TL;DR

The proof generation for a privacy-preserving zk-rollup differs a lot from that of a general-purpose zk-rollup. The reason for this is that there is specific data in a given transaction (processed by private functions) that we want to stay completely private. In this article, we explore the client-side proof generation used for proving private functions’ correct execution and explain how it differs from proof generation in general-purpose rollups.

Contents

• What proofs are and how they work in general-purpose zk-rollups
• How proofs work in Aztec
• Proving functions’ correct execution
• For public functions: rollup-side proof generation
• For private functions: client-side proof generation
• An example proof
• How client-side proof generation decreases memory requirements
• Appendix: other details of client-side proof generation.
• Summary

What proofs are and how they work in general-purpose zk-rollups

Disclaimer: If you’re closely familiar with how zk-rollups work, feel free to skip this section.

Before we dive into proofs on Aztec, specifically the privacy-first nature of Aztec’s zk-rollup, let’s recap how proofs work on general-purpose zk-rollups.

When a stateful blockchain executes transactions, it conducts a state transition. If the state of the network was originally A, then a set of transactions (a block) is executed on the network, the state of the network is now B.

Rollups are stateful blockchains as well. They use proofs to ensure that the state transition was executed correctly. The proof is generated and verified for every block. All proofs are posted on L1, and anyone can re-verify them to ensure that the state transition was done correctly.

For a general-purpose zk-rollup, proof generation is very straightforward, as all data is public. Both the sequencer and the prover see all the transaction data, public states are public, and the data necessary to reconstruct each state transition is posted on L1.

How proofs work in Aztec

Aztec’s zk-rollups are a different story. As we mentioned in the previous article, in the Aztec network, there are two types of state: public and private.

Aztec smart contracts (written in Noir) are composed of two types of functions: private and public.

• Private functions – user-owned state, client-side proof generation
• Public functions – global/public state, rollup-side proof generation

For both of these, we need proof of correct execution. However, as the anatomy of private and public functions is pretty different, their proof generation is pretty different too.

‍As a brief overview of how Aztec smart contracts are executed: first, all private functions are executed and then all public functions are executed.

However, diving into the anatomy of Aztec smart contracts is outside the scope of this piece. To learn more about it, check the previous article.

Here, we will focus on the correct proof generation execution of private functions and why it is a crucial element of a privacy-first zk-rollup.

The concepts of private state and private functions in blockchain might seem a little unusual. The following map describes the path of this article, where we will shed some light on the difference between how proofs work for private and public states respectively.

Proving functions’ correct execution

For public functions: rollup-side proof generation

Let’s start by looking at public function execution, as it is more similar to other general-purpose zk-rollups.

Public state is the global state available to everyone. The sequencer executes public functions, while the prover generates the correct execution proof. In particular, the last step means that the function (written in Noir) is compiled in a specific type of program representation, which is then evaluated by a virtual machine (VM) circuit. Evaluated means that it will execute the set of instructions one by one, resulting in either a proof of correct execution or failure. The rollup-side prover can handle heavy computation as it is run on powerful hardware (i.e. not a smartphone or a computer browser as in the client-side case).

For private functions: client-side proof generation

Private state on the other hand is owned by users. When generating proof of a private transaction's correct execution, we want all data to stay private. It means we can’t have a third-party prover (as in the case of public state) because data would be subsequently exposed to the prover and thus no longer be private.

‍In the case of a private transaction, the transaction owner (the only one who is aware of the transaction data) should generate the proof on their own. That is, the proof of a private transaction's correct execution has to be generated client-side.

That means that every Aztec network user should be able to generate a proof on their smartphone or laptop browser. Furthermore, as an Aztec smart contract might be composed of a number of private functions, every Aztec network user should be able to generate a number of proofs (one proof for each private function).

On the rollup side, block proofs are generated using ZK-VM (ZK virtual machine). On the private side, there is no VM.

Instead, each private function is compiled into a static circuit on its own.

When we say “a circuit”, we’re referring to a table with some precomputed values filled in. This table describes the sequence of instructions (like MUL and ADD) to be executed during a particular run of the code.

There are a bunch of predefined relations between the rows and columns of the table, for example, copy constraints that state that the values of a number of wires are expected to be the same.

