Lecture 12

zkEVM design, optimization and applications
Guest Lecturer: Ye Zhang
Zero Knowledge Proofs

Instructors: Dan Boneh, Shafi Goldwasser, Dawn Song, Justin Thaler, Yupeng Zhang
What is Scroll?
A scaling solution for Ethereum
2 ZKP MOOC
What is Scroll?
An EVM-equivalent zk-Rollup
3 ZKP MOOC
Outline
• Background & motivation
• Build a zkEVM from scratch
• Interesting research problems
• Other applications using zkEVM
4 ZKP MOOC
The diagram of Layer 1 blockchain
5 ZKP MOOC
root
6 ZKP MOOC
Layer 1
𝑇𝑋!
𝑇𝑋"
……
root
𝑇𝑋#
7 ZKP MOOC
Layer 1
𝑇𝑋!
𝑇𝑋"
……
root
𝑇𝑋#
8 ZKP MOOC
Layer 1
𝑇𝑋!
𝑇𝑋"
……
root
𝑇𝑋#
9 ZKP MOOC
Layer 1
𝑇𝑋!
• Secure
𝑇𝑋"
• Decentralized
……
• Expensive L
𝑇𝑋#
• Slow L
10 ZKP MOOC
Zk-Rollup
Layer 1
Layer 2 data 𝝅
𝑇𝑋!
𝑇𝑋"
…… prover
𝑇𝑋#
11 ZKP MOOC
However, …
Layer 1
Layer 2 data 𝝅
𝑇𝑋!
𝑇𝑋"
…… prover
𝑇𝑋#
12 ZKP MOOC
However, …
Layer 1
Layer 2 data 𝝅 data 𝝅
𝑇𝑋! 𝑇𝑋!
𝑇𝑋" 𝐏𝐫𝐨𝐯𝐞𝐫𝟏 𝐏𝐫𝐨𝐯𝐞𝐫𝟐 𝑇𝑋"
…… ……
𝑇𝑋# 𝑇𝑋#
13 ZKP MOOC
Scroll: a native zkEVM solution
Layer 1
Layer 2 data 𝝅
𝑇𝑋!
• Developer friendly
𝑇𝑋"
• Composability
…… zkEVM
𝑇𝑋#
14 ZKP MOOC
Layer 1
Layer 2 data 𝝅
𝑇𝑋!
• Developer friendly
𝑇𝑋"
• Composability
…… zkEVM • Hard to build L
𝑇𝑋#
• Large proving overhead L
15 ZKP MOOC
Layer 1
Layer 2 data 𝝅
𝑇𝑋!
• Polynomial commitment
𝑇𝑋"
• Lookup + Custom gate
…… zkEVM • Hardware acceleration
𝑇𝑋#
• Recursive proof
16 ZKP MOOC
zkEVM flavors (by Justin Drake)
• Language level
Transpile an EVM-friendly language (Solidity or Yul) to a SNARK-friendly VM which differs from the
EVM. This is the approach of Matter Labs and Starkware.
• Bytecode level
Interpret EVM bytecode directly, though potentially producing different state roots than the EVM, e.g.
if certain implementation-level data structures are replaced with SNARK-friendly alternatives. This is
the approach taken by Scroll, Hermez, and Consensys.
• Consensus level
Target full equivalence with EVM as used by Ethereum L1 consensus. That is, it proves validity of L1
Ethereum state roots. This is part of the "zk-SNARK everything" roadmap for Ethereum.
17 ZKP MOOC
zkEVM flavors (by Justin Drake)
• Language level
Transpile an EVM-friendly language (Solidity or Yul) to a SNARK-friendly VM which differs from the
EVM. This is the approach of Matter Labs and Starkware.
• Bytecode level
Interpret EVM bytecode directly, though potentially producing different state roots than the EVM, e.g.
if certain implementation-level data structures are replaced with SNARK-friendly alternatives. This is
the approach taken by Scroll, Hermez, and Consensys.
• Consensus level
Target full equivalence with EVM as used by Ethereum L1 consensus. That is, it proves validity of L1
Ethereum state roots. This is part of the "zk-SNARK everything" roadmap for Ethereum.
18 ZKP MOOC
Outline
19 ZKP MOOC
The workflow of zero-knowledge proof
Program Constraints Proof
R1CS Polynomial IOP

Plonkish +
AIR PCS
R1CS Polynomial IOP

Plonkish +
AIR PCS
R1CS Plonk IOP

Plonkish +
AIR KZG
Let’s start with R1CS
𝒘
𝒘11 𝒘
𝒘𝟐𝟐 𝒘
𝒘𝟑𝟑 𝒘
𝒘𝟒𝟒 𝒘
𝒘𝟓𝟓 𝒘𝒏 − ……
𝟏 𝒘𝒏 𝒘𝒏 − 𝟏 𝒘𝒏
𝒘
𝒘11 𝒘
𝒘𝟐𝟐 𝒘
𝒘𝟑𝟑 𝒘
𝒘𝟒𝟒 𝒘
𝒘𝟓𝟓 𝒘𝒏 − ……
𝑎# 𝑤# + ⋯ + 𝑎$ 𝑤$ ∗ 𝑏# 𝑤# + ⋯ + 𝑏$ 𝑤$ == 𝑐# 𝑤# + ⋯ + 𝑐$ 𝑤$
𝒘
𝒘11 𝒘
𝒘𝟐𝟐 𝒘
𝒘𝟑𝟑 𝒘
𝒘𝟒𝟒 𝒘
𝒘𝟓𝟓 𝒘𝒏 − ……
𝑎# 𝑤# + ⋯ + 𝑎$ 𝑤$ ∗ 𝑏# 𝑤# + ⋯ + 𝑏$ 𝑤$ == 𝑐# 𝑤# + ⋯ + 𝑐$ 𝑤$
2𝑤# + 1 ∗ 3𝑤# + 4𝑤% == 𝑤$&% + 2

