owned this note
owned this note
Published
Linked with GitHub
# Project MoPerf: ZK Mobile Perf Shape Up
**Updated 2024-02-21: We consider this to be derisked enough to warrant the start of Anon-Aadhaar v1 Showcase App. See Conclusion below.**
## Problem
For ZK-ID solutions like Anon-Aadhaar to be useful in the real world they need: (a) a significant amount of constraints (~1m) and (b) to work reliably on mobile for many users.
Currently PoC written for anon-aadhaar and mopro (pocket-aadhaar), while better than the status quo, only target ~160k constraints. As this gets increased to 1.7m (current status of Anon-Aadhaar circuits; can possibly be optimized to ~1m) many independent technical risks related to performance arise.
This is also true for other ZK Identity solutions. Without going into too much detail, this is due to having to perform a SHA256 hash, of the signed identity data. This is to ensure that the data used for computing the nullifier (approximately 800k constraints) is not corrupted. Additionally, this process involves an RSA verification check (about 160k constraints).
Currently, we don't know exactly what is feasible on mobile. This means projects such as an Anon-Aaadhaar Showcase App ([link](https://hackmd.io/321WjevGRBWMSPYe6g7mcw?both=)) come with too many technical risks to execute in a short time period with confidence.
The big question we want answer is: *What is a reasonable size of a circuit (primarily number of constraints, but other factors too) that we can run on mobile?*
## Appetite
We imagine spending 1-3 weeks on this bet to get clarity on a set of questions. Roughly Jan 29 - Feb ~16-23.
*Note: Feb 8 - Feb 14 is Chinese New Year in Taiwan. Oskar is expected to be away Feb 5 - Feb 12, and Vivian Feb 14 - Feb 20.*
## Solution
We want to do try differently sized circuits to understand the limits of proving on mobile with currently available technology.
We want to test:
- Circuits of increasing complexity: ~100/200/400/800/1600k constraints.
- Circuits with realistic witnesses (recent anon-aadhaar solutions)
We want to run the tests on realistic but modern hardware:
- Recent iPhones (last 3 years)
- Recent Android phones (last 3 years)
- Sanity check on laptop with `mopro-core` and/or simulator
Here are dimensions we want to gain clarity on:
- Does it work at all? (No crashes)
- What is memory consumption like?
- How long does witness generation take?
- How long does prover time take?
- How big is the zkey file?
- How long does it take to load the zkey file?
- How big is the app file?
- Can we load the zkey file after app launch?
We have some preliminary results for above, but these are mostly for ~150k size circuits.
We also want to either address or check feasibility of some low-hanging fruit:
- Native witness generation https://github.com/oskarth/mopro/issues/32
- Improve (ark)zkey load time https://github.com/oskarth/mopro/issues/25
- Loading (ark)zkey file after app launch
Based on our findings above, we want to write and publish a report. With this, we'll have a more informed view on on what future work would be most useful (showcase app, further optimizations, alternative proof systems, etc) and limitations in terms of hardware requirements, etc.
## No-gos
- Fundamental architecture changes (different prover stack, different proving system)
## Rabbit holes
- Spending too much time on improvements vs checking feasibility
- Too detailed measurements vs rough back of the envelope checks
## Notes
- We can create a benchmark folder in mopro and work from there
- Should be able to use keccak256 example to change number of constraints
- However this wouldn't impact witness size
- Best is still using AA circuits, but need scaffolding for this
- What devices do people have?
- Want modern hardware ideally
- Oskar: iPhone 14 Max Pro
- Vivian: iPhone 12 mini, Samsung Galaxy S23 Ultra (can also borrow an iPhone 13 Max Pro)
- Yanis: iPhone XR (3Gb RAM)
- Exact order of operations and divison of work?
- TBD
See https://github.com/oskarth/mopro/issues/57 for latest GH milestone issue.
## Results
**Last updated 2024-02-19**.
Benchmarks to answer question: *The big question we want answer is: What is a reasonable size of a circuit (primarily number of constraints, but other factors too) that we can run on mobile?)*
## iPhone 14 Pro Max (2022)
Oskar's phone, 6GB RAM.
Constraints: Console/App prover time, Stable/High memory usage.
- 100k: 1.4/1.6s, 144/194mb
- 200k: 2.6/3s, 304/365mb
- 400k: 5.4/6.2s, 511/628mb
- 800k: 9.4/11s, 682/1060mb
- 1600k: 19.8/23s, 1670/2000mb
(Currently unable to run 3200k constraints due to trusted setup memory limits).
