►
Description
In this ConsenSys workshop, join Gautam Botrel as he walks you through the basics of gnark, a zero knowledge proof library. This includes:
Get a high level overview of what are zkSNARKs and how to use gnark
Write a simple zkSNARK circuit: assert(hash(secret) == h)
Use that circuit, off-chain, to create a proof
Use that circuit, on-chain, to verify the proof
Watch on Crowdcast:
https://www.crowdcast.io/e/consensys-workshop-prove-knowledge-secret-gnark
Visit us on the web: http://www.consensys.net
A
Welcome
everyone
to
another
consensus,
cypherpunk
hackathon
workshop
today
we
have
gatum
going
over
prove
knowledge
of
a
secret
using
gnark.
If
I'm
saying
that
right,
gary
gnome
gnar
the
zk
snark,
that's
right,
so
just
a
quick
housekeeping
around
crowdcast.
This
is
the
platformer
we're
using
today.
On
the
right
hand,
side
we
have
the
chat
area,
which
you
can
of
course
have
conversation
there
we'll
keep
an
eye
on
that.
I'll
keep
an
eye
on
that.
A
A
It
will
be
an
easier
way
for
us
to
know
that
you
have
a
question
and
then,
when
that
happens,
we
can
also
allow
you
to
come
on
stage
and
ask
the
question
yourself
if
you'd
like
to
interact,
sometimes
that's
a
great
way
to
kind
of
have
more
of
a
conversation
around
your
question
and
if
you
start
to
type
the
question
you
put
a
question
mark
in
the
chat
area
and
then
you
wait
to
hit
return.
A
The
other
thing,
that's
the
benefit
of
adding
to
the
queue
is
that
I
can
also
record
that
specific
answer
to
that
question
so
that
later
you
can
replay
just
you
can
kind
of
go
through
and
see
where
those
questions
were
answered.
Of
course,
speaking
of
that
this
is
available
for
replay
almost
immediately
after
the
broadcast.
At
the
exact
same
link,
all
the
workshops
are,
as
a
matter
of
fact,
to
make
it
nice
and
convenient.
A
A
Of
course,
please
join
us
on
the
consensus,
hackathon
2021
channel,
that's
where
we'll
repost,
all
the
replays,
all
the
links,
all
the
good
stuff
from
these
workshops
as
well
as
you
can
still
rsvp
for
upcoming
workshops.
I
know
we're
getting
close
to
the
end
of
the
month,
but
we
do
have
a
few
more
and,
of
course,
we'd
love
for
you
to
sign
up
for
the
actual
hackathon,
which
is
june
7th
through
11th
and
there's
a
sign
up
form
at
the
at
the
shiny,
green
link.
A
There
it's
on
our
confluence
page,
if
you
have
an
idea
and
a
team
or
if
you
need
a
team
for
your
idea
or
if
you
just
want
to
jump
on
a
team
to
hack
out
an
idea
during
that
week,
we
can
help,
get
that
sorted
for
you
and
also
minimum
requirement
for
our
teams,
just
because
it
was
short
notice,
and
we
know
a
lot
of
people
are
tough
on.
Time
is
two
people.
A
So
really
you
can
have
a
team
two
people
and
you're
really
good
to
go
and
there's
some
great
prizes
to
win.
So
I'm
shay
and
without
further
ado
I'll
hand
the
mic
over
to
the
time.
B
All
right,
thanks
for
the
intro,
so
quick
intro
of
myself,
I've
been
with
consensus.
Now
I
think.
Almost
four
years,
the
last
two
years
I've
been
working
on
the
gnar
project,
which
is
a
zika
snack
library
and
I'm
particularly
interested
in
how
to
use
zika
snark
on
ethereum
to
improve.
B
So
the
goal
of
this
talk
is
to
kind
of
take
a
bit
more
time
than
previous
talk
we
did
to
to
explicit.
Why
is
the
case
now
are
very
interesting
for
blockchain
and
ethereum
in
particular,
and
then
to
see
how
to
concretely
use
a
library
that
we
develop,
which
is
not
to
to
implement
circuits
and
to
verify
that
on
chain
in
a
solidity,
smart
contract,
so
the
first
part
is
kind
of
going
to
go
into
an
overview
of.
B
And
finally,
we
have
a
slide
just
to
not
make
like
the
title
of
the
presentation
and
to
to
see
how
to
actually
use
that
something
all
right.
