Summary of "Workshop: Verifying zk-SNARK Proofs (Circom & Noir) on Starknet"
This workshop, part of the Starknet Foundation Resolve hackathon series, focuses on building and verifying zero-knowledge SNARK proofs on Starknet using Circom and the Gaga Adapter. The session provides a practical introduction, a demo, and resources for developers interested in zero-knowledge proofs (ZKPs), particularly in the context of Starknet's cryptographic environment, whose native curve differs from the one Groth16 proofs are built on.
Key Technological Concepts and Features
Zero-Knowledge Proofs (ZKPs) Overview
- ZKPs allow proving off-chain computations with private inputs, verified on-chain with minimal gas costs.
- Circuits define the computation with private and public inputs; a witness is generated to prove correctness.
- Use cases include privacy-preserving identity verification (e.g., proving citizenship without revealing a passport), private money transfers, and confidential transactions.
Circom Language & Groth16 Proving System
- Circom is a popular domain-specific language (DSL) for writing ZK circuits, commonly used with the Groth16 proving system.
- Groth16 requires a trusted setup but is highly efficient and battle-tested (used by Tornado Cash and others).
- The workshop focuses on Groth16; Plonk, which uses a universal setup but is less efficient, is mentioned as an alternative, especially with Noir.
Starknet and Curve Compatibility Challenges: Gaga Adapter
- Gaga is a critical tool that transforms Groth16 proofs (BN254 curve) into a format verifiable on Starknet’s Stark curve.
- It generates a Cairo verifier contract compatible with Starknet, enabling on-chain verification of Groth16 proofs.
- This adapter bridges the gap between Circom-generated proofs and Starknet’s verification environment.
Demo Application
- A simple age verification circuit in Circom proves a user is over 18 without revealing the exact age.
- The workflow:
- User inputs age and salt (random number) in the front end.
- Circom generates a Groth16 proof locally (using snarkjs).
- The proof is sent to Gaga, which converts it into Starknet-compatible calldata (~2000 elements).
- The converted proof is sent on-chain to a Gaga-generated verifier contract in Cairo on Starknet.
- Verification occurs on-chain, confirming proof validity with minimal gas cost.
- The demo is deployed on Sepolia testnet and uses Ready wallet for interaction.
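The age check from the demo, written out as an added Circom circuit (not code from the workshop repository). It assumes circomlib's comparator, bitify and Poseidon templates and an 8-bit age; binding the salt and age into a public commitment is my assumption about how the salt is used, since the summary does not say.

```circom
pragma circom 2.0.0;

// Added example: proves age >= minAge without revealing age.
// Assumes circomlib is installed alongside this file.
include "circomlib/circuits/comparators.circom";
include "circomlib/circuits/bitify.circom";
include "circomlib/circuits/poseidon.circom";

template AgeCheck(bits) {
    signal input age;         // private: the user's real age
    signal input salt;        // private: random blinding value
    signal input minAge;      // public: threshold, 18 in the demo
    signal output commitment; // public: Poseidon(age, salt), assumed design

    // Range check: GreaterEqThan is only sound when both inputs
    // are below 2^bits; a field element that wraps around would
    // otherwise satisfy the comparison with a bogus age.
    component ageBits = Num2Bits(bits);
    ageBits.in <== age;
    component minBits = Num2Bits(bits);
    minBits.in <== minAge;

    // The statement being proved: age >= minAge.
    component ge = GreaterEqThan(bits);
    ge.in[0] <== age;
    ge.in[1] <== minAge;
    ge.out === 1;

    // Bind the private age to a public value the verifier can
    // later match against a stored commitment; the salt keeps
    // the small age space from being brute-forced from the hash.
    component h = Poseidon(2);
    h.inputs[0] <== age;
    h.inputs[1] <== salt;
    commitment <== h.out;
}

// minAge is a public input; age and salt stay private witness values.
component main {public [minAge]} = AgeCheck(8);
```

Compile with circom and run the snarkjs Groth16 flow (trusted setup, witness, proof) as the workshop scripts do; the proof then goes through Gaga for Starknet calldata.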
Project Setup and Tooling
- The workshop provides a GitHub repo with:
- Circuits folder and age verification circuit.
- Scripts for trusted setup, proof generation, verifier generation via Gaga, deployment, and front-end integration.
- Instructions for deploying on Starknet testnets, including account setup and RPC configuration.
- Important libraries and tools include:
Additional Topics Discussed
- Trusted setup vulnerabilities: mitigated by multi-party computation (MPC) where many participants contribute randomness, making it secure if at least one party is honest.
- Differences between SNARKs and STARKs:
- SNARKs (Groth16) rely on elliptic curves and trusted setup but support zero-knowledge with private inputs.
- STARKs use hash-based polynomial commitments, are post-quantum secure, and do not require trusted setup, but zero-knowledge STARKs are not yet widely available.
- Noir vs Circom:
- Privacy applications like Tornado Cash and Privacy Pools, with distinctions between privacy (mixers) and confidentiality (hiding amounts but revealing sender/receiver).
Resources and Documentation