boolafish
commented
5 years ago Leaving notes from call with @paulperegud
Notes
- This would limit venue throughput to Ethereum throughput
- To get the snark proof data, the idea is that user can decode transaction and see all inputs (call data)
- Instead of saving hash, we can probably do anything cheaper as long as it requires venue to sign the transaction. What we really need is to prove the connection of venue to the transaction. We don't want random people calling this and accidentally use that as proof.
- Instead of putting data in Root chain, it might be possible to use child chain instead. This might still fulfill the requirement of "restricted custody" which as long as one of child chain or exchange is not rogue then it is fine. However, this would need further analysis to check is this option secure enough.
Gas Cost breakdown
(200 60) + (30 + 6 7) + 20000 + 21000 ~= 53k.
200: size of snark, 60: average gas cost per byte (probably better change to 68) (30 + 6*7): hash gas cost (30 basic cost + 6 gas per word/32 byte) 20000: saving hash 21000: basic transaction cost
whoisjeremylam
Cheapest validation of zkSNARK proof on Ethereum network costs 600k gas. We can go cheaper by moving validation of the snark off-chain - to all of the participants. This, however, creates a problem of data availability. If trader claims that venue has not delivered the proof, has venue failed? Or is trader lying?
We solve this problem by requiring the venue to commit to snark proof data on chain. Contract will take proof as call data, will compute its hash and will save the hash. Everyone else will be able to take the call data and verify the snark on their own. If snark is incorrect, anyone can execute it on Ethereum, proving that venue has failed. How much does that costs? (200 60) + (30 + 6 7) + 20000 + 21000 ~= 53k. Plus the costs of public inputs of the snark. This design creates a 'verifiers dillema', but cost of downloading and verifying a snark is extremely low, so it is not a real concern.