DEV Community: Peter Horvath

Niftyzk Tutorials 5 - CosmWasm

Peter Horvath — Sat, 11 Jan 2025 04:41:37 +0000

This tutorial is the continuation of the series to explain Niftyzk for ZKP development and you should check out the previous tutorials to understand everything that’s going on here.

in Tutorials 4, we completed a Phase-2 ceremony for Groth-16 proving system, now we will continue that and export a CosmWasm contract

Previous tutorial

First, to export a cosmwasm contract, you will need a verification_key using niftyzk vkey and the unit tests need to pass.. You don’t need to finalize the circuits to create a verifier contract from it, however you will need to reexport your contract after finalization to match the new verification key.

Usage: niftyzk gencontract [options]

Generate a cosmwasm verifier smart contract

Options:
  --circuit        The full name of the circuit file to use. Defaults to circuit.circom
  --ark            Use the Arkworks Groth-16 verifier implementation
  --bellman        Use the Bellman Groth-16 verifier implementation
  --overwrite      If a contract directory already exists, you are required use this option to overwrite
                   it.
  --folder [name]  Specify the name of the generated contract's folder
  -h, --help       display help for command

The niftyzk gencontract command accepts the above arguments. You can specify the name of the circuit if your using one with a different name. The --ark and --bellman allows you to select a Rust library and the --folder [name] lets you name the folder where you export the contract to. If the folder exists already, you need to explicitly overwrite it with the --overwrite flag.

Let’s export a contract now from a compiled circuit.

$ niftyzk gencontract --ark --folder contract
Writing .cargo/config.toml
Writing Cargo.toml
Writing .gitignore
Writing src/lib.rs
Writing src/msg.rs
Writing src/contract.rs
Writing src/verify.rs
Done

You need to have rust installed. To compile the contract, the rust compiler backed must be installed: rustup target add wasm32-unknown-unknown and then run cargo test inside the directory, that will install the dependencies and runs the generated tests.

Build the contracts using cargo wasm and if you have installed cosmwasm-check with cargo insall cosmwasm-check you can verify that these are valid cosmwasm contracts cosmwasm-check ./target/wasm32-unknown-unknown/release/contract.wasm

now we verified that the contracts are correct. Let’s see what we got in the source code.

src/lib.rs is the entry point of our contract and /src/contract.rs contains the implementations. The zkp verification is found inside src/verify.rs

You are free to modify all code however if you change the inlined parameters your verification will fail.

To trigger the smart contract, you call the Query function with a VerifyProof message.
For the accepted proof format see the lib/contract.rs unit test test_verify

The proof_str variable is a json string that is serialized directly from the snarkjs groth16.fullProve proof , while the pub_input_str is the stringified publicSignals variable. Using it is pretty straight forward, which is the benefit of choosing Arkworks implementation. However while easy to use, the Arkworks library is not fully audited.
See the documentation to learn more:

arkworks.rs

arkworks github source code

Bellman

The Bellman library was originally developed for ZCash by Matter Labs and we are importing the DoraFactory fork, the old version has been archived.

$ niftyzk gencontract --bellman --folder secondcontract         
Writing .cargo/config.toml
Writing .gitignore
Writing Cargo.toml
Writing src/lib.rs
Writing src/msg.rs
Writing src/parser.rs
Writing src/types.rs
Writing src/verify.rs
Writing src/contract.rs
Writing lib/adapter.js
Done

We generate a new contract inside the secondcontract directory and as you can see there are more things going on. It not only created a new contract directory with the rust code, but added a lib/adapter.js file to our lib!

The Bellman library uses uncompressed vkey and proofs which are in a different format.
Let’s see the adapter.
lib/adapter.js

/**
 * The verification key adapter transforms the verification key into a format usable by the Bellman_ce based verifier
 * @param {string} verification_key_string - The verification_key.json as a string
 * @returns {string} uncompressed_vkey - Returns an uncompressed version of the verificaiton_key.json which can be parsed inside the rust verifier contract
 */
export async function verificationKeyAdapter(verification_key_string);

You need to adapt the verification key for use, this was done for you by the code generating process and the adapted vkey is inlined into the rust code.

