[ZK Learning Group 2] Trusted setup workshop

Background: Secure Multi-Party Computation

  • Multiple people have different parts of the inputs

  • They do not want to reveal their component of input

  • But must come together to jointly compute f(x,y,z)

Trusted Setup

The setup is the process in which the CRS (Common Reference String) is generated; in most SNARK tooling it is better known as the pair of proving and verification keys. These “keys” are used by the prover and the verifier, respectively, to generate and verify proofs for one specific problem (constraint system).

During this process random elements are sampled which must be kept secret: if the prover learns them, it can create proofs that verify successfully without using an actual solution to the problem, in other words forge proofs and break soundness. This randomness is known as “toxic waste”. There are ways to avoid putting that trust in a single entity. For public circuits these usually involve a Multi-Party Computation: a process in which multiple players each contribute their own randomness and destroy it afterwards. The useful property is that it is enough for a single player to be honest and destroy their randomness for the whole setup to be secure, because the final secret combines every contribution and the remaining players cannot recover the honest player's share from it.

Every participant in the MPC contributes a share of randomness, and the contributions are combined to form the CRS.

Trusted setup can be split into 2 phases:

  1. Phase 1: Circuit agnostic

  2. Phase 2: Circuit dependent

Trusted setup Phase 1: Powers of Tau

  • Since it is circuit agnostic (“common work”), the data can be crowdsourced in an ongoing fashion and made publicly available for anyone to use.

  • Anyone can use the accumulated powers-of-tau contributions as the phase 1 input to the trusted setup of their own circuit.

At least one honest participant is needed in each phase, not only in phase 1: phase 2 samples its own circuit-specific secrets, so it must also be run as an MPC. If honesty in phase 1 alone were sufficient, there would be no reason to run an MPC for phase 2 at all.
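The following is an added illustration of the phase 1 ceremony and the “one honest player suffices” argument above. It is example code written for these notes, not code from the workshop or from any real ceremony. It assumes a toy group (the multiplicative group modulo the Mersenne prime p = 2^127 - 1, with fixed base 3 and 8 powers kept) in place of the pairing-friendly curve a real ceremony uses; because the toy group has no pairing, the pairing-based checks a real coordinator runs on every contribution are left out, and all function names (`contribute`, `run_ceremony`, `combined_secret`, ...) are the example's own.

```python
"""
Toy simulation of a Powers-of-Tau (phase 1) MPC ceremony.

Each participant in turn raises every accumulator element to a power of
their own secret tau.  After k participants, element i of the accumulator
is G^((tau_1 * ... * tau_k)^i): the CRS encodes the *product* of all
secrets, and nobody who destroyed their own tau can be reconstructed from
the others' shares.
"""
import math
import secrets

# Toy parameters (assumption of this example, not of any real ceremony):
# Z_p^* for the Mersenne prime 2^127 - 1.  Real ceremonies use a
# pairing-friendly curve such as BLS12-381 and scalars in its prime field.
P = 2**127 - 1      # group modulus
ORDER = P - 1       # exponents are reduced modulo the group order
G = 3               # fixed base; CRS element i is G^(tau^i)
N = 8               # number of powers of tau kept in the CRS


def sample_secret():
    """A participant's secret tau: a unit modulo the group order."""
    while True:
        t = secrets.randbelow(ORDER)
        if t > 1 and math.gcd(t, ORDER) == 1:
            return t


def initial_crs(n=N):
    """Before any contribution the accumulator encodes tau = 1: every element is G."""
    return [G] * n


def contribute(crs, tau):
    """One participant's step: element i becomes crs[i]^(tau^i).

    If crs[i] = G^(T^i) on input, the output is G^((T*tau)^i), so the
    accumulated secret is multiplied by tau without tau ever being revealed.
    """
    return [pow(x, pow(tau, i, ORDER), P) for i, x in enumerate(crs)]


def crs_for_secret(tau, n=N):
    """The CRS an insider who knows the combined secret could write down directly."""
    return [pow(G, pow(tau, i, ORDER), P) for i in range(n)]


def run_ceremony(secrets_in_order):
    """Apply the participants' contributions sequentially, as a coordinator would."""
    crs = initial_crs()
    for tau in secrets_in_order:
        crs = contribute(crs, tau)
        # Sanity check available even without pairings: tau^0 = 1, so the
        # first element must never change.  (Consistency of the remaining
        # powers needs the pairing checks omitted from this toy.)
        assert crs[0] == G
    return crs


def combined_secret(secrets_in_order):
    """Product of all contributions: the tau the final CRS actually encodes."""
    t = 1
    for tau in secrets_in_order:
        t = t * tau % ORDER
    return t


def colluders_can_reconstruct(final_crs, leaked_secrets):
    """Can participants who pooled their secrets reproduce the final CRS?

    Returns True only if the leaked secrets alone account for the CRS, i.e.
    if no honest participant destroyed a contribution.
    """
    return final_crs == crs_for_secret(combined_secret(leaked_secrets))


if __name__ == "__main__":
    taus = [sample_secret() for _ in range(3)]   # three participants
    final = run_ceremony(taus)
    # The ceremony output is exactly the powers of the product of all secrets.
    assert final == crs_for_secret(combined_secret(taus))
    # Participant 2 destroys their tau; participants 1 and 3 collude.
    assert not colluders_can_reconstruct(final, [taus[0], taus[2]])
    # Only with every secret, including the destroyed one, is the CRS reproducible.
    assert colluders_can_reconstruct(final, taus)
    print("ceremony OK; one honest participant suffices")
```

The `colluders_can_reconstruct` check is what “toxic waste” means in practice: the toxic value is the product of all contributions, and it exists in nobody's memory unless every single participant kept theirs. Real ceremonies additionally require each participant to publish a proof of knowledge of their tau and verify, with pairings, that the new accumulator is a consistent rescaling of the previous one.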

Example
