The costs are calculated using the opcode costs set by [update However we expect significant cost reduction once the potential optimisations mentioned in the next section are considered.

Compared to the Circomlib implementation, we note an additional benefit: the use of `EVM384` opcodes, which pack multiple parameters (memory offsets) into a single stack item, greatly improves readability of the () by removing the need for stack manipulation.

For a fair comparison of gas savings within Tornado Cash we must clarify a few details. This implementation uses a slightly modified EVM384-v7 with smaller offsets, to save on code size, among other reasons.

**Table 1.** The cost of a single call to MiMC's cipher.

Additionally a significant portion of the EVM overhead comes from stack manipulation using `DUP/SWAP` to keep parameters in the correct ordering for the current and subsequent round. The EVM bytecode is produced by a Javascript ().

A look at the () shows a reliance on `ADDMOD`/`MULMOD` which are priced according to a generic algorithm. The implementation of MiMC used by Tornado Cash is in Iden3's Circomlib library. According to (), this greatly dominates the cost of deposits (1,088,354 gas), which are ~3x more expensive than withdrawals from the system. A notable use-case is in decentralized coin-mixers such as Tornado Cash where the MiMC cipher is currently invoked 40 times per deposit. MiMC is a snark-friendly hash function that has seen considerable use on Ethereum. Limitations of the EVM384 spec discovered as a result of this work are also discussed.

**TLDR** This post presents potential cost reductions for on-chain computation of the MiMC hash function implemented using opcodes.