1 Introduction

On July 17, 2023, zkSync’s official twitter Say hello to Boojum announced that zkSync Era would be migrated to the Boojum proof system without regenesis.

Boojum is a STARK proof system (Plonk+FRI), see the open source code:

https://github.com/matter-labs/era-boojum/tree/main（Rust）

Its characteristics are:

Arithmetic representation in the form of PLONK: makes ZK circuits relatively easy to develop, audit, maintain and upgrade.
Adopt FRI polynomial commitment scheme: based on Goldilocks field $p=2^{64}-2^{32}+1$ 。
Provides automatic parallelization of witness generation, and the definition of witness generation function is concise, eg |(a, b)| a + b. The use of witness generation cannot be ignored when considering Prover performance.
Easy to expand: users can add custom gate types in various ways, such as adding some special polynomials, or reusing some "common columns". According to the extended interface of the custom circuit, the prover, verifier, and recursive verifier can be automatically generated. This provides an efficient development process.
Single technology stack: expressed in Rust language. For the recalculation part of the GPU prover, it is written in CUDA C++, but provides Rust bindings.
Excellent performance, Prover only requires 16GB RAM, thus promoting the decentralization of Prover in the future.

In https://github.com/celer-network/zk-benchmark of Celer Network , a benchmark is specially made for SHA256. The specific scenarios are:

Define a circuit for computing $N=2^k$ bytes of data, where:
- A private input $x$ : where $\text{len}(x)=N=2^k$
- A public input: $h=\text{sha256}(x)$

func benchmark(x, h):
    assert(sha256(x) == h)

In the test report , the following schemes are compared: [GPU acceleration is not enabled in this round of testing]

1）Circom + snarkjs/rapicsnark：
2）gnark：
3）arkwroks：
4）Halo2(KZG)：
5) Plonky2
6）Starky
7）Boojum

The parameters of the different schemes are:

frame	Arithmetic representation	Commitment Program	area	other configuration
Circom + snarkjs/rapicsnark	R1CS	Groth16	BN254 Scalar range
gnark	R1CS	Groth16	BN254 Scalar range
arkworks	R1CS	Groth16	BN254 Scalar range
Halo2(KZG)	Plonkish	KZG	BN254 Scalar range
Plonky2	Plonk	FRI	Goldilocks domain	blowup factor = 8proof of work bits = 16query rounds = 28num_of_wires = 60 num_routed_wires = 60
Starky	AIR	FRI	Goldilocks domain	blowup factor = 2proof of work bits = 10query rounds = 90
Boojum	Plonk	FRI	Goldilocks domain

When N=64KB, the number of constraints of each scheme is:

proof system	Number of constraints (SHA256 of 64KB input)
Circom	32 million
gnark	45 million
arkworks	43 million
Halo2	4 million rows (K=22)
Plonky2	8 million rows (K=23)
Starky	$2^{16}$ transition steps
Boojum	500,000 rows (K=19)

There are 2 types of test machines:

Linux Server: 20 Cores @2.3 GHz, 384GB memory: simulates a server with multiple CPU cores and abundant memory.
Macbook M1 Pro: 10 Cores @3.2Ghz, 16GB memory: Analog development machine

The comparison result is:

1) The comparison of proof duration is as follows:
2) The comparison of the memory peak situation is as follows:
3) The comparison of CPU usage is:

proof system	CPU usage (average usage per core) (Linux server)	CPU usage (average usage per core) (Mac development machine)
snarkjs	557% (27.85%)	486% (48.6%)
rapidsnark	1542% (77.1%)	N/A
gnark	1624% (81.2%)	720% (72%)
arkworks	935% (46.75%)	504% (50.4%)
Halo2(KZG)	1227% (61.35%)	588% (58.8%)
Plonky2	892% (44.6%)	429% (42.9%)
Starky	849% (42.45%)	335% (33.5%)

References

[1] July 17, 2023 zkSync official twitter Say hello to Boojum
[2] Boojum Upgrade: zkSync Era's New High-performance Proof System for Radical Decentralization
[3] Celer Network July 14, 2023 Bouke The Pantheon of Zero Knowledge Proof Development Frameworks (Updated!)

Boojum: zkSync's high-performance decentralized STARK proof system

1 Introduction

References

zkSync series blog

Guess you like