Milestones Overview
We are building Aztec 3 as transparently as we can. The documents published here are merely an entry point to understanding. These documents are largely complete, but unpolished.
If you would like to help us build Aztec 3, consider reviewing our GitHub to contribute code and joining our forum to participate in discussions.
The milestones are written as sets of user stories to make it clear what functionality will be available as we work through each one.
Development Strategy
The goal is that all software components of Aztec3 can be developed as independent modules (e.g. private client, public client, simulators, data sources/sinks, circuit architecture, RPC, cryptography).
When modules need to communicate across module boundaries, they do so via clearly defined APIs.
When developing a module, these external API calls can be mocked. Each module's suite of unit tests ideally are completely independent of other module implementations (i.e. all external API calls are mocked).
The goal is to enable parallel development of these milestones, where teams are not bottlenecked by the progress of other teams.
For a milestone to be complete, full integration tests must be implemented that interact across module boundaries.
1.0 - Repo setup ✅
Separate Barretenberg into its own repository.
Create a monorepo (aztec3-packages
) for the Local Developer Testnet codebase.
1.1 - Deploy a contract ✅
See granular tasks here.
As a developer, I can write a Noir contract
scope, which contains a collection of pure functions (circuits) and a noop constructor
function (no state variables yet).
I can compile my contract with Noir, and receive a contract ABI JSON.
I can deploy my new Noir Contract via aztec.js
.
I can verify, via aztec.js
, that my Noir Contract has been deployed successfully to the Local Developer Testnet.
1.2 - Nullifier functionality ✅
We need nullifier infrastructure, and it's complex enough to be its own milestone. It makes most sense to develop it at this stage. Here's an attempt to shoe-horn it into a user story:
As a developer, I can only deploy to an Aztec contract address once. Attempts to duplicate a contract address will be rejected by the network.
Each tx request contains a nonce. For private functions, such a nonce will be emitted as a nullifier (to prevent re-use of that nonce).
1.3 - Private Constructor ✅
As a developer, I can declare private state variables in the global contract
scope of my Noir Contract.
I can write a constructor
function in Noir, which initialises private states within my contract (i.e. which pushes new commitments to the network). For this milestone, these private states will only be owned by the deployer.
I can deploy my new contract, which calls a constructor function to initialise private state.
Note: the constructor arguments could be included in the abi.json, similar to a Solidity ABI.
I can verify, via aztec.js
, that my private state(s) were initialised correctly. (Note: obviously a user can only do this if they own the state at that storage slot).
1.4 - A single Private Function Call ✅
As a developer, I can write a secret
function in Noir. This function can read private states, modify (nullify) private states, and store updates to private states.
I can deploy a contract containing such functions to the network.
As a user, I can create a tx request to execute any external, private function (by name, via aztec.js
). I can generate a zk-proof of having executed the private function, then a private kernel proof that the execution adheres to network rules, and send that kernel proof to the network. In the Local Developer Testnet, that tx will be included in the next block. The private function can initially only create commitments owned by the caller.
I can view the status of my transaction on the local network, via aztec.js
.
1.5 - A single Private Function Call (editing others' states) ⚙️
As per the previous milestone, but with the ability to call a function which edits other people's private states.
As a developer, I can write unconstrained
functions in Noir, which allow me to query Aztec state variables without broadcasting a tx to the network (much like the getBalance()
function of an ERC20 contract).
As a user, I can share the preimages of private state edits with the owners of those private states (e.g. by broadcasting the encrypted preimage on-chain).
As a recipient of an edited state, my RPC Client can update it's DB with this state update (e.g. via trial-decryption).
As a recipient of an edited state, I can query the current value of my state variable(s) via unconstrained
function(s), to verify that they've been edited.
2: L1-L2 Communication
2.1 - Deploy a Portal Contract
As a developer, I can write a Portal Contract to accompany my Noir++ contract.
I can deploy the Portal Contract to Ethereum, and then deploy and Aztec L2 contract which links with the Portal Contract.
I can make a query to the Private Client to learn the Portal Contract address of an L2 contract.
I can make a query to L1 to learn the L2 address for a particular Portal Contract.
Components: l1-contracts, kernel-circuit, aztec-rpc,
2.2 - L1->L2 Calls
As a developer, I can deploy a 'Portal Contract' to Ethereum (L1), which allows me to write logic across L1 and L2 for my dapp.
I can write Solidity code in my Portal Contract which can 'send messages' to a particular function of the linked L2 contract.
I can write Noir code which can 'read' messages from the L1->L2 message box.
I can send an Ethereum tx which calls a function of the Portal Contract, which in-turn sends an L1->L2 message.
I can then send an L2 tx which calls an L2 function, which 'reads' (consumes) the message.
2.3 - L2->L1 Calls
As a developer, I can write Noir code (in my Noir Contract) which can 'send messages' to my Noir Contract's corresponding Portal Contract (on L1).
