AZTEC and its users face a number of problems, one of which is the expense of elliptic curve cryptography on Ethereum. AZTEC uses elliptic curve cryptography extensively; it is the foundation of the protocol, and the private transactions that AZTEC makes possible are expressed in elliptic curve arithmetic. Unfortunately, that is an expensive language to speak on Ethereum. Every transaction processed by the Ethereum protocol carries a gas cost that is proportional to how long the transaction takes to execute, which makes smart contracts that validate zero-knowledge proofs costly to run.
To counteract this, the Ethereum protocol provides a small number of precompiled ‘smart contracts’ that execute elliptic curve arithmetic. These are not smart contracts in the conventional sense: when one is called, the Ethereum node executing the transaction runs a hard-coded algorithm. Because these algorithms are compiled to native machine code, they are significantly faster than interpreting a program expressed as opcodes for the Ethereum Virtual Machine (EVM).
The gas cost of these precompiles is more than an order of magnitude lower than that of an equivalent implementation of their logic as a standard smart contract. Even so, validating zero-knowledge cryptography within an Ethereum smart contract remains an expensive proposition, and that is a problem. AZTEC is developing an EIP that will reduce the gas cost of these precompiles, but how can the expense be reduced without a protocol upgrade? This is where Weierstrudel comes into play.
What Exactly Is Weierstrudel?
Weierstrudel is a smart contract that performs elliptic curve scalar multiplication on the short Weierstrass curve y² = x³ + 3, the same curve used by the precompile and by AZTEC. More specifically, it performs repeated scalar multiplication. The precompile only multiplies one point by one scalar per call, so if you need many multiplications you have to perform them one at a time.
Weierstrudel is a high-performance smart contract that performs elliptic curve scalar multiplication on the short Weierstrass 254-bit Barreto-Naehrig curve. This is the curve formerly used by ZCash and the one exposed by the precompile that the AZTEC protocol relies on. The contract multiplies up to 15 elliptic curve points by up to 15 distinct scalars.
Under Ethereum’s current gas schedule, a call to the scalar multiplication precompile costs 40,000 gas. For multiplying more than one point, Weierstrudel is considerably more efficient than the precompile. The entire Weierstrudel program is written in Huff, a low-level domain-specific language that compiles to opcodes for the Ethereum Virtual Machine.
The Cost & Efficiency Of Weierstrudel
Weierstrudel is marginally more expensive when applied to a single elliptic curve point. But who needs to multiply only a single, insignificant point? Not the AZTEC protocol, that much is certain. Weierstrudel becomes considerably more efficient when multiple points are multiplied, around 45% more efficient at the extreme.
Weierstrudel delivers savings of 15 to 40% for typical use cases. Once completed, it should cut the gas costs of AZTEC’s smart contract verifiers by 15 to 20%. Obviously, certain restrictions apply: the algorithm requires additional development and testing before it is ready for prime time, and a few more optimizations remain to be made.
It is also limited to 15 points; any more would cause the method to exceed the EVM’s maximum stack depth. You must additionally send 1 wei to the smart contract if you do not want it to throw an error. There is a reason for this: the method needs the integer 1 roughly 500 times per execution, and the callvalue opcode costs 1 gas less than push1(0x01). Weierstrudel is also handy for zk-SNARK verifiers, despite the fact that zk-SNARK gas costs are more heavily weighted toward bilinear pairings, which this thing does not do…yet.
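To make concrete why multiplying many points at once is cheaper than one precompile call per point, here is an added Python example that is not part of the original post and not Weierstrudel’s own Huff code. It implements affine arithmetic on y² = x³ + 3 over the BN254 base field (the public curve constants P_MOD, N_ORD and the generator (1, 2)), a plain double-and-add scalar multiplication standing in for what the ecMul precompile does, and a multi-scalar multiplication using the Straus/Shamir trick, in which all points share a single doubling chain. Counting curve operations shows the doublings collapse from roughly 254 per point to roughly 254 in total while the number of additions stays the same. Weierstrudel’s real algorithm, coordinate system and precomputation are not reproduced here; the sample points and scalars are constructed from a seeded random generator.

```python
import random

# BN254 / alt_bn128: short Weierstrass curve y^2 = x^3 + 3 over F_p, the curve behind
# Ethereum's ecAdd/ecMul precompiles. These are the public curve constants.
P_MOD = 21888242871839275222246405745257275088696311157297823662689037894645226208583
N_ORD = 21888242871839275222246405745257275088548364400416034343698204186575808495617
G1 = (1, 2)  # generator of the G1 group; 2^2 == 1^3 + 3


def inv(a):
    """Modular inverse in F_p (Python 3.8+ pow with exponent -1)."""
    return pow(a % P_MOD, -1, P_MOD)


def on_curve(pt):
    """True for the point at infinity (None) or any (x, y) satisfying the curve equation."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - x * x * x - 3) % P_MOD == 0


def new_ops():
    """Operation counter: number of curve doublings and distinct-point additions."""
    return {"dbl": 0, "add": 0}


def ec_add(p1, p2, ops=None):
    """Affine point addition; None is the point at infinity. Counts into `ops` if given."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P_MOD == 0:
            return None  # P + (-P) = infinity
        if ops is not None:
            ops["dbl"] += 1
        lam = 3 * x1 * x1 * inv(2 * y1) % P_MOD  # tangent slope; a = 0 on this curve
    else:
        if ops is not None:
            ops["add"] += 1
        lam = (y2 - y1) * inv(x2 - x1) % P_MOD  # chord slope
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def ec_mul(pt, k, ops=None):
    """Single scalar multiplication by left-to-right double-and-add (one ecMul call)."""
    acc = None
    for bit in bin(k % N_ORD)[2:]:
        acc = ec_add(acc, acc, ops)
        if bit == "1":
            acc = ec_add(acc, pt, ops)
    return acc


def msm_separate(points, scalars, ops=None):
    """Baseline: one ecMul per point, then fold the results together with ecAdd."""
    total = None
    for pt, k in zip(points, scalars):
        total = ec_add(total, ec_mul(pt, k, ops), ops)
    return total


def msm_interleaved(points, scalars, ops=None):
    """Straus/Shamir trick: one shared doubling chain, each point added in at its set bits."""
    ks = [k % N_ORD for k in scalars]
    width = max(k.bit_length() for k in ks)
    acc = None
    for i in range(width - 1, -1, -1):
        acc = ec_add(acc, acc, ops)
        for pt, k in zip(points, ks):
            if (k >> i) & 1:
                acc = ec_add(acc, pt, ops)
    return acc


def compare_op_counts(n=15, seed=1):
    """Constructed demo: n random points and n scalars, counting curve ops both ways."""
    rng = random.Random(seed)
    points = [ec_mul(G1, rng.randrange(1, N_ORD)) for _ in range(n)]
    scalars = [rng.randrange(1, N_ORD) for _ in range(n)]
    ops_sep, ops_int = new_ops(), new_ops()
    r_sep = msm_separate(points, scalars, ops_sep)
    r_int = msm_interleaved(points, scalars, ops_int)
    return {"separate": ops_sep, "interleaved": ops_int, "same_result": r_sep == r_int}


if __name__ == "__main__":
    print(compare_op_counts())
```

With 15 points the separate path performs about 15 times as many doublings as the interleaved path while the addition counts coincide, which is the structural reason a batched contract can undercut repeated precompile calls; Weierstrudel adds further tricks on top of this basic idea.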
Optimized EVM Assembly Programming With Huff
Huff is the language mentioned above. Programs are built from composable macros that contain EVM assembly and invocations of other macros. It also allows a rudimentary form of templating, in which macro invocations receive template parameters that are themselves macros. This lets complex algorithms be decomposed into macros that can then be tested extensively in isolation.
However, it lacks variables, functions, and around 90% of the syntactic sugar of higher-level languages. Still, it may be useful for those who wish to build highly efficient EVM code, albeit at the cost of making your development experience resemble an Edvard Munch painting.
The Way Forward
Essentially, that’s it. If you are interested in viewing a deployed version of Weierstrudel, look for one on Ropsten. Because it uses the bit shift opcodes, the main network must first fork to Constantinople before it can function there. Weierstrudel is open-source software released under the LGPL-3.0 license, so you are free to use it in your own projects if you so choose. However, AZTEC would advise caution until it has fully validated Weierstrudel’s Huff macros.