2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article walks through a worked example of building a zk rollup with circom and snarkjs, a topic that many people find hard to follow. The summary below is meant to make it easier to understand, and I hope you get something out of it.
In the past year, many zero-knowledge proof applications have appeared. In this course, we first learn the basic concepts of zero-knowledge proofs, use circom to build arithmetic circuits, use snarkjs to run the whole zero-knowledge proof process, and then use this knowledge to implement the layer-2 scaling scheme zk rollup.
Implementing a zero-knowledge program is different from implementing other programs. First of all, the problem you want to solve needs to be converted into a polynomial and then into a circuit. For example, the polynomial x³ + x + 5 can be represented as the following circuit:
    sym_1 = x * x       // sym_1 = x²
    sym_2 = sym_1 * x   // sym_2 = x³
    y = sym_2 + x       // y = x³ + x
    ~out = y + 5
The Circom compiler converts logic into circuits. Usually we don't need to design the basic circuits ourselves. If you need a hash function or signature function, you can find it in circomlib.
2. Proof generation and verification: the zero-knowledge proof process
Before running a zero-knowledge proof program, we need to create a trusted setup, which requires a circuit and some random numbers. Once the setup is complete, a proving key and a verification key are generated, which are used to generate proofs and to verify them, respectively.
Once the proving / verification key pair is created, the proof can be generated.
There are two types of input: public input and private input. For example, if A transfers money to B but does not want to disclose the account balance, then A's account balance is private input, also known as the witness. Public input can be the addresses of A and B or the amount of the transfer, depending on your specific design.
The prover can then use the proving key, the public input and the witness to generate the proof:
The final step is verification. The verifier uses the public input, the proof and the verification key to verify the proof.
Public input, witness (private input), proving key, verification key, circuit and proof, and the relationships between them, are the basic concepts of zero-knowledge proofs that we need to understand before continuing with the tutorial below.
3. Basic concept of Circom: arithmetic circuit language
First of all, let's look at the syntax of Circom. It is similar to JavaScript and C, and provides some basic data types and operations, such as for, while, >>, array, and so on.
Let's look at a concrete example.
Assume that x and y are confidential (that is, the witness): we don't want to expose the specific values of x and y, but we want to prove that (x * y) + z == out, where z and out are public inputs. If out = 30 and z = 10, then it is obvious that x * y = 20, but this does not expose the specific values of x and y.
Circom provides the following keywords to describe arithmetic circuits:
signal: a signal variable, which is converted to a circuit variable and can be private or public
template: a template, used for function definitions, like function in Solidity or func in Go
component: a component variable, which can be thought of as an object whose signal variables are its public members
Circom also provides some operators for manipulating signal variables:
<==, ==>: these two operators connect signal variables and define constraints at the same time
<--, -->: these operators assign values to signal variables, but do not generate constraints
===: this operator is used to define constraints
Well, these are the circom keywords we need to know to continue the zero-knowledge proof practice.
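The assign-only operators are the ones to audit: a signal that is assigned but never constrained can hold any value in a witness and the proof still verifies. The following JavaScript is an added example, not code from the original article or from circom/snarkjs; it models the (x * y) + z == out circuit as a list of constraint predicates, and `constrained`, `assignOnly`, `satisfies` and `unconstrainedSignals` are hypothetical names.

```javascript
// Toy model of a circom-style constraint system (added example, not circom/snarkjs code).
// Field: the BN254 scalar field, circom's default prime.
const P = 21888242871839275222246405745257275088548364400416034343698204186575808495617n;
const mod = (v) => ((v % P) + P) % P;

// A constraint is a predicate over the witness; verification only enforces these.
// circom: out <== x*y + z;   assigns out AND adds the constraint below.
const constrained = [(w) => mod(w.x * w.y + w.z) === mod(w.out)];
// circom: out <-- x*y + z;   assigns out and adds NO constraint (a later === is needed).
const assignOnly = [];

// Witness generation is what an honest prover runs: it follows the assignment.
function honestWitness({ x, y, z }) {
  return { x, y, z, out: mod(x * y + z) };
}

// What a verified proof guarantees: every constraint holds for the witness.
function satisfies(constraints, w) {
  return constraints.every((c) => c(w));
}

// Simple probe for this toy model: a signal is flagged when changing it
// does not break any constraint, i.e. nothing ties it to the other signals.
function unconstrainedSignals(constraints, w, names) {
  return names.filter((n) => satisfies(constraints, w) &&
    satisfies(constraints, { ...w, [n]: mod(w[n] + 1n) }));
}

// Constructed sample input, same values as input.json in the tutorial.
const honest = honestWitness({ x: 3n, y: 5n, z: 100n });   // out = 115
const altered = { ...honest, out: 999n };                  // out is no longer x*y + z

console.log(satisfies(constrained, honest), satisfies(constrained, altered));
console.log(satisfies(assignOnly, honest), satisfies(assignOnly, altered));
console.log(unconstrainedSignals(assignOnly, honest, ["out"]));
```

When reviewing a circuit, every `<--` or `-->` should be paired with an explicit `===` that pins the assigned signal down.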
4. Implementing the whole zero-knowledge proof process with circom and snarkjs
STEP 1: compile the circuit file to generate circuit.json:
    circom sample1.circom
STEP 2: create the trusted setup and generate proving_key.json and verification_key.json using the groth protocol:
    snarkjs setup --protocol groth
STEP 3: generate the witness (private input). This step requires input, so you should store your input in input.json, like this:
    // input.json
    {"x": 3, "y": 5, "z": 100}
Generate the witness file witness.json using the following command:
    snarkjs calculatewitness
STEP 4: generate the proof using the following snarkjs command:
    snarkjs proof
The result is proof.json and public.json. public.json contains the public input, which in this example is the pair of values 115 and 100.
STEP 5: verify using the following snarkjs command:
    snarkjs verify
5. Zero-knowledge proof practice case: zk rollup implementation
zk rollup is a layer-2 solution, but it differs from other layer-2 solutions. zk rollup puts all the data on the chain and validates it using zk-SNARKs, so there is no need for complex challenge games. In zk rollup, user addresses are recorded in a Merkle tree in the smart contract, and a 3-byte index is used to represent a user's address (the original size of the address is 20 bytes), so zk rollup can increase transaction throughput by reducing the data size.
To make it easier to understand, we deliberately omit some details in the following zk rollup implementation; for the original zk rollup tutorial, refer to ZKRollup Tutorial.
First of all, there is a Merkle tree that records the accounts, and each account record is (public key, balance). Each transaction is (sender index, receiver index, amount). The process is as follows:
1. Check whether the sender account is in the Merkle tree
2. Verify the sender's signature
3. Update the sender's balance and verify the intermediate Merkle root
4. Update the receiver's balance and update the Merkle root
The variables of the circom circuit program are defined as follows:
    // account tree
    signal input account_root;
    signal private input account_pubkey[2];
    signal private input account_balance;

    // new account root after sender's balance is updated
    signal private input new_sender_account_root;

    // tx
    signal private input tx_sender_pubkey[2];
    signal private input tx_sender_balance;
    signal private input tx_amount;
    signal private input tx_sender_sig_r[2];
    signal private input tx_sender_sig_s;
    signal private input tx_sender_path_element[levels];
    signal private input tx_sender_path_idx[levels];
    signal private input tx_receiver_pubkey[2];
    signal private input tx_receiver_balance;
    signal private input tx_receiver_path_element[levels];
    signal private input tx_receiver_path_idx[levels];

    // output new merkle root
    signal output new_root;
In this case almost all the variables are private, whether public key, account balance or signature; only the Merkle root and the updated Merkle root are public. path_element holds the intermediate values for building the Merkle root, and path_idx is an array that holds the index for each layer of the Merkle tree. This is a binary tree, so there are only two branches, left and right, with 0 for the left and 1 for the right. The final path looks like a binary string: 001011.
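The path encoding and the four transaction steps above, as an added JavaScript example that is not the tutorial's circom code. Assumptions: `hash2` is a toy stand-in for a circuit hash, the leaf layout H(H(pubkey), balance) and the leaf-level-first ordering of the index bits are chosen here, the signature check (step 2) is omitted, and the balance check is an addition.

```javascript
// Toy model of the rollup account tree (added example, not the tutorial's circom code).
const P = 21888242871839275222246405745257275088548364400416034343698204186575808495617n;
// Stand-in 2-to-1 hash (assumption): NOT collision resistant, illustration only.
function hash2(a, b) {
  let s = (a + 1n) % P;
  for (let i = 0n; i < 4n; i++) s = (((s + b + i) % P) ** 5n + a) % P;
  return s;
}
// Account leaf = H(H(pubkey[0], pubkey[1]), balance): the (public key, balance) record.
const leafOf = (acct) => hash2(hash2(acct.pubkey[0], acct.pubkey[1]), acct.balance);

// Recompute the root from a leaf. idx[i] = 0: the node is the left child at level i,
// idx[i] = 1: it is the right child. Level 0 is the leaf level (assumption).
function rootFromPath(leaf, elements, idx) {
  return elements.reduce(
    (node, sib, i) => (idx[i] === 0 ? hash2(node, sib) : hash2(sib, node)), leaf);
}

// Sample-data helper: sibling hashes and index bits for the leaf at position pos.
function pathOf(leaves, pos) {
  const elements = [], idx = [];
  for (let layer = leaves; layer.length > 1; pos >>= 1) {
    idx.push(pos & 1);
    elements.push(layer[pos ^ 1]);
    layer = layer.flatMap((n, i) => (i % 2 ? [] : [hash2(n, layer[i + 1])]));
  }
  return { elements, idx };
}

// Steps 1, 3 and 4 of the transaction check (step 2, the signature, is left out).
function applyTx(root, sender, sPath, receiver, rPath, amount) {
  const rootOf = (acct, p) => rootFromPath(leafOf(acct), p.elements, p.idx);
  if (rootOf(sender, sPath) !== root) throw new Error("sender not in tree");      // 1
  if (amount > sender.balance) throw new Error("insufficient balance");  // added check
  const midRoot = rootOf({ ...sender, balance: sender.balance - amount }, sPath); // 3
  if (rootOf(receiver, rPath) !== midRoot) throw new Error("receiver not in tree");
  return rootOf({ ...receiver, balance: receiver.balance + amount }, rPath);      // 4
}

// Constructed sample: four accounts with balance 100, index 1 pays 30 to index 2.
function demo() {
  const accts = [1n, 2n, 3n, 4n].map((k) => ({ pubkey: [k, k + 10n], balance: 100n }));
  const leaves = accts.map(leafOf);
  const sPath = pathOf(leaves, 1);
  const root = rootFromPath(leaves[1], sPath.elements, sPath.idx);
  leaves[1] = leafOf({ ...accts[1], balance: 70n });   // tree after the sender update
  const rPath = pathOf(leaves, 2);
  return { sIdx: sPath.idx, rIdx: rPath.idx,
           newRoot: applyTx(root, accts[1], sPath, accts[2], rPath, 30n) };
}
```

The receiver's path is taken against the intermediate tree, which is why the circuit carries the intermediate root as its own input.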
The following circom code checks to see if the sender exists:
    // 1. Verify sender account existence
    component senderLeaf = HashedLeaf();
    senderLeaf.pubkey[0]