From cf39e666b24f6a0ca292ad8c03eb52660d6b6840 Mon Sep 17 00:00:00 2001 From: Zaki Manian Date: Wed, 21 Feb 2024 12:46:41 +0100 Subject: [PATCH 01/15] Initial Draft CIP 18 --- cips/cip-18.md | 108 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 108 insertions(+) create mode 100644 cips/cip-18.md diff --git a/cips/cip-18.md b/cips/cip-18.md new file mode 100644 index 00000000..ccca1936 --- /dev/null +++ b/cips/cip-18.md 
@@ -0,0 +1,108 @@ +--- +title: Support ZK-SNARKS via GNARK in the Celestia Core cryptography +description: Add the GNARK library to the Celestia Core codebase and make it available as an implementation tool for future CIPs. +author: Sam Hart (@hxrts), Barry Plunkett (@bpiv400),Kristi Poldsam (@poldsam), Zaki Manian (@zmanian) +discussions-to: +status: Draft +type: Standards Track +category: Core +created: 2024-02-20 +--- + + +## Abstract + +This CIP proposes to add the GNARK library which contains the implementation of multiple pairing based Elleptic curves, the GROTH16 and PLONK proof systems. Adding this function to Celestia Core enables future CIPS to develop protocols that rely on proof generatated with these tools. + + + +## Motivation + +A more expressive Celestia base layer will enable rollup developers to more tightly integrate their protocols with the TIA asset and interoperate with core protocol features like staking, slashing, governance. Celestia's core value is keep the the base layer as minimal as possible. This precludes integrating an expressive smart contract language for integrating with the base layer. Snarks provide a useful compromise. The succinctness property of a SNARK means that a developer can extend the Celestia base layer with an extremely small state footprint. + +## Specification + +Future CIPs that leverage SNARKs MUST use the following proof systems [GROTH16](https://eprint.iacr.org/2016/260) or [PlonK](https://eprint.iacr.org/2019/953). Future CIP SHOULD use either the BN254 or the BLS-12-377 pairing elleptic curves to instantiate the proof system. + +To implement these future CIPs, the [GNARK library](https://github.com/Consensys/gnark) is reccomended as a GO implementation. celestia-core SHOULD add a release that conforms to the Security Considerations section. + +Implement a new SNARK interface in the crypto package. 
+ +```golang + +type SNARK interface{ + Verify{[]bytes Proof} bool +} + +``` + +Implement implementations of this inteface for + +Groth16-BN254, Groth16-BLS12377 +PlonK-BN254, PlonK-BLS12377. + + + + + + + +The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 and RFC 8174. + +## Rationale + +The authors prefer these solutions. + +1. GNARK is the most mature SNARK implementation in Go. Rust is by far the most popular language for ZK cryptography development. Other implementations would require embedding rust code in the celestia-core build system and making FFI calls. This will have cascading implications for the entire build, test, deploy process for Celestia. The authors prefer to defer these burdens until a future CIP. + +2. BN254 is available as a Ethereum precompile as a result there a wide range of tools, trusted setup artifacts and more that target this curve. + +3. BLS12-377 has the property of enabling effecient depth 1 recursions. This makes it a compelling choice for protocols that benefit from either privacy or aggregation of proofs. There is a also a wide range of tools available for this curve because of prior usage in protocols like Celo. + +4. GROTH16 has been in production since ZCash's sapling protocol. It represents the MVP of SNARK proof systems. It can also act as "universal adapter" for other proof systems because there circuits that verify other proof systems available. GROTH16 requires a two phase trusted setup. The first phase is universal for a given circuit size but the second phase + +5. PlonK is a widely adapted SNARK that features a "universal" trusted setup. This means that for a target circuit size the trusted setup needs to only be performed once. This is a differentiator from Groth16 that might be of substantial interest to future CIP authors. 
+ + + + + + +## Backwards Compatibility + + *"No backward compatibility issues found."* + + +## Test Cases + +Add test vectors here. + +**TODO: Add test vectors here.** + +## Reference Implementation + +This section is optional. + +The Reference Implementation section should include a minimal implementation that assists in understanding or implementing this specification. It should not include project build files. The reference implementation is not a replacement for the Specification section, and the proposal should still be understandable without it. + +If the reference implementation is too large to reasonably be included inline, then consider adding it as one or more files in `../assets/cip-####/`. External links will not be allowed. + +**TODO: Remove the previous comments before submitting** + +## Security Considerations + +GNARK has only had a limited audit that covers only a portion of functionality. + +``` +The scope of this work is a code audit of the Product written in Go, with a particular attention to safe implementation of hashing, randomness generation, protocol verification, and potential for misuse and leakage of secrets. The client has noted that constant-time analysis of the Product is out of scope of this audit. The target of the audit was the cryptographic code related to the elliptic curves BLS12- 381 and BN254 at https://github.com/ConsenSys/gnark-crypto. The BN254 curve is also named alt_bn128 in different context [6]. We audited the commit number: 450e0206211eea38bbb5b5ffddf262efe65bd011 of the repository/ +``` + +The Audit scope required to deploy GNARK on celestia would require auditing the BLS-12-377 implementation, the GROTH16 verifier and PLONK verifier. + +Production deployment should be blocked until such an audit is completed. + + + +## Copyright + +Copyright and related rights waived via [CC0](../LICENSE). From 703f7355281feb8aa231509704af2e3928aae6fa Mon Sep 17 00:00:00 2001 
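Review bot: the `SNARK` interface in the Specification is under-specified for a verifier: `Verify{[]bytes Proof} bool` takes only the proof, but a Groth16 or PlonK verification also needs the verifying key and the public inputs, and a bare boolean cannot distinguish a malformed or wrong-curve proof from one that simply fails to verify. Suggest a shape such as `Verify(vk VerifyingKey, publicInputs []byte, proof []byte) (bool, error)` and a sentence on how the verifying key is bound to a circuit (pinned in state, or supplied by the calling CIP). In the same hunk, Rationale item 4 stops mid-sentence at "but the second phase", and the Reference Implementation section still carries the template's instructions plus a "TODO: Remove the previous comments before submitting" line; both need finishing before this leaves Draft.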
From: Zaki Manian Date: Thu, 22 Feb 2024 10:39:41 +0100 Subject: [PATCH 02/15] Update cips/cip-18.md Co-authored-by: Rootul P --- cips/cip-18.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cips/cip-18.md b/cips/cip-18.md index ccca1936..19c900b8 100644 --- a/cips/cip-18.md +++ b/cips/cip-18.md @@ -12,7 +12,7 @@ created: 2024-02-20 ## Abstract -This CIP proposes to add the GNARK library which contains the implementation of multiple pairing based Elleptic curves, the GROTH16 and PLONK proof systems. Adding this function to Celestia Core enables future CIPS to develop protocols that rely on proof generatated with these tools. +This CIP proposes to add the GNARK library which contains the implementation of multiple pairing based Elleptic curves, the GROTH16 and PLONK proof systems. Adding this function to Celestia Core enables future CIPS to develop protocols that rely on proofs generated with these tools. From c5efdc2566564ee141588a721f6b4d12f85b4cc9 Mon Sep 17 00:00:00 2001 From: Zaki Manian Date: Thu, 22 Feb 2024 10:39:50 +0100 Subject: [PATCH 03/15] Update cips/cip-18.md Co-authored-by: Rootul P --- cips/cip-18.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cips/cip-18.md b/cips/cip-18.md index 19c900b8..8306f987 100644 --- a/cips/cip-18.md +++ b/cips/cip-18.md 
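Review bot: the edited Abstract line still contains "Elleptic" and "CIPS"; since this hunk already rewrites that line, fix both to "Elliptic" and "CIPs" here rather than in a later pass.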
@@ -18,7 +18,7 @@ This CIP proposes to add the GNARK library which contains the implementation of ## Motivation -A more expressive Celestia base layer will enable rollup developers to more tightly integrate their protocols with the TIA asset and interoperate with core protocol features like staking, slashing, governance. Celestia's core value is keep the the base layer as minimal as possible. This precludes integrating an expressive smart contract language for integrating with the base layer. Snarks provide a useful compromise. The succinctness property of a SNARK means that a developer can extend the Celestia base layer with an extremely small state footprint. +A more expressive Celestia base layer will enable rollup developers to more tightly integrate their protocols with the TIA asset and interoperate with core protocol features like staking, slashing, governance. Celestia's core value is keep the the base layer as minimal as possible. This precludes integrating an expressive smart contract language for integrating with the base layer. SNARKs provide a useful compromise. The succinctness property of a SNARK means that a developer can extend the Celestia base layer with an extremely small state footprint. ## Specification From 3a632032518effa24b538eadf475416382a70de7 Mon Sep 17 00:00:00 2001 From: Zaki Manian Date: Thu, 22 Feb 2024 10:40:06 +0100 Subject: [PATCH 04/15] Update cips/cip-18.md Co-authored-by: Rootul P --- cips/cip-18.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cips/cip-18.md b/cips/cip-18.md index 8306f987..3d2dcf02 100644 --- a/cips/cip-18.md +++ b/cips/cip-18.md 
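Review bot: the rewritten Motivation line keeps "Celestia's core value is keep the the base layer as minimal as possible"; it should read "is to keep the base layer". The next sentence, "This precludes integrating an expressive smart contract language for integrating with the base layer", repeats "integrating"; suggest "This precludes adding an expressive smart contract language to the base layer."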
@@ -26,7 +26,7 @@ Future CIPs that leverage SNARKs MUST use the following proof systems [GROTH16]( To implement these future CIPs, the [GNARK library](https://github.com/Consensys/gnark) is reccomended as a GO implementation. celestia-core SHOULD add a release that conforms to the Security Considerations section. -Implement a new SNARK interface in the crypto package. +Implement a new SNARK interface in the crypto package. ```golang From e5d5897b8a21fe433604f744adb2ba678d520c7a Mon Sep 17 00:00:00 2001 From: Zaki Manian Date: Thu, 22 Feb 2024 10:41:06 +0100 Subject: [PATCH 05/15] Update cips/cip-18.md Co-authored-by: Rootul P --- cips/cip-18.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cips/cip-18.md b/cips/cip-18.md index 3d2dcf02..88124a15 100644 --- a/cips/cip-18.md +++ b/cips/cip-18.md @@ -24,7 +24,7 @@ A more expressive Celestia base layer will enable rollup developers to more tigh Future CIPs that leverage SNARKs MUST use the following proof systems [GROTH16](https://eprint.iacr.org/2016/260) or [PlonK](https://eprint.iacr.org/2019/953). Future CIP SHOULD use either the BN254 or the BLS-12-377 pairing elleptic curves to instantiate the proof system. -To implement these future CIPs, the [GNARK library](https://github.com/Consensys/gnark) is reccomended as a GO implementation. celestia-core SHOULD add a release that conforms to the Security Considerations section. +To implement these future CIPs, the [GNARK library](https://github.com/Consensys/gnark) is recommended as a Go implementation. Celestia-core SHOULD add a release that conforms to the Security Considerations section. Implement a new SNARK interface in the crypto package. From e4119fe97caa7c007bc3f6b0d4cec4d601b13e71 Mon Sep 17 00:00:00 2001 From: Zaki Manian Date: Thu, 22 Feb 2024 10:41:14 +0100 Subject: [PATCH 06/15] Update cips/cip-18.md Co-authored-by: Rootul P --- cips/cip-18.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
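Review bot: the changed line "Celestia-core SHOULD add a release that conforms to the Security Considerations section" is at odds with that section, which says production deployment should be blocked until the audit is complete. If the audit is a gate, this belongs at MUST strength ("MUST NOT ship a release enabling these verifiers until ..."), and "conforms to the Security Considerations section" should name the concrete condition (audit of BLS12-377, the Groth16 verifier and the PlonK verifier completed). Also, the repository is `celestia-core`; capitalising it at the start of the sentence makes it read as a product name, so either keep the lowercase identifier in backticks or rephrase so the sentence does not begin with it.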
diff --git a/cips/cip-18.md b/cips/cip-18.md index 88124a15..5c20016c 100644 --- a/cips/cip-18.md +++ b/cips/cip-18.md @@ -22,7 +22,7 @@ A more expressive Celestia base layer will enable rollup developers to more tigh ## Specification -Future CIPs that leverage SNARKs MUST use the following proof systems [GROTH16](https://eprint.iacr.org/2016/260) or [PlonK](https://eprint.iacr.org/2019/953). Future CIP SHOULD use either the BN254 or the BLS-12-377 pairing elleptic curves to instantiate the proof system. +Future CIPs that leverage SNARKs MUST use the following proof systems [GROTH16](https://eprint.iacr.org/2016/260) or [PlonK](https://eprint.iacr.org/2019/953). Future CIPs SHOULD use either the BN254 or the BLS-12-377 pairing elliptic curves to instantiate the proof system. To implement these future CIPs, the [GNARK library](https://github.com/Consensys/gnark) is recommended as a Go implementation. Celestia-core SHOULD add a release that conforms to the Security Considerations section. From c96ca7b98b85cdf57e832be2cc547760ce72766e Mon Sep 17 00:00:00 2001 From: Zaki Manian Date: Thu, 22 Feb 2024 10:41:20 +0100 Subject: [PATCH 07/15] Update cips/cip-18.md Co-authored-by: Rootul P --- cips/cip-18.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/cips/cip-18.md b/cips/cip-18.md index 5c20016c..fd86dbd8 100644 --- a/cips/cip-18.md +++ b/cips/cip-18.md @@ -100,9 +100,6 @@ The scope of this work is a code audit of the Product written in Go, with a part The Audit scope required to deploy GNARK on celestia would require auditing the BLS-12-377 implementation, the GROTH16 verifier and PLONK verifier. Production deployment should be blocked until such an audit is completed. - - - ## Copyright Copyright and related rights waived via [CC0](../LICENSE). From c568d89f2d83be8bd3b432741cdf42f6c363c6ae Mon Sep 17 00:00:00 2001 
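Review bot: "Future CIPs that leverage SNARKs MUST use the following proof systems GROTH16 or PlonK" reads as a MUST applied to an alternative; "MUST use one of the following proof systems:" removes the ambiguity. The same line spells the curve "BLS-12-377" while the Rationale below uses "BLS12-377"; pick one spelling and use it throughout.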
From: Zaki Manian Date: Thu, 22 Feb 2024 10:41:28 +0100 Subject: [PATCH 08/15] Update cips/cip-18.md Co-authored-by: Rootul P --- cips/cip-18.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cips/cip-18.md b/cips/cip-18.md index fd86dbd8..624967f3 100644 --- a/cips/cip-18.md +++ b/cips/cip-18.md @@ -1,7 +1,7 @@ --- title: Support ZK-SNARKS via GNARK in the Celestia Core cryptography description: Add the GNARK library to the Celestia Core codebase and make it available as an implementation tool for future CIPs. -author: Sam Hart (@hxrts), Barry Plunkett (@bpiv400),Kristi Poldsam (@poldsam), Zaki Manian (@zmanian) +author: Sam Hart (@hxrts), Barry Plunkett (@bpiv400), Kristi Poldsam (@poldsam), Zaki Manian (@zmanian) discussions-to: status: Draft type: Standards Track From bccb5844d52ee806d72832c1e058b314bde3e2b4 Mon Sep 17 00:00:00 2001 From: Zaki Manian Date: Thu, 22 Feb 2024 10:41:34 +0100 Subject: [PATCH 09/15] Update cips/cip-18.md Co-authored-by: Rootul P --- cips/cip-18.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/cips/cip-18.md b/cips/cip-18.md index 624967f3..80d20e66 100644 --- a/cips/cip-18.md +++ b/cips/cip-18.md @@ -29,11 +29,9 @@ To implement these future CIPs, the [GNARK library](https://github.com/Consensys Implement a new SNARK interface in the crypto package. ```golang - type SNARK interface{ Verify{[]bytes Proof} bool } - ``` Implement implementations of this inteface for From a05806bf9f239d962500a506ec0f2f2f128688fc Mon Sep 17 00:00:00 2001 From: Zaki Manian Date: Thu, 22 Feb 2024 10:41:40 +0100 Subject: [PATCH 10/15] Update cips/cip-18.md Co-authored-by: Rootul P --- cips/cip-18.md | 6 ------ 1 file changed, 6 deletions(-) diff --git a/cips/cip-18.md b/cips/cip-18.md index 80d20e66..f01673d1 100644 --- a/cips/cip-18.md +++ b/cips/cip-18.md 
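Review bot: trimming the blank lines inside the fence leaves a block that still does not compile as Go: method parameters go in parentheses, the slice type is `[]byte` (not `[]bytes`), and the parameter name precedes the type, so the minimal syntactic fix is `Verify(proof []byte) bool`. Because the fence is tagged `golang`, readers will paste it, so it is worth making it valid in this hunk; the following context line also misspells "inteface".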
@@ -39,12 +39,6 @@ Implement implementations of this inteface for Groth16-BN254, Groth16-BLS12377 PlonK-BN254, PlonK-BLS12377. - - - - - - The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 and RFC 8174. ## Rationale From b5408ae6c1f7387e66e59907ce6d3abfaefd7706 Mon Sep 17 00:00:00 2001 From: Zaki Manian Date: Thu, 22 Feb 2024 10:41:46 +0100 Subject: [PATCH 11/15] Update cips/cip-18.md Co-authored-by: Rootul P --- cips/cip-18.md | 1 - 1 file changed, 1 deletion(-) diff --git a/cips/cip-18.md b/cips/cip-18.md index f01673d1..0d7dde0d 100644 --- a/cips/cip-18.md +++ b/cips/cip-18.md @@ -9,7 +9,6 @@ category: Core created: 2024-02-20 --- - ## Abstract This CIP proposes to add the GNARK library which contains the implementation of multiple pairing based Elleptic curves, the GROTH16 and PLONK proof systems. Adding this function to Celestia Core enables future CIPS to develop protocols that rely on proofs generated with these tools. From f9ac2d150b40f318ad61d382bfc3f4a3ad879bb9 Mon Sep 17 00:00:00 2001 From: Zaki Manian Date: Thu, 22 Feb 2024 13:38:10 +0100 Subject: [PATCH 12/15] Apply suggestions from code review Co-authored-by: Rootul P --- cips/cip-18.md | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/cips/cip-18.md b/cips/cip-18.md index 0d7dde0d..3c1c48d5 100644 --- a/cips/cip-18.md +++ b/cips/cip-18.md 
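Review bot: the RFC 2119 key-words paragraph this hunk tidies up sits in the middle of the Specification, after MUST and SHOULD have already been used several paragraphs earlier; the usual placement is at the start of the Specification (or directly after the Abstract) so the definitions precede their first use.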
@@ -44,9 +44,9 @@ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "S The authors prefer these solutions. -1. GNARK is the most mature SNARK implementation in Go. Rust is by far the most popular language for ZK cryptography development. Other implementations would require embedding rust code in the celestia-core build system and making FFI calls. This will have cascading implications for the entire build, test, deploy process for Celestia. The authors prefer to defer these burdens until a future CIP. +1. GNARK is the most mature SNARK implementation in Go. Rust is by far the most popular language for ZK cryptography development. Other implementations would require embedding Rust code in the celestia-core build system and making foreign function interface (FFI) calls. This will have cascading implications for the entire build, test, deploy process for Celestia. The authors prefer to defer these burdens until a future CIP. -2. BN254 is available as a Ethereum precompile as a result there a wide range of tools, trusted setup artifacts and more that target this curve. +2. BN254 is available as a Ethereum precompile; as a result there a wide range of tools, trusted setup artifacts and more that target this curve. 3. BLS12-377 has the property of enabling effecient depth 1 recursions. This makes it a compelling choice for protocols that benefit from either privacy or aggregation of proofs. There is a also a wide range of tools available for this curve because of prior usage in protocols like Celo. @@ -54,11 +54,6 @@ The authors prefer these solutions. 5. PlonK is a widely adapted SNARK that features a "universal" trusted setup. This means that for a target circuit size the trusted setup needs to only be performed once. This is a differentiator from Groth16 that might be of substantial interest to future CIP authors. - - - - - ## Backwards Compatibility *"No backward compatibility issues found."* 
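Review bot: item 2 still drops its verb after the edit: "as a result there a wide range of tools" should be "as a result there is a wide range of tools". In the unchanged context of the same hunk, item 3 has "effecient" and "There is a also a wide range", and item 4 still ends mid-sentence at "but the second phase"; the missing clause is the one that explains why Groth16 needs a per-circuit phase-2 ceremony, which is exactly the setup cost item 5 contrasts PlonK against, so it should be completed rather than left dangling.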
@@ -88,7 +83,7 @@ GNARK has only had a limited audit that covers only a portion of functionality. The scope of this work is a code audit of the Product written in Go, with a particular attention to safe implementation of hashing, randomness generation, protocol verification, and potential for misuse and leakage of secrets. The client has noted that constant-time analysis of the Product is out of scope of this audit. The target of the audit was the cryptographic code related to the elliptic curves BLS12- 381 and BN254 at https://github.com/ConsenSys/gnark-crypto. The BN254 curve is also named alt_bn128 in different context [6]. We audited the commit number: 450e0206211eea38bbb5b5ffddf262efe65bd011 of the repository/ ``` -The Audit scope required to deploy GNARK on celestia would require auditing the BLS-12-377 implementation, the GROTH16 verifier and PLONK verifier. +The Audit scope required to deploy GNARK on Celestia would require auditing the BLS-12-377 implementation, the GROTH16 verifier and PLONK verifier. Production deployment should be blocked until such an audit is completed. ## Copyright From 515956a63ea5ef40429f88daf661b1c0e5f7f2f2 Mon Sep 17 00:00:00 2001 From: Zaki Manian Date: Fri, 15 Mar 2024 09:20:47 -0400 Subject: [PATCH 13/15] Rename cip-18.md to cip-19.md --- cips/{cip-18.md => cip-19.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename cips/{cip-18.md => cip-19.md} (100%) diff --git a/cips/cip-18.md b/cips/cip-19.md similarity index 100% rename from cips/cip-18.md rename to cips/cip-19.md From 73f1bf0dee13b7140a5b7b29dc12c7fce17f93da Mon Sep 17 00:00:00 2001 From: Zaki Manian Date: Wed, 22 May 2024 09:55:20 -0400 Subject: [PATCH 14/15] Update CIP-19 with the current consensus --- cips/cip-19.md | 55 +++++++++++++++++--------------------------------- 1 file changed, 18 insertions(+), 37 deletions(-) diff --git a/cips/cip-19.md b/cips/cip-19.md index 3c1c48d5..86534d63 100644 --- a/cips/cip-19.md +++ b/cips/cip-19.md 
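Review bot: the quoted audit excerpt has no citation (auditor, date, report URL), so a reader cannot check the scope claim or the commit hash it names; add a reference. The excerpt also states its target was gnark-crypto (curve arithmetic for BLS12-381 and BN254) with constant-time analysis out of scope, whereas this CIP pulls in gnark's proof-system code, so the conclusion "would require auditing the BLS-12-377 implementation, the GROTH16 verifier and PLONK verifier" is right; it is worth adding that the constant-time exclusion becomes relevant as soon as any node-side component proves rather than only verifies.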
@@ -2,7 +2,7 @@ title: Support ZK-SNARKS via GNARK in the Celestia Core cryptography description: Add the GNARK library to the Celestia Core codebase and make it available as an implementation tool for future CIPs. author: Sam Hart (@hxrts), Barry Plunkett (@bpiv400), Kristi Poldsam (@poldsam), Zaki Manian (@zmanian) -discussions-to: +discussions-to: status: Draft type: Standards Track category: Core 
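Review bot: `discussions-to` is still empty after this whitespace-only edit; a Draft CIP needs the forum thread link here so review comments have a home.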
@@ -11,53 +11,41 @@ created: 2024-02-20 ## Abstract -This CIP proposes to add the GNARK library which contains the implementation of multiple pairing based Elleptic curves, the GROTH16 and PLONK proof systems. Adding this function to Celestia Core enables future CIPS to develop protocols that rely on proofs generated with these tools. - - +This CIP proposed to standardize the use of succinct zero knowledge proofs in the Celestia core codebase. The CIP defines a set of cryptographic components that should be available to future CIPs that leverage zero knowledge proofs. The CIP also defines a set of proof systems that should be used in future CIPs. The CIP also defines a set of elliptic curves that should be used in future CIPs. The CIP also defines a set of security considerations that should be used in future CIPs. ## Motivation -A more expressive Celestia base layer will enable rollup developers to more tightly integrate their protocols with the TIA asset and interoperate with core protocol features like staking, slashing, governance. Celestia's core value is keep the the base layer as minimal as possible. This precludes integrating an expressive smart contract language for integrating with the base layer. SNARKs provide a useful compromise. The succinctness property of a SNARK means that a developer can extend the Celestia base layer with an extremely small state footprint. - -## Specification +A more expressive Celestia baselayer will enable rollup developers to more tightly integrate their protocols with the TIA asset and interoperate with core protocol features like staking, slashing, governance. Celestia's core value is keep the the base layer as minimal as possible. This precludes integrating an expressive smart contract language for integrating with the base layer. SNARKs provide a useful compromise. The succinctness property of a SNARK means that a developer can extend the Celestia base layer with an extremely small state footprint. 
-Future CIPs that leverage SNARKs MUST use the following proof systems [GROTH16](https://eprint.iacr.org/2016/260) or [PlonK](https://eprint.iacr.org/2019/953). Future CIPs SHOULD use either the BN254 or the BLS-12-377 pairing elliptic curves to instantiate the proof system. +The selections made in this CIP were driven by availability and compatibility of tools and libraries. Another factor was stability and maturity of the proof systems and elliptic curves. The authors believe that the selections made in this CIP will provide a solid foundation for future CIPs that leverage zero knowledge proofs. -To implement these future CIPs, the [GNARK library](https://github.com/Consensys/gnark) is recommended as a Go implementation. Celestia-core SHOULD add a release that conforms to the Security Considerations section. +## Specification -Implement a new SNARK interface in the crypto package. +### Proof Systems -```golang -type SNARK interface{ - Verify{[]bytes Proof} bool -} -``` +Future CIPs that leverage SNARKs MUST use the following proof systems [GROTH16](https://eprint.iacr.org/2016/260) or [PlonK](https://eprint.iacr.org/2019/953). -Implement implementations of this inteface for +Groth16 has two concrete implementations. -Groth16-BN254, Groth16-BLS12377 -PlonK-BN254, PlonK-BLS12377. +There is a hybrid implementation of Groth16 and LegoSNARK developed by the Gnark Consensys team. This implementation is appealing because of the fast prover that exists in the Go language. The authors believe that this implementation is the best choice for the Celestia core codebase. -The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 and RFC 8174. +We also reccomend adoption of a Circom/Arkworks compatible implementation of Groth16. 
This implementation is appealing because it is compatible with the Circom language and the Arkworks library. This form of Groth16 has seen wide use over many years in Ethereum and blockchain protocols. Circuits that verify other proofs systems like Risc0 and SP1 are available within this proof system. -## Rationale +PlonK is a newer proof system that has a universal trusted setup. This means that for a given circuit size the trusted setup only needs to be performed once. This is a differentiator from Groth16 that might be of substantial interest to future CIP authors. -The authors prefer these solutions. +### Elliptic Curves -1. GNARK is the most mature SNARK implementation in Go. Rust is by far the most popular language for ZK cryptography development. Other implementations would require embedding Rust code in the celestia-core build system and making foreign function interface (FFI) calls. This will have cascading implications for the entire build, test, deploy process for Celestia. The authors prefer to defer these burdens until a future CIP. +Groth16 and Plonk are concretely implemented over pairing friendly elliptic curves. The authors reccomend the use of the BN254 curve and BLS12-377 curve. The BN254 curve is available as an Ethereum precompile. The BLS12-377 curve is appealing because it enables effecient depth 1 recursions. This makes it a compelling choice for protocols that benefit from either privacy or aggregation of proofs. -2. BN254 is available as a Ethereum precompile; as a result there a wide range of tools, trusted setup artifacts and more that target this curve. - -3. BLS12-377 has the property of enabling effecient depth 1 recursions. This makes it a compelling choice for protocols that benefit from either privacy or aggregation of proofs. There is a also a wide range of tools available for this curve because of prior usage in protocols like Celo. +## Rationale -4. GROTH16 has been in production since ZCash's sapling protocol. 
It represents the MVP of SNARK proof systems. It can also act as "universal adapter" for other proof systems because there circuits that verify other proof systems available. GROTH16 requires a two phase trusted setup. The first phase is universal for a given circuit size but the second phase +Two GROTH16 implementations allow picking between compatibility and state of the art prover performance. These choices are made to ensure that the Celestia core codebase can leverage existing circuits and trusted setups. Fortunately there are readilty available implementations of both Groth16 implementations suitable for integration with Celestia Core. -5. PlonK is a widely adapted SNARK that features a "universal" trusted setup. This means that for a target circuit size the trusted setup needs to only be performed once. This is a differentiator from Groth16 that might be of substantial interest to future CIP authors. +The BN254 curve is a well known curve that is available as an Ethereum precompile. The BLS12-377 curve is a newer curve that is appealing because it enables effecient depth 1 recursions. This makes it a compelling choice for protocols that benefit from either privacy or aggregation of proofs. ## Backwards Compatibility - *"No backward compatibility issues found."* - +_"No backward compatibility issues found."_ ## Test Cases 
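Review bot: the rewritten Proof Systems section calls the gnark Groth16+LegoSNARK hybrid and the Circom/Arkworks-compatible Groth16 "two concrete implementations" of one proof system, but they are not interchangeable at the verifier: the hybrid carries an additional Pedersen commitment that a plain Groth16 verifier does not check, so proofs, verifying keys and trusted-setup artifacts differ between the two. The spec should list them as two distinct options, require a future CIP to name which one it targets, and define the proof and verifying-key encoding for each. Related gaps in the same hunk: the RFC 2119 key-words paragraph is deleted while "MUST" is still used in Proof Systems; the `SNARK` interface is removed, so the Abstract's "set of cryptographic components that should be available" no longer corresponds to anything in the Specification; "This CIP proposed" should be "proposes", and the four consecutive "The CIP also defines ..." sentences read better as one sentence or a short list. Typos in the added lines: "baselayer", "keep the the", "reccomend" (twice), "effecient" (twice), "readilty".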
@@ -77,15 +65,8 @@ If the reference implementation is too large to reasonably be included inline, t ## Security Considerations -GNARK has only had a limited audit that covers only a portion of functionality. - -``` -The scope of this work is a code audit of the Product written in Go, with a particular attention to safe implementation of hashing, randomness generation, protocol verification, and potential for misuse and leakage of secrets. The client has noted that constant-time analysis of the Product is out of scope of this audit. The target of the audit was the cryptographic code related to the elliptic curves BLS12- 381 and BN254 at https://github.com/ConsenSys/gnark-crypto. The BN254 curve is also named alt_bn128 in different context [6]. We audited the commit number: 450e0206211eea38bbb5b5ffddf262efe65bd011 of the repository/ -``` - -The Audit scope required to deploy GNARK on Celestia would require auditing the BLS-12-377 implementation, the GROTH16 verifier and PLONK verifier. +These are time tested cryptographic primitives and should be safe to use in the Celestia core codebase. There will be implementation specific security considerations that will need to be addressed in future CIPs. -Production deployment should be blocked until such an audit is completed. ## Copyright Copyright and related rights waived via [CC0](../LICENSE). From 993f7350e4da6b5de72082b5dfa8cd2e8461a6bd Mon Sep 17 00:00:00 2001 From: Zaki Manian Date: Wed, 22 May 2024 12:47:37 -0400 Subject: [PATCH 15/15] Remove plonk and add more information on Groth16-lego snark --- cips/cip-19.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/cips/cip-19.md b/cips/cip-19.md index 86534d63..455696b4 100644 --- a/cips/cip-19.md +++ b/cips/cip-19.md 
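Review bot: replacing the audit requirement with "These are time tested cryptographic primitives and should be safe to use" conflates the maturity of the schemes with the safety of the specific implementations being adopted, and drops the only concrete gate the CIP had (audit of BLS12-377, the Groth16 verifier and the PlonK verifier before production). Keep the gate, and have "implementation specific security considerations" name at least what a verifier integration always needs: provenance of the trusted-setup artifacts and of the per-circuit phase-2 ceremony, how verifying keys are pinned in state and upgraded, and that proof elements are checked to lie on the curve and in the correct subgroup before the pairing check. The section should also state whether Celestia nodes only verify or also prove, since that decides whether the library's constant-time behaviour matters.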
@@ -23,19 +23,19 @@ The selections made in this CIP were driven by availability and compatibility of ### Proof Systems -Future CIPs that leverage SNARKs MUST use the following proof systems [GROTH16](https://eprint.iacr.org/2016/260) or [PlonK](https://eprint.iacr.org/2019/953). +Future CIPs that leverage SNARKs MUST use the following proof systems [GROTH16](https://eprint.iacr.org/2016/260) and [Groth16-LegoSNARK](https://eprint.iacr.org/2019/142) Groth16 has two concrete implementations. -There is a hybrid implementation of Groth16 and LegoSNARK developed by the Gnark Consensys team. This implementation is appealing because of the fast prover that exists in the Go language. The authors believe that this implementation is the best choice for the Celestia core codebase. +There is a hybrid implementation of Groth16 and LegoSNARK developed by the Gnark Consensys team. This implementation is appealing because of the fast prover that exists in the Go language. The authors believe that this implementation is the best choice for the Celestia core codebase. This implemenation adds a commit and prove gadget in the form on an additional Pedersen commitment that enables the construction of a prover that is faster than the original Groth16 prover. This system already has a substantial user base. We also reccomend adoption of a Circom/Arkworks compatible implementation of Groth16. This implementation is appealing because it is compatible with the Circom language and the Arkworks library. This form of Groth16 has seen wide use over many years in Ethereum and blockchain protocols. Circuits that verify other proofs systems like Risc0 and SP1 are available within this proof system. -PlonK is a newer proof system that has a universal trusted setup. This means that for a given circuit size the trusted setup only needs to be performed once. This is a differentiator from Groth16 that might be of substantial interest to future CIP authors. 
- ### Elliptic Curves -Groth16 and Plonk are concretely implemented over pairing friendly elliptic curves. The authors reccomend the use of the BN254 curve and BLS12-377 curve. The BN254 curve is available as an Ethereum precompile. The BLS12-377 curve is appealing because it enables effecient depth 1 recursions. This makes it a compelling choice for protocols that benefit from either privacy or aggregation of proofs. +Groth16 are concretely implemented over pairing friendly elliptic curves. The authors reccomend the use of the BN254 curve and BLS12-377 curve. The BN254 curve is available as an Ethereum precompile. The BLS12-377 curve is appealing because it enables effecient depth 1 recursions. This makes it a compelling choice for protocols that benefit from either privacy or aggregation of proofs. + +The Authors believe that neither curve will pose a massive challenge to eventually generating proofs for the Celestia state machine. ## Rationale
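Review bot: the new MUST sentence lists "GROTH16 and Groth16-LegoSNARK" joined by "and", but a future CIP will use one or the other; write "MUST use one of the following proof systems:" and end the sentence with a period. The unchanged "Groth16 has two concrete implementations" now follows a sentence that already names two systems, so it reads as a contradiction; either drop it or say "two variants, with distinct verifiers". In the Elliptic Curves hunk, "Groth16 are concretely implemented" should be "Both Groth16 variants are concretely implemented" (PlonK was removed in this patch, so the plural subject is gone). "This system already has a substantial user base" and "neither curve will pose a massive challenge to eventually generating proofs for the Celestia state machine" are assertions without support; cite deployments for the former and state the actual concern for the latter (which Celestia state-machine primitives must be proven in-circuit over each curve's scalar field), or cut them. Typos in the added lines: "implemenation", "in the form on an", "reccomend", "effecient".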