RLN
Membership

Each member has a secret key, denoted a_0. The identity commitment q is the hash of the secret key. To become a member one must,
Signalling

Members are cryptoeconomically bound to send only one signal per epoch. The proof system forces a member who goes beyond that limit to reveal their secret key a_0.

Membership

For a signal to be valid, the identity commitment q must exist in the identity tree. Membership is proven by providing an authentication path auth_path.

Linear Equation & SSS
The secret key a_0 is the first coefficient of a linear polynomial. For any epoch, each member knows a linear polynomial derived from the secret key a_0 and the epoch. So in each epoch there is a polynomial with a different a_1 but the same a_0. Each member therefore has a secret line equation for the epoch: a line with constant term a_0 and slope a_1.
Along with a signal, a member must publicly provide an (x, y) share that satisfies the line equation. The hash of the signal is the evaluation point x. With more than one share anyone can derive a_0, the secret id key, so a member who sends more than one signal in an epoch reveals the secret key. Note that shares used in different epochs cannot be combined to derive the secret key, since they lie on different lines.
Nullifiers

The epoch is the external nullifier. The internal nullifier is calculated as in = hash(a_1). Note that a_1 already contains both a secret-key ingredient (a_0) and an epoch ingredient, so in each epoch a member can signal under only one nullifier.

Circuit
Constraints

To send a valid signal, a member should provide,
These are the constraints of the RLN circuit.
Public Inputs
share_x
share_y
epoch
membership_tree_root
nullifier
Private Inputs
a_0
auth_path
Slashing

Members reveal a single share of the secret key for each signal in an epoch. A share (x, y) is a valid point on the member's polynomial. If a member signals more than once, the secret key is forcibly exposed: watchtower nodes can calculate the coefficients of the line equation, and hence the secret key a_0. Therefore a member who spams runs the risk of being slashed, i.e. having their deposit burned. The risk remains until the end of the withdrawal period.
The corresponding public key can also be removed from the membership tree.
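The per-epoch line, the (x, y) share, the internal nullifier, the relations the circuit enforces, and the watchtower's recovery of a_0 from two shares, as an added worked example in Python (not code from this page or from kilic/rln). It assumes the BLS12-381 scalar field as the arithmetic field, SHA-256 reduced mod P in place of Poseidon, a_1 = hash(a_0, epoch) as the derivation the text describes only in words, and a small power-of-two Merkle tree as the membership tree; the member keys and messages are constructed inputs. The recovery routine also handles the reuse case from Question 1 below: two copies of the same share are a single point and yield nothing.

```python
"""Toy model of the RLN mechanics on this page (added example, not the kilic/rln
circuit). Poseidon is replaced by SHA-256 mod P; the field P, the derivation
a_1 = hash(a_0, epoch) and the Merkle layout are assumptions made here."""
from __future__ import annotations
import hashlib
from typing import Optional

# Assumption: the BLS12-381 scalar field modulus as the arithmetic field.
P = 0x73EDA753299D7D483339D80809A1D80553BDA402FFFE5BFEFFFFFFFF00000001


def H(*parts: int) -> int:
    """Stand-in for Poseidon: SHA-256 over 32-byte big-endian words, reduced mod P."""
    h = hashlib.sha256()
    for v in parts:
        h.update(int(v).to_bytes(32, "big"))
    return int.from_bytes(h.digest(), "big") % P


def identity_commitment(a0: int) -> int:
    """q = hash(a_0), the leaf stored in the membership tree."""
    return H(a0)


def epoch_slope(a0: int, epoch: int) -> int:
    """a_1 for this epoch; hash(a_0, epoch) is the assumed derivation."""
    return H(a0, epoch)


def make_share(a0: int, epoch: int, signal: bytes) -> tuple[int, int]:
    """(x, y) with x = hash(signal) and y on the member's epoch line y = a_0 + a_1 * x."""
    a1 = epoch_slope(a0, epoch)
    x = int.from_bytes(hashlib.sha256(signal).digest(), "big") % P
    return x, (a0 + a1 * x) % P


def nullifier(a0: int, epoch: int) -> int:
    """Internal nullifier in = hash(a_1)."""
    return H(epoch_slope(a0, epoch))


def recover_key(share1: tuple[int, int], share2: tuple[int, int]) -> Optional[int]:
    """Interpolate a_0 from two shares of one line. Equal x means the same share was
    reused (Question 1): that is a single point, so recovery is impossible."""
    (x1, y1), (x2, y2) = share1, share2
    if x1 == x2:
        return None
    a1 = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    return (y1 - a1 * x1) % P


# Minimal Merkle tree (power-of-two leaf count) standing in for the membership tree.
def merkle_root(leaves: list[int]) -> int:
    level = list(leaves)
    while len(level) > 1:
        level = [H(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def auth_path(leaves: list[int], index: int) -> list[tuple[int, bool]]:
    """Siblings from leaf to root, each tagged with whether our node is the right child."""
    path, level, i = [], list(leaves), index
    while len(level) > 1:
        path.append((level[i ^ 1], bool(i & 1)))
        level = [H(level[j], level[j + 1]) for j in range(0, len(level), 2)]
        i //= 2
    return path


def verify_path(leaf: int, path: list[tuple[int, bool]]) -> int:
    node = leaf
    for sibling, is_right in path:
        node = H(sibling, node) if is_right else H(node, sibling)
    return node


def circuit_constraints(public: dict, private: dict) -> bool:
    """The relations the circuit must enforce, evaluated in the clear: the share lies
    on the prover's epoch line, the nullifier is hash(a_1), hash(a_0) is in the tree."""
    a0, path = private["a_0"], private["auth_path"]
    a1 = epoch_slope(a0, public["epoch"])
    return (
        public["share_y"] == (a0 + a1 * public["share_x"]) % P
        and public["nullifier"] == H(a1)
        and verify_path(identity_commitment(a0), path) == public["membership_tree_root"]
    )


def watchtower(signals: list[tuple[int, int, tuple[int, int]]]) -> list[tuple[int, int]]:
    """Group (epoch, nullifier, share) by (epoch, nullifier); a second distinct share
    under the same pair yields the spammer's a_0, which can then be slashed."""
    first, slashed = {}, []
    for epoch, nul, share in signals:
        key = (epoch, nul)
        if key not in first:
            first[key] = share
        elif first[key] != share:
            a0 = recover_key(first[key], share)
            if a0 is not None:
                slashed.append((epoch, a0))
    return slashed


if __name__ == "__main__":
    keys = [H(i) for i in range(4)]  # constructed sample secret keys (a_0 values)
    alice = keys[1]
    spam = [(7, nullifier(alice, 7), make_share(alice, 7, m)) for m in (b"hi", b"hi again")]
    print("recovered alice's a_0:", [a == alice for _, a in watchtower(spam)])
```

Shares from two different epochs sit on two different lines, so feeding them to recover_key returns a field element that is not a_0; only two distinct shares under one (epoch, nullifier) pair expose the key, which is exactly what the watchtower groups on.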
Implementation
The RLN circuit can be found at github.com/kilic/rln
A prototype application is under development and can be found at github.com/kilic/rlnapp
Poseidon Hasher

The Poseidon hasher is configured with the parameters t = 3, rf = 8, rp = 55. For details about the parameters see the Poseidon research paper.

Performance

With our circuit implementation a single hash costs 314 constraints. Note that there is still room to go down to ~240 constraints.
Cost per hash in the EVM is 20402 gas. *
Construction

Unlike circomlib, where a different round constant is added to each element in a round, a single constant value per round is used, to reduce gas cost.

Benchmarks
Circuit
Results are generated using native bellman on an i5 2.7 GHz machine.
Questions

1. With this setup there is nothing preventing a member from using the same share for many messages. So we need to stop members from double-share-revealing. Therefore the nullifier hash set should be tracked in public, and a member should commit in public by paying ETH fees for each message in order to prepare a valid signal. The problem with this is that the process itself is already a form of rate limiting.
2. Since membership is proven in zero-knowledge, the origin of messages cannot be linked. Because of this, the fisherman has to run a search program with exponential complexity to find a member that violates the limit. This complexity gets worse as the number of allowed messages per epoch increases.
3. One cool feature would be to not reveal previous messages if you get slashed.
4. Issues at vacp2p research
Mobile Benchmarks
Results are generated with browserstack.com