So
I'd
like
to
express
this
as
a
problem
that,
as
was
presented
in
other
workshops,
I
think
it
was
an
etlm
tube
workshop.
B
What
we
want
to
do
is
the
blockchain
to
be
secured,
centralized
permissionless
and
censorship
resistant
and
whatnot,
and
we
want
to
transact
on
that,
but
we
are
really
not
happy
and
about
the
transaction
throughput.
So
we
want
to
do
more
than
five
or
ten
transactions
per
second,
and
also
it's
probably
not
a
very
good
idea
to
broadcast
all
the
private
data
on
a
public
network.
B
So
the
strategy
here
to
to
put
that,
in
other
words,
is
to
ensure
the
computational
integrity
of
the
state
transition
function,
all
the
actors,
so
many
actors
on
the
network
is
going
to
execute
the
exact
same
computation
and
obviously
it
has
some
issues
because
it's
slow
and
you
have
to
wait
for
the
last
one
and
also
because
you
want
to
execute
the
computation.
B
B
B
This
is
going
to
guarantee
them
with
overwhelming
probabilities,
that
sort
of
described
and
the
second
property
that
we
are
interested
in
and
it
comes
from
the
zika
part
of
the
case
snack,
which
is
called
zero
knowledge,
is
that
this
proof
can
actually
part
can
hide
part
of
the
inputs
and
that's
a
much
stronger
properties
than
conventional
encryption
where
you
encrypt
the
input,
but
the
inputs
still
go
encrypted
on
the
network.
B
Here's
inputs
don't
even
go
on
the
network,
they
are
completely
omitted
from
the
network
and
that's
what
makes
them
very
unique
in
that
respect
so
to
to
talk
about
what
are
the
case
now
understood,
I'm
going
to
make
a
small
detour
and
sorry
if
there
are
cryptographers
in
the
audience.
This
is
very
high
level.
Don't
hate
me,
I'm
going
to
make
a
lot
of
imprecision
and
approximation
onto
that.
B
B
This
is
not
a
valid
signature
and
the
whole
signature
scheme
in
between
the
proving
and
the
verifying
of
the
signature
is
basically
just
a
specific
mathematical
statement
and-
and
the
statement
says
somehow
here
is
my
proof
of
knowledge
that
I
know
this
categorism
of
a
point
so
again
not
going
to
go
into
too
much
detail,
but
just
to
say
that
the
signatures
that
you
see
everywhere
is
a
proof
of
knowledge,
but
it
doesn't
match
the
description
of
the
zika
snack
per
se,
and
I
will
go
into
more
detail
into
that
on
the
following
slide.
B
So
now
why
I
introduced
that
through.
That
is
that
with
zk
snarks
you
can
actually
encode
any
and
many
of
these
mathematical
statements
into
circuits
and
by
that
instead
of
ali,
is
just
proving
that
she
knows
the
discretionary
point.
She
can
also
prove
that
she
knows
the
input
of
a
hash
function
or
that
she
knows
a
solution
to
an
equation
or
any
kind
of
mathematical
statement
that
you
want.
B
Typically
in
typography
and
blockchain,
we
are
interested
in
things
like
she
can
prove
that
she
verified
the
signature
of
chain
and
verify
it
onto
him,
or
she
can
prove
that
a
miracle
proof
is
valid
and,
what's
even
more
interesting
is
you
can
actually
combine
all
of
this
into
a
single
proof
and
into
a
single
circuit.
So
it's
much
more
general
than
signatures
in
a
sense,
and
it
has
also
interesting
properties
on
success,
and
I
will
go
to
that
on
blockchain
stuff.
B
So
the
example
I
want
to
use
here
to
to
finish
this
introduction
is:
let's
assume
that
you
want
to
prove
that
the
instagram
transaction
went
correctly
and
by
eternal
transaction
I
mean
that
alice
wants
to
send,
say:
10
is
here
to
to
bob
and
to
do
that.
Typically,
on
the
network,
you
do
have
to
check
that
easily.
We
have
to
check
that
the
balance
of
alice
is
enough
and
do
this
transaction,
but
she
also
has
to
the
the
network.
