From 29f344fd9bbc8cf948ea4ffd9d770e062431c7e9 Mon Sep 17 00:00:00 2001 From: Anna Shaleva Date: Tue, 28 Nov 2023 10:08:43 +0300 Subject: [PATCH 1/2] examples: add one more source of suitable response* files for Groth16 Turns out that Zcash switched to BLS12-381 since https://github.com/zcash/zcash/issues/2502, thanks to @EdgeDLT for pointing that out. I've checked that our TestCubicCircuit_EndToEnd_Prod test passes with response file downloaded from the attestations page of Zcash ceremony, thus I propose to put their attestations link before the link to PPoT, because PPoT attestations contain outdated links and not all responses can be downloaded. Signed-off-by: Anna Shaleva --- examples/zkp/cubic_circuit/README.md | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/examples/zkp/cubic_circuit/README.md b/examples/zkp/cubic_circuit/README.md index a4214ab37..0c8d654d3 100644 --- a/examples/zkp/cubic_circuit/README.md +++ b/examples/zkp/cubic_circuit/README.md
@@ -31,20 +31,25 @@ to organize the ceremony and generate proving and verifying keys for a circuit. However, both phases take a significant amount of time and computations to be performed. Luckily for the developers, it is possible to omit a curve-specific part of the MPC and reuse the existing results of Phase 1 got from a trusted -source, e.g. from [Powers of Tau ceremony](https://github.com/filecoin-project/powersoftau/) -held by the [Filecoin project](https://github.com/filecoin-project/phase2-attestations#phase1). +source, e.g. from [Zcash PowersOfTau](https://github.com/ZcashFoundation/powersoftau-attestations) +held by the [Zcash Foundation](https://github.com/ZcashFoundation). `TestCubicCircuit_EndToEnd_Prod` test of the current circuit example demonstrates how to use the `response` output file from the Phase 1 of the Filecoin's Powers of Tau ceremony for BLS12-381 curve: -* [`response8`](./response8) file is the response output from the [Powers of Tau ceremony](https://github.com/filecoin-project/powersoftau/) - with the `REQUIRED_POWER` set to 8 (to reduce computations and response file size) - that was run locally with the help of [testing script](https://github.com/filecoin-project/powersoftau/blob/master/test.sh). +* [`response8`](./response8) file is the response output from the ceremony that was run locally + based on the [Filecoin Powers of Tau](https://github.com/filecoin-project/powersoftau/) + with the `REQUIRED_POWER` set to 8 (to reduce computations and response file size). + The ceremony itself was run with the help of [testing script](https://github.com/filecoin-project/powersoftau/blob/master/test.sh). To get the response file for a production environment, the user has two options: 1. Organize his own ceremony with required number of powers following the [guide](https://github.com/filecoin-project/powersoftau/tree/master#instructions) - from the source repo. - 2. 
Download the existing suitable `response` file from the - [attestations page](https://github.com/arielgabizon/perpetualpowersoftau#perpetual-powers-of-tau-for-bls381). + from the ceremony source repo. + 2. Download the existing suitable `response` file from the trusted existing ceremony. + Please, be careful while choosing `response` file and ensure that it has enough + powers computed (at least as much as the number of the circuit's constraints requires). + Example of suitable ceremonies: + * Zcash Powers Of Tau [attestations page](https://github.com/ZcashFoundation/powersoftau-attestations) (up to 2^21) + * Filecoin Perpetual Powers Of Tau [attestations page](https://github.com/arielgabizon/perpetualpowersoftau#perpetual-powers-of-tau-for-bls381) (up to 2^27) * [main_test](./main_test.go) contains the `TestCubicCircuit_EndToEnd_Prod` test itself and demonstrates how to properly initialize Phase 2 based on the given response file and make some dummy contributions into it. From d7b84c0b472b3adb34ad6cbc2680ff0c6a1e1ff2 Mon Sep 17 00:00:00 2001 From: Anna Shaleva Date: Tue, 28 Nov 2023 10:34:52 +0300 Subject: [PATCH 2/2] examples: improve ZKP production example Add more detailed errors and comments. Signed-off-by: Anna Shaleva --- examples/zkp/cubic_circuit/main_test.go | 27 ++++++++++++++++++------- 1 file changed, 20 insertions(+), 7 deletions(-) diff --git a/examples/zkp/cubic_circuit/main_test.go b/examples/zkp/cubic_circuit/main_test.go index 9e38c0981..39cc5d61f 100644 --- a/examples/zkp/cubic_circuit/main_test.go +++ b/examples/zkp/cubic_circuit/main_test.go @@ -1,6 +1,7 @@ package cubic import ( + "fmt" "math" "os" "path/filepath" 
@@ -156,6 +157,12 @@ func TestCubicCircuit_EndToEnd(t *testing.T) {
 // result for proving/verifying keys generation and demonstrates how to contribute
 // some randomness into it.
 func TestCubicCircuit_EndToEnd_Prod(t *testing.T) {
+ const (
+ // Response file generated locally for 2^8 powers.
+ pathToResponseFile = "./response8"
+ // The order of Powers of Tau ceremony, it depends on the response file.
+ orderOfResponseFile = 8
+ )
 var (
 circuit CubicCircuit
 assignment = CubicCircuit{X: 3, Y: 35}
@@ -166,8 +173,10 @@ func TestCubicCircuit_EndToEnd_Prod(t *testing.T) {
 require.NoError(t, err)
 // Setup (groth16 zkSNARK), use MPC-based solution for proving and verifying
- // keys generation.
- pk, vk := setup(t, ccs, "./response8", 8) // the order of Powers of Tau ceremony, depends on the response file.
+ // keys generation. Please, be careful while adopting this code for your circuit.
+ // Ensure that response file that you've provided contains enough powers computed
+ // so that the number of constraints in your circuit can be handled.
+ pk, vk := setup(t, ccs, pathToResponseFile, orderOfResponseFile)
 // Intermediate step: witness definition.
 witness, err := frontend.NewWitness(&assignment, ecc.BLS12_381.ScalarField())
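Review bot: The adoption warning added above the `setup(...)` call in the second hunk mentions only the size of the response file and says nothing about its authenticity, although the README change in this series sends users to third-party attestation pages to download one. A Phase 1 output is the trust anchor for the keys derived from it, so the comment should also tell adopters to check the file against what the ceremony published, for example `// Verify the hash of a downloaded response file against the ceremony attestation before using it.` Nothing visible in this hunk performs such a check, and whether `setup` does is outside the hunk. TestCubicCircuit_EndToEnd_Prod continues past the hunk's last line.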
@@ -262,20 +271,21 @@ func setup(t *testing.T, ccs constraint.ConstraintSystem, phase1ResponsePath str
 beta_coef_g1 := make([]curve.G1Affine, inN)
 // Accumulator serialization: https://github.com/filecoin-project/powersoftau/blob/ab8f85c28f04af5a99cfcc93a3b1f74c06f94105/src/accumulator.rs#L111
+ errMessage := fmt.Sprintf("ensure your response file contains exactly 2^%d powers of tau for BLS12-381 curve", inPow)
 for i := range coef_g1 {
- require.NoError(t, dec.Decode(&coef_g1[i]))
+ require.NoError(t, dec.Decode(&coef_g1[i]), errMessage)
 }
 for i := range coef_g2 {
- require.NoError(t, dec.Decode(&coef_g2[i]))
+ require.NoError(t, dec.Decode(&coef_g2[i]), errMessage)
 }
 for i := range alpha_coef_g1 {
- require.NoError(t, dec.Decode(&alpha_coef_g1[i]))
+ require.NoError(t, dec.Decode(&alpha_coef_g1[i]), errMessage)
 }
 for i := range beta_coef_g1 {
- require.NoError(t, dec.Decode(&beta_coef_g1[i]))
+ require.NoError(t, dec.Decode(&beta_coef_g1[i]), errMessage)
 }
 beta_g2 := &curve.G2Affine{}
- require.NoError(t, dec.Decode(beta_g2))
+ require.NoError(t, dec.Decode(beta_g2), errMessage)
 // Transform (take exactly those number of powers that needed for the given number of constraints).
 var (
@@ -286,6 +296,9 @@ func setup(t *testing.T, ccs constraint.ConstraintSystem, phase1ResponsePath str
 }
 outN := int64(math.Pow(2, float64(outPow)))
+ if len(coef_g1) < int(2*outN-1) {
+ t.Fatalf("number of circuit constraints is too large for the provided response file: nbConstraints is %d, required at least %d powers to be computed", numConstraints, outN)
+ }
 srs1 := mpcsetup.Phase1{}
 srs1.Parameters.G1.Tau = coef_g1[:2*outN-1] // outN + (outN-1)
 srs1.Parameters.G2.Tau = coef_g2[:outN] // outN
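Review bot: The shared `errMessage` attributes every decode failure to a wrong number of powers, so a truncated or corrupted download gets the same hint and no indication of which section or element failed. `require.NoError` accepts a format string with arguments, so each call could name its position, e.g. `require.NoError(t, dec.Decode(&coef_g1[i]), "tau G1 element %d: %s", i, errMessage)`. The hint text could also ask the reader to check the file's integrity, not only its size. `setup` starts before and ends after this hunk.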
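Review bot: The added guard compares only `len(coef_g1)` with `2*outN-1`, while the lines right after it also slice `coef_g2[:outN]`, so that slice is protected only while the earlier allocations keep their relation to `inN` (the `coef_g1` and `coef_g2` allocations are outside this hunk). Comparing the exponents states the invariant for all slices at once, `if outPow > inPow { t.Fatalf(...) }`, assuming both values have the same integer type. The message also reports `outN` as the required number of powers although the check is made against `2*outN-1`; a comment such as `// G1 needs 2*outN-1 tau powers, the other vectors need outN` would make that explicit. `setup` continues beyond the hunk.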