Skip to content

Latest commit

 

History

History
67 lines (41 loc) · 4.34 KB

README.md

File metadata and controls

67 lines (41 loc) · 4.34 KB

SNARK Multi Party Computation

Overview

Pairing based SNARKs require the generation of certain parameters in order to achieve high efficiency (small proof sizes, fast proving and verifying time). These parameters are generated by another set of parameters which MUST remain secret. We call these secret parameters the "toxic waste". If a prover knows these secrets, then they can generate valid proofs for invalid statements, breaking soundness. This is undesired!

In order to guarantee that no prover will ever know these secrets, we can generate them in a distributed manner. Each participant in this so-called "ceremony" will contribute to the generation of the parameters with their own secret. If at least 1 participant is honest and destroys their secret, then there should be no way for a malicious prover to create fake proofs.

This repository contains implementations for the BGM17 multi party computation. The ceremony is split in two phases, one which generates the Powers of Tau, and one which "specializes" them to the provided arithmetic circuit for the Groth16 SNARK.

Note that the generated Powers of Tau can be re-used for any other Phase 2 setup, or for instantiating other mechanisms, such as the KZG10 polynomial commitment scheme.

For instructions on how to ensure that the ceremony is executed properly, refer to RECOMMENDATIONS.md

Phase 1 (Powers of Tau)

  1. A coordinator generates an accumulator
  2. Participant downloads the latest accumulator
  3. Participant contributes their randomness to the accumulator (randomness is permantently deleted after this step)
  4. Participant uploads the accumulator back to the coordinator
  5. Coordinator verifies the accumulator was transformed correctly and produces a new challenge

The notable part about this procedure, is that it _never_has to end. This is what allows SNARKs utilizing KZG10 to have a "continuous" setup. If a participant does not trust the setup, they themselves can contribute to the Powers of Tau, and instantiate KZG10 with the new parameters.

Phase 2 (Specialization specific to Groth16)

  1. Coordinator "prepares" the parameters from Phase 1 and converts them to Lagrange Coefficients
  2. Participant downloads the latest state of the parameters
  3. Participant contributes their randomness to the parameters (randomness is permantently deleted after this step)
  4. Participant uploads the parameters back to the coordinator
  5. Coordinator verifies the accumulator was transformed correctly
  6. Loop from 2 for all participants

This produces parameters which can then be used for constructing Groth16 SNARKs for that circuit. The setup is sound as long as 1 party was honest and destroyed their "toxic waste" in step 3.

Build Guide

Build with cargo build (--release). You will receive a powersoftau and prepare_phase2 binary in the target/ directory.

Test with cargo test.

Benchmark with cargo bench (uses criterion)

If contributing, do not forget to run cargo fmt and cargo clippy --all-targets --all-features -- -D warnings

All crates require Rust 2018 edition and are tested on the following channels:

  • 1.39.0
  • stable

If you do not have Rust installed, run: curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh

Directory Structure

This repository contains several Rust crates that implement the different building blocks of the MPC. The high-level structure of the repository is as follows:

  • powersoftau: Rust crate that provides an accumulator for Powers of Tau. It runs multithreaded and works in "batches", allowing large powers to be calculated in resource constrained environments
  • phase2: Rust crate that provides a wrapper over Groth16's parameters which also contains a verifiable transcript of the so-far contributions to the specialization phase
  • snark-utils: Utility functions shared across crates, involving i/o, mathematical operations and errors.

In addition, there is a test-helpers crate which contains infrastructure for testing.

Disclaimers

This software has not been audited. Use at your own risk.