B
Node
also
has
to
check
that
the
transaction
is
properly
formatted
and
the
signature
is
the
one
of
alice
and
she
actually
owns
the
account
and
so
on
before,
and
if
we
wanted
to
do
that
in
the
slack,
what
we
would
do
ultimately
and
what
we
will
see
on
the
blockchain
is
alice
sent
to
bob
the
state
of
the
blockchain
before
the
state
after
a
transaction,
and
she
sends
this
proof.
That,
basically,
is
this
three
elliptic
curve
points.
B
So
you
pick
three
points
on
the
curve
to
bob,
and
bob
is
going
to
use
this
point
to
convince
himself
that
the
transaction
is
valid.
And,
admittedly
this
is
a
very
high
level
view
of
the
thing,
but
what's
mind-blowing
about
that
is,
if
alice
decided
not
to
send
only
one,
but
one
thousand
is
transferred
to
sorry
to
prove
the
execution
of
not
only
one,
but
one
thousand
different
is
transfer
the
proof
size
and
the
verification
size
is
the
same.
B
So
the
first
s
in
zika
snark
is,
is
succinct
and
that's
a
very
powerful
compression
technique,
because
you
can
basically
do
a
lot
of
computation
of
chain
and
the
way
to
verify
that
function
is
always
going
to
be
short
and
small
and
neat,
and
that's
the
basis
of
something
that
most
of
you
probably
heard
about,
which
are
zika
roll-ups,
where,
basically,
you
will
have
an
operator
operating
nodes
outside
of
the
layer,
one
of
side
of
the
main
ethereum
blockchain.
B
He
can
aggregate
a
lot
of
transactions
and
then,
instead
of
posting,
all
this
transaction
and
all
the
states
relating
to
that
on
the
main
net
he's
just
going
to
push
the
post
to
publish
a
proof
on
a
smart
contract.
On
the
mainnet
saying
I
did
in
fact
process
this
transaction
here
is
the
state
before
easier
state.
After
this
more
or
less,
you
have
some
details
and
variation
of
pull-ups
on
all
this.
B
B
A
And
get
some
before
you
continue
just
real
quick.
So
if
there's
any,
if
you
have
any
links
in
your
slide
deck
or
anything
for
what
you're
going
through,
is
it
possible
for
you
to
post
those
into
the
chat
just
for
people
as
it
comes
up?
I
don't
know
if
you
have
any
just
wanted
to
remind
you
just
so
that
they
can
follow.
B
B
All
right
so
under
the
wood,
what
do
we
need
to
understand
to
actually
kind
of
know
what
we
are
talking
about
when
we
say
we
are
going
to
implement
a
zika
accelerator
to
a
zika
soundproof,
so
I'm
not
going
to
go
into
how
the
mathematical
scheme
works,
but
we
have
some
slides
on
that.
If
you
are
curious,
we
are
happy
in
the
question
session
too.
B
B
The
main
idea
that
you
have
to
keep
in
mind
is
you
are
going
to
write
a
program
which
is
your
mathematical
statement
that
I,
as
I
mentioned
it,
few
slides
earlier,
for
example,
in
your
program
you
can
say:
hey,
let's
verify
that
my
transaction
is
valid,
that
my
ash
is
valid,
that
my
marker
proof
is
valid
or
or
that
no
question
is
valid
or
that
the
balance
from
alice
accounts
to
bob
account
is
matching
some
rules,
and
this
program
is
encoded
into
a
graph,
and
the
graph
is
what
you
see
here
on
the
right
side
of
the
slide,
where
each
of
the
operations
are
going
to
be
gates
and
each
of
the
inputs
are
going
to
be
nodes.
B
B
You
have
this
type
of
circuit
presentation,
which
is
a
graph.
You
have
numbers
everywhere,
you
build
some
polynomials
and
you
want
to
prove
that
you
know
the
polynomial
a
polynomial
here
and
you
have
different
ways
of
doing
this
knowledge.
Proof
of
I
know
polynomial
and
that's
kind
of
the
variation
that
that
goes
into
the
z
case.
Now
proof.
A
B
Two
names
of
proving
system,
as
you
can
see,
on
the
right
there
is
cross-16
and
plonk,
and
I'm
just
going
to
give
brief
intro
on
that.
So
gross
16
is
the
zk
snark
scheme,
that's
used
in
zcash
blockchain
and
the
ones
actually
that's
probably
the
most
popular
ethereum
to
to
use
the
pre-compiled
to
verify
proofs,
and
it
has
very
interesting
properties.