Let’s take a look at a quick example:

In the diagram above, we have two gates, Gate 1 (+) and Gate 2 (x). As we can see, z is both the output of Gate 1 (denoted as w3, wire 3) and the left input to Gate 2 (denoted as w4, wire 4). So, we need to ensure that the value of the output of Gate 1 is the same as the value of the left input of Gate 2. That is, that w3 = w4. That’s exactly what we call “checking copy constraints”.

When we say that the verifier verifies the circuit, we mean it checks that these predefined relations hold for all rows and columns.

An example proof

Disclaimer: the following example reflects the general logic in a simplified way. The real functions are much more complex.

Assume we have a function a²+b²=c². The goal is to prove that equality holds for specific inputs and outputs. Assume a = 3, b = 4, c = 5.

As a piece of code, we can represent the function as the following:

When the function is executed, the result of each step is written down in a table. When this table is filled with the results of the specific function execution on specific values, it’s called an execution trace.

This is just a fragment of the table, with values and opcode names. However, to instruct the computer about which operation should be executed in which specific row, the opcode name is not enough; we need selectors.

Selectors are gates that refer to toggling operations (like an on/off switch). In our example, we will use a simplified Plonk equation with two selectors: q_ADD for the addition gate and q_MUL for the multiplication gate. The simplified Plonk equation is: q_MUL(a*b)+q_ADD(a+b)-c=0.

Turning them on and off, that is, assigning values 1 and 0, the equation will transform into different operations. For example, to perform the addition of a and b, we put q_ADD= 1, q_MUL=0, so the equation is a+b-c =0.

So, for each performed operation, we also store in the table its selectors:

How client-side proof generation decrease memory requirements

In the case of private functions, as each function is compiled into a static circuit, all the required selectors are put into the table in advance. In particular, when the smart contract function is compiled, it outputs a verification key containing a set of selectors.

In the case of a smart contract, the circuit is orders of magnitude larger as it contains more columns with selectors for public function execution. Furthermore, there are more relation checks to be done. For example, one needs to check that the smart contract bytecode really does what it is expected to do (that is, that the turned selectors are turned according to the provided bytecode commitment).

As a mental model, you can think about a smart contract circuit as a table where 50 out of 70 columns are reserved for the selectors' lookup table. Storing the entire table requires a lot of memory.

Now you see the difference between circuit size for client-side and rollup-side proof generation: on the client-side, circuits are much smaller with lower memory and compute requirements. This is one of the key reasons why the proofs of private functions' correct execution can be generated on users’ devices.

Appendix: other details of client-side proof generation

• To further decrease memory and computation requirements for the prover, we use a specific proving system, Honk, which is a highly optimized Plonk developed by Aztec Labs. Honk is a combination of Plonk-ish arithmetization, the sum-check protocol (which has some nice memory tricks), and a multilinear polynomial commitment scheme.
• Some gadgets that may be added to Honk to make it even more efficiet include Goblin Plonk, a specific type of recursion developed by Aztec Labs, and ProtoGalaxy, developed by Liam Eagen and Ariel Gabizon.
• Goblin Plonk allows a resource-constrained prover to construct a zk-snark with multiple layers of recursion. That perfectly fits the case of client-side proof generation, where a proof of each private function in a smart contract is an additional layer of the recursion. The trick is that expensive operations (such as Elliptic Curve operations) at each recursion layer are postponed to the last step instead of being executed at each. The recursion ends in one single proof for all the private functions in a smart contract.
• This proof is then verified by the rollup circuit. The recursive verification of this proof is pretty resource intensive. However, as it is performed rollup-side, it has enough computation and memory resources.
• ProtoGalaxy is a folding scheme that optimizes the recursive verifier work. It allows for folding multiple instances in one step, decreasing the verifier’s work in each folding step to a constant.
• Diving into Honk and its optimizations is outside the scope of this article, but we promise to cover it soon in upcoming pieces.

Summary

Client-side proof generation is a pretty novel approach for the blockchain domain. However, for privacy-preserving solutions, it is an absolute must-have. Aztec Labs has spent years developing the protocol and cryptography architecture that make client-side proof generation performance feasible for the production stage.

You can help build it further.

