04-07, 13:15–13:35 (Europe/Zurich), Verge Stage
In recent years, SNARKs have shown great promise as a tool for building trustless bridges to connect the heterogeneous ecosystem of blockchains. Unfortunately, the parameters for many of the widely used blockchains are incongruous with the conventional SNARKs, which results in unsatisfactory performance. This bottleneck necessitates new proof systems tailored for efficiency in these environments.
The primary focus of this paper is on succinct bridges from Cosmos to Ethereum, which largely boils down to efficient proofs of multiple Ed25519 signatures. But these techniques can be ported to settings that require succinct proofs of multiple secp256k1 or BLS12-381 signatures.
We explore the schemes deVirgo and zkTree, which exploit the parallelization of proof generation and the subsequent aggregation of proofs. We also describe Panther Protocol's new scheme, which uses the field-agnostic SNARK to circumvent the huge overhead of non-native field arithmetic arising from Ed25519 scalar multiplications in the arithmetic circuit.
Our benchmarks indicate that it is crucial to sidestep non-native arithmetic to the extent that it is possible. The need for EVM compatibility makes it impossible to avoid non-native arithmetic. We also found that multiple proof systems need to be securely amalgamated. The schemes customized for Ed25519 scalar multiplications are different from those well-suited for SHA-512 hashes to maximize the efficiency of a succinct bridging scheme.
The Panther cryptography team has been exploring backwards-compatible proof systems that can create succinct proofs of Ed25519 signatures. More precisely, we have been exploring SNARKs that could work in this setting without incurring the enormous overhead of non-native field arithmetic. Unfortunately, Ed25519 is not well-suited to the traditional SNARKs.
We constructed a pairing-based SNARK that is meant to be backwards-compatible with hardwired and widely used parameters. In other words, the SNARK can be instantiated with arbitrary pairing-friendly curves endowed with sufficiently large prime scalar fields.
The scheme is a KZG-based SNARK and, as such, requires a universal updateable common reference string. The CRS is of length linear in the circuit size and is computed via a one-time MPC. The scheme uses Plonkish arithmetization, which allows for custom gates and efficient lookup arguments for subsets and subsequences. It uses the monomial basis and sidesteps the need for smooth-order multiplicative subgroups in the field where the arithmetic circuit is defined. In particular, it is compatible with pairing-friendly outer curves to Ed25519.
Anish is the Co-Founder, CTO, and Chief Scientist of Panther Protocol and has over 20 years of experience in security and cryptography including the design or audit of several blockchain protocols. Anish co-founded the UK Digital Currency Association, was a reviewer of Ethereum’s Orange paper, and served on advisory boards for leading companies including Ripple, Hyperloop, and Adjoint. Anish is a frequent speaker on Blockchain, Cybersecurity, ZK, and AI, with lectures at institutions worldwide including MIT (DCI), Carnegie Mellon, UCL, Imperial, and the University of Coventry.