commit 5e7222e4bc0401ef8c6d8049b12a62d4854ac85c
Author: Dimitris Apostolou <dimitris.apostolou@icloud.com>
Date: Thu Mar 1 21:20:51 2018 +0200
Cleanup
commit 2e1bc7a7cd6c72e7c3d2ff74cb30f7a56515006c
Author: Dimitris Apostolou <dimitris.apostolou@icloud.com>
Date: Thu Mar 1 21:19:53 2018 +0200
Cleanup
commit edd7fa87fb2c839c17457ff004d258a049df832f
Author: Dimitris Apostolou <dimitris.apostolou@icloud.com>
Date: Thu Mar 1 21:18:57 2018 +0200
Cleanup
commit ee34e1433806655a7123f0617802aa4771507dff
Author: Dimitris Apostolou <dimitris.apostolou@icloud.com>
Date: Thu Mar 1 21:18:10 2018 +0200
Cleanup
commit 20779e4021b8ab95a87289d2741ad2f0fbc7fb39
Author: Dimitris Apostolou <dimitris.apostolou@icloud.com>
Date: Thu Mar 1 21:16:52 2018 +0200
Cleanup
commit 084e1aa563807f5625ad3aaff376b598e139f2a7
Author: Dimitris Apostolou <dimitris.apostolou@icloud.com>
Date: Tue Feb 27 18:42:49 2018 +0200
Fix typo
commit c61a7c2319d3b9b96d1b5ad52ecf9d4f2fd92658
Author: Dimitris Apostolou <dimitris.apostolou@icloud.com>
Date: Tue Feb 27 18:37:43 2018 +0200
Cleanup
commit e435c0229b0cbe3f4a77f43b01ca87ed0552d405
Author: Dimitris Apostolou <dimitris.apostolou@icloud.com>
Date: Tue Feb 27 18:17:58 2018 +0200
Fix typos
commit e05bff3fea8915e95a473fe3266b2b1f727deca0
Author: Dimitris Apostolou <dimitris.apostolou@icloud.com>
Date: Tue Feb 27 17:59:32 2018 +0200
Fix typo
commit 8c55c7840232cef7fa4389a12f6f220e86f5f581
Author: Dimitris Apostolou <dimitris.apostolou@icloud.com>
Date: Tue Feb 27 17:46:33 2018 +0200
Fix typos
commit a1edfcc5cc29d815ba7e8c4baaf14c23ef93af64
Author: Dimitris Apostolou <dimitris.apostolou@icloud.com>
Date: Tue Feb 27 17:39:41 2018 +0200
Fix typos
commit 2ce2c4d180e936ccc5c10745a6430fda5de38a9b
Author: Dimitris Apostolou <dimitris.apostolou@icloud.com>
Date: Tue Feb 27 17:14:10 2018 +0200
Fix typo
commit 5bdc6cd5bc9cff93aa48fbdeda36d4d9774bfa18
Author: Dimitris Apostolou <dimitris.apostolou@icloud.com>
Date: Tue Feb 27 17:12:14 2018 +0200
Fix typo
commit d08749f549575efc6f44a7f80850bc439c12ad5c
Author: Dimitris Apostolou <dimitris.apostolou@icloud.com>
Date: Tue Feb 27 16:54:06 2018 +0200
Revert one change
commit a734bb1191c692f09f58bcc8e85160ce7c839905
Author: Dimitris Apostolou <dimitris.apostolou@icloud.com>
Date: Tue Feb 27 16:52:45 2018 +0200
Fix typo
commit 95fbc8d94bbefc0db989c83d0f053111bfed45e7
Author: Dimitris Apostolou <dimitris.apostolou@icloud.com>
Date: Tue Feb 27 16:51:33 2018 +0200
Fix typos
commit d17d540a83d035cf9a200f9a8b19f0fab6084728
Author: Dimitris Apostolou <dimitris.apostolou@icloud.com>
Date: Tue Feb 27 16:49:36 2018 +0200
Fix typo
commit c4bf4402210bcb926ccfb3928afeb3a8a7490b42
Author: Dimitris Apostolou <dimitris.apostolou@icloud.com>
Date: Tue Feb 27 16:48:09 2018 +0200
Fix typo
commit 25e7990848a1d723702e2d041c04bc68a6c1275f
Author: Dimitris Apostolou <dimitris.apostolou@icloud.com>
Date: Tue Feb 27 16:47:01 2018 +0200
Fix typo
commit d72ffb5b0253e0d7b992ffe13c40695421378dc3
Author: Dimitris Apostolou <dimitris.apostolou@icloud.com>
Date: Tue Feb 27 16:45:20 2018 +0200
Fix typo
commit 705e6f271192a575cc99d794545b0efe75d964c4
Author: Dimitris Apostolou <dimitris.apostolou@icloud.com>
Date: Tue Feb 27 16:41:19 2018 +0200
Revert one change
commit 4fd26cd29e21c42b027e37da2616761ebc399d16
Author: Dimitris Apostolou <dimitris.apostolou@icloud.com>
Date: Tue Feb 27 16:39:41 2018 +0200
Revert commit
commit 8a5cc627b1048368fe8807973d1f542bab2e045f
Author: Dimitris Apostolou <dimitris.apostolou@icloud.com>
Date: Tue Feb 27 16:28:56 2018 +0200
Fix typo
commit 0a24baa7258c0ae0f244d82af8d0831b148ab012
Author: Dimitris Apostolou <dimitris.apostolou@icloud.com>
Date: Tue Feb 27 16:15:45 2018 +0200
Fix typo
commit 38f93ecd90171fb881243f0de55b3452daccff20
Author: Dimitris Apostolou <dimitris.apostolou@icloud.com>
Date: Tue Feb 27 15:56:49 2018 +0200
Fix typos
commit 15446fd62400c36c2a51f7e6f13725cc8adfd924
Author: Dimitris Apostolou <dimitris.apostolou@icloud.com>
Date: Tue Feb 27 15:48:00 2018 +0200
Fix typos
commit 76533b41986bbc5826070a1e644215a74757c1db
Author: Dimitris Apostolou <dimitris.apostolou@icloud.com>
