The motivation for this base layer is to build a fast, anonymous-by-default L2 that can support a zero-knowledge scripting language for custom financial applications.

It is NOT designed to be a new cryptocurrency but rather a safe haven for other cryptocurrencies to be exchanged privately amongst non-cooperative parties.

Twilight builds on 4 key constructions:

  1. QuisQuis: An account-based system, that works like a UTXO model, where every account is one-time use. Every transaction creates new accounts and moves value from the previous account to the new one.

  2. ZkVM: A stack machine for encrypted values. It is originally built for a UTXO-based network, taking a covenant-like approach for locking UTXO with some spending condition in a contract.

  3. Utreexo: A hash based accumulator proposed for Bitcoin. It allows you to reference to the global state with under a kilobyte proof.

  4. Tendermint core: A BFT-style state replication engine, that allows ledger-based apps to use custom cryptography.


These constructions allow the base layer to achieve:

  • Cryptographic finality: State transition is immediately finalized without waiting for a prover to submit a proof at some delay. This allows every block to update the accumulator for instant interoperability with other chains.

  • Confidentiality + anonymity + not a delegated prover: Confidentialtity hides your amount with a commitment. Anonymity hides your identity with an anonymity set. And since proof generation is not computationally demanding, it can be generated in your browser without delegating and revealing secret witness to a prover.

  • Parallelizable Verification LockTx can be verified in parallel in 1-2ms on a single core. QuisQuis/UnlockTx can be parallelized too and takes about 10ms for verification.

What it doesn't achieve:

  • Succinct Verification Zk-S*arks are succinct to verify, though the proof generation is relatively slow, which hinders trading experience on an exchange when the price moves every 300~350ms. Bulletproofs prover is pretty fast, though verifier has a linear verification time, which can be parallelized.

  • EVM Compatibility The base layer does not support EVM and is designed to be stateless by supporting a stack-based scripting language.

Last updated