Designing an API for ZK-Snark proof verification in Aiken – Eryx

Blockchain technology’s firsthand benefits are increased trust, security, and transparency in digital interactions. This innovation has helped businesses and individuals to operate on cost-effective, efficient, streamlined digital experiences through improved data traceability across a shared network like Cardano.  Although this transparency breeds advantages in many situations, there are occasions when smart contracts demand privacy either for business, legal, or even personal reasons. For example, consider a case where proprietary data inputs activate a smart contract’s execution. 

Zero-knowledge proofs, not to be mistaken for zero trust (a cybersecurity data protection mechanism), are a cryptographic technique that facilitates verification in that a piece of information can be validated without revealing the information — taking place between a prover and a verifier. Surprisingly, zero-knowledge proofs can be used as part of security measures in the zero-trust framework, but the leading use case is in blockchain technology and cryptocurrencies.

For their practical use cases, zero-knowledge proofs target applications prioritizing security, as is the foundation of the Cardano blockchain, among its other building blocks. To give more perspective, consider authentication systems where zero-knowledge proofs verify credentials and digital identities without exposing private information. A good example is proving ownership of a computer password without disclosing it. 

The Cardano community introduced zero-knowledge proof (ZKP) and zk-rollups through the zkFold project to achieve this functionality. While the zkFold is developing scaling and interoperability solutions on Cardano with its three main products (zkFold Symbolic, zkFold UPLC Converter, and zkFold Rollup; more about these in a future post), most developers are still locked out because the implementation uses Haskell, Cardano’s native programming language, a main pain point for developers getting started with Cardano. Even with other existing on-chain proving solutions, there is still a need for easy ways to use them in smart contracts.

In this article, we will introduce a new API coming to the world of Aiken to aid with ZK-Snark proof verification. We start with a recap of Aiken and the underlying challenges of working with zero-knowledge proofs on Cardano and introduce the proposed solution. We will then dive into the technical details of the solution, the step-by-step build, project funding and timelines, and the development team before closing out with the impact of this project on the overall Cardano ecosystem.

An Overview of Aiken

Since its initialization, the Aiken programming language has been a response to the ever-growing demand for a simple, functional alternative approach to writing Cardano decentralized applications (DApps). What began as an idea between two passionate engineers in the Cardano blockchain has now evolved into a well-polished developer kit, accompanied by lots of tutorials and easily accessible documentation for a smooth kick-off.

As one of the biggest challenges, smart contracts in Cardano were initially written in Plutus, creating a big barrier for developers unfamiliar with Haskell’s syntax. Additionally, Plutus’s code needs auxiliary developer tools to compile, which is challenging for new developers to set up. 

Aiken features modern programming styles like in TypeScript to open up new developers’ opportunities. Aiken has its own compiler, which ensures a smooth development workflow. It follows that using Aiken, you still need to write off-chain code that triggered transactions in your native, such as JavaScript, Python, Rust, etc.

Its primary goal is to shorten developers’ time for building solutions by eliminating the need to study advanced programming languages like Haskell. Inspired by modern programming languages like Gleam, Rust, Elm, and TypeScript command excellence in developer experience, Aiken writes on-chain validation scripts, leaving you to write off-chain code (e.g., the frontend of your application) in your native language, for instance, Python, JavaScript, Rust, etc. 

Aiken has a robust testing framework built in and provides friendly error messages. It also has an extension for VS Code, one of the developers’ best programming IDEs. Solidifying its position in Cardano, Aiken is powering a significant number of smart contracts. Some notable projects using Aiken are Lenfi — an automatic lending solution development SDK, JPG Store — Cardano’s largest NFT marketplace, and Sundae Swap and Minswap — two popular decentralized exchanges in Cardano. 

If you would like to start writing applications with Aiken, Emurgo, a core founding entity on Cardano, maintains a hands-on smart contract development course with live mentorship and support.

The Challenge in Cardano Zero Knowledge Proofs

Earlier, we mentioned that there are already existing on-chain proving systems, citing the zkFold project as an example on Cardano. Let’s list a few more by the numbers outside Cardano: Groth16, Plonk — available in several versions — and Bulletproofs. These solutions, too, need to be easy and intuitive to use in smart contracts, and the solution is to build appropriate tooling that abstracts all the technical zk jargon under the hood.