Date: Tue Feb 27 15:04:38 2018 +0200
Fix typo
commit aea330c2b0bf76975ec69142a732288cc8b192bd
Author: Dimitris Apostolou <dimitris.apostolou@icloud.com>
Date: Tue Feb 27 14:46:29 2018 +0200
Fix typo
commit 8b1b1d0be1dc44f36c22c54d1a3d56d84d456b92
Author: Dimitris Apostolou <dimitris.apostolou@icloud.com>
Date: Tue Feb 27 14:40:23 2018 +0200
Fix typo
commit 46ea76785a26cf20a664ed211c8f3fb9a283e127
Author: Dimitris Apostolou <dimitris.apostolou@icloud.com>
Date: Tue Feb 27 14:14:17 2018 +0200
Fix typo
commit e0d7c5748545dd0975507ad603623072fcc6bdea
Author: Dimitris Apostolou <dimitris.apostolou@icloud.com>
Date: Tue Feb 27 14:08:24 2018 +0200
Fix typo
commit 604d5a244323b17ba596b12d245407e1cf63a375
Merge: 6c081ca 1c65b2b
Author: Dimitris Apostolou <dimitris.apostolou@icloud.com>
Date: Tue Feb 27 09:03:23 2018 +0200
Merge pull request #36 from rex4539/patch-36
Fix typo
commit 6c081caf28b7cef9e62ed523284dff90e4add16d
Merge: 899e5d2 88fa2d9
Author: Dimitris Apostolou <dimitris.apostolou@icloud.com>
Date: Tue Feb 27 09:02:49 2018 +0200
Merge pull request #35 from rex4539/patch-35
Fix typo
commit 899e5d2c343ac7ea5069b8548e5df86c8e963e21
Merge: 6380c7f 40e73e2
Author: Dimitris Apostolou <dimitris.apostolou@icloud.com>
Date: Tue Feb 27 09:02:16 2018 +0200
Merge pull request #34 from rex4539/patch-34
Fix typo
commit 6380c7f740246474c69d8145bde61688551efe83
Merge: f592274 4567667
Author: Dimitris Apostolou <dimitris.apostolou@icloud.com>
Date: Tue Feb 27 09:01:47 2018 +0200
Merge pull request #33 from rex4539/patch-33
Fix typos
commit f592274a713162da0083bd6d22fb47cb1afcdba9
Merge: d86ef7e 4aeaa3a
Author: Dimitris Apostolou <dimitris.apostolou@icloud.com>
Date: Tue Feb 27 09:01:14 2018 +0200
Merge pull request #32 from rex4539/patch-32
Fix typo
commit d86ef7e5e4f7e9c2014358ec5b647d1815eb304d
Merge: fe0b432 5cdd1b2
Author: Dimitris Apostolou <dimitris.apostolou@icloud.com>
Date: Tue Feb 27 09:00:41 2018 +0200
Merge pull request #31 from rex4539/patch-31
Fix typo
commit fe0b432ee125ae0b876af2c26139dfc979005a3b
Merge: 6fd6d0d 70130d0
Author: Dimitris Apostolou <dimitris.apostolou@icloud.com>
Date: Tue Feb 27 09:00:12 2018 +0200
Merge pull request #30 from rex4539/patch-30
Fix typos
commit 6fd6d0dcf3714118a623c0d8d84aabb4578410a8
Merge: 389660f 3377426
Author: Dimitris Apostolou <dimitris.apostolou@icloud.com>
Date: Tue Feb 27 08:59:42 2018 +0200
Merge pull request #29 from rex4539/patch-29
Fix typo
commit 389660f856cb60ff475a8757aad3873b99213cc0
Merge: a0b85ce 40643eb
Author: Dimitris Apostolou <dimitris.apostolou@icloud.com>
Date: Tue Feb 27 08:59:15 2018 +0200
Merge pull request #28 from rex4539/patch-28
Fix typo
commit a0b85ce3b4d2e6596da0727e05c1fe15c289b1e7
Merge: 6f9a1c7 23ead80
Author: Dimitris Apostolou <dimitris.apostolou@icloud.com>
Date: Tue Feb 27 08:58:42 2018 +0200
Merge pull request #27 from rex4539/patch-27
Fix typo
commit 6f9a1c71a680bb3ed1c249dd42bf0a54663d0af3
Merge: b880547 3612eab
Author: Dimitris Apostolou <dimitris.apostolou@icloud.com>
Date: Tue Feb 27 08:58:06 2018 +0200
Merge pull request #26 from rex4539/patch-26
Patch 26
commit b880547415afeae36bd19867388e60a3040a15ca
Merge: a3b7da2 5c3177f
Author: Dimitris Apostolou <dimitris.apostolou@icloud.com>
Date: Tue Feb 27 08:57:24 2018 +0200
Merge pull request #25 from rex4539/patch-25
Fix typo
commit a3b7da2c6d6691f38751292e1aea63498a325788
Merge: edd8586 60026ef
Author: Dimitris Apostolou <dimitris.apostolou@icloud.com>
Date: Tue Feb 27 08:56:52 2018 +0200
Merge pull request #24 from rex4539/patch-24
Fix typo
commit edd8586fdf8c112f4c513804610c237d7e2e80ef
Merge: 0c28eb7 f979c00
Author: Dimitris Apostolou <dimitris.apostolou@icloud.com>
Date: Tue Feb 27 08:56:12 2018 +0200
Merge pull request #23 from rex4539/patch-23
Fix typo
commit 0c28eb7717821b1d68016f40911d07f2a7231b4f
Merge: 775beb6 c900722
Author: Dimitris Apostolou <dimitris.apostolou@icloud.com>
Date: Tue Feb 27 08:55:42 2018 +0200
Merge pull request #22 from rex4539/patch-22
Fix typo
commit 775beb625beb1fc5f72388c076b295de4b8ff039
Merge: a0cf889 1027543
Author: Dimitris Apostolou <dimitris.apostolou@icloud.com>
