{
"creator": "Polygon Zero",
"proofSystemInfo": "\n \n ## Description\n\n zkProver is a STARK proving system designed to implement the zkEVM component of Polygon zkEVM. It proves the execution of EVM transactions in a zkVM running on the [zkASM](https://docs.polygon.technology/zkEVM/architecture/zkprover/#zero-knowledge-assembly) ISA. zkProver allows recursive STARK aggregation as well as the final wrap in a [Fflonk](https://hecmas.github.io/talk/fflonk-for-the-polygon-zkevm/) SNARK for efficient onchain verification. The zkProver onchain verifier targets 128 bits of security.\n\n ## Proof system\n\n The zkProver toolkit introduces two new domain-specific languages: zkASM and PIL. zkASM is the instruction language of the internal zkVM, and the execution of EVM transactions is proven with a specific zkASM program called [ROM](https://docs.polygon.technology/zkEVM/architecture/zkprover/main-state-machine/?h=zkevm+rom#the-rom). PIL is a language for creating circuits, conceptually similar to [circom](https://docs.circom.io).\n\n zkProver is based on the [eSTARK paper](https://eprint.iacr.org/2023/474), meaning that it implements a FRI-based STARK with AIR arithmetization extended with additional arguments. It also [provides tools](https://docs.polygon.technology/zkEVM/architecture/zkprover/stark-recursion/composition-recursion-aggregation/#setup-phase) to automatically generate circom arithmetic circuits for verifying the STARK proof, which plays an essential role in proof compression and recursive proving.\n\n ### Polynomial Identity Language (PIL)\n\n The polynomial constraints that define circuits within zkProver are specified using a language called [polynomial identity language](https://github.com/0xPolygon/pilcom) (PIL). PIL supports complicated and powerful polynomial constraints, such as [permutation](https://docs.polygon.technology/zkEVM/spec/pil/permutation-arguments/), [inclusion](https://docs.polygon.technology/zkEVM/spec/pil/inclusion-arguments/) and [connection](https://docs.polygon.technology/zkEVM/spec/pil/connection-arguments/) arguments. PIL was designed to be applicable in other zk tools as well. The next iteration of PIL, called PIL2, can be found [here](https://github.com/0xPolygonHermez/pil2-compiler).\n\n ### State machine\n\n The zkProver state machine (zkVM) consists of [13 separate state machines](https://github.com/0xPolygon/zkevm-prover/tree/main/src/sm) specified in PIL, including the [main SM](https://docs.polygon.technology/zkEVM/architecture/zkprover/main-state-machine/), [arithmetic SM](https://docs.polygon.technology/zkEVM/architecture/zkprover/arithmetic-sm/), [binary SM](https://docs.polygon.technology/zkEVM/architecture/zkprover/binary-sm/), etc. Each state machine creates its own execution trace, which is connected to the rest using a connection argument. The state machine has access to the EVM state trie, EVM memory and the ROM program that implements verification of EVM transactions in the zkASM language.\n\n ### Recursion circuits\n\n The [proving architecture](https://docs.polygon.technology/zkEVM/architecture/zkprover/stark-recursion/proving-architecture/) of zkProver consists of several stages. The compression stage reduces the size of STARK proofs of zkEVM batch execution for efficiency of further computations. The normalization stage prepares for aggregation by correctly aligning public inputs across several batches. The aggregation stage repeatedly joins pairs of STARK proofs to produce a single proof of multiple zkEVM batches. The final STARK stage changes the field over which the proof is generated to prepare for the SNARK wrap. Finally, the SNARK stage produces a Fflonk proof to be posted onchain.\n\n Each recursion step uses a circom R1CS arithmetic circuit to verify input PIL-STARK proofs (see [here](https://docs.polygon.technology/zkEVM/architecture/zkprover/stark-recursion/composition-recursion-aggregation/#stark-to-circuit-or-s2c-sub-process)). The proof of verification is a PIL-STARK that is generated on the Plonkish arithmetization of this circom circuit.\n ",
"techStack": {
"zkVM": [
{
"id": "PIL-STARK",
"type": "STARK",
"name": "PIL-STARK",
"description": "zkVM STARK proving system that works with the Polynomial Identity Language (PIL), developed by the Polygon Zero team."
},
{
"id": "ZkASM",
"type": "ISA",
"name": "zkASM",
"description": "Instruction language for Polygon zkEVM virtual machine."
},
{
"id": "Goldilocks",
"type": "Field",
"name": "Goldilocks",
"description": "Prime field of order p = 2**64 - 2**32 + 1."
}
],
"finalWrap": [
{
"id": "Snarkjs",
"type": "Fflonk",
"name": "Snarkjs",
"description": "Circom / iden3 implementation of the Fflonk improvement over the standard Plonk proving system, written in JS."
},
{
"id": "BN254",
"type": "curve",
"name": "BN254",
"description": "BN254, aka BN256, aka alt_bn128 pairing-friendly 254-bit prime field Weierstrass elliptic curve."
}
]
},
"trustedSetups": [
{
"proofSystem": {
"id": "Snarkjs",
"type": "Fflonk",
"name": "Snarkjs",
"description": "Circom / iden3 implementation of the Fflonk improvement over the standard Plonk proving system, written in JS."
