ETH will need ZK-SNARKs to move forward

1 Like

It’s very interesting to see how Ethereum might do this. I found this article by Vitalik here: https://medium.com/@VitalikButerin/zk-snarks-under-the-hood-b33151a013f6, where he discusses the trusted setup (among other parts of zk-SNARKs) and his proposed solution. Some interesting quotes from the article are:

Unfortunately we can’t make it completely trustless; the KoE assumption itself precludes making independent pairs (P_i, P_i * k) without knowing what k is. However, we can increase security greatly by using N-of-N multiparty computation - that is, constructing the trusted setup between N parties in such a way that as long as at least one of the participants deleted their toxic waste then you’re okay.

This seems like a wonderful green flag, but as with everything it has its drawbacks. He mentions that “not just anybody” can join in on this party:

Doing this for the complete trusted setup is quite a bit harder, as there are several values involved, and the algorithm has to be done between the parties in several rounds […] It’s reasonable to see why a trusted setup between six participants who all know and work with each other might make some people uncomfortable, but a trusted setup with thousands of participants would be nearly indistinguishable from no trust at all.

However, even with that drawback he says it’s a very active area of research (and it is), and he hopes in the future you could parallelize more of it. The article was also written 16 months ago before Sapling, so maybe there’s a better solution now!

1 Like

It’s also exactly what we did for both Sprout and Sapling :slightly_smiling_face:

We made it significantly more scalable for Sapling. Sprout had six participants who all had to work closely together to perform the MPC (as the article alluded to). Sapling had two separate rounds, each with roughly 90 participants (one from each round needs to succeed), and the full participant list was not decided before starting the MPC - you could sign up at any point (the second round even had a calendar interface for scheduling yourself a slot).

What was it like for the participants in this? Did they need to send a giant file around to each other?

Also, a slightly less educated question - how do these participants verify they were actually included in the final product?
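As an added illustration (not from any post in this thread, and not the Zcash ceremony code), here is a toy simulation of the sequential N-of-N MPC that Vitalik's quoted paragraph describes and that the Sapling rounds scaled up: each participant raises the running accumulator to a fresh secret, publishes a proof that they did only that, and then deletes the secret. The assumptions are all toy substitutes for the real construction: a prime-order subgroup of Z_p^* with a tiny safe prime instead of the BLS12-381 pairing groups, a Schnorr proof of knowledge of the exponent in place of the pairing-based "same ratio" check, and a single secret `tau` rather than the full set of setup values. The `contribution_digest` / `was_included` helpers show one way a participant can later check they are in the final transcript: keep a hash of the public (base, result) pair they produced and look for it in the published chain. Function names, the constants `P`, `Q`, `G`, and the seed-driven RNG are all hypothetical.

```python
"""Toy sequential trusted-setup MPC (added example; not the Zcash/Sapling code)."""
import hashlib
import random
import secrets

# Assumption: toy safe prime p = 2q + 1. Far too small for real use.
Q = 1019
P = 2 * Q + 1          # 2039
G = 4                  # a square != 1, so it generates the order-Q subgroup


def _challenge(*parts: int) -> int:
    """Fiat-Shamir challenge over the public values of one step."""
    h = hashlib.sha256(b"|".join(str(x).encode() for x in parts)).digest()
    return int.from_bytes(h, "big") % Q


def contribute(accumulator: int, rng):
    """One participant's turn: new = old^s, plus a Schnorr PoK of s over base `old`.

    Returns (new_accumulator, proof, secret). The secret is this participant's
    toxic waste and is meant to be deleted as soon as the proof is published.
    """
    s = rng.randrange(2, Q)                     # s in [2, Q-1]; never the identity
    new_acc = pow(accumulator, s, P)
    r = rng.randrange(1, Q)                     # Schnorr nonce
    commitment = pow(accumulator, r, P)
    c = _challenge(accumulator, new_acc, commitment)
    z = (r + c * s) % Q
    proof = {"base": accumulator, "result": new_acc,
             "commitment": commitment, "response": z}
    return new_acc, proof, s


def verify_step(proof) -> bool:
    """Accept only if result = base^s for an s the prover knows (toy stand-in
    for the pairing same-ratio check), and result lies in the subgroup."""
    base, res = proof["base"], proof["result"]
    t, z = proof["commitment"], proof["response"]
    if not (1 < base < P and 1 < res < P):
        return False
    if pow(res, Q, P) != 1:                     # subgroup membership
        return False
    c = _challenge(base, res, t)
    return pow(base, z, P) == (t * pow(res, c, P)) % P   # base^z == t * res^c


def verify_transcript(transcript, start=G) -> bool:
    """Each step must chain off the previous result and carry a valid proof.
    A dropped, reordered or forged contribution breaks this check."""
    prev = start
    for proof in transcript:
        if proof["base"] != prev or not verify_step(proof):
            return False
        prev = proof["result"]
    return True


def contribution_digest(proof) -> str:
    """What a participant keeps after deleting their secret: a hash of the
    public (base, result) pair they produced."""
    return hashlib.sha256(f"{proof['base']}:{proof['result']}".encode()).hexdigest()


def was_included(transcript, digest: str) -> bool:
    """Inclusion check a participant can run against the published transcript."""
    return any(contribution_digest(p) == digest for p in transcript)


def run_ceremony(n_participants: int, seed=None):
    """Run the chain. Secrets are returned only to demonstrate the failure mode;
    a real ceremony destroys them."""
    rng = random.Random(seed) if seed is not None else secrets.SystemRandom()
    acc, transcript, kept_secrets = G, [], []
    for _ in range(n_participants):
        acc, proof, s = contribute(acc, rng)
        transcript.append(proof)
        kept_secrets.append(s)
    return acc, transcript, kept_secrets


def recover_tau(secret_list) -> int:
    """tau = product of all s_i mod Q. Possible only if every participant kept
    (or leaked) their secret; one missing factor gives a different exponent."""
    tau = 1
    for s in secret_list:
        tau = (tau * s) % Q
    return tau


if __name__ == "__main__":
    final, tr, ss = run_ceremony(5, seed=7)
    print("transcript valid:", verify_transcript(tr))
    print("all secrets recover tau:", final == pow(G, recover_tau(ss), P))
    print("one secret deleted:", final == pow(G, recover_tau(ss[1:]), P))
```

The interesting properties to check are that the transcript verifies end to end, that `G^tau` equals the final accumulator only when every secret is available, and that removing any single step from the published chain makes `verify_transcript` reject it, which is what lets a participant confirm their contribution is really in the final product rather than silently skipped.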