Search
Search for projects by name
LineaConsensys
About
Linea proving system is designed for proving EVM code execution and mainly used for proving Linea L2 state transitions.
Tech Stack
About
Linea proving system is designed for proving EVM code execution and mainly used for proving Linea L2 state transitions.
Description
Linea prover implements a zkEVM by creating a custom arithmetization of EVM state transition and proving it in a series of recursive SNARKs (i.e. without implementing a zkVM). The proof is wrapped into a Plonk with KZG for efficient onchain verification. Linea prover targets 128 bits of security.
Proof system
Linea prover includes Wizard-IOP framework for extending polynomial IOPs with more powerful queries, Arcane compiler of Wizard-IOP into polynomial IOP and Vortex list polynomial commitment (LPC) scheme. Wizard-IOP represents an extension of polynomial IOP with a wider range of queries, including inclusion check, permutation check, range check etc. Vortex LPC is a batchable polynomial commitment that is based on Ligero with lattice-based hash functions. To achieve succinct proof size, Linea prover performs multiple rounds of self-recursion by arithmetizing the Vortex verifier in the Wizard-IOP framework. During these rounds Plonk+KZG schemes over curves BW6, BLS12-377, and BN254 are used, creating a dependency on 3 trusted setups, see below for more details.
EVM circuits
This level of Linea prover produces execution proof and compression proof after several rounds of self-recursive compression. Both of these are Plonk based proofs over BLS12-377 curve. Execution proof validates the correct execution of transactions within the EVM, including knowledge of correct EVM traces, correctness of precompiles and consistency of public inputs. Compression proof verifies effective and correct compression of inputs for EVM execution circuits.
Aggregation circuits
At this stage several proofs generated by execution and compression circuits are recursively verified within the finalization (or aggregation) circuit, which also checks the “connection” of all public inputs across all circuits. It leverages a composite proof system that combines several Plonk circuits on the BW6, BLS12-377, and BN254 curve with a goal of performant recursion.
Final wrap
In the end the Linea proof is wrapped in a gnark implementation of Plonk over BN254 curve for even more efficiency onchain. For Plonk, Aztec Ignition trusted setup ceremony is used.
Aztec Ignition
Detailed description
Aztec Ignition is a trusted setup ceremony for KZG commitments over BN254 curve that was run by Aztec for KZG commitment over BN254 curve in 2019. It included 176 participants and was publicly open for participation.
- Github repo to download and verify the ceremony artifacts: https://github.com/AztecProtocol/ignition-verification.
- Github repo with instructions for ceremony participants: https://github.com/AztecProtocol/Setup.
- Ceremony announcement with a call to participate: https://aztec.network/blog/announcing-ignition.
Aleo stage I trusted setup
Detailed description
Ceremony generated trusted setup for KZG commitments over BLS12-377 curve, it was originally run as stage I setup for Aleo blockchain and later reused for Linea prover. Ceremony has 106 participants.
- Repo with ceremony instructions https://github.com/AleoNet/aleo-setup
- Link to the ceremony details: https://setup.aleo.org
Celo Plumo
Detailed description
Ceremony generated trusted setup for KZG commitments over BW6-761 curve, it was originally run for Celo Plumo and later reused for Linea prover. Ceremony has 55 participants.
- Repo with ceremony instructions: https://github.com/celo-org/snark-setup?tab=readme-ov-file
- Link to the ceremony details: https://celo.org/plumo (it is broken. Archived version here: https://web.archive.org/web/20221201203227/https://celo.org/plumo)
- Links to ceremony transcript: https://console.cloud.google.com/storage/browser/plumoceremonyphase1/chunks
- Link to ceremony verification code: https://github.com/Consensys/gnark-ignition-verifier/blob/feat/celo_parser/celo/main.go
List of different onchain verifiers for this proving system. Unique ID distinguishes differents deployments of the same verifier from different verifiers (e.g. different versions).