penumbra-zone · cronokirby · Jul 25, 2023 · Jul 20, 2023 · Jul 21, 2023 · Jul 21, 2023
diff --git a/docs/protocol/src/SUMMARY.md b/docs/protocol/src/SUMMARY.md
@@ -34,6 +34,10 @@
     - [The `eddy` construction](./crypto/flow/eddy.md)
     - [Distributed Key Generation](./crypto/flow-encryption/dkg.md)
     - [Homomorphic Threshold Encryption](./crypto/flow-encryption/threshold-encryption.md)
+- [Groth 16 Setup Ceremony](./setup.md)
+  - [Groth16 Recap](./setup/groth16_recap.md)
+  - [Discrete Logarithm Proofs](./setup/dlog_proofs.md)
+  - [Contributions](./setup/contributions.md)
 - [Addresses and Keys](./protocol/addresses_keys.md)
   - [Spending Keys](./protocol/addresses_keys/spend_key.md)
   - [Viewing Keys](./protocol/addresses_keys/viewing_keys.md)

diff --git a/docs/protocol/src/setup.md b/docs/protocol/src/setup.md
@@ -0,0 +1,58 @@
+# Groth16 Setup
+
+The proving system we use, [Groth16](https://eprint.iacr.org/2016/260),
+requires a per-circuit trusted setup: each circuit requires some public
+parameters, called a *CRS* (common reference string), and generating
+these public parameters involves the creation of *private* parameters.
+Knowing these private parameters would allow for forging proofs;
+ensuring their destruction is paramount.
+
+To that end, systems don't simply generate these parameters,
+but instead go through a *setup ceremony*, involving many participants,
+such that the setup is secure so long as *at least one* participant
+destroys the private parameters they've used to contribute to the ceremony.
+
+This chapter describes the technical aspects of a ceremony
+setting up these parameters, based off of
+[KMSV21](https://eprint.iacr.org/2021/219) (Snarky Ceremonies),
+itself based off of [BGM17](https://eprint.iacr.org/2017/1050).
+We organize the information herein as follows:
+- The [Groth16 Recap](./setup/groth16_recap.md) section provides a brief recap of how the formulas and CRS structure for Groth16 work.
+- The [Discrete Logarithm Proofs](./setup/dlog_proofs.md) section describes a simple discrete logarithm proof we need for setup contributions.
+- The [Contributions](./setup/contributions.md) section describes
+the crux of the ceremony: how users make contributions to the parameters.
+
+## Notation
+
+We work with a triplet of groups $\mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T$, with an associated field of scalars $\mathbb{F}$, equipped with a pairing operation:
+$$
+\odot : \mathbb{G}_1 \times \mathbb{G}_2 \to \mathbb{G}_T
+$$
+We also have designated generator elements $G_1, G_2, G_T$
+for each of the respective groups, with $G_T = G_1 \odot G_2$.
+In the case of Penumbra, the concrete groups used are from [BLS12-377](https://neuromancer.sk/std/bls/BLS12-377).
+
+We take the convention that lowercase letters (e.g. $x, a$)
+are taken to be scalars in $\mathbb{F}$,
+and uppercase letters (e.g. $X, A$) are taken to be elements
+of $\mathbb{G}_1$, $\mathbb{G}_2$, or $\mathbb{G}_2$.
+
+For $i \in \{1, 2, T\}$, we use the shorthand:
+$$
+[x]_i := x \cdot G_i
+$$
+for scalar multiplication using one of the designated
+generators.
+
+All of the groups we work with being commutative, we use
+additive notation consistently.
+
+As an example of this use of additive notation,
+consider the following equation:
+$$
+([a]_1 + [b]_1) \odot [c]_2 = [ac + bc]_T
+$$
+
+As a somewhat unfortunate conflict of notation, we use $[n]$ to denote
+the set $\{1, \ldots, n\}$, and ${[s_i \mid i \in S]}$ to denote
+a list of elements, with $i$ ranging over a set $S$.
diff --git a/docs/protocol/src/setup/contributions.md b/docs/protocol/src/setup/contributions.md
@@ -0,0 +1,191 @@
+# Contributions
+
+In this section, we describe the contributions that make up a setup ceremony
+in more detail.
