Try   HackMD

Trusted Setup: KZG and PST

KZG trusted setup

First Player

First player has secret

s and generates
[s]1,[s2]1...
as well as the "check" point
[s]2

Second Player

then second player generates secret

t and takes the first sequence and generates
[ts]1,[t2s2]1...[ts]1,[(ts)2]1,...
and also update a running "check" point
[t]2,[st]2

Verifications

Then contribution of second player can be checked:

Tau update check:

Check second player really took last valid contribution:

e([s]1,[t]2)==e([ts]1,G2)

Consecutive powers check

Check second player really updated each consecutive term by multiplying by his secret again (t, t², etc)

e([(st)2,G2)==e([st]1,[st]2)e([(st)3,G2)==e([(st)2]1,[st]2)...

Optional: G2 check

If needed, (and in Testudo we will need), players can also submit a full "chain" on G2 as well. In this case, we can simply check the pairing between
the element in G1 and elements in G2, like:

e([st]1,G2)==e(G1,[st]2)e([(st)2]1,G2)==e(G1,[(st)2]2)...

PST trusted setup

Notation: Let

s1,,sn be in
Zq or
s=[s1,,sn] Let
i{0,1}n, we can denote
i=[i1in] with
ij{0,1}. Then with
si we denote the value
jsjij. We note
<tisi> the Hadamard product between vectors
{[si]1}i=0n and
{[ti]1}i=0n (in other words, generate all possible polynomials from
2n possibilities on
s and
t and compute the product entry-wise.)

On both

G1 and
G2

First player

First player with random coefficeints

t generates:
A1=[s1]1,[s1s2]1,[s2]1...={[si]1}i=0nA2=[s1]2,[s1s2]2,[s2]2...={[si]2}

Second player

Second player generates:

B1=[(t1)s1]1,[(t1t2)s1s2]1,[(t2)s2]1...={[<tisi>]1}B2=[(t1)s1]2,[(t1t2)s1s2]2,[(t2)s2]2...={[<tisi>]2}
which is the entry wise multiplication of the two random vectors

Also for verification it is needed to share:

T=[ti]1

Verification steps

Tau update check

Check new player really used last valid contribution (from first player) to build its chain of

G1 elements (
B):

i{0,1}n:e([ti]1,[si]2)==e(<tisi>,G2)
or written differently
e(T[i],A2[i])==e(B1[i],G2)

G2 / G1 check: same element are used in both groups

i0...n:e(B1[i],G2)==e(G1,B2[i])
or written differently
i0...n:e([<tisi>]1,G2)==e(G1,[<tisi>]2)

Doing it efficiently

  • Second verification should not perform 2 * n pairings, but rather use linear combination of pairings results

Derive randomness

u, then
Q=i([si]2)uiP=i([ti]1)uiR=iB1[i]uiS=iB2[i]ui
then do
e(R,G2)==e(G1,S)

The second check will resolve to:

e(iB1[i]ui,G2)==e(G1,iB2[i]ui)e([iui<tisi>[i]]1,G2)=e(G1,[iui<tisi>[i]]2)

TODO: How to do for first check ? linear comb doesn't work - only batch millerloop + final exponentiation will make it work ?

Last changed by 
Nicolas Gailly
4
358

Read more

Lagrange ZKsync Prover

Setup instructions to run a Lagrange ZKsync prover

Dec 23, 2024
Groth16 aggregation with public input trick

Regular Groth 16 CRS Random $\tau$ chosen during trusted setup as well as $\alpha$, $\beta$ $n$ is number of gates. $u_i$, $v_i$ and $w_i$ are the QAP polynomials created from the R1CS circuit $SRS = {g_1^\alpha, g_1^\beta, g_1^\delta, {{ g_1^{\tau^i}}, {g_1^{\alpha \tau^i}}, {g_1^{\beta \tau^i}}}{i=0}^{n-1}, {g_1^{\beta u_i(\tau) + \alpha v_i(\tau) + w_i(\tau)}}{i=0}^n}, {g^{\frac{\tau^it(x)}{\delta}}}{i=0}^{n-1},\g_2^\beta, g_2^\delta, {g_2^{\tau ^i}}{i=0}^{n-1}}$ Prover Settings:

Apr 15, 2023
Efficient threshold BLS & Encryption

This post explains an inherent tension between threshold BLS signature and Elgamal encryption for onchain verification, and then presents a way to augment such threshold network such that a smart contract can efficiently verify a signature and decrypt/verify encryption onchain. 21/03/23, Nicolas Gailly, Cryptonet team, Protocol Labs. Introduction For encryption/decryption and signing, we (usually) require a group, i.e. a single elliptic curve. However, using pairings, we have to choose between $\mathbb{G_1}$ and $\mathbb{G_2}$ (and even $\mathbb{G_t}$), each group have their pros and cons depending on the cryptographic protocol we want to use. In practice, $\mathbb{G_1}$ is usually preferred given it is much shorter and faster to compute in it, than its counter-parties. This choice of group comes up when designing threshold networks. Indeed, there is a distributed key lying in a group $\mathbb{G}$ which could be any of the three groups aforementioned. In particular, when using pairing equipped curves, a threshold network can be used to create threshold BLS signatures but it can also be used as a decryption oracle. In the latter, users encrypts towards the threshold network and push the encryption on-chain. This posts shows the pros and cons of using $\mathbb{G_1}$ and $\mathbb{G_2}$ for each and shows there is a tension between the two. This posts then shows a simple solution to get the best of both worlds. The technique is heavily inspired by a post by Kobi Gurkan on efficient multisignature verification onchain, translated to the threshold setting.

Mar 21, 2023
DKG Share Recovery

DKG in a few lines Each node $i$: has a private polynomial $$f_i(x) = a_0 + ... + a_{t-1}x^{t-1}$$ From that get the public poly $$F_i(x) = f_i(x) * G$$ generate shares for others $$s_{i,j} = f_i(j)$$ then sum each share it receives (from QUALified participants) + its own: final share is $$s_i = \sum_j s_{j,i}$$ final public polynomial $$F(x) = \sum_i F_i(x)$$

Oct 27, 2022
Read more from Nicolas Gailly
Published on HackMD