Document Setup Ceremony Math #2855
@@ -0,0 +1,58 @@ | ||
# Groth16 Setup | ||
|
||
The proving system we use, [Groth16](https://eprint.iacr.org/2016/260), | ||
requires a per-circuit trusted setup: each circuit requires some public | ||
parameters, called a *CRS* (common reference string), and generating | ||
these public parameters involves the creation of *private* parameters. | ||
Knowing these private parameters would allow for forging proofs; | ||
ensuring their destruction is paramount. | ||
|
||
To that end, systems don't simply generate these parameters, | ||
but instead go through a *setup ceremony*, involving many participants, | ||
such that the setup is secure so long as *at least one* participant | ||
destroys the private parameters they've used to contribute to the ceremony. | ||
|
||
This chapter describes the technical aspects of a ceremony | ||
setting up these parameters, based off of | ||
[KMSV21](https://eprint.iacr.org/2021/219) (Snarky Ceremonies), | ||
itself based off of [BGM17](https://eprint.iacr.org/2017/1050). | ||
We organize the information herein as follows: | ||
- The [Groth16 Recap](./setup/groth16_recap.md) section provides a brief recap of how the formulas and CRS structure for Groth16 work. | ||
- The [Discrete Logarithm Proofs](./setup/dlog_proofs.md) section describes a simple discrete logarithm proof we need for setup contributions. | ||
- The [Contributions](./setup/contributions.md) section describes | ||
the crux of the ceremony: how users make contributions to the parameters. | ||
|
||
## Notation | ||
|
||
We work with a triplet of groups $\mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T$, with an associated field of scalars $\mathbb{F}$, equipped with a pairing operation: | ||
$$ | ||
\odot : \mathbb{G}_1 \times \mathbb{G}_2 \to \mathbb{G}_T | ||
$$ | ||
We also have designated generator elements $G_1, G_2, G_T$ | ||
for each of the respective groups, with $G_T = G_1 \odot G_2$. | ||
In the case of Penumbra, the concrete groups used are from [BLS12-377](https://neuromancer.sk/std/bls/BLS12-377). | ||
|
||
We take the convention that lowercase letters (e.g. $x, a$) | ||
are taken to be scalars in $\mathbb{F}$, | ||
and uppercase letters (e.g. $X, A$) are taken to be elements | ||
of $\mathbb{G}_1$, $\mathbb{G}_2$, or $\mathbb{G}_2$. | ||
|
||
For $i \in \{1, 2, T\}$, we use the shorthand: | ||
$$ | ||
[x]_i := x \cdot G_i | ||
$$ | ||
for scalar multiplication using one of the designated | ||
generators. | ||
|
||
All of the groups we work with being commutative, we use | ||
additive notation consistently. | ||
|
||
As an example of this use of additive notation, | ||
consider the following equation: | ||
$$ | ||
([a]_1 + [b]_1) \odot [c]_2 = [ac + bc]_T | ||
$$ | ||
|
||
As a somewhat unfortunate conflict of notation, we use $[n]$ to denote | ||
the set $\{1, \ldots, n\}$, and ${[s_i \mid i \in S]}$ to denote | ||
a list of elements, with $i$ ranging over a set $S$. |
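Review bot: the convention paragraph says uppercase letters are elements "of $\mathbb{G}_1$, $\mathbb{G}_2$, or $\mathbb{G}_2$"; the last group should be $\mathbb{G}_T$, since the pairing maps into $\mathbb{G}_T$, the generator $G_T$ is defined right above, and the example equation ends in $[ac + bc]_T$. Suggest `of $\mathbb{G}_1$, $\mathbb{G}_2$, or $\mathbb{G}_T$.` While here, it may be worth stating that $[n]$ versus $[s_i \mid i \in S]$ is disambiguated by the `|` inside the brackets, so readers do not confuse the list notation with $[x]_i$ scalar multiplication, which is also square brackets.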
@@ -0,0 +1,191 @@ | ||
# Contributions | ||
|
||
In this section, we describe the contributions that make up a setup ceremony | ||
in more detail. | ||
We describe: | ||
- the high level idea behind the ceremony, | ||
- what contributions look like, and how to check their correctness, | ||
- how to check the correctness of the setup as a whole. | ||
|
||
## High Level Overview | ||
|
||
We break the CRS described [previously](./groth16_recap.md) into two parts: | ||
|
||
First, we have: | ||
|
||
- $[\alpha]_1, [\beta]_1, [\beta]_2$ | ||
|
||
- $\displaystyle \left[x^i\right]_1\quad (i \in [0, \ldots, 2d - 2])$ | ||
|
||
- $\displaystyle \left[x^i\right]_2\quad (i \in [0, \ldots, d - 1])$ | ||
|
||
- $\displaystyle \left[\alpha x^i\right]_1\quad (i \in [0, \ldots, d - 1])$ | ||
|
||
- $\displaystyle \left[\beta x^i\right]_1\quad (i \in [0, \ldots, d - 1])$ | ||
|
||
|
||
Second, we have: | ||
|
||
- $[\delta]_1, [\delta]_2$ | ||
|
||
- $\displaystyle \left[\frac{1}{\delta} p^{\alpha, \beta}_i(x)\right]_1\quad (i \geq s)$ | ||
|
||
- $\displaystyle \left[\frac{t(x)}{\delta} x^i \right]_1\quad (i \in [0, \ldots, d - 2])$ | ||
|
||
We split the ceremony into two phases, to calculate the first and second | ||
part of the CRS, respectively. | ||
The general idea in each ceremony is that the secret values of interest | ||
(e.g. $\alpha, x$ etc.) are shared multiplicatively, as | ||
$\alpha_1 \cdot \alpha_2 \ldots$, with each party having | ||
one of the shares. | ||
Because of this structure, given the current value of the CRS elements | ||
in a given phase, it's possible for a new party to add their contribution. | ||
For example, in the first phase, one can multiply each element | ||
by some combination $\alpha^{d_1} \cdot \beta^{d_2} \cdot x^{d_3}$, | ||
depending on the element, | ||
to get a new CRS element. | ||
|
||
Each contribution will come with a proof of knowledge for the new secret | ||
values contributed, which can also partially attest to how these secret | ||
values were used. | ||
However, this is not enough to guarantee that the resulting elements | ||
are a valid CRS: for this, we have a consistency check | ||
allowing us to check that the elements in a given phase | ||
have the correct internal structure. | ||
|
||
Each party can thus contribute one after the other, until | ||
enough contributions have been gathered through that phase. | ||
|
||
In order to link phase 1 and phase 2, | ||
we use the fact that with $\delta = 1$, the CRS elements of phase 2 | ||
are linear combinations of those in phase 1. | ||
If we consider $t(x)x^i$, with $i$ up to $d - 2$, | ||
the largest monomial we'll find is $2d - 2$, since $t$ has degree at most $d$. | ||
In the first phase, we calculated these powers of $x$, and so can | ||
calculate these values by linear combination. | ||
We can do the same for: | ||
$$ | ||
p_i^{\alpha, \beta}(x) = \alpha u_i(x) + \beta v_i(x) + w_i(x) | ||
$$ | ||
since we have access to $\alpha x^i$ and $\beta x^i$ for sufficiently | ||
high degrees. | ||
|
||
## Phase 1 | ||
|
||
Assuming we have the CRS elements of phase 1, a contribution involves | ||
fresh random scalars $\hat{\alpha}, \hat{\beta}, \hat{x}$, and produces | ||
the following elements: | ||
|
||
- $\hat{\alpha} \cdot [\alpha]_1, \hat{\beta} \cdot [\beta]_1, \hat{\beta} \cdot [\beta]_2$ | ||
|
||
- $\hat{x}^i \cdot [x^i]_1\quad (i \in [0, \ldots, 2d - 2])$ | ||
- $\hat{x}^i \cdot [x^i]_2\quad (i \in [0, \ldots, 2d - 2])$ | ||
- $\hat{\alpha}\hat{x}^i \cdot [\alpha x^i]_1\quad (i \in [0, \ldots, d - 1])$ | ||
- $\hat{\beta}\hat{x}^i \cdot [\beta x^i]_1\quad (i \in [0, \ldots, d - 1])$ | ||
Doesn't need to be in this PR but at some point we should document where we deviate from KMSV21 (e.g. when I was looking at this I was comparing with Fig. 6 in the paper)
||
|
||
Additionally, a contribution includes three proofs: | ||
|
||
1. $\pi_1 \gets P_{\text{DL}}(\text{ctx}, \hat{\alpha} \cdot [\alpha]_1, [\alpha]_1; \hat{\alpha})$ | ||
2. $\pi_2 \gets P_{\text{DL}}(\text{ctx}, \hat{\beta} \cdot [\beta]_1, [\beta]_1; \hat{\beta})$ | ||
3. $\pi_3 \gets P_{\text{DL}}(\text{ctx}, \hat{x} \cdot [x]_1, [x]_1; \hat{x})$ | ||
|
||
### Checking Correctness | ||
|
||
Given purported CRS elements: | ||
|
||
- $G_{\alpha}, G_{\beta}, H_{\beta}$ | ||
|
||
- $G_{x^i}\quad (i \in [0, \ldots, 2d - 2])$ | ||
|
||
- $H_{x^i}\quad (i \in [0, \ldots, 2d - 2])$ | ||
|
||
- $\displaystyle G_{\alpha x^i}\quad (i \in [0, \ldots, d - 1])$ | ||
|
||
- $\displaystyle G_{\beta x^i}\quad (i \in [0, \ldots, d - 1])$ | ||
|
||
We can check their validity by ensuring the following checks hold: | ||
|
||
1. Check that each element is $G_\alpha, G_\beta, H_{\beta}, G_x, H_x \neq 0$ (the identity element in the respective groups). | ||
2. Check that $G_\beta \odot [1]_2 = [1]_1 \odot H_\beta$. | ||
3. Check that $G_{x^i} \odot [1]_2 = [1]_1 \odot H_{x^i} \quad (\forall i \in [0, \ldots, 2d - 2])$. | ||
4. Check that $G_{\alpha} \odot G_{x^i} = G_{\alpha x^i} \odot [1]_2 \quad (\forall i \in [0, \ldots, d- 1])$. | ||
4. Check that $G_{\beta} \odot G_{x^i} = G_{\beta x^i} \odot [1]_2 \quad (\forall i \in [0, \ldots, d- 1])$. | ||
4. Check that $G_{x} \odot G_{x^i} = G_{x^{i + 1}} \odot [1]_2 \quad (\forall i \in [0, \ldots, 2d - 3])$. | ||
|
||
### Checking Linkedness | ||
|
||
To check that CRS elements $G'_{\ldots}$ build off a prior CRS $G_{\ldots}$, | ||
one checks the included discrete logarithm proofs $\pi_1, \pi_2, \pi_3$, via: | ||
|
||
1. $V_{\text{DL}}(\text{ctx}, G'_\alpha, G_\alpha, \pi_1)$ | ||
2. $V_{\text{DL}}(\text{ctx}, G'_\beta, G_\beta, \pi_2)$ | ||
3. $V_{\text{DL}}(\text{ctx}, G'_x, G_x, \pi_3)$ | ||
|
||
## Phase 2 | ||
|
||
Assuming we have the CRS elements of phase 2, a contribution involves | ||
a fresh random scalar $\hat{\delta}$, and produces | ||
the following elements: | ||
|
||
- $\hat{\delta} \cdot [\delta]_1, \hat{\delta} \cdot [\delta]_2$ | ||
|
||
- $\displaystyle \frac{1}{\hat{\delta}} \cdot \left[\frac{1}{\delta}p_i^{\alpha, \beta}(x)\right]_1\quad (i \geq s)$ | ||
|
||
- $\displaystyle \frac{1}{\hat{\delta}} \cdot \left[\frac{1}{\delta}t(x)x^i\right]_1\quad (i \in [0, \ldots, d - 2])$ | ||
|
||
Additionally, a contribution includes a proof: | ||
|
||
$$ | ||
\pi \gets P_{\text{DL}}(\text{ctx}, \hat{\delta} \cdot [\delta]_1, [\delta]_1; \hat{\delta}) | ||
$$ | ||
|
||
### Checking Correctness | ||
|
||
Assume that the elements $[p_i^{\alpha, \beta}(x)]_1\ (i \geq s)$ and $[t(x) x^i]_1\ (i \in [0, \ldots, d - 2])$ are known. | ||
|
||
Then, given purported CRS elements: | ||
|
||
- $G_\delta, H_\delta$ | ||
- $G_{\frac{1}{\delta}p_i}\quad(i \geq s)$ | ||
- $G_{\frac{1}{\delta}t_i}\quad(i \in [0, \ldots, d - 2])$ | ||
|
||
We can check their validity by ensuring the following checks hold: | ||
|
||
1. Check that each element is $G_\delta, H_\delta \neq 0$ (the identity element in the respective groups). | ||
2. Check that $G_\delta \odot [1]_2 = [1]_1 \odot H_\delta$. | ||
3. Check that $G_{\frac{1}{\delta}p_i} \odot H_\delta = [p_i^{\alpha, \beta}]_1 \odot [1]_1\quad (\forall i \geq s)$. | ||
4. Check that $G_{\frac{1}{\delta}t_i} \odot H_\delta = [t(x) x^i]_1 \odot [1]_1\quad (\forall i \in [0, \ldots, d - 2])$. | ||
|
||
### Checking Linkedness | ||
|
||
To check that CRS elements $G'_{\ldots}$ build off a prior CRS $G_{\ldots}$, | ||
one checks the included discrete logarithm proof $\pi$, via: | ||
|
||
$$ | ||
V_{\text{DL}}(\text{ctx}, G'_\delta, G_\delta, \pi) | ||
$$ | ||
|
||
## Batched Pairing Checks | ||
|
||
Very often, we need to check equations of the form: | ||
$$ | ||
\forall i.\ A_i \odot B = C \odot D_i | ||
$$ | ||
(this would also work if the right hand side is of the form $D_i \odot C$, and vice versa). | ||
|
||
This equation is equivalent to checking: | ||
$$ | ||
\forall i.\ A_i \odot B - C \odot D_i = 0 | ||
$$ | ||
If you pick random scalars $r_i$ from a set $S$, then except with probability | ||
$|S|^{-1}$, this is equivalent to checking: | ||
$$ | ||
\sum_i r_i \cdot (A_i \odot B - C \odot D_i) = 0 | ||
$$ | ||
By the homomorphic properties of a pairing, this is the same as: | ||
$$ | ||
\left(\sum_i r_i \cdot A_i\right) \odot B - C \odot \left(\sum_i r_i \cdot D_i\right) | ||
$$ | ||
|
||
Instead of checking $2N$ pairings, we can instead perform $2$ MSMs | ||
of size $N$, and then $2$ pairings, which is more performant. |
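Review bot: the pairing checks in both correctness sections pair two $\mathbb{G}_1$ elements, which is not a valid input to $\odot : \mathbb{G}_1 \times \mathbb{G}_2 \to \mathbb{G}_T$ as defined in the notation section. In Phase 1 checks 4 to 6 the left-hand sides are $G_\alpha \odot G_{x^i}$, $G_\beta \odot G_{x^i}$ and $G_x \odot G_{x^i}$; the second operand should be the $\mathbb{G}_2$ copy, e.g. `$G_{\alpha} \odot H_{x^i} = G_{\alpha x^i} \odot [1]_2$` and `$G_{x^{i+1}} \odot [1]_2 = G_{x^i} \odot H_x$`. In Phase 2 checks 3 and 4 the right-hand sides are `$[p_i^{\alpha, \beta}]_1 \odot [1]_1$` and `$[t(x) x^i]_1 \odot [1]_1$`; these should pair with $[1]_2$, and the first should be written $[p_i^{\alpha, \beta}(x)]_1$ to match the assumption stated two lines earlier. Separately, the degree bound for the $\mathbb{G}_2$ powers is inconsistent: the CRS overview lists $[x^i]_2$ for $i \in [0, \ldots, d - 1]$, while the Phase 1 contribution, the purported elements $H_{x^i}$ and check 3 all run to $2d - 2$; pick one bound and use it throughout. Minor: checks 4 to 6 are all numbered `4.`, the final batched-pairing display is missing its `= 0`, and "we can instead perform" repeats "instead".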
@@ -0,0 +1,54 @@ | ||
# Discrete Logarithm Proofs | ||
|
||
One gadget we'll need is a way to have ZK proofs for the following relation: | ||
$$ | ||
\{(W, X; w) \mid W = w \cdot X\} | ||
$$ | ||
(with $w$ kept secret). | ||
|
||
In other words, one needs to prove knowledge of the discrete logarithm | ||
of $W$ with regards to $X$. | ||
|
||
The notation we'll use here is | ||
$$ | ||
\pi \gets P_{\text{DL}}(\text{ctx}, W, X; w) | ||
$$ | ||
for generating a proof (with some arbitrary context string $\text{ctx}$), using the public statement $(W, X)$ and the witness $w$, | ||
as well as: | ||
$$ | ||
V_{\text{DL}}(\text{ctx}, W, X, \pi) | ||
$$ | ||
for verifying that proof, using the same context and statement. | ||
|
||
The proof should fail to verify if the context or statement | ||
don't match, or if the proof wasn't produced correctly, of course. | ||
|
||
## How They Work | ||
|
||
(You can safely skip this part, if you don't actually | ||
need to know how they work). | ||
|
||
These are standard Maurer / Schnorr-esque proofs, making use of | ||
a hash function | ||
$$ | ||
H : \{0, 1\}^* \times \mathbb{G}^3 \to \mathbb{F} | ||
$$ | ||
modelled as a random oracle. | ||
|
||
**Proving** | ||
|
||
$$ | ||
\begin{aligned} | ||
&P_{\text{DL}}(\text{ctx}, X, Y; w) :=\cr | ||
&\quad k \xleftarrow{\$} \mathbb{F}\cr | ||
&\quad K \gets k \cdot Y\cr | ||
&\quad e \gets H(\text{ctx}, (X, Y, K))\cr | ||
&\quad (K, k + e \cdot x)\cr | ||
Should there be a step in the proving stage where we generate

I don't think this is necessary. What you care about is the link between these two specific elements, and the proof here is sufficient to get knowledge extraction for x, which is the other property you want out of this for the security proof of the ceremony; if my understanding of snarky ceremonies is accurate.
||
\end{aligned} | ||
$$ | ||
|
||
**Verification** | ||
|
||
$$ | ||
V_{\text{DL}}(\text{ctx}, X, Y, \pi = (K, s)) := s \cdot G \overset{?}{=} K + H(\text{ctx}, (X, Y, K)) \cdot X | ||
Is it a correct understanding that
||
$$ |
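Review bot: the verification equation does not match the prover as written. The prover commits with $K \gets k \cdot Y$ and responds with $k + e \cdot x$, but the witness in the signature is $w$ (there is no $x$ in this section), and the verifier checks $s \cdot G$, where $G$ is never introduced, so for an honest proof with $X = w \cdot Y$ the check only holds when $Y = G$, which is not the case in the ceremony, where $Y$ is a prior CRS element such as $[\alpha]_1$. Suggest `&\quad (K, k + e \cdot w)\cr` in the prover and `s \cdot Y \overset{?}{=} K + H(\text{ctx}, (X, Y, K)) \cdot X` in the verifier, so that $s \cdot Y = k \cdot Y + e \cdot w \cdot Y = K + e \cdot X$. The variable naming also differs between the relation, written as $(W, X; w)$ with $W = w \cdot X$, and the algorithms, written as $(X, Y; w)$; using one naming throughout would make the correspondence with the ceremony's calls $P_{\text{DL}}(\text{ctx}, \hat{\alpha} \cdot [\alpha]_1, [\alpha]_1; \hat{\alpha})$ easier to check. Finally, the hash domain $\mathbb{G}^3$ should name which group, given the three groups introduced earlier (all ceremony proofs are over $\mathbb{G}_1$ elements).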
last one should be target group, i.e.
$\mathbb{G}_2$ -> $\mathbb{G}_T$