"chain": "ethereum"
}
],
"verificationStatus": "successful",
"attesters": [
{
"id": "l2beat",
"name": "L2BEAT",
"link": "https://l2beat.com"
}
],
"verificationSteps": "\n Verification requires an Ubuntu 22.04 machine with an NVIDIA GPU. We used a g6.4xlarge aws instance with 24 GiB GPU memory and 64 GiB RAM. \n The setup part is based on [this guide](https://paragraph.com/@zksync/from-integration-to-verification-completing-the-first-steps-in-zksync-s-prover-network) with modifications, the verification is done using [this script](https://github.com/matter-labs/zksync-era/tree/main/prover/crates/bin/vk_setup_data_generator_server_fri).\n \n 1. Install rust, yarn, some essential libraries, docker and cmake:\n \n ```\n curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh\n . .cargo/env\n \n curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.5/install.sh | bash\n export NVM_DIR=$HOME/.nvm\n . .bashrc\n nvm install 20\n npm install -g yarn\n yarn set version 1.22.19\n \n sudo apt-get update\n sudo apt-get install -y build-essential pkg-config cmake clang lldb lld libssl-dev postgresql apt-transport-https ca-certificates curl software-properties-common\n cargo install sqlx-cli --version 0.8.1\n \n # install the latest version of cmake\n sudo apt remove cmake\n curl -fsSL https://apt.kitware.com/kitware-archive.sh | sudo sh\n sudo apt-get install cmake\n ```\n \n 2. Install CUDA drivers and toolkit 12.2, export necessary env vars. On Ubuntu 22.04 this requires updating gcc to version 12.\n \n ```\n sudo apt-get install gcc-12 g++-12\n sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-12 100\n sudo update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-12 100\n \n wget https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2204/x86_64/cuda-keyring_1.1-1_all.deb\n sudo dpkg -i cuda-keyring_1.1-1_all.deb\n sudo apt-get update\n sudo apt-get install -y cuda-drivers-535\n sudo apt-get install -y cuda-toolkit-12-2\n ```\n \n Reboot the machine to apply the drivers.\n \n 3. Install `foundryup-zksync`.\n \n ```\n curl -L https://raw.githubusercontent.com/matter-labs/foundry-zksync/main/install-foundry-zksync | bash\n . ~/.bashrc\n foundryup-zksync\n ```\n \n 4. Build bellman-cuda. We used the tag version `prerelease-dev-a87a309`, commit hash `a87a309e7c07ef6b3fc5532e50d5d244aab9f4d0`.\n ```\n export CUDA_HOME=/usr/local/cuda\n export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/cuda/lib64:/usr/local/cuda/extras/CUPTI/lib64\n export PATH=$PATH:$CUDA_HOME/bin\n \n git clone https://github.com/matter-labs/era-bellman-cuda.git\n cd era-bellman-cuda\n git checkout prerelease-dev-a87a309\n git submodule update --init --recursive\n cmake -B./build -DCMAKE_BUILD_TYPE=Release\n cmake --build ./build\n export BELLMAN_CUDA_DIR=$HOME/era-bellman-cuda\n ```\n \n 5. Run all scripts to regenerate verification keys. The correct tag version of the repo is `core-v29.11.1`, commit hash `3f71cb2230fb9c365c095ce7bcf3373ea63fbec2`.\n ```\n cd ~ \n git clone https://github.com/matter-labs/zksync-era.git\n cd zksync-era/\n git checkout core-v29.11.1\n \n # Download compact CRS for the compressor data step, put in repo root\n curl -o setup_compact.key https://storage.googleapis.com/matterlabs-setup-keys-us/setup-keys/setup_compact.key\n export COMPACT_CRS_FILE=~/zksync-era/setup_compact.key\n \n cd prover/crates/bin/vk_setup_data_generator_server_fri\n CRS_FILE=https://storage.googleapis.com/matterlabs-setup-keys-us/setup-keys/setup_2^24.key ZKSYNC_HOME=$HOME \n \n # Run regeneration steps\n cargo run --release --bin key_generator generate-vk\n cargo run --features gpu --release --bin key_generator generate-compressor-data\n ```\n \n The output of the last command will contain the required `snark_wrapper` value.\n "
},
{
"hash": "0xc8cd705a0db89577146137de78eba6bd1f1c9c3f66dc52f7627e7c2df30895b2",
"name": "Boojum Fflonk core-v29.11.1",
"sourceLink": "https://github.com/matter-labs/zksync-era/tree/core-v29.11.1/prover",
"proofSystem": {
"id": "Zksync",
"type": "Fflonk",
"name": "Zksync",
"description": "Matter Labs Rust implementation of Fflonk improvement over standard Plonk proving system."
},
"knownDeployments": [
{
"address": "0xa38a0Df579F9eCA29fbA560b9885B1113b1Df442",
"chain": "ethereum"
}
],
"verificationStatus": "successful",
"attesters": [
{
"id": "l2beat",
"name": "L2BEAT",
"link": "https://l2beat.com"
}
],
"verificationSteps": "\nVerification requires an Ubuntu 22.04 machine with an NVIDIA GPU. We used a g6.4xlarge aws instance with 24 GiB GPU memory and 64 GiB RAM. \nThe setup part is based on [this guide](https://paragraph.com/@zksync/from-integration-to-verification-completing-the-first-steps-in-zksync-s-prover-network) with modifications, the verification is done using [this script](https://github.com/matter-labs/zksync-era/tree/main/prover/crates/bin/vk_setup_data_generator_server_fri).\n\n1. Install rust, yarn, some essential libraries, docker and cmake:\n\n```\ncurl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh\n. .cargo/env\n\ncurl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.5/install.sh | bash\nexport NVM_DIR=$HOME/.nvm\n. .bashrc\nnvm install 20\nnpm install -g yarn\nyarn set version 1.22.19\n\nsudo apt-get update\nsudo apt-get install -y build-essential pkg-config cmake clang lldb lld libssl-dev postgresql apt-transport-https ca-certificates curl software-properties-common\ncargo install sqlx-cli --version 0.8.1\n\n# install the latest version of cmake\nsudo apt remove cmake\ncurl -fsSL https://apt.kitware.com/kitware-archive.sh | sudo sh\nsudo apt-get install cmake\n```\n\n2. Install CUDA drivers and toolkit 12.2, export necessary env vars. On Ubuntu 22.04 this requires updating gcc to version 12.\n\n```\nsudo apt-get install gcc-12 g++-12\nsudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-12 100\nsudo update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-12 100\n\nwget https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2204/x86_64/cuda-keyring_1.1-1_all.deb\nsudo dpkg -i cuda-keyring_1.1-1_all.deb\nsudo apt-get update\nsudo apt-get install -y cuda-drivers-535\nsudo apt-get install -y cuda-toolkit-12-2\n```\n\nReboot the machine to apply the drivers.\n\n3. Install `foundryup-zksync`.\n\n```\ncurl -L https://raw.githubusercontent.com/matter-labs/foundry-zksync/main/install-foundry-zksync | bash\n. ~/.bashrc\nfoundryup-zksync\n```\n\n4. Build bellman-cuda. We used the tag version `prerelease-dev-a87a309`, commit hash `a87a309e7c07ef6b3fc5532e50d5d244aab9f4d0`.\n```\nexport CUDA_HOME=/usr/local/cuda\nexport LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/cuda/lib64:/usr/local/cuda/extras/CUPTI/lib64\nexport PATH=$PATH:$CUDA_HOME/bin\n\ngit clone https://github.com/matter-labs/era-bellman-cuda.git\ncd era-bellman-cuda\ngit checkout prerelease-dev-a87a309\ngit submodule update --init --recursive\ncmake -B./build -DCMAKE_BUILD_TYPE=Release\ncmake --build ./build\nexport BELLMAN_CUDA_DIR=$HOME/era-bellman-cuda\n```\n\n5. Run all scripts to regenerate verification keys. The correct tag version of the repo is `core-v29.11.1`, commit hash `3f71cb2230fb9c365c095ce7bcf3373ea63fbec2`.\n```\ncd ~ \ngit clone https://github.com/matter-labs/zksync-era.git\ncd zksync-era/\ngit checkout core-v29.11.1\n\n# Download compact CRS for the compressor data step, put in repo root\ncurl -o setup_compact.key https://storage.googleapis.com/matterlabs-setup-keys-us/setup-keys/setup_compact.key\nexport COMPACT_CRS_FILE=~/zksync-era/setup_compact.key\n\ncd prover/crates/bin/vk_setup_data_generator_server_fri\nCRS_FILE=https://storage.googleapis.com/matterlabs-setup-keys-us/setup-keys/setup_2^24.key ZKSYNC_HOME=$HOME \n\n# Run regeneration steps\ncargo run --release --bin key_generator generate-vk\ncargo run --features gpu --release --bin key_generator generate-compressor-data\n```\n\nThe output of the last command will contain the required `fflonk_snark_wrapper` value.\n "
}
]
}+2 -0
+2 -0
{
"creator": "Espresso Systems",
"projectsForTvs": [
{
"projectId": "espresso",
"sinceTimestamp": 1730830799
}
],
"proofSystemInfo": "\n ## Description\n\n Espresso proof system implements a light client of HotShot consensus of Espresso network, i.e. it verifies that a sufficient number of Espresso nodes have correctly signed consensus message. It is implemented by a [Jellyfish Plonk](https://github.com/EspressoSystems/jellyfish) proof system on a [custom circuit](https://github.com/EspressoSystems/espresso-network/blob/2c166fe13a730733d18198d3989d3be2b4c42da8/hotshot-state-prover/src/v3/circuit.rs) that checks all necessary conditions. Jellyfish is a Rust implementation of [Plonk system](https://eprint.iacr.org/2019/953.pdf) without significant modifications. [This code](https://github.com/EspressoSystems/espresso-network/blob/2c166fe13a730733d18198d3989d3be2b4c42da8/contracts/rust/gen-vk-contract/src/main.rs) generates a Solidity verifier to check zk proofs within EVM.\n ",
"techStack": {
"snark": [
{
"id": "Jellyfish",
"type": "Plonk",
"name": "Jellyfish",
"description": "Open-source toolkit of various cryptographic primitives, including an implementation of Plonk SNARK, developed in Rust by Espresso Systems."
},
{
"id": "BN254",
"type": "curve",
"name": "BN254",
"description": "BN254, aka BN256, aka alt_bn128 pairing-friendly 254-bit prime field Weierstrass elliptic curve."
},
{
"id": "CustomCircuits",
"type": "Other",
"name": "App-specific circuits",
"description": "This project uses custom app-specific ZK circuits."
}
]
},
"trustedSetups": [
{
"proofSystem": {
"id": "Jellyfish",
"type": "Plonk",
"name": "Jellyfish",
"description": "Open-source toolkit of various cryptographic primitives, including an implementation of Plonk SNARK, developed in Rust by Espresso Systems."
},
"id": "AztecIgnition",
"name": "Aztec Ignition",
"risk": "green",
"shortDescription": "Aztec Ignition is a trusted setup ceremony that was run by Aztec for KZG commitment over BN254 curve in 2019. It included 176 participants and was publicly open for participation.",
"longDescription": " \n Aztec Ignition is a trusted setup ceremony for KZG commitments over BN254 curve that was run by Aztec for KZG commitment over BN254 curve in 2019. \n It included 176 participants and was publicly open for participation.\n \n - Github repo to download and verify the ceremony artifacts: [https://github.com/AztecProtocol/ignition-verification](https://github.com/AztecProtocol/ignition-verification).\n - Github repo with instructions for ceremony participants: [https://github.com/AztecProtocol/Setup](https://github.com/AztecProtocol/Setup).\n - Ceremony announcement with a call to participate: [https://aztec.network/blog/announcing-ignition](https://aztec.network/blog/announcing-ignition).\n "
}
],
"verifierHashes": [
{
"hash": "0x060faa7957cb2ffdc75de8ea20d1eb50277c7fb0d2f48ecb7e2db7956d0bdad4",
"name": "Espresso verifier v3",
"sourceLink": "https://github.com/EspressoSystems/jellyfish",
"proofSystem": {
"id": "Jellyfish",
"type": "Plonk",
"name": "Jellyfish",
"description": "Open-source toolkit of various cryptographic primitives, including an implementation of Plonk SNARK, developed in Rust by Espresso Systems."
},
"knownDeployments": [
{
"address": "0x098C593361d12DD638Ce7dBf34c8C6a655f8274c",
"chain": "ethereum"
}
],
"verificationStatus": "notVerified",
"description": "Custom verifier ID: SHA256 hash of the abi packed flattened VerifyingKey structure returned by _getVk() function on the Espresso Light Client contract (0x95Ca91Cea73239b15E5D2e5A74d02d6b5E0ae458)."