/**
 * The proofAdapter adapts proofs generated with snarkjs into a format parsable by a bellman verifier.
 * Use this function on the front-end, to adapt proofs generated by the client for on-chain use
 * @param {string} verification_key_string - The contents of the verification_key.json as a string
 * @param {string} proof_string - The snarkjs generated proof as a string
 * @returns {string} - Returns the adapted proof to use inside rust bellman verifier
 */
export async function proofAdapter(verification_key_string, proof_string);

The proof adapter is a function you will need to use on the client or server after you have created the proofs and want to call a smart contract with them.

If you check out the tests in src/contract.rs you will see an example of a adapted proof string and a adapted public input string.

The bellman library is more mature and recommended to use over the arkworks implementation, you should evaluate which fits your use-case better.

You can again run cargo wasm and use cosmwasm-check ./target/wasm32-unknown-unknown/release/contract.wasm

Once you have verified the contracts are valid they are ready for deployment.

I hope you like niftyzk and the tutorial series and keep on building!

Niftyzk tutorial 4 - Ceremony

Peter Horvath — Sat, 11 Jan 2025 04:28:13 +0000

In this tutorial, we will create a circuit, compile it and then deploy our ceremony server on a VPS to accept anonymous contributions. After this we will finalize the circuit and export the final Verification key

Let’s run niftyzk init projectname to create a new project

Creating a new directory with name projectname
? What project do you want to scaffold? Commit-Reveal Scheme
? Choose the hashing algorithm to use:  poseidon
? Do you wish to add tamperproof public inputs? (E.g: walletaddress):  no
Generating circuits
Generating javascript
Done
Run npm install in your project folder

So run npm install and let’s download the ptau files

niftyzk ptaufiles , we are going to grab a smaller file for our commit-reveal scheme

? Select a ptau file to download powersOfTau28_hez_final_14.ptau
Connecting to download powersOfTau28_hez_final_14.ptau
Starting to download 18.08 MiB
downloading [====================] 100% 0.0s

Now just run niftyzk compile and select the ptau file, so far so good.

Now run git init and do a git add .

If you check git status You should see:

$ git status
On branch master

No commits yet

Changes to be committed:
  (use "git rm --cached <file>..." to unstage)
    new file:   .gitignore
    new file:   circuits/circuit.circom
    new file:   circuits/commitment_hasher.circom
    new file:   circuits/compiled/circuit.r1cs
    new file:   circuits/compiled/circuit.sym
    new file:   circuits/compiled/circuit_js/circuit.wasm
    new file:   circuits/compiled/circuit_js/generate_witness.js
    new file:   circuits/compiled/circuit_js/witness_calculator.js
    new file:   circuits/compiled/zkeys/circuit_0000.zkey
    new file:   lib/index.js
    new file:   package-lock.json
    new file:   package.json
    new file:   readme.md
    new file:   test/index.test.js
    new file:   test/input.js

These are the files that were created during the scaffold and compilation. You can see the circuits/compiled directory contains all the artifacts outputted by the compiler and there is the zkey which will be used for contributions during the ceremony. The ptau files are not commited due to their size but you can always just download them again.

Let’s commit the files

$ git commit -m "initial commit"
[master (root-commit) 946c8e7] initial commit
 15 files changed, 7212 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 circuits/circuit.circom
 create mode 100644 circuits/commitment_hasher.circom
 create mode 100644 circuits/compiled/circuit.r1cs
 create mode 100644 circuits/compiled/circuit.sym
 create mode 100644 circuits/compiled/circuit_js/circuit.wasm
 create mode 100644 circuits/compiled/circuit_js/generate_witness.js
 create mode 100644 circuits/compiled/circuit_js/witness_calculator.js
 create mode 100644 circuits/compiled/zkeys/circuit_0000.zkey
 create mode 100644 lib/index.js
 create mode 100644 package-lock.json
 create mode 100644 package.json
 create mode 100644 readme.md
 create mode 100644 test/index.test.js
 create mode 100644 test/input.js

Go over to your favorite git hosting solution, I’m using github but you can use whatever you want and push the repository. We will clone it to a VPS later, but you can also copy the whole directory there manually, that’s up to you.

The repository is here for reference:

https://github.com/NiftyZk/projectname

Manual Deployment

For the VPS, I’m creating a Hetzner server. You can use any hosting solution, or even self-host on a raspberry pi. You will need SSH to log in. We will configure Nginx and even configure a domain using namecheap.

