Crate powersoftau [−] [src]
This ceremony constructs the "powers of tau" for Jens Groth's 2016 zk-SNARK proving system using the BLS12-381 pairing-friendly elliptic curve construction.
Participants of the ceremony receive a "challenge" file containing:
- the BLAKE2b hash of the last file entered into the transcript
Accumulator(with curve points encoded in uncompressed form for fast deserialization)
The participant runs a tool which generates a random keypair (
used for modifying the
Accumulator from the "challenge" file. The keypair is then used to
Accumulator, and a "response" file is generated containing:
- the BLAKE2b hash of the "challenge" file (thus forming a hash chain over the entire transcript)
Accumulator(with curve points encoded in compressed form for fast uploading)
This "challenge" file is entered into the protocol transcript. A given transcript is valid
if the transformations between consecutive
Accumulators verify with their respective
PublicKeys. Participants (and the public) can ensure that their contribution to the
Accumulator was accepted by ensuring the transcript contains their "response" file, ideally
by comparison of the BLAKE2b hash of the "response" file.
After some time has elapsed for participants to contribute to the ceremony, a participant is
simulated with a randomness beacon. The resulting
Accumulator contains partial zk-SNARK
public parameters for all circuits within a bounded size.
Abstraction over a reader which hashes the data being read.
Abstraction over a writer which hashes the data being written.
Contains the secrets τ, α and β that the participant of the ceremony must destroy.
Contains terms of the form (s1, s1x, H(s1x)2, H(s1x)2x) for all x in τ, α and β, and some s chosen randomly by its creator. The function H "hashes into" the group G2. No points in the public key may be the identity.
Determines if points should be checked for correctness during deserialization. This is not necessary for participants, because a transcript verifier can check this theirself.
Errors that might occur during deserialization.
Determines if point compression should be used.
The size of the accumulator on disk.
The size of the contribution on disk.
The "public key" is used to verify a contribution was correctly computed.
Constructs a keypair given an RNG and a 64-byte transcript
Verifies a transformation of the