}
]
}+2 -0
+2 -0
{
"creator": "INTMAX",
"projectsForTvs": [
{
"projectId": "intmax",
"sinceTimestamp": 1750888800
}
],
"proofSystemInfo": "\n \n ## Description\n\n INTMAX prover is a zk proving system for privacy-preserving INTMAX L2 based on [Plonky2](https://github.com/0xPolygonZero/plonky2/tree/main) circuits, optimized for client side proving and using not only succinctness, but also zero knowledge properties of Plonky2. INTMAX circuits are proven with a STARK which is wrapped into a Plonk SNARK before settling onchain.\n\n ## Proof system\n\n Plonky2 implements a circuit aritmetization based on TurboPlonk over Goldilocks field, but it replaces KZG polynomial commitment scheme with a FRI-based polynomial testing scheme. In this way proving Plonky2 circuits requires no trusted setup, i.e. it is a STARK. However the circuit design is different from zkVM STARKs, so INTMAX custom logic is implemented as custom circuits rather than a zkVM program.\n\n ### Circuits\n\n INTMAX prover works with [several different circuits](https://github.com/InternetMaximalism/intmax2-zkp/blob/main/README.md) that could be proven by different entities in the network (e.g. [users, validity provers, aggregators](https://docs.network.intmax.io/developers-hub/intmax-nodes/provers)). This design support local proving and enables private transactions on the L2.\n\n Available circuits are: [validity](https://github.com/InternetMaximalism/intmax2-zkp/tree/main/src/circuits/validity) for proving public state transition, [balance](https://github.com/InternetMaximalism/intmax2-zkp/tree/main/src/circuits/balance) for proving correct updates of individual user accounts based on private information, [withdrawal](https://github.com/InternetMaximalism/intmax2-zkp/tree/main/src/circuits/withdrawal) for proving the validity of withdrawing funds from L2 to the host chain, [claim](https://github.com/InternetMaximalism/intmax2-zkp/tree/main/src/circuits/claim) for proving user eligibility for privacy mining program and [proof of innocence](https://github.com/InternetMaximalism/intmax2-zkp/tree/main/src/circuits/proof_of_innocence) for proving certain claims about deposits and withdrawals.\n\n ### Recursion and final wrap\n\n INTMAX circuits are based on recursive architecture, where generating a new STARK requires validating a previous STARK proof (e.g. processing a new balance update requires validating all previous balance updates). Several entities are responsible for providing these recursive proofs: users or [balance provers](https://docs.network.intmax.io/developers-hub/intmax-nodes/provers#balance-prover) for balance updates, [validity provers](https://docs.network.intmax.io/developers-hub/intmax-nodes/validity-prover) for validity circuit, [claim](https://docs.network.intmax.io/developers-hub/intmax-nodes/claim-aggregator) and [withdrawal](https://docs.network.intmax.io/developers-hub/intmax-nodes/withdrawal-aggregator) aggregators for processing claim and withdrawal proofs.\n\n Only claim and withdrawal proofs are posted onchain to be verified, all other proofs are verified only by the nodes in INTMAX network. Onchain proofs are wrapped in a [gnark](https://github.com/Consensys/gnark) implementation of Plonk over BN254 curve, which requires a trusted setup (see [below](#trusted-setups) for more details).\n ",
"techStack": {
"snark": [
{
"id": "Plonky2",
"type": "Plonk",
"name": "Plonky2",
"description": "Toolkit for developing transparent SNARKs based on PLONK and FRI developed by Polygon Zero team."
},
{
"id": "Goldilocks",
"type": "Field",
"name": "Goldilocks",
"description": "Prime field of order p = 2**64 - 2**32 + 1."
},
{
"id": "CustomCircuits",
"type": "Other",
"name": "App-specific circuits",
"description": "This project uses custom app-specific ZK circuits."
}
],
"finalWrap": [
{
"id": "Gnark",
"type": "Plonk",
"name": "Gnark",
"description": "Consensys implementation of Plonk proving system written in Go."
},
{
"id": "BN254",
"type": "curve",
"name": "BN254",
"description": "BN254, aka BN256, aka alt_bn128 pairing-friendly 254-bit prime field Weierstrass elliptic curve."
}
]
},
"trustedSetups": [
{
"proofSystem": {
"id": "Gnark",
"type": "Plonk",
"name": "Gnark",
"description": "Consensys implementation of Plonk proving system written in Go."
},
"id": "AztecIgnition",
"name": "Aztec Ignition",
"risk": "green",
"shortDescription": "Aztec Ignition is a trusted setup ceremony that was run by Aztec for KZG commitment over BN254 curve in 2019. It included 176 participants and was publicly open for participation.",
"longDescription": " \n Aztec Ignition is a trusted setup ceremony for KZG commitments over BN254 curve that was run by Aztec for KZG commitment over BN254 curve in 2019. \n It included 176 participants and was publicly open for participation.\n \n - Github repo to download and verify the ceremony artifacts: [https://github.com/AztecProtocol/ignition-verification](https://github.com/AztecProtocol/ignition-verification).\n - Github repo with instructions for ceremony participants: [https://github.com/AztecProtocol/Setup](https://github.com/AztecProtocol/Setup).\n - Ceremony announcement with a call to participate: [https://aztec.network/blog/announcing-ignition](https://aztec.network/blog/announcing-ignition).\n "
}
],
"verifierHashes": [
{
"hash": "0x664dceea25b57766a5b550cf25cca24a7305f36fd60a5835f9e0505bec14ce8e",
"name": "Intmax verifier",
"sourceLink": "https://github.com/InternetMaximalism/intmax2-zkp",
"proofSystem": {
"id": "Gnark",
"type": "Plonk",
"name": "Gnark",
"description": "Consensys implementation of Plonk proving system written in Go."
},
"knownDeployments": [
{
"address": "0x1d38545a33740Ab3480d9035bB3126914404423d",
"chain": "scroll"
}
],
"verificationStatus": "notVerified",
"description": "Custom verifier ID: SHA256 hash of all VK_... values from the smart contract, abi packed in the same order they are defined."
}
]
}+3 -0
+3 -0
{
"creator": "Lighter",
"projectsForTvs": [
{
"projectId": "lighter",
"sinceTimestamp": 1759356000
}
],
"proofSystemInfo": "\n## Description\n\nLighter prover is a zk proving system for Lighter L2 based on [Plonky2](https://github.com/0xPolygonZero/plonky2/tree/main) circuits. It verifies the logic for regular state transition of Lighter L2, as well as state transitions in the “desert mode” when L2 is shut down and users exit, using different sets of circuits. The circuits are proven with a STARK which is wrapped into a Plonk SNARK before settling onchain.\n\n## Proof system\n\n[Plonky2](https://github.com/0xPolygonZero/plonky2) implements a circuit aritmetization based on TurboPlonk over Goldilocks field, but it replaces KZG polynomial commitment scheme with a FRI-based polynomial testing scheme. In this way proving Plonky2 circuits requires no trusted setup, i.e. it is a STARK. \n\nHowever Lighter wraps these STARK in a [gnark](https://github.com/Consensys/gnark) implementation of Plonk over BN254 curve, which requires a trusted setup.\n\n### Circuits\n\nThe proof system operates on Lighter STF circuits and desert mode circuits. All published circuits are available [here](https://github.com/elliottech/lighter-prover/tree/053ceda7c59a9a0e05997661ca5a1bb7a92bb267/circuit), note that the Lighter team has not published the desert circuits yet. \n\nLighter proof system defines circuits for proving all transactions, including internal, L1 and L2 transactions. The full list of available transactions that define Lighter STF can be seen [here](https://github.com/elliottech/lighter-prover/tree/053ceda7c59a9a0e05997661ca5a1bb7a92bb267/circuit/src/transactions). \n\nTransaction circuits use custom implementations for arithmetic operations ([bigint](https://github.com/elliottech/lighter-prover/tree/053ceda7c59a9a0e05997661ca5a1bb7a92bb267/circuit/src/bigint), [uint](https://github.com/elliottech/lighter-prover/tree/053ceda7c59a9a0e05997661ca5a1bb7a92bb267/circuit/src/uint)), cryptographic primitives ([ecdsa](https://github.com/elliottech/lighter-prover/tree/053ceda7c59a9a0e05997661ca5a1bb7a92bb267/circuit/src/ecdsa) on the Secp256k1 curve, [eddsa](https://github.com/elliottech/lighter-prover/tree/053ceda7c59a9a0e05997661ca5a1bb7a92bb267/circuit/src/eddsa) on the ECgFp5 curve, [keccak](https://github.com/elliottech/lighter-prover/tree/053ceda7c59a9a0e05997661ca5a1bb7a92bb267/circuit/src/keccak), [poseidon_bn128](https://github.com/elliottech/lighter-prover/tree/053ceda7c59a9a0e05997661ca5a1bb7a92bb267/circuit/src/poseidon_bn128)) and other helper circuits.\n\n### Recursion\n\nLighter prover implements recursive aggregation of transaction proofs to make the whole pipeline more efficient and parallelizable. First, fixed-size blocks of consecutive transactions are processed and proven by [BlockTx circuit](https://github.com/elliottech/lighter-prover/blob/053ceda7c59a9a0e05997661ca5a1bb7a92bb267/circuit/src/block_tx_constraints.rs), which can be done on separate machines. Next, arbitrary number of BlockTx proofs are aggregated into a single proof by [BlockTxChain circuit](https://github.com/elliottech/lighter-prover/blob/053ceda7c59a9a0e05997661ca5a1bb7a92bb267/circuit/src/block_tx_chain_constraints.rs), which includes continuity checks across all BlockTx proofs.\n",
"techStack": {
"snark": [
{
"id": "Plonky2",
"type": "Plonk",
"name": "Plonky2",
"description": "Toolkit for developing transparent SNARKs based on PLONK and FRI developed by Polygon Zero team."
},
{
"id": "Goldilocks",
"type": "Field",
"name": "Goldilocks",
"description": "Prime field of order p = 2**64 - 2**32 + 1."
},
{
"id": "CustomCircuits",
"type": "Other",
"name": "App-specific circuits",
"description": "This project uses custom app-specific ZK circuits."
}
],
"finalWrap": [
{
"id": "Gnark",
"type": "Plonk",
"name": "Gnark",
"description": "Consensys implementation of Plonk proving system written in Go."
},
{
"id": "BN254",
"type": "curve",
"name": "BN254",
"description": "BN254, aka BN256, aka alt_bn128 pairing-friendly 254-bit prime field Weierstrass elliptic curve."
}
]
},
"trustedSetups": [
{
"proofSystem": {
"id": "Gnark",
"type": "Plonk",
"name": "Gnark",
"description": "Consensys implementation of Plonk proving system written in Go."
},
"id": "AztecIgnition",
"name": "Aztec Ignition",
"risk": "green",
"shortDescription": "Aztec Ignition is a trusted setup ceremony that was run by Aztec for KZG commitment over BN254 curve in 2019. It included 176 participants and was publicly open for participation.",
"longDescription": " \n Aztec Ignition is a trusted setup ceremony for KZG commitments over BN254 curve that was run by Aztec for KZG commitment over BN254 curve in 2019. \n It included 176 participants and was publicly open for participation.\n \n - Github repo to download and verify the ceremony artifacts: [https://github.com/AztecProtocol/ignition-verification](https://github.com/AztecProtocol/ignition-verification).\n - Github repo with instructions for ceremony participants: [https://github.com/AztecProtocol/Setup](https://github.com/AztecProtocol/Setup).\n - Ceremony announcement with a call to participate: [https://aztec.network/blog/announcing-ignition](https://aztec.network/blog/announcing-ignition).\n "
}
],
"verifierHashes": [
{
"hash": "0x8dcfa8132726f2dcc75e6b791c48f5e5b375e6ea78a5e161e75b657195192b9d",
"name": "Lighter verifier",
"sourceLink": "https://github.com/elliottech/lighter-prover/tree/main",
"proofSystem": {
"id": "Gnark",
"type": "Plonk",
"name": "Gnark",
"description": "Consensys implementation of Plonk proving system written in Go."
},
"knownDeployments": [
{
"address": "0x840b49E7d53699C7eC4333ffFe27Dc679B171Db8",
"chain": "ethereum"
}
],
"verificationStatus": "unsuccessful",
"attesters": [
{
"id": "l2beat",
"name": "L2BEAT",
"link": "https://l2beat.com"
}
],
"verificationSteps": "At the time of writing, the sources for this version of the verifier circuits are not published and thus the verifier cannot be independently regenerated."
},
{
"hash": "0xc3d58029fabf2a93d6cb9b96315c484e4bea2e238aaa081460c9027863c650e7",
"name": "Lighter Desert verifier",
"proofSystem": {
"id": "Gnark",
"type": "Plonk",
"name": "Gnark",
"description": "Consensys implementation of Plonk proving system written in Go."
},
"knownDeployments": [
{
"address": "0xd4460475F00307845082d3a146f36661354FBc67",
"chain": "ethereum"
}
],
"verificationStatus": "unsuccessful",
"verificationSteps": "The sources for desert verifier circuits are not published and thus the verifier cannot be independently regenerated.",
"description": "Custom verifier ID: SHA256 hash of all VK_... values from the smart contract, abi packed in the same order they are defined."
}
]
}+3 -0
+3 -0
{
"creator": "Consensys",
"projectsForTvs": [
{
"projectId": "linea",
"sinceTimestamp": 1689112800
}
],
"proofSystemInfo": "\n \n ## Description\n\n [Linea prover](https://github.com/Consensys/linea-monorepo/tree/main/prover) implements a zkEVM by creating a custom arithmetization of EVM state transition and proving it in a series of recursive SNARKs (i.e. without implementing a zkVM). The proof is wrapped into a Plonk with KZG for efficient onchain verification. Linea prover targets 128 bits of security.\n\n ## Proof system\n\n Linea prover includes Wizard-IOP framework for extending polynomial IOPs with more powerful queries, Arcane compiler of Wizard-IOP into polynomial IOP and Vortex list polynomial commitment (LPC) scheme.\n\n Wizard-IOP represents an extension of polynomial IOP with a wider range of queries, including inclusion check, permutation check, range check etc. Vortex LPC is a batchable polynomial commitment that is based on [Ligero](https://eprint.iacr.org/2022/1608) with lattice-based hash functions. To achieve succinct proof size, Linea prover performs multiple rounds of self-recursion by arithmetizing the Vortex verifier in the Wizard-IOP framework. During these rounds Plonk+KZG schemes over curves BW6, BLS12-377, and BN254 are used, creating a dependency on 3 trusted setups, see [below](#trusted-setups) for more details.\n\n ### EVM circuits\n\n This level of Linea prover produces execution proof and compression proof after several rounds of self-recursive compression. Both of these are Plonk based proofs over BLS12-377 curve.\n\n Execution proof validates the correct execution of transactions within the EVM, including knowledge of correct EVM traces, correctness of precompiles and consistency of public inputs.\n\n Compression proof verifies effective and correct compression of inputs for EVM execution circuits.\n\n ### Aggregation circuits\n\n At this stage several proofs generated by execution and compression circuits are recursively verified within the finalization (or aggregation) circuit, which also checks the “connection” of all public inputs across all circuits. It leverages a composite proof system that combines several Plonk circuits on the BW6, BLS12-377, and BN254 curve with a goal of performant recursion.\n\n ### Final wrap\n\n In the end the Linea proof is wrapped in a [gnark](https://github.com/Consensys/gnark) implementation of Plonk over BN254 curve for even more efficiency onchain. For Plonk, Aztec Ignition trusted setup ceremony is used.\n ",
"techStack": {
"zkVM": [
{
"id": "linea",
"type": "Plonk",
"name": "Linea",
"description": "Prover system of Linea written in Go, includes Vortex polynomial commitment and Arcane compiler."
},
{
"id": "EVM",
"type": "ISA",
"name": "EVM",
"description": "Instruction language for Ethereum VM."
