Polygon Hermez

Zero Knowledge Proofs

Zero Knowledge Proofs

Reveal!

Zero Knowledge Proofs

Zero Knowledge Proofs

Zero Knowledge Proofs

Zero Knowledge Proofs

Reveal!

Zero Knowledge Proofs

Zero Knowledge Proofs

On repeating the experiment a number of times,

If the prover is honest, verifier accepts!
If the prover is cheating, verifier will catch it!
No information about 3-colouring is revealed!

$\text{Completeness,}$

$\text{Soundness,}$

$\text{Zero-Knowledge!}$

Merkle Tree

$0101$

$A$

$F$

$N$

$0$

$1$

$2$

$3$

$4$

$5$

$6$

$7$

$8$

$9$

$10$

$11$

$12$

$13$

$14$

$15$

$\text{root}$

$\text{nodes}$

$\text{leaves}$

$\text{hash path}$

$\text{depth} = 4$

A Bank Ledger

Mayur

Name

Customer ID

3769...9201

Currency

USD

Nonce

0

Balance

20,00,000

Account no.

0160...8621

Mayur

3769...9201

INR

4

70,000

0160...8621

Mayur

1282...5092

AED

2

15,000

0289...9013

Prof. SV

2842...0911

INR

97

5,00,000

1902...6765

Suyash

7507...1220

USD

5

10,000

8903...0474

Suyash

7507...1220

BTC

1

2

8903...0474

Saurav

1167...1825

INR

8

50,000

0152...8814

Saurav

2461...9460

ETH

0

1.5

9102...0019

+ 5000

- 5000

19,95,000

15,000

1

6

A Bank Ledger

Customer ID

376...201

Currency

USD

Nonce

1

Balance

19,95,000

Account no.

016...621

376...201

INR

4

70,000

016...621

028...013

128...092

AED

2

15,000

190...765

284...911

INR

97

5,00,000

890...474

750...220

USD

6

15,000

890...474

750...220

BTC

1

2

015...814

116...825

INR

8

50,000

910...019

246...460

ETH

0

1.5

ETH Addr

HEZ Addr

Token ID

Hermez Circuits

RollupTx

HermezWithdraw

Regular accounts

Internal accounts

User

Coordinator

$\textsf{CreateAccountDeposit}$

$\textsf{CreateAccountDepositTransfer}$

$\textsf{Deposit}$

$\textsf{DepositTransfer}$

$\textsf{ForceTransfer}$

$\textsf{ForceExit}$

$\textsf{CreateAccountEth}$

$\textsf{CreateAccountBjj}$

$\textsf{Transfer}$

$\textsf{Exit}$

$\textsf{TransferToEthAddress}$

$\textsf{TransferToBjj}$

Example

Let's look at the constraints in $\textsf{CreateAccountDepositTransfer}$

$A_{\text{ETH}}$

$i_{\text{from}}$

$d$

$a$

$t_{\text{id}}$

$i_{\text{to}}$

$\underbrace{\hspace{4.4cm}}$

Check if sender account index is null: $i_{\text{from}} == 0$
Create a new account at index $\texttt{auxFromIdx}$ :
- $\texttt{ethAddr} = A_{\text{ETH}}$
- $\texttt{bjjAddr} = A_{\text{BJJ}}$
- $\texttt{tokenID} = t_{\text{id}}$
- $\texttt{balance} = d$
- $\texttt{nonce} =$ 0
Recipient account must exist at index $i_{\text{to}}$
Token ids of the sender and recipient must match
Sender account must have enough balance: $d > a$
Update the sender account: $\texttt{balance} \leftarrow (\texttt{balance} - a)$
Update the recipient account: $\texttt{balance} \leftarrow (\texttt{balance} + a)$

$A_{\text{BJJ}}$

Withdrawal

Withdrawal is a two-step process
- Step 1: Add withdrawal data to the exit tree at the index $i_{\text{from}}$
- Step 2: User proves that they own a leaf in the exit tree using the $\textsf{HermezWithdraw}$ circuit
Funds are held on the smart contract once a user exits
Exit tree allows users to cheaply accumulate withdrawals over time
Delayed withdrawal mechanism to avoid infinite withdrawal in case of a hack

Smart Contracts

The smart contract design of Hermez is simple and intuitive

$\texttt{Hermez.sol}$

$\textsf{AddToken}$

$\textsf{L1UserTx}$

$\textsf{Withdraw}$

$\textsf{forgeBatch}$

Users

Coordinator

$\textsf{bid}$

$\pi$

$\{0,1\}$

$\texttt{Consensus.sol}$

$\textsf{processForge}$

$\texttt{Verifier.sol}$

$\textsf{verify}(\pi)$

$\{0,1\}$

Smart Contracts

The $\textsf{forgeBatch}$ allows two types of batches:
- L2 batch: Internal txs and coordinator's account creation txs
- L1-L2 batch: Additionally contains L1 user txs
How do we ensure that the coordinator does not ignore the L1-L2 batch?

$\underbrace{\hspace{4.2cm}}$

$\textsf{forgeL1Timeout}$

$\underbrace{\hspace{4.2cm}}$

$\textsf{forgeL1Timeout}$

$\textsf{L1-L2 batch}$

$\textsf{L2 batch}$

Takeaways

Simplicity in the overall system design of Hermez allows an excellent UX
Clear and detailed user, coordinator and developer documentation
Focus on data availability, decentralization and security
Based on the Groth16 zk-SNARK - circuit specific trusted setup
Idea of an account-based zk-Rollup can be useful for Arcana

Polygon Hermez

Suyash Bagad

Zero Knowledge Proofs

Zero Knowledge Proofs

Zero Knowledge Proofs

Zero Knowledge Proofs

Zero Knowledge Proofs

Zero Knowledge Proofs

Zero Knowledge Proofs

Zero Knowledge Proofs

Merkle Tree

A Bank Ledger

A Bank Ledger

Hermez Circuits

Example

Withdrawal

Smart Contracts

Smart Contracts

Takeaways

Polygon Hermez

Polygon Hermez

Suyash Bagad

Polygon Hermez

Suyash Bagad

Polygon Hermez

More from Suyash Bagad