Zcash Sapling Update brings BLS12-381, new multi-exponentiation algorithm and more

Zcash Sapling Update

The new Zcash Sapling update is here and is being touted as the next major protocol upgrade. It brings a slew of improvements to the performance, security and usability of Zcash’s shielded transactions. In this update the BLS12-381 curve is being implemented as an upgrade to Zcash’s current elliptic curve. The new curve targets 128-bit security using the more conservative recommendations suggested by several recent papers.

In the paper, they say that the Zcash developers have made available a Rust-language implementation of this BLS12-381 curve. It brings strong memory-safety guarantees, as it does not use any unsafe{} code or assembly optimizations. Despite being a larger curve, this new implementation is more efficient than the implementation of BN254 that Zcash currently uses.

Also new in this update is the multi-exponentiation algorithm, replacing the libsnark implementation of the Bos-Coster algorithm they have been using.

libsnark has recently implemented a variant of Pippenger’s algorithm which splits the multi-exponentiation into bitwise regions of the exponent, accumulating bases into buckets and performing summation by parts. This algorithm is not only more efficient than Bos-Coster, but also very convenient in the context of streamed proving. With this algorithm, the prover can avoid loading the whole proving key into memory before constructing a proof, which is a primary source of memory usage in the system.
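To make the bucket method concrete, here is an added Rust example (it is not Zcash's or libsnark's code) that implements Pippenger-style multi-exponentiation over a toy group: the multiplicative group of integers modulo the prime 1_000_000_007 stands in for BLS12-381 points, so "multiply" here plays the role of point addition. The window width `c`, the helper names, and the sample bases and exponents are all constructed for this illustration. The streaming structure is the point: each (base, exponent) pair is read exactly once and folded into one bucket per window, so only the bucket tables stay resident, mirroring how a streamed prover avoids holding the whole proving key in memory.

```rust
// Toy group: the multiplicative group of integers modulo P (constructed stand-in
// for BLS12-381). All arithmetic is mod P; u128 intermediates avoid overflow.
const P: u64 = 1_000_000_007;

fn mul(a: u64, b: u64) -> u64 {
    ((a as u128 * b as u128) % P as u128) as u64
}

/// Square-and-multiply exponentiation, used only by the naive reference.
fn pow(mut base: u64, mut exp: u64) -> u64 {
    let mut acc = 1u64;
    base %= P;
    while exp > 0 {
        if exp & 1 == 1 {
            acc = mul(acc, base);
        }
        base = mul(base, base);
        exp >>= 1;
    }
    acc
}

/// Reference: prod_i g_i^{e_i}, one full exponentiation per base.
fn multiexp_naive(bases: &[u64], exps: &[u64]) -> u64 {
    bases.iter().zip(exps).fold(1u64, |acc, (&g, &e)| mul(acc, pow(g, e)))
}

/// "Summation by parts" for one window: given buckets B_1..B_m (B_j = product of
/// bases whose digit is j), return prod_j B_j^j as a running suffix product.
fn window_product(buckets: &[u64]) -> u64 {
    let mut running = 1u64;
    let mut total = 1u64;
    for &b in buckets.iter().rev() {
        running = mul(running, b); // running = B_m * ... * B_j
        total = mul(total, running); // accumulates each B_j exactly j times
    }
    total
}

/// Pippenger bucket method with c-bit windows over a stream of (base, exponent)
/// pairs. Each pair is consumed once; memory is windows * (2^c - 1) group elements.
fn multiexp_pippenger<I>(pairs: I, c: u32) -> u64
where
    I: IntoIterator<Item = (u64, u64)>,
{
    assert!((1..=16).contains(&c), "window width out of range");
    let num_buckets = (1usize << c) - 1; // digit 0 needs no bucket
    let windows = ((64 + c - 1) / c) as usize; // bitwise regions of a 64-bit exponent
    let mask = (1u64 << c) - 1;
    let mut buckets = vec![vec![1u64; num_buckets]; windows];

    // Single streaming pass: route each base into one bucket per window.
    for (g, e) in pairs {
        for w in 0..windows {
            let digit = ((e >> (w as u32 * c)) & mask) as usize;
            if digit != 0 {
                buckets[w][digit - 1] = mul(buckets[w][digit - 1], g);
            }
        }
    }

    // Combine windows from most to least significant (Horner-style).
    let mut result = 1u64;
    for w in (0..windows).rev() {
        for _ in 0..c {
            result = mul(result, result); // result = result^(2^c)
        }
        result = mul(result, window_product(&buckets[w]));
    }
    result
}

fn main() {
    // Constructed sample input.
    let bases = [2u64, 3, 5, 7, 11, 13];
    let exps = [3u64, 2, 1_000_003, 0, u64::MAX, 123_456_789];
    let naive = multiexp_naive(&bases, &exps);
    let fast = multiexp_pippenger(bases.iter().copied().zip(exps.iter().copied()), 4);
    println!("naive = {naive}, pippenger = {fast}, equal = {}", naive == fast);
}
```

The bucket tables grow as `windows * (2^c - 1)`, so `c` is normally chosen around log2 of the number of bases: larger windows mean fewer expensive window combinations but more bucket memory, which is the trade-off a streamed prover tunes.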

Also new in this Zcash Sapling update is a new proving system, which would improve runtime performance in a big way. The team is considering a new zk-SNARK proving system to replace PGHR (Pinocchio). This would allow the team to design cheaper multi-party computations and other really interesting features.