},
{
"id": "BLS12-377",
"type": "curve",
"name": "BLS12-377",
"description": "Pairing-friendly 377-bit prime field Weierstrass elliptic curve."
},
{
"id": "BW6-761",
"type": "curve",
"name": "BW6-761",
"description": "Pairing-friendly 761-bit prime field elliptic curve introduced by Housni and Guillevic."
}
],
"finalWrap": [
{
"id": "Gnark",
"type": "Plonk",
"name": "Gnark",
"description": "Consensys implementation of Plonk proving system written in Go."
},
{
"id": "BN254",
"type": "curve",
"name": "BN254",
"description": "BN254, aka BN256, aka alt_bn128 pairing-friendly 254-bit prime field Weierstrass elliptic curve."
}
]
},
"trustedSetups": [
{
"proofSystem": {
"id": "Gnark",
"type": "Plonk",
"name": "Gnark",
"description": "Consensys implementation of Plonk proving system written in Go."
},
"id": "AztecIgnition",
"name": "Aztec Ignition",
"risk": "green",
"shortDescription": "Aztec Ignition is a trusted setup ceremony that was run by Aztec for KZG commitment over BN254 curve in 2019. It included 176 participants and was publicly open for participation.",
"longDescription": " \n Aztec Ignition is a trusted setup ceremony for KZG commitments over BN254 curve that was run by Aztec for KZG commitment over BN254 curve in 2019. \n It included 176 participants and was publicly open for participation.\n \n - Github repo to download and verify the ceremony artifacts: [https://github.com/AztecProtocol/ignition-verification](https://github.com/AztecProtocol/ignition-verification).\n - Github repo with instructions for ceremony participants: [https://github.com/AztecProtocol/Setup](https://github.com/AztecProtocol/Setup).\n - Ceremony announcement with a call to participate: [https://aztec.network/blog/announcing-ignition](https://aztec.network/blog/announcing-ignition).\n "
},
{
"proofSystem": {
"id": "Gnark",
"type": "Plonk",
"name": "Gnark",
"description": "Consensys implementation of Plonk proving system written in Go."
},
"id": "Aleo",
"risk": "yellow",
"name": "Aleo stage I trusted setup",
"shortDescription": "Trusted setup for KZG commitments over BLS12-377 curve, initially run as Aleo's Stage I setup. Ceremony has 106 participants and was publicly open for participation.",
"longDescription": "\n Ceremony generated trusted setup for KZG commitments over BLS12-377 curve, it was originally run as stage I setup\n for Aleo blockchain and later reused for Linea prover. Ceremony has 106 participants.\n\n - Repo with ceremony instructions [https://github.com/AleoNet/aleo-setup](https://github.com/AleoNet/aleo-setup)\n - Link to the ceremony details: [https://setup.aleo.org](https://setup.aleo.org/)\n "
},
{
"proofSystem": {
"id": "Gnark",
"type": "Plonk",
"name": "Gnark",
"description": "Consensys implementation of Plonk proving system written in Go."
},
"id": "CeloPlumo",
"name": "Celo Plumo",
"risk": "yellow",
"shortDescription": "Trusted setup for KZG commitments over BW6-761 curve, initially run for Celo Plumo. Ceremony has 55 participants and was publicly open for participation.",
"longDescription": "\n Ceremony generated trusted setup for KZG commitments over BW6-761 curve, it was originally run for Celo\n Plumo and later reused for Linea prover. Ceremony has 55 participants.\n\n - Repo with ceremony instructions: [https://github.com/celo-org/snark-setup?tab=readme-ov-file](https://github.com/celo-org/snark-setup?tab=readme-ov-file)\n - Link to the ceremony details: [https://celo.org/plumo](https://celo.org/plumo) (it is broken. Archived version here: [https://web.archive.org/web/20221201203227/https://celo.org/plumo](https://web.archive.org/web/20221201203227/https://celo.org/plumo))\n - Links to ceremony transcript: [https://console.cloud.google.com/storage/browser/plumoceremonyphase1/chunks](https://console.cloud.google.com/storage/browser/plumoceremonyphase1/chunks)\n - Link to ceremony verification code: [https://github.com/Consensys/gnark-ignition-verifier/blob/feat/celo_parser/celo/main.go](https://github.com/Consensys/gnark-ignition-verifier/blob/feat/celo_parser/celo/main.go)\n "
}
],
"verifierHashes": [
{
"hash": "0x4434516bbfeb1e4fca34d295be3926880f0a918360f218ce78bbecbd6095eb6f",
"name": "Linea Plonk",
"proofSystem": {
"id": "Gnark",
"type": "Plonk",
"name": "Gnark",
"description": "Consensys implementation of Plonk proving system written in Go."
},
"knownDeployments": [
{
"address": "0xC83ed08E2262fBa264D528C749c051f8fC526897",
"chain": "ethereum"
}
],
"verificationStatus": "notVerified",
"description": "Custom verifier ID: SHA256 hash of all VK_... values from the smart contract, abi packed in the same order they are defined."
},
{
"hash": "0xa2d1e02fe3b174b3b039ed8e33e7d9cb57b2b4990b5e4b22d634872e4d9e9325",
"name": "Linea Plonk v6.1.1",
"sourceLink": "https://github.com/Consensys/linea-monorepo/blob/456c3a8b8c4c1dd0659057237476bf507bae1860/prover",
"proofSystem": {
"id": "Gnark",
"type": "Plonk",
"name": "Gnark",
"description": "Consensys implementation of Plonk proving system written in Go."
},
"knownDeployments": [
{
"address": "0x8f8EC9608223C0b8D13238950c03F5D42ceeBb9b",
"chain": "ethereum"
}
],
"verificationStatus": "unsuccessful",
"attesters": [
{
"id": "l2beat",
"name": "L2BEAT",
"link": "https://l2beat.com"
}
],
"verificationSteps": "The steps provided by the Linea team [here](https://github.com/Consensys/linea-monorepo/blob/94d0554912ab9f570b8b60e985a788ac7f78f96d/prover/prover-assets/Readme.md) do \n not produce the same verifier smart contract as deployed onchain. According to the Linea team, this is caused by nondeterminism in one of the optimization routine that is used for the vanishing constraints verifier of Vortex.",
"description": "Custom verifier ID: SHA256 hash of all VK_... values from the smart contract, abi packed in the same order they are defined."
}
]
}+10 -0
+10 -0
{
"creator": "Loopring",
"projectsForTvs": [
{
"projectId": "loopring",
"sinceTimestamp": 1582758000
}
],
"proofSystemInfo": "\n ## Proof system\n\n Loopring prover is a monolithic Groth16 SNARK proving system over BN254 curve that generates validity proofs for the state transition of Loopring L2. This system has [custom R1CS circuits](https://github.com/Loopring/protocol3-circuits.git) designed to prove the specific state transition function of the L2, including deposits and withdrawals, transfers, spot trades and curve AMM swaps, NFT operations. Loopring uses [Ethsnarks prover library](https://github.com/HarryR/ethsnarks). \n ",
"techStack": {
"snark": [
{
"id": "EthSnarks",
"type": "Groth16",
"name": "EthSnarks",
"description": "EthSnarks implementation of Groth16 proving system written in C++."
},
{
"id": "BN254",
"type": "curve",
"name": "BN254",
"description": "BN254, aka BN256, aka alt_bn128 pairing-friendly 254-bit prime field Weierstrass elliptic curve."
},
{
"id": "CustomCircuits",
"type": "Other",
"name": "App-specific circuits",
"description": "This project uses custom app-specific ZK circuits."
}
]
},
"trustedSetups": [
{
"proofSystem": {
"id": "EthSnarks",
"type": "Groth16",
"name": "EthSnarks",
"description": "EthSnarks implementation of Groth16 proving system written in C++."
},
"id": "Loopring",
"name": "Loopring Stack",
"risk": "red",
"shortDescription": "Two circuit-specific trusted setups for Groth16 verifiers of two L2s built with Loopring zk rollup stack. One contains 5 contributions, another 16 contributions.",
"longDescription": "\n This entry incorporates two different trusted setups with very similar properties. Namely, these are \n circuit-specific trusted setups for Groth16 circuits over BN254 curve of DeGate and Loopring app chains \n that are built with Loopring zk tech stack. DeGate trusted setup includes 5 phase 2 (i.e. circuit-specific) \n contributions, Loopring trusted setup includes 16 phase 2 contributions. Circuit-specific phase builds on top \n of the [Perpetual Powers of Tau ceremony](https://github.com/privacy-scaling-explorations/perpetualpowersoftau).\n\n - Repo for Loopring trusted setup: [https://github.com/Loopring/trusted_setup/tree/master](https://github.com/Loopring/trusted_setup/tree/master), repo for DeGate trusted setup: [https://github.com/degatedev/trusted_setup/tree/master](https://github.com/degatedev/trusted_setup/tree/master)\n - Post for DeGate ceremony: [https://medium.com/degate/degate-completes-zk-trusted-setup-ceremony-4752301e379f](https://medium.com/degate/degate-completes-zk-trusted-setup-ceremony-4752301e379f)\n "
}
],
"verifierHashes": [
{
"hash": "0x4c18cccb70be9bd6c438cc6d558d3451114af2fcd2e45a4286afecf2f327b80d",
"name": "Loopring verifier block size 16",
"sourceLink": "https://github.com/Loopring/protocols/tree/master/packages/loopring_v3",
"proofSystem": {
"id": "EthSnarks",
"type": "Groth16",
"name": "EthSnarks",
"description": "EthSnarks implementation of Groth16 proving system written in C++."
},
"knownDeployments": [
{
"address": "0x6150343E0F43A17519c0327c41eDd9eBE88D01ef",
"chain": "ethereum"
}
],
"verificationStatus": "notVerified",
"description": "Custom verifier ID: SHA256 hash of the abi packed vk array obtained by calling getVerificationKey(blockType = 0, blockSize = 16, blockVersion = 17) on the verifier smart contract."
},
{
"hash": "0xf29dd53bbc041a71ed0ce5812b2795151a93d233f0b3d73205eaf1e3b5ebbb18",
"name": "Loopring verifier block size 32",
"sourceLink": "https://github.com/Loopring/protocols/tree/master/packages/loopring_v3",
"proofSystem": {
"id": "EthSnarks",
"type": "Groth16",
"name": "EthSnarks",
"description": "EthSnarks implementation of Groth16 proving system written in C++."
},
"knownDeployments": [
{
"address": "0x6150343E0F43A17519c0327c41eDd9eBE88D01ef",
"chain": "ethereum"
}
],
"verificationStatus": "notVerified",
"description": "Custom verifier ID: SHA256 hash of the abi packed vk array obtained by calling getVerificationKey(blockType = 0, blockSize = 32, blockVersion = 17) on the verifier smart contract."
},
{
"hash": "0xc1b762cee5cb2d339e88e5fc7ef9b3ab62887b150929f6e3599fef289838bae0",
"name": "Loopring verifier block size 64",
"sourceLink": "https://github.com/Loopring/protocols/tree/master/packages/loopring_v3",
"proofSystem": {
"id": "EthSnarks",
"type": "Groth16",
"name": "EthSnarks",
"description": "EthSnarks implementation of Groth16 proving system written in C++."
},
"knownDeployments": [
{
"address": "0x6150343E0F43A17519c0327c41eDd9eBE88D01ef",
"chain": "ethereum"
}
],
"verificationStatus": "notVerified",
"description": "Custom verifier ID: SHA256 hash of the abi packed vk array obtained by calling getVerificationKey(blockType = 0, blockSize = 64, blockVersion = 17) on the verifier smart contract."
},
{
"hash": "0x998a7b6031386f1ce64bbbfc9375b341ee4385289c1d4f121a62f1e3c73d3efb",
"name": "Loopring verifier block size 128",
"sourceLink": "https://github.com/Loopring/protocols/tree/master/packages/loopring_v3",
"proofSystem": {
"id": "EthSnarks",
"type": "Groth16",
"name": "EthSnarks",
"description": "EthSnarks implementation of Groth16 proving system written in C++."
},
"knownDeployments": [
{
"address": "0x6150343E0F43A17519c0327c41eDd9eBE88D01ef",
"chain": "ethereum"
}
],
"verificationStatus": "notVerified",
"description": "Custom verifier ID: SHA256 hash of the abi packed vk array obtained by calling getVerificationKey(blockType = 0, blockSize = 128, blockVersion = 17) on the verifier smart contract."
},
{
"hash": "0x765eff9d78d1abfe496040f999714d58df54c49753db801633762dd48b74f9ae",
"name": "Loopring verifier block size 256",
"sourceLink": "https://github.com/Loopring/protocols/tree/master/packages/loopring_v3",
"proofSystem": {
"id": "EthSnarks",
"type": "Groth16",
"name": "EthSnarks",
"description": "EthSnarks implementation of Groth16 proving system written in C++."
},
"knownDeployments": [
{
"address": "0x6150343E0F43A17519c0327c41eDd9eBE88D01ef",
"chain": "ethereum"
}
],
"verificationStatus": "notVerified",
"description": "Custom verifier ID: SHA256 hash of the abi packed vk array obtained by calling getVerificationKey(blockType = 0, blockSize = 256, blockVersion = 17) on the verifier smart contract."
