Use official KZG ceremony output trusted setups #3521
Conversation
It now creates 6 random proofs instead of all 4096.
jtraglia
left a comment
jtraglia
left a comment
There was a problem hiding this comment.
I know this is just a draft, but I'd like to suggest we rename a few variables. Nit picky stuff.
There was a problem hiding this comment.
Regarding the roots of unity, @hwwhww mentions that "Client teams don't need it if the KZG libraries compute it."
My understanding is that none of the KZG libraries are planning on loading in these points manually. (C-KZG is planning on calculating them too now.) It takes longer to parse the JSON and load in the
elements than it does to just calculate them. I think we should just specify the primary root and leave it at that.
It allows us to remove the scripts/gen_roots_of_unity.py in addition to all the *_roots_of_unity.json files (in the interests of keeping this repo small
|
Yes, agreed. I think it would be best to have a method in the spec for this. Something like: PRIMITIVE_ROOT = 7
def get_roots_of_unity() -> List[int]:
"""
Return roots of unity of order ``FIELD_ELEMENTS_PER_BLOB``.
"""
assert (BLS_MODULUS - 1) % FIELD_ELEMENTS_PER_BLOB == 0
root_of_unity = pow(PRIMITIVE_ROOT, (BLS_MODULUS - 1) // FIELD_ELEMENTS_PER_BLOB, BLS_MODULUS)
return compute_powers(root_of_unity, FIELD_ELEMENTS_PER_BLOB) |
|
@jtraglia @CarlBeek thanks for the reviews! 1. For executable pyspecFor pyspec, 2.
|
Hey. That code looks good to me. No strong opinion on whether the func should be generic (to also work with |
|
I think it might make sense to go with the flexible roots of unity implementation. Since we are now looking into implementing some form of DAS much sooner, we will need it anyway so the very minor complication won't hurt. |
|
(Also, I noticed that the spec is currently under-defined in this respect: While the group of roots of unity with a certain order is unique, the order is not. So we do really need to include the function to compute the actual list for it to be complete) |
…y(FIELD_ELEMENTS_PER_BLOB)`
…_G2` to `KZG_SETUP_G2_MONOMIAL`
By the way, I did a survey a couple months ago to assess if there was interest in creating an efficient serialization format for trusted setups:
The |
|
@jtraglia @asn-d6 |
These reference tests pass with the official trusted setup (converted to c-kzg's format) 👍 |
jtraglia
left a comment
jtraglia
left a comment
There was a problem hiding this comment.
I think we can delete a few things now that we're computing the roots at runtime.
djrtwo
left a comment
djrtwo
left a comment
There was a problem hiding this comment.
did a high level review, looks good
| The trusted setup is part of the preset: during testing a `minimal` insecure variant may be used, | ||
| but reusing the `mainnet` settings in public networks is a critical security requirement. |
There was a problem hiding this comment.
Should add some info/references for the KZG ceremony here? @CarlBeek's https://github.com/CarlBeek/kzg-ceremony-verifier repo makes sense to me; should we move that repo to @ethereum org?
|
not sure if it's too late to change but would it be possible to not use the "trusted setup" terminology? comes with more baggage from a time when all setup participants could be counted on two hands =) maybe something like "kzg_setup" might be better? |
|
Hi @tvanepps Our team had a discussion about this topic yesterday. The specs use IIRC client software and KZG libraries have provided I'm going to merge this PR for testgen now, but a post-merge (or post this release) clean-up PR is welcome. :) |
This PR changed our
testing_trusted_setups.jsonto the official KZG ceremony output trusted setups for both minimal and mainnet presets. Two files intrusted_setupsfolder:trusted_setup_4096.jsonis from https://github.com/CarlBeek/kzg-ceremony-verifier/blob/master/output_setups/trusted_setup_4096.jsong1_lagrange:KZG_SETUP_LAGRANGEg2_monomial:KZG_SETUP_G20229b43f4fac9b17374809520eb621b5ee1a7f74547e7d36918e7d4b122e178d2.trusted_setup_4096_roots_of_unity.jsoncontains the roots of unity that pyspec needs forpolynomial-commitments.md. Client teams don't need it if the KZG libraries compute it.-
roots_of_unity:ROOTS_OF_UNITYThis PR is based on the #3255 proposal, which changed the minimal preset
FIELD_ELEMENTS_PER_BLOBto4096.Updated: now we use a
compute_roots_of_unity(order: uint64) -> Sequence[BLSFieldElement]to compute the roots of unity inpolynomial-commitments.mdrather than defining aROOTS_OF_UNITYpreset.