Proof
of
small,
the
proving
the
verifying
time
is
small,
but
it
has
an
issue
which
is
this
first
algorithm
that
I'm
going
to
mention.
The
setup
needs
to
be
done
very
carefully.
B
B
B
So
the
second
algorithm
that
you
are
usually
going
to
run
off
chain,
which
is
the
most
compute
insensitive,
is
a
proof
proving
time.
So
you
are
going
to
submit
to
a
pro
algorithm
your
program,
your
input
x,
which
is
private,
your
input
y,
which
is
public,
and
I'm
going
to
go
into
more
concrete
example
of
that
soon.
Don't
worry
just
again
to
to
keep
the
terms
and
the
project
is
going
to
put
objects
that
we
mentioned
already.
B
That
has
38
curve
point
in
it,
which
is
called
a
proof
and
what
will
happen
on-chain
again,
usually
in
a
normal
blockchain
workflow
is
the
verified
algorithm
where,
as
explicitly
here,
it
takes
a
program,
a
public
input.
The
proof
in
the
verifying
key
and
is
similar
to
signature
is
going
to
say
this
is
valid.
This
is
not
valid
and
just
to
give
an
estimate
order
of
what
takes
so
long.
B
So
the
setup
is
run
only
one
time
and
it
takes
a
lot
of
time
to
run,
but
you
don't
care
so
much
because
you
run
it
one
time.
The
proving
time
depends
on
the
number
of
constraints,
so
the
size
of
your
program
that
you
are
going
to
to
want
to
prove
and
is
the
most
computing
sensitive
task
here.
It
takes
a
lot
of
cpu
and
a
lot
of
memory,
but,
for
example,
for
zcash
transaction,
which
is
a
something
that
we
that
is
going
to
do
a
private
transaction
on
blockchain
network.
B
It
takes
about
one
or
two
seconds
on
the
mod
on
the
modern
laptop
to
generate
the
proof.
So
it's
not
that
crazy.
It's
practical
right
for
for
many
use
cases
for
rollups.
You
can
actually
batch
many
many
transactions
and
even
if
it
takes
20
minutes
to
compute
a
big
proof,
because
you
want
to
batch
proof,
50
000
transactions.
It
doesn't
matter
so
much
because
you're
going
to
put
this
50
000
transaction
on
one
single
proof
on
on
the
network
and
the
verify
algorithm
in
terms
of
performances
and
runtime
footprint
is
very
fast.
B
It's
constant
time,
but
it's
almost
constant
times
logarithmic
with
the
size
of
the
input
doesn't
matter.
Let's
say
it's
constant
time
as
it's
basically
running
a
pairing
which
takes
about
five
to
six
milliseconds
on
a
normal
laptop.
B
B
So
the
two
interesting
properties
that
I
have
there
is
dozens
of
them
on
the
crypto
level
that
are
high
level
that
we're
interested
in
the
first
one
is
computational
integrity,
and
the
key
part
here
is
to
verify
the
execution
of
a
program
it's
much
smaller
than
to
actually
execute
the
program
itself.
So
typically
for
roll-ups,
where
verifying
10
000
transactions
that
are
valid
and
putting
them
in
a
block,
could
take
you
a
few
minutes
of
cpu
time.
It
will
take
only
six
milliseconds
to
verify
that
on
the
blockchain.
B
The
second
one
is
the
zk
part,
and
when
you
check
the
previous
side,
you
have
this
notion
of
public
and
secret
inputs,
and
you
can
not,
when
the
verifier
don't
actually
need
the
private
input
to
verify
the
proof.
Everything
is
done
by
the
scheme.
So
you
you
don't
need
to
submit
your
private
private
input
and
one
high-level
metaphor:
that's
often
used
to
to
do.
B
That
is,
if
you
guys
know
about
the
probably
most
of
you
know
about
the:
where
is
waldo
book
or
game
where
you
know
you
have
this
book
with
a
lot
of
characters
and
you
have
to
find
this
guy
waldo
with
the
stripes
of
white
and
red,
and
you
want
to
prove
to
your
friends
that
you
know
where
he's
welded
on
the
page.
But
you
you
don't
want
to
give.
