As a part of the upcoming onerous fork, Qtum will introduce a number of precompiled contracts to the EVM on high of Qtum which can allow extra environment friendly good contracts that supply the creation and switch of confidential belongings.

Sensible Contracts

Ethereum has two sorts of accounts, the externally owned account, and the contract account. Externally Owned Account (EOA) is a form of account managed by non-public keys and with none code related to it. A Contract Account (CA) is an account assigned to a wise contract, managed by contract. An externally owned account can ship a transaction, which is usually a switch transaction or a transaction associated to a wise contract to create or set off a wise contract.

Every transaction of Ethereum might be transformed right into a Message object, which is handed to the EVM for execution, after which EVM will convert the Message object right into a Contract object. If it’s a regular switch transaction, the corresponding account stability might be modified in StateDB. If it’s a transaction that creates or invokes a wise contract, the bytecode is loaded and executed by the interpreter within the EVM, and the StateDB could also be queried or modified throughout execution. As you may see from the determine, the Contract object masses the corresponding contract code from the database in accordance with the tackle of the contract, after which sends it to the interpreter for execution.

Message Object
Contract Object

The EVM interpreter is a stack-based machine with its PC, stack, reminiscence, and gasoline pool. A contract code might be interpreted as a strip of opcodes after which executed. Earlier than executing opcode, the EVM interpreter will examine the required Fuel and the present Fuel remaining for the command. If the Fuel is inadequate, it should return the ErrOutOfGas error. As a result of EVM is a stack-based digital machine, it has no intermediate storage similar to registers. All operations are maintained via a stack, so its operation effectivity is comparatively low, and it might take a very long time to finish a posh operation. Extra complicated operations is probably not accomplished at an efficient time. See [1] for particulars.

EVM interpreter

Confidential belongings

The blockchain is an open distributed transaction ledger, permitting the information on the chain to be publicly seen. Though the sender and receiver of a transaction can not straight be related to real-life patrons and sellers, the information on the chain might be analyzed by Deal with clustering to derive some affiliation details about addresses and identities. Moreover, the quantity of the transaction can also be public on the chain. It may be seen that though the transparency of the information ensures the true and tamper-resistant options of the ledger, it additionally makes many eventualities that require privateness unimaginable to be utilized on the blockchain.

Underneath this situation, the idea of confidential belongings was proposed. The sender, receiver, and transaction quantity of the transaction are hidden through the use of methods similar to cryptography, and the miner (transaction verifier) can confirm the legality of a transaction with out figuring out the particular information. Generally used strategies for implementing confidential belongings embody Mimble-Wimble, zk-SNARKs, and so on.

Because of the widespread use of contract fashions, some tasks similar to Dusk, Zether, AZTEC, and others have considered utilizing good contracts to implement non-public transactions, by deploying good contracts associated to non-public transactions to realize the aim of issuing confidential belongings on the chain.


As a result of the EVM is a stack-based digital machine, it calculates gasoline primarily based on the content material of the operation, so if it entails very difficult calculations, it may be very inefficient to execute the operation in EVM and eat plenty of gasoline. For instance, in zk-snark, the addition and subtraction of the elliptic curve and the pairing operation are required. These operations are very difficult and unrealistic to be executed within the EVM. That is the unique intention of Ethereum to suggest a precompiled contract.

Precompiled contracts are a compromise used within the EVM to supply extra complicated library features (normally used for complicated operations similar to encryption, hashing, and so on.) that aren’t appropriate for writing in opcode. They’re utilized to contracts which are easy however ceaselessly referred to as, or which are logically fastened however computationally intensive. Precompiled contracts are carried out on the client-side with shopper code, and since they don’t require the EVM, they run quick. It additionally prices much less for builders than utilizing features that run straight within the EVM.

The precompiled contracts that Ethereum has carried out now are as follows:

On the code degree, the so-called tackle is definitely the index of the contract array, and an index identifies a precompiled contract. The three precompiled contracts associated to the confidential belongings are bn256Add(), bn256ScalarMul(), bn256Pairing().