On console.hetzner.cloud I created a 2VCPU, 4 GB Ram X86 VPS for €4.11/month running Ubuntu, and configured it with my SSH keys. If you are new to SSH you should invest some time to learn about it.

ssh root@serverip

So I’m connecting to the remote VPS I created with the SSH client, I’m connecting as root as there are no other users configured. You can configure that for yourself, it’s out of scope for now for showcasing the ceremony.

sudo apt update

sudo apt upgrade

sudo apt install nginx

We install snap for certbot

sudo apt install snapd

sudo snap install --classic certbot

sudo ln -s /snap/bin/certbot /usr/bin/certbot

sudo certbot --nginx

You should configure your domain to have an A record with host @ pointing to the IP of your VPS for certbot to issue the certificate. Your DNS changes will take time to propagate but if you did everything well, the IP address should already show NGINX is running.

Next we are going to install nodejs using the official docs
https://nodejs.org/en/download

curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.1/install.sh | bash

This installs nvm and you might need to restart the ssh session after installation. Install a new node version using nvm

nvm install 22

We are going to install pm2, this will help keep the ceremony server open when the ssh session is closed.

npm install -g pm2

pm2 startup systemd

Clone the repository we created earlier using Git to your home directory and don’t forget to install niftyzk

npm install -g git+https://github.com/NiftyZk/niftyzk.git

Next step is to configure nginx to proxy the port 3000 to 443 SSL and upgrade all non-SSL connections to use it.You need to copy this file to /etc/nginx/sites-available/default and make sure to edit YOURDOMAIN parts to use your configured domain name!

server {
        #SSL only
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;
        client_max_body_size 200M;

        ssl_certificate /etc/letsencrypt/live/YOURDOMAIN/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/YOURDOMAIN/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


        server_name YOURDOMAIN;

        location / {
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-NginX-Proxy true;
                proxy_set_header Host $host;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header Connection ‘upgrade’;
                proxy_pass http://127.0.0.1:3000; #port where you are serving your express app.
                proxy_http_version 1.1;
                proxy_cache_bypass $http_upgrade;
                proxy_ssl_server_name on;
                proxy_pass_header Server;
                proxy_cache_bypass $http_upgrade;
                proxy_redirect off;
        }
}

server {
        listen 80;
        listen [::]:80;
        server_name _;

        return 301 https://$host$request_uri;

}

Then after editing the file, reload nginx

sudo systemctl reload nginx

Now, we are going to create a shell script to execute niftyzk ceremony, that can be ran by pm2

cd into your cloned project’s directory and npm install then touch run.sh and open it with an editor.

#!/usr/bin/bash
niftyzk ceremony

Download the used ptau file with niftyzk ptaufiles , we used the 14th for compiling, you must select the same.To finally run the ceremony, pm2 start run.sh

Congrats, you got the ceremony server running on your domain.When you visit it you should see this:

How does it work?

Anyone can visit your ceremony, the participation is public. They enter a name and then they are placed in a queue. When it’s their turn to contribute, they will be prompted to enter some entropy and on the client side they run SnarkJS to make a contribution to the last zkey.

The participation in the ceremony can be verified by downloading the log file and comparing the entries in the log file with the sha256 hash of your name.

A directory have been added to your repository called contributions, that contains the log.csv file.

So let’s enter the name: helloworld and add some random entropy.What happened? A contribution was added to the /circuits/compiled/zkeys/ directory called circuit_0001.zkey and the log file has a csv entry added

Contribution,936a185caaa266bb9cbe981e9e05cb78cd732b0b3280eb944412bb6f8f8f07af,087ec9f31cc05fa8db3c46ed360a5294fd6c99aaa97e244044ca936c3e302e35cd34080e86eaa4a67d1e2c717d25b90759f46cb4af692ac5b3e2d17f04bacbfa,circuit_0001.zkey

The first hash is a sha256 hash of the name entered, the second is the blake2b hash of the circuit which will be later logged on circuit finalization.

 echo -n helloworld | sha256sum 
936a185caaa266bb9cbe981e9e05cb78cd732b0b3280eb944412bb6f8f8f07af  -

The ceremony can be online indefinitely and as long as one of the contributors don’t cheat, it’s secure. The largest PTAU file the ceremony server supports can be logged with niftyzk ptaufiles

powersOfTau28_hez_final_15.ptau blake2b hash: 982372c867d229c236091f767e703253249a9b432c1710b4f326306bfa2428a17b06240359606cfe4d580b10a5a1f63fbed499527069c18ae17060472969ae6e Power: 15, Max Constraints: 32K Size: 36.08 MiB Supports built in ceremony server: YES

The reason for this is the networking bottleneck. Any circuits that require more than max 32k constraints will need to do a ceremony manually using snarkjs.

