Overview

Need to do packed secret sharing w/ randomness. Find and identify where in the paper or how that should be done in practice.

Liveness

Currently the code aborts if any party goes offline/sends the wrong share. Given that we use packed secret sharing, the degree of the polynomial used when secret sharing ist+l-1. When shares are multiplied the degree increases to 2(t+l-1). Thus if n>2(t+l)-1, we can tolerate parties dropping out.

Currently we use t=n/4, l=n/4, which means we can tolerate exactly one party dropping out, but this can be tuned based on network reliability, etc.

This requires some changes to the secret-sharing and mpc-net crates.

• Implement a time out for send_to_king(). When the king party is waiting to receive shares, they currently wait indefinitely to receive all the shares. Instead we should have a time out (can be chosen depending on network conditions etc.) When timeout occurs, there are two possible situations:
  1. fewer than threshold shares were received. In this case, we are forced to abort. Note that threshold needs to be specified by the calling function as sometimes, the threshold is t+l and at other times it is 2(t+l)-1.
  2. a threshold number of shares were received. In this case, we run the erasure correction algorithm with the shares that we have.
• Implement erasure correction in the secret-sharing crate.

Note about error correction: There is a lowerbound (Error Correction in the Exponent) showing that error correction in the exponent is not possible (apart from the naive exponential time solution). For small number of parties (10-20) we can potentially just carry out the brute force approach without too much overhead as the number of group elements we reconstruct is independent of the circuit size (at least in groth16).

Once we upgraded the networking, we were able to use intra-process tests instead of inter-process testing. Whereas the inter-process testing left room for errors not propagating, the intra-process tests did not. This allowed us to catch errors in the existing functions.

The DPP test (dist-primitives/examples/dpp_test.rs) works, and uses both the overhauled send_to_king and recv_from_king async functions. Thus, based on this test, we know these two functions work. However, the dFFT and dMSM tests (dist-primitives/examples/dfft_test.rs and dist-primitives/examples/dmsm_test.rs, respectively) fail at the very end when the assertions are made between expected and obtained results. Both these tests also use send_to_king and recv_from_king, which lead me to further believe that the issue lies not in the networking, but rather, the underlying mathematics somewhere.

Overview

Depends on #10, #11, #12

Computation

Paper

Page 38: https://eprint.iacr.org/2023/905

Log:

error[E0596]: cannot borrow `*rng` as mutable, as it is a captured variable in a `Fn` closure
  --> /Users/shady/.cargo/git/checkouts/zk-saas-ea01b41c4efcba93/66c89b5/groth16/src/proving_key.rs:61:59
   |
61 |             .map(|chunk| pp.pack::<E::G1>(chunk.to_vec(), rng))
   |                                                           ^^^ cannot borrow as mutable

error[E0596]: cannot borrow `*rng` as mutable, as it is a captured variable in a `Fn` closure
  --> /Users/shady/.cargo/git/checkouts/zk-saas-ea01b41c4efcba93/66c89b5/groth16/src/proving_key.rs:64:59
   |
64 |             .map(|chunk| pp.pack::<E::G1>(chunk.to_vec(), rng))
   |                                                           ^^^ cannot borrow as mutable

error[E0596]: cannot borrow `*rng` as mutable, as it is a captured variable in a `Fn` closure
  --> /Users/shady/.cargo/git/checkouts/zk-saas-ea01b41c4efcba93/66c89b5/groth16/src/proving_key.rs:67:59
   |
67 |             .map(|chunk| pp.pack::<E::G1>(chunk.to_vec(), rng))
   |                                                           ^^^ cannot borrow as mutable

error[E0596]: cannot borrow `*rng` as mutable, as it is a captured variable in a `Fn` closure
  --> /Users/shady/.cargo/git/checkouts/zk-saas-ea01b41c4efcba93/66c89b5/groth16/src/proving_key.rs:70:59
   |
70 |             .map(|chunk| pp.pack::<E::G1>(chunk.to_vec(), rng))
   |                                                           ^^^ cannot borrow as mutable

error[E0596]: cannot borrow `*rng` as mutable, as it is a captured variable in a `Fn` closure
  --> /Users/shady/.cargo/git/checkouts/zk-saas-ea01b41c4efcba93/66c89b5/groth16/src/proving_key.rs:73:59
   |
73 |             .map(|chunk| pp.pack::<E::G2>(chunk.to_vec(), rng))
   |                                                           ^^^ cannot borrow as mutable

Overview

There's likely a lot in this repo that doesn't mesh with our existing architecture. We should identify them and implement what we can.

• https://github.com/guruvamsi-policharla/zksaas

Tasks

• Identify existing networking zkSaaS uses (it's likley for demo purposes)
• Identify if we want to implement MpcNet
• Implement MpcNet or solution.
• Identify how the existing distributed protocols work, and how we can best architect them for the future.

This would unify the secret-sharing methods for both field elements and group elements avoiding packexp and unpackexp

Basically the title of this issue.
In our test here proving_key::tests::packed_pk_from_arkworks_pk creating the PackedSharingParams with L=4 works, however, changing that to 2 makes this test panic with the following error message:

thread 'proving_key::tests::packed_pk_from_arkworks_pk' panicked at 'index out of bounds: the len is 14911 but the index is 14911', groth16/src/proving_key.rs:94:31

The error message clearly indicates a bug here:

Expected Beauvoir:
Test should work with any value of L.

