1 Introduction
On July 17, 2023, zkSync's official Twitter account announced, in the post "Say hello to Boojum", that zkSync Era would be migrated to the Boojum proof system without regenesis.
Boojum is a STARK proof system (Plonk+FRI), see the open source code:
Its characteristics are:
- Arithmetic representation in the form of PLONK: makes ZK circuits relatively easy to develop, audit, maintain and upgrade.
- Adopts the FRI polynomial commitment scheme: based on the Goldilocks field $p=2^{64}-2^{32}+1$.
- Provides automatic parallelization of witness generation, and the definition of a witness generation function is concise, e.g. `|(a, b)| a + b`. The cost of witness generation cannot be ignored when considering Prover performance.
- Easy to extend: users can add custom gate types in various ways, such as adding some special polynomials, or reusing some "common columns". According to the extended interface of the custom circuit, the prover, verifier, and recursive verifier can be automatically generated. This provides an efficient development process.
- Single technology stack: written in Rust. The recalculation part of the GPU prover is written in CUDA C++, but Rust bindings are provided.
- Excellent performance: the Prover only requires 16GB RAM, which promotes the decentralization of the Prover in the future.
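The Goldilocks prime above has two properties that a FRI-based prover relies on: 128-bit products reduce with shifts and adds on 64-bit words, and the field contains multiplicative subgroups of every power-of-two size up to $2^{32}$. The Rust code below is an added example, not code from Boojum or from the original article; the function names and the choice of 7 as a quadratic non-residue are made here for illustration.

```rust
// Added example (not Boojum's own code): arithmetic in the Goldilocks field.
const P: u64 = 0xFFFF_FFFF_0000_0001; // p = 2^64 - 2^32 + 1
const EPS: u64 = 0xFFFF_FFFF; // 2^32 - 1; note 2^64 ≡ EPS (mod p)

/// Reduce a 128-bit value mod p without division, using
/// 2^64 ≡ 2^32 - 1 and 2^96 ≡ -1 (mod p).
fn reduce128(x: u128) -> u64 {
    let (lo, hi) = (x as u64, (x >> 64) as u64);
    let (hi_lo, hi_hi) = (hi & EPS, hi >> 32); // bits 64..96 and 96..128
    // x ≡ lo - hi_hi + hi_lo * EPS (mod p)
    let (mut t, borrow) = lo.overflowing_sub(hi_hi);
    if borrow { t -= EPS; } // wrapped by +2^64 ≡ +EPS, so take EPS back off
    let (mut r, carry) = t.overflowing_add(hi_lo * EPS);
    if carry { r += EPS; } // wrapped by -2^64 ≡ -EPS, so add EPS back
    if r >= P { r - P } else { r }
}

fn mul(a: u64, b: u64) -> u64 {
    reduce128(a as u128 * b as u128)
}

fn pow(mut base: u64, mut exp: u64) -> u64 {
    let mut acc = 1;
    while exp > 0 {
        if exp & 1 == 1 { acc = mul(acc, base); }
        base = mul(base, base);
        exp >>= 1;
    }
    acc
}

/// Element of multiplicative order exactly 2^log_n (1 <= log_n <= 32).
/// Choice made for this example: 7 is a quadratic non-residue mod p,
/// so 7^((p-1)/2) = -1 and the returned element has full order 2^log_n.
fn root_of_unity(log_n: u32) -> u64 {
    assert!((1..=32).contains(&log_n));
    pow(7, (P - 1) >> log_n)
}

fn main() {
    // Trace sizes 2^K for the two Goldilocks-based Plonk rows in the
    // constraint-count table on this page (Boojum K=19, Plonky2 K=23).
    for &(name, k) in &[("Boojum", 19u32), ("Plonky2", 23)] {
        let w = root_of_unity(k);
        let half_is_minus_one = pow(w, 1 << (k - 1)) == P - 1;
        println!("{}: domain 2^{}, w = {:#x}, w^(n/2) == -1: {}", name, k, w, half_is_minus_one);
    }
}
```

The evaluation domain FRI actually commits to is larger than the trace by the blowup factor, which still fits under the $2^{32}$ bound for the sizes listed on this page.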
Celer Network's https://github.com/celer-network/zk-benchmark contains a benchmark made specifically for SHA256. The specific scenario is:
- Define a circuit for computing the sha256 of $N=2^k$ bytes of data, where:
  - A private input $x$, where $\text{len}(x)=N=2^k$
  - A public input: $h=\text{sha256}(x)$

```
func benchmark(x, h):
    assert(sha256(x) == h)
```
In the test report, the following schemes are compared (GPU acceleration is not enabled in this round of testing):
- 1) Circom + snarkjs/rapidsnark
- 2) gnark
- 3) arkworks
- 4) Halo2 (KZG)
- 5) Plonky2
- 6) Starky
- 7) Boojum
The parameters of the different schemes are:
Framework | Arithmetic representation | Commitment scheme | Field | Other configuration |
---|---|---|---|---|
Circom + snarkjs/rapidsnark | R1CS | Groth16 | BN254 scalar field | |
gnark | R1CS | Groth16 | BN254 scalar field | |
arkworks | R1CS | Groth16 | BN254 scalar field | |
Halo2(KZG) | Plonkish | KZG | BN254 scalar field | |
Plonky2 | Plonk | FRI | Goldilocks field | blowup factor = 8; proof of work bits = 16; query rounds = 28; num_of_wires = 60; num_routed_wires = 60 |
Starky | AIR | FRI | Goldilocks field | blowup factor = 2; proof of work bits = 10; query rounds = 90 |
Boojum | Plonk | FRI | Goldilocks field | |
When N=64KB, the number of constraints of each scheme is:
proof system | Number of constraints (SHA256 of 64KB input) |
---|---|
Circom | 32 million |
gnark | 45 million |
arkworks | 43 million |
Halo2 | 4 million rows (K=22) |
Plonky2 | 8 million rows (K=23) |
Starky | $2^{16}$ transition steps |
Boojum | 500,000 rows (K=19) |
There are 2 types of test machines:
- Linux Server: 20 Cores @2.3 GHz, 384GB memory: simulates a server with multiple CPU cores and abundant memory.
- MacBook M1 Pro: 10 Cores @3.2 GHz, 16GB memory: simulates a development machine.
The comparison results are:
- 1) The comparison of proof duration is as follows:
- 2) The comparison of the memory peak situation is as follows:
- 3) The comparison of CPU usage is:
proof system | CPU usage (average usage per core) (Linux server) | CPU usage (average usage per core) (Mac development machine) |
---|---|---|
snarkjs | 557% (27.85%) | 486% (48.6%) |
rapidsnark | 1542% (77.1%) | N/A |
gnark | 1624% (81.2%) | 720% (72%) |
arkworks | 935% (46.75%) | 504% (50.4%) |
Halo2(KZG) | 1227% (61.35%) | 588% (58.8%) |
Plonky2 | 892% (44.6%) | 429% (42.9%) |
Starky | 849% (42.45%) | 335% (33.5%) |
References
[1] zkSync official Twitter, July 17, 2023: "Say hello to Boojum"
[2] "Boojum Upgrade: zkSync Era's New High-performance Proof System for Radical Decentralization"
[3] Celer Network blog, July 14, 2023: "The Pantheon of Zero Knowledge Proof Development Frameworks (Updated!)"