New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Feat/add zk snark support using alt bn 128 precompiles #148
Feat/add zk snark support using alt bn 128 precompiles #148
Conversation
As we're using the go-ethereum/crypto/bn256 package, it already inherits the test cases they have on the go implementation. We've only created a wrapper around those core functions, and exposed via "chainscore" system contract. We've created a Java Context API to call the altBN128 pre-compile. As the java API makes a chainscore contract call, I think it requires blockchain node to be running in background to interact with the go based chainscore API. Can someone please guide us through a process on how we can implement a test coverage for the newly added code? |
Hello @bisbist, First of all, I think it would have been better if you had discussed your goals and design decision with us before creating this PR. By the way, I have a fundamental question. Why should we adopt another curve for zk-SNARK, where we already have a more efficient and secure pairing curve, i.e., BLS12-381? [1] https://electriccoin.co/blog/new-snark-curve/ According to [3], it clearly states that
Therefore, I don't think it's necessary to add the legacy and less secure BN pairing curve to the engine at this moment. |
Hi @sink772, Thanks for your response. We definitely agree with most of your points, and the reasoning behind them. We understand that these kinds of changes are delicate and should be approached with great care. We're planning to add BLS12-381 curve operations in the future: Point addition, Scalar multiplication, and Pairing checks, just like BN254 in this PR. But it might have to be through pre-compiles on go code, rather than a native Java implementation. This is so that we use an already audited code from go-ethereum crypto library. The reason that we started with BN254 curve is that a lot of existing applications use BN254 on ethereum for circom based ZK circuits. Circom/SnarkJS has been supporting BN254 (or alt-bn128) curve since the beginning. It is a simple curve, which is obviously less secure than BLS12-381, but it's a familiar curve and easier to get started with available tooling in the existing ZK ecosystem. There are a lot of applications that have already been built that we can easily port to ICON, including frontends if we support BN254 curve. We can make a general recommendation for developers to use BLS12-381 whenever they can, but don't want to limit the support to just BLS12-381. This PR is part of a general improvements in support of better crypto primitives on-chain. We're starting with The primary reason we submitted this PR is to get a suggestion on how we could expose Besides, we also want to hear your thoughts on how we could add a proper testing for the added pre-compiles, as well as on deciding appropriate gas costs for these operations. |
|
|
Let's discuss about how we should expose BLS12-381 curve operations. Is it okay, if we expose multiple functions for BLS curve operations? As done for aggregation, and verification via We'll add following methods in particular:
|
I think it's better to open another issue ticket for the additional BLS curve operations APIs. And please note that you need to design a draft APIs by referencing EIP-2537 and others, in order to make them sufficiently general to use. Also the draft APIs format should follows the existing conventions in score.Context. |
Thanks for the suggestions. We'll open a new issue to add BLS12-381 curve operations. We may not have to add all operations as specified in the given EIP at the moment, as we're mostly focusing on supporting ZKSNARK for the CPS proposal. But, we can add them gradually with multiple PRs. One question I have about the Context AIP spec is whether we can return an array of BigInteger. I don't see any function doing that. If we can add that, it would be very easy to use vs encoding/decoding these large integers into bytearray. |
I would recommend to use |
This PR is a part of following CPS grant.
https://cps.icon.community/proposals/bafybeih5njxsqe7nxfvw4b2lms7mg7cxy6jeeeaveg2q5sh24cptjucegm
Here's also a forum post that adds some context.
https://forum.icon.community/t/bringing-zero-knowledge-proofs-to-icon-platform-with-zksnark/3293
We're adding pre-compiles for alt-bn128 curve from ethereum crypto package, bn256. We've not yet added test cases and need a feedback from
goloop
core devs on how to proceed. Also, please suggest any changes necessary for the PR to be accepted.We've already deployed a separate testnet that is open to public. You can try out the pre-compiles exposed at:
Blockchain: https://node.iconzkp.io/api/v3
Tracker: https://tracker.iconzkp.io
Faucet: https://faucet.iconosphere.io/ (iconzkp)
We've also released a fork of iden3/snarkjs, which is used to generate a java verification key for a circom circuit. All the necessary details are in the README.md.
We'll soon release a demo app with relevant circom circuits, corresponding java verifier contracts along with a frontend. We'll keed adding various circuits for example use cases.