Date: Tue Feb 27 08:55:16 2018 +0200
Merge pull request #21 from rex4539/patch-21
Fix typo
commit a0cf88971e756c37c406bab3066c11d6fc7f6d74
Merge: 4504b48 f3fa89b
Author: Dimitris Apostolou <dimitris.apostolou@icloud.com>
Date: Tue Feb 27 08:54:44 2018 +0200
Merge pull request #20 from rex4539/patch-20
Fix typo
commit 4504b4824b3438e931ca8d24a56b1887657e87cd
Merge: dd0bcbf 2699eca
Author: Dimitris Apostolou <dimitris.apostolou@icloud.com>
Date: Tue Feb 27 08:54:20 2018 +0200
Merge pull request #19 from rex4539/patch-19
Fix typo
commit dd0bcbfc89293e9760156d5534f3a558451e1f29
Merge: abfb65a f02ef2e
Author: Dimitris Apostolou <dimitris.apostolou@icloud.com>
Date: Tue Feb 27 08:53:46 2018 +0200
Merge pull request #18 from rex4539/patch-18
Fix typos
commit abfb65afaed49c34b9875df79f6fe6eb2b7bf769
Merge: 68b46b7 6485c90
Author: Dimitris Apostolou <dimitris.apostolou@icloud.com>
Date: Tue Feb 27 08:53:08 2018 +0200
Merge pull request #17 from rex4539/patch-17
Fix typo
commit 68b46b75d2e5b7ae97e83fc5541c46b4907a7899
Merge: a131e84 fcc0828
Author: Dimitris Apostolou <dimitris.apostolou@icloud.com>
Date: Tue Feb 27 08:52:39 2018 +0200
Merge pull request #16 from rex4539/patch-16
Fix typo
commit a131e844652e58aff78fa8952e7547a9ba82b8a1
Merge: 8487c0e 8a688ff
Author: Dimitris Apostolou <dimitris.apostolou@icloud.com>
Date: Tue Feb 27 08:51:54 2018 +0200
Merge pull request #15 from rex4539/patch-15
Fix typo
commit 8487c0e39092b74e977c7a60f4a07a27606756a8
Merge: bcc4cb4 bb60b83
Author: Dimitris Apostolou <dimitris.apostolou@icloud.com>
Date: Tue Feb 27 08:51:28 2018 +0200
Merge pull request #14 from rex4539/patch-14
Fix typos
commit bcc4cb46130e789faa9adae9b159ca818f67ec52
Merge: 23e66e9 53539bb
Author: Dimitris Apostolou <dimitris.apostolou@icloud.com>
Date: Tue Feb 27 08:51:00 2018 +0200
Merge pull request #13 from rex4539/patch-13
Fix typos
commit 23e66e956bff2d6935c7a4dd570d457294018a77
Merge: 56956cf 0808445
Author: Dimitris Apostolou <dimitris.apostolou@icloud.com>
Date: Tue Feb 27 08:50:27 2018 +0200
Merge pull request #12 from rex4539/patch-12
Fix typo
commit 56956cf23ba1208aa39cb3ab1ef60375c6630263
Merge: 77007d4 7a4f064
Author: Dimitris Apostolou <dimitris.apostolou@icloud.com>
Date: Tue Feb 27 08:49:59 2018 +0200
Merge pull request #11 from rex4539/patch-11
Fix typo
commit 77007d49fa1d8cb80aef02bea1dd15e522a47c90
Merge: e78ad0c 48c33fb
Author: Dimitris Apostolou <dimitris.apostolou@icloud.com>
Date: Tue Feb 27 08:49:16 2018 +0200
Merge pull request #10 from rex4539/patch-10
Fix typo
commit e78ad0cf0d91955a848f5e953a042eabdcdac198
Merge: 38a3e08 809f01c
Author: Dimitris Apostolou <dimitris.apostolou@icloud.com>
Date: Tue Feb 27 08:48:33 2018 +0200
Merge pull request #9 from rex4539/patch-9
Fix typo
commit 38a3e08699fe4c4ec715b1783dba18bff6b829fb
Merge: eee3c28 fec279c
Author: Dimitris Apostolou <dimitris.apostolou@icloud.com>
Date: Tue Feb 27 08:48:05 2018 +0200
Merge pull request #8 from rex4539/patch-8
Fix typo
commit eee3c286eb84f994310142a9e7fdbd36a671e593
Merge: 702635b cf81b4e
Author: Dimitris Apostolou <dimitris.apostolou@icloud.com>
Date: Tue Feb 27 08:47:33 2018 +0200
Merge pull request #7 from rex4539/patch-7
Fix typo
commit 702635bb34abb2f83ded27ae95deefd5b6e7df93
Merge: d7497ea 3bbcc3d
Author: Dimitris Apostolou <dimitris.apostolou@icloud.com>
Date: Tue Feb 27 08:47:01 2018 +0200
Merge pull request #6 from rex4539/patch-6
Fix typo
commit d7497ea070e03380cf1d4f533b7dc4b881f724f8
Merge: bfcc1e8 f639727
Author: Dimitris Apostolou <dimitris.apostolou@icloud.com>
Date: Tue Feb 27 08:45:33 2018 +0200
Merge pull request #5 from rex4539/patch-5
Fix typos
commit bfcc1e8ae2094ca4e9837f623999705f538aff04
Merge: f4440ec 55262fe
Author: Dimitris Apostolou <dimitris.apostolou@icloud.com>
Date: Tue Feb 27 08:45:05 2018 +0200
Merge pull request #4 from rex4539/patch-4
Remove space for word "backup"
commit f4440ecd4a7367e6bc4a5f75bea112290017ed2b
Merge: f8b487f 61d5279
Author: Dimitris Apostolou <dimitris.apostolou@icloud.com>
Date: Tue Feb 27 08:44:31 2018 +0200
Merge pull request #3 from rex4539/patch-3
