Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Lite-PoT: Practical Powers-of-Tau Setup Ceremony

Lucien K. L. Ng, Pedro Moreno-Sanchez, Mohsen Minaei, Panagiotis Chatzigiannis, Adithya Bhat, Duc V. Le

TL;DR

Lite-PoT tackles the bottleneck of decentralized Powers-of-Tau ceremonies by introducing two key ideas: a fraud-proof on-chain mechanism that reduces per-update cost to $O(1)$ and an off-chain aggregation protocol that batches $m$ contributions into a single on-chain update with $O(d)$ cost. The approach achieves strong censorship-resistance, data availability, and validity guarantees while enabling PoT degrees up to $2^{15}$, vastly expanding practical ceremony scales. Security is grounded in AGM with reductions to the $(n,k)$-SDH assumption and PoP-based rogue-key defenses, ensuring sound randomness inclusion and fraud-proof robustness. Empirically, Lite-PoT yields about 16x gas savings over prior work and enables parallel off-chain verification, making large-scale, permissionless PoT ceremonies feasible on Ethereum with BN254 and vector commitments.

Abstract

Zero-Knowledge Succinct Non-Interactive Argument of Knowledge (zk-SNARK) schemes have gained significant adoption in privacy-preserving applications, decentralized systems (e.g., blockchain), and verifiable computation due to their efficiency. However, the most efficient zk-SNARKs often rely on a one-time trusted setup to generate a public parameter, often known as the ``Powers of Tau" (PoT) string. The leakage of the secret parameter, $τ$, in the string would allow attackers to generate false proofs, compromising the soundness of all zk-SNARK systems built on it. Prior proposals for decentralized setup ceremonies have utilized blockchain-based smart contracts to allow any party to contribute randomness to $τ$ while also preventing censorship of contributions. For a PoT string of $d$-degree generated by the randomness of $m$ contributors, these solutions required a total of $O(md)$ on-chain operations (i.e., in terms of both storage and cryptographic operations). These operations primarily consisted of costly group operations, particularly scalar multiplication on pairing curves, which discouraged participation and limited the impact of decentralization In this work, we present Lite-PoT, which includes two key protocols designed to reduce participation costs: \emph{(i)} a fraud-proof protocol to reduce the number of expensive on-chain cryptographic group operations to $O(1)$ per contributor. Our experimental results show that (with one transaction per update) our protocol enables decentralized ceremonies for PoT strings up to a $2^{15}$ degree, an $\approx 16x$ improvement over existing on-chain solutions; \emph{(ii)} a proof aggregation technique that batches $m$ randomness contributions into one on-chain update with only $O(d)$ on-chain operations, independent of $m$. This significantly reduces the monetary cost of on-chain updates by $m$-fold via amortization.

Lite-PoT: Practical Powers-of-Tau Setup Ceremony

TL;DR

Lite-PoT tackles the bottleneck of decentralized Powers-of-Tau ceremonies by introducing two key ideas: a fraud-proof on-chain mechanism that reduces per-update cost to and an off-chain aggregation protocol that batches contributions into a single on-chain update with cost. The approach achieves strong censorship-resistance, data availability, and validity guarantees while enabling PoT degrees up to , vastly expanding practical ceremony scales. Security is grounded in AGM with reductions to the -SDH assumption and PoP-based rogue-key defenses, ensuring sound randomness inclusion and fraud-proof robustness. Empirically, Lite-PoT yields about 16x gas savings over prior work and enables parallel off-chain verification, making large-scale, permissionless PoT ceremonies feasible on Ethereum with BN254 and vector commitments.

