Hermez Zero-Knowledge Proofs


By Polygon Hermez

The Hermez Network leverages the power of zero-knowledge proofs in order to create a secure Layer 2 scalability solution for the Ethereum Network.

Hermez will use zk-SNARKs, a proven technology already underpinning the ZCash blockchain and JPMorgan Chase’s blockchain-based payment system, as well as other Ethereum projects like Tornado Cash or Semaphore.

zk-SNARK stands for Zero-Knowledge Succinct Non-interactive ARgument of Knowledge; it is a cryptographic technique that lets us produce very small, quickly verifiable proofs that all transactions in the Hermez rollup are valid. Succinctly put, zk-SNARKs allow for:

  1. Creating a validity proof for all transactions within the Hermez Network, so that only valid transactions can be included. This makes it mathematically impossible to include an invalid transaction.
  2. Anyone to validate this proof with minimal effort.

Because of these two properties, we can “roll up” many Ethereum transactions into one validity proof. Instead of including signatures on-chain, we send a zk-SNARK proving that thousands of signature verifications and other transaction validation checks have been correctly performed off-chain.

Since signatures make up a large percentage of transaction costs (gas), in practice a zk-rollup significantly reduces the average cost per transaction. This lets us fit more transactions per block, which results in greater overall throughput.

We compress the amount, receiver and sender information and can dispense with the signature data thanks to the zk-SNARK proof.

The Hermez Trusted Setup

zk-SNARK circuits require what is called a “trusted setup” in order to be deployed with proving and verifying keys. Why is it called “trusted”? Because generating these keys produces a piece of data that must be destroyed: it would allow anyone to forge proofs, much like a “master key” for generating proofs. Since this would defeat the security purpose of zk-SNARKs, these numbers are called “toxic waste” and must be eliminated. Hence, we call the process “trusted” because we are trusting whoever generated the circuit to have eliminated these numbers, and nobody else to have acquired them.

As the thorough engineers we are at Hermez, we are not expecting anyone to trust us with the “trusted setup”, even if we can assure you we can be trusted. We are not taking any chances. What follows next is a description of all the steps we are taking to provide the highest standards of security for our trusted setup.

First Multi-Party Computation Phase

To minimize the security concerns around eliminating the toxic waste, a Multi-Party Computation procedure can be used. Specifically, we are going to use the Perpetual Powers of Tau Ceremony, which allows multiple participants to perform a trusted setup sequentially, each adding their result to a public transcript. Because the results are published openly, the whole protocol can be verified, creating a “chain of trusted setups” that can be used as a whole. As long as at least one participant has successfully eliminated their toxic waste, the whole protocol can be considered secure.

In the list of participants there are two members of the team, Eduardo Antuña and Jordi Baylina, but also prominent names like Vitalik Buterin, as well as completely anonymous cryptographers. You can see the whole list here. These participants have taken different approaches to their contributions: the more people who participate, using a variety of countermeasures to ensure the toxic waste is eliminated, the more likely the protocol can be used safely. This is because it becomes harder to successfully attack, or to maliciously coordinate with, everyone in an open ceremony that anyone can join without disclosing who they are.

We have used the ceremony in its current state (at the moment of writing), with 54 contributions. For good measure, we will repeat the process one more time applying a random beacon. This step might not be strictly necessary according to this article, but as we said, we are not taking any chances, and for the moment it is considered best practice to do it.

For that, we have done a mock 55th contribution to the ceremony using as input the result of round 100,000 of drand, which you can also find here. We ran this process with two different implementations, our own snarkjs and the Rust implementation by Kobi Gurkan.

The process for applying this random beacon was detailed and notarized in the Ethereum blockchain as described in our tweet here.

For those interested in the actual cryptography behind it, and for the sake of transparency, the blake2b hash of the response after applying the random beacon (round #100000 of drand) to contribution #54 is:

6e61deb8 4491e9f6 e31287ca 05655fd6
3a1bcde7 43f2157b 63464ccc 6bcd83f3
78f466af dcefdc3d 867ff75f deef53b9
998aa5d9 5818732a 98e4eaf3 98a1ce05

And the blake2b hash of the next challenge would be:

74ba2bca c21fad58 bf413799 d5ac962a
c4a344fb 1b4c1e88 0bd89e4b b4221270
113cb4c4 8aa8cd37 eb4fa234 904ff959
f726e785 ce7c5608 bb061b2e 0d7480be

You can verify this with snarkjs and with bn254-phase2.
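The chain of sequential contributions described under the first MPC phase, the beacon step applied on top of it, and the “one honest participant is enough” argument can be seen in miniature in the following script. It is an added example written for this post, not Hermez, snarkjs or bn254-phase2 code: it replaces the pairing-friendly curve of a real ceremony with a constructed prime-order subgroup of Z_p^* (so it is illustrative, not secure), and the beacon derivation (iterated SHA-256 of the beacon bytes), the transcript serialisation and the proof format are assumptions of the toy rather than the ceremony’s actual formats. Each participant multiplies the hidden exponent by a fresh secret and publishes the result together with a Schnorr-style proof of knowledge, so anyone can replay the whole transcript from the generator without holding any secret; `final_tau` shows that reconstructing the exponent requires every contributor’s secret, which is exactly why a single participant who destroys theirs protects the result.

```python
# Toy sequential "powers of tau" ceremony that ends with a random-beacon step.
# Added example, not Hermez/snarkjs/bn254-phase2 code: a constructed prime-order
# subgroup of Z_p^* stands in for a pairing-friendly curve, so it is illustrative
# only. Each contributor multiplies the hidden exponent tau by a fresh secret and
# publishes the new element with a Schnorr-style proof that the step was honest.
import hashlib
import math
import secrets

Q = 2 ** 127 - 1  # subgroup order: the Mersenne prime 2^127 - 1
BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; enough for choosing a toy modulus."""
    if n < 2 or any(n % b == 0 for b in BASES):
        return n in BASES
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in BASES:
        x = pow(a, d, n)
        if x == 1:
            continue
        for _ in range(r):
            if x == n - 1:
                break
            x = x * x % n
        else:
            return False
    return True

def find_group():
    """Smallest prime P = k*Q + 1 (k even) and G = 2^k mod P, which has order Q."""
    k = 2
    while not (is_probable_prime(k * Q + 1) and pow(2, k, k * Q + 1) != 1):
        k += 2
    return k * Q + 1, pow(2, k, k * Q + 1)

P, G = find_group()

def challenge(*values: int) -> int:
    """Fiat-Shamir challenge over the public values of one step."""
    h = hashlib.blake2b()
    for v in values:
        h.update(v.to_bytes(64, "big"))
    return int.from_bytes(h.digest(), "big") % Q

def contribute(prev: int, s: int):
    """Return new = prev^s and a proof (R, z) of knowing s that never reveals s."""
    new = pow(prev, s, P)
    r = secrets.randbelow(Q - 1) + 1
    R = pow(prev, r, P)
    return new, (R, (r + challenge(prev, new, R) * s) % Q)

def verify_step(prev: int, new: int, proof) -> bool:
    """new is a non-trivial subgroup element and prev^z == R * new^c (z = r + c*s)."""
    R, z = proof
    if new == 1 or pow(new, Q, P) != 1:
        return False
    return pow(prev, z, P) == R * pow(new, challenge(prev, new, R), P) % P

def beacon_secret(beacon: bytes, iterations: int = 1 << 12) -> int:
    """Final multiplier from a public beacon via iterated hashing (assumption:
    this mirrors the idea, not the exact derivation the real ceremony used)."""
    h = beacon
    for _ in range(iterations):
        h = hashlib.sha256(h).digest()
    return int.from_bytes(h, "big") % (Q - 1) + 1

def run_ceremony(participant_secrets, beacon: bytes):
    """Sequential contributions, then the beacon step; returns the public transcript."""
    transcript, prev = [], G
    for s in list(participant_secrets) + [beacon_secret(beacon)]:
        new, proof = contribute(prev, s)
        transcript.append((new, proof))
        prev = new
    return transcript

def verify_transcript(transcript) -> bool:
    """Replay every proof from G; needs no secret, so anyone can audit the chain."""
    prevs = [G] + [new for new, _ in transcript[:-1]]
    return all(verify_step(p, n, pf) for p, (n, pf) in zip(prevs, transcript))

def final_tau(participant_secrets, beacon: bytes) -> int:
    """Exponent behind the last element; rebuilding it needs every single secret."""
    return math.prod(participant_secrets, start=beacon_secret(beacon)) % Q

def transcript_digest(transcript) -> str:
    """blake2b of the serialised transcript in the 8-hex-digit groups the post uses."""
    h = hashlib.blake2b()
    for new, (R, z) in transcript:
        for v in (new, R, z):
            h.update(v.to_bytes(64, "big"))
    groups = [h.hexdigest()[i:i + 8] for i in range(0, 128, 8)]
    return "\n".join(" ".join(groups[j:j + 4]) for j in range(0, 16, 4))
```

With a few constructed secrets, `verify_transcript(run_ceremony(secs, beacon))` is `True`, the last element equals `G ** final_tau(secs, beacon)` only when every secret is supplied, and changing any published value (an element, `R` or `z`) makes verification fail. `transcript_digest` lays the hash out in the same four-by-four grouping as the values published above, so a verifier can compare a locally computed digest against the published one line by line.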

After that, we can launch the preparePhase2 process, a very computationally intensive step that precompiles the circuit. This process is happening right now, and even on a powerful 64-core server we estimate it will run for more than a week. We encourage anyone to do the same in order to check the correctness of our results.

Once that’s done, we will use our own library, circom, to finally compile the finished circuit.

Second Multi-Party Computation Phase

So now that we have the compiled circuit, are we ready to use it for Hermez Network? Not at all! I told you we were not cutting corners in order to secure the Hermez Network.

On top of that compilation, we will run a second Multi-Party Computation. The idea is the same as in the Perpetual Powers of Tau: different people apply different inputs sequentially, each contribution increasing the cryptographic security. Once the MPC is finished, we will apply a second random beacon following a process similar to the first.

After this long process, the resulting keys will be ready to be used in the Hermez Network.

The “trusted setup”, only one part of the puzzle

With the steps described above we can be reasonably sure that any potential vulnerabilities will not come from the cryptographic side of Hermez.

The same approach to security will be applied to the rest of the pieces of Hermez, including the code. We will never publish anything on mainnet that hasn’t been thoroughly tested, audited and debugged, so if you have a keen eye for security flaws, stay tuned for our Bug Bounty, more details to be announced soon!

Follow our progress towards layer 2 scaling on twitter at @Hermez_network and join our Telegram here!