I can send an Aztec tx which calls a private (or public) function, which can send the intended message to L1, via the Rollup Contract.
I can then send an Ethereum tx to my Portal Contract (or some other contract), which can 'read' (consume) the message.
Note: We might need to submit an encryption of L2->L1 messages to the
unverifiedData
on-chain (so that a user can re-sync and still find the messages they sent!)
3: Private call stacks
3.1 - Inter-contract Private -> Private Calls ⚙️
Note: intRA private->private calls can be inlined, in most cases.
As a developer, I can deploy 2 Noir Contracts. One contract can import
the interface of the other.
A private
function of the importing contract can call a private
function of the imported contract, passing arguments, and receive return values.
As a user, I send a tx which calls the function described.
I can view the status of my transaction on the local network.
Note: both functions which are executed in the one tx will need to use the same snapshot of the network's state, so pause/ignore tree updates whilst the tx is being generated.
3.2 - Recursive private calls
As a developer, I can write a private function which calls itself.
Note: this requires changes to the private kernel circuit, to allow notes to be 'read' even before they've been finalised on L1.
🚀 First release candidate for the local developer testnet
4: Public Functions
4.1 - Public Constructor
As a developer, I can declare public
state variablesin the global contract
scope of my Noir Contract.
I can write a public
function in Noir, which can read and write state from/to the public data tree.
I can write a constructor
function in Noir, which can make a call to a public
function in the same contract
scope, which can be used to initialise public
state.
I can deploy a contract (via aztec.js
) which calls a constructor function (which in-turn calls a public function) to initialise public state.
Note: the constructor arguments could be included in the abi.json, similar to a Solidity ABI.
I can call and unconstrained
function to verify that the state was set correctly for public state.
4.2 - A single Public Function Call ⚙️
As a developer, I can write a public
function in Noir. This function can do public state_reads
, and push new state_transitions
to the public data tree.
I can send a tx request to the network, which calls a single public function, to be included in the next block.
I can view the status of my transaction on the local network.
🚀 New release of the local developer testnet
5: More Composability
5.1 - IntRA-contract Private->Public Calls
A private
function can call a public
function of the same contract, passing arguments, but NOT receiving return values.
5.2 - IntER-contract Private->Public Calls
A private
function of the importing contract can call a public
function of the imported contract, passing arguments, but NOT receiving return values.
5.3 - IntER-contract Public->Public Calls
A public
function of the importing contract can call a public
function of the imported contract, passing arguments, and receiving return values.
5.4 - IntRA-contract Public->Private calls
(Note: intRA private->private calls can just be inlined).
As a developer, I can write Noir++ code to call a private
function from a public
function; within the same contract scope.
I can write a private
function which can 'read' a message from a public
function.
I can call a public function, which adds a message to some message box, for a particular private function to consume.
I can call a private function (in a later rollup) which consumes that message.
🚀 New release of the local developer testnet
6: Introducing fees
NOTE: these milestones might change, as we think more about fees, and the best things to tackle first.
6.1 - Estimating Gas - L1->L2 message
As a developer, I can estimate the L2 gas costs associated with posting a message to the L1->L2 message box.
Note: This might need further discussion. The L1 component is forcing the Sequencer to add data to the message tree in the next rollup, so ought to cover that L2 cost somehow by providing a payment to the Sequencer (rather than the L1 validator). Tricky.
6.2 - Estimating Gas - Private Kernel
As a developer, I can estimate the L2 gas costs associated with a private kernel snark's submission to the local test blockchain.
6.3 - Estimating Gas - Public Function
As a developer, I can estimate the L2 gas costs associated with executing a public circuit.
6.4 - Fees from L1
As a developer, I must now pay for the 'L2 component' of an L1->L2 tx.
I can pay for the 'L2 component' of an L1->L2 tx using L1 ETH.
I can pay for the 'L2 component' of an L1->L2 tx using any ERC20 token.
6.5 - Fees from Public L2
As a developer, I can write a public L2 token contract.
As a user, I can pay for L2 txs using some public L2 token.
6.6 - Fees from Private L2
As a developer, I can write a private L2 token contract.
As a user, I can pay for L2 txs using some private L2 token.
🚀 New release of the local developer testnet
7: Introduce actual circuits, proofs and verifiers
Up until now, milestones will have been using "simulated circuits", which contain the logic (checks and calculations) we'll need from our circuits, but without any of the computational overhead of actual circuits. This decision was intentional, to make the Local Developer Testnet as fast as possible, so that users (devs) can play and iterate as quickly as possible.
But ultimately, we need all these transactions to be actual proofs which can be verified. We have most of the code and expertise (from Aztec Connect), we just need to plug it in!
7.1 Actual Kernel & Rollup circuits
Write circuit versions of the Private and Public Kernel circuits, and the Base, Merge and Root Rollup circuits.
