Trusted-setup-free, serializable, Poseidon hash, foreign field ZKP arithmetization experiment
A simple experiment in asset ownership proofs. It uses two different fields in the same circuit and a Plonk-ish arithmetization, so that one set of universal parameters serves different circuits. It requires no trusted setup.
An asset proof lets you declare that you hold, e.g., X amount of an asset in your wallet without revealing which address holds it.
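The statement such a proof certifies, written out in the clear as an added example (this is not the experiment's circuit, and SHA-256 stands in for the Poseidon hash the circuit would use): the public inputs are a Merkle root and the threshold X, the private witness is the leaf position, the address, the balance and the 32 sibling hashes. The tree is built sparsely from precomputed empty-subtree hashes so that a 2^32-position tree can be handled with a handful of occupied leaves; all sample accounts are constructed.

```python
"""Constructed, cleartext version of the relation an asset proof certifies
(added here; not the experiment's circuit). Public: Merkle root, threshold X.
Private: leaf index, address, balance, 32 sibling hashes. SHA-256 stands in
for the Poseidon hash the circuit would use; the shape of the check is the
same, only the hash and its in-circuit cost differ."""
import hashlib

DEPTH = 32  # tree depth from the write-up: 2**32 leaf positions


def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def leaf_hash(address: bytes, balance: int) -> bytes:
    # Domain-separated leaf commitment binding address and balance together.
    return h(b"leaf", address, balance.to_bytes(16, "big"))


# EMPTY[d] is the hash of a completely empty subtree of height d, so the
# 2**32-leaf tree can be built sparsely from the occupied positions alone.
EMPTY = [h(b"empty")]
for _ in range(DEPTH):
    EMPTY.append(h(b"node", EMPTY[-1], EMPTY[-1]))


def _parent_level(level: dict, d: int) -> dict:
    """Hash the occupied nodes at height d into their parents at height d+1."""
    return {
        i: h(b"node", level.get(2 * i, EMPTY[d]), level.get(2 * i + 1, EMPTY[d]))
        for i in {j // 2 for j in level}
    }


def merkle_root(leaves: dict) -> bytes:
    """Root of the depth-32 sparse tree holding {index: leaf_hash}."""
    level = dict(leaves)
    for d in range(DEPTH):
        level = _parent_level(level, d)
    return level.get(0, EMPTY[DEPTH])


def merkle_path(leaves: dict, index: int) -> list:
    """Sibling hashes from the leaf at `index` up to the root (private witness)."""
    level, path = dict(leaves), []
    for d in range(DEPTH):
        path.append(level.get(index ^ 1, EMPTY[d]))
        level = _parent_level(level, d)
        index //= 2
    return path


def asset_relation(root: bytes, threshold: int, index: int,
                   address: bytes, balance: int, path: list) -> bool:
    """What the circuit enforces: (address, balance) sits in the tree at a
    position the verifier never learns, and balance >= threshold."""
    if len(path) != DEPTH or not 0 <= index < 2 ** DEPTH or balance < threshold:
        return False
    node = leaf_hash(address, balance)
    for d, sibling in enumerate(path):
        # Bit d of the index says whether our node is the right child at height d.
        if (index >> d) & 1:
            node = h(b"node", sibling, node)
        else:
            node = h(b"node", node, sibling)
    return node == root


# Constructed sample set: three accounts in a tree with 2**32 positions.
SAMPLE_LEAVES = {
    5: leaf_hash(b"\x11" * 20, 1_000),
    123_456: leaf_hash(b"\x33" * 20, 75_000),
    2 ** 31 + 7: leaf_hash(b"\x22" * 20, 50),
}
SAMPLE_ROOT = merkle_root(SAMPLE_LEAVES)


def prove_and_verify(index: int, address: bytes, balance: int, threshold: int) -> bool:
    """Prover builds the witness for its own leaf; verifier checks the relation."""
    path = merkle_path(SAMPLE_LEAVES, index)
    return asset_relation(SAMPLE_ROOT, threshold, index, address, balance, path)


if __name__ == "__main__":
    print(prove_and_verify(123_456, b"\x33" * 20, 75_000, 10_000))   # True
    print(prove_and_verify(123_456, b"\x33" * 20, 75_000, 100_000))  # False
```

In the real circuit every `h(...)` call on the path is a Poseidon permutation over the field, so the 32 levels plus the leaf hash and the comparison are where the constraints come from; the verifier only ever sees `SAMPLE_ROOT` and the threshold.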
This experiment combines recent work from a few different projects to see whether such a proof can be produced in zero knowledge. The referenced projects are Halo2, Halo2wrong and zkevm-circuits.
There are currently two different versions of Halo2 in circulation: the original written by the Zcash foundation and the fork maintained by the Ethereum foundation. One of the significant differences between the two is the set of curves and commitment schemes they support.
The EF fork promotes the BN254 curve and the KZG commitment scheme alongside the Pasta curves and the Inner Product Argument supported by the original version. The KZG commitment scheme involves toxic waste from a trusted setup, and the BN254 curve is said to offer a rather questionable security guarantee. However, we found EF's earlier work on foreign (wrong) field arithmetic interesting and wanted to test how fast and how realistically it could be applied in a real-world setting.
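To make the cost of foreign field arithmetic concrete, here is an added illustration of how a circuit over a native field p can prove a multiplication in a foreign modulus q. It is not the experiment's code and does not reproduce any library's gate layout; the native modulus is the Pallas base field and the foreign modulus is the secp256k1 base field, the latter chosen purely as a 256-bit example. The prover supplies the quotient k, and the verifier checks the integer identity a*b - k*q - r = 0 both modulo p (one multiplication on recombined limbs) and modulo 2^320 (limb products with carries); since |a*b - k*q - r| < 2^513 < p * 2^320, both residues vanishing forces the integer to be zero. The returned range-check count is what drives the constraint blow-up.

```python
"""Added illustration of "wrong field" (foreign field) multiplication; not the
experiment's code and not any library's layout. A circuit over native field p
proves a*b = r (mod q) for a foreign modulus q by checking the integer identity
    a*b - k*q - r = 0
  (1) modulo the native field p, on the recombined limbs (cheap), and
  (2) modulo 2**320, by summing 64-bit limb products and propagating carries,
      with every limb and carry range-checked (this is what costs constraints).
Because |a*b - k*q - r| < 2**513 < p * 2**320, both residues being zero forces
the integer itself to be zero (Chinese remainder theorem)."""

# Native field: Pallas base field modulus (Pasta curves). Foreign field: the
# secp256k1 base field, chosen here only as an arbitrary 256-bit example.
NATIVE_P = 0x40000000000000000000000000000000224698FC094CF91B992D30ED00000001
FOREIGN_Q = 2**256 - 2**32 - 977

LIMB_BITS = 64
NUM_LIMBS = 4            # 256-bit values in four 64-bit limbs
BINARY_LIMBS = 5         # the binary check covers 5 * 64 = 320 low bits
CARRY_BITS = 72          # carries are bounded: |t_i| < 4 * 2**128 + 2**64 + |carry|
MASK = (1 << LIMB_BITS) - 1


def to_limbs(x: int) -> list:
    return [(x >> (LIMB_BITS * i)) & MASK for i in range(NUM_LIMBS)]


def from_limbs(limbs: list) -> int:
    return sum(l << (LIMB_BITS * i) for i, l in enumerate(limbs))


def range_check(x: int, bits: int) -> bool:
    """Stand-in for a lookup/range gate: x must fit in `bits` bits."""
    return 0 <= x < (1 << bits)


def prove_mul(a: int, b: int) -> dict:
    """Prover: compute r = a*b mod q and the quotient k, emit limb witnesses."""
    r = a * b % FOREIGN_Q
    k = (a * b - r) // FOREIGN_Q
    return {"a": to_limbs(a), "b": to_limbs(b), "k": to_limbs(k), "r": to_limbs(r)}


def verify_mul(w: dict):
    """Verifier/circuit view. Returns (accepted, number_of_range_checks)."""
    a, b, k, r = w["a"], w["b"], w["k"], w["r"]
    q = to_limbs(FOREIGN_Q)  # constant limbs, no range check needed
    checks = 0

    # Every witness limb is range-checked to 64 bits (16 checks here).
    for limbs in (a, b, k, r):
        for l in limbs:
            checks += 1
            if not range_check(l, LIMB_BITS):
                return False, checks
    # r must be a canonical foreign-field element (in-circuit: limb comparison).
    if from_limbs(r) >= FOREIGN_Q:
        return False, checks

    # (1) Native check: a*b - k*q - r == 0 in F_p, a handful of native gates.
    A, B, K, Q, R = (from_limbs(x) % NATIVE_P for x in (a, b, k, q, r))
    if (A * B - K * Q - R) % NATIVE_P != 0:
        return False, checks

    # (2) Binary check: column sums of limb products, carries over 320 bits.
    carry = 0
    for i in range(BINARY_LIMBS):
        t = sum(a[j] * b[i - j] - k[j] * q[i - j]
                for j in range(NUM_LIMBS) if 0 <= i - j < NUM_LIMBS)
        if i < NUM_LIMBS:
            t -= r[i]
        t += carry
        if t & MASK:              # the low 64 bits of this column must vanish
            return False, checks
        carry = t >> LIMB_BITS    # exact, since the low bits are zero
        checks += 1
        # Carries may be negative; a circuit range-checks them as offset values.
        if not range_check(carry + (1 << (CARRY_BITS - 1)), CARRY_BITS):
            return False, checks
    return True, checks


if __name__ == "__main__":
    witness = prove_mul(FOREIGN_Q - 12345, 2**200 + 987654321)
    print(verify_mul(witness))  # (True, 21)
```

Twenty-one range checks for a single multiplication, versus one gate for a native multiplication, is the gap the write-up runs into; a depth-32 Poseidon path with every round emulated this way is where the 600,000 constraints come from.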
We learned that wrong field arithmetization, the Pasta curves, the Poseidon hash function and an IOP-based proof system can be combined to produce an asset proof over a tree of depth 32. Creating a proof takes over 60 seconds on a consumer-grade machine (outside a web browser), and the proving key exceeds 6 GB.
Although it is remarkable that a proof could be produced at all with over 600,000 constraints, it is still a few steps away from running on a consumer's device. The major culprit appears to be the use of foreign fields: we either have to use a single field per circuit or find a more performant way of handling multiple fields.