
Normally, in zk-SNARK, we need to generate two public keys: one for the prover and one for the verifier. However, the input parameter of this generator algorithm must be secret, meaning that it must be hidden from both prover and verifier.

And because of this, the generation of those public keys is done by a trusted third party.

Since using a trusted third party is not desirable for a decentralized blockchain, I am looking for a decentralized approach to generating those public keys. Is there one? Or is it impossible to have a decentralized zk-SNARK?

P.S. More information about zk-SNARK can be found here: https://media.consensys.net/introduction-to-zksnarks-with-examples-3283b554fc3b

Questioner

1 Answer


Here's Zcash's multi-party parameter calculation code, which...

> ... used a multi-party computation protocol with the property that the resulting parameters are secure unless all of the participants were dishonest or compromised during the ceremony.

By the way, you might find Bulletproofs more interesting which is newer and doesn't require a trusted setup.

MCCCS
  • Thank you. Do you mean **Bulletproofs** is an alternative to **zk-SNARK**? And is there any usage of **Bulletproofs** in **Blockchain**? Thanks – Questioner Aug 28 '18 at 14:34
  • Yes, it's an alternative. It can be used everywhere SNARKs can be used. It's currently only on Monero testnet. – MCCCS Aug 28 '18 at 14:37
  • Bulletproofs can be used for any purpose where zkSNARKs are used, though they have very different size/performance tradeoffs. Bulletproofs are larger than zkSNARKs, and for anything but the simplest statements, also slower to verify. However, they aggregate well (verifying multiple at once can be faster), and most importantly, they have no trusted setup at all. – Pieter Wuille Aug 28 '18 at 15:17
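The property quoted in the answer (the parameters stay secure unless every participant colludes) is easiest to see in a toy version of the ceremony. The following is an added illustration written for this page, not Zcash's code: each participant multiplies their own random share into the secret "tau" purely in the exponent of a structured reference string `[g^(tau^k)]`, publishes a Schnorr-style proof that the update was honest, and then discards the share. The number `tau` itself is never assembled anywhere; the `reference_tau` function exists only to check the simulation and would not exist in a real ceremony. The group (a prime-order subgroup of integers mod the safe prime 10^9+7) and the degree are assumptions chosen for readability, and the Schnorr check only covers the degree-1 element; real ceremonies use pairing checks to tie the higher powers together.

```python
import hashlib
import secrets

# Toy group (assumption for this example): p = 10^9+7 is a safe prime, so
# q = (p-1)/2 is prime and g = 4 (a quadratic residue) generates the
# subgroup of order q. Exponents are therefore reduced mod q.
P = 1_000_000_007
Q = (P - 1) // 2
G = 4
assert pow(G, Q, P) == 1 and G != 1


def fresh_srs(degree):
    """Initial reference string [g^(tau^k)] for k = 0..degree with tau = 1."""
    return [G] * (degree + 1)


def contribute(srs, share):
    """One participant folds their share s into tau: g^(tau^k) -> g^((tau*s)^k).
    Only the published group elements are touched; tau is never materialised."""
    return [pow(h, pow(share, k, Q), P) for k, h in enumerate(srs)]


def _challenge(*values):
    """Fiat-Shamir challenge derived from the transcript."""
    data = b"|".join(str(v).encode() for v in values)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def prove_update(old, new, share):
    """Schnorr proof of knowledge of s such that new[1] == old[1]^s (mod p)."""
    r = secrets.randbelow(Q - 1) + 1
    commitment = pow(old[1], r, P)
    c = _challenge(old[1], new[1], commitment)
    z = (r + c * share) % Q
    return commitment, z


def verify_update(old, new, proof):
    """Check the proof and that the degree-0 element was left untouched."""
    commitment, z = proof
    c = _challenge(old[1], new[1], commitment)
    if pow(old[1], z, P) != (commitment * pow(new[1], c, P)) % P:
        return False
    return new[0] == old[0]


def run_ceremony(shares, degree):
    """Sequential ceremony: every participant extends the previous output.
    Returns the final reference string and one verification result per update."""
    srs = fresh_srs(degree)
    checks = []
    for share in shares:
        new = contribute(srs, share)
        proof = prove_update(srs, new, share)
        checks.append(verify_update(srs, new, proof))
        srs = new  # the participant now deletes `share`; only `srs` survives
    return srs, checks


def reference_tau(shares):
    """Simulation-only helper: the secret the ceremony implicitly produced.
    It needs EVERY share, which is exactly why one honest deleter suffices."""
    tau = 1
    for share in shares:
        tau = (tau * share) % Q
    return tau


def srs_for_tau(tau, degree):
    """What a single trusted party knowing tau would have published."""
    return [pow(G, pow(tau, k, Q), P) for k in range(degree + 1)]


if __name__ == "__main__":
    # Constructed sample shares; real ones are random and never written down.
    sample_shares = [3, 5, 7]
    final_srs, ok = run_ceremony(sample_shares, degree=4)
    print("all updates verified:", all(ok))
    print("matches trusted-party output:",
          final_srs == srs_for_tau(reference_tau(sample_shares), 4))
    print("missing one share gives a different tau:",
          reference_tau(sample_shares[:2]) != reference_tau(sample_shares))
```

The design point is that the accumulated string is a function of the product of all shares, so recovering tau from the public output with all but one share still requires a discrete logarithm in the group; verifying each update's proof is what stops a participant from silently replacing the string with one whose secret they know.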