Polygon Hermez
Suyash Bagad
Zero Knowledge Proofs
(figure: graph 3-colouring demonstration repeated over several rounds, with the caption "Reveal!" at each reveal step)
On repeating the experiment a number of times,
- If the prover is honest, the verifier accepts! (\(\text{Completeness}\))
- If the prover is cheating, the verifier will catch it! (\(\text{Soundness}\))
- No information about the 3-colouring is revealed! (\(\text{Zero-Knowledge!}\))
Merkle Tree
(figure: a binary Merkle tree of \(\text{depth} = 4\) with leaves indexed \(0\) to \(15\); labels mark the \(\text{root}\), the inner \(\text{nodes}\), the \(\text{leaves}\) and the \(\text{hash path}\) of one leaf, whose position is written as the bits \(0101\))
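The figure only draws the tree; the following is an added example (not code from the slides or from Hermez) that builds a depth-4 tree over 16 constructed sample leaves, extracts the hash path of leaf 5 (whose index bits are 0101) and recomputes the root from it. SHA-256 and the 0x00/0x01 leaf/node prefixes are this example's choices, not the hash or encoding Hermez uses.

```python
import hashlib
from typing import List, Tuple

DEPTH = 4                 # the slide's tree: depth 4, leaves indexed 0..15
N_LEAVES = 2 ** DEPTH


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(value: bytes) -> bytes:
    # Domain-separate leaves (0x00) from inner nodes (0x01) so that an inner node
    # can never be presented as a leaf in a forged membership proof.
    return _h(b"\x00" + value)


def node_hash(left: bytes, right: bytes) -> bytes:
    return _h(b"\x01" + left + right)


def build_tree(leaves: List[bytes]) -> List[List[bytes]]:
    """Return every level bottom-up: levels[0] are leaf hashes, levels[DEPTH] == [root]."""
    if len(leaves) != N_LEAVES:
        raise ValueError(f"expected {N_LEAVES} leaves")
    levels = [[leaf_hash(v) for v in leaves]]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([node_hash(prev[i], prev[i + 1]) for i in range(0, len(prev), 2)])
    return levels


def root_of(levels: List[List[bytes]]) -> bytes:
    return levels[-1][0]


def hash_path(levels: List[List[bytes]], index: int) -> List[bytes]:
    """The DEPTH sibling hashes needed to recompute the root from leaf `index`."""
    path = []
    for level in levels[:-1]:
        path.append(level[index ^ 1])   # sibling of the current node
        index >>= 1
    return path


def index_bits(index: int) -> str:
    """Root-to-leaf direction bits; leaf 5 gives '0101' as drawn on the slide."""
    return format(index, f"0{DEPTH}b")


def verify_path(root: bytes, value: bytes, index: int, path: List[bytes]) -> bool:
    """Recompute the root from (value, index, path) and compare with the committed root."""
    if len(path) != DEPTH or not 0 <= index < N_LEAVES:
        return False
    cur = leaf_hash(value)
    for sibling in path:
        # The lowest remaining index bit says whether `cur` is the right (1) or left (0) child.
        cur = node_hash(sibling, cur) if index & 1 else node_hash(cur, sibling)
        index >>= 1
    return cur == root


def demo() -> Tuple[bool, bool, bool]:
    # Constructed sample leaves; in Hermez each leaf would be a hashed account state.
    leaves = [f"account-{i}".encode() for i in range(N_LEAVES)]
    levels = build_tree(leaves)
    root = root_of(levels)
    path = hash_path(levels, 5)
    honest = verify_path(root, leaves[5], 5, path)
    wrong_value = verify_path(root, b"account-6", 5, path)   # tampered leaf content
    wrong_index = verify_path(root, leaves[5], 6, path)      # proof replayed at another index
    return honest, wrong_value, wrong_index


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

The verifier only needs the root, the leaf value, its index and DEPTH sibling hashes; changing the value or the index breaks the recomputed root, which is exactly the property the exit tree relies on later when a user proves ownership of a leaf.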
A Bank Ledger

| Name     | Customer ID | Currency | Nonce | Balance   | Account no. |
|----------|-------------|----------|-------|-----------|-------------|
| Mayur    | 3769...9201 | USD      | 0     | 20,00,000 | 0160...8621 |
| Mayur    | 3769...9201 | INR      | 4     | 70,000    | 0160...8621 |
| Mayur    | 1282...5092 | AED      | 2     | 15,000    | 0289...9013 |
| Prof. SV | 2842...0911 | INR      | 97    | 5,00,000  | 1902...6765 |
| Suyash   | 7507...1220 | USD      | 5     | 10,000    | 8903...0474 |
| Suyash   | 7507...1220 | BTC      | 1     | 2         | 8903...0474 |
| Saurav   | 1167...1825 | INR      | 8     | 50,000    | 0152...8814 |
| Saurav   | 2461...9460 | ETH      | 0     | 1.5       | 9102...0019 |

Transaction shown on the slide: 5000 USD leaves Mayur's USD account (- 5000) and enters Suyash's USD account (+ 5000); Mayur's balance becomes 19,95,000 with nonce 1, and Suyash's becomes 15,000 with nonce 6.
A Bank Ledger

| Customer ID | Currency | Nonce | Balance   | Account no. |
|-------------|----------|-------|-----------|-------------|
| 376...201   | USD      | 1     | 19,95,000 | 016...621   |
| 376...201   | INR      | 4     | 70,000    | 016...621   |
| 128...092   | AED      | 2     | 15,000    | 028...013   |
| 284...911   | INR      | 97    | 5,00,000  | 190...765   |
| 750...220   | USD      | 6     | 15,000    | 890...474   |
| 750...220   | BTC      | 1     | 2         | 890...474   |
| 116...825   | INR      | 8     | 50,000    | 015...814   |
| 246...460   | ETH      | 0     | 1.5       | 910...019   |

The same ledger in Hermez terms: Account no. becomes the ETH Addr, Customer ID becomes the HEZ Addr, and Currency becomes the Token ID.
Hermez Circuits
- Circuits: \(\textsf{RollupTx}\) and \(\textsf{HermezWithdraw}\)
- Account types: Regular accounts and Internal accounts
- Transaction types (figure):
  - User (L1): \(\textsf{CreateAccountDeposit}\), \(\textsf{CreateAccountDepositTransfer}\), \(\textsf{Deposit}\), \(\textsf{DepositTransfer}\), \(\textsf{ForceTransfer}\), \(\textsf{ForceExit}\)
  - Coordinator (L1): \(\textsf{CreateAccountEth}\), \(\textsf{CreateAccountBjj}\)
  - User (L2): \(\textsf{Transfer}\), \(\textsf{Exit}\), \(\textsf{TransferToEthAddress}\), \(\textsf{TransferToBjj}\)
Example
- Let's look at the constraints in \(\textsf{CreateAccountDepositTransfer}\)
- Transaction fields (figure): \(A_{\text{ETH}}\), \(A_{\text{BJJ}}\), \(i_{\text{from}}\), \(d\), \(a\), \(t_{\text{id}}\), \(i_{\text{to}}\)
- Check if sender account index is null: \(i_{\text{from}} == 0\)
- Create a new account at index \(\texttt{auxFromIdx}\):
  - \(\texttt{ethAddr} = A_{\text{ETH}}\)
  - \(\texttt{bjjAddr} = A_{\text{BJJ}}\)
  - \(\texttt{tokenID} = t_{\text{id}}\)
  - \(\texttt{balance} = d\)
  - \(\texttt{nonce} = 0\)
- Recipient account must exist at index \(i_{\text{to}}\)
- Token ids of the sender and recipient must match
- Sender account must have enough balance: \(d > a\)
- Update the sender account: \(\texttt{balance} \leftarrow (\texttt{balance} - a)\)
- Update the recipient account: \(\texttt{balance} \leftarrow (\texttt{balance} + a)\)
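An added example (not code from the slides or from the Hermez circuits) that models the account-based ledger from the bank-ledger slides and the constraint list above in plain Python: a state of indexed accounts, the L2 Transfer that moves 5000 USD between two accounts, and CreateAccountDepositTransfer with the slide's checks (null sender index, recipient exists, token ids match, d > a as the slide writes it). Account indices starting at 1 with 0 as the null index, the token id constant, the address strings and the account contents are constructed for the example; only the sender's nonce advances here, since it is the replay counter for the signed transaction, whereas the bank-ledger table also bumps the recipient's counter.

```python
from dataclasses import dataclass
from typing import Dict


@dataclass
class Account:
    eth_addr: str
    bjj_addr: str
    token_id: int
    balance: int
    nonce: int = 0


class RollupState:
    """Account-based state: account index -> Account. Index 0 is the null index."""

    def __init__(self) -> None:
        self.accounts: Dict[int, Account] = {}
        self.next_idx = 1          # constructed convention: real accounts start at index 1

    def create_account(self, eth_addr: str, bjj_addr: str, token_id: int, balance: int) -> int:
        idx = self.next_idx
        self.accounts[idx] = Account(eth_addr, bjj_addr, token_id, balance, nonce=0)
        self.next_idx += 1
        return idx

    def transfer(self, i_from: int, i_to: int, amount: int, nonce: int) -> None:
        """L2 Transfer between existing accounts (the bank-ledger transaction)."""
        snd, rcv = self.accounts.get(i_from), self.accounts.get(i_to)
        if snd is None or rcv is None:
            raise ValueError("sender and recipient must exist")
        if snd.nonce != nonce:
            raise ValueError("nonce mismatch: stale or replayed transaction")
        if snd.token_id != rcv.token_id:
            raise ValueError("token ids of sender and recipient must match")
        if snd.balance < amount:
            raise ValueError("insufficient balance")
        snd.balance -= amount
        rcv.balance += amount
        snd.nonce += 1             # only the signer's replay counter advances

    def create_account_deposit_transfer(self, a_eth: str, a_bjj: str, i_from: int,
                                        d: int, a: int, t_id: int, i_to: int) -> int:
        """The slide's constraints, all checked before any state is written."""
        if i_from != 0:
            raise ValueError("sender index must be null (0) for an account-creating tx")
        rcv = self.accounts.get(i_to)
        if rcv is None:
            raise ValueError("recipient account must exist")
        if rcv.token_id != t_id:
            raise ValueError("token ids of sender and recipient must match")
        if not d > a:              # written as the slide states it: d > a
            raise ValueError("deposit must cover the transferred amount")
        aux_from_idx = self.create_account(a_eth, a_bjj, t_id, balance=d)
        self.accounts[aux_from_idx].balance -= a
        rcv.balance += a
        return aux_from_idx


USD = 0   # constructed token id for the example


def ledger_demo() -> Dict[str, object]:
    st = RollupState()
    # Constructed stand-ins for the slide's Mayur and Suyash USD accounts.
    mayur = st.create_account("eth:mayur", "bjj:mayur", USD, 2_000_000)
    suyash = st.create_account("eth:suyash", "bjj:suyash", USD, 10_000)
    st.accounts[suyash].nonce = 5
    st.transfer(mayur, suyash, 5_000, nonce=0)

    replay_rejected = False
    try:
        st.transfer(mayur, suyash, 5_000, nonce=0)      # same signed tx submitted again
    except ValueError:
        replay_rejected = True

    # A newcomer deposits 20,000 and forwards 5,000 to Suyash in one L1 transaction.
    new_idx = st.create_account_deposit_transfer("eth:new", "bjj:new", i_from=0,
                                                 d=20_000, a=5_000, t_id=USD, i_to=suyash)
    return {
        "mayur": (st.accounts[mayur].balance, st.accounts[mayur].nonce),
        "suyash": (st.accounts[suyash].balance, st.accounts[suyash].nonce),
        "new": (st.accounts[new_idx].balance, st.accounts[new_idx].nonce),
        "replay_rejected": replay_rejected,
    }


if __name__ == "__main__":
    print(ledger_demo())
```

The nonce check is what turns a valid signed transfer into a one-shot object: resubmitting the same transaction fails at the nonce comparison before any balance is touched, and the account-creating transaction refuses to run unless the sender index is the null index, so it cannot overwrite an existing leaf.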
Withdrawal
- Withdrawal is a two-step process
- Step 1: Add withdrawal data to the exit tree at the index \(i_{\text{from}}\)
- Step 2: User proves that they own a leaf in the exit tree using the \(\textsf{HermezWithdraw}\) circuit
- Funds are held on the smart contract once a user exits
- Exit tree allows users to cheaply accumulate withdrawals over time
- Delayed withdrawal mechanism to prevent unbounded withdrawals in case of a hack
Smart Contracts
- The smart contract design of Hermez is simple and intuitive
(figure: \(\texttt{Hermez.sol}\) exposes \(\textsf{AddToken}\), \(\textsf{L1UserTx}\) and \(\textsf{Withdraw}\) to Users and \(\textsf{forgeBatch}\) to the Coordinator; the Coordinator's \(\textsf{bid}\) goes to \(\texttt{Consensus.sol}\) via \(\textsf{processForge}\); the batch proof \(\pi\) is checked by \(\texttt{Verifier.sol}\) with \(\textsf{verify}(\pi)\), which returns \(\{0,1\}\))
Smart Contracts
- The \(\textsf{forgeBatch}\) allows two types of batches:
- L2 batch: Internal txs and coordinator's account creation txs
- L1-L2 batch: Additionally contains L1 user txs
- How do we ensure that the coordinator does not ignore the L1-L2 batch?
(figure: a timeline of \(\textsf{L2 batch}\) and \(\textsf{L1-L2 batch}\) forges, with \(\textsf{forgeL1Timeout}\) bracketing the maximum span allowed between consecutive \(\textsf{L1-L2 batch}\)es)
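An added example (not Hermez.sol code) of the liveness rule the forgeL1Timeout figure illustrates, under the assumed reading that once forgeL1Timeout blocks have passed since the last L1-L2 batch, the coordinator may no longer forge an L2-only batch and must forge an L1-L2 batch. The ForgeGate class, the block numbers and the schedule are constructed for the example.

```python
from typing import List, Tuple


class ForgeGate:
    """Models the slide's forgeL1Timeout rule (assumed reading of the figure):
    after forge_l1_timeout blocks without an L1-L2 batch, L2-only batches are
    rejected, so queued L1 user transactions cannot be starved by a coordinator
    that keeps forging L2 batches."""

    def __init__(self, forge_l1_timeout: int, genesis_block: int = 0) -> None:
        if forge_l1_timeout <= 0:
            raise ValueError("timeout must be positive")
        self.timeout = forge_l1_timeout
        self.last_l1l2_block = genesis_block
        self.batches: List[Tuple[int, str]] = []

    def must_forge_l1l2(self, block_number: int) -> bool:
        """True once the L1 queue has waited the full timeout since the last L1-L2 batch."""
        return block_number >= self.last_l1l2_block + self.timeout

    def forge_batch(self, block_number: int, l1_batch: bool) -> bool:
        """Return True if the batch is accepted; an overdue L2-only batch is rejected."""
        last_seen = self.batches[-1][0] if self.batches else self.last_l1l2_block
        if block_number < last_seen:
            raise ValueError("block numbers must be non-decreasing")
        if not l1_batch and self.must_forge_l1l2(block_number):
            return False                       # coordinator must process L1 txs first
        if l1_batch:
            self.last_l1l2_block = block_number
        self.batches.append((block_number, "L1-L2" if l1_batch else "L2"))
        return True


def replay(timeout: int, schedule: List[Tuple[int, bool]]) -> List[bool]:
    """Feed a schedule of (block_number, is_l1l2_batch) attempts; report which are accepted."""
    gate = ForgeGate(timeout)
    return [gate.forge_batch(blk, l1) for blk, l1 in schedule]


# Constructed schedule: timeout 10 blocks, genesis at block 0.
SCHEDULE = [(3, False), (7, False), (10, False), (10, True), (15, False), (19, False), (20, False)]

if __name__ == "__main__":
    print(replay(10, SCHEDULE))   # [True, True, False, True, True, True, False]
```

The two rejections in the sample schedule are the L2-only attempts at blocks 10 and 20, each exactly forgeL1Timeout blocks after the previous L1-L2 batch; forging the L1-L2 batch at block 10 resets the window.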
Takeaways
- Simplicity in the overall system design of Hermez allows an excellent UX
- Clear and detailed user, coordinator and developer documentation
- Focus on data availability, decentralization and security
- Based on the Groth16 zk-SNARK, which requires a circuit-specific trusted setup
- Idea of an account-based zk-Rollup can be useful for Arcana