𝑤' + 2 ∗ 𝑤( == 𝑤$ + 1
……
……
𝒘
𝒘11 𝒘
𝒘𝟐𝟐 𝒘
𝒘𝟑𝟑 𝒘
𝒘𝟒𝟒 𝒘
𝒘𝟓𝟓 𝒘𝒏 − ……
𝒊𝒏𝒑𝒖𝒕𝟎 𝒊𝒏𝒑𝒖𝒕𝟏 𝒊𝒏𝒑𝒖𝒕𝟐 𝒗𝒂𝟏 𝒗𝒃𝟏 …… 𝒗𝒄𝟏 𝒗𝒅𝟏
𝑎# 𝑤# + ⋯ + 𝑎$ 𝑤$ ∗ 𝑏# 𝑤# + ⋯ + 𝑏$ 𝑤$ == 𝑐# 𝑤# + ⋯ + 𝑐$ 𝑤$
2𝑤# + 1 ∗ 3𝑤# + 4𝑤% == 𝑤$&% + 2

𝑤' + 2 ∗ 𝑤( == 𝑤$ + 1
……
……
I know a vector {input, va, vb, vc, …} that satisfies all those constraints
Plonkish Arithmetization
a0 a1 a2 a3 a4 T0 T1 T2 T3 T4
witness Table 1 Table 2
27 ZKP MOOC
Plonkish Arithmetization
a0 a1 a2 a3 a4 T0 T1 T2 T3 T4
𝒊𝒏𝒑𝒖𝒕𝟎 𝒊𝒏𝒑𝒖𝒕𝟏 𝒊𝒏𝒑𝒖𝒕" 𝒐𝒖𝒕𝒑𝒖𝒕

𝒗𝒂𝟏 𝒗𝒃𝟏 𝒗𝒄𝟏 𝒗𝒅𝟏
𝒗𝒂𝟐 𝒗𝒃𝟐 𝒗𝒄𝟐 𝒗𝒅𝟐
𝒗𝒂𝟑 𝒗𝒃𝟑 𝒗𝒄𝟑 𝒗𝒅𝟑
𝒗𝒂𝟒 𝒗𝒃𝟒 𝒗𝒄𝟒 …… 𝒗𝒅𝟒
𝒗𝒂𝟓 𝒗𝒃𝟓 𝒗𝒄𝟓 𝒗𝒅𝟓

𝒗𝒂𝟔 𝒗𝒃𝟔 𝒗𝒄𝟔 𝒗𝒅𝟔
𝒗𝒂𝟕 𝒗𝒃𝟕 𝒗𝒄𝟕 𝒗𝒅𝟕

28 ZKP MOOC
Plonkish Arithmetization – Custom gate
a0 a1 a2 a3 a4 T0 T1 T2 T3 T4


𝒗𝒂𝟑 ∗ 𝒗𝒃𝟑 ∗ 𝒗𝒄𝟑 − 𝒗𝒃𝟒 = 𝟎

29 ZKP MOOC
a0 a1 a2 a3 a4 T0 T1 T2 T3 T4


𝒗𝒂𝟑 ∗ 𝒗𝒃𝟑 ∗ 𝒗𝒄𝟑 − 𝒗𝒃𝟒 = 𝟎

• High degree
𝒗𝒂𝟕 𝒗𝒃𝟕 𝒗𝒄𝟕 𝒗𝒅𝟕 • More customized
30 ZKP MOOC
a0 a1 a2 a3 a4 T0 T1 T2 T3 T4


𝒗𝒃𝟏 ∗ 𝒗𝒄𝟏 + 𝒗𝒄𝟐 − 𝒗𝒄𝟑 = 𝟎

• High degree
31 ZKP MOOC
a0 a1 a2 a3 a4 T0 T1 T2 T3 T4


𝒗𝒄𝟏 + 𝒗𝒂𝟐 ∗ 𝒗𝒃𝟒 − 𝒗𝒄𝟒 = 𝟎

• High degree
32 ZKP MOOC
Plonkish Arithmetization – Permutation
a0 a1 a2 a3 a4 T0 T1 T2 T3 T4


𝒗𝒃𝟒 = 𝒗𝒄𝟔 = 𝒗𝒃𝟔 = 𝒗𝒂𝟔

33 ZKP MOOC
Plonkish Arithmetization – Lookup argument
a0 a1 a2 a3 a4 T0 T1 T2 T3 T4


𝒗𝒂𝟔 𝒗𝒃𝟔 𝒗𝒄𝟔 𝒗𝒅𝟔 𝒗𝒂𝟕 , 𝒗𝒃𝟕 , 𝒗𝒄𝟕 ∈ (𝑻𝟎 , 𝑻𝟏 , 𝑻𝟐 )
𝒗𝒂𝟕 𝒗𝒃𝟕 𝒗𝒄𝟕 Lookup
𝒗𝒅𝟕
34 ZKP MOOC
a0 a1 a2 a3 a4 T0 T1 T2 T3 T4
𝒊𝒏𝒑𝒖𝒕𝟎 𝒊𝒏𝒑𝒖𝒕𝟏 𝒊𝒏𝒑𝒖𝒕" 𝒐𝒖𝒕𝒑𝒖𝒕 𝟎𝟎𝟎𝟎

