# ZK programming using Arkworks

## Arithmetic circuits

In the process of generating ZK-SNARKs for arbitrary computation there is one key step, called `arithmetization`

. This is where this computation, written in some high level language like Aleo instructions, is turned into an `arithmetic circuit`

, a graph where each node is an operation (addition, multiplication, etc) and each edge/arrow is some input or output to/from that gate. Below is an example:

Here, the circuit has four inputs $a_1$, $a_2$, $a_3$, and $a_4$ and two outputs $a_5$ and $a_6$, that encode the following computation:

$$ a_5 = (a_1 + 7a_2) * (a_2 - a_3) \ a_6 = (a_2 - a_3) * (a_4 + 1) $$

## R1CS

Arithmetic circuits can be expressed in a different but equivalent way, called a `Rank One Constraint System`

. We're not going to go into much detail about it, but the high level idea is an `R1CS`

is an equation of the form

$$ (\sum a_k x_k) * (\sum b_k x_k) = (\sum c_k x_k) $$

where the $x_k$ can roughly be thought of as the inputs to the circuit. More compactly, this can be written as

$$ Ax * Bx = Cx $$

for some appropriate `A`

, `B`

and `C`

.

Arkworks circuits are expressed in `R1CS`

form, so a circuit is just referred to as a `constraint system`

or just a set of `constraints`

.

## Arkworks circuit API

Arkworks exposes an API to create circuits through the `ark_r1cs_std`

and `ark_relations`

packages. In Arkworks, a circuit is any struct that implements the `ConstraintSynthetizer`

trait:

`#![allow(unused)] fn main() { pub trait ConstraintSynthesizer<F: Field> { /// Drives generation of new constraints inside `cs`. fn generate_constraints(self, cs: ConstraintSystemRef<F>) -> crate::r1cs::Result<()>; } }`

Because all calculations inside a circuit are done on a finite field, this trait is generic over it.

Implementing `ConstraintSynthetizer`

amounts to implementing the function `generate_constraints`

. To give an idea of how this works, let's go through an example.

### Simple circuit

We are going to write a circuit that just takes two numbers as input and checks if they are equal. We define a struct called `TestCircuit`

`#![allow(unused)] fn main() { #[derive(Clone)] pub struct TestCircuit { /// Private input pub a: u8, /// Private input pub b: u8, } }`

As the comments suggest, circuit inputs can be either `public`

or `private`

. Private inputs are hidden to the verifier, i.e., after constructing a proof, the verifier does not have access to them; the proof itself proves that we know a value for it that satisfies the circuit without revealing it.

Now we need to write the constraints for this circuit:

`#![allow(unused)] fn main() { use ark_r1cs_std::prelude::*; use ark_relations::r1cs::{ConstraintSynthesizer, ConstraintSystemRef, SynthesisError}; impl ConstraintSynthesizer<ark_ed_on_bls12_381::Fq> for TestCircuit { fn generate_constraints( self, cs: ConstraintSystemRef<ark_ed_on_bls12_381::Fq>, ) -> Result<(), SynthesisError> { let a = UInt8::new_witness(ark_relations::ns!(cs, "a"), || Ok(self.a))?; let b = UInt8::new_witness(ark_relations::ns!(cs, "b"), || Ok(self.b))?; a.enforce_equal(&b)?; Ok(()) } } }`

For the generic `F`

type, we are using a finite field defined in the `ark_ed_on_bls12_381`

crate. This is a crate implementing the `bls 12-381`

elliptic curve that we'll use later on for proving.

To make our lives easier for now, we are using what Arkworks calls a `Gadget`

. These are pre-generated circuits that we can use as building blocks for coding our constraints. You can sort of think of them as a standard library for circuits. In our example, we are using the `UInt8`

gadget, a way of defining and manipulating unsigned 8 bit integers in this context. Later on we will be showing how to do this without gadgets, defining our constraint manually.

With the `UInt8`

gadget, we define two private inputs (also called `witnesses`

) `a`

and `b`

, and then call the `enforce_equal`

function between them (again, this function is provided by the gadget, we'll see below how to enforce this constraint by hand).

To instantiate a circuit and check if the constraints are satisfied for a given set of inputs, we do the following:

`#![allow(unused)] fn main() { use ark_relations::r1cs::{ConstraintSynthesizer, ConstraintSystem}; let circuit = TestCircuit { a: 1, b: 1 }; let cs = ConstraintSystem::new_ref(); circuit.generate_constraints(cs.clone()).unwrap(); let is_satisfied = cs.is_satisfied().unwrap(); assert!(is_satisfied); }`

Doing the same with the `a`

and `b`

inputs being different should fail.