}
]
}+4 -0
+4 -0
{
"creator": "Axiom",
"projectsForTvs": [
{
"projectId": "scroll",
"sinceTimestamp": 1697493600
}
],
"proofSystemInfo": "\n \n ## Description\n\n [OpenVM](https://github.com/openvm-org/openvm?tab=readme-ov-file) is a STARK proving system based on [Plonky3 proving library](https://github.com/Plonky3/Plonky3), that has “no-CPU” design paradigm and allows adding new custom instructions to its instruction set architecture (ISA). It supports [recursive STARK aggregation](https://docs.openvm.dev/book/guest-libraries/verify-stark) and provides an [SDK](https://github.com/openvm-org/openvm-solidity-sdk) for creating Solidity verifier smart contracts. \n\n ## Proof system\n\n The proof system is split into ZK frontend, i.e. arithmetization, and ZK backend, i.e. a polynomial IOP with the Fiat-Shamir heuristic. In practice, a batched FRI-based polynomial commitment is used as the backend. OpenVM backend relies on Plonky3 prover system.\n\n OpenVM arithmetizes the execution trace using AIR with Interactions over BabyBear prime field. Interactions which include LogUp, permutation check and others.\n\n ### zkVM design\n\n OpenVM uses read-only program memory, read/write data memory as well as inputs and hints from host to enable non-deterministic computation. The execution logic is organized into a set of system chips and custom chips, without any centralized CPU-like chip. Interactions between chips are managed by program, execution and memory buses.\n\n Currently OpenVM ISA supports RISC-V instructions, keccak-256 and SHA256 hash functions, int256 arithmetic, modular arithmetic over arbitrary fields, some elliptic curve operations for the secp256k1 and secp256r1 curves and pairing operations on the BN254 and BLS12-381 curves.\n\n ### Recursion circuits\n\n OpenVM supports recursive proving and continuations, i.e. splitting a single execution trace into several rather independent ones, by recursive verification of generated STARK proofs in a specialized OpenVM program optimized for efficient proof verification (called native VM).\n\n ### Final wrap\n\nThe STARK proof is wrapped in Halo2 SNARK with KZG commitments over BN254 curve for efficient onchain processing. KZG commitment relies on Perpetual Powers of Tau trusted setup ceremony, see [below](#trusted-setups) for more details.\n",
"techStack": {
"zkVM": [
{
"id": "Plonky3",
"type": "STARK",
"name": "Plonky3",
"description": "Toolkit that implements a set of primitives for STARK-based zkVMs developed by Polygon Zero team."
},
{
"id": "OpenVM",
"type": "ISA",
"name": "OpenVM",
"description": "Extensible instruction set for OpenVM zkVM developed by Axiom."
},
{
"id": "BabyBear",
"type": "Field",
"name": "Baby Bear",
"description": "Prime field of order p = 15 * 2**27 + 1."
}
],
"finalWrap": [
{
"id": "Halo2",
"type": "Plonk",
"name": "Halo2",
"description": "Rust implementation of Halo2 SNARK proving system, originally developed for ZCash."
},
{
"id": "BN254",
"type": "curve",
"name": "BN254",
"description": "BN254, aka BN256, aka alt_bn128 pairing-friendly 254-bit prime field Weierstrass elliptic curve."
},
{
"id": "KZG",
"type": "PCS",
"name": "KZG",
"description": "Polynomial commitment scheme that requires a universal trusted setup, introduced by Kate, Zaverucha and Goldberg."
}
]
},
"trustedSetups": [
{
"proofSystem": {
"id": "Halo2",
"type": "Plonk",
"name": "Halo2",
"description": "Rust implementation of Halo2 SNARK proving system, originally developed for ZCash."
},
"id": "Halo2KZG",
"name": "Halo2 KZG over BN254",
"risk": "yellow",
"shortDescription": "Trusted setup for KZG commitments managed by Halo2 team on the base of the first 71 contributions to the Perpetual Powers of Tau contributions.",
"longDescription": "\n A trusted setup used for KZG commitments over BN254 curve for Halo2 SNARK proving system \n (when it is set up not in a transparent way). De-facto it is the first 71 entries in the Perpetual Powers of Tau\n ceremony that were converted to a particular format.\n\n - The main coordination point is this Halo2 KZG repo to convert pptau format into Halo2-suitable format: [https://github.com/han0110/halo2-kzg-srs?tab=readme-ov-file#perpetual-powers-of-tau](https://github.com/han0110/halo2-kzg-srs?tab=readme-ov-file#perpetual-powers-of-tau)\n - Ceremony is [Perpetual Powers of Tau](https://github.com/weijiekoh/perpetualpowersoftau): [https://github.com/scroll-tech/scroll-prover/blob/main/circuit-assets.md](https://github.com/scroll-tech/scroll-prover/blob/main/circuit-assets.md)\n "
}
],
"verifierHashes": [
{
"hash": "0x30af8474d8e13b8ce6a96eae63293310e7c1072b890bde77f96786497a9e5f4b",
"name": "OpenVM Feynman",
"sourceLink": "https://github.com/scroll-tech/zkvm-prover/tree/v0.5.0/crates/prover",
"proofSystem": {
"id": "Halo2",
"type": "Plonk",
"name": "Halo2",
"description": "Rust implementation of Halo2 SNARK proving system, originally developed for ZCash."
},
"knownDeployments": [
{
"address": "0x39854DF30b3482Ef546F68B8981Fae5A2C426eA4",
"chain": "ethereum"
}
],
"verificationStatus": "successful",
"attesters": [
{
"id": "l2beat",
"name": "L2BEAT",
"link": "https://l2beat.com"
}
],
"verificationSteps": "\nThe verification steps are based on [this guide](https://github.com/scroll-tech/scroll-sc-tools/tree/feat/feynman?tab=readme-ov-file), with slight adjustments to resolve build failures. Memory usage peaks around 60 GiB on an ubuntu machine.\n\n1. Install dependency packages: `sudo apt-get update && sudo apt-get install build-essential pkg-config libssl-dev`.\n2. Install specifically required rust toolchain and solidity compiler:\n```\ncurl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh\n. .cargo/env\nrustup toolchain install nightly-2025-02-14\n\ncargo install svm-rs\nsvm install 0.8.19\nsolc --version # should be 0.8.19\n```\n3. Check out the correct version of the [scroll-sc-tools](https://github.com/scroll-tech/scroll-sc-tools) repo: `git checkout feat/feynman`. The commit hash should be `74c0bd1994171dcb69c6da82e93cf6d273f9b984`.\n4. Modify the script to download all required trusted setup params: line 8 of `scripts/download-params.sh` should be changed to `degrees=(\"22\" \"24\")`.\n5. Download trusted setup params (around 3 GiB): `bash scripts/download-params.sh`.\n6. Generate the verifier file and output its code hash: `RUST_MIN_STACK=16777216 cargo run --release -- generate-verifier`.\n7. Verify that the deployed verifier smart contract has the same codehash: `cast keccak $(cast code 0x39854DF30b3482Ef546F68B8981Fae5A2C426eA4 --rpc-url )`.\n ",
"description": "Custom verifier ID: solidity codehash of the verifier smart contract, i.e. keccak256 of the EVM bytecode."
},
{
"hash": "0xf86ce35d4f5b1478f21194d9c6fc825f8d8afc0468425c981dc017149f0cac5e",
"name": "OpenVM Galileo",
"sourceLink": "https://github.com/scroll-tech/zkvm-prover/tree/v0.7.0/crates/prover",
"proofSystem": {
"id": "Halo2",
"type": "Plonk",
"name": "Halo2",
"description": "Rust implementation of Halo2 SNARK proving system, originally developed for ZCash."
},
"knownDeployments": [
{
"address": "0x749fC77A1a131632a8b88e8703E489557660C75e",
"chain": "ethereum"
}
],
"verificationStatus": "successful",
"attesters": [
{
"id": "l2beat",
"name": "L2BEAT",
"link": "https://l2beat.com"
}
],
"description": "Custom verifier ID: solidity codehash of the verifier smart contract, i.e. keccak256 of the EVM bytecode.",
"verificationSteps": "\nThe verification steps are based on [this guide](https://github.com/scroll-tech/scroll-sc-tools/tree/feat/galileo?tab=readme-ov-file), with slight adjustments to resolve build failures. Memory usage peaks around 50 GiB on an ubuntu machine.\n\n1. Install dependency packages: `sudo apt-get update && sudo apt-get install build-essential pkg-config libssl-dev`.\n2. Install specifically required rust toolchain and solidity compiler:\n```\ncurl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh\n. .cargo/env\nrustup toolchain install nightly-2025-02-14\n\ncargo install svm-rs\nsvm install 0.8.19\nsolc --version # should be 0.8.19\n```\n3. Check out the correct version of the [scroll-sc-tools](https://github.com/scroll-tech/scroll-sc-tools) repo: `git checkout feat/galileo`. The commit hash should be `f880a705954dc205cae7e1add474bd9e6cad1610`.\n4. Modify the script to download all required trusted setup params: line 8 of `scripts/download-params.sh` should be changed to `degrees=(\"22\" \"23\" \"24\")`.\n5. Download trusted setup params (around 4 GiB): `bash scripts/download-params.sh`.\n6. Generate the verifier file and output its code hash: `RUST_MIN_STACK=16777216 cargo run --release -- generate-verifier --recompute`. If this step produces a build failure because of `SOLC_VERSION_0_8_31_CHECKSUM` duplication, open the problematic `builds.rs` file and remove all occurances of the duplicate (second version of `SOLC_VERSION_0_8_31_CHECKSUM`). This requires altering several lines, including changing the hardcoded length of `ALL_SOLC_VERSIONS` array. Rerun the command after altering the file.\n7. Verify that the deployed verifier smart contract has the same codehash: `cast keccak $(cast code 0x749fC77A1a131632a8b88e8703E489557660C75e --rpc-url )`.\n "
}
]
}+3 -0
+3 -0
{
"creator": "RISC Zero",
"projectsForTvs": [
{
"projectId": "taiko",
"sinceTimestamp": 1730452800
},
{
"projectId": "bob",
"sinceTimestamp": 1752703200
},
{
"projectId": "megaeth",
"sinceTimestamp": 1763954183
},
{
"projectId": "soon",
"sinceTimestamp": 1765180787
}
],
"proofSystemInfo": "\n \n ## Description\n\n RISC Zero is the first zkVM proving RISC-V ISA programs. Its STARK proving system is based on a rather standard theoretical construction of [Ben-Sasson et al paper](https://eprint.iacr.org/2018/046) and [DEEP-ALI version of FRI](https://eprint.iacr.org/2019/336). The proof of zkVM execution is wrapped in Groth16 SNARK for efficient onchain verification. RISC Zero onchain verifier targets [96 bits of security](https://dev.risczero.com/api/security-model#cryptographic-security).\n\n ## Proof system\n\n ### RISC-V circuit\n\n RISC Zero implements a [circuit that proves RISC-V RV32IM instruction set](https://github.com/risc0/risc0/tree/main/risc0/circuit/rv32im) (see [here](https://dev.risczero.com/api/zkvm/zkvm-specification#the-zkvm-execution-model) for more details). Arithmetization of this circuit has different types of columns: control, data and accumulator. Control columns contain public data that describes the RISC-V program being executed and proven. Data and accumulator columns contain private data (accessible only to prover), data represents the running state of the processor and memory and accumulator is auxiliary data for the PLOOKUP argument.\n\n ### Recursion circuit\n\n RISC Zero prover supports recursive proving of RISC-V programs using [recursion circuit](https://github.com/risc0/risc0/tree/main/risc0/circuit/recursion). This is a separate STARK circuit that is designed to efficiently generate proofs for the verification of STARK proofs, it uses the same proving system as the RISC-V circuit.\n\n Big programs are split into several segments that are executed and proven in parallel. Segment receipts (i.e. proofs of correct execution) are verified with recursion circuits and succinct receipts are produced. These succinct receipts could be recursively joined in pairs of two until a single succinct proof of the whole execution is produced. \n\n ### Final wrap\n\n RISC Zero [implements a SNARK wrapping](https://github.com/risc0/risc0/tree/main/risc0/groth16) of a recursive succinct receipt into a Groth16 proof over BN254 curve for onchain verification. This Groth16 R1CS circuit uses a circuit-specific trusted setup, the ceremony was run by RISC Zero, see [below](#trusted-setups) for more details. \n\n The final wrap circuit has a [control root](https://dev.risczero.com/terminology#control-root) public input that depends on the RISC-V and recursion circuit versions. This design allows upgrading RISC Zero proving system without changing the final wrapper and thus without running a new trusted setup ceremony.\n ",
"techStack": {
"zkVM": [
{
"id": "RISC0",
"type": "STARK",
"name": "Risc0",
"description": "zkVM STARK proving system developed by RISC ZERO for RISC-V programs."
},
{
"id": "RISCV32",
"type": "ISA",
"name": "RISC-V 32bit",
"description": "Free and open-source universal 32-bit ISA used across a variety of hardware and software."
},
{
"id": "BabyBear",
"type": "Field",
"name": "Baby Bear",
"description": "Prime field of order p = 15 * 2**27 + 1."
}
],
"finalWrap": [
{
"id": "Snarkjs",
"type": "Groth16",
"name": "Snarkjs",
"description": "Circom / iden3 implementation of Groth16 proving system written in JS."
},
{
"id": "BN254",
"type": "curve",
"name": "BN254",
"description": "BN254, aka BN256, aka alt_bn128 pairing-friendly 254-bit prime field Weierstrass elliptic curve."
}
]
},
"trustedSetups": [
{
"proofSystem": {
"id": "Snarkjs",
"type": "Groth16",
"name": "Snarkjs",
"description": "Circom / iden3 implementation of Groth16 proving system written in JS."
},
"id": "Risc0",
"name": "Risc0 Groth16",
"risk": "green",
"shortDescription": "Circuit-specific trusted setup for Risc0 final wrap Groth16 onchain verifier. It was publicly announced and run with 238 participants.",
"longDescription": "\n Ceremony for a circuit-specific trusted setup run by Risc0 for Groth16 circuits verifying Risc0 STARK proof. \n It was publicly announced and run with 238 participants. Ceremony transcript, as well as instructions for participation and verification \n are publicly available.\n\n - Ceremony instructions: [https://risczero.com/blog/ceremony-contribution-public-instructions](https://risczero.com/blog/ceremony-contribution-public-instructions)\n - Link to the verification: [https://dev.risczero.com/api/trusted-setup-ceremony#the-transcript-matches-the-circuit](https://dev.risczero.com/api/trusted-setup-ceremony#the-transcript-matches-the-circuit)\n - Post with a call to community to participate: [https://x.com/RiscZero/status/1781110200923275769](https://x.com/RiscZero/status/1781110200923275769)\n "
}
],
"verifierHashes": [
{
"hash": "0x0000000000000000000000000000000000000000000000000000000000000000",
"name": "RiscZero Soon verifier",
"proofSystem": {
"id": "Snarkjs",
"type": "Groth16",
"name": "Snarkjs",
"description": "Circom / iden3 implementation of Groth16 proving system written in JS."