𝒗𝒂𝟏 𝒗𝒃𝟏 𝒗𝒄𝟏 𝒗𝒅𝟏 𝟎𝟎𝟎𝟏
𝒗𝒂𝟐 𝒗𝒃𝟐 𝒗𝒄𝟐 𝒗𝒅𝟐 𝟎𝟎𝟏𝟎
𝒗𝒂𝟑 𝒗𝒃𝟑 𝒗𝒄𝟑 𝒗𝒅𝟑 𝟎𝟎𝟏𝟏 𝒗𝒄𝟕 ∈ [𝟎, 𝟏𝟓]
𝒗𝒂𝟒 𝒗𝒃𝟒 𝒗𝒄𝟒 …… 𝒗𝒅𝟒 𝟎𝟏𝟎𝟎
𝒗𝒂𝟓 𝒗𝒃𝟓 𝒗𝒄𝟓 𝒗𝒅𝟓 𝟎𝟏𝟎𝟏

𝒗𝒂𝟔 𝒗𝒃𝟔 𝒗𝒄𝟔 𝒗𝒅𝟔 ……
𝒗𝒅𝟕 𝟏𝟏𝟎𝟏
𝒗𝒂𝟔 𝒗𝒃𝟔 𝒗𝒄𝟔 𝒗𝒅𝟔 𝟏𝟏𝟏𝟎
𝒗𝒂𝟕 𝒗𝒃𝟕 𝒗𝒄𝟕 𝒗𝒅𝟕 𝟏𝟏𝟏𝟏
35 ZKP MOOC
a0 a1 a2 a3 a4 T0 T1 T2 T3 T4
𝒊𝒏𝒑𝒖𝒕𝟎 𝒊𝒏𝒑𝒖𝒕𝟏 𝒊𝒏𝒑𝒖𝒕" 𝒐𝒖𝒕𝒑𝒖𝒕 𝟎𝟎𝟎𝟎 𝟎𝟎𝟎𝟎 𝟎𝟎𝟎𝟎

𝒗𝒂𝟏 𝒗𝒃𝟏 𝒗𝒄𝟏 𝒗𝒅𝟏 𝟎𝟎𝟎𝟎 𝟎𝟎𝟎𝟏 𝟎𝟎𝟎𝟏
𝒗𝒂𝟐 𝒗𝒃𝟐 𝒗𝒄𝟐 𝒗𝒅𝟐 𝟎𝟎𝟎𝟎 𝟎𝟎𝟏𝟎 𝟎𝟎𝟏𝟎
𝒗𝒂𝟑 𝒗𝒃𝟑 𝒗𝒄𝟑 𝒗𝒅𝟑 𝟎𝟎𝟎𝟎 𝟎𝟎𝟏𝟏 𝟎𝟎𝟏𝟏 𝒗𝒄𝟕 ∈ [𝟎, 𝟏𝟓]
𝒗𝒂𝟒 𝒗𝒃𝟒 𝒗𝒄𝟒 …… 𝒗𝒅𝟒 𝟎𝟎𝟎𝟎 𝟎𝟏𝟎𝟎 𝟎𝟏𝟎𝟎
𝒗𝒂𝟕 ⊕ 𝒗𝒃𝟕 = 𝒗𝒄𝟕
𝒗𝒂𝟓 𝒗𝒃𝟓 𝒗𝒄𝟓 𝒗𝒅𝟓 𝟎𝟎𝟎𝟎 𝟎𝟏𝟎𝟏 𝟎𝟏𝟎𝟏
𝒗𝒂𝟔 𝒗𝒃𝟔 𝒗𝒄𝟔 𝒗𝒅𝟔 …… …… ……
𝒗𝒅𝟕 𝟏𝟏𝟏𝟏 𝟏𝟏𝟎𝟏 𝟎𝟎𝟏𝟎
𝒗𝒂𝟔 𝒗𝒃𝟔 𝒗𝒄𝟔 𝒗𝒅𝟔 𝟏𝟏𝟏𝟏 𝟏𝟏𝟏𝟎 𝟎𝟎𝟎𝟏
𝒗𝒂𝟕 𝒗𝒃𝟕 𝒗𝒄𝟕 𝒗𝒅𝟕 𝟏𝟏𝟏𝟏 𝟏𝟏𝟏𝟏 𝟎𝟎𝟎𝟎
36 ZKP MOOC
a0 a1 a2 a3 a4 T0 T1 T2 T3 T4
𝒊𝒏𝒑𝒖𝒕𝟎 𝒊𝒏𝒑𝒖𝒕𝟏 𝒊𝒏𝒑𝒖𝒕" 𝒐𝒖𝒕𝒑𝒖𝒕 𝟎𝟎𝟎𝟎 𝟎𝟎𝟎𝟎 𝟎𝟎𝟎𝟎

𝒗𝒂𝟏 𝒗𝒃𝟏 𝒗𝒄𝟏 𝒗𝒅𝟏 𝟎𝟎𝟎𝟎 𝟎𝟎𝟎𝟏 𝟎𝟎𝟎𝟏
𝒗𝒂𝟐 𝒗𝒃𝟐 𝒗𝒄𝟐 𝒗𝒅𝟐 𝟎𝟎𝟎𝟎 𝟎𝟎𝟏𝟎 𝟎𝟎𝟏𝟎
𝒗𝒂𝟑 𝒗𝒃𝟑 𝒗𝒄𝟑 𝒗𝒅𝟑 𝟎𝟎𝟎𝟎 𝟎𝟎𝟏𝟏 𝟎𝟎𝟏𝟏 𝒗𝒄𝟕 ∈ [𝟎, 𝟏𝟓]
𝒗𝒂𝟒 𝒗𝒃𝟒 𝒗𝒄𝟒 …… 𝒗𝒅𝟒 𝟎𝟎𝟎𝟎 𝟎𝟏𝟎𝟎 𝟎𝟏𝟎𝟎
𝒗𝒂𝟕 ⊕ 𝒗𝒃𝟕 = 𝒗𝒄𝟕
𝒗𝒂𝟓 𝒗𝒃𝟓 𝒗𝒄𝟓 𝒗𝒅𝟓 𝟎𝟎𝟎𝟎 𝟎𝟏𝟎𝟏 𝟎𝟏𝟎𝟏
𝒗𝒂𝟔 𝒗𝒃𝟔 𝒗𝒄𝟔 𝒗𝒅𝟔 …… …… …… 𝐑𝐀𝐌 𝐨𝐩𝐞𝐫𝐚𝐭𝐢𝐨𝐧
𝒗𝒅𝟕 𝟏𝟏𝟏𝟏 𝟏𝟏𝟎𝟏 𝟎𝟎𝟏𝟎
𝒗𝒂𝟔 𝒗𝒃𝟔 𝒗𝒄𝟔 𝒗𝒅𝟔 𝟏𝟏𝟏𝟏 𝟏𝟏𝟏𝟎 𝟎𝟎𝟎𝟏
𝒗𝒂𝟕 𝒗𝒃𝟕 𝒗𝒄𝟕 𝒗𝒅𝟕 𝟏𝟏𝟏𝟏 𝟏𝟏𝟏𝟏 𝟎𝟎𝟎𝟎
37 ZKP MOOC
Plonkish Arithmetization – Constraints
a0 a1 a2 a3 a4 T0 T1 T2 T3 T4

