This tool allows users to run an MPC ceremony for generating the proving and verifying keys for the Groth16 protocol as presented in BGM17. It does not include the beacon contribution since it was proved in KMSV21 that the security of the generated SRS still holds without it.
SMTB is a service for batch processing of Merkle tree updates. It is designed to be used in conjunction with the World ID contracts which use Semaphore as a dependency. It accepts Merkle tree updates and batches them together into a single one. This is useful for reducing the number of transactions that need to be submitted to the blockchain. The correctness of the batched Merkle tree update is assured through the generation of a SNARK (generated through gnark).
Each groth16 proof of a circuit requires a trusted setup that has 2 parts: a phase 1 which is also known as a "Powers of Tau ceremony" which is universal (the same one can be used for any circuit) and a phase2 which is circuit-specific, meaning that you need to a separate phase2 for every single circuit. In order to create an SRS to generate verifying keys for SMTB we would like many different members from different organizations to participate in the phase 2 of the trusted setup.
For the phase 1 we will be reusing the setup done by the joint effort of many community members, it is a powers of tau ceremony with 54 different contributions (more info here). A list of downloadable .ptau
files can be found here.
- Install git https://github.com/git-guides/install-git
- Install Go https://go.dev/doc/install
- Minimum RAM requirement is 16GB
This phase is circuit-specific, so if you have n
circuits, then you need to run this phase n
times.
Download the Powers of Tau () (.ptau
) file you need corresponding to the amount of constraints in your circuit from the snarkjs
repository.
Remember that you need sufficiently high powers of tau ceremony to generate a proof for a circuit with a given amount of constraints (
Import phase 1 by deserializing a .ptau file: semaphore-mtb-setup p1i <ceremony.ptau> <lastPhase1Contribution.ph1>
.
To get a sample r1cs file from semaphore-mtb
, checkout the semaphore-mtb
repository and run the following command:
cd ..
git clone https://github.com/worldcoin/semaphore-mtb.git
cd semaphore-mtb
go build
./gnark-mbu r1cs --mode <insertion/deletion> --tree-depth=<TREE_DEPTH> --batch-size=<BATCH_SIZE> --output=demo_smtb.r1cs
cd ..
Move the file into the semaphore-mtb-setup
directory:
mv ./semaphore-mtb/demo_smtb.r1cs ./semaphore-mtb-setup/smtb.r1cs
Depending on the R1CS file, the coordinator runs one of the following commands:
- Regular R1CS:
semaphore-mtb-setup p2n <lastPhase1Contribution.ph1> <r1cs> <initialPhase2Contribution.ph2>
. - Parted R1CS:
semaphore-mtb-setup p2np <phase1Path> <r1csPath> <outputPhase2> <#constraints> <#nbR1C> <batchSize>
This process is similar to phase 1, except we use commands p2c
and p2v
This is a sequential process that will be repeated for each contributor.
- The coordinator sends the latest
*.ph2
file to the current contributor - The contributor runs the command
semaphore-mtb-setup p2c <input.ph2> <output.ph2>
. - Upon successful contribution, the program will output contribution hash which must be attested to
- The contributor sends the output file back to the coordinator
- The coordinator verifies the file by running
semaphore-mtb-setup p2v <output.ph2> <initialPhase2Contribution.ph2>
. - Upon successful verification, the coordinator asks the contributor to attest to their contribution.
Security Note It is important for the coordinator to keep track of the contribution hashes output by semaphore-mtb-setup p2v
to determine whether the user has maliciously replaced previous contributions or re-initiated one on its own
At the end of the ceremony, the coordinator runs semaphore-mtb-setup key <lastPhase2Contribution.ph2>
which will output Groth16 bn254 curve pk
and vk
files
This phase is to generate a universal structured reference string (SRS) based on a power p
.
The value of 2ᵖ
determines the maximum number of constraints for circuits set up in the second phase.
This process will be skipped for the actual ceremony as we will be using the universal SRS generated by the community.
- Coordinator is responsible for initializing, coordinating, and verifying contributions.
- Contributors are chosen sequentially by the coordinator to contribute randomness to SRS. More importantly, contributors are requested to attest their contributions to the ceremony (e.g. social media announcements).
Note Values between <>
are arguments replaced by actual values during the setup
- Coordinator run the command
semaphore-mtb-setup p1n <p> <output.ph1>
.
This is a sequential process that will be repeated for each contributor.
- The coordinator sends the latest
*.ph1
file to the current contributor - The contributor runs the command
semaphore-mtb-setup p1c <input.ph1> <output.ph1>
. - Upon successful contribution, the program will output contribution hash which must be attested to
- The contributor sends the output file back to the coordinator
- The coordinator verifies the file by running
semaphore-mtb-setup p1v <output.ph1>
. - Upon successful verification, the coordinator asks the contributor to attest to their contribution.
Security Note It is important for the coordinator to keep track of the contribution hashes output by semaphore-mtb-setup p1v
to determine whether the user has maliciously replaced previous contributions or re-initiated one on its own
This repository is a fork of the zkbnb-setup repository. We would like to thank the authors of the original repository for their work as this project is a slight tweak of the original work to fit our needs.
We appreciate the community efforts to generate a good universal SRS for everyone's benefit to use and for the [iden3 team for building snarkjs.
Also a special thank you to Kobi Gurkan for his contributions to the ptau-deserialzier tool and his advice on the trusted setup process.