Is the trusted setting of zero-knowledge proof worth worrying about?

Setup ceremonies can be opportunities for collaboration for the communities and projects that implement them. They represent an opportunity worth embracing, not a necessary evil to be overcome.

Original title: “The Power of Tau: How I Learned to Stop Worrying and Love Trusted Setups”
Written by: Sam Parker and Alex Pruden
Translation: Kurt Pan

Since their first implementations in Zerocoin and Zerocash, zero-knowledge proofs (ZKPs) have had a particularly important history in cryptocurrency. Early implementations aimed at transaction privacy in general. ZKPs are now starting to be used for many functions more powerful than mere obfuscation. For example, zkRollups achieve greater transaction throughput on Ethereum; recursive proof constructions such as Halo are being used to create compressed blockchains; proposals such as “Proof of Necessary Work” exploit the properties of zkSNARKs to provide security at a network’s consensus layer; and with constructions such as Zexe, ZKPs make off-chain computation and even new programming models possible.

“Zero-knowledge proofs” are usually spoken of as a single thing, but it is important to remember that there are many different kinds of ZKP. Strictly speaking, a ZKP scheme is any proof scheme with the “zero-knowledge” property: the verifier of the proof learns nothing beyond the fact that the statement being proved is true (in particular, nothing about the witness used to prove it). ZKPs can be interactive, where the verifier exchanges messages directly with the prover, or non-interactive, where the prover generates the proof on its own. Several kinds of non-interactive ZKP meet this condition, including:

  • Non-Interactive Zero-Knowledge arguments (NIZK)
  • Succinct Non-interactive ARGuments (SNARG)
  • Succinct Non-interactive ARguments of Knowledge (SNARK, or zkSNARK when zero-knowledge)

Because of their succinctness and efficiency, zkSNARKs are the most relevant to cryptocurrencies. The first SNARK used in production was based on Pinocchio and was originally deployed in Zcash. Later, Zcash and several other projects adopted the zkSNARK described by Jens Groth in his 2016 paper, commonly called “Groth16”.

Although zkSNARKs are quite popular, they have two main disadvantages.

First, non-universal zkSNARKs (e.g. Groth16) are specific to a given NP relation. In other words, the parameters and proofs are tied to one fixed program (circuit), which limits the scheme’s flexibility: a new circuit needs a new setup.

Second, generating and verifying any zkSNARK proof requires a common reference string (CRS) to be generated in advance. You can think of this process as creating a secret that only the system “knows”. Anyone who learns the secret randomness used to generate the CRS can forge proofs of false statements, which destroys soundness.

Academic research on universal SNARKs (such as Marlin, PLONK, etc.) has largely solved the first problem, but even these schemes still require a CRS. There are zero-knowledge proof constructions that need no CRS at all, such as STARKs (Scalable Transparent ARguments of Knowledge) and Bulletproofs. Although these have good applications, they cannot match zkSNARKs (especially non-universal SNARKs such as Groth16) in proof size and verification speed. zkSNARK verification takes constant time regardless of circuit size, which is particularly useful for cryptocurrencies: no matter how large the computation being proven, the work the verifier must do to check the proof stays the same.

zkSNARKs therefore remain the tool of choice for many privacy-oriented blockchain applications. The security of these systems, however, comes down largely to how securely the CRS was generated, so methods for generating a CRS safely in so-called “setup ceremonies” will remain highly significant. It is of course possible to generate these parameters in a trusted, centralized way, but that is incompatible with the goal of decentralization. So far, the preferred technique for zkSNARK setup ceremonies is multi-party computation (MPC).

An MPC setup aims to ensure that no single party can generate, or gain knowledge of, the secret underlying the CRS. It does this by sharing the generation process among as many independent participants as possible, so that only a few of them (or even just one) need to behave honestly for the setup to be secure. In 2015, Eli Ben-Sasson, Alessandro Chiesa, Matthew Green, Eran Tromer and Madars Virza proposed an MPC construction that generates secure parameters even if all participants but one are corrupted. Zcash used this scheme to generate the CRS for its first version, “Sprout”. Despite its novelty, taking part in that ceremony was cumbersome and limited to experts who could carry out the procedure correctly and with confidence. And because participation was so limited, it is generally felt that the level of trust required was still too high and at odds with the ideal of a securely decentralized zkSNARK system.

Since then, the goal of setup ceremonies has been to maximize the number of honest, independent participants who can take part. Intuitively, if there are many independent participants, the chance that all of them are dishonest shrinks to a negligible level. Technical innovation has therefore aimed at scaling these ceremonies to support as many participants as possible.

One problem with the earlier scheme described above is that the number of participants must be known in advance. In their 2017 “MMORPG” paper, Sean Bowe, Ariel Gabizon and Ian Miers described a variant of the MPC setup ceremony for Groth16 consisting of two phases. The first phase, now called “Powers of Tau”, is a universal setup shared by all circuits below a given size. The second phase converts the output of the Powers of Tau phase into a relation-specific CRS. In this scheme a coordinator manages messages between participants, which makes the process scalable, in theory to hundreds or even thousands of participants. Despite the presence of the coordinator, the MPC output can still be verified independently, so security is maintained. Since the paper was first published, the Powers of Tau ceremony has become the industry standard: Filecoin, Ethereum (Semaphore) and Zcash (“Sapling”) all used it to generate the CRS for their systems. Figure 1 (below) depicts the Powers of Tau ceremony visually.

[Figure 1: the Powers of Tau ceremony (image not reproduced)]

Despite its relative popularity, the drawback of MMORPG is that the setup is still a serial process: participants in the MPC ceremony can only contribute one after another. Because the CRS grows linearly with the circuit size, a single contribution can take a long time, which makes the setup ceremony less attractive to participants. Recently, Justin Drake of the Ethereum Foundation proposed a scheme called “optimistic pipelining”. The key insight is that contributions can be applied to different parts of the CRS at the same time, allowing participants to contribute to an MMORPG ceremony concurrently. Participants can thus contribute in a given round at the same time instead of waiting for their turn. We refer to setups using this method as “optimistic setups”. Celo’s recent Plumo setup ceremony used this scheme, and the setup ceremony that Aleo will use also uses it.
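As an added example (not code from the article, nor from the MMORPG, Plumo or Aleo ceremony software), the following Python sketch models the Powers of Tau phase described above together with the chunked-contribution idea behind optimistic pipelining. It assumes a toy multiplicative group of prime order 761 inside Z_1523^* in place of the pairing-friendly curve groups a real ceremony uses, so the pairing check that real ceremonies apply to each contribution is omitted; the function names and the per-chunk ordering scheme are illustrative choices, not a specification of any real ceremony.

```python
"""Toy Powers of Tau accumulator with sequential and chunked ("optimistic") contributions.

Added illustration, not code from the article or from any real ceremony software
(real ceremonies use pairing-friendly elliptic curves). Assumption: the group is the
order-761 subgroup of Z_1523^*, where 1523 = 2*761 + 1 is a safe prime. That group is
far too small to be secure; it is used only so the arithmetic is easy to inspect. Real
ceremonies also verify every contribution with a pairing check, which this toy group
cannot provide, so that check is omitted here.
"""
import secrets

P = 1523  # safe prime, P = 2*Q + 1 (toy size)
Q = 761   # prime order of the subgroup generated by G
G = 4     # 4 = 2^2 is a quadratic residue mod P, so it generates the order-Q subgroup


def random_secret() -> int:
    """A participant's secret scalar s in 1..Q-1 (their share of the hidden tau)."""
    return secrets.randbelow(Q - 1) + 1


def initial_accumulator(n: int) -> list[int]:
    """Accumulator [g^(tau^0), ..., g^(tau^n)] with tau = 1, i.e. every entry is g."""
    return [G] * (n + 1)


def contribute(acc: list[int], s: int) -> list[int]:
    """Apply one participant's secret: entry i becomes acc[i]^(s^i).

    If acc[i] = g^(tau^i) before, it is g^((tau*s)^i) after, so the hidden tau is
    multiplied by s without any party ever having to know tau itself.
    """
    return [pow(acc[i], pow(s, i, Q), P) for i in range(len(acc))]


def run_sequential(n: int, contributions: list[int]) -> list[int]:
    """The plain MMORPG flow: participants contribute strictly one after another."""
    acc = initial_accumulator(n)
    for s in contributions:
        acc = contribute(acc, s)
    return acc


def run_pipelined(n: int, contributions: list[int], chunk: int) -> list[int]:
    """Optimistic pipelining, toy version: the accumulator is split into chunks, every
    chunk receives every contribution, but each chunk processes the participants in a
    different order (as if participants were busy on different chunks at the same time).
    Because exponents multiply commutatively, the result is independent of that order.
    """
    acc = initial_accumulator(n)
    num = len(contributions)
    for k, start in enumerate(range(0, n + 1, chunk)):
        idxs = range(start, min(start + chunk, n + 1))
        rot = k % num
        order = contributions[rot:] + contributions[:rot]  # rotated order per chunk
        for s in order:
            for i in idxs:
                acc[i] = pow(acc[i], pow(s, i, Q), P)
    return acc


def expected_accumulator(n: int, contributions: list[int]) -> list[int]:
    """Reference value computed WITH knowledge of every secret (simulation only):
    tau is the product of all secrets and entry i is g^(tau^i)."""
    tau = 1
    for s in contributions:
        tau = tau * s % Q
    return [pow(G, pow(tau, i, Q), P) for i in range(n + 1)]


def verify_structure(acc: list[int]) -> bool:
    """Checks any verifier can do without a pairing: the tau^0 entry is still the
    generator (nobody swapped it) and every entry is a non-identity element of the
    order-Q subgroup. Consistency of the powers across entries needs a pairing."""
    return acc[0] == G and all(x != 1 and pow(x, Q, P) == 1 for x in acc)


def colluders_tau(contributions: list[int], honest: int) -> int:
    """What every participant except `honest` can reconstruct by pooling their secrets.
    Since tau = colluders_tau * s_honest (mod Q), it differs from the real tau whenever
    the honest secret is not 1: one honest participant who discards their secret is
    enough to keep tau unknown to everyone."""
    tau = 1
    for j, s in enumerate(contributions):
        if j != honest:
            tau = tau * s % Q
    return tau


if __name__ == "__main__":
    n, parts = 8, [random_secret() for _ in range(5)]  # constructed sample ceremony
    seq = run_sequential(n, parts)
    pipe = run_pipelined(n, parts, chunk=3)
    print("sequential == pipelined:", seq == pipe)
    print("matches g^(tau^i):", seq == expected_accumulator(n, parts))
    print("structure ok:", verify_structure(seq))
    print("all-but-one collusion recovers tau:",
          pow(G, colluders_tau(parts, 0), P) == seq[1])
```

The point to notice is in `contribute` and `run_pipelined`: every entry g^(τ^i) is updated by raising it to s^i, so τ is multiplied by s without ever being known to anyone, and because this update commutes, the chunks can be processed in any order and still agree with the strictly sequential result. `colluders_tau` is the “one honest participant” argument in code: the pooled secrets of all other participants give a different τ, so they cannot reproduce the final accumulator.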

Beyond pure decentralization and security concerns, teams increasingly see these ceremonies as products in their own right. For example, Tornado.cash ran a setup ceremony that let users contribute directly from a web browser, reaching a record 1,114 participants. Its success shows that, unlike earlier ceremonies regarded as necessary evils, modern setup ceremonies put the user experience front and center, which not only encourages more contributions but also turns the ceremony into a product in itself.

Running these ceremonies has also become simpler. The original MMORPG scheme uses a central “coordinator” to manage messages between participants and to assemble and aggregate the transcript. Historically this role was performed manually, but various teams have recently invested in automating it (see Celo’s Plumo ceremony and ESPERO). This not only reduces the human effort involved but also makes the ceremony safer, because it reduces the chance of error. See Figure 2 (below) for how an optimistic setup works.

[Figure 2: an optimistic setup (image not reproduced)]

Although many argue that the need to generate a CRS is a critical flaw of zkSNARKs, their efficiency advantage over other ZKP schemes cannot be ignored at present. This is why they remain the industry standard, and why so many teams and researchers have kept developing and improving these ceremonies. Thanks to more efficient protocols, better user experience and the automation of tasks such as coordination, participating in a setup ceremony is easier than ever, as the participant counts of recent ceremonies show. The original Zcash ceremony had only six participants; modern ceremonies support many times that number. And since only one honest participant is needed for the CRS to be secure, more participants generally means more security, because every additional independent participant makes total collusion even less plausible.

Admittedly, even when the CRS is generated by a ceremony, the resulting security claim is not a mathematical one. But many cryptographic systems rest on somewhat informal assumptions. For example, we are confident that SHA-256 is a collision-resistant hash function because no one has found a collision, not because of any mathematical proof (in fact, mathematics proves the opposite: since there are far more possible inputs than 256-bit outputs, collisions must exist). SHA-256 is nonetheless widely used because the probability of finding a collision is so low that it can be ignored.

Likewise, it is hard (read: impossible) to determine the average probability that each participant in a setup ceremony behaves honestly, and so to prove mathematically that the resulting system is secure. However, as the number of participants grows, the odds of a compromised setup become negligible even under extremely pessimistic assumptions about the participants, and compare favourably with those of widely used cryptographic schemes. The number of participants in fact resembles a security parameter, the tunable quantity in theoretical cryptography that yields different “security levels” for different values.

Innovations that make setup ceremonies more efficient reflect the remarkable pace of ZKP research. Schemes keep getting more efficient, which makes applications practical and encourages further innovation, producing a ZKP improvement curve reminiscent of Moore’s law. There are even so-called “transparent” zkSNARKs (such as Fractal and SuperSonic) that eliminate the need for a trusted setup. Despite these innovations, the efficiency of existing zkSNARKs such as Groth16 means they will likely remain in use for years to come. Setup ceremonies can be opportunities for collaboration for the communities and projects that implement them. They therefore represent an opportunity worth embracing, rather than a necessary evil to be overcome.

References

ZeroCash: https://ieeexplore.ieee.org/document/6956581

Groth16: https://eprint.iacr.org/2016/260.pdf

Zcash setup ceremony: https://electriccoin.co/blog/the-design-of-the-ceremony/

Zcash setup (Radiolab): https://www.wnycstudios.org/podcasts/radiolab/articles/ceremony

Original MPC proposal for CRS generation: http://www.ieee-security.org/TC/SP2015/papers-archived/6949a287.pdf

Second MPC proposal: https://eprint.iacr.org/2017/602.pdf

MMORPG: https://eprint.iacr.org/2017/1050.pdf

Optimistic pipelining: https://ethresear.ch/t/accelerating-powers-of-tau-ceremonies-with-optimistic-pipelining/6870

Source link: medium.com
