ZKVAULT

Compression Pipeline

The ZKVAULT compression pipeline reduces proof size through recursive SNARK composition and byte-level optimizations, minimizing on-chain storage and transaction costs.

Recursive SNARK Composition

Recursive SNARKs enable proving statements about proof verification itself:

Basic Idea:
• Original proof π₁ proves: "Statement S is true"
• Recursive proof π₂ proves: "I verified π₁ correctly"
• π₂ has constant size regardless of complexity of S

Key Insight:
Instead of verifying N proofs on-chain → Verify 1 recursive proof that
certifies N proofs were verified correctly off-chain

Verification Circuit

We construct a circuit that implements Groth16 verification:

circuit Groth16Verifier:
  public inputs:
    - vk_hash          // Hash of verification key
    - public_inputs_hash
    - proof_valid       // Boolean output
  
  private inputs:
    - proof: { A, B, C }
    - public_inputs: [x₁, x₂, ..., xₙ]
    - vk: VerificationKey
  
  constraints:
    // 1. Verify VK matches hash
    assert hash(vk) == vk_hash
    
    // 2. Verify public inputs match hash
    assert hash(public_inputs) == public_inputs_hash
    
    // 3. Compute pairing equation (in-circuit)
    lhs = pairing(proof.A, proof.B)
    rhs = pairing(vk.alpha, vk.beta) *
          pairing(compute_linear_combination(public_inputs, vk), vk.gamma) *
          pairing(proof.C, vk.delta)
    
    // 4. Check pairing equation holds
    proof_valid = (lhs == rhs)

Pairing Arithmetic in-Circuit

Implementing elliptic curve operations inside a circuit requires careful optimization:

// BN254 field arithmetic in circuit
// Base field Fq (curve coordinates)
// Scalar field Fr (exponents, proof elements)

Constraint costs:
• Field addition: 1 constraint
• Field multiplication: 1 constraint  
• Curve point addition: ~15 constraints
• Curve scalar multiplication: ~2500 constraints (256-bit scalar)
• Pairing computation: ~50,000 constraints

Optimization: Use lookup tables and windowed methods to reduce constraints

Aggregation Tree

Multiple proofs can be aggregated using a binary tree structure:

Aggregation Tree (8 proofs example):

         π_root (final aggregated proof)
         /              \
     π_{0-3}          π_{4-7}
     /    \           /    \
  π_{0-1} π_{2-3}  π_{4-5} π_{6-7}
   / \    / \      / \    / \
  π₀ π₁  π₂ π₃    π₄ π₅  π₆ π₇

Each internal node proves:
"I verified my left child proof AND my right child proof"

Depth: log₂(N)
Final proof size: Constant (128 bytes)
Verification cost on-chain: O(1) pairings

Aggregation Algorithm

function aggregateProofs(proofs):
  // Base case: single proof
  if len(proofs) == 1:
    return proofs[0]
  
  // Recursive case: aggregate pairs
  mid = len(proofs) / 2
  left_proofs = proofs[0:mid]
  right_proofs = proofs[mid:]
  
  // Recursively aggregate each half
  left_agg = aggregateProofs(left_proofs)
  right_agg = aggregateProofs(right_proofs)
  
  // Create aggregation circuit
  circuit = AggregationCircuit(
    public: {
      left_vk_hash: hash(left_agg.vk),
      right_vk_hash: hash(right_agg.vk),
      aggregated_valid: true
    },
    private: {
      left_proof: left_agg,
      right_proof: right_agg
    }
  )
  
  // Generate proof of aggregation
  agg_proof = Prove(circuit, private_inputs)
  
  return agg_proof

Byte-Level Minimization

Additional optimizations reduce proof size beyond recursive composition:

Point Compression

Elliptic curve points can be compressed using y-coordinate recovery:

Standard BN254 Point Encoding:
• G₁ point: (x, y) = 64 bytes (two 32-byte field elements)
• G₂ point: (x, y) = 128 bytes (two 64-byte Fq² elements)

Compressed Encoding:
• G₁ point: (x, sign_bit) = 33 bytes
  - Given x, compute y² = x³ + 3
  - Take square root: y = ±√(y²)
  - sign_bit determines which root
  