+We describe:
+- the high level idea behind the ceremony,
+- what contributions look like, and how to check their correctness,
+- how to check the correctness of the setup as a whole.
+
+## High Level Overview
+
+We break the CRS described [previously](./groth16_recap.md) into two parts:
+
+First, we have:
+
+- $[\alpha]_1, [\beta]_1, [\beta]_2$
+
+- $\displaystyle \left[x^i\right]_1\quad (i \in [0, \ldots, 2d - 2])$
+
+- $\displaystyle \left[x^i\right]_2\quad (i \in [0, \ldots, d - 1])$
+
+- $\displaystyle \left[\alpha x^i\right]_1\quad (i \in [0, \ldots, d - 1])$
+
+- $\displaystyle \left[\beta x^i\right]_1\quad (i \in [0, \ldots, d - 1])$
+
+
+Second, we have:
+
+- $[\delta]_1, [\delta]_2$
+
+- $\displaystyle \left[\frac{1}{\delta} p^{\alpha, \beta}_i(x)\right]_1\quad (i \geq s)$
+
+- $\displaystyle \left[\frac{t(x)}{\delta} x^i \right]_1\quad (i \in [0, \ldots, d - 2])$
+
+We split the ceremony into two phases, to calculate the first and second
+part of the CRS, respectively.
+The general idea in each ceremony is that the secret values of interest
+(e.g. $\alpha, x$ etc.) are shared multiplicatively, as
+$\alpha_1 \cdot \alpha_2 \ldots$, with each party having
+one of the shares.
+Because of this structure, given the current value of the CRS elements
+in a given phase, it's possible for a new party to add their contribution.
+For example, in the first phase, one can multiply each element
+by some combination $\alpha^{d_1} \cdot \beta^{d_2} \cdot x^{d_3}$,
+depending on the element,
+to get a new CRS element.
+
+Each contribution will come with a proof of knowledge for the new secret
+values contributed, which can also partially attest to how these secret
+values were used.
+However, this is not enough to guarantee that the resulting elements
+are a valid CRS: for this, we have a consistency check
+allowing us to check that the elements in a given phase
+have the correct internal structure.
+
+Each party can thus contribute one after the other, until
+enough contributions have been gathered through that phase.
+
+In order to link phase 1 and phase 2,
+we use the fact that with $\delta = 1$, the CRS elements of phase 2
+are linear combinations of those in phase 1.
+If we consider $t(x)x^i$, with $i$ up to $d - 2$,
+the largest monomial we'll find is $2d - 2$, since $t$ has degree at most $d$.
+In the first phase, we calculated these powers of $x$, and so can
+calculate these values by linear combination.
+We can do the same for:
+$$
+p_i^{\alpha, \beta}(x) = \alpha u_i(x) + \beta v_i(x) + w_i(x)
+$$
+since we have access to $\alpha x^i$ and $\beta x^i$ for sufficiently
+high degrees.