Within the evm.go file, the working logic of EVM is encapsulated. There are four features for calling good contracts, Name(), CallCode(), DelegateCall(), StaticCall(). The work achieved by these 4 features is to generate contract objects, however the particular particulars similar to parameters could have some variations. After the contract is instantiated, the run perform in evm.go is known as to run the good contract. This perform takes into consideration each the case of precompiled contracts and non-precompiled contract calls. Within the following code, the primary department is to instantiate parameter p by specifying a precompiles index to specify a precompiled contract. The index of the array right here truly corresponds to the idea of the tackle when the precompiled contract array is said. The RunPrecompiledContract perform is then referred to as to execute the precompiled contract. If it’s a non-precompiled contract, you may see from the code that the interpreter of EVM is known as.


// run runs the given contract and takes care of working precompiles with a fallback to the byte code interpreter.
func run(evm *EVM, contract *Contract, enter []byte, readOnly bool) ([]byte, error) {
if contract.CodeAddr != nil {
precompiles := PrecompiledContractsHomestead
if evm.ChainConfig().IsByzantium(evm.BlockNumber) {
precompiles = PrecompiledContractsByzantium
if p := precompiles[*contract.CodeAddr]; p != nil {
return RunPrecompiledContract(p, enter, contract)
for _, interpreter := vary evm.interpreters {
if interpreter.CanRun(contract.Code) {
if evm.interpreter != interpreter {
// Be certain that the interpreter pointer is about again
// to its present worth upon return.
defer func(i Interpreter) {
evm.interpreter = i
evm.interpreter = interpreter
return interpreter.Run(contract, enter, readOnly)
return nil, ErrNoCompatibleInterpreter

Within the RunPrecompiledContract perform, you may see that the p variable implements the bn256 curve addition operation after which returns the consequence. It may be clearly seen that this a part of the operation is calculated throughout the execution on the shopper’s finish.


// RunPrecompiledContract runs and evaluates the output of a precompiled contract.
func RunPrecompiledContract(p PrecompiledContract, enter []byte, contract *Contract) (ret []byte, err error) {
gasoline := p.RequiredGas(enter)
if contract.UseGas(gasoline) {
return p.Run(enter)
return nil, ErrOutOfGas


// bn256Add implements a local elliptic curve level addition.
kind bn256Add struct{}
// RequiredGas returns the gasoline required to execute the pre-compiled contract.
func (c *bn256Add) RequiredGas(enter []byte) uint64 {
return params.Bn256AddGas
func (c *bn256Add) Run(enter []byte) ([]byte, error) {
x, err := newCurvePoint(getData(enter, 0, 64))
if err != nil {
return nil, err
y, err := newCurvePoint(getData(enter, 64, 64))
if err != nil {
return nil, err
res := new(bn256.G1)
res.Add(x, y)
return res.Marshal(), nil


In good contract code, the precompiled contract might be referred to as straight within the contract file identical to a traditional contract, however the calling methodology is considerably completely different. A precompiled contract name is made by an meeting code block within the .sol file. The specification and parameters of the decision are as follows:

meeting {
if iszero(name(gasLimit, contractAddress, worth, enter, inputLength, output, outputLength)) {
revert(0, 0)

An instance of implementing elliptic curve addition is as follows:

perform ecadd(uint256 ax, uint256 ay, uint256 bx, uint256 by) public fixed returns(uint256[2] p) {
uint256[4] reminiscence enter;
enter[0] = ax;
enter[1] = ay;
enter[2] = bx;
enter[3] = by;
meeting {
// ecadd precompile!
if iszero(name(not(0), 0x06, 0, enter, 0x80, p, 0x40)) {
revert(0, 0)

Precompiled contract for elliptic curves

Ethereum’s present answer to privateness is to make use of zk-SNARKs[6][8], however zk-SNARKs require a posh mathematical course of involving many elliptic curve calculations. After the earlier evaluation, this course of could be very unrealistic to be carried out within the EVM, so in an effort to assist the associated operations of zk-SNARKs, Ethereum added three precompiled contracts associated to zk-SNARK operations in EIP196[3] and EIP197[4], which might be referred to as by builders.