• Build with the Aztec Sandbox: A local developer testnet of Aztec’s privacy-first L2 on Ethereum
• Build with Noir: A privacy programming language developed by Aztec Labs
• Join the Aztec Labs team – we’re hiring on our cryptography, growth, and operations teams

The following is written by Zac Williamson, with inspiration and advice from Arnaud Schenk.

My fellow companions, my decentralized brothers and sisters. I wish to tell you a story, about complicated people and their struggles to resolve the wreckage of their contradictions. It is a story of humanity.

We are at a unique point in history and stand at the threshold of two worlds. One world is a propagation of our present, a status quo antebellum with all of its associated joys and sorrows.

There is another door, one hidden from view except for those with the sight to see it. You and I are here because we see a unique vision of the future, one of high technology and high ideals, that advance human beings from their status as a commodity resource in a globalized world, to free actors imbued with autonomy and purpose, who bow to no one.

I want to articulate this vision and examine the forces that drive us. Despite our successes and dedication it is clear that our current achievements fall short of our aspirations. We must reconcile this.

Bitcoin is not yet a credible threat to traditional currencies. Paying for goods and services with cryptocurrency is a niche luxury for the technologically well-connected. Decentralized autonomous organizations (DAOs) are yet to govern anything that is not a cryptocurrency project. A notable exception was ConstitutionDAO, which immediately failed in its goals due to the intrinsic limitations of trustless blockchain networks.

There are missing pieces in the technological armaments we have fashioned. I want to show you the missing pieces. I want to go back to the roots: what are the systems and frameworks we want to disrupt? Which properties do blockchain networks need for us to forge a conspiracy against the present, and fight for our vision of the future?

Control Factions

Reaching back into prehistory, humanity has been waging a war against itself – a war that pits the freedom and autonomy of individuals against the safety and control of institutions.

We want to be free. We want to be safe. This is the eternal contradiction.

To acquire safety we bind ourselves to institutions. Within these institutions, control factions form. They metastasize and act to entrench their power and influence by monopolizing human agency. This triggers inevitable conflict and revolt, which acts to reset the equilibrium.

How best we can resolve the contradiction between freedom and safety is a function of social organization, the quality of which is gated behind technological innovation.

Blockchain is one such technology. To identify what we need, we must identify the weaknesses of the institutions we seek to undermine, and tailor our strengths against them.

The competency crisis

Control factions have a fatal weakness: they reject competence.

Competent people threaten individuals within entrenched power structures. A competent subordinate is a threat to your power and privileges. This is the so-called “dictator trap”, but the mechanics at play extend to all power structures, from the boards of mega-corporations to the local residents association. But it’s not a dictator trap, it is an institution trap.

Power craves legibility and predictability and will act on these desires by exerting control – limiting agency and freedom of action.

Re-distributing institutional control

We want to undermine institutional control, and redistribute control down to smaller units of organization.

Blockchain technology enables such radical new forms of social organization that fall outside the frameworks of traditional institutions.

We possess a keystone technology that enables mass peer-to-peer coordination, initially of cryptocurrency assets but this can be generalized to anything with perceived value that can be given a digital fingerprint.

Blockchain networks have radically different incentive mechanisms to traditional modes of social organization.

Because blockchains are coordination engines. They enable individuals to coordinate on how to deploy their collective resources. This type of mass-coordination of personal resources is unique and will subtly act to profoundly re-distribute the existing power structures of the present.

Why? Blockchains weaken the fundamental value propositions of vertically integrated companies that extract a profit from information asymmetries. Individuals whose skills serve large institutions can more easily decide for themselves how best to apply their skills, without the need for the institution’s support frameworks. As a coordination engine, blockchain networks can efficiently combine the skills and capital required to execute grand ideas, as well as provide a digital market for resulting products.

A global marketplace of programmable money is one with profound information transparency. The ability of independent groups to analyze the market enables great efficiency and reduces information asymmetries. Though, does not delete them entirely.

In short, blockchain networks are pro-competency. They allow individuals to decide for themselves how their skills can best be utilized and deployed, instead of having that decided for them by a control faction. Competent people add value to the network and in doing so, provide another composable brick that others can use in their constructions. The raw incentives create a positive-sum game.

Missing pieces

What are the missing pieces?