### Constraints without gadgets

Let's write the same `TestCircuit`

as before, but without using the `UInt8`

gadget. The struct definition is the same, but now the constraints are defined as follows:

`#![allow(unused)] fn main() { impl ConstraintSynthesizer<ark_ed_on_bls12_381::Fq> for TestCircuit { fn generate_constraints( self, cs: ConstraintSystemRef<ark_ed_on_bls12_381::Fq>, ) -> Result<(), SynthesisError> { let a = cs.new_witness_variable(|| { Fq::try_from(self.a).map_err(|_| SynthesisError::AssignmentMissing) })?; let b = cs.new_witness_variable(|| { Fq::try_from(self.b).map_err(|_| SynthesisError::AssignmentMissing) })?; cs.enforce_constraint(lc!(), lc!(), lc!() + (ark_ed_on_bls12_381::Fq::one(), a) - (ark_ed_on_bls12_381::Fq::one(), b))?; Ok(()) } } }`

To create the two private inputs, we now use the `new_witness_variable`

method for the `ConstraintSystem`

we get as an argument when generating constraints. Because every calculation inside a circuit actually happens in a finite field, to create the inputs we manually cast our `a`

and `b`

values to be field elements. Of course, the `UInt8`

gadget just does the same behind the scenes (the gadget treats a `u8`

as an array of 8 booleans using the `Boolean`

gadget, which in turn calls this to do the conversion).

Having created our inputs, we now manually define our constraint with the `enforce_constraint`

function. This expects three arguments called `a`

, `b`

, and `c`

, which correspond to the `A`

, `B`

, and `C`

values defined in the high-level `R1CS`

equation we talked about above. Each one of them is of type `LinearCombination<F>`

, which is nothing more than a `Vec<(F, Variable)>`

(variable being either a constant, public/private input or another linear combination). This is just a way of encoding a sum of the form:

$$ \sum a_k x_k $$

The $a_k$s are of type `F`

, the $x_k$s are variables.

Going back to our example, we defined our constraint by passing `a`

, `b`

, and `c`

as:

`#![allow(unused)] fn main() { use ark_std::One; a = lc!() b = lc!() c = lc!() + (ark_ed_on_bls12_381::Fq::one(), a) - (ark_ed_on_bls12_381::Fq::one(), b) }`

The macro `lc!()`

is provided by Arkworks and just generates an empty linear combination, i.e., zero. For our `c`

, we are substracting from variable

`#![allow(unused)] fn main() { (ark_ed_on_bls12_381::Fq::one(), a) }`

the variable

`#![allow(unused)] fn main() { (ark_ed_on_bls12_381::Fq::one(), b) }`

which is just a complicated way of saying `a - b`

inside our finite field. Putting it all together, our constraint is

$$ 0 * 0 = a - b $$

a.k.a.

$$ a = b $$

Note that this is not the only way of writing this constraint, in our case we could have also defined

`#![allow(unused)] fn main() { a = (ark_ed_on_bls12_381::Fq::one(), a) - (ark_ed_on_bls12_381::Fq::one(), b) b = (ark_ed_on_bls12_381::Fq::one(), 1) c = lc!() }`

encoding the equation

$$ (a - b) * 1 = 0 $$

As is clear from this example, it is much easier to work with gadgets if you can, as they abstract a lot of details from the programmer.

## Proving and verifying our computation with the Marlin crate

With our circuit in hand, what we need to create a ZK-SNARK over it is a `proving system`

, a way to obtain a proof that we ran the circuit with the given inputs (both public and private) and it produced the given outputs (again, both public and private). TODO: check if outputs are actually a part of the circuit/proof API or if they are a higher level thing.

Arkworks provides packages for two different proving systems: `Groth16`

and `Marlin`

. For the next example we'll be using `Marlin`

, which Aleo uses for its blockchain.

The API for both generating and verifying proofs is incredibly simple:

`#![allow(unused)] fn main() { use ark_marlin::{Marlin, SimpleHashFiatShamirRng}; use ark_bls12_381::{Bls12_381, Fr}; use ark_poly::univariate::DensePolynomial; use ark_poly_commit::marlin_pc::MarlinKZG10; use blake2::Blake2s; use rand_chacha::ChaChaRng; type MultiPC = MarlinKZG10<Bls12_381, DensePolynomial<Fr>>; type FS = SimpleHashFiatShamirRng<Blake2s, ChaChaRng>; type MarlinInst = Marlin<Fr, MultiPC, FS>; #[test] fn prove_and_verify() { let rng = &mut ark_std::test_rng(); let universal_srs = MarlinInst::universal_setup(100, 25, 300, rng).unwrap(); let circuit = super::TestCircuit { a: 1, b: 1 }; let (index_pk, index_vk) = MarlinInst::index(&universal_srs, circuit.clone()).unwrap(); let proof = MarlinInst::prove(&index_pk, circuit.clone(), rng).unwrap(); let proof_verifies : bool = MarlinInst::verify(&index_vk, &[], &proof, rng).unwrap(); assert!(proof_verifies); } }`

Before going over the code, we'll cover how proofs are carried out.