Fix typos in zmq.md
commit f8b487f5699990fabc7fc383d02bc728db3cb9aa
Merge: 60104a7 f2ce50f
Author: Dimitris Apostolou <dimitris.apostolou@icloud.com>
Date: Tue Feb 27 08:42:51 2018 +0200
Merge pull request #2 from rex4539/patch-2
Fix typo in security-warnings.md
commit 60104a7034f55284afb814e81a1430a8b2b0d8d1
Merge:
|
||
---|---|---|
.. | ||
libsnark | ||
.gitignore | ||
AUTHORS | ||
LICENSE | ||
Makefile | ||
README.md | ||
doxygen.conf |
README.md
libsnark: a C++ library for zkSNARK proofs
Authors
The libsnark library is developed by the [SCIPR Lab] project and contributors and is released under the MIT License (see the [LICENSE] file).
Copyright (c) 2012-2014 SCIPR Lab and contributors (see [AUTHORS] file).
[TOC]
Overview
This library implements zkSNARK schemes, which are a cryptographic method for proving/verifying, in zero knowledge, the integrity of computations.
A computation can be expressed as an NP statement, in forms such as the following:
- "The C program foo, when executed, returns exit code 0 if given the input bar and some additional input qux."
- "The Boolean circuit foo is satisfiable by some input qux."
- "The arithmetic circuit foo accepts the partial assignment bar, when extended into some full assignment qux."
- "The set of constraints foo is satisfiable by the partial assignment bar, when extended into some full assignment qux."
A prover who knows the witness for the NP statement (i.e., a satisfying input/assignment) can produce a short proof attesting to the truth of the NP statement. This proof can be verified by anyone, and offers the following properties.
- Zero knowledge: the verifier learns nothing from the proof beside the truth of the statement (i.e., the value qux, in the above examples, remains secret).
- Succinctness: the proof is short and easy to verify.
- Non-interactivity: the proof is a string (i.e. it does not require back-and-forth interaction between the prover and the verifier).
- Soundness: the proof is computationally sound (i.e., it is infeasible to fake a proof of a false NP statement). Such a proof system is also called an argument.
- Proof of knowledge: the proof attests not just that the NP statement is true, but also that the prover knows why (e.g., knows a valid qux).
These properties are summarized by the zkSNARK acronym, which stands for Zero-Knowledge Succinct Non-interactive ARgument of Knowledge (though zkSNARKs are also knows as succinct non-interactive computationally-sound zero-knowledge proofs of knowledge). For formal definitions and theoretical discussions about these, see
BCCT12], \[BCIOP13], and the references therein.
The libsnark library currently provides a C++ implementation of:
1. General-purpose proof systems:
1. A preprocessing zkSNARK for the NP-complete language "R1CS"
(_Rank-1 Constraint Systems_), which is a language that is similar to arithmetic
circuit satisfiability.
2. A preprocessing SNARK for a language of arithmetic circuits, "BACS"
(_Bilinear Arithmetic Circuit Satisfiability_). This simplifies the writing
of NP statements when the additional flexibility of R1CS is not needed.
Internally, it reduces to R1CS.
3. A preprocessing SNARK for the language "USCS"
(_Unitary-Square Constraint Systems_). This abstracts and implements the core
contribution of \[DFGK14]
4. A preprocessing SNARK for a language of Boolean circuits, "TBCS"
(_Two-input Boolean Circuit Satisfiability_). Internally, it reduces to USCS.
This is much more efficient than going through R1CS.
5. ADSNARK, a preprocessing SNARKs for proving statements on authenticated
data, as described in \[BBFR15].
6. Proof-Carrying Data (PCD). This uses recursive composition of SNARKs, as
explained in \[BCCT13] and optimized in \[BCTV14b].
2. Gadget libraries (gadgetlib1 and gadgetlib2) for constructing R1CS
instances out of modular "gadget" classes.
3. Examples of applications that use the above proof systems to prove
statements about:
1. Several toy examples.
2. Execution of TinyRAM machine code, as explained in \[BCTV14a] and
\[BCGTV13]. (Such machine code can be obtained, e.g., by compiling from C.)