},
"id": "PolygonZkEVM",
"name": "Polygon zkEVM",
"risk": "yellow",
"shortDescription": "Trusted setup for KZG commitments over the BN254 curve used by Polygon zkEVM; it includes 55 participants and is a subset of the Perpetual Powers of Tau ceremony.",
"longDescription": "\n The ceremony uses the first 54 contributions from the [Perpetual Powers of Tau ceremony](https://github.com/privacy-scaling-explorations/perpetualpowersoftau)\n and adds one more contribution, for a total of 55 participants.\n\n - Ceremony used: [https://github.com/privacy-scaling-explorations/perpetualpowersoftau?tab=readme-ov-file](https://github.com/privacy-scaling-explorations/perpetualpowersoftau?tab=readme-ov-file)\n - Public announcement: [https://medium.com/coinmonks/announcing-the-perpetual-powers-of-tau-ceremony-to-benefit-all-zk-snark-projects-c3da86af8377](https://medium.com/coinmonks/announcing-the-perpetual-powers-of-tau-ceremony-to-benefit-all-zk-snark-projects-c3da86af8377)\n - Final data and verification steps in this repo: [https://github.com/iden3/snarkjs/tree/master?tab=readme-ov-file](https://github.com/iden3/snarkjs/tree/master?tab=readme-ov-file)\n "
}
],
"verifierHashes": [
{
"hash": "0x237bc5d6efad6d844534c4a45f5f19fa86344615ac00054821915c219e9abd81",
"proofSystem": {
"id": "Snarkjs",
"type": "Fflonk",
"name": "Snarkjs",
"description": "Circom / iden3 implementation of the Fflonk improvement over the standard Plonk proving system, written in JS."
},
"knownDeployments": [
{
"address": "0x9B9671dB83CfcB4508bF361942488C5cA2b1286D",
"chain": "ethereum"
}
],
"verificationStatus": "notVerified",
"verificationStatus": "successful",
"attesters": [
{
"id": "l2beat",
"name": "L2BEAT",
"link": "https://l2beat.com"
}
],
"verificationSteps": "\nThe verification steps are based on [this guide](https://github.com/agglayer/agglayer-contracts/blob/b9a795523317eca29319f3dca56f7199a117fb78/verifyMainnetDeployment/verifyMainnetProofVerifier.md).\n\n1. Get a machine with at least 512GB of RAM and 32 cores (e.g. an r6a.16xlarge AWS instance). This guide assumes Ubuntu 22.04 LTS.\n\n2. Do basic OS preparation\n\n```bash\nsudo apt update\nsudo apt install -y tmux git curl jq\nsudo apt install -y build-essential libomp-dev libgmp-dev nlohmann-json3-dev libpqxx-dev nasm libgrpc++-dev libprotobuf-dev grpc-proto libsodium-dev uuid-dev libsecp256k1-dev\n```\n\n3. Tweak the OS to accept a high amount of memory\n\n```bash\necho \"vm.max_map_count=655300\" | sudo tee -a /etc/sysctl.conf\nsudo sysctl -w vm.max_map_count=655300\nexport NODE_OPTIONS=\"--max-old-space-size=230000\"\n```\n\n4. Install node, npm and python deps\n\n```bash\ncurl -sL https://deb.nodesource.com/setup_18.x -o nodesource_setup.sh\nsudo bash nodesource_setup.sh\nsudo apt install -y nodejs\nnode -v\nsudo apt install -y python3-pip\npip install z3-solver==4.13.0.0\n```\n\nThe version of node should be 18 (e.g. 18.19.0). Note that hardhat will complain that this node version is not supported by hardhat. It seems to be just a warning and `v24.8.0` produces the same contract bytecode, so maybe it can be ignored.\n\n5. Download and prepare circom\n\n```bash\ncd ~\ngit clone https://github.com/iden3/circom.git\ncd circom\ngit checkout v2.1.8\ngit log --pretty=format:'%H' -n 1\n```\n\nThe hash of the commit should be: f0deda416abe91e5dd906c55507c737cd9986ab5.\n\n```bash\ncurl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh\ncd ~\ncd circom\ncargo build --release\ncargo install --path circom\nexport PATH=$PATH:~/.cargo/bin\necho 'PATH=$PATH:~/.cargo/bin' >> ~/.profile\ncircom --version\n```\n\nThe version of circom should be: 2.1.8.\n\n6. Prepare the fast build constant tree tool and fflonk setup\n\n```bash\ncd ~\ngit clone https://github.com/0xPolygonHermez/zkevm-prover.git\ncd zkevm-prover\ngit checkout v8.0.0-RC9\ngit submodule init\ngit submodule update\nsed -i -E 's|^(SRCS_BCT := .*./src/starkpil/stark_info\\.\\*)|\\1 ./tools/sm/sha256/sha256.cpp ./tools/sm/sha256/bcon/bcon_sha256.cpp|' Makefile\nmake -j bctree fflonk_setup\n```\n\n7. Prepare and launch the setup (zkevm-proverjs). This step is quite long; it takes approximately 4.5 hours.\n\n```bash\ncd ~\ngit clone https://github.com/0xPolygonHermez/zkevm-proverjs.git\ncd zkevm-proverjs\ngit checkout v8.0.0-fork.12\nrm -f package-lock.json\nsed -i -E 's|https://hermez\\.s3-eu-west-1\\.amazonaws\\.com/powersOfTau28_hez_final\\.ptau|https://storage.googleapis.com/zkevm/ptau/powersOfTau28_hez_final.ptau|g' package.json\nnpm install\ntmux -c \"npm run buildsetup --bctree=../zkevm-prover/build/bctree --fflonksetup=../zkevm-prover/build/fflonkSetup --mode=25\"\n```\n\nThe last step generates the `zkevm-proverjs_build_proof_build_final.fflonk.verifier.sol` file, which contains the verification keys that can be checked against the onchain deployment.\n ",
"description": "Custom verifier ID: SHA256 hash of the following values from the verifier smart contract, abi packed in the same order they are defined: verification key data, omegas, verifier preprocessed inputs (all values from k1 to X2y2)."
}
]
}