Ideally, developers write smart contracts in Aiken, defining “off-chain” otherwise known as “private” functionality based on the target privacy settings. In effect, the smart contracts automatically assemble into a set of ZK circuits and Plutus code that allows off-chain provers to run the “private” functions, which are verified on-chain. 

Taking this direction on Aiken comes from the inspiration of similar projects in other ecosystems that have had a notable degree of success. One such example is Noir, a universal, open-source, general-purpose programming language for ZK applications. Like the Rust syntax, this domain-specific language (DSL) lets developers write private functions with public inputs compiled into abstract circuit intermediate representation (ACIR), supporting different proving backends. 

Another example is o1js, an extension of TypeScript used to describe circuit constraints in a straightforward approach in smart contracts. As the last, Cairo is also a DSL whose verifier uses a STARK-based proving system likened to Ethereum’s. All these projects have one goal: helping developers by abstracting the complexity involved in writing provable code. So, how do we achieve this in Aiken?

Building Zero-Knowledge DApps on Cardano

In the spirit of implementing similar and better solutions on Cardano, this project proposal seeks to allow programmers to write smart contracts with some “off-chain” functionality. The goal is to build a library with an application programming interface (API) for constructing and verifying zk circuits. This kind of functionality is seen in popular proving systems such as Plonky2. The requirements can be summarized as follows:

• The ability to focus on business logic rather than proving and verifying it.
• An easy-to-use API that suits users with no knowledge of the subject of ZK.
• Eliminate the need for manual developer optimization of zk circuits
• A modular solution that’s compatible with other proving systems effortlessly

It stands to reason that because the circuit generation (trigger) happens off-chain, it might not be necessary to write it in Aiken. That’s correct, but the ideal user of this API is a smart contract developer, and the aim here is to support developers in using ZK circuits without learning another programming language.

In the design rationale, some important choices include which proving systems to support as a first approach. Considerations include the solution being based on the current ZK primitives in Plutus V3. It should also not need a trusted setup. The solution ought to support the recursive programming paradigm — the ability to pass proof as a private input to an off-chain function and verify it inside the same function. At the time of writing, ZK primitives in Plutus core pose a restriction on this, which makes it impossible to apply fast recursive algorithms like Aztec (Barrentenbeg), Halo2, or Pickles (Mina).

Moreover, the mechanisms invoked to send transactions and generate proofs off-chain, even though out of the scope of this proposal, have been factored into the design. Following the example of o1js, where the library instantiates smart contracts as objects to which you provide the transaction, you can call the prove method on the target transaction before signing it and sending it. The idea here is to integrate MeshJS for ease in support of the ZK-proving counterpart of the on-chain verifiers.

Implementation: Building the API

The key milestones in bringing this project to life are research, circuit library, on-chain verification, gadgets, final polishing, and documentation. We will decompose each step. 

1. Research — Start by comparing the available proving systems and libraries in the ecosystem, evaluating the limitations of each, and choosing one as the first verifier to work with. Features under review include proof size, proving and verifying time, support recursion ease, popularity, and support for optimizations like range checks and look-ups. As an output, we can see the research report in Eryx’s GitHub. The technical report shows that the suitable proving systems are Gorth16 and Plonk, which have been battle-tested for supporting on-chain proving systems. At the time of writing, this is the only completed milestone.

2. Circuit Library — Build a library for constructing circuits in Aiken and ensure it is compatible with the above verifiers; how so? Create a set of primitives that can create basic programs, for instance, simple operations such as assertion, addition, subtraction, negation, multiplication, and conditionals. To put the circuit into practice, write a sample program implementing Fibonacci. This milestone ends with an Aiken library that designs simple circuits.

3. On-chain Verification — Make the circuit compatible with the chosen verifiers once the circuit is ready. By the end of this milestone, the API should be able to verify the execution of a program with simple circuit constraints on the testnet. This phase ends with the ability to verify a simple circuit, such as the Fibonacci test program.

4. Gadgets — Add an array of gadgets to create more complex programs using advanced cryptographic primitives without the need to implement them from scratch. At this time, it’ll also be appropriate to seek community input to build the most impactful gadgets. As such, the gadgets should provide ready-to-use high-level zk-constraints for hashes, Merkle trees, polynomial evaluation, and interpolation. The output of this phase is a list of gadgets for cryptographic primitives implementation built into the library and validated on the testnet.

