Try   HackMD

Introducing gnark: a fast zero-knowledge proof library

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

We are proud to introduce gnark-a fast, open-source library for zero-knowledge proof protocols written in Go.

gnark at a glance:

  • gnark offers a high-level API and CLI that makes it easy for developers to write functions and produce zero-knowledge proofs for those functions.
  • gnark currently supports the Groth16 zk-SNARK protocol. We intend to add support for other protocols in the future.
  • gnark is faster than bellman, which is a popular state-of-the-art implementation of Groth16. (See our benchmarks below.)
  • The source code for gnark is available on GitHub under the Apache 2.0 License.

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →
Warning
Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

gnark has not been independently audited and is provided "as-is". Use gnark at your own risk. gnark offers no security guarantees such as constant-time implementation or side-channel attack resistance.

Zero-knowledge proofs in 2020

A zero-knowledge proof (ZKP) provides cryptographic assurance of computational integrity and privacy.

Let's unpack those terms:

  1. Computational integrity. Alice wishes to convince Bob that she executed a program
    P     correctly on input
    x    , obtaining output
    y=P(x)    . The cost to Bob must be far smaller than the cost of simply executing
    P     himself.
  2. Privacy. Alice wishes to convince Bob that she knows a secret input
    x     that leads to the output
    y=P(x)     without revealing any information about
    x     to Bob.

These features are well-suited to decentralized finance. For example:

  • Computational integrity enables incredible advances in scalability-up to thousands of transactions per second!-as exemplified by projects such as ZK-Rollup for Ethereum.
  • Privacy enables confidential, anonymous transactions as exemplified by projects such as ZCash.

You may have heard the term zk-SNARK (zero-knowledge Succinct Non-interactive ARgument of Knowledge). It refers to a class of ZKPs that meet certain specific conditions on the costs borne by the parties in a ZKP protocol. For simplicity in this article we prefer the term zero-knowledge proof (ZKP).

ZKP is a very active area of academic research with improvments and new protocols announced week-by-week. For example, according to this overview article we saw the following new ZKP protocols in 2019: Libra, Sonic, SuperSonic, PLONK, SLONK, Halo, Marlin, Fractal, Spartan, Succinct Aurora, RedShift, AirAssembly.

There are many good expositions of ZKPs. We recommend this explainer by the fine people behind ZCash and this curated list of references.

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

Why gnark ?

In our discussions on ZKPs with clients, solutions architects, and applied cryptographers we consistently heard:

  1. ZKPs are complicated, hard to understand
  2. ZKPs are hard to use
  3. ZKPs are too slow

gnark aims to address these issues and propose an enterprise-grade library, enabling a normal development cycle for ZKPs, with flexible integration into complex solutions.

How to use gnark: a simple example

The gnark source code includes several examples.

In the /examples/cubic directory you'll find an implementation of the very simple example used by Vitalik Buterin in his ZKP explainer from 2016. Given some publicly known number

y, Alice wishes to prove to Bob that she knows a number
x satisfying the cubic equation
x3+x+5=y.

You'll find here a code walkthrough, but here is what this circuit definition looks like:

// CubicCircuit defines a simple circuit
// x**3 + x + 5 == y
type CubicCircuit struct {
	// struct tags on a variable is optional
	// default uses variable name and secret visibility.
	X frontend.Variable `gnark:"x"`
	Y frontend.Variable `gnark:",public"`
}

// Define declares the circuit constraints
// x**3 + x + 5 == y
func (circuit *CubicCircuit) Define(curveID gurvy.ID, cs *frontend.ConstraintSystem) error {
	x3 := cs.Mul(circuit.X, circuit.X, circuit.X)
	cs.AssertIsEqual(circuit.Y, cs.Add(x3, circuit.X, 5))
	return nil
}

gnark exposes the conventional ZKP algorithms (Setup, Prove, Verify) through a command-line interface (gnark setup, gnark prove, gnark verify) and through a Go API as follows:

APIs

pk, vk := groth16.Setup(r1cs)
proof, err := groth16.Prove(r1cs, pk, solution)
err := groth16.Verify(proof, vk, solution)

Command line interface

cd examples/cubic
go run cubic.go
gnark setup circuit.r1cs
gnark prove circuit.r1cs --pk circuit.pk --input input.json
gnark verify circuit.proof --vk circuit.vk --input input.json

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →
Visit our GitHub for more details on:

  • How to use the CLI and API to generate ZKPs for your own custom functions.
  • How to leverage our standard library of ZKPs for common building blocks such as hash functions, Merkle paths, digital signatures, etc.
  • How to integrate gnark in your project.

gnark is fast!