},
"knownDeployments": [
{
"address": "0x455218fa82e96A6adCcf182EE8A90A93BE7a6Bc6",
"chain": "ethereum"
}
],
"verificationStatus": "unsuccessful",
"attesters": [
{
"id": "l2beat",
"name": "L2BEAT",
"link": "https://l2beat.com"
}
],
"description": "Verifier smart contract sources are not available on Etherscan, hash value is set to 0x0 to indicate that it is not known."
},
{
"hash": "0x1dcf73cbd51c9eba43c437c5a5ebc5328ca2d7a590c701a9a9bc1136eceeeea7",
"name": "RiscZero v2.2.0",
"proofSystem": {
"id": "Snarkjs",
"type": "Groth16",
"name": "Snarkjs",
"description": "Circom / iden3 implementation of Groth16 proving system written in JS."
},
"knownDeployments": [
{
"address": "0xafB31f5b70623CDF4b20Ada3f7230916A5A79df9",
"chain": "ethereum"
}
],
"verificationStatus": "notVerified",
"description": "Custom verifier ID: SHA256 hash of the following values abi packed together: the bytes32 value of internal pure function verifier_key_digest() of the RiscZeroGroth16Verifier.sol, bytes16 value of CONTROL_ROOT_0, bytes16 value of CONTROL_ROOT_1."
},
{
"hash": "0xc6fcb1951eb5b45a669431346a01577df99f30d72baa9d5c7eea40ec6cccfab9",
"name": "RiscZero v3.0.0",
"proofSystem": {
"id": "Snarkjs",
"type": "Groth16",
"name": "Snarkjs",
"description": "Circom / iden3 implementation of Groth16 proving system written in JS."
},
"knownDeployments": [
{
"address": "0x2a098988600d87650Fb061FfAff08B97149Fa84D",
"chain": "ethereum"
},
{
"address": "0x7CCA385bdC790c25924333F5ADb7F4967F5d1599",
"chain": "ethereum"
},
{
"address": "0x411e56a890c5fe0712f6F345977815Ba8E7785C3",
"chain": "ethereum"
}
],
"verificationStatus": "notVerified",
"description": "Custom verifier ID: SHA256 hash of the following values abi packed together: the bytes32 value of internal pure function verifier_key_digest() of the RiscZeroGroth16Verifier.sol, bytes16 value of CONTROL_ROOT_0, bytes16 value of CONTROL_ROOT_1."
}
]
}+4 -0
+4 -0
{
"creator": "Succinct",
"projectsForTvs": [
{
"projectId": "celo",
"sinceTimestamp": 1771445567
},
{
"projectId": "vector",
"sinceTimestamp": 1771445567
},
{
"projectId": "sophon",
"sinceTimestamp": 1771445567
},
{
"projectId": "lens",
"sinceTimestamp": 1771445567
},
{
"projectId": "galxegravity",
"sinceTimestamp": 1771445567
},
{
"projectId": "rari",
"sinceTimestamp": 1771445567
},
{
"projectId": "blobstream",
"sinceTimestamp": 1771445567
},
{
"projectId": "molten",
"sinceTimestamp": 1771445567
},
{
"projectId": "winr",
"sinceTimestamp": 1771445567
},
{
"projectId": "phala",
"sinceTimestamp": 1771445567
},
{
"projectId": "kroma",
"sinceTimestamp": 1771445567
}
],
"proofSystemInfo": "\n## Description\n\nSP1 Hypercube is the latest Succint's RISC-V zkVM using the [Plonky3](https://github.com/Plonky3/Plonky3) stack. The zkVM execution is proven recursively and is wrapped into a SNARK for final verification. It provides tools to generate onchain Groth16 or Plonk verifiers. SP1 Hypercube provides 98 bits of proven security, as per [Ethereum Foundation’s soundcalc evaluation](https://github.com/ethereum/soundcalc/blob/main/reports/sp1.md).\n\n## Proof system\n\nSP1 Hypercube is an iteration of the previous zkVM version, SP1 Turbo, introducing architectural changes that improve prover performance and memory efficiency.\n\nHypercube proves execution of a 64-bit RISC-V VM using several ZK circuits, or chips, connected by lookup arguments ([LogUp based on GKR protocol](https://docs.succinct.xyz/docs/sp1/hypercube/logupgkr)). VM execution trace is split into several shards of size approximately 2^22, that could be proven in parallel with a STARK proving system. Additional arguments prove memory consistency across shards. \n\nThe parallelized proofs are recursively checked by the next layer of STARK circuits. The correctness of the final STARK proof is verified with the final wrap SNARK program, the wrap SNARK proof is verified onchain.\n\n### Hypercube vs. Turbo\n\nProving time and memory optimizations of SP1 Hypercube are based on several design improvements compared to SP1 Turbo.\n\nHypercube implements a [multilinear polynomial](https://github.com/succinctlabs/sp1/tree/v6.0.0/slop/crates/multilinear) STARK compared to univariate polynomials in Turbo. Multilinear polynomial based proving systems are more efficient than univariate because manipulating them reduces usage of log-linear FFT algorithm.\n\nMultilinear polynomials also allow Hypercube to innovate on a polynomial commitment scheme, implementing [Jagged PCS](https://docs.succinct.xyz/docs/sp1/hypercube/jagged) (defined in [this preprint](https://eprint.iacr.org/2025/917)). Jagged PCS allows efficient packing of computation traces of zkVM chips with different lengths, optimizing the prover memory requirement. More efficient LogUp based on GKR is also made possible because of multilinear polynomials.\n\n### Recursion circuits\n\nSP1 Hypercube provides tools for recursive proof generation by [verifying proofs in a zkVM](https://docs.succinct.xyz/docs/sp1/writing-programs/proof-aggregation#verifying-proofs-inside-the-zkvm). This uses the same toolkit as top-level proof system, but proves the correct verification of all proofs generated on the previous step.\n\nFirst, proofs for correctness of separate shards are generated. These shards may have different trace shape, so in the next step they are normalized. Finally, normalized shard proofs are recursively compressed in batches of 3-4 to a single zkVM proof. For further details see [this page](https://docs.succinct.xyz/docs/sp1/hypercube/recursion).\n\n### Final wrap\n\nSP1 Hypercube supports Plonk (with KZG polynomial commitments) or Groth16 final SNARK wrap of the STARK proof for performant onchain proof verification ([link](https://docs.succinct.xyz/docs/sp1/generating-proofs/proof-types#compressed)). The implementation of these proof systems over BN254 curve is used. For Plonk, Aztec Ignition trusted setup ceremony is used, for Groth16 Succinct run internal circuit-dependent phase 2 trusted setup (todo: link to trusted setups section).\n \n ",
"techStack": {
"zkVM": [
{
"id": "Plonky3",
"type": "STARK",
"name": "Plonky3",
"description": "Toolkit that implements a set of primitives for STARK-based zkVMs developed by Polygon Zero team."
},
{
"id": "RISCV64",
"type": "ISA",
"name": "RISC-V 64bit",
"description": "Free and open-source universal 64-bit ISA used across a variety of hardware and software."
},
{
"id": "BabyBear",
"type": "Field",
"name": "Baby Bear",
"description": "Prime field of order p = 15 * 2**27 + 1."
},
{
"id": "KoalaBear",
"type": "Field",
"name": "Koala Bear",
"description": "Prime field of order p = 2**31 - 2**24 + 1."
}
],
"finalWrap": [
{
"id": "Gnark",
"type": "Plonk",
"name": "Gnark",
"description": "Consensys implementation of Plonk proving system written in Go."
},
{
"id": "Gnark",
"type": "Groth16",
"name": "Gnark",
"description": "Consensys implementation of Groth16 proving system written in Go."
},
{
"id": "BN254",
"type": "curve",
"name": "BN254",
"description": "BN254, aka BN256, aka alt_bn128 pairing-friendly 254-bit prime field Weierstrass elliptic curve."
}
]
},
"trustedSetups": [
{
"proofSystem": {
"id": "Gnark",
"type": "Plonk",
"name": "Gnark",
"description": "Consensys implementation of Plonk proving system written in Go."
},
"id": "AztecIgnition",
"name": "Aztec Ignition",
"risk": "green",
"shortDescription": "Aztec Ignition is a trusted setup ceremony that was run by Aztec for KZG commitment over BN254 curve in 2019. It included 176 participants and was publicly open for participation.",
"longDescription": " \n Aztec Ignition is a trusted setup ceremony for KZG commitments over BN254 curve that was run by Aztec for KZG commitment over BN254 curve in 2019. \n It included 176 participants and was publicly open for participation.\n \n - Github repo to download and verify the ceremony artifacts: [https://github.com/AztecProtocol/ignition-verification](https://github.com/AztecProtocol/ignition-verification).\n - Github repo with instructions for ceremony participants: [https://github.com/AztecProtocol/Setup](https://github.com/AztecProtocol/Setup).\n - Ceremony announcement with a call to participate: [https://aztec.network/blog/announcing-ignition](https://aztec.network/blog/announcing-ignition).\n "
},
{
"proofSystem": {
"id": "Gnark",
"type": "Groth16",
"name": "Gnark",
"description": "Consensys implementation of Groth16 proving system written in Go."
},
"id": "SP1HypercubeGroth16",
"name": "SP1 Hypercube Groth16 circuit-specific setup",
"risk": "red",
"shortDescription": "Trusted setup ceremony for SP1 Hypercube (release v6.0.0) Groth16 final wrap circuits. Ceremony was organized by Succinct and includes 12 participants from 7 different organizations, without public calls to participate.",
"longDescription": "\nCeremony was run among 12 participants affiliated with Across Protocol, OP Labs, Offchain Labs, Succinct Labs, Conduit, Ethrealize and 1 independent participant. It generated circuit-specific setup parameters for Groth16 wrapper of SP1 Hypercube zkVM.\n\n- Ceremony info on Succinct docs page: .\n- Ceremony instructions and verification instructions: [https://github.com/succinctlabs/semaphore-gnark-11/tree/main](https://github.com/succinctlabs/semaphore-gnark-11/tree/main).\n- Link to transcript and other artifacts (Note: will immediately start downloading .tar.gz file): .\n "
}
],
"verifierHashes": [
{
"hash": "0xbb1a6f2930e94bfe8b35e794faf43133214534a17d2ad8e51358cad437b3c317",
"name": "SP1 Hypercube Plonk v6.0.0",
"sourceLink": "https://github.com/succinctlabs/sp1/tree/v6.0.0/crates/prover",
"proofSystem": {
"id": "Gnark",
"type": "Plonk",
"name": "Gnark",
"description": "Consensys implementation of Plonk proving system written in Go."
},
"knownDeployments": [
{
"address": "0x8a0fd5e825D14368d90Fe68F31fceAe3E17AFc5C",
"chain": "ethereum"
}
],
"verificationStatus": "successful",
"attesters": [
{
"id": "l2beat",
"name": "L2BEAT",
"link": "https://l2beat.com"
}
],
"verificationSteps": "\n The regeneration process consumed around 70 GiB of memory on the peak.\n \n 1. Install necessary dependencies: rust, docker, sp1 toolkit, go.\n \n ```\n sudo apt update\n sudo apt install build-essential golang-go protobuf-compiler\n \n curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh\n . .cargo/env\n cargo install --debug --locked cargo-make\n \n curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -\n sudo add-apt-repository \"deb [arch=amd64] https://download.docker.com/linux/ubuntu focal stable\"\n sudo apt install -y docker-ce\n sudo usermod -aG docker ${USER}\n \n curl -L https://sp1up.succinct.xyz/ | bash\n source ~/.bashrc\n sp1up\n ```\n \n 2. Clone [sp1 repo](https://github.com/succinctlabs/sp1), set `SP1_ALLOW_DEPRECATED_HOOKS` for correct compilation and run the script to regenerate verifiers.\n \n ```\n git clone https://github.com/succinctlabs/sp1.git\n cd sp1/crates/prover\n git checkout v6.0.0 # commit should be f87f8d6ff005d542db22e241928319f5e96a4609\n export SP1_ALLOW_DEPRECATED_HOOKS=true # fixes compilation errors\n \n make build-circuits\n ```\n \n The script will generate Plonk verifier smart contract with verification keys and the verifier hash in `build/plonk` dir.\n "
},
{
"hash": "0x0e78f4db7a6771a3a6a7d9c3b0de6fe73d58781368967a7fe84d87aefffec896",
"name": "SP1 Hypercube Groth16 v6.0.0",
"sourceLink": "https://github.com/succinctlabs/sp1/tree/v6.0.0/crates/prover",
"proofSystem": {
"id": "Gnark",
"type": "Groth16",
"name": "Gnark",
"description": "Consensys implementation of Groth16 proving system written in Go."