5. Final Polishing and Documentation—By the end of the above steps, the community will have access to the GitHub repository. Next, the project codebase will be refactored, testing extended, and comprehensive documentation accompanied by tutorials written. In the end, the final codebase will be up on GitHub, fully optimized, bugs fixed, contribution guidelines well outlined, and the setup should be developer-friendly. 
6. Final Report — To conclude, the project will be available and open-source for community use and contributions. A final report describing the project process and outcomes pends publishing alongside a video demonstration showcasing the library and its features.

Scheme Funding and Timelines

This project takes up to six months to make the API live and available for use. Technically, the implementation spans four months, but we also need to factor in additional input, like reviews from the Eryx team and community suggestions, to ship a reliable developer kit. On to the budget breakdown, it costs a total of ₳200,000, shared as follows:

• Development: ₳180,000 — This budget goes to Aiken development, mathematical and cryptographical research, design, and circuit integration. With three developers taking on the tasks, one handling Cardano and the others working on cryptography development, each gets ₳60,000 for the four-month development timeline.

• Project Management: ₳20,000 — This budget goes to organizing the project execution, creating reports, writing the developer documentation, and maintaining reliable communication with the Cardano community and reviewers at Project Catalyst.

Key Stakeholders: The Project Crew

As part of fund 13 in Project Catalyst, this project is coming to life in the hands of Eryx, a decentralized self-managed software company. Formed by a group of PhD folks with a strong foundation in mathematics and computer science, Eryx has a record of over 10 years in solving complex problems in blockchain development, privacy-first protocols, and cryptography, all of which are testaments to their expertise. 

Eryx has also contributed to the Lambdaworks library (a primitive for building proving systems) and, in collaboration with Nethermind, built the CircleSTARKS protocol in GPU (a layer two efficiency solution). Worth mentioning is that CircleSTARKS implementation is in several ZK primitives, such as field operations and polynomial commitment schemes, on different platforms and programming languages. 

Additionally, the Eryx team built proving solutions based on the Plonk protocol, where they wrote an intuitive interface for designing circuits, including basic operations and conditionals that form the building blocks for more complex cryptographic primitives. And recently, Eryx built a Plonky2-based backend for Aztec’s Noir, funded by the Ethereum Foundation, during which the team learned how domain-specific languages interact with proving systems.

While the whole Eryx team is available to contribute, advise, and provide valuable feedback, below is a list of the members who are actively owning and working on this project:

• Agustín Garassino, ZK Cryptographer — A computer scientist and professor at the University Torcuato Di Tella. As a senior applied ZK cryptographer at Eryx, Augustin has rich experience administering zero-knowledge protocols across different ecosystems.
• Sergio Chouhy, ZK Cryptographer — A math PhD holder and senior applied ZK cryptographer at Eryx. Sergio has extensive experience tooling zero-knowledge protocols from scratch and building their compatibility between established proving systems and libraries.
• Carlo Ferrari, ZK Cryptographer — An applied ZK cryptographer at Eryx, a math PhD holder, and a machine learning engineer. Carlo has implemented cryptographic primitives in low-level languages and zero knowledge and developed blockchain solutions in the Ethereum network.
• Agustin Franchella, Project Manager — A Cardano ambassador and Encoins team player. Augustin is also a funded proposer in Project Catalyst Fund 12. In this project, he will lead the documentation and create educational resources to clearly and effectively communicate the solution’s conceptual, architectural, and application aspects.

A New Era of Privacy and Scalability on Cardano

Aiken is not only a modern programming language but has also segmented and solidified its position as a leader in developing smart contracts on Cardano. This project aims to enable Aiken developers to write on-chain verifiable circuits seamlessly. In the Cardano ecosystem, more accessibility to tools that facilitate zero-knowledge smart contracts means two important aspects: privacy and scalability. 

Zk smart contracts on Cardano allow data and transaction verification without disclosing sensitive information. This is especially valuable to decentralized applications (DApps) with privacy-focused motives, such as decentralized identities and financial transactions. In addition, Zk smart contracts offload computational work (through off-chains), helping scale the Cardano blockchain. Cheers to the internet, where Cardano provides speed, stability, privacy, and reliability. 

To learn more about this project, its progress, and the related intricacies, please check out the official proposal at Project Catalyst, the Eryx project, and Aiken on Cardano.