Pairing based SNARKs require the generation of certain parameters in order to achieve high efficiency (small proof sizes, fast proving and verifying time). These parameters are generated by another set of parameters which MUST remain secret. We call these secret parameters the "toxic waste". If a prover knows these secrets, then they can generate valid proofs for invalid statements, breaking soundness. This is undesired!
In order to guarantee that no prover will ever know these secrets, we can generate them in a distributed manner. Each participant in this so-called "ceremony" will contribute to the generation of the parameters with their own secret. If at least 1 participant is honest and destroys their secret, then there should be no way for a malicious prover to create fake proofs.
This repository contains implementations for the BGM17 multi party computation. The ceremony is split in two phases, one which generates the Powers of Tau, and one which "specializes" them to the provided arithmetic circuit for the Groth16 SNARK.
Note that the generated Powers of Tau can be re-used for any other Phase 2 setup, or for instantiating other mechanisms, such as the KZG10 polynomial commitment scheme.
For instructions on how to ensure that the ceremony is executed properly, refer to RECOMMENDATIONS.md
- A coordinator generates an accumulator
- Participant downloads the latest accumulator
- Participant contributes their randomness to the accumulator (randomness is permantently deleted after this step)
- Participant uploads the accumulator back to the coordinator
- Coordinator verifies the accumulator was transformed correctly and produces a new challenge
The notable part about this procedure, is that it _never_has to end. This is what allows SNARKs utilizing KZG10 to have a "continuous" setup. If a participant does not trust the setup, they themselves can contribute to the Powers of Tau, and instantiate KZG10 with the new parameters.
- Coordinator "prepares" the parameters from Phase 1 and converts them to Lagrange Coefficients
- Participant downloads the latest state of the parameters
- Participant contributes their randomness to the parameters (randomness is permantently deleted after this step)
- Participant uploads the parameters back to the coordinator
- Coordinator verifies the accumulator was transformed correctly
- Loop from 2 for all participants
This produces parameters which can then be used for constructing Groth16 SNARKs for that circuit. The setup is sound so long as 1 party was honest and destroyed their "toxic waste" in step 3.
Build with cargo build (--release). You will receive a phase1 and prepare_phase2 binary in the target/ directory.
Test with cargo test --all.
Benchmark with cargo bench --all (uses criterion)
If contributing, do not forget to run cargo fmt and cargo clippy --all-targets --all-features -- -D warnings
All crates require Rust 2018 edition and are tested on the following channels:
1.39.0stable
If you do not have Rust installed, run: curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
This repository contains several Rust crates that implement the different building blocks of the MPC. The high-level structure of the repository is as follows:
phase1: Rust crate that provides an accumulator for Powers of Tau. It runs multithreaded and works in "batches", allowing large powers to be calculated in resource constrained environmentsphase2: Rust crate that provides a wrapper over Groth16's parameters which also contains a verifiable transcript of the so-far contributions to the specialization phasesetup1-contributor: Rust crate for the Aleo Setup I contributorsetup1-verifier: Rust crate for the Aleo Setup I verifiersetup2: Rust crate for running Aleo Setup IIsetup-utils: Utility functions shared across crates, involving i/o, mathematical operations and errors.
This library is a collection of repositories licensed under different standard licenses. Please refer to each individual repository for its respective license.