05 Down the rabbit hole
Let's shed some light on the mathematical operations performed by each participant in a multi-party Trusted Setup ceremony for the Groth16 protocol and how we can guarantee its security.
Within the realm of zk-SNARKs, the term 'toxic waste' pertains to the initial random element produced at the onset of the process. Preserving the confidentiality of this randomness is imperative, as an adversary who gets hold of it could potentially fabricate deceptive proofs that would nonetheless pass the verification checks.
- The coordinator generates the inaugural 'toxic waste' and computes the maiden version of the Structured Reference String (SRS).
In mathematical terms, let our 'toxic waste' be a random scalar 's'. The coordinator then computes the pairs of elements {(g^(s^i), g^((s^i)^(-1)))} for 'i' ranging from 0 to 'n' (where 'g' is the generator of the elliptic curve group and 'n' is the maximum degree of the polynomials at hand). This collection of pairs forms the initial version of the SRS.
At this point, it's crucial to understand the key property of elliptic curve groups that the ceremony relies on. Given g^x and g^y, one can effortlessly calculate g^(x+y), but deriving 'x' or 'y' from these elements is computationally infeasible. This hardness assumption, known as the Discrete Logarithm Problem, shields the 'toxic waste' in the exponents and prevents it from being extracted from the SRS, even though it is incorporated in every element.
- Contributors, also called participants, sequentially enter the ceremony. Each one generates a new 'toxic waste', uses it to update the SRS, discards it, and passes the updated SRS to the next participant.
Let's consider participant 'j' generating their own randomness 'r_j'. They take the SRS from the preceding participant and compute {(g^(s^i * r_j), g^((s^i * r_j)^(-1)))} for all 'i'. After this, 'r_j' is discarded and the refreshed SRS is handed to the next participant.
Even though each contributor is aware of their own injected randomness, the collective 'toxic waste' up until their contribution remains concealed due to the underlying properties of the Discrete Logarithm Problem.
- The computations undertaken by each contributor are deterministic, thereby allowing public verification. For a given input and output SRS, anyone can perform the computations and validate that they align under the contributor's known randomness.
At the same time, verifying the correctness of these computations doesn't leak any information about the 'toxic waste', because the Discrete Logarithm Problem keeps it hidden in the exponents.
- The ceremony concludes once all participants have made their contributions. The final SRS is devoid of any usable 'toxic waste': every participant's randomness has been folded into it and then discarded.
For the final SRS to be secure, it's important that all participants act honestly, but the security of the system doesn't solely rely on perfect behavior from everyone. The protocol is designed to be secure even if some participants are dishonest, as long as there's at least one honest participant.
The entire procedure utilizes the properties of the Discrete Logarithm Problem to inhibit any single party from retrieving the 'toxic waste' 's' unless they collude with every other participant. This pivotal attribute ensures the robustness of the ceremony against real-world scenarios where perfect behavior cannot always be guaranteed.
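The update chain and the collusion property described above, as an added worked example (not the project's code). The elliptic-curve group is stood in for by the order-q subgroup of Z_p^* for a toy safe prime p = 2q + 1, only the g^(s^i) component of each pair is kept, and the i-th element is raised to r^i so that the output stays the powers of the combined secret s*r (for i = 1 this is exactly the g^(s * r_j) update above); the verifier is handed r as the text describes.

```python
# Toy simulation of the multi-party SRS update chain described above (added
# example, not the project's code). The elliptic-curve group is replaced by
# the order-q subgroup of Z_p^* with p = 2q + 1 a safe prime, so "g^x" is
# pow(G, x, P) and exponents live in Z_q. Parameters are constructed toys.
import secrets
from functools import reduce

P, Q, G = 1019, 509, 4   # 1019 = 2*509 + 1; 4 = 2^2 is a QR, so ord(4) = 509

def random_scalar():
    """Fresh 'toxic waste': a uniformly random non-zero exponent in Z_q."""
    return 1 + secrets.randbelow(Q - 1)

def initial_srs(s, n):
    """Coordinator: [g^(s^0), g^(s^1), ..., g^(s^n)] for secret s."""
    return [pow(G, pow(s, i, Q), P) for i in range(n + 1)]

def contribute(srs, r):
    """Participant: raise the i-th element to r^i, turning g^(s^i) into
    g^((s*r)^i). The result is the SRS of the combined secret s*r; the
    participant needs only r and never learns s (it stays in the exponent)."""
    return [pow(elem, pow(r, i, Q), P) for i, elem in enumerate(srs)]

def verify_contribution(old, new, r):
    """Public check as described above: the update is deterministic, so a
    verifier given r recomputes it and compares. (Real ceremonies instead
    publish g^r and use a pairing check so r itself can be discarded.)"""
    return len(old) == len(new) and contribute(old, r) == new

def run_ceremony(s, randomness, n):
    """Coordinator then each participant in turn; returns the final SRS and
    the full transcript of intermediate SRSs for public verification."""
    transcript = [initial_srs(s, n)]
    for r in randomness:
        transcript.append(contribute(transcript[-1], r))
    return transcript[-1], transcript

def combined_secret(s, randomness):
    """The secret the final SRS encodes: s * r_1 * ... * r_k mod q. Every
    factor is needed, which is why recovering it takes collusion of all."""
    return reduce(lambda a, b: a * b % Q, randomness, s % Q)

if __name__ == "__main__":
    s, rs = random_scalar(), [random_scalar() for _ in range(3)]
    final, log = run_ceremony(s, rs, n=4)
    for old, new, r in zip(log, log[1:], rs):
        assert verify_contribution(old, new, r)
    # the chain equals a single-party setup with the combined secret
    assert final == initial_srs(combined_secret(s, rs), 4)
```

The last assertion is the point of the ceremony: the finished SRS is indistinguishable from one produced directly with the product secret, which no party holds unless all of them pool their shares.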