},
"knownDeployments": [
{
"address": "0x99A74A05a0FaBEB217C1A329b0dac59a1FA52508",
"chain": "ethereum"
}
],
"verificationStatus": "successful",
"attesters": [
{
"id": "l2beat",
"name": "L2BEAT",
"link": "https://l2beat.com"
}
],
"verificationSteps": "\n The regeneration process consumed around 70 GiB of memory on the peak.\n \n 1. Install necessary dependencies: rust, docker, sp1 toolkit, go.\n \n ```\n sudo apt update\n sudo apt install build-essential golang-go protobuf-compiler\n \n curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh\n . .cargo/env\n cargo install --debug --locked cargo-make\n \n curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -\n sudo add-apt-repository \"deb [arch=amd64] https://download.docker.com/linux/ubuntu focal stable\"\n sudo apt install -y docker-ce\n sudo usermod -aG docker ${USER}\n \n curl -L https://sp1up.succinct.xyz/ | bash\n source ~/.bashrc\n sp1up\n ```\n \n 2. Clone [sp1 repo](https://github.com/succinctlabs/sp1), set `SP1_ALLOW_DEPRECATED_HOOKS` for correct compilation and run the script to build groth16 circuit file.\n \n ```\n git clone https://github.com/succinctlabs/sp1.git\n cd sp1/crates/prover\n git checkout v6.0.0 # commit should be f87f8d6ff005d542db22e241928319f5e96a4609\n export SP1_ALLOW_DEPRECATED_HOOKS=true # fixes compilation errors\n \n make build-circuits\n ```\n \n This script will generate `groth16_circuit.bin` file in the `prover/build/groth16` directory, however it will not generate correct prover and verifier keys.\n \n 3. Generate correct pk and vk using the correct SP1 trusted setup. This will require [semaphore-gnark-11](https://github.com/succinctlabs/semaphore-gnark-11/tree/main) repo.\n \n ```\n cd\n git clone https://github.com/succinctlabs/semaphore-gnark-11.git # tested on commit hash 6d6ebc3608e609ec879e9ba99abee6b6b97d937d\n cd semaphore-gnark-11\n # Download the trusted setup transcript\n curl \"https://sp1-circuits.s3-us-east-2.amazonaws.com/v6.0.0-trusted-setup.tar.gz\" -o trusted-setup.tar.gz\n \n # Extract trusted setup transcript.\n tar -xzf trusted-setup.tar.gz\n \n # Build the binary.\n go build\n \n # Generate keys. They are outputted to the files pk and vk in the root directory.\n ./semaphore-gnark-11 key trusted-setup/phase1 trusted-setup/phase2-11 trusted-setup/evals /path/to/sp1/crates/prover/build/groth16/groth16_circuit.bin\n ```\n The last step will take several hours to complete.\n \n 4. Compute the hash of generated `vk` file: `shasum vk -a 256`.\n "
}
]
}+5 -0
+5 -0
{
"creator": "Succinct",
"projectsForTvs": [
{
"projectId": "forknet",
"sinceTimestamp": 1753882500
},
{
"projectId": "katana",
"sinceTimestamp": 1751328000
},
{
"projectId": "blobstream",
"sinceTimestamp": 1717608107
},
{
"projectId": "vector",
"sinceTimestamp": 1720128227
},
{
"projectId": "sophon",
"sinceTimestamp": 1745341091
},
{
"projectId": "lens",
"sinceTimestamp": 1745359200
},
{
"projectId": "plumenetwork",
"sinceTimestamp": 1746735060,
"untilTimestamp": 1763420400
},
{
"projectId": "galxegravity",
"sinceTimestamp": 1745880540
},
{
"projectId": "rari",
"sinceTimestamp": 1734562800
},
{
"projectId": "winr",
"sinceTimestamp": 1747088280
},
{
"projectId": "molten",
"sinceTimestamp": 1731480840
},
{
"projectId": "taiko",
"sinceTimestamp": 1730452800
},
{
"projectId": "lumia",
"sinceTimestamp": 1753882500
},
{
"projectId": "polygonzkevm",
"sinceTimestamp": 1753882500
},
{
"projectId": "xlayer",
"sinceTimestamp": 1753882500
},
{
"projectId": "silicon",
"sinceTimestamp": 1753882500
},
{
"projectId": "facet",
"sinceTimestamp": 1751407200
},
{
"projectId": "ethscriptions",
"sinceTimestamp": 1767735587
},
{
"projectId": "ternoa",
"sinceTimestamp": 1753882500
},
{
"projectId": "wirex",
"sinceTimestamp": 1753882500
},
{
"projectId": "penchain",
"sinceTimestamp": 1753882500
},
{
"projectId": "phala",
"sinceTimestamp": 1736290800
},
{
"projectId": "mantle",
"sinceTimestamp": 1757973600
},
{
"projectId": "zircuit",
"sinceTimestamp": 1756072800
},
{
"projectId": "morph",
"sinceTimestamp": 1737359447
},
{
"projectId": "gpt",
"sinceTimestamp": 1753882500
},
{
"projectId": "astarzkevm",
"sinceTimestamp": 1753882500
},
{
"projectId": "witness",
"sinceTimestamp": 1753882500
},
{
"projectId": "kroma",
"sinceTimestamp": 1739228400
},
{
"projectId": "haust",
"sinceTimestamp": 1756808195
},
{
"projectId": "celo",
"sinceTimestamp": 1765324800
}
],
"proofSystemInfo": "\n ## Description\n\n SP1 Turbo is a RISC-V zkVM using the [Plonky3](https://github.com/Plonky3/Plonky3) stack. The zkVM execution is proven recursively and is wrapped into a SNARK for final verification. It provides tools to generate onchain Groth16 or Plonk verifiers. SP1 targets [100 bits of security based on unproven proximity gaps conjecture](https://docs.succinct.xyz/docs/v5/sp1/security/security-model#conjectures-for-fris-security), so the actual security is likely lower.\n\n ## Proof system\n\n SP1 Turbo proves execution of a 32 bit RISC-V VM (RV32IM) using several ZK circuits connected by lookup arguments, as implemented in Plonky3. VM execution trace is split into several chunks that could be proven in parallel with a STARK proving system. The parallelized proofs are recursively checked by the next layer of STARK circuits. The correctness of the final STARK proof is verified with the final wrap SNARK program, the wrap SNARK proof is verified onchain.\n\n ### zkVM component\n\n Verifies execution of a RISC-V program in a zkVM. See [here](https://docs.succinct.xyz/docs/v5/sp1/security/rv32im-implementation) for more details on the exact RISC-V standard implemented. Uses [Plonky3](https://github.com/Plonky3/Plonky3) STARK toolkit with AIR arithmetization and FRI-based polynomial commitment scheme within the [BabyBear field](https://docs.succinct.xyz/docs/v5/sp1/security/security-model#hash-functions-and-the-random-oracle-model).\n\n ### Recursion circuits\n\n SP1 provides tools for recursive proof generation by [verifying proofs in a zkVM](https://docs.succinct.xyz/docs/v5/sp1/writing-programs/proof-aggregation#verifying-proofs-inside-the-zkvm). This uses the same toolkit as top-level proof system, but proves the correct verification of all proofs generated on the previous step.\n\n ### Final wrap\n\n SP1 supports Plonk (with KZG polynomial commitments) or Groth16 final SNARK wrap of the STARK proof for performant onchain proof verification ([link](https://docs.succinct.xyz/docs/v5/sp1/generating-proofs/proof-types#compressed)). The [gnark](https://github.com/Consensys/gnark) implementation of these proof systems over BN254 curve is used. For Plonk, Aztec Ignition trusted setup ceremony is used, for Groth16 Succinct run internal circuit-dependent phase 2 trusted setup, see [below](#trusted-setups) for more details.\n ",
"techStack": {
"zkVM": [
{
"id": "Plonky3",
"type": "STARK",
"name": "Plonky3",
"description": "Toolkit that implements a set of primitives for STARK-based zkVMs developed by Polygon Zero team."
},
{
"id": "RISCV32",
"type": "ISA",
"name": "RISC-V 32bit",
"description": "Free and open-source universal 32-bit ISA used across a variety of hardware and software."
},
{
"id": "BabyBear",
"type": "Field",
"name": "Baby Bear",
"description": "Prime field of order p = 15 * 2**27 + 1."
}
],
"finalWrap": [
{
"id": "Gnark",
"type": "Plonk",
"name": "Gnark",
"description": "Consensys implementation of Plonk proving system written in Go."
},
{
"id": "Gnark",
"type": "Groth16",
"name": "Gnark",
"description": "Consensys implementation of Groth16 proving system written in Go."
},
{
"id": "BN254",
"type": "curve",
"name": "BN254",
"description": "BN254, aka BN256, aka alt_bn128 pairing-friendly 254-bit prime field Weierstrass elliptic curve."
}
]
},
"trustedSetups": [
{
"proofSystem": {
"id": "Gnark",
"type": "Plonk",
"name": "Gnark",
"description": "Consensys implementation of Plonk proving system written in Go."
},
"id": "AztecIgnition",
"name": "Aztec Ignition",
"risk": "green",
"shortDescription": "Aztec Ignition is a trusted setup ceremony that was run by Aztec for KZG commitment over BN254 curve in 2019. It included 176 participants and was publicly open for participation.",
"longDescription": " \n Aztec Ignition is a trusted setup ceremony for KZG commitments over BN254 curve that was run by Aztec for KZG commitment over BN254 curve in 2019. \n It included 176 participants and was publicly open for participation.\n \n - Github repo to download and verify the ceremony artifacts: [https://github.com/AztecProtocol/ignition-verification](https://github.com/AztecProtocol/ignition-verification).\n - Github repo with instructions for ceremony participants: [https://github.com/AztecProtocol/Setup](https://github.com/AztecProtocol/Setup).\n - Ceremony announcement with a call to participate: [https://aztec.network/blog/announcing-ignition](https://aztec.network/blog/announcing-ignition).\n "
},
{
"proofSystem": {
"id": "Gnark",
"type": "Groth16",
"name": "Gnark",
"description": "Consensys implementation of Groth16 proving system written in Go."
},
"id": "SP1TurboGroth16",
"name": "SP1 Turbo Groth16 circuit-specific setup",
"risk": "red",
"shortDescription": "Succinct's internally run trusted setup for SP1 Turbo (release v5.0.0) Groth16 final wrap circuits. Ceremony was run among 7 contributors to the SP1 project without public calls to participate.",
"longDescription": "\n Ceremony was run among 7 contributors to the SP1 project without public calls to participate. It generated setup parameters for Groth16 wrapper of SP1 zkVM.\n\n - Ceremony info on Succinct docs page: [https://docs.succinct.xyz/docs/v5/sp1/security/security-model#options](https://docs.succinct.xyz/docs/v5/sp1/security/security-model#options).\n - Ceremony instructions and verification instructions: [https://github.com/succinctlabs/semaphore-gnark-11/tree/main](https://github.com/succinctlabs/semaphore-gnark-11/tree/main).\n - Link to transcript and other artifacts (Note: will immediately start downloading .tar.gz file): [https://sp1-circuits.s3.us-east-2.amazonaws.com/v4.0.0-rc.3-trusted-setup.tar.gz](https://sp1-circuits.s3.us-east-2.amazonaws.com/v4.0.0-rc.3-trusted-setup.tar.gz).\n "
}
],
"verifierHashes": [
{
"hash": "0xd4e8ecd2357dd882209800acd6abb443d231cf287d77ba62b732ce937c8b56e7",
"name": "SP1 Turbo Plonk v5.0.0",
"sourceLink": "https://github.com/succinctlabs/sp1/tree/v5.0.0/crates/prover",
"proofSystem": {
"id": "Gnark",
"type": "Plonk",
"name": "Gnark",
"description": "Consensys implementation of Plonk proving system written in Go."
},
"knownDeployments": [
{
"address": "0x0459d576A6223fEeA177Fb3DF53C9c77BF84C459",
"chain": "ethereum"
},
{
"address": "0xFF5Adab685362DC4C33536a65aF5873738D1216B",
"chain": "ethereum"
}
],
"verificationStatus": "successful",
"attesters": [
{
"id": "l2beat",
"name": "L2BEAT",
"link": "https://l2beat.com"
}
],
"verificationSteps": "\nThe regeneration process consumed around 50 GiB of memory on the peak. Also, due to some os indeterminism, \nthe sp1 repo must be cloned into `/home/aurel/dev/sp1-wip/` directory, so we recommend creating `aurel` user on an Ubuntu 24.04 machine.\n\n1. Create a new `aurel` user on a linux os and login as this user.\n2. Install necessary dependencies: rust, sp1 toolkit, go.\n\n```\nsudo apt update\nsudo apt install build-essential golang-go\n\ncurl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh\n. .cargo/env\ncargo install --debug --locked cargo-make\n\ncurl -L https://sp1up.succinct.xyz/ | bash\nsp1up\n```\n\n3. Clone sp1 repo in the correct directory, set `SP1_ALLOW_DEPRECATED_HOOKS` for correct compilation and run the script to regenerate verifiers.\n\n```\nmkdir -p dev/sp1-wip/\ncd dev/sp1-wip/\ngit clone https://github.com/succinctlabs/sp1.git\ncd sp1/crates/prover\ngit checkout v5.0.0 # commit should be 38f0f143dece864e8bffafad64196a924f190336\nexport SP1_ALLOW_DEPRECATED_HOOKS=true # fixes compilation errors\n\nmake build-circuits\n```\n \nThe script will generate Plonk verifier smart contract with verification keys and the verifier hash in `build/plonk` dir.\n "
},
{
"hash": "0xa4594c59bbc142f3b81c3ecb7f50a7c34bc9af7c4c444b5d48b795427e285913",
"name": "SP1 Turbo Plonk Morph verifier",
"proofSystem": {
"id": "Gnark",
"type": "Groth16",
"name": "Gnark",
"description": "Consensys implementation of Groth16 proving system written in Go."
},
"knownDeployments": [
{
"address": "0x50ACFBEdecf4cbe350E1a86fC6f03a821772f1e5",
"chain": "ethereum"
}
],
"verificationStatus": "unsuccessful",
"attesters": [
{
"id": "l2beat",
"name": "L2BEAT",
"link": "https://l2beat.com"
}
],
"verificationSteps": "\nWe performed the following steps, which according to the Succinct team should have lead to a successful regeneration of the verifier's hash.\nHowever these steps produced a verifier smart contract with `VERIFIER_HASH = 0xf7ba6320608dadd905f3483d51c2fa0fb55473e3136bdfb37c96a10f158ab9fe`, which differs from the value onchain. \n\n1. Create a new `aurel` user on a linux os and login as this user.\n2. Install necessary dependencies: rust, sp1 toolkit, go.\n\n```\nsudo apt update\nsudo apt install build-essential golang-go\n\ncurl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh\n. .cargo/env\ncargo install --debug --locked cargo-make\n\ncurl -L https://sp1up.succinct.xyz/ | bash\nsp1up\n```\n\n3. Clone sp1 repo in the correct directory, set `SP1_ALLOW_DEPRECATED_HOOKS` for correct compilation and run the script to regenerate verifiers.\n\n```\nmkdir -p dev/sp1-wip/\ncd dev/sp1-wip/\ngit clone https://github.com/succinctlabs/sp1.git\ncd sp1/crates/prover\ngit checkout v5.0.0 # commit should be 38f0f143dece864e8bffafad64196a924f190336\nexport SP1_ALLOW_DEPRECATED_HOOKS=true # fixes compilation errors\n\nmake build-circuits\n```\n "
},
{
"hash": "0xffea2d2e12ed24da258af874d77eee7ee91a1e050ee197052908089e57681e67",
"name": "SP1 Turbo Groth16 v5.0.0",
"sourceLink": "https://github.com/succinctlabs/sp1/tree/v5.0.0/crates/prover",
"proofSystem": {
"id": "Gnark",
"type": "Plonk",
"name": "Gnark",
"description": "Consensys implementation of Plonk proving system written in Go."