B
B
B
B
So
the
past
two
years
we
we
developed
a
library
in
frances
is
called
narc.
It's
written
in
go
actually
have
a
slide
on
that.
It's
going
to
be
there,
so
it's
written
in
glow.
It's
it's
very
fast!
So
it's
it's
faster
than
what's
out
there
in
the
state
of
the
art
I
think
for
for
cross,
16
and
and
we're
getting
there
for
plonk,
which
is
the
other
proving
scheme
that
I
mentioned,
developed
by
aztec
compared
to
other
zika
library
out
there
we
didn't
introduce
a
specific
language.
B
We
think
that
in
between
solidity
and
and
whatever
language
you
use
for
your
backend
and
javascript
and
and
whatnot,
you
have
enough
language,
compilers
and
tools
and
ways
to
manage
your
package
and
dependencies
that
we
don't
need
to
introduce
one
day.
Yet
we
we
may
evaluate
that
in
the
future
for
more
programmability.
But
for
now
we
are
pretty
happy
where,
where
we
are
at
one.
B
Advantages
actually
is
just
use.
Go
as
a
language
is,
you
can
do
things
like
you
know,
unit,
testing
or
benchmarking,
or
doing
package
management,
and
all
this
kind
of
good
circuits
without
you
know
having
to
implement
all
that
and
maintain
all
that
and
multiplication
and
whatnot
and
and
moreover,
you
can
also
when
you
integrate
gnar
circuit
into
your
solutions.
B
It's
kind
of
easy
to
you
know,
add
some
logging
or
some
monitoring
or
to
plug
that
behind
the
grpc
or
http
api.
You,
you
don't
need
to.
You
know,
have
a
lot
of
plumbing
to
connect
to
processes
that
run
like
in
other
libraries
and
again,
the
goal
is
to
have
a
very
simple
api,
so
you
can
easily
call
this
three
function.
Setup
proven
verify
on
on
on
your
circuit.
B
A
B
B
The
upper
layer
has
two
main
components,
one
which
is
called
the
front,
and
it
has
nothing
to
do
with
the
front
end
in
web
development.
It
says
it
is
bored
from
the
compiler
lingo,
where
content
is
actually
going
to
translate
a
program
written
in
a
language
or
with
an
api
into
a
different
representation.
So
that's
the
role
of
content,
you
you
write
a
program
in
some
language
and
we
translate
that
into
some
mathematical
representation
and
then.
B
I
have
some
links
here,
but
again
I
I
don't
have
access
to
the
chat,
but
we
we
have
a
nice
user
doc,
you
can
access
it
on
docs.consensus.net
and
we
have
a
github
repo
and
I'm
going
to
pause
that
later
on
the
chat
or
if
you
said,
maybe,
if
you're
in
the
audience
you
want
to
post
them,
please
feel
free
to
do
so.
B
All
right,
so
I
think
it's
time
to
do
some
code.
Continuous
talk,
good,
seeing
what
the
circuit
would
look
like,
so
I'm
going
to
use
an
example.
That's
used
by,
I
think,
in
vital
blog
posts
and
that's
been
taken
in
many
other
projects.
As
an
illustration,
the
idea
is,
I.
B
B
B
Constraints
and
you
are
going
to
give
inputs
to
the
constraint
and
and
the
solver
which
is
going
to
to
engineer
the
proof,
must
say
that
all
the
constraints
are
satisfied
or
some
of
them
are
not
satisfied,
in
which
case
you
cannot
create
a
valid
proof.
So
it's
a
bit
different
than
imperative
programming,
it's
more
declarative
programming
and
and
it's
it's.
A
B
Look
like,
as
I
mentioned
on
the
first
side
of
this
section,
where
you
will
kind
of
you-
can
see
graphically
this
representation
of
this
circuit,
where
you
have
x
and
here
there's
x,
missing,
but
first
you
do
x
times
x.
Then
you
use
this
result
so
x,
squared
times
x
to
compute
x,
cub,
which
will
be
here
and
then
you
add
that
and-
and
you
add
that
to
constant,
that's
five
and
you
check
the
result
step.
B
Five
last
thing
about
the
slide
that
I
need
to
mention
is:
when
you
declare
your
circuit
and
you
so
you
can
name
it.