Abstract

Zero-Knowledge Succinct Non-Interactive Argument of Knowledge (zk-SNARK) schemes have gained significant adoption in privacy-preserving applications, decentralized systems (e.g., blockchain), and verifiable computation due to their efficiency. However, the most efficient zk-SNARKs often rely on a one-time trusted setup to generate a public parameter, often known as the ``Powers of Tau" (PoT) string. The leakage of the secret parameter, , in the string would allow attackers to generate false proofs, compromising the soundness of all zk-SNARK systems built on it. Prior proposals for decentralized setup ceremonies have utilized blockchain-based smart contracts to allow any party to contribute randomness to while also preventing censorship of contributions. For a PoT string of -degree generated by the randomness of contributors, these solutions required a total of on-chain operations (i.e., in terms of both storage and cryptographic operations). These operations primarily consisted of costly group operations, particularly scalar multiplication on pairing curves, which discouraged participation and limited the impact of decentralization In this work, we present Lite-PoT, which includes two key protocols designed to reduce participation costs: \emph{(i)} a fraud-proof protocol to reduce the number of expensive on-chain cryptographic group operations to per contributor. Our experimental results show that (with one transaction per update) our protocol enables decentralized ceremonies for PoT strings up to a degree, an improvement over existing on-chain solutions; \emph{(ii)} a proof aggregation technique that batches randomness contributions into one on-chain update with only on-chain operations, independent of . This significantly reduces the monetary cost of on-chain updates by -fold via amortization.

Paper Structure

This paper contains 28 sections, 8 theorems, 58 equations, 4 figures, 5 tables, 5 algorithms.

Table of Contents

  1. Introduction
  2. State-of-the-art and Goals
  3. Our Contributions
  4. Preliminaries
  5. Cryptographic Tools
  6. Prior Decentralized PoT Ceremony Scheme
  7. Comparison With Our Work
  8. Technical Overview
  9. Fraud-Proof Mechanism
  10. Aggregateable Contribution
  11. Strawman Aggregation Protocol
  12. Contribution Inclusion Check
  13. Progressive Key Aggregation
  14. Construction and Security Analysis
  15. Construction
  16. ...and 13 more sections

Key Result

Theorem 1

Suppose $\mathsf{pp}_{t}$ is submitted to $\mathcal{C}$ at stage $t$ and $\mathsf{pp}_t$ is not in the form of for $\tau \in \mathbb{Z}_p^{*}$. There exists a proof $\pi$ derived from $\mathsf{pp}_{t}$ such that $\mathcal{C}$ will rewind itself back to stage $t-1$ after receiving $\pi$ via $\mathtt{FraudProve}\xspace$.

Figures (4)

  • Figure 1: provides an overview of our Fraud-Proof mechanism. For an update, the contract ($\mathcal{C}$) only runs the inexpensive verification for $\mathtt{KnowledgeCheck}$ and $\mathtt{NonDegenCheck}$. Unlike in boneh-pot-2024, $\mathcal{C}$ skips the costly verification $\mathtt{WellformCheck}$. Only when $\mathsf{pp}_t$ is ill-formed, a fraud-proof $\pi_{\mathtt{fraud}}$ will be submitted, and $\mathcal{C}$ can verify $\pi_{\mathtt{fraud}}$ with $O(\log d)$ gas and then revert back to $\mathsf{pp}_{t-1}$. gives an overview of our Aggregatable Contribution Scheme. Here, an operator receives contributions from multiple contributors, verifies them off-chain, aggregates the proofs, and submits the latest $\mathsf{pp}$ with the constant-size proof. Another operator can then take over and aggregate subsequent contributions.
  • Figure 2: The interaction among the entities in our protocol and the supposed invocation sequence of the procedures.
  • Figure 3: Comparison of Gas Costs for Each Update with boneh-pot-2024 for $n\in \{2^{10}, 2^{11}, 2^{12}, 2^{13}, 2^{14}, 2^{15}\}$ and $k = 1$
  • Figure 4: Off-Chain Computation Time for Contributors and Operators for $n\in \{2^{10}, 2^{11}, 2^{12}, 2^{13}, 2^{14}, 2^{15}\}$ and $k = 1$.

Theorems & Definitions (24)

  • Definition 1: Vector Commitment boneh2020graduate
  • Definition 2: $\mathbf{G}_{(n, k)-\mathsf{sdh}}^{\mathcal{A}}$
  • Definition 3: $(n,k)$-strong Diffie-Hellman Assumption
  • Definition 4: BLS Signature asiacrypt/BonehLS01
  • Theorem 1
  • Theorem 2
  • Definition 5: $\mathsf{Game}_{\mathsf{incl\text{-}snd}}$
  • Definition 6: Soundness of Randomness Inclusion
  • Theorem 3
  • proof : Proof sketch
  • ...and 14 more