},
"knownDeployments": [
{
"address": "0x045d4BC73Bd1918192f34e98532A5272Ef620423",
"chain": "ethereum"
},
{
"address": "0x5ff102a4A4Ce2040288a797CE4CCCa85eE1E2d70",
"chain": "ethereum"
}
],
"verificationStatus": "notVerified"
}
]
}+2 -0
+2 -0
{
"creator": "Starkware",
"projectsForTvs": [
{
"projectId": "starknet",
"sinceTimestamp": 1638140400,
"untilTimestamp": 1760824800
},
{
"projectId": "paradex",
"sinceTimestamp": 1696111200,
"untilTimestamp": 1763997779
},
{
"projectId": "immutablex",
"sinceTimestamp": 1617832800,
"untilTimestamp": 1772672831
},
{
"projectId": "sorare",
"sinceTimestamp": 1627250400
},
{
"projectId": "brine",
"sinceTimestamp": 1682546400
},
{
"projectId": "myria",
"sinceTimestamp": 1661464800
},
{
"projectId": "deversifi",
"sinceTimestamp": 1591135200
},
{
"projectId": "dydx",
"sinceTimestamp": 1617660000
},
{
"projectId": "edgex",
"sinceTimestamp": 1722636000
},
{
"projectId": "layer2financezk",
"sinceTimestamp": 1645130774
}
],
"proofSystemInfo": "\n \n ## Description\n\n Stone is a STARK proof system that is designed to prove the execution of programs written in [Cairo language](https://www.starknet.io/cairo-book/title-page.html) and compiled into Cairo assembly (cASM) byte code. This ISA is highly optimized for the performance of zkVM proving. Stone verifies STARK proofs directly onchain without any final SNARK wraps and thus requires no trusted setup. Stone targets 80 bits of security (e.g. see constructor params on [this contract](https://etherscan.io/address/0x3d57526c1C8D63fa2A8704487Df65e9000166c8E#code)).\n\n ## Proof system\n\n Stone is a Cairo-based zkVM with AIR arithmetization over [felt252 field](https://docs.starknet.io/archive/cairo-101/felt/) and FRI-based commitment. The protocol makes use of recursive proof aggregation among many projects utilizing the CairoVM (i.e. Starknet forks and StarkEx systems) using SHARP. Some documentation on the aggregation scheme can be found [here](https://docs.starknet.io/architecture/sharp/) and the Cairo verifier implemented in Cairo can be found [here](https://github.com/starkware-libs/cairo-lang/tree/v0.13.1/src/starkware/cairo/cairo_verifier/layouts/all_cairo).\n\n ### StarkNet Operating System (SNOS)\n\n The base layer of Stone proving is a Cairo program called [SNOS](https://docs.starknet.io/architecture/os/) that proves the correct STF from one state to another given the list of transactions. SNOS execution includes checking transaction inputs (e.g. state), executing transactions and processing state diffs. The source code of the Starknet OS can be found [here](https://github.com/starkware-libs/cairo-lang/tree/ee7ce74e1159a349d4b77a5f952241b50b1692de/src/starkware/starknet/core/os).\n\n ### Recursive aggregation\n\n Proofs of SNOS executions of several consecutive blocks are recursively aggregated. The correctness of this aggregation is checked by [applicative bootloader](https://github.com/starkware-libs/cairo-lang/blob/8e11b8cc65ae1d0959328b1b4a40b92df8b58595/src/starkware/cairo/bootloaders/applicative_bootloader/applicative_bootloader.cairo#L15) program, which also verifies the correct relation of corresponding SNOS inputs and outputs. Applicative bootloader proofs are aggregated across several blockchains and proven by [SHARP](https://docs.starknet.io/architecture/sharp/#what_is_sharp). The SHARP STARK proof is verified onchain without any SNARK wraps.\n ",
"techStack": {
"zkVM": [
{
"id": "Stone",
"type": "STARK",
"name": "Stone",
"description": "zkVM STARK proving system developed by Starkware for Cairo programs, including state transition of Starknet."
},
{
"id": "CASM",
"type": "ISA",
"name": "Cairo ASM",
"description": "Instruction language for Cairo VM developed by Starkware."
},
{
"id": "felt252",
"type": "Field",
"name": "felt252",
"description": "Prime field of order p = 2**251 + 17 * 2**192 + 1."
}
]
},
"trustedSetups": [
{
"id": "TransparentSetup",
"name": "Transparent setup",
"risk": "N/A",
"shortDescription": "No trusted setup and no additional setup-related trust assumptions.",
"longDescription": "Transparent proving systems require no trusted setups and have no additional setup-related trust assumptions.",
"proofSystem": {
"id": "Stone",
"type": "STARK",
"name": "Stone",
"description": "zkVM STARK proving system developed by Starkware for Cairo programs, including state transition of Starknet."
}
}
],
"verifierHashes": [
{
"hash": "0x5ed8957171b466464570ba10b3d5c5adfc54546ba56278129af5ae63a0d4ad22",
"name": "Stone verifier 2024_10",
"sourceLink": "https://etherscan.io/address/0x9fb7F48dCB26b7bFA4e580b2dEFf637B13751942#code",
"proofSystem": {
"id": "Stone",
"type": "STARK",
"name": "Stone",
"description": "zkVM STARK proving system developed by Starkware for Cairo programs, including state transition of Starknet."
},
"knownDeployments": [
{
"address": "0x9fb7F48dCB26b7bFA4e580b2dEFf637B13751942",
"chain": "ethereum",
"overrideUsedIn": [
"edgex",
"myria",
"sorare",
"brine"
]
}
],
"verificationStatus": "successful",
"verificationSteps": "Onchain stone verifier smart contracts contain code that directly checks proofs of correct Cairo program execution. Unlike SNARK final wraps, it does not contain any additional cryptographic components that need to be independently regenerated because it introduces no new zk circuits. The sources are verified on etherscan and can be examined directly to check the correct implementation of STARK verification protocol.",
"description": "Custom verifier ID: SHA256 hash of the address of the immutable verifier smart contract (GpsStatementVerifier) in hex string format '0x...'."
}
]
}+2 -0
+2 -0
{
"creator": "Starkware",
"projectsForTvs": [
{
"projectId": "starknet",
"sinceTimestamp": 1760824800
},
{
"projectId": "paradex",
"sinceTimestamp": 1763997779
}
],
"proofSystemInfo": "\n## Description\n\nStwo is the next iteration of Starkware zkVM STARK system. It is intended to prove the execution of programs written in [Cairo language](https://www.starknet.io/cairo-book/title-page.html) and compiled into Cairo assembly (cASM) byte code, however it also allows writing custom AIR to be proven. Stwo verifies STARK proofs directly onchain without any final SNARK wraps and thus requires no trusted setup. \n\nStwo targets 96 bits of cryptographic security + 30 bits of PoW grinding security (e.g. see constructor params on [this contract](https://etherscan.io/address/0x3d57526c1C8D63fa2A8704487Df65e9000166c8E#code)). Here PoW grinding refers to a challenge that prover needs to compute every time they generate a proof. An honest prover performs the work only once but a malicious prover has additional computational load with every attempted forging of a proof.\n\n## Proof system\n\nStwo proof system is a zkVM working with AIR arithmetizations over Mersenne31 field. [This stwo-cairo toolkit](https://github.com/starkware-libs/stwo-cairo/tree/main) allows compiling Cairo program traces to the AIR arithmetization, however it is possible to create custom AIRs to be proven by Stwo, see more [here](https://zksecurity.github.io/stwo-book/air-development/index.html). \n\nStwo offers several innovations to optimize proving time. Firstly, its use of small Mersenne31 field compared to previous version [felt252 field](https://docs.starknet.io/archive/cairo-101/felt/) is much better aligned with CPU arithmetics, also operations over M31 could be highly optimized as explained [here](https://zksecurity.github.io/stwo-book/how-it-works/mersenne-prime.html). Secondly, Stwo implements a circle STARK as introduced in [this paper](https://eprint.iacr.org/2024/278). Thirdly, Stwo prover now uses Blake2 hash function instead of Poseidon, which is more efficient.\n\n### Circle STARKs\n\nCircle STARKs replace interpolation domain without any structure with an interpolation domain with a structure of a circle domain, where points of interpolation are chosen from a complex unit circle over Mersenne31 field. It allows using Circle FFT algorithm, which speeds up the interpolation step in STARK proving, as well as Circle FRI algorithm for low-degree polynomial testing.\n\n### StarkNet Operating System (SNOS)\n\nThe base layer of Stwo proving L2s is a Cairo program called [SNOS](https://docs.starknet.io/architecture/os/) that proves the correct STF from one state to another given the list of transactions. SNOS execution includes checking transaction inputs (e.g. state), executing transactions and processing state diffs. The source code of the Starknet OS can be found [here](https://github.com/starkware-libs/cairo-lang/tree/ee7ce74e1159a349d4b77a5f952241b50b1692de/src/starkware/starknet/core/os).\n\n### Recursive aggregation\n\nProofs of SNOS executions of several consecutive blocks are recursively aggregated. The correctness of this aggregation is checked by [applicative bootloader](https://github.com/starkware-libs/cairo-lang/blob/8e11b8cc65ae1d0959328b1b4a40b92df8b58595/src/starkware/cairo/bootloaders/applicative_bootloader/applicative_bootloader.cairo#L15) program, which also verifies the correct relation of corresponding SNOS inputs and outputs. Applicative bootloader proofs are aggregated across several blockchains and proven by [SHARP](https://docs.starknet.io/architecture/sharp/#what_is_sharp). The SHARP STARK proof is verified onchain without any SNARK wraps.\n\n## Trusted setup\n\nStwo is a STARK (transparent SNARK) that does not perform a wrap in a SNARK, so it does not require any trusted setup.",
"techStack": {
"zkVM": [
{
"id": "Stwo",
"type": "STARK",
"name": "Stwo",
"description": "State of the art implementation of Circle STARK zkVM, created by Starkware to prove Cairo programs, including state transition of Starknet."
},
{
"id": "CASM",
"type": "ISA",
"name": "Cairo ASM",
"description": "Instruction language for Cairo VM developed by Starkware."
},
{
"id": "Mersenne31",
"type": "Field",
"name": "Mersenne31",
"description": "Prime field of order p = 2**31 - 1."
}
]
},
"trustedSetups": [
{
"id": "TransparentSetup",
"name": "Transparent setup",
"risk": "N/A",
"shortDescription": "No trusted setup and no additional setup-related trust assumptions.",
"longDescription": "Transparent proving systems require no trusted setups and have no additional setup-related trust assumptions.",
"proofSystem": {
"id": "Stwo",
"type": "STARK",
"name": "Stwo",
"description": "State of the art implementation of Circle STARK zkVM, created by Starkware to prove Cairo programs, including state transition of Starknet."
}
}
],
"verifierHashes": [
{
"hash": "0xf16d320ba0d2087a99ffd465041960fd0aedf5e723c0fb877533876c531191d3",
"name": "Stwo verifier 2025_11",
"sourceLink": "https://etherscan.io/address/0x13e120F6c8E747983F7aaF0f7731796bfcb0D934#code",
"proofSystem": {
"id": "Stwo",
"type": "STARK",
"name": "Stwo",
"description": "State of the art implementation of Circle STARK zkVM, created by Starkware to prove Cairo programs, including state transition of Starknet."
},
"knownDeployments": [
{
"address": "0x13e120F6c8E747983F7aaF0f7731796bfcb0D934",
"chain": "ethereum",
"overrideUsedIn": [
"starknet",
"paradex"
]
}
],
"verificationStatus": "successful",
"verificationSteps": "Onchain stwo verifier smart contracts contain code that directly checks proofs of correct Cairo program execution. Unlike SNARK final wraps, it does not contain any additional cryptographic components that need to be independently regenerated because it introduces no new zk circuits. The sources are verified on etherscan and can be examined directly to check the correct implementation of STARK verification protocol.",
"description": "Custom verifier ID: SHA256 hash of the address of the immutable verifier smart contract (GpsStatementVerifier) in hex string format '0x...'."
}
]
}+2 -0
+2 -0
{
"creator": "Polygon Labs",
"projectsForTvs": [
{
"projectId": "polygonzkevm",
"sinceTimestamp": 1679868000,
"untilTimestamp": 1764716400
},
{
"projectId": "silicon",
"sinceTimestamp": 1724796000
},
{
"projectId": "ternoa",
"sinceTimestamp": 1738105200
},
{
"projectId": "penchain",
"sinceTimestamp": 1749938400
}
],
"proofSystemInfo": "\n \n ## Description\n\n zkProver is a STARK proving system designed to implement the zkEVM component of Polygon zkEVM. It proves the execution of EVM transactions in a zkVM running on [zkASM](https://docs.polygon.technology/tools/zkevm/architecture/zkprover/#zero-knowledge-assembly) ISA. zkProver allows recursive STARK aggregation as well as the final wrap in a [Fflonk](https://hecmas.github.io/events/2023fflonk/) SNARK for efficient onchain verification. zkProver onchain verifier targets 128 bits of security.\n\n ## Proof system\n\n zkProver toolkit introduces two new domain specific languages: zkASM and PIL. zkASM is the instruction language of the internal zkVM, and the execution of EVM transactions is proven with a specific zkASM program called [ROM](https://docs.polygon.technology/tools/zkevm/architecture/zkprover/main-state-machine/#the-rom). PIL is a language for creating circuits, conceptually similar to [circom](https://docs.circom.io).\n\n zkProver is based on [eSTARK paper](https://eprint.iacr.org/2023/474), meaning that it implements a FRI-based STARK with AIR arithmetization extended with additional arguments. It also [provides tools](https://docs.polygon.technology/tools/zkevm/architecture/zkprover/stark-recursion/composition-recursion-aggregation/#setup-phase) to automatically generate circom arithmetic circuits for verifying the STARK proof, which plays an essential role in proof compression and recursive proving. \n\n ### Polynomial Identity Language (PIL)\n\n The polynomial constraints that define circuits within zkProver are specified using a language called [polynomial identity language](https://github.com/0xPolygon/pilcom) (PIL). PIL supports complicated and powerful polynomial constraints, like [permutation](https://docs.polygon.technology/tools/zkevm/spec/pil/permutation-arguments/), [inclusion](https://docs.polygon.technology/tools/zkevm/spec/pil/inclusion-arguments/) and [connection](https://docs.polygon.technology/tools/zkevm/spec/pil/connection-arguments/) arguments. PIL was designed to be applicable in other zk tools as well. The next iteration of PIL called PIL2 could be found [here](https://github.com/0xPolygonHermez/pil2-compiler).\n\n ### State machine\n\n zkProver state machine (zkVM) consists of [13 separate state machines](https://github.com/0xPolygon/zkevm-prover/tree/main/src/sm) specified in PIL, including [main SM](https://docs.polygon.technology/tools/zkevm/architecture/zkprover/main-state-machine/), [arithmetic SM](https://docs.polygon.technology/tools/zkevm/architecture/zkprover/arithmetic-sm/), [binary SM](https://docs.polygon.technology/tools/zkevm/architecture/zkprover/binary-sm/), etc. Each state machine creates its own execution trace, which is connected to the rest using connection argument. The state machine has access to EVM state trie, EVM memory and the ROM program that implements verification of EVM transactions in zkASM language. \n\n ### Recursion circuits\n\n [Proving architecture](https://docs.polygon.technology/tools/zkevm/architecture/zkprover/stark-recursion/proving-architecture/) of zkProver consists of several stages. Compression stage reduces the size of STARK proofs of zkEVM batch execution for efficiency of further computations. Normalization stage prepares for aggregation by correctly aligning public inputs across several batches. Aggregation stage repeatedly joins pairs of STARK proofs to produce a single proof of multiple zkEVM batches. Final STARK stage changes the field over which the proof is generated to prepare for the SNARK wrap. Finally, SNARK stage produces a Fflonk proof to be posted onchain.\n\n Each recursion step uses a circom R1CS arithmetic circuit to verify input PIL-STARK proofs (see [here](https://docs.polygon.technology/tools/zkevm/architecture/zkprover/stark-recursion/composition-recursion-aggregation/#stark-to-circuit-or-s2c-sub-process)). The proof of verification is a PIL-STARK that is generated on the Plonkish arithmetization of this circom circuit.\n ",
"techStack": {
"zkVM": [
{
"id": "PIL-STARK",
"type": "STARK",
"name": "PIL-STARK",
"description": "zkVM STARK proving system that works with Polynomial Identity Language (PIL) developed by Polygon Zero team."