EIP-196 provides two precompiled contracts, ECADD() and ECMUL(), on the alt_bn128 curve, the place ECADD() consumes 500 gasoline and ECMUL() consumes 40,000 gasoline.

EIP-197 provides a pairing contract on the alt_bn128 curve, consuming gasoline of 80,000*ok+100000 (ok is expounded to the variety of factors).

It’s not onerous to know the addition and multiplication on the elliptic curve. The pairing seems as a result of there’s a KCA (Information of Coefficient Check and Assumption) certification course of in zk-SNARKs [6], which must be proved through the use of bilinear mapping, for particulars, please seek advice from Vitalik’s medium submit[7]. Pairing is the method that might be used within the proof course of. The enter of the Pairing perform is a listing of factors, as a result of completely different zk-snark algorithms could have completely different information quantities, and the gasoline consumed by the pairing perform can also be associated to the variety of pairs of factors.

Many tasks that use precompiled contracts to implement privateness now use the pairing course of, similar to EYBlockchain, AZTEC, and so forth. Pairing is a step that zk-snark should use. The price of gasoline is big, and naturally, the official can also be optimizing. The method of implementing pairing is usually carried out on a pairing-friendly curve. This can be a kind of curve with particular properties, which is especially manifested within the calculation of pairing pace. So if you wish to use the pairing course of, then the generally used curve similar to secp256k1 is clearly not appropriate, you want extra assist for the pairing-friendly curve.

Now the mainstream pairing-friendly curves are Barreto-Naehrig (BN) collection and Barreto-Lynn-Scott (BLS) collection [9], Ethereum makes use of BN collection, zcash makes use of BLS collection, and Ethereum may even add assist for the BLS curve. The general efficiency of the BLS curve is significantly better and the quantity of calculation is comparatively small. However it doesn’t matter what, deciding on a curve has a trade-off between security and effectivity.

It’s value mentioning that if you don’t want to make use of the pairing course of, you don’t want a pairing-friendly curve. An alternative choice is so as to add assist for precompiled contracts for the secp256k1 curve. For instance, though the PGC staff used two precompiled contracts of bn256ADD and bn256MUL, that’s, the curves of the bn collection are used, however their algorithm doesn’t want pairing. If the precompiled contract assist for secp256k1 is changed, the algorithm effectivity might be improved.

For the implementation of the C++ model, there are actually two exterior libraries that encapsulate and implement these operations. The primary is Libff, which is the library at the moment being utilized by Ethereum. LibSnark.cpp within the supply code that calls the related calculation perform of the libff library. There may be additionally an MCL library, which is the library beneficial by EIP-1108.

Confidential Belongings Undertaking

The 4 privateness options that are actually common are EYBlockchain, PGC, Zether, and AZTEC.

EYBlockchain implements confidential belongings primarily based on zk-SNARKs. It performs off-chain zero-knowledge proofing by porting the Ethereum’s beneficial ZoKrates toolkit. The algorithm wants to make use of the add, multiply, and pairing processes of the bn256 curve. The gasoline consumption of a switch transaction is round 2.7M.

Zether is an nameless cost protocol deployed on the Ethereum within the type of a wise contract Zether Sensible Contract (ZSC) with tokens referred to as Zether Tokens (ZTH). Tokens can be utilized because the service for transmission between Zether accounts of ElGamal public keys and assist nameless good contract interactions. The algorithm wants to make use of the add and multiply algorithms of the bn256 curve.

PGC is an improved model of the Zether algorithm. PGC makes use of the unique Elgamal and the unique bulletproof zero-knowledge proof algorithm. PGC makes use of the add, multiply algorithm of the bn256 curve, but when the precompiled contract of the secp256k1 elliptic curve might be carried out, the effectivity of the PGC algorithm might be drastically improved.

AZTEC combines homomorphic proofs and vary proofs to supply zero-knowledge proofs to concern confidential belongings on Ethereum. AZTEC wants to make use of the add, multiply, pairing operations on the bn256 curve. The particular operation quantity is (3n+m-1)add+(2n+2m-2)multiply+1pairing (n and m are the numbers of transaction tickets respectively).


