Trusted setup?

Question

Trusted setup?

Opened this issue 3 years ago · 8 comments

I'm wondering how trusted setup works in PySNARK.

When I output a proof, say in Bellman with zkinterface, it outputs both the constraints and the witness. Does that mean that the setup is done by the prover and there is no external trusted setup?

Answer 1 · 2021-06-09T20:06:41.000Z

Never mind. It's in the README.

Answer 2 · 2021-06-10T13:41:31.000Z

Actually, the readme talks about qaptools. How would it work for zkinterface?

Answer 3 · 2021-06-11T21:45:26.000Z

Details would depend on which backend you use for zkinterface, but at a high level it is similar to qaptools. For example, in the bellman case: examples meilof$ PYSNARK_BACKEND=zkifbellman python3 cube.py 33

The cube of 33 is 35937 *** zkinterface: writing circuit *** zkinterface: writing witness *** zkinterface: writing constraints *** zkinterface circuit, witness, constraints written to 'computation.zkif', size 656

This is done both by the prover and the trusted party. Computation.zkif does not need to be distributed.

examples meilof$ cat computation.zkif | zkif_bellman setup Written parameters into /Users/meilof/Subversion/pysnark/examples/bellman-pk

This is done by the trusted party to generate key material bellman-pk, which can then be distributed to prover and verifier.

examples meilof$ cat computation.zkif | zkif_bellman prove Reading parameters from /Users/meilof/Subversion/pysnark/examples/bellman-pk Written proof into /Users/meilof/Subversion/pysnark/examples/bellman-proof

This is done by the prover. Proof can be distributed to verifier.

examples meilof$ cat computation.zkif | zkif_bellman verify Reading parameters from /Users/meilof/Subversion/pysnark/examples/bellman-pk Reading proof from /Users/meilof/Subversion/pysnark/examples/bellman-proof The proof is valid.

This is done by the verifier.

…

On Thu, Jun 10, 2021 at 3:41 PM Glenn Xavier ***@***.***> wrote: Actually, the readme talks about qaptools. How would it work for zkinterface? — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#24 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ACAJUUZY6ZOE4ACU5A3CAX3TSC6JZANCNFSM46MVT75A> .

-- Meilof -- ***@***.***

Answer 4 · 2021-06-11T21:54:33.000Z

And for bulletproofs, a trusted setup should not be needed... Op vr 11 jun. 2021 om 23:45 schreef Meilof Veeningen ***@***.***>

Details would depend on which backend you use for zkinterface, but at a high level it is similar to qaptools. For example, in the bellman case: examples meilof$ PYSNARK_BACKEND=zkifbellman python3 cube.py 33 > > The cube of 33 is 35937 > > *** zkinterface: writing circuit > > *** zkinterface: writing witness > > *** zkinterface: writing constraints > > *** zkinterface circuit, witness, constraints written to > 'computation.zkif', size 656 > This is done both by the prover and the trusted party. Computation.zkif does not need to be distributed. > examples meilof$ cat computation.zkif | zkif_bellman setup > > Written parameters into > /Users/meilof/Subversion/pysnark/examples/bellman-pk > This is done by the trusted party to generate key material bellman-pk, which can then be distributed to prover and verifier. > examples meilof$ cat computation.zkif | zkif_bellman prove > > Reading parameters from > /Users/meilof/Subversion/pysnark/examples/bellman-pk > > Written proof into /Users/meilof/Subversion/pysnark/examples/bellman-proof > This is done by the prover. Proof can be distributed to verifier. > examples meilof$ cat computation.zkif | zkif_bellman verify > > Reading parameters from > /Users/meilof/Subversion/pysnark/examples/bellman-pk > > Reading proof from /Users/meilof/Subversion/pysnark/examples/bellman-proof > > The proof is valid. > This is done by the verifier. On Thu, Jun 10, 2021 at 3:41 PM Glenn Xavier ***@***.***> wrote: > Actually, the readme talks about qaptools. How would it work for > zkinterface? > > — > You are receiving this because you are subscribed to this thread. > Reply to this email directly, view it on GitHub > <#24 (comment)>, or > unsubscribe > <https://github.com/notifications/unsubscribe-auth/ACAJUUZY6ZOE4ACU5A3CAX3TSC6JZANCNFSM46MVT75A> > . > -- Meilof -- ***@***.***

-- Meilof -- ***@***.***

Answer 5 · 2021-06-13T09:55:50.000Z

I changed the zkinterface backend a bit so that it now generates a zkif file that contains the witness and a file that does not contain the witness (which the trusted party can then freely distributed). I also updated the README.

Answer 6 · 2021-06-25T15:37:25.000Z

I'm having trouble using the new changes with the zkinterface tool. The zkInterface tool says the output violates the specification. Not entirely sure why.

PYSNARK_BACKEND=zkinterface python3 cube.py 10
cat computation.zkif | zkif validate

The statement is NOT COMPLIANT with the specification!
Violations:
- variable_0 was defined but not used.

Answer 7 · 2021-08-07T14:28:05.000Z

As you mentioned, this problem seems to only occur in programs which never use constants (which unfortunately happens to be the case for the cube.py). It may be a bit overkill to fix this in pysnark. Especially since at first glance it seems wrong that the zkinterface specification should demand this.

By the way, I get more error message, do you get these as well?

The statement is NOT COMPLIANT with the specification!
Violations:
- Multiple headers.
- Multiple definition of the value of the instance variable_1
- Multiple definition of the value of the instance variable_2
- variable_0 was defined but not used.

Error: "Found 4 violations."

Answer 8 · 2021-08-09T14:35:17.000Z

Yes, I get the "multiple definition" issue. It looks like the zkinterface tool reads all .zkif files in the working directory. If you remove either circuit.zkif or computation.zkif it fixes the issue.