The great difficulty in realizing our vision is the limited ability of current blockchains to reach into the real world.

We are not our online avatars. We exist in a physical space and we have physical needs that must be satisfied. We are bound to networks of obligation and responsibility that societies depend upon to maintain social order. We cannot live in an NFT.

The real world matters. Without a way of linking real-world identities to blockchains, the grand cypherpunk vision for blockchain can never be fully realized – only a neutered form of primitive electronic sovereignty.

The new information networks: composable privacy

The new information networks we are building lack a key ingredient: composable privacy.

By using novel cryptography, we can turn blockchains into encrypted ledgers where transactions hide their execution from observers. Identities can be encrypted, but still used to prove statements about the user, and without involving an additional institutional third party. e.g. “I have a U.S. passport”, “I have a digital driving license”, “I have a Twitter account with over 1,000 followers”, “I signed in with a Google account”.

The effect of this is to build trust infrastructure that allows human beings to iteratively build trust between themselves and to do so rapidly and at scale.

Programmable private blockchains stand to usher in a revolution in how distributed systems can be used. Without strong identity guarantees, the only workable governance mechanisms for distributed on-chain organizations are autocracy and plutocracy.

However, if past actions can be uniquely tied to a cryptocurrency account, it is possible to identify key stakeholders and to give them an accelerated role in governance. That enables a much more democratic architecture of governance systems.

Privacy technology is required to turn blockchains into the coordination engines they were always destined to be.

The future we are building does not outright destroy existing systems of control – it breaks them apart and replicates these systems on a smaller scale. Lower barriers to entry lead to greater competition and market fragmentation and act to limit the ability of distributed organizations to consolidate power.

Because coordination engines are pro-competency.

Privacy for the user, transparency for the protocol

There is a phrase I think we will hear much of over the coming years: privacy for the user, transparency for the protocol.

The capabilities of private programmable blockchains and the outcomes they enable are not commonly understood. A private blockchain is not one where all information and data are intrinsically hidden. They are hybrid systems where public and private data coexist. Application designers and users can choose which data is hidden.  

Efficient markets require data transparency. Data relating to identity requires data confidentiality. The solution is applications where information that relates to assets is public, and information relating to users (e.g. who owns said assets) is private.

To create a privacy-preserving ecosystem it must be possible for confidential, transparent, and hybrid applications to directly interact with one another. Privacy is not an aftermarket add-on to be bolted onto a few select applications. Full composability is essential to develop a rich ecosystem.

Composability enables trust-building networks by allowing individuals to put core aspects of themselves on-chain, disclosing it only selectively and enabling distributed protocols to use these capabilities in a composable permissionless manner, without leaking information. Who are you? What have you done? What do you want to do? With privacy, we can disclose this information to smart contracts and hide it from people. These will form core primitives of our new information networks.

I have spent the last 6 years building exactly this, through building Aztec. Crafting the missing ingredient, privacy, via cutting-edge cryptography, zero-knowledge proofs, and raw engineering.  

Values of the new information networks

Networks have values that are independent of their creators. Networks live or die on the quality of their network effects. This incentive gives network participants a shared motivation to expand the network. The more nodes that exist, the greater the value individual nodes can extract from the network. The manner in which the network changes itself to act on these motivations defines its intrinsic values.

What are the intrinsic values of permissionless programmable privacy networks like Aztec? We can derive these from the fundamental value proposition – to expose a rich ecosystem of composable, confidential applications, and to do this as a permissionless, decentralized network. This enables individuals and small groups to compete in industries dominated by large players leveraging large information asymmetries.

Such networks are, at their very core, pro-competency. If you have something useful to add to the network, you can. If you want to use existing network components in your product, go right ahead. No need to ask for permission from the network.

From this starting point we can anticipate the cycles of action and reaction that will drive networks like Aztec to adopt the following values over their lives:

• They are pro-emergence and pluralistic.
• They strongly desire individual autonomy and freedom of action.
• They are fiercely anti-elite, but not necessarily anti-elitism.
• Finally, they seek to undermine traditional frameworks of control and subjugation used to promote institutional stability.

Blockchain networks grow by harnessing the industry and enterprise of as many human souls as they can get their hands on.  