B
So
all
this
thing,
if
you
use
other
libraries
lips
now
for
bellman
using
zcash,
that
you
have
this
nomenclature
about
assigning
instantiating
all
this
is
done
beyond
behind
the
scenes
for
you
for
in
our
library
all
right.
So
what
does
the
code
look
like
for
these
simple
circuits?
So
first
you
declare
it.
You
declare
your
circuit,
so
here
it's
actually
yeah,
it's
the
same
circuit,
so
dedicated
circuit,
you'll,
first
compile
it
with
the
front-end
package.
B
A
B
In
z,
cache,
for
example,
and
and
we
support
all
a
couple
of
other
curves
that
have
interesting
properties,
for
example,
the
enable
some
precaution
impulse,
but
we
can
get
to
that
in
the
question.
If
you
have
more
details,
we
support
two
back-end
for
now,
so
two
proof
systems.
Again.
If
you
have
more
questions,
I
can
go
a
bit
more
into
what
are
the
differences
and
when
you
run
a
compile
on
your
circuit,
it
will
output
you
this
intermediate
representation.
B
Then
you
can
use
you
go
like
your
test
files.
You
can.
We
have
a
wrapper
that
enables
you
to
test
your
circuits,
so
you
don't
have
any
specific
stuff
to
do
like
you.
Do
it
like
other
testing
framework,
you
just
create
the
input
that
you
want
to
give
to
your
circuit,
which
is
called
a
witness
and-
and
you
can
use
some
assertion
to
ensure
that
proverbs
excel
with
these
inputs
or
those
prover
failed
with
symbols.
B
B
Last
but
not
least
so
gnar
supports
exporting
the
verifying
key
into
solid
c
contract
to
verify
your
proof
on
html
blockchain.
So
it
only.
B
Eccbn
254
curve,
and
the
reason
for
that
is
that
the
only
pre-compile
that
you
bought
it
for
for
pairing
verification
on
ethereum
today
and
ideas.
You
are
just
going
to
pass
a
I
o
writer
here,
which
can
be
a
file
or
buffer
whatever
you
want
here,
when
you
have
your
verifying
key,
it's
going
to
put
you
a
standalone
solidity
file
with
all
the
code
needed
to
call
the
pre-compile
with
the
correct
inputs
for
your
contract
and
I'm
going
to
to
walk
through
an
example
a
little
bit
later
on.
B
All
right,
so
I
promise
I'm
not
going
to
go
into
the
formulas
of
that.
I
just
wanted
to
demystify
a
bit
what's
happening
behind
the
back
end,
for
example
the
zika
snacks
that
most
people
know
as
zika
snap,
which
is
the
one.
This
is
a
cache,
this
two
algorithm
that
we're
talking
about
the
proverb
and
the
very
fire
they
are
not
actually
so
so
crazy
and
moon,
mouth
or
so
complicated
to
implement
the
prover
is
basically
259
of
code
and
the
verifier
is
less
than
109
of
code.
B
B
Is
actually
quite
small,
and
just
has
this
pairing
check,
which
is
implemented
through
pre-compiling
in
a
minute
I.
A
B
The
last
slide
I
have
about
how
to
write
circuits
and
getting
started
is:
is
this
kind
of
disclaimer
on
what
you
can
actually
prove
in
circuits,
because
it's
each
time
you
see
a
presentation
or
read
a
blog
post
about
that?
It
always
starts
with
this
mathematical
function
or
things
or
very
simple
things,
and
and
sometimes
can
be
hard
to
do
gymnastics.
You
can
say
hey
my
business
logic
and
you
know
I
want
to
prove
some
something
much
more
complicated
into
myself.
B
How
do
I
do
it
and-
and
the
key
part
is,
if
you
remember
the
the
the
graph
representations
that
I
showed
your
program.
Each
edge
of
the
graph
is
a
number,
but
these
numbers
are
not
numbers
like
insta
floats,
they
are
called
field
elements
which
are
basically
big
numbers,
modular,
prime
and-
and
you
cannot
do
anything
manipulating
these
numbers.
B
Not
only
cannot
you,
you
cannot
do
float,
arithmetic
very
easily
or
entire
metic,
so
you
have
to
worry,
for
example,
about
field
overflow
and
these
kind
of
things.
So
you
really
have
to
understand
that
when
you
write
a
snark
circuit,
your
key
citizen
is
not
insist.
Not
float
is
filled.
