Skip to content

sdiehl/sonic

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

23 Commits

.assets

.assets

 
 

.circleci

.circleci

 
 

.github/workflows

.github/workflows

 
 

bench

bench

 
 

examples

examples

 
 

src/Sonic

src/Sonic

 
 

test

test

 
 

.gitignore

.gitignore

 
 

ChangeLog.md

ChangeLog.md

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

Setup.hs

Setup.hs

 
 

cabal.project

cabal.project

 
 

package.yaml

package.yaml

 
 

sonic.cabal

sonic.cabal

 
 

stack.yaml

stack.yaml

 
 

stack.yaml.lock

stack.yaml.lock

 
 

Repository files navigation

Adjoint Logo

Sonic [1] is a zk-SNARK protocol for general arithmetic circuit satisfiability with universal and updatable Structured Reference String (SRS) proposed by Groth et al. [2] that scales linearly in size. Despite requiring a trusted setup for an SRS, the SRS can be continually strengthened and Sonic only requires a single setup for all circuits.

Sonic allows a prover to demonstrate knowledge of a hidden witness for a given constraint system. It defines its constraint system with respect to the two-variate polynomial equation used in Bulletproofs [3].

Usage

The Sonic protocol can be outlined in three steps: Setup, Prover and Verifier. Due to the universality property of the SRS, the setup phase needs only to be run once. This implementation uses BLS12-381 elliptic curve.

sonicProtocol :: ArithCircuit Fr -> Assignment Fr -> Fr -> IO Bool
sonicProtocol circuit assignment x = do
  -- Setup for an SRS
  srs <- SRS.new <$> randomD n <*> pure x <*> rnd
  -- Prover
  (proof, y, z, ys) <- prove srs assignment circuit
  -- Verifier
  pure $ verify srs circuit proof y z ys
  where
    -- Number of multiplication constraints
    n = length $ aL assignment
    -- Note that 'd' should be large enough to support the circuit depth 'n'
    randomD n = getRandomR (3 * n + 9, 100 * n)

The following example takes an arithmetic circuit of 5 linear constraints and 2 multiplication constraints:

runExample :: IO ()
runExample = do
  pX <- rnd
  pZ <- rnd
  let (arithCircuit, assignment@Assignment{..}) = arithCircuitExample pX pZ
  success <- sonicProtocol arithCircuit assignment pX
  putText $ "Success: " <> show success

The complete code of the example above can be found here.

Disclaimer

This is experimental code meant for research-grade projects only. Please do not use this code in production until it has matured significantly.

References

  1. Maller M., Bowe S., Kohlweiss M. and Meiklejohn S. "Sonic: Zero-Knowledge SNARKs from Linear-Size Universal and Updateable Structured Reference Strings", 2019. https://eprint.iacr.org/2019/099

  2. Groth J., Kohlweiss M., Maller M., Meiklejohn S., Miers M. "Updatable and Universal Common Reference Strings with Applications to zk-SNARKs", 2018. https://eprint.iacr.org/2018/280.pdf

  3. Bunz B., Bootle J., Boneh D., Poelstra A., Wuille P., Maxwell G. "Bulletproofs: Short Proofs for Confidential Transactions and More", 2018. https://eprint.iacr.org/2017/1066.pdf

About

Zero-Knowledge SNARKs from Linear-Size Universal and Updatable Structured Reference Strings

www.adjoint.io

Topics

cryptography privacy srs crs multiparty-computation zksnarks

Resources

Readme

License

MIT license
Activity

Stars

44 stars

Watchers

10 watching

Forks

9 forks
Report repository

Releases 2

0.3 Release Latest
Oct 18, 2019
+ 1 release

Packages

No packages published

Contributors 3

  •  
  •  
  •  

Languages