This is easily adapted to any other Random Access Machine that satisfies a
simple load-store interface.
3. A scalable for TinyRAM using Proof-Carrying Data, as explained in \[BCTV14b]
4. Zero-knowledge cluster MapReduce, as explained in \[CTV15].
The zkSNARK construction implemented by libsnark follows, extends, and
optimizes the approach described in \[BCTV14], itself an extension of
\[BCGTV13], following the approach of \[BCIOP13] and \[GGPR13]. An alternative
implementation of the basic approach is the _Pinocchio_ system of \[PGHR13].
See these references for discussions of efficiency aspects that arise in
practical use of such constructions, as well as security and trust
considerations.
This scheme is a _preprocessing zkSNARK_ (_ppzkSNARK_): before proofs can be
created and verified, one needs to first decide on a size/circuit/system
representing the NP statements to be proved, and run a _generator_ algorithm to
create corresponding public parameters (a long proving key and a short
verification key).
Using the library involves the following high-level steps:
1. Express the statements to be proved as an R1CS (or any of the other
languages above, such as arithmetic circuits, Boolean circuits, or TinyRAM).
This is done by writing C++ code that constructs an R1CS, and linking this code
together with libsnark
2. Use libsnark's generator algorithm to create the public parameters for this
statement (once and for all).
3. Use libsnark's prover algorithm to create proofs of true statements about
the satisfiability of the R1CS.
4. Use libsnark's verifier algorithm to check proofs for alleged statements.
--------------------------------------------------------------------------------
The NP-complete language R1CS
--------------------------------------------------------------------------------
The ppzkSNARK supports proving/verifying membership in a specific NP-complete
language: R1CS (*rank-1 constraint systems*). An instance of the language is
specified by a set of equations over a prime field F, and each equation looks like:
< A, (1,X) > * < B , (1,X) > = < C, (1,X) >
where A,B,C are vectors over F, and X is a vector of variables.
In particular, arithmetic (as well as boolean) circuits are easily reducible to
this language by converting each gate into a rank-1 constraint. See \[BCGTV13]
Appendix E (and "System of Rank 1 Quadratic Equations") for more details about this.
--------------------------------------------------------------------------------
Elliptic curve choices
--------------------------------------------------------------------------------
The ppzkSNARK can be instantiated with different parameter choices, depending on
which elliptic curve is used. The libsnark library currently provides three
options:
* "edwards":
an instantiation based on an Edwards curve, providing 80 bits of security.
* "bn128":
an instantiation based on a Barreto-Naehrig curve, providing 128
bits of security. The underlying curve implementation is
\[ate-pairing], which has incorporated our patch that changes the
BN curve to one suitable for SNARK applications.
* This implementation uses dynamically-generated machine code for the curve
arithmetic. Some modern systems disallow execution of code on the heap, and
will thus block this implementation.
For example, on Fedora 20 at its default settings, you will get the error
`zmInit ERR:can't protect` when running this code. To solve this,
run `sudo setsebool -P allow_execheap 1` to allow execution,
or use `make CURVE=ALT_BN128` instead.
* "alt_bn128":
an alternative to "bn128", somewhat slower but avoids dynamic code generation.
Note that bn128 requires an x86-64 CPU while the other curve choices
should be architecture-independent; see [portability](#portability).
--------------------------------------------------------------------------------
Gadget libraries
--------------------------------------------------------------------------------
The libsnark library currently provides two libraries for conveniently constructing
R1CS instances out of reusable "gadgets". Both libraries provide a way to construct
gadgets on other gadgets as well as additional explicit equations. In this way,
complex R1CS instances can be built bottom up.
### gadgetlib1
This is a low-level library which expose all features of the preprocessing
zkSNARK for R1CS. Its design is based on templates (as does the ppzkSNARK code)
to efficiently support working on multiple elliptic curves simultaneously. This
library is used for most of the constraint-building in libsnark, both internal
(reductions and Proof-Carrying Data) and examples applications.
### gadgetlib2
This is an alternative library for constructing systems of polynomial equations
and, in particular, also R1CS instances. It is better documented and easier to
use than gadgetlib1, and its interface does not use templates. However, fewer
useful gadgets are provided.
--------------------------------------------------------------------------------
Security
--------------------------------------------------------------------------------
The theoretical security of the underlying mathematical constructions, and the
requisite assumptions, are analyzed in detailed in the aforementioned research
papers.
**
This code is a research-quality proof of concept, and has not
yet undergone extensive review or testing. It is thus not suitable,
as is, for use in critical or production systems.
**
Known issues include the following:
* The ppzkSNARK's generator and prover exhibit data-dependent running times
and memory usage. These form timing and cache-contention side channels,
which may be an issue in some applications.
* Randomness is retrieved from /dev/urandom, but this should be
changed to a carefully considered (depending on system and threat
model) external, high-quality randomness source when creating
long-term proving/verification keys.
--------------------------------------------------------------------------------
Build instructions
--------------------------------------------------------------------------------
The libsnark library relies on the following:
- C++ build environment
- GMP for certain bit-integer arithmetic
- libprocps for reporting memory usage
- GTest for some of the unit tests
So far we have tested these only on Linux, though we have been able to make the library work,
with some features disabled (such as memory profiling or GTest tests), on Windows via Cygwin
and on Mac OS X. (If you succeed in achieving more complete ports of the library, please
let us know!) See also the notes on [portability](#portability) below.