Elements
and
some
things
like,
for
example,
doing
conditional
like
if-else
statement
like
you
are
used
to
do.
B
Basically,
when
you
are
using
a
declarative
language,
what
you
are
going
to
do
in
your
circuit,
you
are
going
to
say
if
my
predicate
is
true.
I
want
this
constraint
to
be
satisfied.
If
my
predicate
is
false,
I
want
this
constraint
to
be
satisfied
and
concretely
in
the
arithmetic
representation.
What
happens
beneath
this
is
each
constraint
is
going
to
be
instantiated
twice.
So
when
you
do
a
if-else
statement,
you
actually
multiply
your
number
of
constraints
by
two
and
you
can
do
it.
B
It's
just
good
to
know
that
when
you
do
it,
it's
it's
not
really
efficient.
To
do
that,
so
it's
better
to
have
that
in
mind.
There
are
some
stuff
also
that
are
challenges
that
we
are
working
on
and
other
projects
are
working
on
like
doing
virtual
machine
like
the
evm
is
a
virtual
machine
and
doing
that
into
a
snark,
for
example,
to
prove
it
like
transaction.
B
B
B
Mimc
is
one
ash
function
designed
to
work
on
field
elements,
and
that's
why
it
works
well
in
snarks,
and
you
see
that
similarly
signature
verification,
you
have
some
specific
signature.
Verification
algorithm,
like
edd,
says
it
works
in
snaps
and
others
that
don't
and
again
the
idea
is
not
that
you
cannot
do
the
others.
It's
just
that
the
number
of
constraints
and
the
size
of
your
program
and
arithmetic
representation
is
going
to
be
so
big
that
it's
not
going
to
be
very
efficient
to
actually
do,
for
example,
256
in
a
smart
circuit.
B
And
now
that
again
there
are
things
like
plonk
and
and
custom
gates,
and
things
like
this
is
going
to
improve
on
that,
but
yeah
just
again
something
to
keep
in
mind
and.
A
B
I've
concluded
that,
where
is
the
community
at
right
now
on
that
is,
I
would
say,
the
ground
for
most
project
is
to
come
up
with
a
this
thing,
called
zika
roll
up
where
what
you
want
to
do
is
you
want
to
write
a
solid
second,
smart
contract,
say
or
in
a
certain
language,
and
you
want
your
rollup
to
actually
prove
proofs
that
your
contract
is
valid.
B
You
need
to
be
able,
in
the
snark
circuit,
to
verify
all
the
snaps,
which
is
called
thinking,
snarks
and
and
that's
quite
powerful,
and
if
you're
interested
into
that,
we
can
give
you
some
pointers
to
project
like
mina,
for
example,
which
has
a
world
blockchain,
which
is
basically
the
idea.
It's
blocked
constrained
a
zero
which
proof.
That's
verified
the
serial
number
for
the
previous
block
and
so
on
and
forth
and
and
so
the
the
final
block
only
has
basically
one
theoretical
saying
all
the
blockchains
value
all
right
last
slide.
B
B
Using
now,
can
I
actually
have
a
repo,
a
github
repo
pencil,
sweet
solution
on
that,
but
just
going
to
write
to
the
point
so
to
prove
a
secret
on
a
blockchain.
What
you
can
do
is
you
can
pick
a
secret
of
chain
right
and
you
can
create
a
hash
of
the
secret,
so
we
are
going
to
use
m-I-m-c
as
this
hash
function,
as
I
mentioned,
because
it's
much
more
efficient
to
do
in
zika,
smart
circuit,
so
you
do
that
of
chain.
B
So
often
you
have
your
secret
and
your
ash,
and
what
you're
going
to
publish
on
chain
is
just
the
hash
of
this
secret,
so
nobody
can
learn
anything
from
the
ash
of
the
second.
Nobody
can
deduce
your
secret
once
you
have
that
your
circuit
is
just
going
to
assess
that
you
know
how
to
compute
the
hash
of
a
private
input,
which
is
called
secret,
such
that
the
result
equals
that
is
public
and
the
workflow
is.
I
mentioned.
B
The
first
thing
you
are
going
to
do
is
you
are
going
to
run
setup
that
are
going
to
generate
a
key
pair
pulling
the
key?
Then
you
export
this
verifying
key
to
a
3d
smart
contract,
and
then
you
compute
and
verify
the
proof
so
from
there.