Without mechanisms of coercion to fall back on, the network must ensure a positive-sum game for network participants who add value. These also happen to be values that I believe I strongly hold. This is not a coincidence. I started in web3 seven years ago building a marketplace for corporate debt on Ethereum and by degrees ended up building a distributed programmable privacy network on Ethereum. This was not due to some grand design but, I think, the cumulative effects of seven years of following my impulses. To find a place of belonging.

This feeling is something you may share – that the frameworks and systems produced by our societies offer none of us a true sense of belonging and purpose. But here, amongst our companions, we have found belonging through building a shared vision of a radical new world.

The road ahead

There is a long road to walk to realize the ambitions of the new information networks. The technology is barely capable and challenging to build. The architecture is novel and challenging to design. Convincing people to build on radical foundations to bootstrap a market is challenging. Building competitive infrastructure and tooling is challenging.

The challenge is irrelevant. We cannot become a generation scorned by our descendants for squandering the opportunity of a lifetime.

We will build and deploy the new information networks and by degrees will learn how to use them to chip away at the inequities of the status quo, and the social order that upholds it.

Equipped with such armaments and driven by our ideals, we will pull our ideas into reality. Together, we will forge our digital Eden.

Kev Wedderburn is the father, architect, and team lead of Noir, a universal zero knowledge circuit writing language funded by Aztec Labs.

We're excited to bring you this interview and profile of the man and mystery behind the DSL creating a step-function change in the accessibility of ZK programs.

‍Alyssa: Hey Kev! Thanks so much for your time, I’d love to give readers a snapshot of your journey into web3 and Aztec Labs, as well as your focus on the Noir team.

Kev: Sure! Let’s jump in.

Alyssa: Can you start by sharing your web2 background?

Kev: Yes. I started out as a front-end developer, then moved into app development.

I built a social media site for books. Then, a janky music-sharing app that would check your playlist, then check my playlist, then if our playlists overlapped enough, it would recommend each of us songs on each other's playlist (this was before Spotify became Spotify I think).

Alyssa: How’d app development lead you to going full-time web3?

Kev: While transitioning to crypto, I made a tax app that scanned your bitcoin QR code and told you how much tax you owed.

From there, I started doing tutorial videos focused on smart contracts. I wanted to do one for a particular blockchain, and it turned out that they didn’t have a well-functioning wallet. So that’s actually what led to my entry into the web3 space. I didn’t end up finishing that tutorial, I just went on to build the wallet myself.

Alyssa: And this work led to your first formal web3 role?

Kev: Eventually, yes. While I was working on an improved wallet, I noticed the node that the original wallet was interacting with wasn’t that great either. So once the new wallet was finished, I moved on to creating a node in Golang (the wallet was also originally built in Golang).

After I finished the node, I got recruited by a privacy-focused project. And they asked me to build a node for their privacy network.

Once I dug deeper, it turned out they didn’t have a proving system. So then I started learning cryptography to implement a type of ZK proof called bulletproofs — state of the art at the time.

Alyssa: And you’ve primarily worked on privacy within web3 ever since, is that right?

Kev: Yes, I worked for several other privacy blockchains prior to Aztec, such as Monero. At Monero, I pivoted from implementing Bulletproofs to Plonk for increased proving speed, but noticed it was very challenging to program on top of Plonk.

The Plonk constraint system and proving system both have nice properties, but the UX was really bad. So Kobi Gurkan from Geometry Research, and Barry Whitehat from the Ethereum Foundation asked if I wanted to make a compiler — I guess they saw that I was pretty active within Plonk and cryptography in general.

Alyssa: Had you built one before?

Kev: At the time, I didn’t know much about compilers at all, so it was exciting to figure out what the compiler I’d build would look like, what other compilers were doing, and how to make a compiler with the safety guarantees needed for zero knowledge proofs.

That was the beginning of what we now call Noir, and I’ve been at Aztec since.

Alyssa: Wow, okay, so you’ve been with the Noir project since the beginning of Noir’s existence?

Kev: Yeah, exactly.

Alyssa: Amazing, congrats on all the progress you and the team have made. And what about getting into web3 in the first place? Was it through engineering, or your own interest in cryptocurrency? How did that look?