• G₂ point: (x, sign_bit) = 65 bytes

Savings:
• Proof with 2 G₁ + 1 G₂ point:
  - Uncompressed: 64 + 64 + 128 = 256 bytes
  - Compressed: 33 + 33 + 65 = 131 bytes
  - 49% size reduction

Field Element Encoding

BN254 scalar field: p = 21888242871839275222246405745257275088548364400416034343698204186575808495617

Optimization: Most field elements in proofs have leading zeros
• Standard encoding: 32 bytes (256 bits)
• Compressed encoding: Strip leading zero bytes, include length prefix

Example:
• Value: 0x00000000000000000000000abc123
• Standard: 32 bytes
• Compressed: 1 byte (length) + 6 bytes (value) = 7 bytes
• 78% reduction for this value

Compression Rate Benchmarks

Proof TypeOriginal SizeCompressed SizeCompression Ratio
Single Groth16256 bytes128 bytes2:1
Aggregated (8 proofs)2,048 bytes128 bytes16:1
Aggregated (64 proofs)16,384 bytes128 bytes128:1
Batch (256 proofs)65,536 bytes128 bytes512:1

Solana-Compatible Lightweight Proof Format

ZKVAULT proofs are optimized for Solana's transaction size limits (1232 bytes max):

Proof Structure (128 bytes total):
┌─────────────────────────────────────┐
│ Proof Header (8 bytes)              │
│ - version: u8                       │
│ - flags: u8                         │
│ - circuit_id: u32                   │  
│ - nonce: u16                        │
├─────────────────────────────────────┤
│ Point A (G₁, compressed) (33 bytes) │
│ - x coordinate: 32 bytes            │
│ - y sign bit: 1 byte                │
├─────────────────────────────────────┤
│ Point B (G₂, compressed) (65 bytes) │
│ - x coordinate: 64 bytes            │
│ - y sign bit: 1 byte                │
├─────────────────────────────────────┤
│ Point C (G₁, compressed) (33 bytes) │
│ - x coordinate: 32 bytes            │
│ - y sign bit: 1 byte                │
└─────────────────────────────────────┘

Public Inputs (variable, typically 32-128 bytes):
• Packed field elements
• Length-prefixed encoding

Compression Pipeline Implementation

async function compressProof(proof, options = {}) {
  // Step 1: Apply point compression
  const compressedPoints = {
    A: compressG1Point(proof.A),
    B: compressG2Point(proof.B),
    C: compressG1Point(proof.C)
  }
  
  // Step 2: If batching enabled, aggregate
  if (options.batch && options.batch.length > 1) {
    const aggregated = await aggregateProofs(options.batch)
    return aggregated
  }
  
  // Step 3: Serialize to bytes
  const buffer = new ByteBuffer(128)
  buffer.writeU8(PROOF_VERSION)
  buffer.writeU8(proof.flags)
  buffer.writeU32(proof.circuitId)
  buffer.writeU16(proof.nonce)
  buffer.writeBytes(compressedPoints.A)
  buffer.writeBytes(compressedPoints.B)
  buffer.writeBytes(compressedPoints.C)
  
  return buffer.toBytes()
}

// Decompression (on-chain verifier)
function decompressProof(bytes) {
  const reader = ByteReader(bytes)
  const version = reader.readU8()
  assert(version == PROOF_VERSION)
  
  const flags = reader.readU8()
  const circuitId = reader.readU32()
  const nonce = reader.readU16()
  
  // Decompress points (y-coordinate recovery)
  const A = decompressG1Point(reader.readBytes(33))
  const B = decompressG2Point(reader.readBytes(65))
  const C = decompressG1Point(reader.readBytes(33))
  
  return { A, B, C, circuitId, nonce }
}

Performance Impact

Compression adds minimal overhead to proof generation:

  • Point compression: ~5ms per proof
  • Single proof optimization: ~10ms total
  • Recursive aggregation (8 proofs): ~300ms
  • Decompression on-chain: ~2ms (included in verification)

The compression pipeline achieves 2-512x size reduction with negligible performance cost, making ZKVAULT proofs extremely efficient for Solana's high-throughput environment.

For details on how compressed proofs are verified on-chain, see On-Chain Verifier.