Powers of Tau
How do I perform the Powers of Tau ceremony?
Last updated
How do I perform the Powers of Tau ceremony?
Last updated
In both PlonK and Groth16, there is a universal trusted setup stage known as the Powers of Tau ceremony. In order to utilize a Circom-bourne zkSNARK, you will need to consider how your trusted setup was constructed in order to ensure security and integrity in your cryptosystem.
This preparatory phase can be completed independent of the circuit - completing the trusted setup before completing the circuit, and vice versa, is inconsequential.
A powers of tau ceremony can be run yourself. This may be convenient for testing purposes, but a powers of tau ceremony's security comes from multiple parties making commitments. Therefore, you should not put anything into production using your own ceremony. The following shows the process used in developing BattleZips V1:
#!/bin/sh
set -e
# --------------------------------------------------------------------------------
# Phase 1
# ... non-circuit-specific stuff
# if zk/ptau does not exist, make folder
[ -d zk/ptau ] || mkdir zk/ptau
# Starts Powers Of Tau ceremony, creating the file pot15_0000.ptau
# If you run into circuit size errors, you need a larger powers of tau ceremony
yarn snarkjs powersoftau new bn128 15 zk/ptau/pot15_0000.ptau -v
# Contribute entropy from the system to the powers of tau ceremony
yarn snarkjs powersoftau contribute zk/ptau/pot15_0000.ptau zk/ptau/pot15_0001.ptau \
--name="First contribution" -v -e="$(head -n 4096 /dev/urandom | openssl sha1)"
For development purposes, you can generate your own circuits. However, in production, you should use an existing ceremony for maximal trust. You can find .ptau files for each circuit size here. For larger circuits, you will also save a lot of time downloading a pre-computed ceremony rather than computing it yourself. BattleZips has more than 16384 constraints but less than 32768 constraints, so in our case we download powersOfTau28_hez_final_15.ptau and rename it to "pot15_final.ptau"
@TODO: Add your own commitment to the Hermez ceremony
If your proofs use Groth-16, there is an additional circuit-specific setup phase that you must do. Just like the above Powers of Tau ceremony, commitment to this trusted setup must be done by many parties to derive any semblance of true security. See Theory > Groth16 for more information.
This step is not run at the same time as the universal setup of the pot_xx.ptau file- it is run separately, only once you have the rank-one constraint system auto-generated by Circom.
The following bash script demonstrates the application of the trusted setup to the BattleZips circuits:
yarn snarkjs groth16 setup zk/board.r1cs zk/ptau/pot15_final.ptau zk/zkey/board_final.zkey
yarn snarkjs groth16 setup zk/shot.r1cs zk/ptau/pot15_final.ptau zk/zkey/shot_final.zkey
# # Generate reference zkey
yarn snarkjs zkey new zk/board.r1cs zk/ptau/pot15_final.ptau zk/zkey/board_0000.zkey
yarn snarkjs zkey new zk/shot.r1cs zk/ptau/pot15_final.ptau zk/zkey/shot_0000.zkey
# # Ceremony just like before but for zkey this time
yarn snarkjs zkey contribute zk/zkey/board_0000.zkey zk/zkey/board_0001.zkey \
--name="First board contribution" -v -e="$(head -n 4096 /dev/urandom | openssl sha1)"
yarn snarkjs zkey contribute zk/zkey/shot_0000.zkey zk/zkey/shot_0001.zkey \
--name="First shot contribution" -v -e="$(head -n 4096 /dev/urandom | openssl sha1)"
yarn snarkjs zkey contribute zk/zkey/board_0001.zkey zk/zkey/board_0002.zkey \
--name="Second board contribution" -v -e="$(head -n 4096 /dev/urandom | openssl sha1)"
yarn snarkjs zkey contribute zk/zkey/shot_0001.zkey zk/zkey/shot_0002.zkey \
--name="Second shot contribution" -v -e="$(head -n 4096 /dev/urandom | openssl sha1)"
yarn snarkjs zkey contribute zk/zkey/board_0002.zkey zk/zkey/board_0003.zkey \
--name="Third board contribution" -v -e="$(head -n 4096 /dev/urandom | openssl sha1)"
yarn snarkjs zkey contribute zk/zkey/shot_0002.zkey zk/zkey/shot_0003.zkey \
--name="Third shot contribution" -v -e="$(head -n 4096 /dev/urandom | openssl sha1)"
# # Verify zkey
yarn snarkjs zkey verify zk/board.r1cs zk/ptau/pot15_final.ptau zk/zkey/board_0003.zkey
yarn snarkjs zkey verify zk/shot.r1cs zk/ptau/pot15_final.ptau zk/zkey/shot_0003.zkey
# # Apply random beacon as before
yarn snarkjs zkey beacon zk/zkey/board_0003.zkey zk/zkey/board_final.zkey \
0102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f 10 -n="Board FinalBeacon phase2"
yarn snarkjs zkey beacon zk/zkey/shot_0003.zkey zk/zkey/shot_final.zkey \
0102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f 10 -n="Shot Final Beacon phase2"
Upon successful generation of the x_final.zkey files, we have the artifacts needed to proceed with usage of our Circom circuit to generate zero knowledge proofs.