1 of 35

Mobile Proving

oskarth

2 of 35

About me

oskarth.com

  • Independent Researcher
  • Previously: Founded Vac Research and created Waku
    • Waku: p2p messaging protocol, spiritual successor to Whisper
    • Using RLN for spam protection in p2p network
    • Recently worked on folding schemes (Nova ZK-VM, HyperNova PoC)
  • Current focus
    • Writing about ZK at zkintro.com
    • Mobile proving: Mopro (focus of this talk)

3 of 35

(i) We want to make proofs on mobile. (ii) Mopro is a toolkit for making proving on mobile simple (and fast). (iii) Let’s make ZKP on mobile great together.

TLDR

4 of 35

We want to make proofs on mobile

5 of 35

For ZKPs to gain widespread adoption, they need to be able to run anywhere prospective users expect them to.

WHY CLIENT-SIDE PROVING?

6 of 35

Zuzalu

Zupass crypto-native identity



7 of 35

Aadhaar

Anon-aadhaar real-world identity

8 of 35

Social graphs, private finances

Mind your own business

9 of 35

Client-side proving

What do we want?

  • Trust-minimized: User should generate claim
  • Accessible: Most users on a mobile phone
  • Robust: KISS, should just work
  • Adoption: Support large groups (and anonymity sets)
  • Speed: For big circuits like ECDSA and RSA verify
  • Developer-friendly: Easy for developers to write apps

10 of 35

What about browsers?

Why bother with native?

  • Security: OS-level security, reduced attack surface
  • Performance: native performance, hardware acceleration
  • Affordances: Better integration with phone, more native experience
  • Tradeoffs: Browser no need for app, potential censorship, complex

11 of 35

mopro is a toolkit for making proving on mobile simple (and fast)

12 of 35

What is mopro?

Toolkit for making proving on mobile simple

  • Set of libraries: mopro-core, mopro-ffi, mopro-ios
  • Goals
    • Modularity
    • Developer-friendly
    • Performance
    • Multi-platform

13 of 35

Architecture

How does it work?

14 of 35

Circom circuit

Most widely used DSL for client-side proving

15 of 35

mopro-core

Core Rust library

  • core: Multiple adapters/middleware
    • First one is circom, but trivial to add new ones (Halo2, Nova, etc)
  • Circom: Use circom-compat to load Circom circuit
    • .wasm/.dylib and .zkey file
    • .wasm/.dylib used for witness calculation with wasmer
    • Proving done natively with ark-groth16
  • Rust native APIs for init/prove/verify, dealing with inputs, serialization

16 of 35

mopro-ffi

Talking across language barriers

  • Responsible for bridging between Rust and Swift/Kotlin/Python/JS etc
  • Wraps Rust native API and deals with lowering/lifting
  • Uses UniFFI to generate bindings for common languages
  • First focus is on iOS and Swift
    • Easy to add Kotlin and Android; React Native via native modules

17 of 35

UniFFI

How do we build complex cross-platform applications?

18 of 35

Developer Experience

How do we make life easy for developers?

19 of 35

iOS examples

Keccak256 (~150k constraints) on iPhone 14

20 of 35

User?

No patience for your shenanigans

21 of 35

Response Times: The 3 Important Limits

Now that I have your attention

  • 0.1 second: reacting instantaneously
  • 1.0 second: not interrupting user's flow of thought
  • 10 seconds: keeping the user's attention

22 of 35

What about developers?

Developers are human too

  • Can only focus on so much at a time
  • UX, App development, Swift libraries, architectures/linking, Rust, ZK, circuits, proving systems, infra...
  • Requires a lot of people, and doing this takes away from focusing on "business problem"
  • With mopro, we split this up and create tooling to allow developers to focus on their area of expertise

23 of 35

Zooming out again

Make your life as app developer easy

24 of 35

Modularity

Platforms, proof systems and public goods

  • Platforms: Adding support for e.g. Kotlin or Python trivial
  • Proof systems: Adding new proof systems also easy
  • Tooling similar: FFI, serialization, linking, packaging, platform-specific stuff
  • Rust core: Schelling point for ZKP; fast, secure, flexible, developers
  • Built as a public good, not tied to any specific project or business
    • Thanks PSE and 0xPARC for grant!

25 of 35

Where are we now?

zkHack this weekend

  • pocket-aadhaar: ZK Identity for 1B+ users in your pocket
    • RSA verify signed PDF document
    • Portable: JS SDK; used through Webview, native prover
    • DevEx: Yanis from PSE onboarded and dangerous in a weekend
  • pocket-kimchi (bonus project)
    • Accidentally adding Kimchi proof system on mobile in a few hours

26 of 35

pocket-aadhaar

ZK Identity for 1B+ users in your pocket

27 of 35

How fast is it?

On an iPhone 14 Max Pro

  • Keccak256 (150k constraints): 1.5s
    • ~x10-20 faster vs comparable circuit in browser
  • anon-aadhaar / RSA Verify: ~6.5s
    • ~5s for witness generation (still in WASM), ~2s prover time
    • 80% of time on witness generation
    • ~x10 faster vs browser on phone
  • Bottlenecks: loading zkey and wasm witness generation

28 of 35

Briefly on bottlenecks

zkey and witness generation

  • zkey: Loading SnarkJS zkey very slow (large circuits: more than a minute)
    • Converting to Arkworks proving key and matrices for prover
    • Sped up by x10 with custom arkzkey format to ~10s; also 50% file size
    • Load at startup in background; not intrinsic and can do more
  • Witness generation: Still in WASM (80% of full proving time)
    • Moving to native big win
    • Shoutout to Philipp and Remco; expect x10 perf gain
    • Also simplifies distribution (no more dylib)
  • With these two fixed we’ll get to 2-3s proving time for e.g. anon-aadhaar

29 of 35

Let’s make ZK on mobile great together

30 of 35

Where are we going?

There’s work ahead of us

  • Improve API and DevEx
    • More robust API and better docs
    • Minimize time to get started and simplify process
  • Performance
    • Bottlenecks mentioned
    • GPU experimentation
  • More platforms
    • Android support, React Native native modules
  • More proof systems and middleware
    • Halo2, Nova/Folding Schemes, Noir?…

31 of 35

How can you help?

Three ways

  • Developing circuits?
    • Try it out and provide feedback!
  • Developing proof systems?
    • Make it easy to consume from mobile
    • Native clean Rust API; no subprocess; support serialization; small lib size
    • Constant/low memory usage, GPU-friendly (MSMs)
  • Excited about bringing ZKPs to mobile?
    • Help us build this tool!
    • Lots of things to do, see Github issues
  • Come talk to me!

32 of 35

Acknowledgements

We are just getting started

  • Vivian from PSE (Unirep) helping build mopro and improving DevEx
  • Yanis from PSE (anon-aadhaar) building pocket-aadhaar at zkHack
  • Phil and Remco from Worldcoin for some great Rust code + some help
  • Aaryamann and Vac for continuing to build Zerokit and RLN on mobile
  • PSE and 0xPARC for grant and support

33 of 35

Recap

In case you forgot what we were talking about

  • We want to make proofs on mobile
  • mopro is a toolkit for making proving on mobile simple (and fast)
  • Let's make ZK on mobile great together

34 of 35

The future is ZK. The future is mobile. The future is now.

35 of 35

Thank you

Q&A

  • mopro: github.com/mopro (QR1) / t.me/zkmopro (QR2)
  • oskarth.com / @oskarth