Cultivating Sapling: Faster zk-SNARKs
Sean Bowe | Sep 13, 2017
Zcash's next major upgrade, codenamed Sapling, will feature a set of groundbreaking performance improvements for our shielded transactions. In the last blog post of this series, we talked about a new elliptic curve for zk-SNARKs called BLS12-381, as well as new proving systems and other algorithms.
Matthew Green, Ian Miers and I are happy to announce that we have made significant performance improvements to the zk-SNARKs that Zcash uses. These improvements are being published open source, free of patents, for the broader crypto community.
We have designed an elliptic curve called Jubjub which is efficient to perform operations on inside of zk-SNARK circuits built over our new BLS12-381 curve. These kinds of "embedded" curves have been explored in previous works such as Kosba et al.. We achieve record-breaking performance for fixed-based exponentiation.
Fast elliptic-curve cryptography in this context allows us to use more efficient primitives for commitment schemes and collision-resistant hashes. Combining the various techniques we've discussed in previous posts, we can get a rough idea of the performance improvements:
This rough estimate indicates an 80% reduction of proving time, and a 98% reduction in memory usage which is a key requirement for opening up mobile support for Zcash shielded addresses.
What's more, there are more optimizations and improvements that reduce these costs further that we plan to explore in future blog posts.