Groth16 Tweaks

$$ \gdef\F{\mathbb{F}} \gdef\G{\mathbb{G}} \gdef\g{\mathrm{G}} \gdef\h{\mathtt{H}} \gdef\e{\mathrm{e}} \gdef\Z{\mathrm{Z}} $$

Ethereum cost model

See and the yellow paper. Calldata costs $16$ gas per zero bytes with a discounted price of $4$ for zero bytes. So the expected cost of a uniformly random byte is $15.95$ gas. On L1 calldata-gas and gas are the same, on L2s the latter is substantially cheaper.

A Groth16 verification with $p$ public inputs (excluding constant $w_0 = 1$) costs

$$ 181\,150 + p ⋅ 6150 \text{ gas} + 4096 \text{ calldata gas} $$

This excludes overhead and cost of transferring/computing the public input. This includes the $4$ pairings currently required.

Does it make sense to use point compression on L2s?

Hash public inputs?

What if we use Keccak or SHA256 to hash all public inputs to a single field element, basically fixing $p = 1$.

3 P

Groth16 is well-known to only require 3 pairings, yet Ethereum implementations require 4, this costs an extra $34\,000$ gas that seems avoidable.

            Pairing.negate(proof.A), proof.B,
            vk.alfa1, vk.beta2,
            vk_x, vk.gamma2,
            proof.C, vk.delta2

Can we instead get the $α⋅β⋅\g_3$ term (and add $L_0$) through trusted setup?

$$ L' = γ^{-1} ⋅ \p{α ⋅ β + L_0(τ)} ⋅ \g_1 $$

$$ \begin{aligned} {\overline L} &= \sum_{i ∊ [1, p)} w_i ⋅ \p{γ^{-1} ⋅ L_i(τ) ⋅ \g_1} \\ \end{aligned} $$

then check

$$ \e(A, B) = \e(L' + {\overline L}, γ ⋅ \g_2) + \e(C, δ ⋅ \g_2) $$

Shorter proofs?

Groth16 contains an argument setting lower bounds on proof sizes and structure, but these all assume non-interactive proofs. If we allow for Fiat-Shamir constructions, can we create cheaper proofs?

Remco Bloemen
Math & Engineering