Anon-Aadhaar 1700k constraints works fine too.
**Conclusion: On a modern high-end iPhone (2y old) memory isn't an issue up to ~1.6-1.7m constraints, and likely long way to go until memory becomes a problem**.
## iPhone SE (3rd gen, 2022)
Oskar's phone, 4GB RAM.
- 1600k: 22.2/25.7s, 1300/1770mb
Still plenty of free memory available.
**Conclusion: On a modern low-end iPhone (2y old) memory isn't an issue up to 1.6-1.7m constraints. It is unlikely that above 2m constraint would work.**
## iPhone XR (2018)
Yanis's phone, 3GB RAM.
- 400k: 8.3s, 349mb
- 800k: 18.93s, 681mb
I wasn't able to continue the tests as my phone crashes when number of constraints is higher than 800k.
**Conclusion: On a old low-end iPhone (6y old) memory is an issue up to 1m constraints. But we don't considred it as a blocker for the project.**
## Samsung Galaxy s23 Ultra (2023)
Vivian's phone, 12GB RAM
- 800k: 12.632s, 1200mb (apk size: 252mb)
- 1600k: 26.759s, 2300mb (apk size: 482.4mb)
**Conclusion: On a modern high-end android phone memory isn't an issue up to 1.6m constraints. It takes more memory usage than iPhone but still plenty of memory available.**
## More details
Briefly on other dimensions.
> Does it work at all? (No crashes)
Yes, assuming sufficient memory (~4GB).
> - What is memory consumption like?
> - How long does witness generation take?
The increased complexity of Anon-Aadhaar hasn't significantly increased the duration of witness generation. That being said, it still takes a while, on the order of ~10s.
We've started integrating native witness generation, see https://github.com/oskarth/mopro/issues/32, but we ran into some problems integrating it. While we still want to do this, this is not a hard blocker for an Anon-Aadhaar showcase app.
> - How long does prover time take?
See above. Around ~20s. This is above 10s, but for some use cases this is acceptable. Speeding this up is likely non-trivial.
> - How big is the zkey file?
```
➜ target git:(main) ✗ ls -lhS *final*zkey | awk '{print $5, $9}'
751M complex-circuit-1600k-1600k_final.zkey
455M complex-circuit-1600k-1600k_final.arkzkey
375M complex-circuit-800k-800k_final.zkey
227M complex-circuit-800k-800k_final.arkzkey
188M complex-circuit-400k-400k_final.zkey
114M complex-circuit-400k-400k_final.arkzkey
94M complex-circuit-200k-200k_final.zkey
57M complex-circuit-200k-200k_final.arkzkey
47M complex-circuit-100k-100k_final.zkey
28M complex-circuit-100k-100k_final.arkzkey
```
arkzkey is ~500mb for 1.6-1.7m constraints.
> - How long does it take to load the zkey file?
~80s on a modern iPhone. This is definitely quite a long time and we want to reduce this. At the same time, from a UX POV we can work around this as the user is performing the initial setup.
Work to improve this has been identified but not done yet, se https://github.com/oskarth/mopro/issues/25. This is not a hard blocker for showcase app, but something that we want to improve.
> - How big is the app file/apk?
For a 800k circuit the apk size is 252mb. For a 1600k circuit, the apk size is 482.4mb. This is with embedded proving key. The dominant factor is the proving key size.
There might be more work to do here in terms of shaking out dependencies.
> - Can we load the zkey file after app launch?
This seems doable. See https://github.com/oskarth/mopro/issues/65 and https://github.com/oskarth/mopro/pull/69 for initial research spike. The main concern here is App Store policy, but initial reading of their policies seems to suggest it is OK.
## Conclusion
We now have confidence that we can run Anon-Aaadhaar's new protocol (1.7m vs 170k constraints) on mobile. While there's more work to be done on the performance side, there are no major concerns.
In terms of performance numbers, with complex circuits like Anon-Aadhaar,it seems like we are looking at (1) loading proving key in background (<1.5 minutes) (2) embed or download ~500mb prover key (3) total prover time of ~30s (incl witness generation). We expect 1 can be improved, 2 to be a fundamental limit of proving system with this number of constraints (and it only has to be done once), and 3 to be marginally improved (reducing witness generation time).
The main requirement to be concerned with at this stage is memory of the device. We recommend devices to have at least 4GB RAM for Anon-Aaadhar v1 to be able to run. With this amount of memory, it seems like we can run circuits of size up to 1.6-1.7m constraints without running out of memory.
Google Drive
Gist
Clipboard
Sign in with Wallet
