Crate powersoftau

This ceremony constructs the "powers of tau" for Jens Groth's 2016 zk-SNARK proving system using the BLS12-381 pairing-friendly elliptic curve construction.

Overview

Participants of the ceremony receive a "challenge" file containing:

  • the BLAKE2b hash of the last file entered into the transcript
  • an Accumulator (with curve points encoded in uncompressed form for fast deserialization)

The participant runs a tool which generates a random keypair (PublicKey, PrivateKey) used for modifying the Accumulator from the "challenge" file. The keypair is then used to transform the Accumulator, and a "response" file is generated containing:

  • the BLAKE2b hash of the "challenge" file (thus forming a hash chain over the entire transcript)
  • an Accumulator (with curve points encoded in compressed form for fast uploading)
  • the PublicKey

This "challenge" file is entered into the protocol transcript. A given transcript is valid if the transformations between consecutive Accumulators verify with their respective PublicKeys. Participants (and the public) can ensure that their contribution to the Accumulator was accepted by ensuring the transcript contains their "response" file, ideally by comparison of the BLAKE2b hash of the "response" file.
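The hash chain described above can be checked independently of the curve arithmetic. The following is an added example, not code from the powersoftau crate, and is written in Python because its standard library ships BLAKE2b. It assumes each file starts with its 64-byte hash followed by opaque payload bytes and that the first challenge carries BLAKE2b("") as its hash; all function names and sample payloads are constructed for illustration.

```python
import hashlib

HASH_LEN = 64  # BLAKE2b digest size, matching the 64-byte transcript digest


def blake2b(data: bytes) -> bytes:
    return hashlib.blake2b(data, digest_size=HASH_LEN).digest()


def check_hash_chain(files):
    """Check the hash prefixes of an alternating challenge/response list.

    Assumed layout (not taken from the crate): 64-byte BLAKE2b hash, then
    opaque accumulator/public-key bytes. The first challenge is assumed to
    carry BLAKE2b(b"") as its prefix.
    Returns the index of the first file whose prefix is wrong, else None.
    """
    expected = blake2b(b"")
    for index, blob in enumerate(files):
        if len(blob) < HASH_LEN or blob[:HASH_LEN] != expected:
            return index
        expected = blake2b(blob)  # the next file must commit to this whole file
    return None


def contribution_recorded(files, my_response: bytes) -> bool:
    """Participant's check: does the transcript contain my response's hash?"""
    mine = blake2b(my_response)
    return any(blake2b(blob) == mine for blob in files[1::2])  # responses: odd indexes


def build_constructed_transcript(rounds: int):
    """Constructed sample data: placeholder payloads, not real curve points."""
    files, prev = [], blake2b(b"")
    for r in range(rounds):
        challenge = prev + b"uncompressed-accumulator-%d" % r
        response = blake2b(challenge) + b"compressed-accumulator-%d|pubkey-%d" % (r + 1, r)
        files += [challenge, response]
        prev = blake2b(response)
    return files
```

A passing chain only shows that no file was altered or reordered after it was entered; whether each Accumulator transformation is valid is what `verify_transform` checks with the PublicKey.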

After some time has elapsed for participants to contribute to the ceremony, a participant is simulated with a randomness beacon. The resulting Accumulator contains partial zk-SNARK public parameters for all circuits within a bounded size.

Structs

Accumulator

The Accumulator is an object that participants of the ceremony contribute randomness to. This object contains powers of trapdoor tau in G1 and in G2 over fixed generators, and additionally in G1 over two other generators of exponents alpha and beta over those fixed generators. In other words:

HashReader

Abstraction over a reader which hashes the data being read.

HashWriter

Abstraction over a writer which hashes the data being written.

PrivateKey

Contains the secrets τ, α and β that the participant of the ceremony must destroy.

PublicKey

Contains terms of the form $(s_1, s_1^x, H(s_1^x)_2, H(s_1^x)_2^x)$ for all $x$ in τ, α and β, and some $s$ chosen randomly by its creator. The function H "hashes into" the group G2. No points in the public key may be the identity.

Enums

CheckForCorrectness

Determines if points should be checked for correctness during deserialization. This is not necessary for participants, because a transcript verifier can check this themselves.

DeserializationError

Errors that might occur during deserialization.

UseCompression

Determines if point compression should be used.

Constants

ACCUMULATOR_BYTE_SIZE

The size of the accumulator on disk.

CONTRIBUTION_BYTE_SIZE

The size of the contribution on disk.

PUBLIC_KEY_SIZE

The "public key" is used to verify a contribution was correctly computed.

Functions

blank_hash

Compute BLAKE2b("")

keypair

Constructs a keypair given an RNG and a 64-byte transcript digest.

verify_transform

Verifies a transformation of the Accumulator with the PublicKey, given a 64-byte transcript digest.