},
{
"id": "ZkASM",
"type": "ISA",
"name": "zkASM",
"description": "Instruction language for Polygon zkEVM virtual machine."
},
{
"id": "Goldilocks",
"type": "Field",
"name": "Goldilocks",
"description": "Prime field of order p = 2**64 - 2**32 + 1."
}
],
"finalWrap": [
{
"id": "Snarkjs",
"type": "Fflonk",
"name": "Snarkjs",
"description": "Circom / iden3 implementation of Fflonk improvement over standard Plonk proving system written in JS."
},
{
"id": "BN254",
"type": "curve",
"name": "BN254",
"description": "BN254, aka BN256, aka alt_bn128 pairing-friendly 254-bit prime field Weierstrass elliptic curve."
}
]
},
"trustedSetups": [
{
"proofSystem": {
"id": "Snarkjs",
"type": "Fflonk",
"name": "Snarkjs",
"description": "Circom / iden3 implementation of Fflonk improvement over standard Plonk proving system written in JS."
},
"id": "PolygonZkEVM",
"name": "Polygon zkEVM",
"risk": "yellow",
"shortDescription": "Trusted setup for KZG commitments over BN254 curve used by Polygon zkEVM, includes 55 participants. Is a subset of Perpetual Powers of Tau ceremony.",
"longDescription": "\n Ceremony uses 54 first contributions from the [Perpetual Powers of Tau ceremony](https://github.com/privacy-scaling-explorations/perpetualpowersoftau)\n and adds one more contribution to the total of 55 participants.\n\n - Ceremony used: [https://github.com/privacy-scaling-explorations/perpetualpowersoftau?tab=readme-ov-file](https://github.com/privacy-scaling-explorations/perpetualpowersoftau?tab=readme-ov-file)\n - Public announcement: [https://medium.com/coinmonks/announcing-the-perpetual-powers-of-tau-ceremony-to-benefit-all-zk-snark-projects-c3da86af8377](https://medium.com/coinmonks/announcing-the-perpetual-powers-of-tau-ceremony-to-benefit-all-zk-snark-projects-c3da86af8377)\n - Final data and verification steps in this repo: [https://github.com/iden3/snarkjs/tree/master?tab=readme-ov-file](https://github.com/iden3/snarkjs/tree/master?tab=readme-ov-file)\n "
}
],
"verifierHashes": [
{
"hash": "0x237bc5d6efad6d844534c4a45f5f19fa86344615ac00054821915c219e9abd81",
"name": "zkProver Fflonk v8.0.0-fork.12",
"sourceLink": "https://github.com/0xPolygon/zkevm-proverjs/tree/v8.0.0-fork.12",
"proofSystem": {
"id": "Snarkjs",
"type": "Fflonk",
"name": "Snarkjs",
"description": "Circom / iden3 implementation of Fflonk improvement over standard Plonk proving system written in JS."
},
"knownDeployments": [
{
"address": "0x9B9671dB83CfcB4508bF361942488C5cA2b1286D",
"chain": "ethereum"
}
],
"verificationStatus": "successful",
"attesters": [
{
"id": "l2beat",
"name": "L2BEAT",
"link": "https://l2beat.com"
}
],
"verificationSteps": "\nThe verification steps are based on [this guide](https://github.com/agglayer/agglayer-contracts/blob/b9a795523317eca29319f3dca56f7199a117fb78/verifyMainnetDeployment/verifyMainnetProofVerifier.md).\n\n1. Get a machine with at least 512GB of RAM and 32 cores (e.g. r6a.16xlarge aws instance). This guide assumes Ubuntu 22.04 LTS OS.\n\n2. Do basic OS preparation\n\n```jsx\nsudo apt update\nsudo apt install -y tmux git curl jq\nsudo apt install -y build-essential libomp-dev libgmp-dev nlohmann-json3-dev libpqxx-dev nasm libgrpc++-dev libprotobuf-dev grpc-proto libsodium-dev uuid-dev libsecp256k1-dev\n```\n\n3. Tweak the OS to accept high amount of memory\n\n```jsx\necho \"vm.max_map_count=655300\" | sudo tee -a /etc/sysctl.conf\nsudo sysctl -w vm.max_map_count=655300\nexport NODE_OPTIONS=\"--max-old-space-size=230000\"\n```\n\n4. Install node, npm, python deps\n\n```jsx\ncurl -sL https://deb.nodesource.com/setup_18.x -o nodesource_setup.sh\nsudo bash nodesource_setup.sh\nsudo apt install -y nodejs\nnode -v\napt install python3-pip\npip install z3-solver==4.13.0.0\n```\n\nThe version of node should be: 18 (e.g. 18.19.0 ) Note that hardhat will complain that this node version is not supported byt hardhat. It seems to be just a warning and `v24.8.0` produces the same contract bytecode, so maybe it can be ignored.\n\n5. Download and prepare circom\n\n```jsx\ncd ~\ngit clone https://github.com/iden3/circom.git\ncd circom\ngit checkout v2.1.8\ngit log --pretty=format:'%H' -n 1\n```\n\nThe hash of the commit should be: f0deda416abe91e5dd906c55507c737cd9986ab5.\n\n```jsx\ncurl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh\ncd ~\ncd circom\ncargo build --release\ncargo install --path circom\nexport PATH=$PATH:~/.cargo/bin\necho 'PATH=$PATH:~/.cargo/bin' >> ~/.profile\ncircom --version\n```\n\nThe version of circom should be: 2.1.8.\n\n6. Prepare fast build constant tree tool and fflonk setup\n\n```jsx\ncd ~\ngit clone https://github.com/0xPolygonHermez/zkevm-prover.git\ncd zkevm-prover\ngit checkout v8.0.0-RC9\ngit submodule init\ngit submodule update\nsed -i -E 's|^(SRCS_BCT := .*./src/starkpil/stark_info\\.\\*)|\\1 ./tools/sm/sha256/sha256.cpp ./tools/sm/sha256/bcon/bcon_sha256.cpp|' Makefile\nmake -j bctree fflonk_setup\n```\n\n7. Prepare and launch setup (zkevm-proverjs). This step is quite long, it takes approximately 4.5 hours.\n\n```jsx\ncd ~\ngit clone https://github.com/0xPolygonHermez/zkevm-proverjs.git\ncd zkevm-proverjs\ngit checkout v8.0.0-fork.12\nrm -f package-lock.json\nsed -i -E 's|https://hermez\\.s3-eu-west-1\\.amazonaws\\.com/powersOfTau28_hez_final\\.ptau|https://storage.googleapis.com/zkevm/ptau/powersOfTau28_hez_final.ptau|g' package.json\nnpm install\ntmux -c \"npm run buildsetup --bctree=../zkevm-prover/build/bctree --fflonksetup=../zkevm-prover/build/fflonkSetup --mode=25\"\n```\n\nThe last step generates the `zkevm-proverjs_build_proof_build_final.fflonk.verifier.sol` file which contains the verification keys that can be checked against the onchain deployment.\n ",
"description": "Custom verifier ID: SHA256 hash of the following values from the verifier smart contract, abi packed in the same order they are defined: verification key data, omegas, verifier preprocessed inputs (all values from k1 to X2y2)."
}
]
}+3 -0
+3 -0
{
"creator": "Matter Labs",
"projectsForTvs": [
{
"projectId": "zksync",
"sinceTimestamp": 1592431200
},
{
"projectId": "zkspace",
"sinceTimestamp": 1639954800
}
],
"proofSystemInfo": "\n ## Proof system\n\n ZKSync Lite prover is a monolithic SNARK proving system that generates validity proofs for the state transition of ZKSync Lite L2. It is a [Plonk system](https://docs.lite.zksync.io/userdocs/security/#primitives) over BN254 curve with [custom circuits](https://github.com/matter-labs/zksync/tree/master/core/lib/circuit/src) designed to prove the specific state transition function of the L2, including deposits and withdrawals, transfers, swaps, NFT operations. The proof system itself is implemented in the [bellman library](https://github.com/matter-labs/bellman), while many base cryptographic primitives are implemented in [franklin library](https://github.com/matter-labs/franklin-crypto/tree/dev). \n ",
"techStack": {
"snark": [
{
"id": "Zksync",
"type": "Plonk",
"name": "Zksync",
"description": "Matter Labs Rust implementation of Plonk proving system, originally developed for ZKsync Lite (old ZKsync)."
},
{
"id": "BN254",
"type": "curve",
"name": "BN254",
"description": "BN254, aka BN256, aka alt_bn128 pairing-friendly 254-bit prime field Weierstrass elliptic curve."
},
{
"id": "CustomCircuits",
"type": "Other",
"name": "App-specific circuits",
"description": "This project uses custom app-specific ZK circuits."
}
]
},
"trustedSetups": [
{
"proofSystem": {
"id": "Zksync",
"type": "Plonk",
"name": "Zksync",
"description": "Matter Labs Rust implementation of Plonk proving system, originally developed for ZKsync Lite (old ZKsync)."
},
"id": "AztecIgnition",
"name": "Aztec Ignition",
"risk": "green",
"shortDescription": "Aztec Ignition is a trusted setup ceremony that was run by Aztec for KZG commitment over BN254 curve in 2019. It included 176 participants and was publicly open for participation.",
"longDescription": " \n Aztec Ignition is a trusted setup ceremony for KZG commitments over BN254 curve that was run by Aztec for KZG commitment over BN254 curve in 2019. \n It included 176 participants and was publicly open for participation.\n \n - Github repo to download and verify the ceremony artifacts: [https://github.com/AztecProtocol/ignition-verification](https://github.com/AztecProtocol/ignition-verification).\n - Github repo with instructions for ceremony participants: [https://github.com/AztecProtocol/Setup](https://github.com/AztecProtocol/Setup).\n - Ceremony announcement with a call to participate: [https://aztec.network/blog/announcing-ignition](https://aztec.network/blog/announcing-ignition).\n "
}
],
"verifierHashes": [
{
"hash": "0xfa15bba967ebf892d9657359fb8ff07aea13e152c0d5160143a494abb4bc9df3",
"name": "ZKsync Lite verifier 1",
"proofSystem": {
"id": "Zksync",
"type": "Plonk",
"name": "Zksync",
"description": "Matter Labs Rust implementation of Plonk proving system, originally developed for ZKsync Lite (old ZKsync)."
},
"knownDeployments": [
{
"address": "0x57B09100e6160503aBDEBC76012b6c358eA4e462",
"chain": "ethereum"
}
],
"verificationStatus": "notVerified",
"description": "Custom verifier ID: SHA256 hash of the abi packed array of uint256 obtained from flattening VerificationKey structure returned by getVkAggregated1()"
},
{
"hash": "0xdfd9cbc5d113efddf3bfe382bcdd2cd67a9548fb62d758e9b18c8d8821ef1f22",
"name": "ZKsync Lite verifier 4",
"proofSystem": {
"id": "Zksync",
"type": "Plonk",
"name": "Zksync",
"description": "Matter Labs Rust implementation of Plonk proving system, originally developed for ZKsync Lite (old ZKsync)."
},
"knownDeployments": [
{
"address": "0x57B09100e6160503aBDEBC76012b6c358eA4e462",
"chain": "ethereum"
}
],
"verificationStatus": "notVerified",
"description": "Custom verifier ID: SHA256 hash of the abi packed array of uint256 obtained from flattening VerificationKey structure returned by getVkAggregated4()"
},
{
"hash": "0xdfd12090ec7d5f3cc8c98dcad49e938e9e33f6807b70679c6bdfe61fdf9fd329",
"name": "ZKsync Lite verifier 8",
"proofSystem": {
"id": "Zksync",
"type": "Plonk",
"name": "Zksync",
"description": "Matter Labs Rust implementation of Plonk proving system, originally developed for ZKsync Lite (old ZKsync)."
},
"knownDeployments": [
{
"address": "0x57B09100e6160503aBDEBC76012b6c358eA4e462",
"chain": "ethereum"
}
],
"verificationStatus": "notVerified",
"description": "Custom verifier ID: SHA256 hash of the abi packed array of uint256 obtained from flattening VerificationKey structure returned by getVkAggregated8()"
}
]
}