Kev: I first looked at Bitcoin in university, but was deterred by the codebase being challenging to read. But I wanted to learn Bitcoin and teach people about it. Back then, everything was a bit scammy. I even created a Bitcoin book…

Alyssa: Going back to Noir, how do you feel about the experience of learning the language you helped build? Is it intuitive for developers?

Kev: I can tend to over-criticize the things I do. But Noir’s in a solid place. There’s not much to really compare it to….there are other zkDSLs, but they give different guarantees for the most part. For example, Noir provides devs with a high-level language that aims not to sacrifice performance and safety, while Circom gives devs very little safety but allows them to do anything. There are pros and cons to both of these approaches.

The more control you give to a developer, the more powerful things they can do, but they can also easily make mistakes because the compiler is no longer holding your hand or stopping you from doing something potentially dangerous.

But yes, Noir is in a good place for developers to use. There’s still a lot we want to put into the language to make it comparable to common programming languages in terms of UX. But we’re well on our way.

Alyssa: And what about just being on the Aztec Labs team in general, and maybe even the Noir team within Aztec Labs? What’s that like? What do you enjoy about it?

Kev: The Aztec team is cross-functional and fluid, meaning that even though you’re on the Noir team, or the tooling team, or the engineering team, you can touch other parts of the stack. So that’s great about being at Aztec.

The fun thing about the Noir team in particular is that there are so many challenges we have yet to solve. We’ve solved quite a lot of them, but there’s still a lot we’re excited to work on like continuing to improve the UX, as I mentioned.

Alyssa: Love that answer as I know there’s a job opening on the Noir team, so someone joining can have exposure beyond understanding their specific role.

Kev: In fact, we encourage that, if you’re on tooling and you want to create something and the compiler just doesn’t seem to be fit to do what you want, feel free to start some print or tasks to modify the compiler. We’re always open to new ideas.

Alyssa: Really cool, that’s great. And what about beyond web3, any general interests or hobbies?

Kev: Generally speaking, I really like maths. I also used to sing and play guitar for quite a while, and I exercise a lot these days.

Alyssa: Thanks again for the chat, great learning a bit more about your work, Kev!

Kev: Thank you!

Get started with Noir

We think Noir has the best syntax, most modularity, and best ecosystem of any ZK language. But don't take our word for it.

Get started with Noir at noir-lang.org.

Aztec achieves Noir alignment

Today Aztec Labs is proud to announce that Aztec’s core circuits have been rewritten in Noir.

Aztec’s core circuits were previously written in C++. The circuits spanning private execution, public execution, and proof recursion are now in Noir. We didn’t undertake this decision lightly, but we made the call based on a single fact:

Writing circuits in Noir is simply better.

It was always our goal to achieve Aztec-Noir alignment, unifying our cryptography stack and making our code safer, simpler, and easier to audit.

We’re there now, in the era of unabashed Noir maximalism.

💻 You can find the open Noir circuit repos here.

The Noir circuits are merged and passing Aztec’s stringent protocol test suite–huge achievement for Noir as a language.

Why Noir at all? Why a DSL?

Writing your code in a domain-specific language (DSL) does not make it safer than writing it in a library.This may not be apparent – a DSL is just a language made for a specific problem. One could create a DSL that makes writing circuits easier, but does not improve on performance. One could even create one that makes writing circuits harder, but it’s very performant. Noir makes writing circuits easier and safer than our cpp library with little sacrifice to performance.

As a startup you want to be able to write code fast, but also safely. If you take too long to ship, you may just die. If you write code that is unsafe or brittle, you may lose the trust of your target audience.

We could say that all developers need to do better. Skill issue. However, this approach doesn’t scale beyond. Developers love to write smart, elegant, clever code, i.e. code that’s subject to bugs. In Noir, you need to opt into writing unsafe code.

The Barretenberg C++ Library

So what’s wrong with using Barretenberg as a C++ library?

Nothing.

In fact, a library inherits a lot of adoption from its host language; a Solidity library can be picked up quickly by Solidity developers, for example.

Aztec’s constraint system library is written in C++, and while this allows developers to do anything they want, it also allows developers to do anything they want.