For example, on a fresh install of Ubuntu 14.04, install the following packages:
$ sudo apt-get install build-essential git libgmp3-dev libprocps3-dev libgtest-dev python-markdown libboost-all-dev libssl-dev
Or, on Fedora 20:
$ sudo yum install gcc-c++ make git gmp-devel procps-ng-devel gtest-devel python-markdown
Run the following, to fetch dependencies from their GitHub repos and compile them.
(Not required if you set `CURVE` to other than the default `BN128` and also set `NO_SUPERCOP=1`.)
$ ./prepare-depends.sh
Then, to compile the library, tests, profiling harness and documentation, run:
$ make
To create just the HTML documentation, run
$ make doc
and then view the resulting `README.html` (which contains the very text you are reading now).
To create Doxygen documentation summarizing all files, classes and functions,
with some (currently sparse) comments, install the `doxygen` and `graphviz` packages, then run
$ make doxy
(this may take a few minutes). Then view the resulting [`doxygen/index.html`](doxygen/index.html).
### Using libsnark as a library
To develop an application that uses libsnark, you could add it within the libsnark directory tree and adjust the Makefile, but it is far better to build libsnark as a (shared or static) library. You can then write your code in a separate directory tree, and link it against libsnark.
To build just the shared object library `libsnark.so`, run:
$ make lib
To build just the static library `libsnark.a`, run:
$ make lib STATIC=1
Note that static compilation requires static versions of all libraries it depends on.
It may help to minimize these dependencies by appending
`CURVE=ALT_BN128 NO_PROCPS=1 NO_GTEST=1 NO_SUPERCOP=1`. On Fedora 21, the requisite
library RPM dependencies are then:
`boost-static glibc-static gmp-static libstdc++-static openssl-static zlib-static
boost-devel glibc-devel gmp-devel gmp-devel libstdc++-devel openssl-devel openssl-devel`.
To build *and install* the libsnark library:
$ make install PREFIX=/install/path
This will install `libsnark.so` into `/install/path/lib`; so your application should be linked using `-L/install/path/lib -lsnark`. It also installs the requisite headers into `/install/path/include`; so your application should be compiled using `-I/install/path/include`.
In addition, unless you use `NO_SUPERCOP=1`, `libsupercop.a` will be installed and should be linked in using `-lsupercop`.
### Building on Windows using Cygwin
Install Cygwin using the graphical installer, including the `g++`, `libgmp`
and `git` packages. Then disable the dependencies not easily supported under CygWin,
using:
$ make NO_PROCPS=1 NO_GTEST=1 NO_DOCS=1
### Building on Mac OS X
On Mac OS X, install GMP from MacPorts (`port install gmp`). Then disable the
dependencies not easily supported under CygWin, using:
$ make NO_PROCPS=1 NO_GTEST=1 NO_DOCS=1
MacPorts does not write its libraries into standard system folders, so you
might need to explicitly provide the paths to the header files and libraries by
appending `CXXFLAGS=-I/opt/local/include LDFLAGS=-L/opt/local/lib` to the line
above. Similarly, to pass the paths to ate-pairing you would run
`INC_DIR=-I/opt/local/include LIB_DIR=-L/opt/local/lib ./prepare-depends.sh`
instead of `./prepare-depends.sh` above.
--------------------------------------------------------------------------------
Tutorials
--------------------------------------------------------------------------------
libsnark includes a tutorial, and some usage examples, for the high-level API.
* `src/gadgetlib1/examples1` contains a simple example for constructing a
constraint system using gadgetlib1.
* `src/gadgetlib2/examples` contains a tutorial for using gadgetlib2 to express
NP statements as constraint systems. It introduces basic terminology, design
overview, and recommended programming style. It also shows how to invoke
ppzkSNARKs on such constraint systems. The main file, `tutorial.cpp`, builds
into a standalone executable.
* `src/zk_proof_systems/ppzksnark/r1cs_ppzksnark/profiling/profile_r1cs_ppzksnark.cpp`
constructs a simple constraint system and runs the ppzksnark. See below for how to
run it.
--------------------------------------------------------------------------------
Executing profiling example
--------------------------------------------------------------------------------
The command
$ src/zk_proof_systems/ppzksnark/r1cs_ppzksnark/profiling/profile_r1cs_ppzksnark 1000 10 Fr
exercises the ppzkSNARK (first generator, then prover, then verifier) on an
R1CS instance with 1000 equations and an input consisting of 10 field elements.
(If you get the error `zmInit ERR:can't protect`, see the discussion
[above](#elliptic-curve-choices).)
The command
$ src/zk_proof_systems/ppzksnark/r1cs_ppzksnark/profiling/profile_r1cs_ppzksnark 1000 10 bytes
does the same but now the input consists of 10 bytes.
--------------------------------------------------------------------------------
Build options
--------------------------------------------------------------------------------
The following flags change the behavior of the compiled code.
* `make FEATUREFLAGS='-Dname1 -Dname2 ...'`
Override the active conditional #define names (you can see the default at the top of the Makefile).
The next bullets list the most important conditionally-#defined features.
For example, `make FEATUREFLAGS='-DBINARY_OUTPUT'` enables binary output and disables the default
assembly optimizations and Montgomery-representation output.
* define `BINARY_OUTPUT`
In serialization, output raw binary data (instead of decimal, when not set).
* `make CURVE=choice` / define `CURVE_choice` (where `choice` is one of:
ALT_BN128, BN128, EDWARDS, MNT4, MNT6)
Set the default curve to one of the above (see [elliptic curve choices](#elliptic-curve-choices)).
