Verifying ZK SNARKS on Ethereum

From SNARKs to EVM

Most of our smart contracts are very simple because the heavy lifting is done in a SNARK. To ensure full trustless-ness, these SNARKs must be verified by the EVM.

We do this by programmatically generating a specialized smart contract for verifying each SNARK that we use. We do this using the snark-verifier library, developed by the Privacy Scaling Explorations group at the Ethereum Foundation, which generates Yul code for verifying any given ZK circuit.

Here is an example of how we generate the Yul code for the AxiomV0 Verifier contract. All of the Yul code we used is open sourced, and we will soon be providing further instructions on how you can check the generation yourself.

We compiled the Yul code to bytecode using the command

solc --yul <YUL FILE> --bin | tail -1 > <BYTECODE FILE>

using solc Version: 0.8.17+commit.8df45f5f.Linux.g++.

We encourage you to check for yourself that the following Yul files match the deployed bytecode!

Contract	Yul Code
AxiomV0 Verifier	https://github.com/axiom-crypto/axiom-eth/blob/ea6bbce119ec3bda2b9b6bfdf5012893c1716bbc/data/headers/mainnet_10_7.yul
AxiomV0 Historical Verifier	https://github.com/axiom-crypto/axiom-eth/blob/ea6bbce119ec3bda2b9b6bfdf5012893c1716bbc/data/headers/mainnet_17_7.yul
AxiomV0StoragePf Verifier	https://github.com/axiom-crypto/axiom-eth/blob/b01155cc930eadb7c86d78cdfd9678c7809fab35/data/storage/storage_ts.yul
AccountAge Verifier	https://github.com/axiom-crypto/axiom-apps/blob/2d1d2125904411e83b992ef7c2d429f6aed49f84/account-age/contracts/yul/mainnet_10.yul
UniswapV2Twap Verifier	https://github.com/axiom-crypto/axiom-apps/blob/0f16ba49d0b5bafeb655fc2325008796a1126327/uniswap-twap/contracts/yul/mainnet.yul

The constructors for AxiomV0, AxiomV0StoragePf, AccountAge, UniswapV2Twap were called with their respective SNARK verifier contract addresses.

When you call a function in one of the latter contracts, such as AccountAge's verifyAge function, you must supply a ZK SNARK proof in the form of a bytes array in the calldata. The contract then calls the above verifier contract to verify the SNARK proof.

Diving Deeper: SNARK Aggregation

Often, our SNARKs are too large to be directly verified on-chain with just one pass of snark-verifier (the contract hits the EVM bytecode limit!). In other cases, to reduce gas costs we would like to verify multiple SNARKs in one contract call simultaneously. We solve both of these problems by recursively aggregating our SNARKs using snark-verifier. This means that we take a batch of SNARKs, create a new SNARK that verifies the previous batch are all correct, and then verify this last SNARK on-chain with Yul code. The concept of recursive aggregation is very complex 🤯, and we refer to this post for a more in-depth exploration.