The proposed EIP-196 and EIP-197 allow many zero-knowledge proof algorithms to run on Ethereum. However there may be nonetheless an issue. Though these complicated mathematical processes are carried out utilizing precompiled contracts, the consumption of gasoline continues to be very massive. It’s not an exaggeration to say that in some eventualities, the quantity of gasoline consumed to switch a confidential asset could also be increased than the quantity transferred. The utmost gasoline consumption per block on Ethereum is 8M, which makes many privateness tasks unimaginable to actually stick.

With the intention to scale back the gasoline of the precompiled contract, AZTEC staff proposed enhancements on EIP-1108 [5].

EIP-1108 is an optimization of the three precompiled contracts of add, multiply, and pairing. By optimizing the underlying algorithm of the calling library, the effectivity of the code is improved, thereby lowering the gasoline. The precompiled contract identify for the Golang model additionally turned bn256. Bn256 is alt_bn128, simply with a unique identify. 256 refers back to the size of p within the method, and 128 refers back to the safety degree of the curve. These are two completely different property descriptions of a curve. So the EIP-1108 doesn’t change the curve to scale back the gasoline however optimizes the carried out algorithm. The up to date gasoline comparability chart is as follows. EIP-1108 is at the moment within the draft state, the algorithm a part of the code has been improved, however the worth of gasoline has not been up to date.

With the improved strategy of EIP-1108, many privateness algorithms might be drastically optimized. Fuel consumption on a switch transaction of Zether might be decreased from 7188000 to 170000, that of PGC might be decreased from 6563000 to 1100000, and that of AZTEC might be decreased from 121000n+41000m+219000 to 12200n+6200m+85930.

In case you are deploying a precompiled contract, how one determines the gasoline worth of the precompiled contract is a major problem. The setting of the precompiled contract gasoline is expounded to the calculation quantity of the operation. For instance, the calculation methodology of the Pairing gasoline described in EIP-1108 relies on the effectivity of ecrecover and the established gasoline. An ecrecover name takes 116ms, and its gasoline is about to 3000, which provides the truth that the 1ms run prices 25.86gasoline. As a result of the time spent on pairing calculation is split into two elements, one is the bottom time, base_time, which might be understood as the beginning time of the operation, and the opposite is the floating time per_pair_time, which is expounded to the calculation quantity of the enter. It takes 3037ms to calculate 1 pairing and 14663ms to calculate 10 pairing. Base_time and per_pair_time are derived, multiply by the established 25.86gasoline, and the gasoline consumption of the pairing course of is derived. On this method, the related benchmark might be made in accordance with the particular atmosphere to control the setting of gasoline.

In Qtum, the utmost gasoline consumption per block is 40M, and the utmost gasoline consumption per transaction is 20M, so the confidential belongings working on Qtum are principally not restricted by gasoline. However utilizing EVM to run some computationally intensive privateness algorithms could be very inefficient. Subsequently, we must always implement some fundamental and customary privateness algorithms within the type of pre-compiled contracts, in order that privateness belongings can run on Qtum extra effectively.

For elliptic curves, contemplate including the precompiled contracts of BLS and secp256k1. BLS has higher efficiency and safety than bn256 and is pairing-friendly, so it may be used as an alternative of bn256. And if you wish to deploy the pairing precompiled contract, for its gasoline settings, you too can discover a precompiled contract for reference whose gasoline has been set, then benchmark respectively. Though secp256k1 will not be pairing-friendly, it’s extensively utilized in blockchain signature and encryption algorithms due to its higher efficiency and stronger versatility.

For zero-knowledge proofs, contemplate implementing the Bulletproof algorithm as a precompiled contract. Bulletproof is a extensively used vary proof algorithm within the blockchain, primarily used to show that the hidden transaction quantity in MimbleWimble is a optimistic quantity. Bulletproofs have been carried out and steady within the Grin and Beam tasks. Bulletproof’s verification course of is computationally intensive, so utilizing precompiled contract implementations is a extra applicable possibility. With the Bulletproof precompiled contract, MimbleWimble can run effectively on Qtum in a contractual method.

Supply hyperlink