0xFableOrg / 0xFable

A fully on-chain trading card game. There will be elves, wizards & shit. Drama and broken friendships also.
https://twitter.com/0xFableGame
BSD 3-Clause Clear License

Groth16 #87

Closed eerkaijun closed 7 months ago

eerkaijun commented 7 months ago

Context (Problem, Motivation, Solution)

Link to issue: https://github.com/0xFableOrg/0xFable/issues/74

Switch ZK proving system from Plonk to Groth16 - major improvement in client side proving time. DrawInitalHand circuit proving reduced from 20s to 1.5s!

Describe Your Changes

Main changes are:

An interesting observation is that when using snarkjs.groth16.fullProve to generate the proof, it uses a different Endian than what the Solidity verifier would take, so when parsing the proof we have to switch the Endian. Spent so long trying to figure this out LOL and had to dig through their source code.

Checklist

Testing

Updated some circuit tests and also tested on frontend.
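
The proof-parsing step mentioned in the description above, as an added example (not code from this PR or the 0xFable repository). It assumes the mismatch is the coefficient order of the G2 point `pi_b`, which is what snarkjs's own Solidity calldata export reverses; `proofToSolidityArgs` and `sampleProof` are hypothetical names.

```javascript
// Added example: not code from the 0xFable repository.
// BN254 (alt_bn128) base-field modulus; proof coordinates must be below it.
const FIELD_Q =
  21888242871839275222246405745257275088696311157297823662689037725263463657583n;

// Parse one decimal-string coordinate and reject anything not fully reduced.
function toFieldElement(value, label) {
  if (typeof value !== "string" || !/^[0-9]+$/.test(value)) {
    throw new TypeError(`${label}: expected a decimal string`);
  }
  const n = BigInt(value);
  if (n >= FIELD_Q) throw new RangeError(`${label}: not below the field modulus`);
  return n;
}

// Map a snarkjs Groth16 proof object to the a, b, c arguments of the
// generated Solidity verifier (hypothetical helper name).
function proofToSolidityArgs(proof) {
  if (proof.protocol !== "groth16") throw new Error("not a Groth16 proof");
  const g1 = (p, name) => [
    toFieldElement(p[0], `${name}.x`),
    toFieldElement(p[1], `${name}.y`),
  ];
  // A G2 coordinate is an Fp2 element stored by snarkjs as [c0, c1];
  // the verifier contract takes [c1, c0], so each pair is reversed (assumption
  // about which mismatch the PR description refers to).
  const fp2 = (pair, name) => [
    toFieldElement(pair[1], `${name}.c1`),
    toFieldElement(pair[0], `${name}.c0`),
  ];
  return {
    a: g1(proof.pi_a, "pi_a"),
    b: [fp2(proof.pi_b[0], "pi_b.x"), fp2(proof.pi_b[1], "pi_b.y")],
    c: g1(proof.pi_c, "pi_c"),
  };
}

// Constructed sample with the shape snarkjs emits (values are not a valid proof).
const sampleProof = {
  pi_a: ["11", "12", "1"],
  pi_b: [["21", "22"], ["23", "24"], ["1", "0"]],
  pi_c: ["31", "32", "1"],
  protocol: "groth16",
  curve: "bn128",
};

console.log(proofToSolidityArgs(sampleProof));
```

Forwarding `pi_b` without the swap gives a proof the contract rejects even though `snarkjs.groth16.verify` accepts it off-chain, so a frontend test should exercise the on-chain verifier, not only the JavaScript one.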

norswap commented 7 months ago

Amazing! How does it work wrt to the trusted setup? I thought groth required a circuit-specific setup, but we're still just using the powers of tau here?

eerkaijun commented 7 months ago

> Amazing! How does it work wrt to the trusted setup? I thought groth required a circuit-specific setup, but we're still just using the powers of tau here?

The zkey that is used will be the one involved in the trusted ceremony. Currently in the Makefile we just use a zkey that has no contribution. In production, the final zkey that is used will be the output of the trusted ceremony with contributions by those that participated in the trusted ceremony.