𝒗𝒂𝟏 𝒗𝒃𝟏 𝒗𝒄𝟏 𝒗𝒅𝟏 𝒗𝒃𝟏 ∗ 𝒗𝒄𝟏 + 𝒗𝒄𝟐 − 𝒗𝒄𝟑 = 𝟎
𝒗𝒂𝟑 ∗ 𝒗𝒃𝟑 ∗ 𝒗𝒄𝟑 − 𝒗𝒃𝟒 = 𝟎
𝒗𝒃𝟒 + 𝒗𝒄𝟔 ∗ 𝒗𝒃𝟔 − 𝒗𝒂𝟔 = 𝟎
𝒗𝒂𝟓 𝒗𝒃𝟓 𝒗𝒄𝟓 𝒗𝒅𝟓 ……

𝒗𝒂𝟔 𝒗𝒃𝟔 𝒗𝒄𝟔 𝒗𝒅𝟔 𝒗𝒃𝟒 = 𝒗𝒄𝟔 = 𝒗𝒃𝟔 = 𝒗𝒂𝟔
𝒗𝒂𝟕
𝒗𝒂𝟔
𝒗𝒃𝟕
𝒗𝒃𝟔
𝒗𝒄𝟕
𝒗𝒄𝟔
𝒗𝒅𝟕
𝒗𝒅𝟔
……
𝒗𝒂𝟕 𝒗𝒃𝟕 𝒗𝒄𝟕 𝒗𝒅𝟕 𝒗𝒂𝟕 , 𝒗𝒃𝟕 , 𝒗𝒄𝟕 ∈ (𝑻𝟎 , 𝑻𝟏 , 𝑻𝟐 )
38 ZKP MOOC
How should we choose “front-end”?
Computation
𝑆𝑡𝑎𝑡𝑒 𝑟𝑜𝑜𝑡
Ethereum Virtual Machine (EVM)
Stack
𝑇𝑋!
State Machine
Memory
𝑇𝑋"
……
𝑇𝑋#
Storage bytecode
Computation
• EVM word size is 256bit
• Efficient range proof
• EVM has zk-unfriendly opcodes
Stack
State Machine • Efficient way to connect circuits
𝑇𝑋!
Memory
• Read & Write consistency
𝑇𝑋"
……
• Efficient mapping
𝑇𝑋# • EVM has a dynamic execution trace

Storage bytecode
• Efficient on/off selectors
Computation
Stack
𝑇𝑋!
Memory
𝑇𝑋"
……

Storage bytecode
Computation
Stack
𝑇𝑋!
Memory
𝑇𝑋"
……

Storage bytecode
What you need to prove
World State (t)

Root
Transaction:
{
from: "0xEA674fdDe714fd979de3EdF0F56AA9716B898ec8",
to: "0xac03bb73b6a9e108530aff4df5077c2b3d481e5a",
gasLimit: "21000", maxFeePerGas: "300",
maxPriorityFeePerGas: "10", nonce: "0",
value: "10000000000"
}
43 ZKP MOOC
World State (t) Computation

Root
EVM bytecode
State Stack
Machine Memory Storage
Transaction:
{
value: "10000000000"
}
44 ZKP MOOC
World State (t) Computation Execution trace

Root Step Opcode
0 PUSH1 80
EVM bytecode
1 PUSH1 40
State Stack
2 MSTORE
Machine Memory Storage 3 CALLVALUE
Transaction:
{
from: "0xEA674fdDe714fd979de3EdF0F56AA9716B898ec8", ... ...
maxPriorityFeePerGas: "10", nonce: "0", n RETURN
value: "10000000000"
}
World State (t+1)

Root’
45 ZKP MOOC

Root Step Opcode
0 PUSH1 80
EVM bytecode
1 PUSH1 40
State Stack
2 MSTORE
Transaction:
{
value: "10000000000"
spec
}
World State (t+1)

Root’
zkEVM
46 ZKP MOOC

Root Step Opcode
0 PUSH1 80
EVM bytecode
1 PUSH1 40
State Stack
2 MSTORE
Transaction:
{
value: "10000000000"
spec
}
World State (t+1)

input data Root’
zkEVM
47 ZKP MOOC

Root Step Opcode
0 PUSH1 80
EVM bytecode
1 PUSH1 40
State Stack
2 MSTORE
Transaction:
{
value: "10000000000"
spec
}
prove
World State (t+1)
input data Root’
zkEVM
48 ZKP MOOC
EVM circuit
Step 1
Execution trace
step opcode
1 PUSH1 80 Step 2
2 PUSH1 40
3 ADD
... ...
Step 3
... ...
n RETURN
...
Step n
49 ZKP MOOC
EVM circuit
Step 1
Execution trace
step opcode
1 PUSH1 80 Step 2
2 PUSH1 40
3 ADD step context
... ... case switch

