iden3: Introducing a new set of tools for mastering zkSNARKs
Recently, an association called 0KIMS was created to develop and launch a new distributed blockchainbased identity management solution: iden3.
iden3 is a very ambitious open source project which enables a new model and identity management platform with the objective to solve some of the problems and limitations current identity management solutions have, by providing: decentralized architecture, privacy of the user data, scalability on public blockchain, usability improvements, openness, etc.
The idea of this set of posts is to provide a detailed description of the project. We will also give a talk about the project at DEVCON4 which will take place from October 30 to Nov 2 in Prague (https://devcon4.ethereum.org/).
In this first post we present two new tools: “circom” and “zksnark”. These packages have been developed to work with zeroknowledge technology, which is the core of iden3.
The software package consists of a circom
circuit compiler and zksnark
, a full implementation of zkSNARKs protocol in JavaScript. Both tools can be very useful in many other projects and have many applications. In particular, they are key in decentralized identity management platforms such as iden3 where these technologies are critical to solve the user data privacy challenge and to provide the required scalability to the system.
Zeroknowledge proofs are methods by which one party (prover) can prove to another party (verifier) that he/she knows a secret without revealing any information about it apart from the fact that he/she knows it. In the last few years, these protocols have gained a lot of interest, especially in field of cryptography. In particular, the zeroknowledge protocol we have implemented, zkSNARK, was introduced in 2012, and its appeal is based on its noninteraction, meaning that interaction between prover and verifier is not required, and its succinctness, that is, that the prover can easily verify the proof within few milliseconds.
The circuit can be designed in ‘circom’ and then be used in ‘zksnark’ to create the trusted setup, generate the proof and verify it.
Circom
The circuit compiler “circom” is a programming language that simplifies the creation of complex circuits compatible with the “zksnark” JavaScript library.
The main characteristics are described below:
Templates and component based design
The language allows the representation of components using templates in the same manner that objects are represented by classes in objectoriented programming languages such as Java or C++. For instance, in circom one can create a template that defines an nbits comparator and then use it to represent many comparators in a circuit each with a different number of bits. This way, one can create a set of standard templates and reuse them in different circuits and even in other projects.
The language also allows the creation of topdown designs of complex circuits with reusable components.
Constraints and witness calculation
The output circom
consists of two elements:

A set of constraints of the form R1CS that the signals must satisfy.

A program that calculates all the intermediary and output signals given a set of specific values as input signals. This specific set of values matching the constraints of a circuit is called the witness. Calculating this witness is a necessary step before calculating a proof.
These are the normal steps that are followed in a live cycle of a circuit.
Done once per circuit.

Design of a circuit with ‘circom’.

Compilation of the circuit.

Usage of the compiled circuit to run the trusted setup. The result is a proving key and a verification key. ‘zksnark’ JavaScript library is used to do this step.
Done each time a proof is generated.

Calculation of the witness. One of the outputs of
circom
is a code to calculate the output and all the intermediate signals for a given input (witness). In this step we use this generated code to calculate all the signals for a given input. All the signals will satisfy the constraints of the circuit. 
With this witness and the proving key a proof is generated.
Done when a proof needs to be verified.

Verification of a proof given a public input, an output and a verification key.
It is important to note that if the proof is valid, it implies that whoever generated the proof knew the whole witness. Moreover, the proof does not reveal any information about the private input nor the rest of the intermediate signals, so this is why the protocol is considered a zero knowledge proof.
zkSnarks JavaScript implementation
This second repository, called ‘zksnark’, contains a full implementation of zkSNARK schemes in JavaScript. In particular, it provides the creation of a trusted setup (although no multiparty ceremony is implemented yet), the generation of proofs and verifications of proofs.
This library avoids the dependencies of libsnark and it also allows the creation and verification of proofs from the browser, bringing this technology closer to the end user.
One has to keep in mind that JavaScript does not have the optimal performance characteristics C language has, specially when dealing with big numbers. Nevertheless, the recent introduction of native BigNum support in the latest versions of JavaScript (so far, Node10 and Chrome) brings the level of performance high enough for most practical cases.
In fact, the current version of the library makes uses of the native BigNum when available. We are also studying using webAssembly in the near future to improve the performance without losing the portability.
Status of the project
This technology is key to bring the idea of “privacy by design and by default” to the upcoming set of applications that will constitute the new internet we are building together. So, from here we are making a call to the community to help and support this library to bring zero knowledge proofs to the mainstream.
The project is in a very early stage, but we believe it to be very useful in many other projects. That’s why we accelerated its release. We expect that the open source spirit of the project will give us feedback and contributions from many other teams that find this work useful.
Links
For more technical details, please take look at our github repositories and start using the libraries today.
Circom: https://github.com/iden3/circom
zkSNARK: https://github.com/iden3/zksnark
Iden3 web page: https://iden3.io
Follow us also on twitter: @Identhree
Other interesting links:
Original zkSnarks paper: https://eprint.iacr.org/2017/013.pdf
ZCash: https://z.cash/
Vitalik post: https://medium.com/@VitalikButerin/zksnarksunderthehoodb33151a013f6
Libsnark: https://github.com/sciprlab/libsnark