In Marlin and other proving systems, generating and verifying proofs for a given circuit requires having previously sampled a `proving key`

and a `verifying key`

, respectively. You can think of the proving key as something that homomorphically encrypts the circuit, and the verifying key as something that allows to check whether the circuit computation is correct, without having to run it entirely or decrypt it.

The need for a proving/verifying key-pair for every circuit is an inconvenience, since in a setting like the Aleo blockchain there could be thousands of programs (which are ultimately circuits); executing or verifying any of them would require knowledge of these keys that the program's owner generated. This prompted the need for an agreed-upon, deterministic way of deriving these keys, which is the entire point of `Marlin`

as a proving system.

In `Marlin`

, all proving and verifying keys are deterministically derived from a so called Universal Structured Reference String (SRS), sometimes also called Common Reference String (CRS). This Universal string is generated in a `Universal Setup`

, a scheme in which lots of different people contribute to the SRS. It's crucial that multiple people participate, since this process is essentially nothing more than sampling a (huge) random value, which the SRS is derived from. In a sense, the SRS is like a global public key for every circuit created over it, derived from some private key. Knowledge of this private key allows anyone to forge proofs at will, so it needs to be a secret to everyone in the system.

Back to our code, the first thing we do is sample a universal SRS for our system. In a context like Aleo, this would have already happened and the SRS would be a public value already known to us. The `universal_setup`

function takes a bunch of arguments that control the maximum number of constraints and variables any circuit derived from it can have. Here we keep the values low, but in a real world scenario they would be huge.

With our SRS, we instantiate our circuit and call the `index`

function, passing the `universal_srs`

in addition to our circuit to derive our proving and verifying keys. The reason it's called `index`

goes back to the Marlin paper, but it refers to the key sampling.

Having our keys, all it takes to produce a proof is calling `prove`

passing the `proving_key`

, our circuit and a source of randomness. To verify it, in addition to the `verifying_key`

, our circuit and a source of randomness, we pass a list with the public inputs for the circuit. The `verify`

function will return a `Result<bool>`

.

## Deeper dive into Marlin

In the preceding section we swept under the rug a very important part of the code, namely these three imports:

`#![allow(unused)] fn main() { type MultiPC = MarlinKZG10<Bls12_381, DensePolynomial<Fr>>; type FS = SimpleHashFiatShamirRng<Blake2s, ChaChaRng>; type MarlinInst = Marlin<Fr, MultiPC, FS>; }`

The `Marlin`

struct used for proving and verifying has three generic types which have to be provided when instantiating it:

`#![allow(unused)] fn main() { pub struct Marlin<F: PrimeField, PC: PolynomialCommitment<F, DensePolynomial<F>>, FS: FiatShamirRng> }`

Let's explain what they are. At a high level, `Marlin`

is composed of three distinct parts:

- A Polynomial Interactive Oracle Proof (PIOP), a way of constructing a polynomial for our proof of the computation (i.e. our circuit/R1CS) and a protocol for interactively verifying it.
- A Polynomial commitment scheme, a method for commiting to the polynomial above without revealing it to the verifier, while allowing them to prod into it a bit to convince them that it is correct.
- A source of true randomness required by the
`Fiat-Shamir heuristic`

, which is a way of turning the interactive verification protocol defined by the PIOP into a non-interactive one. This is really important, as without it verification would require live communication between prover and verifier.

Of these three things, the `Marlin`

struct allows us to choose different implementations of the last two. The PIOP is fixed, but the choice of polynomial commitment scheme and source of randomness for `Fiat-Shamir`

can be chosen; that's what the `PC`

and `FS`

generic types are for. The `F`

one is simply the choice of finite field, required by the `PolynomialCommitment`

scheme choice, which uses elliptic curve cryptography underneath.

For our example, we are using polynomial commitment and Fiat-Shamir `rng`

implementations given by Arkworks. `MarlinKZG10`

is a version of the popular `KZG`

commitment scheme; other common PC choices are `FRI`

or `DARK`

.