... ...
n RETURN opcode specific witness
...
Step n
50 ZKP MOOC
EVM circuit
• Step context
Step 1
Execution trace • Codehash
step opcode • Gas left
1 PUSH1 80 Step 2 • Program counter, Stack pointer
2 PUSH1 40
Codehash gas PC SP root
3 ADD
... ... case switch
... ...
...
Step n
51 ZKP MOOC
EVM circuit
• Step context
Step 1
2 PUSH1 40
3 ADD Codehash gas PC SP root • Case switch
... ...
sADD sSUB sMUL …… …… ……
• Select opcodes & error cases
... ...
sErr1 sErr2 sErr3 …… …… ……
• Exactly one is switched on
...
Step n
52 ZKP MOOC
EVM circuit
• Step context
Step 1
2 PUSH1 40
3 ADD Codehash gas PC SP root • Case switch
... ...
• Select opcodes & error cases
... ...
sErr1 sErr2 sErr3 …… …… ……
• Exactly one is switched on
a_lo a_hi b_lo b_hi c_lo c_hi
n RETURN …… …… …… …… …… ……
• Opcode specific witness
...
• Extra witness used for opcodes
• i.e. operands, carry, limbs, …
Step n
53 ZKP MOOC
EVM circuit - ADD
• Step context
Step 1
sADD * (pc’ – pc – 1) == 0
sADD * (sp’ – sp – 1) == 0
Step 2 sADD * (gas’ – gas – 3) == 0
Codehash gas PC SP root • Case switch

sADD * (1 – sADD) == 0
sErr1 sErr2step
sErr3context
…… …… ……
sMUL * (1 – sMUL) == 0
…… …… …… …… …… ……
...
sADD + sMUL + ... + sERRk == 1
codehash’ gas’ PC’ SP’ root’
Step n sADD*(a_lo+b_lo-c_lo – carry0* 2^128)== 0

sADD*(a_hi+b_hi+carry0-c_hi – carry1*2^128)== 0
54 ZKP MOOC
EVM circuit - ADD
Step 1
idx tag addr R/W value
1 STACK 1023 1 …
Step 2
5 STACK 1022 0 word_a
sADD sSUB sMUL …… …… …… 6 STACK 1023 0 word_b
sErr1 sErr2step
sErr3context
…… …… ……
7 STACK 1023 1 word_c
…… …… …… …… …… …… … STACK … … …
... … MEMORY 0x40 1 …
… MEMORY … … …
Step n … STORAGE … … …
55 ZKP MOOC
EVM circuit - ADD
Step 1
idx tag addr R/W value
1 STACK 1023 1 …
Step 2
5 STACK 1022 0 word_a
sADD sSUB sMUL …… …… …… 6 STACK 1023 0 word_b
sErr2step
sErr3context
sErr1
a_lo a_hi b_lo
…… ……
b_hi c_lo
……
c_hi
7 STACK 1023 1 word_c RAM circuit
…… …… …… …… …… …… … STACK … … …
... … MEMORY 0x40 1 …
… MEMORY … … …
Step n … STORAGE … … …
56 ZKP MOOC
EVM circuit - Hash
Step 1
Step 2
step context
case switch
Hash
input Hash(input) lookup
... table
Step n
57 ZKP MOOC
EVM circuit - Hash
Step 1
Step 2
step context
case switch
Hash
input Hash(input) lookup Hash circuit
... table
Step n
58 ZKP MOOC
The architecture of zkEVM circuits
EVM circuit
circuit constrain
lookup lookup
table
59 ZKP MOOC
EVM circuit
bitwise opcodes,
range check
stack/memory/etc. pc,opcode transaction & block context
SHA3
Bytecode Transaction Block context

Fixed table Keccak table RAM table
table table table
circuit constrain
lookup lookup
table
60 ZKP MOOC
EVM circuit
bitwise opcodes,
range check
stack/memory/etc. pc,opcode transaction & block context
SHA3
Bytecode Transaction Block context

Fixed table Keccak table RAM table
table table table
Keccak Bytecode Transaction Block

MPT circuit RAM circuit
circuit circuit circuit circuit
circuit constrain Signature ECDSA