* `make DEBUG=1` / define `DEBUG`
Print additional information for debugging purposes.
* `make LOWMEM=1` / define `LOWMEM`
Limit the size of multi-exponentiation tables, for low-memory platforms.
* `make NO_DOCS=1`
Do not generate HTML documentation, e.g. on platforms where Markdown is not easily available.
* `make NO_PROCPS=1`
Do not link against libprocps. This disables memory profiling.
* `make NO_GTEST=1`
Do not link against GTest. The tutorial and test suite of gadgetlib2 tutorial won't be compiled.
* `make NO_SUPERCOP=1`
Do not link against SUPERCOP for optimized crypto. The ADSNARK executables will not be built.
* `make MULTICORE=1`
Enable parallelized execution of the ppzkSNARK generator and prover, using OpenMP.
This will utilize all cores on the CPU for heavyweight parallelizable operations such as
FFT and multiexponentiation. The default is single-core.
To override the maximum number of cores used, set the environment variable `OMP_NUM_THREADS`
at runtime (not compile time), e.g., `OMP_NUM_THREADS=8 test_r1cs_sp_ppzkpc`. It defaults
to the autodetected number of cores, but on some devices, dynamic core management confused
OpenMP's autodetection, so setting `OMP_NUM_THREADS` is necessary for full utilization.
* define `NO_PT_COMPRESSION`
Do not use point compression.
This gives much faster serialization times, at the expense of ~2x larger
sizes for serialized keys and proofs.
* define `MONTGOMERY_OUTPUT` (on by default)
Serialize Fp elements as their Montgomery representations. If this
option is disabled then Fp elements are serialized as their
equivalence classes, which is slower but produces human-readable
output.
* `make PROFILE_OP_COUNTS=1` / define `PROFILE_OP_COUNTS`
Collect counts for field and curve operations inside static variables
of the corresponding algebraic objects. This option works for all
curves except bn128.
* define `USE_ASM` (on by default)
Use unrolled assembly routines for F[p] arithmetic and faster heap in
multi-exponentiation. (When not set, use GMP's `mpn_*` routines instead.)
* define `USE_MIXED_ADDITION`
Convert each element of the proving key and verification key to
affine coordinates. This allows using mixed addition formulas in
multiexponentiation and results in slightly faster prover and
verifier runtime at expense of increased proving time.
* `make PERFORMANCE=1`
Enables compiler optimizations such as link-time optimization, and disables debugging aids.
(On some distributions this causes a `plugin needed to handle lto object` link error and `undefined reference`s, which can be remedied by `AR=gcc-ar make ...`.)
Not all combinations are tested together or supported by every part of the codebase.
--------------------------------------------------------------------------------
Portability
--------------------------------------------------------------------------------
libsnark is written in fairly standard C++11.
However, having been developed on Linux on x86-64 CPUs, libsnark has some limitations
with respect to portability. Specifically:
1. libsnark's algebraic data structures assume little-endian byte order.
2. Profiling routines use `clock_gettime` and `readproc` calls, which are Linux-specific.
3. Random-number generation is done by reading from `/dev/urandom`, which is
specific to Unix-like systems.
4. libsnark binary serialization routines (see `BINARY_OUTPUT` above) assume
a fixed machine word size (i.e. sizeof(mp_limb_t) for GMP's limb data type).
Objects serialized in binary on a 64-bit system cannot be de-serialized on
a 32-bit system, and vice versa.
(The decimal serialization routines have no such limitation.)
5. libsnark requires a C++ compiler with good C++11 support. It has been
tested with g++ 4.7, g++ 4.8, and clang 3.4.
6. On x86-64, we by default use highly optimized assembly implementations for some
operations (see `USE_ASM` above). On other architectures we fall back to a
portable C++ implementation, which is slower.
Tested configurations include:
* Debian jessie with g++ 4.7 on x86-64
* Debian jessie with clang 3.4 on x86-64
* Fedora 20/21 with g++ 4.8.2/4.9.2 on x86-64 and i686
* Ubuntu 14.04 LTS with g++ 4.8 on x86-64
* Ubuntu 14.04 LTS with g++ 4.8 on x86-32, for EDWARDS and ALT_BN128 curve choices
* Debian wheezy with g++ 4.7 on ARM little endian (Debian armel port) inside QEMU, for EDWARDS and ALT_BN128 curve choices
* Windows 7 with g++ 4.8.3 under Cygwin 1.7.30 on x86-64 with NO_PROCPS=1, NO_GTEST=1 and NO_DOCS=1, for EDWARDS and ALT_BN128 curve choices
* Mac OS X 10.9.4 (Mavericks) with Apple LLVM version 5.1 (based on LLVM 3.4svn) on x86-64 with NO_PROCPS=1, NO_GTEST=1 and NO_DOCS=1
--------------------------------------------------------------------------------
Directory structure
--------------------------------------------------------------------------------
The directory structure of the libsnark library is as follows:
* src/ --- main C++ source code, containing the following modules:
* algebra/ --- fields and elliptic curve groups
* common/ --- miscellaneous utilities
* gadgetlib1/ --- gadgetlib1, a library to construct R1CS instances
* gadgets/ --- basic gadgets for gadgetlib1
* gadgetlib2/ --- gadgetlib2, a library to construct R1CS instances
* qap/ --- quadratic arithmetic program
* domains/ --- support for fast interpolation/evaluation, by providing
FFTs and Lagrange-coefficient computations for various domains
* relations/ --- interfaces for expressing statement (relations between instances and witnesses) as various NP-complete languages
* constraint_satisfaction_problems/ --- R1CS and USCS languages
* circuit_satisfaction_problems/ --- Boolean and arithmetic circuit satisfiability languages
* ram_computations/ --- RAM computation languages
* zk_proof_systems --- interfaces and implementations of the proof systems
* reductions --- reductions between languages (used internally, but contains many examples of building constraints)
Some of these module directories have the following subdirectories:
* ...