Developers need to be aware of quirks with C++ whenever they use Barretenberg. This can lead to subtle bugs due to the inherent compounding of quirks specific to C++ and quirks specific to the library. In other words, more gotchas or footguns.

Library writers also need to be careful because in some places they are reasoning about constraints. In other places, they are reasoning about unconstrained code or non-constraint system code.

The overarching problem here is that in order to write safe circuits, you need to be able to write C++ code and also be a good circuit writer. These are two different skill sets that Noir reduces to one because Noir is specifically designed as a circuit writing language.

Making the Switch

In March, a team of cryptography engineers developed Aztec’s core cryptography circuits under the guidance of Aztec Labs CEO Zac Williamson. Developing in C++ required significant onboarding and technical overhead, including:

• Developing an embedded C++ DSL
• Dealing with the quirks of C++ plus the quirks of our embedded DSL
• Creating a Frankenstein workflow of CMake and custom build scripts

In the meantime, the Noir team has built a comprehensive toolchain that makes ZK development significantly smoother:

• Syntactic simplicity makes code easier to reason about
• Nargo provides convenient package management
• One-line CLI improves testing

In addition to developer tooling like performance profiling, syntax highlighting, and auto-formatting.

With Noir, we built the fast and safe DevEx we wanted for ourselves, resulting in a full rewrite of all Aztec core circuits from C++ to Noir in less than a month of three engineers’ time.

Here’s a side-by-side code snippet comparison of our private kernelbase rollup circuit in C++ and Noir, highlighting the legibility and simplicity of Noir.

C++:

Noir:

Why did we switch?

• Contributors: developers no longer need to know C++ to write circuits, meaning the number of developers who can now contribute to Aztec’s core circuits has doubled or tripled overnight
• Tooling: Noir tooling only needs to cater to writing circuits, whereas Barretenberg Library tooling will always take into consideration what is written in C++
• Stack integration: contracts on the Aztec network are also written in Noir, leading to tighter integration
• Better optimizations: updates to Noir include new applications that are immediately applied to existing code

Noir Ecosystem

Finally, Aztec Labs gets to more fully participate in Noir’s vibrant ecosystem.

The community continues to develop new tooling that improves code analysis. Developers building in the Noir ecosystem and discovering bugs continuously battle-test the compiler. And Aztec is now fully aligned with the many developers building applications and protocols on Noir.

We too would like to share in the fruits of the Noir community.

Noir maximalism is open-source maximalism.

Build with us toward production

While Noir is still Beta software and isn’t fully production-ready until it is audited, the language is progressing towards an implementation freeze by the first half of 2024, and a completed audit by the back half of the year.

🏗️ Start building with Noir at noir-lang.org.

Next stop: insane crypto

In addition to basic optimizations required for the kernel circuit to run on low-powered mobile devices, we intend on integrating Noir with the arsenal of novel cryptography in our development pipeline:

• Honk: our next-generation proving system
• Protogalaxy: super-fast folding
• Goblin Honk: super-fast recursion
• Super low-memory proving

Building Aztec in Noir has been a long time coming.

As a result of adapting our core circuits to Noir, testing a wide array of features, and having Noir code pass extensive test suites, we have dramatically more confidence in its stability.

The collaborative approach between our internal Aztec and Noir teams demonstrates a commitment to advancing the capabilities of zero-knowledge proof technologies in an integrated fashion.

Improving Noir now improves Aztec.

Now is the time to Noir

The truth of the matter is: you cannot escape potentially dangerous code.

You can still write unsafe code in Noir.

You can only move the responsibility of writing dangerous code to folks who are least likely to make a mistake. And with Noir, you make it Aztec Labs engineers’ responsibility to write compiler code and optimizations. And with our stack, we make it the cryptographers’ responsibility to write absolutely unhinged cryptographic proving systems.

You are free to rebuild all of this yourself in C++. But Noir makes it so you don’t need to.

Where we cannot help you is unsafe business logic. If your application was meant to choose a random number between 1 and 10 and it instead chooses a random number between 0 and 1, then that’s on you.

But that’s as it should be! That’s the sort of code that you should be responsible for, and Noir aims to make it such that that’s the only thing you are responsible for.

If that sounds good to you, you might consider making the switch, as we have.

⭐ Get started with Noir today at noir-lang.org.