table circuit
lookup lookup
table
61 ZKP MOOC
Plonk IOP
R1CS
+
Plonkish
KZG
AIR
The proof system for zkEVM
zkEVM
EVM Circuit
RAM Circuit
Storage Circuit
Other Circuits
The proof system for zkEVM
zkEVM
EVM Circuit
RAM Circuit
Aggregation
Circuit
Storage Circuit
Other Circuits
Two-layer architecture
zkEVM
• The first layer needs to handle large computation
• Custom gate, Lookup support (“expressive”, customized)
EVM Circuit
• Hardware friendly prover (parallelizable, low peak memory)
• The verification circuit is small
RAM Circuit
Aggregation • Transparent or Universal trusted setup
Circuit
Storage Circuit
• Some promising candidates
• Plonky2/Starky /eSTARK
• Halo2/Halo2-KZG
Other Circuits
• New IOP without FFTs (i.e. HyperPlonk, Plonk without FFT)
• If Spartan/Virgo/… (sumcheck based) or Nova can support Plonkish
zkEVM
• The second layer needs to be verifier efficient (in EVM)
• Proof is efficiently verifiable on EVM (small proof, low gas cost)
EVM Circuit
• Prove the verification circuit of the former layer efficiently
• Ideally, hardware friendly prover
RAM Circuit
Aggregation • Ideally, transparent or universal trusted setup
Circuit
Storage Circuit
• Some promising candidates
• Groth16
• Plonk with very few columns
Other Circuits
• KZG/Fflonk/Keccak FRI (larger code rate)
zkEVM
• The first layer is Halo2-KZG (Poseidon hash transcript)
• Custom gate, Lookup support
EVM Circuit
• Good enough prover performance (GPU prover)
• The verification circuit is “small”
RAM Circuit
Aggregation • Universal trusted setup
Circuit
Storage Circuit
• The second layer is Halo2-KZG (Keccak hash transcript)
• Custom gate, Lookup support (express non-native efficiently)
• Good enough prover performance (GPU prover)
Other Circuits
• The final verification cost can be configured to be really small
The layout
zkEVM
• The first layer needs to be “expressive”
• EVM circuit has 116 columns, 2496 custom gates, 50 lookups
EVM Circuit
• Highest custom gate degree: 9
• For 1M gas, EVM circuit needs 2^18 rows (more gas, more rows)
RAM Circuit
Aggregation
Circuit
Storage Circuit • The second layer needs to aggregate proofs into one proof
• Aggregation circuit has 23 columns, 1 custom gate, 7 lookups
• Highest custom gate degree: 5
Other Circuits
• For aggregating EVM, RAM, Storage circuits, it needs 2^25 rows
68 ZKP MOOC
The performance
zkEVM
• Our GPU prover optimization
• MSM, NTT and quotient kernel
EVM Circuit
• Pipeline and overlap CPU and GPU computation
• Multi-card implementation, memory optimization
RAM Circuit
Aggregation
Circuit • The Performance
Storage Circuit
• For EVM circuit
• CPU prover takes 270.5s, GPU prover takes 30s (9x speedup!)
Other Circuits
• For Aggregation circuit
• CPU prover takes 2265s, GPU prover takes 149s (15x speedup!)
• For 1M gas, first layer takes 2 minutes, second layer takes 3 minutes
69 ZKP MOOC
Outline
70 ZKP MOOC
Circuit - Randomness
Step 1
Step 2
step context
case switch
opcode specific witness
...
Step n
71 ZKP MOOC
Step 1 • Break down 256-bit word into 32 8-bit limbs.

𝐴 = 𝑎! + 𝑎" ∗ 256 + 𝑎# ∗ 256# + ⋯ + 𝑎$" ∗ 256$"
Step 2
step context
case switch
a_0 a_1 …… a_30 a_31
...
Step n
72 ZKP MOOC

𝐴 = 𝑎! + 𝑎" ∗ 256 + 𝑎# ∗ 256# + ⋯ + 𝑎$" ∗ 256$"
Step 2 • Encode EVM word using RLC (Random Linear Combination)

𝐴%&' ≡ 𝑎! + 𝑎" ∗ 𝜃 + 𝑎# ∗ 𝜃# + ⋯ + 𝑎$" ∗ 𝜃$" (mod 𝐹( )
step context
case switch
a_0 a_1 …… a_30 a_31 RLC
...
Step n
73 ZKP MOOC

𝐴 = 𝑎! + 𝑎" ∗ 256 + 𝑎# ∗ 256# + ⋯ + 𝑎$" ∗ 256$"

𝐴%&' ≡ 𝑎! + 𝑎" ∗ 𝜃 + 𝑎# ∗ 𝜃# + ⋯ + 𝑎$" ∗ 𝜃$" (mod 𝐹( )
step context
case switch • 𝜃 should be computed after 𝑎8 , … , 𝑎9: are fixed

a_0 a_1 …… a_30 a_31 RLC • Multi-phase prover: synthesis part of witness, derive witness
...
Step n
74 ZKP MOOC

𝐴 = 𝑎! + 𝑎" ∗ 256 + 𝑎# ∗ 256# + ⋯ + 𝑎$" ∗ 256$"

𝐴%&' ≡ 𝑎! + 𝑎" ∗ 𝜃 + 𝑎# ∗ 𝜃# + ⋯ + 𝑎$" ∗ 𝜃$" (mod 𝐹( )
step context

... • RLC is useful in many places

• Compress EVM word into one value
Step n • Encode dynamic length input
• Lookup layout optimization
75 ZKP MOOC

𝐴 = 𝑎! + 𝑎" ∗ 256 + 𝑎# ∗ 256# + ⋯ + 𝑎$" ∗ 256$"

𝐴%&' ≡ 𝑎! + 𝑎" ∗ 𝜃 + 𝑎# ∗ 𝜃# + ⋯ + 𝑎$" ∗ 𝜃$" (mod 𝐹( )
step context

... • RLC is useful in many places, remove it?

• Compress EVM word into one value à high, low for EVM word
Step n • Encode dynamic length input à fixed chunk, dynamic times
• Lookup layout optimization
76 ZKP MOOC
Circuit - Layout
Step 1
Execution trace
step opcode
1 PUSH1 80 Step 2
2 PUSH1 40
3 ADD
... ...
Step 3
... ...
n RETURN
...
Step n
77 ZKP MOOC
Circuit - Layout
Execution trace
Step 1 • The execution trace is dynamic
step opcode à enable different constraints
1 PUSH1 80 Step 2 à permutation is not fixed
2 PUSH1 40
3 ADD
à hard to use standard gates
... ...
Step 3
... ...
n RETURN
...
Step n
78 ZKP MOOC
Circuit - Layout
Execution trace
Step 1 • The execution trace is dynamic
step opcode à enable different constraints
1 PUSH1 80 Step 2 à permutation is not fixed
2 PUSH1 40
3 ADD
à hard to use standard gates
... ...
Step 3
... ...
• Better way to layout?
n RETURN
• We have 2000+ custom gates
...
• Different rotation to access cells

