Skip to content

Commit

Permalink
feat: added multi party computation
Browse files Browse the repository at this point in the history
  • Loading branch information
@mmsaki
mmsaki committed Feb 21, 2023
1 parent 8f81b3c commit 9d847a5
Showing 1 changed file with 112 additions and 0 deletions.
112 changes: 112 additions & 0 deletions examples/power_of_tau/readme.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,112 @@
# Performing a trusted setup using a multi-party computation protocol (MPC)

The zkSNARK schemes supported by ZoKrates require a trusted setup. This procedure must be run to generate the proving and verification keys. This procedure generates some data often referred to as 'toxic waste' which can be used to create fake roofs which will be accepted by the verifier. The entity running the trusted setup is trusted to delete this toxic waste. Using an MPC protocol, we can run the trusted setup in a decentralized way, so that this responsibility is shared among all participants of the setup. If at least one participant is honest and deletes their part of the toxic waste, the so false proofs can be created by anyone. This section if the book describes the steps to perform a trusted setup for the Groth16 scheme.

## Pre-requisites

The trusted setup is done in two steps. The first step, also known as "phase 1", does not depend on the program and is called Powers of Tau. The second step is called "phase 2" and is circuit-specific, so it should e done separately for each different program. The Ethereum community runs a phase 1 setup called [Perpetual Powers of Tau](https://github.com/weijiekoh/perpetualpowersoftau).

## Compiling a circuit

1. Create `circuit.zok` file inside `coordinator/` directory with the following code:

```zokrates
def main(private field a, private field b) -> {
return a * b;
}
```

2. Compile the program:

```bash
zokrates compile -i circuit.zok -o circuit --curve bls12_381
```

3. Grab a file which contains the parameters for our circuit with depth 2:

```bash
wget https://download.z.cash/downloads/powersoftau/phase1radix2m2
```

4. Initialize a phase 2 ceremony:

```bash
zokrates mpc init -i circuit -o mpc.params -r ./phase1radix2m2
```

5. We conduct the ceremony between 3 participants: Alice, Bob and Charlie, who will run the contributions in sequential order, managed by a coordinator (us). We send `mpc.params` to `alice/`.

```bash
mkdir ../alice && mv mpc.params ../alice && cd ../alice
```

5. Alice must give some randomness to the contribution, which is done by the -e flag on the following command:

```bash
zokrates mpc contribute -i mpc.params -o alice.params -e "alice 1" --curve bls12_381
```

Examples of entropy sources:

- `/dev/urandom` from one or more devices
- The most recent block hash
- Randomly mashing keys on the keyboard

6. The output of alice `alice.params` is sent to `bob/`, using `mkdir ../bob && mv alice.params ../bob && cd ../bob`,

```bash
zokrates mpc contribute -i alice.params -o bob.params -e "bob 2" --curve bls12_381
```

7. The output of bob `bob.params` is sent to `charlie/`, using `mkdir ../charlie && mv bob.params ../charlie && cd ../charlie`, and charlie wil run the following command:

```bash
zokrates mpc contribute -i bob.params -o charlie.params -e "charlie 3" --curve bls12_381
```

8. To finalize the ceremony, we (coordinator?)`mv charlie.params ../coordinator && cd ../coordinator`,, can apply a random beacon to get the final parameters:

```bash
zokrates mpc beacon -i charlie.params -o final.params -h b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9 -n 10 --curve bls12_381
```

The random beacon is the 2^n iteration of SHA256 over the hash evaluated on some high entropy and publicly available data. Possible sources of data could be:

- The closing value of the stock market on a certain date
- The output of a selected set of national lotteries
- The value of a block at a particular height in one or more blockchains
- [League of Entropy](https://www.cloudflare.com/leagueofentropy/) (drand)

9. At any point in the ceremony we can verify contributions by running the following command:

```bash
zokrates mpc verify -i final.params -c circuit -r ./phase1radix2m2
```

10. Exporting keys. Once the ceremony is finalized, we can export the keys and use them to generate proofs and verify them:

```bash
zokrates mpc export -i final.params
```

Use keys to generate proofs and verify.

```bash
zokrates compute-witness -i circuit -a 123456789 987654321 --verbose
```

Generate proof

```bash
zokrates generate-proof -i circuit -b bellman
```

Verify proof

```bash
zokrates verify -b bellman
```

## Conclusion

The secure generation of parameters for zk-SNARKs is a crucial step in the trustworthiness of the resulting proof system. The security of the ceremony relies entirely on the fact that at least one participant needs to securely delete their "toxic waste" for the resulting parameters to be generated honestly. Opening the ceremony to a large number of participants reduces the probability that the resulting parameters are dishonest. Once the ceremony is finalized, we can generate a verifier smart contract by using the keys we obtained through the trusted setup ceremony. At this point, we can safely deploy the contract and verify proofs on-chain.

0 comments on commit 9d847a5

Please sign in to comment.