* examples/ --- example code and tutorials for this module
* tests/ --- unit tests for this module
In particular, the top-level API examples are at `src/r1cs_ppzksnark/examples/` and `src/gadgetlib2/examples/`.
* depsrc/ --- created by `prepare_depends.sh` for retrieved sourcecode and local builds of external code
(currently: \[ate-pairing], and its dependency xbyak).
* depinst/ --- created by `prepare_depends.sh` and `Makefile`
for local installation of locally-compiled dependencies.
* doxygen/ --- created by `make doxy` and contains a Doxygen summary of all files, classes etc. in libsnark.
--------------------------------------------------------------------------------
Further considerations
--------------------------------------------------------------------------------
### Multiexponentiation window size
The ppzkSNARK's generator has to solve a fixed-base multi-exponentiation
problem. We use a window-based method in which the optimal window size depends
on the size of the multiexponentiation instance *and* the platform.
On our benchmarking platform (a 3.40 GHz Intel Core i7-4770 CPU), we have
computed for each curve optimal windows, provided as
"fixed_base_exp_window_table" initialization sequences, for each curve; see
`X_init.cpp` for X=edwards,bn128,alt_bn128.
Performance on other platforms may not be optimal (but probably not be far off).
Future releases of the libsnark library will include a tool that generates
optimal window sizes.
--------------------------------------------------------------------------------
References
--------------------------------------------------------------------------------
\[BBFR15] [
_ADSNARK: nearly practical and privacy-preserving proofs on authenticated data_
](https://eprint.iacr.org/2014/617),
Michael Backes, Manuel Barbosa, Dario Fiore, Raphael M. Reischuk,
IEEE Symposium on Security and Privacy (Oakland) 2015
\[BCCT12] [
_From extractable collision resistance to succinct non-Interactive arguments of knowledge, and back again_
](http://eprint.iacr.org/2011/443),
Nir Bitansky, Ran Canetti, Alessandro Chiesa, Eran Tromer,
Innovations in Computer Science (ITCS) 2012
\[BCCT13] [
_Recursive composition and bootstrapping for SNARKs and proof-carrying data_
](http://eprint.iacr.org/2012/095)
Nir Bitansky, Ran Canetti, Alessandro Chiesa, Eran Tromer,
Symposium on Theory of Computing (STOC) 13
\[BCGTV13] [
_SNARKs for C: Verifying Program Executions Succinctly and in Zero Knowledge_
](http://eprint.iacr.org/2013/507),
Eli Ben-Sasson, Alessandro Chiesa, Daniel Genkin, Eran Tromer, Madars Virza,
CRYPTO 2013
\[BCIOP13] [
_Succinct Non-Interactive Arguments via Linear Interactive Proofs_
](http://eprint.iacr.org/2012/718),
Nir Bitansky, Alessandro Chiesa, Yuval Ishai, Rafail Ostrovsky, Omer Paneth,
Theory of Cryptography Conference 2013
\[BCTV14a] [
_Succinct Non-Interactive Zero Knowledge for a von Neumann Architecture_
](http://eprint.iacr.org/2013/879),
Eli Ben-Sasson, Alessandro Chiesa, Eran Tromer, Madars Virza,
USENIX Security 2014
\[BCTV14b] [
_Scalable succinct non-interactive arguments via cycles of elliptic curves_
](https://eprint.iacr.org/2014/595),
Eli Ben-Sasson, Alessandro Chiesa, Eran Tromer, Madars Virza,
CRYPTO 2014
\[CTV15] [
_Cluster computing in zero knowledge_
](https://eprint.iacr.org/2015/377),
Alessandro Chiesa, Eran Tromer, Madars Virza,
Eurocrypt 2015
\[DFGK14] [
Square span programs with applications to succinct NIZK arguments
](https://eprint.iacr.org/2014/718),
George Danezis, Cedric Fournet, Jens Groth, Markulf Kohlweiss,
ASIACCS 2014
\[GGPR13] [
_Quadratic span programs and succinct NIZKs without PCPs_
](http://eprint.iacr.org/2012/215),
Rosario Gennaro, Craig Gentry, Bryan Parno, Mariana Raykova,
EUROCRYPT 2013
\[ate-pairing] [
_High-Speed Software Implementation of the Optimal Ate Pairing over Barreto-Naehrig Curves_
](https://github.com/herumi/ate-pairing),
MITSUNARI Shigeo, TERUYA Tadanori
\[PGHR13] [
_Pinocchio: Nearly Practical Verifiable Computation_
](http://eprint.iacr.org/2013/279),
Bryan Parno, Craig Gentry, Jon Howell, Mariana Raykova,
IEEE Symposium on Security and Privacy (Oakland) 2013
[SCIPR Lab]: http://www.scipr-lab.org/ (Succinct Computational Integrity and Privacy Research Lab)
[LICENSE]: LICENSE (LICENSE file in top directory of libsnark distribution)
[AUTHORS]: AUTHORS (AUTHORS file in top directory of libsnark distribution)