We compare our work to bellman, a state-of-the-art implementation of the Groth16 ZKP protocol developed for ZCash and used in multiple projects such as Filecoin, Matter Labs, ZoKrates.

It is difficult to fairly and accurately compare benchmarks among libraries. Some implementations may excel in conditions where others may not: target (web assembly, embedded, ) or available instruction set, CPUs and RAM may have significant impact.

Nonetheless, it appears that gnark is faster than state-of-the-art.

Here are our measurements for the Prover. These benchmarks ran on a AWS c5a.24xlarge instance, with hyperthreading disabled.

The same circuit is benchmarked using gnark, bellman (bls381, ZCash), bellman_ce (bn256, matterlabs).

BN256

nb constraints 100000 32000000 64000000
bellman_ce (s/op) 0.43 106 214.8
gnark (s/op) 0.16 33.9 63.4
speedup x2.6 x3.1 x3.4

On large circuits, that's over 1M constraints per second.

BLS381

nb constraints 100000 32000000 64000000
bellman (s/op) 0.6 158 316.8
gnark (s/op) 0.23 47.6 90.7
speedup x2.7 x3.3 x3.5
Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

Some of these performance improvements come from goff, a blazingly fast field arithmetics library we built in Go. For more information check out our announcement article on goff.

Why write in Go?

gnark users write their ZKP functions in plain Go. In contrast to other ZKP libraries, we chose to not develop our own language and compiler. Here's why:

  • Go is a mature and widely used language with a robust toolchain.
  • Developers can debug, document, test and benchmark their circuits as they would with any other Go program.
  • Circuits can be versioned, unit-tested and used in standard continious-delivery workflows.
  • IDE integration (we use VSCode) and all these features come for free and are stable accross platforms.

Moreover, gnark exposes its APIs like any conventional cryptographic library (think aes.encrypt([]byte)). Complex solutions need this flexibility - gRPC/REST APIs, serialization protocols, monitoring, logging, are all few lines of code away!

What's next?

We released gnark in 0.3.0. Expect significant changes as we add new ZKP schemes and complete our preliminary work on security / threat model. Future work includes:

  • documentation and tutorials
  • extensive testing
  • refining developer experience
  • new components in gnark standard library (aka gadgets)
  • easier integration (gRPC APIs , Solidity verifier export, )
  • security audit
  • new constructs (PLONK , )
  • further optimizations

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →
Issues, new features suggestions and PRs are welcome.

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →
gnark was written by Gautam Botrel, Gus Gutoski, and Thomas Piellard.

We’re a research team at ConsenSys. If you are interested in our work (fast finite field arithmetic, elliptic curve pairings, zero-knowledge proofs), give us a shout.

Last changed by 
gnark
We’re a research team @Consensys / Linea. We work on zero knowledge proof systems.
0
4
10859

Read more

What changes for BW6-761?

Authors: Youssef El Housni (ConsenSys, GRACE) and Aurore Guillevic (Inria, Aarhus University) Last year in [HG20], we introduced the BW6-761 curve which is a pairing-friendly curve that forms a 2-chain with BLS12-377 (previously introduced in ZEXE). That is, BW6-761 has a subgroup order $r$ precisely equal to the characteristic $q$ of the base field on which BLS12-377 is defined. In a recent work [HG21], we generalised the curve construction, the pairing formulas ($e : \mathbb{G}_1 \times \mathbb{G}_2 → \mathbb{G}_T$) and the group operations to any BW6 curve defined on top of any BLS12 curve, forming a family of 2-chain pairing-friendly curves. We also investigated other possible 2-chain families, and much more (read the paper!). Since BW6-761 is already implemented in few projects (gnark-crypto, arkworks, EY/libff, kilic/bw6 and constantine) and is used in production (Celo, Aleo), natural questions arise: What changes for BW6-761 after this work? Is the new formulas backward-compatible with the current implementations? If not, does it worth switching? The new general construction where BW6-761 would fall, is coherent with the groups operations and pairing formulae found previously in [HG20]. However, we found new pairing algorithms that are faster. In this note, we try to shed light on the differences and the backward compatibilty. Pairing computation Given $P \in \mathbb{G}_1$ and $Q \in \mathbb{G}_2$, a pairing computation for BW6 is

Oct 12, 2022
Yet another curve, but THE curve for your KZG!