I
think
so.
I
can
just
quickly
give
you
a
walk
through
the
solutions
and
we
can
have
some
time
for
q.
A
let
me
see.
Can
I
click
on
that
amazing?
A
B
Just
before
going
to
that
again,
please
check
the
the
link
of
the
doc.
We
have
a
dog,
that's
that
has
a
lot
of
examples
and
and
go
through
some
concepts
that
I
just
mentioned
into
a
bit
more
detail
about
what
are
the
keys
now,
what
are
the
properties
and
so
on?
It's
it's
very
interesting.
B
B
Is
very,
very
simple:
you
we
have
a
component
into
gnar
that
is
going
to
cause
a
function
for
you.
So
basically
you
just
say.
I
want
to
assure
that
my
the
result
of
my
muemc
hash
call
on
my
secret
equals
to
the
hash
results
that
I
provided
and
that's
it
that's
all
you
need
to
do
and
what
the
verifying
key
in
solidity
looks
like.
Is
this
large
solidify
the
first
one
is
a
pairing
library
which
is
you
can,
which
is
standard
one?
We
didn't
implement
it
right.
It's
we
have
the
copyright
here
on.
B
Who
did
that
and
and
it's
it's
basically
just
a
wrapper
on
the
pre-compile
tool
to
call
the
pairing
appliance
elliptic
curve
on
ethereum.
So
if
you
assume
that
we're
going
to
need
to
call
that
the
contract
that
is
generated
by
gnark
is
called
the
verifier-
and
it
has
a
bunch
of
information
here
which
are
derived
from
the
verifying
key,
don't
need
to
go
into
the
table.
They
are
just
elliptic
of
points
that
we
need
to
go
and
tell
any
points.
B
Then
it
has.
This
function
called
verify
proof
where
you
are
going
to
to
provide
your
proof.
So
your
proof,
a
b
and
c
here
are
the
curve
points
for
the
proof
and
the
input
is
your
ash
that
you
need
to
provide
and
I'm
going
to
show
you
how
that
looks
like
in
go.
I
think
I
have
the
oh
yeah,
it's
in
the
main,
it's
the
main
file,
so
I
used
because
I
didn't
want
for
potential
demo
to
have
too
many
moving
pieces.
I
just
used
something.
A
B
Most
of
some
of
you
probably
know
about
it's
called
me:
okay,
it's
a
simulated
bacon,
bacon
from
death.
So
it's
it's
a
fake
blockchain,
but
that
does
everything
with
the
execution
engine.
What
it
does
is
create
a
simulated
backend
effect
blockchain.
It
deploys
the
valid
failure,
so
the
solidity
smart
contract
on
the
blockchain
and
that's
it.
So
there
is
no
too
much
fancy
part
happening
on
blockchain
and
the
main
flow.
B
B
Then
you
are
going
to
create
your
proof.
So
the
first
step
is
you
have
this
witness
where
you
have
to
sign
your
your
public
input
ash
and
your
secret
input,
which
is
the
secret
which
is
picked
here?
You
create
the
proof
with
the
pro
16
api.
You
verify
just
to
be
sure
that
the
proof
is
valid
right.
It's
not
mandatory
to
do
that.
B
It's
happening
of
chain
and
then
the
most
annoying
part
I
would
say
about
solidity-
call-
is
to
be
able
to
serialize
your
proof
in
in
the
right
format,
and
for
that
I
I
did
a
bit
of
documentation
here
to
explain
what
solidity
expects
as
my
contract
input,
but
basically
the
proof
sterilization
is
standard,
almost
between
all
libraries
and
solidity
and
and
what
we
have.
So
the
order
of
the
point
in
the
proof
is
the
same.
B
So
you
just
need
to
serialize
the
proof
with
our
api
and
then
you
will
pick
each
coordinate
of
each
point
to
the
proof
to
set
the
inputs
of
the
3d
smart
contract
and
that's
how
you,
you
transmit
the
proof
to
the
solution
right
now.
If
you
do
that
in
another
language
like
javascript
or
rust
or
java,
you
have
to
to
to
do
that
with
different
apis.
B
A
B
B
All
right,
so
I'm
going
to
drop
on
the
call,
I
think,
show
your
time.
I
can
come
up
with
that.
Thank
you.
Everyone
for
attending.