Proofs generated. On-chain.
And just like that, your Noir hello world—x squared minus y equals something funky—morphs from local toy into blockchain-ready cryptography. Part 1 left us with ACIR bytecode and a witness; now Barretenberg (bb) snaps it all into a proof. Skeptical? Good. Most ZK tutorials gloss over the gritty bits. We’re peeling them back.
Here’s the command that kicks it off: bb prove -b ./target/hello_world.json -w ./target/hello_world.gz --write_vk --verifier_target evm -o ./target. Boom—four files spit out: proof (7.5KB), vk (verification key), its hash, public inputs. Memory ticks up to 28 MiB, but that’s peanuts for what you’re getting.
Scheme is: ultra_honk, num threads: 8 (mem: 8.10 MiB) CircuitProve: Proving key computed in 29 ms (mem: 24.21 MiB) Public inputs saved to “./target/public_inputs” (mem: 28.56 MiB) Proof saved to “./target/proof” (mem: 28.56 MiB) VK saved to “./target/vk” (mem: 28.56 MiB)
Ultra_honk. That’s the scheme—Aztec’s tweak on HONK proofs, faster than Plonk variants, leaner on gas. Flags matter: -b feeds the circuit shape, -w the private witness (x=2 here), --verifier_target evm swaps hashes to Keccak (EVM’s baby) and bakes in zero-knowledge. No leaks.
What’s the Verification Key Hiding?
The VK? Circuit’s public skeleton. Gates, wires, constraints—input-agnostic. Reuse it forever for this circuit. Change x to 42? Same VK verifies the new proof. It’s the fingerprint letting third parties trust without recomputing everything. bb prepends public inputs (y=1) to the proof blob—verifier contract slices ‘em off neat.
Run bb verify -p ./target/proof -k ./target/vk --verifier_target evm. No witness needed. Proof checks out in 10ms. That’s the magic: “Someone knows x ≠ y (public y=1)” without spilling x.
But local’s lame. On-chain’s where ZK shines—or flops.
Why Target EVM with Barretenberg?
bb write_solidity_verifier -k ./target/vk --verifier_target evm -o ./target/Verifier.sol. Out pops a 2,449-line HonkVerifier.sol. Hardcoded VK constants, pairing checks via EVM precompiles (ecAdd, ecMul, ecPairing, modexp). Entry point? verify(bytes calldata proof, bytes32[] calldata publicInputs). Gas-efficient, works on mainnet, L2s, testnets.
Here’s the shift: Noir abstracts ZK like Rust abstracts WASM. Compile once (nargo), prove fast (bb), verify cheap (Solidity). No Circom boilerplate nightmares.
Foundry setup’s straightforward—forge init, copy Verifier.sol, tweak foundry.toml for file reads. Deploy script:
HonkVerifier verifier = new HonkVerifier();
console.log("HonkVerifier deployed to:", address(verifier));
Verify script loads proof binary, sets publicInputs[0] = bytes32(1), calls verify. True. On-chain.
My take? This workflow’s underrated parallel to 1970s Unix pipes—circuit | prove | verify—streamlining ZK from PhD toy to dev tool. Noir won’t kill SNARKs, but it’ll flood EVM with privacy apps. Aztec’s not spinning PR; they’re building the stack Ethereum needs for confidential scaling.
How Does Barretenberg Crush Proving Times?
Ultra_honk isn’t hype—it’s recursive, Fiat-Shamir with IPA (inner product arguments). Threads scale linear; 8 cores shave ms off 29ms proves. Memory? Sub-30MiB per proof. Compare to halo2’s bloat or gnark’s Rust overhead. bb’s C++ core (WASM too) eats ‘em.
Public inputs wire directly: y=1 claims “x !=1 and x^2 - something”. Proof asserts it sans x reveal. Verifier trusts VK’s shape match.
On-chain gas? Precompiles slash costs—ecPairing’s 450K gas vs manual BN254 mul. L2s like Optimism? Even cheaper.
But wait—production pitfalls. VK hash pins circuit ID; rotate proofs? New VK, new contract. State bloat if naive.
Is Noir Ready for Real EVM Chains?
Deployed. Verified. But scale it. Hello world laughs at 7KB proofs; real circuits (Merkle proofs, rollups) balloon to MBs. bb compresses via recursion—stack proofs. Aztec’s Noir targets that: type-safe, auditable circuits without assembly hell.
Critique time: Tutorials like this skip error modes. Bad witness? Prove fails silent. EVM target assumes Keccak; switch to Solana? Rewrite. Still, for EVM devs, it’s plug-and-prove.
Unique angle: Noir/Barretenberg echoes WebAssembly’s rise—portable bytecode (ACIR) + fast runtime (bb). Prediction: By 2025, 20% L2s verify Noir proofs natively. No more ZK silos.
Foundry scripts shine for CI/CD. forge script Verify.s.sol --rpc-url sepolia—testnet proof in mins. Prod? Batch proves off-chain, submit on-chain.
Tinker. Fork the repo, swap x*y=42. Prove. Deploy. Feel the architecture click.
🧬 Related Insights
- Read more: I Spent 3 Weeks on a DIY Trading Bot—Here’s Why Your Get-Rich Dream Crashes
- Read more: ClassPilot v2.0.3: Liquid Glass Glow-Up and AI Smarts for Stressed Students
Frequently Asked Questions
What does Barretenberg do in Noir workflows?
Barretenberg proves Noir circuits from ACIR and witnesses, generates EVM-ready verifiers using ultra_honk scheme—fast, low-mem ZK proofs.
How to deploy Noir proof verifier on Ethereum?
Use bb to gen Verifier.sol, Foundry to deploy via script—load proof binary, set public inputs, call verify(). Works on mainnet/L2s.
Are Noir proofs gas-efficient on EVM?
Yes—Keccak hashes, precompile pairings keep verify under 1M gas typically; scales better than Plonk on L2s.