With my co-authors Aurore Guillevic and Diego F. Aranha, we published on ePrint mid-May a survey of elliptic curves for proof systems (ePrint 2022/586). Recently, there have been many tailored constructions of these curves that aim at efficiently implementing different kinds of proof systems. In that survey we provide the reader with a comprehensive view on existing work and revisit the contributions in terms of efficiency and security. We present an overview at three stages of the process: curves to instantiate a SNARK, curves to instantiate a recursive SNARK, and curves to express an elliptic-curve related statement. In this post, we are only interested in the first case. For pairing-based SNARKs, such as the circuit-specific Groth16 [1], bilinear pairings ($e:\mathbb{G}_1\times \mathbb{G}_2 \rightarrow \mathbb{G}_T$) are needed for the proof verification. For universal SNARKs, such as PLONK [2] or Marlin [3], a polynomial commitment scheme is needed. An example of an efficient one is the Kate-Zaverucha-Goldberg (KZG) scheme [4]. The verifier needs to verify some polynomial openings using bilinear pairings. So far, for both circuit-specific and universal constructions, the verification algorithms boil down mainly to pairing computations. However, the prover work is not the same. For Groth16, it is mainly multi-scalar-multiplications (MSM) in both $\mathbb{G}_1$ and $\mathbb{G}_2$ while for KZG-based schemes it is mainly MSMs in $\mathbb{G}_1$ only. In section 4 of the survey paper, we look at a particular family of pairing-friendly elliptic curves suitable for KZG. We derive algorithm 6 to tailor this family to the SNARK context. Note that KZG is also useful for other compelling applications such as Verkle trees for blockchain stateless clients. Pairing-friendly curves

Jun 14, 2022
BW6 over BLS12-381

Authors: Youssef El Housni (ConsenSys, GRACE) and Aurore Guillevic (inria) Following the recent work on FFT over non-smooth fields (ECFFT), it might be viable to instantiate a SNARK with an elliptic curve of non-smooth subgroup order. Particularly, one layer SNARK composition can be achieved with less constraints for the choice of curves. In this note we propose a 2-chain based on the widely used BL12-381 curve. The outer curve is a BW6 with a subgroup order 2-adicity equal to one. ECFFT For smooth finite fields $\mathbb{F_q}$ (i.e., when $q−1$ factors into small primes) the Fast Fourier Transform (FFT) leads to the fastest known algebraic algorithms for many basic polynomial operations, such as multiplication, division, interpolation and multi-point evaluation. However, the same operations over fields with no smooth order root of unity suffer from an asymptotic slowdown. [In a recent work by Ben-Sasson, Carmon, Kopparty and Levit, called ECFFT, the authors proposed a new approach to fast algorithms for polynomial operations over all large finite fields.] The key idea is to replace the group of roots of unity with a set of points $L \subset F$ suitably related to a well-chosen elliptic curve group (the set $L$ itself is not a group). The key advantage of this approach is that elliptic curve groups can be of any size in the Hasse-Weil interval $[q+1\pm2\sqrt{q}]$ and thus can have subgroups of large, smooth order, which an FFT-like divide and conquer algorithm can exploit. (From the paper's abstract) 2-chains

Jun 2, 2022
Benchmarking pairing-friendly elliptic curves libraries

last benchmark update: 29/01/21 There are several pairing-friendly elliptic curves libraries used in zero-knowledge proofs (ZKP) projects. Typically, the most important elliptic curve operations in ZKP schemes are "multi scalar multiplication" (MSM) and "pairing product" (PP). This writeup is a try to benchmark and compare the building blocks of these operations in two different architechtures. In fact, since MSM and PP are size-dependant, we focus on timings of mixed addition in G1/G2, doubling in G1/G2, Miller loop and Final exponentiation. The libraries are written in different languages with different software and mathematical optimizations, and with more or less assembly code. The target curves are: BN254, BLS12-381, BLS12-377 and BW6-761. The chosen libraries are:

Apr 22, 2021
Read more from gnark
Published on HackMD