LighterLighter

Description

Lighter prover is a zk proving system for Lighter L2 based on Plonky2 circuits. It verifies the logic for regular state transition of Lighter L2, as well as state transitions in the “desert mode” when L2 is shut down and users exit, using different sets of circuits. The circuits are proven with a STARK which is wrapped into a Plonk SNARK before settling onchain.

Proof system

Plonky2 implements a circuit aritmetization based on TurboPlonk over Goldilocks field, but it replaces KZG polynomial commitment scheme with a FRI-based polynomial testing scheme. In this way proving Plonky2 circuits requires no trusted setup, i.e. it is a STARK.

However Lighter wraps these STARK in a gnark implementation of Plonk over BN254 curve, which requires a trusted setup.

Circuits

The proof system operates on Lighter STF circuits and desert mode circuits. All published circuits are available here, note that the Lighter team has not published the desert circuits yet.

Lighter proof system defines circuits for proving all transactions, including internal, L1 and L2 transactions. The full list of available transactions that define Lighter STF can be seen here.

Transaction circuits use custom implementations for arithmetic operations (bigint, uint), cryptographic primitives (ecdsa on the Secp256k1 curve, eddsa on the ECgFp5 curve, keccak, poseidon_bn128) and other helper circuits.

Recursion

Lighter prover implements recursive aggregation of transaction proofs to make the whole pipeline more efficient and parallelizable. First, fixed-size blocks of consecutive transactions are processed and proven by BlockTx circuit, which can be done on separate machines. Next, arbitrary number of BlockTx proofs are aggregated into a single proof by BlockTxChain circuit, which includes continuity checks across all BlockTx proofs.