Information about security of Concordium's zkSNARKs

I would like to know more about the zkSNARKs that Concordium uses in its identity layer. For example:

  • What proof methodology is used? (Groth16 or PLONK, for example)

  • Was there a trusted set-up and if so, who participated? Is there any documentation about security measures taken during the ceremony?

Many thanks-

Concordium does not use zkSNARKs at present.

Our ID layer uses only sigma protocols and bulletproofs.

Consequently there was no ceremony. There are some common constants (group elements) that are needed in this setup, and they are generated from a public seed (1000 digits of pi or so) via hashing to group.
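The two points in this reply, transparent parameters derived by hashing a public seed into the group and a sigma protocol built on them, as an added example (this is illustrative code, not Concordium's). It uses a Schnorr group over the integers rather than a pairing-friendly curve, the first 50 decimals of pi as a constructed stand-in for the longer public seed mentioned above, labels `generator-g` / `generator-h` that are assumptions, and a Fiat-Shamir proof of knowledge of a Pedersen commitment opening as the sigma protocol:

```python
"""Nothing-up-my-sleeve generators from a public seed plus a sigma protocol.

Added illustration (not Concordium's code). Two generators of a prime-order
group are derived by hashing a public seed into the group, so nobody knows
the discrete log of one with respect to the other; they are then used in a
non-interactive sigma protocol (Fiat-Shamir) proving knowledge of an opening
of a Pedersen commitment.
"""
import hashlib
import secrets

# --- Schnorr group: p = 2q + 1 with p, q prime; we work in the subgroup of order q ---

def is_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def find_safe_prime(start: int) -> tuple[int, int]:
    """Smallest safe prime p = 2q + 1 with odd q >= start; returns (p, q)."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

P, Q = find_safe_prime(1 << 63)   # ~64-bit toy group, not a production size

# --- Hash to group: seed || label || counter -> subgroup element, retry on identity ---

def hash_to_group(seed: bytes, label: bytes) -> int:
    counter = 0
    while True:
        digest = hashlib.sha256(seed + b"|" + label + b"|" + counter.to_bytes(4, "big")).digest()
        x = int.from_bytes(digest, "big") % P
        g = pow(x, (P - 1) // Q, P)   # cofactor clearing lands x in the order-q subgroup
        if g > 1:                     # reject 0 and the identity
            return g
        counter += 1

# Constructed stand-in for the public seed (the thread mentions ~1000 digits of pi).
PUBLIC_SEED = b"3.14159265358979323846264338327950288419716939937510"
G = hash_to_group(PUBLIC_SEED, b"generator-g")
H = hash_to_group(PUBLIC_SEED, b"generator-h")   # independent of G: log_G(H) is unknown to everyone

# --- Pedersen commitment and a sigma protocol for knowledge of its opening ---

def commit(x: int, r: int) -> int:
    """C = G^x * H^r; hides x (perfectly) and binds x under the DL assumption."""
    return pow(G, x, P) * pow(H, r, P) % P

def fiat_shamir(*elems: int) -> int:
    """Challenge derived from the statement and the first message (transcript hash)."""
    data = b"".join(e.to_bytes(32, "big") for e in elems)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def prove_opening(c: int, x: int, r: int) -> tuple[int, int, int]:
    """Prover knows (x, r) with c = G^x H^r; outputs (t, z1, z2)."""
    a, b = secrets.randbelow(Q), secrets.randbelow(Q)   # fresh randomness per proof
    t = pow(G, a, P) * pow(H, b, P) % P                 # first message
    e = fiat_shamir(G, H, c, t)                         # challenge
    return t, (a + e * x) % Q, (b + e * r) % Q          # responses

def verify_opening(c: int, proof: tuple[int, int, int]) -> bool:
    """Checks G^z1 H^z2 == t * c^e, after confirming c and t are subgroup elements."""
    t, z1, z2 = proof
    if not (0 < c < P and 0 < t < P and pow(c, Q, P) == 1 and pow(t, Q, P) == 1):
        return False
    e = fiat_shamir(G, H, c, t)
    return pow(G, z1, P) * pow(H, z2, P) % P == t * pow(c, e, P) % P

if __name__ == "__main__":
    c = commit(42, 12345)
    print("verifies:", verify_opening(c, prove_opening(c, 42, 12345)))
```

Anyone can rerun `hash_to_group` on the published seed and labels and reproduce `G` and `H`, which is what removes the need for a ceremony: there is no secret whose leakage would let a prover forge openings. The subgroup membership checks in `verify_opening` matter because an element of small order outside the subgroup would otherwise satisfy the equation for a cheating prover.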

Thanks, that is very good to know. I have three simple follow-ups:

  • Was the primary motivation to use Bulletproofs their lack of a trusted setup?

  • Concordium’s identity layer includes anonymity revokers (ARs) and from my understanding, a threshold of ARs can derive a user’s ‘real’ identity from their Concordium identity. Because of this, we must assume that not all ARs are malicious. This seems to make ARs a natural set of parties to run a trusted zkSNARK set-up. Was this considered, considering that zkSNARKs have appealing qualities (related to proof size and verifier complexity)?

  • In the Concordium FAQ, I see mention of a ‘curated list’ of ARs. Could you please tell me where I could find this list?

Thanks!

  • No, I would not say that was the primary motivation. We needed a very specific proof (range proof specifically) for which the much simpler bulletproof was well suited.

  • The ARs are trusted for a very specific operation. Even if they are all malicious the most they can do on their own is link accounts together and see hidden balances. But they cannot cause any disruption on the chain such as minting new CCD. While they could be repurposed for generating SRS as well, it is not obvious that that is the best idea. When we were considering snarks, we were considering using an updatable SRS and allowing different parties (e.g., bakers) to contribute to it. The property this would have then is that as long as one party does not collude with the rest we’d have soundness.

  • You can get the current list of ARs by querying the chain, specifically GetAnonymityRevokers. With concordium-client you can query concordium-client identity show anonymity-revokers
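The updatable-SRS idea from the second bullet above (many contributors, soundness as long as one of them keeps its secret to itself), as an added toy simulation that is not Concordium's design or code. It models a "powers of tau" string g, g^tau, g^tau^2, ... in the multiplicative group mod the Mersenne prime 2^127 - 1 (a convenient, not a secure, choice), with constructed contributor secrets; the per-update consistency checks and proofs of knowledge that real ceremonies require are assumed away:

```python
"""Toy updatable SRS: each contributor multiplies the trapdoor by its own secret.

Added illustration (not Concordium's code). The reference string is
[g^tau^0, g^tau^1, ..., g^tau^d]. A contributor with secret s raises the j-th
element to s^j, which replaces tau by tau*s without anyone ever knowing tau
itself. The final trapdoor is the product of all secrets, so a coalition
missing even one secret cannot reconstruct it.
"""
from functools import reduce

P = (1 << 127) - 1   # Mersenne prime; multiplicative group has order P - 1
N = P - 1            # exponents are reduced mod the group order
G = 7                # constructed base element

def srs_from_trapdoor(tau: int, degree: int) -> list[int]:
    """What a single dealer who knows tau would publish (the thing to avoid)."""
    return [pow(G, pow(tau, j, N), P) for j in range(degree + 1)]

def update(srs: list[int], s: int) -> list[int]:
    """Contributor's step: (g^tau^j)^(s^j) = g^(tau*s)^j for every j."""
    return [pow(e, pow(s, j, N), P) for j, e in enumerate(srs)]

def run_ceremony(secrets_list: list[int], degree: int) -> list[int]:
    """Sequential ceremony starting from tau = 1 (every element equals g)."""
    srs = srs_from_trapdoor(1, degree)
    for s in secrets_list:
        srs = update(srs, s)
    return srs

def effective_trapdoor(secrets_list: list[int]) -> int:
    """tau after all updates: product of the contributor secrets mod N."""
    return reduce(lambda a, b: a * b % N, secrets_list, 1)

def coalition_knows_trapdoor(secrets_list: list[int], honest: int, degree: int) -> bool:
    """Does the SRS built from all secrets except the honest party's match the real one?"""
    known = [s for i, s in enumerate(secrets_list) if i != honest]
    real = run_ceremony(secrets_list, degree)
    return srs_from_trapdoor(effective_trapdoor(known), degree) == real

# Constructed secrets; real contributors draw these at random and erase them afterwards.
SECRETS = [0x1F3A9C4E5B7D2A16, 0x7E1D0C5B4A392817, 0x3C5A7F9E1D2B4C68]

if __name__ == "__main__":
    final = run_ceremony(SECRETS, 4)
    print("matches single-dealer SRS with tau = product:",
          final == srs_from_trapdoor(effective_trapdoor(SECRETS), 4))
    for i in range(len(SECRETS)):
        print(f"coalition of all but contributor {i} recovers tau:",
              coalition_knows_trapdoor(SECRETS, i, 4))
```

The simulation shows why the ordering of contributions does not matter and why one honest contributor suffices for the trapdoor to stay hidden; what it does not show is the other half of a real ceremony, namely verifying that each published update is well-formed (a consistent power structure, and a proof that the contributor knows s), without which a malicious contributor could replace the string rather than update it.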