Try   HackMD

Groth16 aggregation with public input trick

Regular Groth 16

CRS

  • Random
    τ     chosen during trusted setup as well as
    α    ,
    β
  • n     is number of gates.
  • ui    ,
    vi     and
    wi     are the QAP polynomials created from the R1CS circuit

SRS={g1αg1β,g1δ,{{g1τi},{g1ατi},{g1βτi}}i=0n1,{g1βui(τ)+αvi(τ)+wi(τ)}i=0n},{gτit(x)δ}i=0n1,g2β,g2δ,{g2τi}i=0n1}

Prover

Settings:

  • Regular proof is
    π=(A,B,C)    .
  • l+1     is number of public inputs (+1 as first public input is "1" in R1CS)
  • Vector of public inputs
    ϕ=(a0,,al)

Extension:
Prover computes the regular proof and computes the following additionally

  • S=g1i=0lai(βui(τ)+αvi(τ)+wi(τ))

  • Derive random challenge

    z=H(ϕ,π,S)

  • Compute the three following elements.

    • U=g2i=0lai(ui(τ)ui(z)τz)
    • V=g2i=0lai(vi(τ)vi(z)τz)
    • W=g2i=0lai(wi(τ)wi(z)τz)

  • Proof is

    (π,S,U,V,W)

Verifier

  • Compute the following three elements
    uz,vz,wzFr    :
    • uz=i=0lui(z)
    • vz=i=0lvi(z)
    • wz=i=0lwi(z)
  • Check as usual
    • e(A,B)=e(g1α,g2β)e(S,g2)e(C,g2δ)
  • Check public input construction
    • e(Sg1βuzαvzwz,g2)=e(g1βτβz,U)e(g1αταz,V)e(g1τz,W)
    • These computations are done using the CRS
Last changed by 
Nicolas Gailly
0
1
992

Read more

Lagrange ZKsync Prover

Setup instructions to run a Lagrange ZKsync prover

Dec 23, 2024
Efficient threshold BLS & Encryption

This post explains an inherent tension between threshold BLS signature and Elgamal encryption for onchain verification, and then presents a way to augment such threshold network such that a smart contract can efficiently verify a signature and decrypt/verify encryption onchain. 21/03/23, Nicolas Gailly, Cryptonet team, Protocol Labs. Introduction For encryption/decryption and signing, we (usually) require a group, i.e. a single elliptic curve. However, using pairings, we have to choose between $\mathbb{G_1}$ and $\mathbb{G_2}$ (and even $\mathbb{G_t}$), each group have their pros and cons depending on the cryptographic protocol we want to use. In practice, $\mathbb{G_1}$ is usually preferred given it is much shorter and faster to compute in it, than its counter-parties. This choice of group comes up when designing threshold networks. Indeed, there is a distributed key lying in a group $\mathbb{G}$ which could be any of the three groups aforementioned. In particular, when using pairing equipped curves, a threshold network can be used to create threshold BLS signatures but it can also be used as a decryption oracle. In the latter, users encrypts towards the threshold network and push the encryption on-chain. This posts shows the pros and cons of using $\mathbb{G_1}$ and $\mathbb{G_2}$ for each and shows there is a tension between the two. This posts then shows a simple solution to get the best of both worlds. The technique is heavily inspired by a post by Kobi Gurkan on efficient multisignature verification onchain, translated to the threshold setting.

Mar 21, 2023
Trusted Setup: KZG and PST

KZG trusted setup First Player First player has secret $s$ and generates $$ [s]_1, [s^2]_1 ... $$ as well as the "check" point $$ [s]_2 $$

Jan 31, 2023
DKG Share Recovery

DKG in a few lines Each node $i$: has a private polynomial $$f_i(x) = a_0 + ... + a_{t-1}x^{t-1}$$ From that get the public poly $$F_i(x) = f_i(x) * G$$ generate shares for others $$s_{i,j} = f_i(j)$$ then sum each share it receives (from QUALified participants) + its own: final share is $$s_i = \sum_j s_{j,i}$$ final public polynomial $$F(x) = \sum_i F_i(x)$$

Oct 27, 2022
Read more from Nicolas Gailly
Published on HackMD