Overview

Currently, we do compute the crs shares in the king and send the shares to the parties. However, to lower the set-up costs and the networking overhead, each party could just compute their share from the full proving key.

Task Checklist

• Refactor the code to compute the Proving Key share from the proving key
• Test the workflow with the new changes

Overview

Computation

Assumptions

• Give every party the same $t(x)$. We don't need to worry about privacy right now.

Paper

Page 37: https://eprint.iacr.org/2023/905

Overview

The foundation of the protocol is implemented but we may not have all parts of privacy handled, i.e. the f_rand protocol for secret sharing r,s of the Groth16 proof. We should audit/and task out what's remaining within this document and/or implement it if its not too challenging.

• Identify missing implementations for privacy purposes
• Update integration tests

Overview

From earlier discussions with @guruvamsi-policharla, we should implement a batched version of the protocol.

Overview

Computation

Paper

Page 38: https://eprint.iacr.org/2023/905

Overview

We have the packed process for the arkworks proving key, we should also add one for the circom key.

The groth16 prover has been implemented end-to-end when using the circom wtiness map. When using the libsnark version, there is a slight difference in what is computed in the what's output, which requires a modification in the later "MSM" section of groth16.

Overview

Add start and end timers to the process for sharing each portion so we can get idea of how long it takes wrt to the size of the proving key.

The FFT2, packing/unpacking of shares should make use of multi-threading available at the king party. This should be trivially parallelizable (for the many secret being packed) and we can use the parallel implementation of FFT directly from arkworks for FFT2.

Currently, we do use h generated by the client on the preprocessing step and just PSS that to the parties. Instead, the goal of this task that we also have a way to compute h using the QAP, and it must match the h value from arkworks.

Task checklist

1. Make sure that P, Q, and W values are correctly computed.
2. Make sure we use a valid value of t(x) (refer to arkworks repo on how that gets generated)
3. Compare the generated h to the one from arkworks.
4. try to get the RHS to match the LHS somehow
   $$A.B - C = h(x).t(x)$$

https://www.notion.so/hicommonwealth/zkSaaS-2f24ee23b31a449a9773f1e4c7756db9?pvs=4

Very possible Guru will add this this week although it might not be production worthy.

https://github.com/mikelodder7/vsss-rs (could be good to look into).

Overview

Learn what the extended witness is and benchmark packed secret sharing

Packed secret sharing extended witness

• Witness are secret inputs
• Extended witness are the wire values of every single wire in the circuit.
• (Long-term optional MPC protocol) Many round computation
  • Secret share witness
  • Use MPC to compute the wire values

We added a Simple sha256 circom circuit example for testing, we need to generate the proving key (zkey) for this circuit and put it in the solidity fixtures S3 so we can use during testing.

Use the scripts for phase 2 from https://github.com/webb-tools/protocol-solidity/blob/main/scripts/bash/groth16/phase2_circuit_groth16.sh or follow the instructions directly from https://github.com/iden3/snarkjs#7-prepare-phase-2

Tasks

• Bring in solidity-fixtures to this repo
• Use scripts to generate the setups
• Upload sha256 circuit fixtures
• PSS and setup the PackedProvingKeyShare structs.

Overview

Our stack relies on async networking so we ought to convert these distributed operations into async rust. All dist-primitives would be candidates for conversion.

First-order tasks

Make the networking usable and safe to operate in a production environment

• Async each distributed function
• Use cfg iter on iterators and parallelize as much as possible for multi-threaded performance
• Work over any Arkworks field and hash digest
• Streaming-friendly interfaces/functions. Large messages (millions of group elements) should be able to be streamed to receivers.
• Secure the transport layer (mTLS)

Second-order tasks

Integrate the ProdNet into a zkGadget

• Create a JobManager repository that can be used by both the DKG gadget and this repo
• Design protocol for handling job requests from a source (later, this source will be the blockchain)
• Combine both the job protocol and the ProdNet implementation to create a zkGadget

Misc tasks

• Benchmark and wrap long-running computations (>10ms) inside tokio::task::spawn_blocking to improve performance

The current version is insecure because the extended witness is reveal in the clear to the King. The correct way to do this can be found at https://github.com/arkworks-rs/groth16/blob/c7e8adec6101f0c51a042fa73f0e31dc344d1ab4/src/r1cs_to_qap.rs#L150.

• Cleanup the distributed FFT implementation and implement a coset FFT
• Fix how h is computed as described in the arkworks implemenation of groth16

The tests could be organized better. Currently, we have them spread across dist-primitives/examples and individual modules such as dist-primitives/dfft/tests.rs. This was an artifact of the original zksaas repo needing a shell script to enable networking.

Given that we are no longer constrained by this, we can place all of the tests within individual modules -- dfft/dmsm/dpp and get rid of dist-primitives/examples entirely.

Also, dist-primitives/examples/dfft_test.rs is redundant in light of the more extensive set of tests in dist-primitives/dfft/tests.rs.

Overview

Computation

Paper

Page 37: https://eprint.iacr.org/2023/905

Overview

The remaining steps to implement before we have a proof actually verifying (with/without privacy) in this repo is to compute h, A, B, and C. We can likely split this down separately and deliver separately.

Tasks

• #10
• #11
• #12
• #13
• #14