Step n
79 ZKP MOOC
Circuit - Dynamic size
Step 1 Precompile
Execution trace
circuit
step opcode
1 PUSH1 80 Step 2 Hash
2 PUSH1 40
circuit
3 ADD
... ...
Step 3
... ...
n RETURN
...
Step n
80 ZKP MOOC
Step 1 Precompile
Execution trace
circuit
step opcode
1 PUSH1 80 Step 2 Hash
2 PUSH1 40
circuit
3 ADD
... ...
Step 3
... ...
n RETURN
...
Step n
81 ZKP MOOC
Step 1
Execution trace • Some bad influences
step opcode
i.e. Maximum number of Keccaks
1 PUSH1 80 Step 2
2 PUSH1 40
• i.e. Mload is more costly (more rows)
3 ADD i.e. Pay larger proving cost for padding
... ...
Step 3
... ...
n RETURN • Can we make zkEVM dynamic?
...
Step n
82 ZKP MOOC
Prover – Hardware & Algorithm
EVM Circuit
RAM Circuit
Aggregation
Circuit
Storage Circuit
Other Circuits
83 ZKP MOOC
• Our prover
EVM Circuit
• GPU can make MSM & NTT really fast
Bottleneck moves to witness generation & data copy
RAM Circuit • Need large CPU memory (1TB -> 300GB+)
Aggregation
Circuit
Storage Circuit • Hardware friendly prover?
• Parallelizable & Low peak memory
Other Circuits • Don’t ignore the witness generation

• Run on cheap machines, more decentralized
84 ZKP MOOC
• Best way to compose different proof system?
EVM Circuit
• The first layer needs to be “expressive”
• The second layer needs to be verifier efficient (in EVM)
RAM Circuit • Should we move to smaller field?
Aggregation (Breakdown/FRI with Goldilocks, Mersenne prime)
Circuit
Storage Circuit • Should we stick to EC-based constructions?
(SuperNova, Cyclic elliptic curve with fast MSM)
Other Circuits • More options waiting for you à Reach out to us!
85 ZKP MOOC
Security – Audit & Soundness
Screenshot From Vitalik
86 ZKP MOOC
Security – Audit & Soundness
• The best way to audit zkEVM circuit?

(In general, VM circuit based on IR)
• Audit Manually
• Formal verification for some opcodes
87 ZKP MOOC
Outline
88 ZKP MOOC
Applications – zkRollup
Layer 1
Layer 2 data 𝝅
𝑇𝑋!
• Prove n Txs on layer 2 are valid
𝑇𝑋"
• Verify proof in smart contract
…… zkEVM
𝑇𝑋#
89 ZKP MOOC
Application - Enshrine blockchain
Layer 1
𝑇𝑋!
𝑇𝑋"
……
𝑇𝑋#
90 ZKP MOOC
𝝅 𝝅 𝝅 𝝅 𝝅
Layer 1
• Prove layer 1 block directly

𝑇𝑋!
𝑇𝑋"
……
𝑇𝑋#
91 ZKP MOOC
𝝅 𝝅 𝝅 𝝅 𝝅
Layer 1
• Prove layer 1 block directly

• Recursive proof
• One proof for blockchain
92 ZKP MOOC
Applications – Proof of exploit
World State (t) Computation

Root
World State (t+1)
EVM bytecode Root’
State Stack
Machine Memory Storage
Transaction:
{
value: "10000000000"
}
• Prove I know a Tx that can change the state root to state root’
(Prove I know a bug that can change your balance, etc)
93 ZKP MOOC
Applications – Attestation (”zk oracle”)
Layer 1
Verify proofs on-chain
• Read state, compute and verify

World State (t)
Root i.e. Axiom (a zk co-processor)
ZK circuits
Trustlessly read historic on-chain data

(Need state proof of zkEVM)
94 ZKP MOOC
Finally, …
• We are building cool things at Scroll!

• Scroll is a general purpose scaling solution for Ethereum based on zkRollup
• Building a native zkEVM using very advanced circuit arithmetization + proof system
• Building fast prover through hardware acceleration (GPU in production) + proof recursion
• We are live on the testnet with a production-level robust infrastructure
• There are a bunch of interesting problems to be solved!

• Protocol design and mechanism design
• Zk engineer & research for practical efficiency
95 ZKP MOOC
Thank you!
@yezhang1998
96 ZKP MOOC
Credit: Faithie/Shutterstock

Lecture 12

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Lecture 12

Uploaded by

Copyright:

Available Formats

zkEVM design, optimization and applications

Guest Lecturer: Ye Zhang

Zero Knowledge Proofs

• Background & motivation

• Build a zkEVM from scratch

• Interesting research problems

• Other applications using zkEVM

Layer 2 data 𝝅 data 𝝅

𝑇𝑋" 𝐏𝐫𝐨𝐯𝐞𝐫𝟏 𝐏𝐫𝐨𝐯𝐞𝐫𝟐 𝑇𝑋"