Turn on proof validation within each of these circuits, and within the Rollup Contract on L1.
The proving scheme might initially be UltraPlonk, which might be a problem in WASM. Benchmarking needed.
7.2 Swap UltraPlonk for Honk
Once ready, we can swap-in the Honk proving scheme, for much faster recursive proofs.
7.3 Public VM Circuit
The opcode-trace of a public function will ultimately need to be verified via a Public VM Circuit. This will be quite a complicated circuit to design and build.
7.4 Public Function bytecode-validation circuit
The opcodes of a public function need to be provably 'linked' with a commitment to those opcodes.
8: Public testnet via a centralised Sequencer
These aren't currently written as developer stories, as the developer's experience shouldn't change much from interacting with the local network. Instead, they're mostly Sequencer stories here.
8.1 - A centralised tx pool
As a Sequencer, I should be able to see all incoming tx requests in a 'stubbed' tx pool (can just be an http endpoint, perhaps).
8.2 - Rollups done by a Sequencer
As a Sequencer, I can rollup a set of private kernel proofs into a single proof, and submit that to L1.
8.3 - Simulating and submitting a public function
As a sequencer, I can simulate a public function's opcodes.
I can then prove execution of that function, run it through a kernel snark, and add it to the rollup.
8.4 - Collecting L1->L2 message fees
As a Sequencer, I can collect a fee for adding an L1->L2 message to the message tree.
8.5 - Collecting L1 fees
As a Sequencer, I can identify when an L2 tx is being paid-for via L1 (e.g. in the case of the L2 tx component of an L1->L2 tx).
I can see the L1 fees being offered for such a tx.
I can convert the L1 currency into ETH.
I can simulate a single-function L2 tx.
I can process the L2 tx, and receive L1 tokens for doing so.
8.6 - Collecting Public L2 fees
As a Sequencer, I can identify when an L2 tx is being paid-for via a public L2 tx.
I can see the L2 fees being offered for such a tx.
I can interpret those fees, based on some Aztec L2 Public fungible token standard.
I can simulate the fee-paying tx, to validate that I'll be paid.
I can simulate the accompanying tx.
I can process the L2 tx, and receive public L2 tokens from the fee-paying tx.
8.8 - Collecting Private L2 fees
As a Sequencer, I can identify when an L2 tx is being paid-for via a private L2 tx.
I can see the L2 fees being offered for such a tx.
I can interpret those fees, based on some Aztec L2 Private fungible token standard.
I can simulate the fee-paying tx, to validate that I'll be paid.
I can simulate the accompanying tx.
I can process the L2 tx, and receive public L2 tokens from the fee-paying tx.
8.8 - Prover client
As a Sequencer, I can delegate proof generation to my own Prover Client (descendant of Halloumi).
8.9 - Actual proof generation!
We actually construct circuits and generate zk-snarks at all stages.
🚀 Launch centralised sequencer testnet
9: 1st Sequencer testnet
9.0 - More Sequencers
Note: depending on Honk progress, this might be UltraPlonk initially.
As a Sequencer (amongst many Sequencers), I can query whether I'm the current Sequencer.
Note: this can be coordinated via some central endpoint at this stage.
I can access a centralised pool of txs, in order to generate rollups when it's my turn.
9.1 - P2P tx pool
As a user, I can connect to a p2p tx pool.
As a user, I can submit a tx to the pool.
As a Sequencer, I can read txs from the tx pool.
As a network participant, my local copy of the tx pool can be maintained: adding new txs, and removing already-processed txs.
🚀 Launch 1st Sequencer testnet
10: 2nd Sequencer testnet
10.0 - Sequencer Selection Protocol
As a Sequencer, I can determine whether I'm the Sequencer in a decentralised way.
I'll know some time in advance that I'll be the sequencer for a particular rollup, so I can prepare in advance.
I can submit a rollup only when I'm the chosen Sequencer.
If I fail to submit a rollup I might (TBD) be penalised.
Other milestones are hazy, until we decide on the sequencer selection protocol.
🚀 Launch 2nd Sequencer testnet
11: Prover testnet
We introduce a new type of network participant: a Prover: someone other than the Sequencer who runs a Prover Client.
11.0 - Prover Selection Protocol
TBD: selection criteria.
11.1 - Proof delegation
As a Sequencer I can delegate proofs to Provers.
As a Prover I can be paid for generating proofs for the current Sequencer.
🚀 Launch Prover testnet
12: Refactoring / Optimisations
- Nullifier Epochs
- Commitment (UTXO) Epochs
- More Efficient Kernel Recursion Topology (in a binary tree)
- Flexible Rollup Topology / Streaming new txs into the rollup
- Decrypting Notes
- OMR? PIR? FMD?
- Plug Honk into the circuits
- Account Abstraction
- More efficient, newer hashes for trees
Participate
Keep up with the latest discussion and join the conversation in the Aztec forum.