This directory contains the Halo2 ZK circuit implementation for the Summa Proof of Solvency protocol.
To build, test and print the circuits, execute
cargo build
cargo test --release --features dev-graph -- --nocapture
The documentation for the circuits can be generated by running
cargo doc --no-deps --open
In order to test the circuits with a real trusted setup, you need to download the powers of tau files. The powers of tau files can be downloaded from https://github.com/han0110/halo2-kzg-srs and placed in a ptau folder. For example, by adding hermez-raw-9 to the ptau folder at root level, the circuit tests will take it as a setup to generate the parameters -> see generate_setup_params in utils. If no ptau folder is found, the tests will generate a new setup from a randomly generated value. This latter approach is not recommended for production.
The benchmarking included the following areas:
- Merkle Sum Tree Generation
- Verification Key Gen for MstInclusion Circuit
- Proving Key Gen for MstInclusion Circuit
- ZK Proof Generation for MstInclusion Circuit
- ZK Proof Verification for MstInclusion Circuit
In order to run the benchmarking, we provide a set of dummy username, balances entries formatted in csv files. The csv files can be downloaded as follows
cd benches
mkdir csv
cd csv
wget https://summa-solvency.s3.eu-central-1.amazonaws.com/csv_files.tar.bz2
tar -xjf csv_files.tar.bz2
The csv folder will contain two subfolder namely one_asset and two_assets. Each folders will contain files named as one_asset_entry_2_17.csv or two_assets_entry_2_5.csv. 2^17 or 2^5 is the number of entries in the file that will be used to feed the merkle sum tree and, eventually, the zk prover. These entries represent the number of users of the exchange.
To run the benches
cargo bench
You can set the following parameters to run the benches:
LEVELS-> the number of entries in the merkle sum tree. By default it is set to 15, which means that the benches will run for 2^15 entries.SAMPLE_SIZE-> the number of samples to run for each bench. By default it is set to 10, which is the minimum allowed by criterion.rsN_ASSETS and PATH_NAME-> the number of assets to be used in the benchmarking. By default it is set to 2. For now you can only switch it between 1 and 2 as these are the only csv folder available. More will be added soon.
Note that the k of the circuit may vary based on the LEVELS
Furthermore the benchmarking function verify_zk_proof_benchmark will also print out the proof size in bytes.
Run on MacBook Pro 2023, M2 Pro, 32GB RAM, 12 cores
Benches run after PR #80 (add solidity verifier). In order to achieve small proof size, to be cheap to verify on-chain. We decreased the RANGE_BITS in which the balances should lie to 64 and reduced the rate of the Poseidon hash function to 1.
2^15 entries (32768) users, 2 assets
| MST init |
|---|
| 2.6274 s (+39.91%) |
For Merkle Sum Tree Proof of Inclusion circuit
| VK Gen | Pk Gen | Proof Generation | Proof Verification | Proof Size (bytes) |
|---|---|---|---|---|
| 172.09 ms (- 3.86%) | 98.160 ms (+55.05%.) | 447.11 ms (+56.80%) | 3.2016 ms (-32.22%) | 1760 (-36.05%) |
For Proof of Solvency circuit
| VK Gen | Pk Gen | Proof Generation | Proof Verification | Proof Size (bytes) |
|---|---|---|---|---|
| 60.968 ms (-21.19%) | 30.850 ms (-12.49%) | 129.37ms (-11.09%) | 3.2417 ms (-28.16%) | 1760 (-36.05%) |
Gas cost to verify proof of solvency
403991 gas units (run cargo test --release test_solvency_on_chain_verifier -- --nocapture)