+
+## Phase 1
+
+Assuming we have the CRS elements of phase 1, a contribution involves
+fresh random scalars $\hat{\alpha}, \hat{\beta}, \hat{x}$, and produces
+the following elements:
+
+- $\hat{\alpha} \cdot [\alpha]_1, \hat{\beta} \cdot [\beta]_1, \hat{\beta} \cdot [\beta]_2$
+
+- $\hat{x}^i \cdot [x^i]_1\quad (i \in [0, \ldots, 2d - 2])$
+- $\hat{x}^i \cdot [x^i]_2\quad (i \in [0, \ldots, 2d - 2])$
+- $\hat{\alpha}\hat{x}^i \cdot [\alpha x^i]_1\quad (i \in [0, \ldots, d - 1])$
+- $\hat{\beta}\hat{x}^i \cdot [\beta x^i]_1\quad (i \in [0, \ldots, d - 1])$
+
+Additionally, a contribution includes three proofs:
+
+1. $\pi_1 \gets P_{\text{DL}}(\text{ctx}, \hat{\alpha} \cdot [\alpha]_1, [\alpha]_1; \hat{\alpha})$
+2. $\pi_2 \gets P_{\text{DL}}(\text{ctx}, \hat{\beta} \cdot [\beta]_1, [\beta]_1; \hat{\beta})$
+3. $\pi_3 \gets P_{\text{DL}}(\text{ctx}, \hat{x} \cdot [x]_1, [x]_1; \hat{x})$
+
+### Checking Correctness
+
+Given purported CRS elements:
+
+- $G_{\alpha}, G_{\beta}, H_{\beta}$
+
+- $G_{x^i}\quad (i \in [0, \ldots, 2d - 2])$
+
+- $H_{x^i}\quad (i \in [0, \ldots, 2d - 2])$
+
+- $\displaystyle G_{\alpha x^i}\quad (i \in [0, \ldots, d - 1])$
+
+- $\displaystyle G_{\beta x^i}\quad (i \in [0, \ldots, d - 1])$
+
+We can check their validity by ensuring the following checks hold:
+
+1. Check that each element is $G_\alpha, G_\beta, H_{\beta}, G_x, H_x \neq 0$ (the identity element in the respective groups).
+2. Check that $G_\beta \odot [1]_2 = [1]_1 \odot H_\beta$.
+3. Check that $G_{x^i} \odot [1]_2 = [1]_1 \odot H_{x^i} \quad (\forall i \in [0, \ldots, 2d - 2])$.
+4. Check that $G_{\alpha} \odot G_{x^i} = G_{\alpha x^i} \odot [1]_2 \quad (\forall i \in [0, \ldots, d- 1])$.
+4. Check that $G_{\beta} \odot G_{x^i} = G_{\beta x^i} \odot [1]_2 \quad (\forall i \in [0, \ldots, d- 1])$.
+4. Check that $G_{x} \odot G_{x^i} = G_{x^{i + 1}} \odot [1]_2 \quad (\forall i \in [0, \ldots, 2d - 3])$.
+
+### Checking Linkedness
+
+To check that CRS elements $G'_{\ldots}$ build off a prior CRS $G_{\ldots}$,
+one checks the included discrete logarithm proofs $\pi_1, \pi_2, \pi_3$, via:
+
+1. $V_{\text{DL}}(\text{ctx}, G'_\alpha, G_\alpha, \pi_1)$
+2. $V_{\text{DL}}(\text{ctx}, G'_\beta, G_\beta, \pi_2)$
+3. $V_{\text{DL}}(\text{ctx}, G'_x, G_x, \pi_3)$
+
+## Phase 2
+
+Assuming we have the CRS elements of phase 2, a contribution involves
+a fresh random scalar $\hat{\delta}$, and produces
+the following elements:
+
+- $\hat{\delta} \cdot [\delta]_1, \hat{\delta} \cdot [\delta]_2$
+
+- $\displaystyle \frac{1}{\hat{\delta}} \cdot \left[\frac{1}{\delta}p_i^{\alpha, \beta}(x)\right]_1\quad (i \geq s)$
+
+- $\displaystyle \frac{1}{\hat{\delta}} \cdot \left[\frac{1}{\delta}t(x)x^i\right]_1\quad (i \in [0, \ldots, d - 2])$
+
+Additionally, a contribution includes a proof:
+
+$$
+\pi \gets P_{\text{DL}}(\text{ctx}, \hat{\delta} \cdot [\delta]_1, [\delta]_1; \hat{\delta})
+$$
+
+### Checking Correctness 
+
+Assume that the elements $[p_i^{\alpha, \beta}(x)]_1\ (i \geq s)$ and $[t(x) x^i]_1\ (i \in [0, \ldots, d - 2])$ are known.