• Background & motivation

• Build a zkEVM from scratch

• Interesting research problems

• Other applications using zkEVM

Program Constraints Proof

R1CS Polynomial IOP

Program Constraints Proof

R1CS Polynomial IOP

Program Constraints Proof

R1CS Plonk IOP

2𝑤# + 1 ∗ 3𝑤# + 4𝑤% == 𝑤$&% + 2

2𝑤# + 1 ∗ 3𝑤# + 4𝑤% == 𝑤$&% + 2

witness Table 1 Table 2

𝒊𝒏𝒑𝒖𝒕𝟎 𝒊𝒏𝒑𝒖𝒕𝟏 𝒊𝒏𝒑𝒖𝒕" 𝒐𝒖𝒕𝒑𝒖𝒕

𝒗𝒂𝟒 𝒗𝒃𝟒 𝒗𝒄𝟒 …… 𝒗𝒅𝟒

𝒗𝒂𝟓 𝒗𝒃𝟓 𝒗𝒄𝟓 𝒗𝒅𝟓

𝒗𝒂𝟕 𝒗𝒃𝟕 𝒗𝒄𝟕 𝒗𝒅𝟕

witness Table 1 Table 2

𝒊𝒏𝒑𝒖𝒕𝟎 𝒊𝒏𝒑𝒖𝒕𝟏 𝒊𝒏𝒑𝒖𝒕" 𝒐𝒖𝒕𝒑𝒖𝒕

𝒗𝒂𝟒 𝒗𝒃𝟒 𝒗𝒄𝟒 …… 𝒗𝒅𝟒

𝒗𝒂𝟓 𝒗𝒃𝟓 𝒗𝒄𝟓 𝒗𝒅𝟓

𝒗𝒂𝟕 𝒗𝒃𝟕 𝒗𝒄𝟕 𝒗𝒅𝟕

witness Table 1 Table 2

𝒊𝒏𝒑𝒖𝒕𝟎 𝒊𝒏𝒑𝒖𝒕𝟏 𝒊𝒏𝒑𝒖𝒕" 𝒐𝒖𝒕𝒑𝒖𝒕

𝒗𝒂𝟒 𝒗𝒃𝟒 𝒗𝒄𝟒 …… 𝒗𝒅𝟒

𝒗𝒂𝟓 𝒗𝒃𝟓 𝒗𝒄𝟓 𝒗𝒅𝟓

𝒗𝒂𝟕 𝒗𝒃𝟕 𝒗𝒄𝟕 𝒗𝒅𝟕

witness Table 1 Table 2

𝒊𝒏𝒑𝒖𝒕𝟎 𝒊𝒏𝒑𝒖𝒕𝟏 𝒊𝒏𝒑𝒖𝒕" 𝒐𝒖𝒕𝒑𝒖𝒕

𝒗𝒂𝟒 𝒗𝒃𝟒 𝒗𝒄𝟒 …… 𝒗𝒅𝟒

𝒗𝒂𝟓 𝒗𝒃𝟓 𝒗𝒄𝟓 𝒗𝒅𝟓

𝒗𝒂𝟕 𝒗𝒃𝟕 𝒗𝒄𝟕 𝒗𝒅𝟕

witness Table 1 Table 2

𝒊𝒏𝒑𝒖𝒕𝟎 𝒊𝒏𝒑𝒖𝒕𝟏 𝒊𝒏𝒑𝒖𝒕" 𝒐𝒖𝒕𝒑𝒖𝒕

𝒗𝒂𝟒 𝒗𝒃𝟒 𝒗𝒄𝟒 …… 𝒗𝒅𝟒

𝒗𝒂𝟓 𝒗𝒃𝟓 𝒗𝒄𝟓 𝒗𝒅𝟓

𝒗𝒂𝟕 𝒗𝒃𝟕 𝒗𝒄𝟕 𝒗𝒅𝟕

witness Table 1 Table 2

𝒊𝒏𝒑𝒖𝒕𝟎 𝒊𝒏𝒑𝒖𝒕𝟏 𝒊𝒏𝒑𝒖𝒕" 𝒐𝒖𝒕𝒑𝒖𝒕

𝒗𝒂𝟒 𝒗𝒃𝟒 𝒗𝒄𝟒 …… 𝒗𝒅𝟒

𝒗𝒂𝟓 𝒗𝒃𝟓 𝒗𝒄𝟓 𝒗𝒅𝟓

𝒗𝒂𝟕 𝒗𝒃𝟕 𝒗𝒄𝟕 𝒗𝒅𝟕

witness Table 1 Table 2

𝒊𝒏𝒑𝒖𝒕𝟎 𝒊𝒏𝒑𝒖𝒕𝟏 𝒊𝒏𝒑𝒖𝒕" 𝒐𝒖𝒕𝒑𝒖𝒕

𝒗𝒂𝟒 𝒗𝒃𝟒 𝒗𝒄𝟒 …… 𝒗𝒅𝟒

𝒗𝒂𝟓 𝒗𝒃𝟓 𝒗𝒄𝟓 𝒗𝒅𝟓

witness Table 1 Table 2

𝒊𝒏𝒑𝒖𝒕𝟎 𝒊𝒏𝒑𝒖𝒕𝟏 𝒊𝒏𝒑𝒖𝒕" 𝒐𝒖𝒕𝒑𝒖𝒕 𝟎𝟎𝟎𝟎

𝒗𝒂𝟓 𝒗𝒃𝟓 𝒗𝒄𝟓 𝒗𝒅𝟓 𝟎𝟏𝟎𝟏

witness Table 1 Table 2

𝒊𝒏𝒑𝒖𝒕𝟎 𝒊𝒏𝒑𝒖𝒕𝟏 𝒊𝒏𝒑𝒖𝒕" 𝒐𝒖𝒕𝒑𝒖𝒕 𝟎𝟎𝟎𝟎 𝟎𝟎𝟎𝟎 𝟎𝟎𝟎𝟎

witness Table 1 Table 2

𝒊𝒏𝒑𝒖𝒕𝟎 𝒊𝒏𝒑𝒖𝒕𝟏 𝒊𝒏𝒑𝒖𝒕" 𝒐𝒖𝒕𝒑𝒖𝒕 𝟎𝟎𝟎𝟎 𝟎𝟎𝟎𝟎 𝟎𝟎𝟎𝟎

witness Table 1 Table 2

𝒊𝒏𝒑𝒖𝒕𝟎 𝒊𝒏𝒑𝒖𝒕𝟏 𝒊𝒏𝒑𝒖𝒕" 𝒐𝒖𝒕𝒑𝒖𝒕

Step n sADD(a_lo+b_lo-c_lo – carry0 2^128)== 0