awesome-zero-knowledge-proofs icon indicating copy to clipboard operation
awesome-zero-knowledge-proofs copied to clipboard

Published 20 hours ago verified publisher icon matter-labs

SNARK Trusted Setup

Open wisefool769 opened this issue 2 years ago • 6 comments

The comparison chart between SNARK / STARK / Bullet suggests that SNARK's require a trusted setup, but this is no longer true with proving systems like Halo. This is the paper: https://eprint.iacr.org/2019/1021.pdf

wisefool769 avatar Oct 07 '22 03:10 wisefool769

Right and with discrete log assumption over normal cycles of elliptic curves.

alfredonodo avatar Dec 27 '22 09:12 alfredonodo

I'd say that the chart is not wrong since here and other references differentiate zk-SNARKs and bulletproof systems, and Halo would be in the latter classification.

htadashi avatar Dec 29 '22 00:12 htadashi

Halo protocol is used by Zcash with zk-SNARK https://vitalik.ca/general/2021/11/05/halo.html

alfredonodo avatar Dec 29 '22 06:12 alfredonodo

Thanks for the reference @alfredonodo. It was very interesting to read Vitalik's text.

I disagree however that the row "Trusted setup required?" of the first column of the chart should be updated to "no". My rationale is that even if Halo has a constant verification time, the proof size is still O(log(N)) (please correct me if I am wrong, as I am not an expert). Thus, the protocol is not as succint as the ~O(1) alternatives.

In my opinion, it would be best to update the first column with the explicit names of the zk-SNARK proof systems (e.g. Pinocchio, Groth16, Plonk, etc.) to avoid confusion. Additionally, it might be helpful to add a note to the "algorithm complexity: verifier" row in the bulletproof column indicating that Halo aggregation can reduce the verification time.

htadashi avatar Dec 29 '22 23:12 htadashi

I miss the point. The table entry is about the need of trusted setup, not its efficiency. So, in my opinion, one should add no, with the associated computational cost.

Buterin https://vitalik.ca/general/2021/11/05/halo.html Much of the initial work on this was done as part of designing the Halo protocol which is going into Zcash. These merging techniques are cheap, and a merged proof takes no longer to verify than a single one of the proofs that it's merging. This opens a way forward for IPAs to be useful: instead of verifying a size-n computation with a proof that takes still takes O(n) time to verify, break that computation up into smaller size-k steps, maken/k proofs for each step, and merge them together so the verifier's work goes down to a little more than O(k).

Zcash https://electriccoin.co/blog/explaining-halo-2/ There are a few polynomial commitment schemes described in the literature. The most efficient of them requires a trusted setup and was the focus of Sonic. However, a folklore technique for building a polynomial commitment scheme based on the inner product argument — famously used in Bulletproofs — did not require a trusted setup and had relatively small proof sizes, at the cost of poor verification performance.

In our Halo paper, we fully described this polynomial commitment scheme and realized that a special kind of aggregation technique existed in it that had not been spotted before. The technique allows a large number of independently created proofs to be verified nearly as quickly as verifying a single proof.

I am no expert, but I see no significant difference between halo and bulletproof in this respect.

alfredonodo avatar Dec 30 '22 07:12 alfredonodo

The comparison chart between SNARK / STARK / Bullet suggests that SNARK's require a trusted setup, but this is no longer true with proving systems like Halo. This is the paper: https://eprint.iacr.org/2019/1021.pdf

Vtalike avatar Feb 24 '24 16:02 Vtalike