+
+Then, given purported CRS elements:
+
+- $G_\delta, H_\delta$
+- $G_{\frac{1}{\delta}p_i}\quad(i \geq s)$
+- $G_{\frac{1}{\delta}t_i}\quad(i \in [0, \ldots, d - 2])$
+
+We can check their validity by ensuring the following checks hold:
+
+1. Check that each element is $G_\delta, H_\delta \neq 0$ (the identity element in the respective groups).
+2. Check that $G_\delta \odot [1]_2 = [1]_1 \odot H_\delta$.
+3. Check that $G_{\frac{1}{\delta}p_i} \odot H_\delta = [p_i^{\alpha, \beta}]_1 \odot [1]_1\quad (\forall i \geq s)$.
+4. Check that $G_{\frac{1}{\delta}t_i} \odot H_\delta = [t(x) x^i]_1 \odot [1]_1\quad (\forall i \in [0, \ldots, d - 2])$.
+
+### Checking Linkedness
+
+To check that CRS elements $G'_{\ldots}$ build off a prior CRS $G_{\ldots}$,
+one checks the included discrete logarithm proof $\pi$, via:
+
+$$
+V_{\text{DL}}(\text{ctx}, G'_\delta, G_\delta, \pi)
+$$
+
+## Batched Pairing Checks
+
+Very often, we need to check equations of the form:
+$$
+\forall i.\ A_i \odot B = C \odot D_i
+$$
+(this would also work if the right hand side is of the form $D_i \odot C$, and vice versa).
+
+This equation is equivalent to checking:
+$$
+\forall i.\ A_i \odot B - C \odot D_i = 0
+$$
+If you pick random scalars $r_i$ from a set $S$, then except with probability
+$|S|^{-1}$, this is equivalent to checking:
+$$
+\sum_i r_i \cdot (A_i \odot B - C \odot D_i) = 0
+$$
+By the homomorphic properties of a pairing, this is the same as:
+$$
+\left(\sum_i r_i \cdot A_i\right) \odot B - C \odot \left(\sum_i r_i \cdot D_i\right)
+$$
+
+Instead of checking $2N$ pairings, we can instead perform $2$ MSMs
+of size $N$, and then $2$ pairings, which is more performant.
diff --git a/docs/protocol/src/setup/dlog_proofs.md b/docs/protocol/src/setup/dlog_proofs.md
@@ -0,0 +1,54 @@
+# Discrete Logarithm Proofs
+
+One gadget we'll need is a way to have ZK proofs for the following relation:
+$$
+\{(W, X; w) \mid W = w \cdot X\}
+$$
+(with $w$ kept secret).
+
+In other words, one needs to prove knowledge of the discrete logarithm
+of $W$ with regards to $X$.
+
+The notation we'll use here is
+$$
+\pi \gets P_{\text{DL}}(\text{ctx}, W, X; w)
+$$
+for generating a proof (with some arbitrary context string $\text{ctx}$), using the public statement $(W, X)$ and the witness $w$,
+as well as:
+$$
+V_{\text{DL}}(\text{ctx}, W, X, \pi)
+$$
+for verifying that proof, using the same context and statement.
+
+The proof should fail to verify if the context or statement
+don't match, or if the proof wasn't produced correctly, of course.
+
+## How They Work
+
+(You can safely skip this part, if you don't actually
+need to know how they work).
+
+These are standard Maurer / Schnorr-esque proofs, making use of
+a hash function
+$$
+H : \{0, 1\}^* \times \mathbb{G}^3 \to \mathbb{F}
+$$
+modelled as a random oracle.
+
+**Proving**
+
+$$
+\begin{aligned}
+&P_{\text{DL}}(\text{ctx}, X, Y; w) :=\cr
+&\quad k \xleftarrow{\$} \mathbb{F}\cr
+&\quad K \gets k \cdot Y\cr
+&\quad e \gets H(\text{ctx}, (X, Y, K))\cr
+&\quad (K, k + e \cdot x)\cr
+\end{aligned}
+$$
+
+**Verification**
+
+$$
+V_{\text{DL}}(\text{ctx}, X, Y, \pi = (K, s)) := s \cdot G \overset{?}{=} K + H(\text{ctx}, (X, Y, K)) \cdot X
+$$