Google Drive
Gist
Clipboard
Updated 2024-02-21: We consider this to be derisked enough to warrant the start of Anon-Aadhaar v1 Showcase App. See Conclusion below.
For ZK-ID solutions like Anon-Aadhaar to be useful in the real world they need: (a) a significant amount of constraints (~1m) and (b) to work reliably on mobile for many users.
Currently PoC written for anon-aadhaar and mopro (pocket-aadhaar), while better than the status quo, only target ~160k constraints. As this gets increased to 1.7m (current status of Anon-Aadhaar circuits; can possibly be optimized to ~1m) many independent technical risks related to performance arise.
This is also true for other ZK Identity solutions. Without going into too much detail, this is due to having to perform a SHA256 hash, of the signed identity data. This is to ensure that the data used for computing the nullifier (approximately 800k constraints) is not corrupted. Additionally, this process involves an RSA verification check (about 160k constraints).
Currently, we don't know exactly what is feasible on mobile. This means projects such as an Anon-Aaadhaar Showcase App (link) come with too many technical risks to execute in a short time period with confidence.
The big question we want answer is: What is a reasonable size of a circuit (primarily number of constraints, but other factors too) that we can run on mobile?
We imagine spending 1-3 weeks on this bet to get clarity on a set of questions. Roughly Jan 29 - Feb ~16-23.
Note: Feb 8 - Feb 14 is Chinese New Year in Taiwan. Oskar is expected to be away Feb 5 - Feb 12, and Vivian Feb 14 - Feb 20.
We want to do try differently sized circuits to understand the limits of proving on mobile with currently available technology.
We want to test:
We want to run the tests on realistic but modern hardware:
mopro-core and/or simulatorHere are dimensions we want to gain clarity on:
We have some preliminary results for above, but these are mostly for ~150k size circuits.
We also want to either address or check feasibility of some low-hanging fruit:
Based on our findings above, we want to write and publish a report. With this, we'll have a more informed view on on what future work would be most useful (showcase app, further optimizations, alternative proof systems, etc) and limitations in terms of hardware requirements, etc.
See https://github.com/oskarth/mopro/issues/57 for latest GH milestone issue.
Last updated 2024-02-19.
Benchmarks to answer question: The big question we want answer is: What is a reasonable size of a circuit (primarily number of constraints, but other factors too) that we can run on mobile?)
Oskar's phone, 6GB RAM.
Constraints: Console/App prover time, Stable/High memory usage.
(Currently unable to run 3200k constraints due to trusted setup memory limits).
Anon-Aadhaar 1700k constraints works fine too.
Conclusion: On a modern high-end iPhone (2y old) memory isn't an issue up to ~1.6-1.7m constraints, and likely long way to go until memory becomes a problem.
Oskar's phone, 4GB RAM.
Still plenty of free memory available.
Conclusion: On a modern low-end iPhone (2y old) memory isn't an issue up to 1.6-1.7m constraints. It is unlikely that above 2m constraint would work.
Yanis's phone, 3GB RAM.
I wasn't able to continue the tests as my phone crashes when number of constraints is higher than 800k.
Conclusion: On a old low-end iPhone (6y old) memory is an issue up to 1m constraints. But we don't considred it as a blocker for the project.
Vivian's phone, 12GB RAM
Conclusion: On a modern high-end android phone memory isn't an issue up to 1.6m constraints. It takes more memory usage than iPhone but still plenty of memory available.
Briefly on other dimensions.
Does it work at all? (No crashes)
Yes, assuming sufficient memory (~4GB).
- What is memory consumption like?
- How long does witness generation take?
The increased complexity of Anon-Aadhaar hasn't significantly increased the duration of witness generation. That being said, it still takes a while, on the order of ~10s.
We've started integrating native witness generation, see https://github.com/oskarth/mopro/issues/32, but we ran into some problems integrating it. While we still want to do this, this is not a hard blocker for an Anon-Aadhaar showcase app.
- How long does prover time take?
See above. Around ~20s. This is above 10s, but for some use cases this is acceptable. Speeding this up is likely non-trivial.
- How big is the zkey file?
➜ target git:(main) ✗ ls -lhS *final*zkey | awk '{print $5, $9}'
751M complex-circuit-1600k-1600k_final.zkey
455M complex-circuit-1600k-1600k_final.arkzkey
375M complex-circuit-800k-800k_final.zkey
227M complex-circuit-800k-800k_final.arkzkey
188M complex-circuit-400k-400k_final.zkey
114M complex-circuit-400k-400k_final.arkzkey
94M complex-circuit-200k-200k_final.zkey
57M complex-circuit-200k-200k_final.arkzkey
47M complex-circuit-100k-100k_final.zkey
28M complex-circuit-100k-100k_final.arkzkey
arkzkey is ~500mb for 1.6-1.7m constraints.
- How long does it take to load the zkey file?
~80s on a modern iPhone. This is definitely quite a long time and we want to reduce this. At the same time, from a UX POV we can work around this as the user is performing the initial setup.
Work to improve this has been identified but not done yet, se https://github.com/oskarth/mopro/issues/25. This is not a hard blocker for showcase app, but something that we want to improve.
- How big is the app file/apk?
For a 800k circuit the apk size is 252mb. For a 1600k circuit, the apk size is 482.4mb. This is with embedded proving key. The dominant factor is the proving key size.
There might be more work to do here in terms of shaking out dependencies.
- Can we load the zkey file after app launch?
This seems doable. See https://github.com/oskarth/mopro/issues/65 and https://github.com/oskarth/mopro/pull/69 for initial research spike. The main concern here is App Store policy, but initial reading of their policies seems to suggest it is OK.
We now have confidence that we can run Anon-Aaadhaar's new protocol (1.7m vs 170k constraints) on mobile. While there's more work to be done on the performance side, there are no major concerns.
In terms of performance numbers, with complex circuits like Anon-Aadhaar,it seems like we are looking at (1) loading proving key in background (<1.5 minutes) (2) embed or download ~500mb prover key (3) total prover time of ~30s (incl witness generation). We expect 1 can be improved, 2 to be a fundamental limit of proving system with this number of constraints (and it only has to be done once), and 3 to be marginally improved (reducing witness generation time).
The main requirement to be concerned with at this stage is memory of the device. We recommend devices to have at least 4GB RAM for Anon-Aaadhar v1 to be able to run. With this amount of memory, it seems like we can run circuits of size up to 1.6-1.7m constraints without running out of memory.
-
Any changes
Be notified of any changes
-
Mention me
Be notified of mention me
-
Unsubscribe
Subscribe