Benchmarks on TurboPLONK from AZTEC
We’re excited to present some early benchmarks for TurboPLONK, the supercharged version of the PLONK ZK-SNARK. At last a Universal SNARK that can compete with, and in certain instances outperform, the single-circuit Groth16.
This is a huge step towards AZTEC’s ambition for scalable privacy on Ethereum.
{{blog_divider}}
What is PLONK?
PLONK is a new type of SNARK — a highly efficient Universal SNARK, created in a collaboration between Zac Williamson and Ariel Gabizon. PLONK uses a new circuit description which consists of gates, of two kinds: multiplications (×) and additions (+).
R1CS uses ‘constraints’, whilst PLONK uses ‘gates’. Gates are just particular types of constraints. But more importantly, R1CS and PLONK’s Circuit describe exactly the same universe of computations — Arithmetic Circuits.
{{blog_divider}}
And TurboPLONK?
TurboPLONK is Zac Williamson’s idea to supercharge the PLONK circuit —by introducing certain ‘custom gates’ that appear many times in a circuit, you can hugely reduce the number of gates whilst maintaining efficiency.
{{blog_divider}}
The Benchmarks
AZTEC is aiming for something very ambitious — to make Universal SNARKs as fast as single-circuit Groth16
Hashes dominate the computation requirements in SNARKs — we discuss in our Primer why Merkle Trees are so important for private assets. So we are testing PLONK against the toughest benchmark out there (Groth16), and we’re doing it over the most important type of computation — the hash.
For any given circuit, Groth16 sets the pace. It’s:
- Fast to Prove
- Cheap to Verify
- Succinct
Unfortunately, Groth16 is not universal — i.e. if you change the circuit (modify your private smart contract), you need to do a new trusted setup. AZTEC Protocol took over 6 weeks to run its secure MPC Ceremony — you can’t run this process every time you want to update your Solidity code.
{{blog_divider}}
The Results
1. Prover Time
We need you to be able to make private transactions locally on your phone or computer, and fast. We benchmark performance on two different hashes:
|| MiMC Winner: PLONK
TurboPLONK performs at extraordinary speed on MiMC, outpacing even Groth16 by a factor of ~2.5x
|| SHA-256 Winner: Groth16
However, on SHA-256, PLONK remains ~4 times slower than Groth16.
2. Verifier Time (Gas Cost)
Groth16 is fast to verify — that’s well known.
But in PLONK we have a fully universal SNARK, capable of verifying any arithmetic circuit with one setup — yet it costs just 10% more gas than Groth16 — the same order of magnitude.
Groth16 Gas: 203,000 approx (1m gates)
PLONK Gas: 223,000 approx (1m gates)
|| Verifier Time Winner: Dead heat
3. Proof Sizes
We all know you can’t beat Groth16 — with a proof comprising 2 × 𝔾₁ elements and 1× 𝔾₂ element. Compressed, this is 4 × 𝔽 elements (each group element is a pair of coordinates x and y, which are both numbers in 𝔽, but we can compress this by sending just one of the coordinates, with a boolean to indicate which ‘root’ to take — however, 𝔾₂ field elements are twice the size of 𝔾₁ field elements. So, totting up, two 𝔾₁ points count for 1 × 𝔽 each, and the compressed 𝔾₂ point counts for 2× 𝔽 not 1× 𝔽 — that’s 4 × 𝔽 in all).
But PLONK comes astonishingly close for a universal SNARK — 9× 𝔾₁ elements and 7 𝔽 (field) elements. Now, recall that each 𝔾₁ point is composed of an x coordinate and a y coordinate, each of which is an 𝔽 element. So you can think of this as “16 × 𝔽” elements if you like.
Groth16 Proof Size: 0.13kB
PLONK Proof Size: 0.51kB
|| Proof Size Winner: Groth16
4. What’s Happening on SHA-256?
The MiMC block cipher began life as a method of encrypting data — it can be adapted into a hash function, though there is some debate over its security properties.
MiMC does however demonstrate TurboPLONK’s incredible efficiency over certain kinds of mathematical processes — and given MiMC’s popularity in Ethereum-based SNARKs, it’s an important metric.
But here’s why SHA-256 is still > 4 times quicker in Groth16 vs PLONK:
- The Impact of Booleans: In PLONK, the amount of time that a single wire value will contribute to the overall proof construction time is constant. More wires = longer proofs. But in Groth16, if the value of a wire is 1 or 0, it will contribute far less to overall proof-construction time than a larger wire value. This is because, for a wire value that is = 1, what traditionally is an elliptic curve scalar multiplication in the proof construction algorithm — this becomes an elliptic curve point addition. Not so in PLONK, because a) in PLONK there are 9 polynomial commitments, of which only 3 of them reflect wire values, and b) PLONK encodes wire values as the value of a polynomial at a given evaluation point. When transformed into coefficient form, a ‘1’ or ‘0’ wire value will not map to a small coefficient. For an algorithm like SHA256, the overwhelming majority of wires in the Groth16 circuit are 1 or 0.
- Custom Gates do Better in MiMC: For MiMC, we can leverage a custom gate that makes our circuit significantly more gate-efficient than Groth16. This is less of a factor for SHA-256 (though custom gates still contribute efficiency gains of 3× over ‘Standard PLONK’ for SHA-256).
{{blog_divider}}
Final Thoughts
PLONK still has some way to go to knock Groth16 off its spot on every metric. But these results have nonetheless astounded us — in PLONK, we have a Universal SNARK that:
- Beats Groth16 on MiMC-hash verifier time
- Has verifier time (gas cost) only slightly larger than Groth16
- Has a proof size just 4x that of Groth16, which itself is nearly at the theoretical limit (3 group points vs a theoretical minimum of 2)
Universal SNARKs have made spectacular strides in 2019!
{{blog_divider}}
Join the Team
We’re on the lookout for talented engineers and applied cryptographers. If joining our mission to bring scalable privacy to Ethereum excites you — get in touch with us at hello@aztecprotocol.com.
{{blog_divider}}
Join our Community
{{blog_divider}}
Further reading
{{blog_divider}}