So after a few contributions, you can take down the server. For testing now we can add contributions manually.

Then do a git add .

root@niftyzk-ceremony:/home/nifty/projectname# git status
On branch master
Your branch is up to date with 'origin/master'.

Changes to be committed:
  (use "git restore --staged <file>..." to unstage)
    new file:   circuits/compiled/contributions/log.csv
    new file:   circuits/compiled/zkeys/circuit_0001.zkey
    new file:   circuits/compiled/zkeys/circuit_0002.zkey
    new file:   circuits/compiled/zkeys/circuit_0003.zkey
    new file:   run.sh

And commit these zkeys and push to your repository.You can turn off your webserver now.

Finalize the circuit

You can finalize the ceremony locally, just pull the changes and select a random beacon to use.

niftyzk finalize --beacon 0000000000000000000102b8a74a6e9b9344f0abb3ba25dea7f847c7296fb21d

Niftyzk finalize will complete the ceremony, I used a bitcoin block hash for a beacon. It should be a verifiable hexadecimal number.

When the finalization finished, you should see the contributions are logged.It will be always verifiable that your contribution is in the final zkey as long as you know the name you entered.

[INFO]  niftyzk: contribution #1 936a185caaa266bb9cbe981e9e05cb78cd732b0b3280eb944412bb6f8f8f07af:
                087ec9f3 1cc05fa8 db3c46ed 360a5294
                fd6c99aa a97e2440 44ca936c 3e302e35
                cd34080e 86eaa4a6 7d1e2c71 7d25b907
                59f46cb4 af692ac5 b3e2d17f 04bacbfa
[INFO]  niftyzk: ZKey Ok!

This creates the circuit.final.zkey

Now you can run niftyzk vkey --final and create the final verification_key.json
now your circuit is secure and ready for production.

Niftyzk tutorials 3 - Edwards-curve Digital Signatures

Peter Horvath — Sat, 11 Jan 2025 04:16:54 +0000

Niftyzk supports EdDSA which is a public cryptography digital signature scheme.This tutorial will contain information about the generated code and you will need to read the previous tutorials to understand everything.

Let’s start with niftyzk init

Setting up your current directory
? What project do you want to scaffold? EdDSA signature verification
? Choose the hashing algorithm to use:  mimc7
? Do you wish to add public inputs to sign? (E.g: address,amount) yes
? Enter the name of the public inputs in a comma separated list (no numbers or special characters):  address,amount
Generating circuits
Generating javascript
Done

So we selected EdDSA with mimc7 and added some inputs to sign, address, amount

Using MiMC7 hash means we will have to use a key to create hashes which is kept secret. However for signing with EdDSA using MiMC, the key is not used. That decision to not use the key for signing was made by the developers of circomlib, as using a default key is not an issue, the signed data is a public hash.

Let’s see the generated circuits, you see there is a circuit.circom file

pragma circom 2.0.0;

include "../node_modules/circomlib/circuits/eddsamimc.circom";
include "../node_modules/circomlib/circuits/mimc.circom";

template VerifySignature(){
    signal input message;
    signal input address;
    signal input amount;

    signal input k;

    signal input Ax;
    signal input Ay;
    signal input S;
    signal input R8x;
    signal input R8y;

    component eddsa = EdDSAMiMCVerifier();

    component mimc7Hash = MultiMiMC7(3, 91);
    mimc7Hash.k <== k;
    mimc7Hash.in[0] <== message;
    mimc7Hash.in[1] <== address;
    mimc7Hash.in[2] <== amount;


    eddsa.enabled <== 1;
    eddsa.Ax <== Ax;
    eddsa.Ay <== Ay;
    eddsa.S <== S;
    eddsa.R8x <== R8x;
    eddsa.R8y <== R8y;
    eddsa.M <== mimc7Hash.out;

    }

component main {public [message,address,amount]}  = VerifySignature();

So we import the required dependencies, we use the same hashing algorithm for the signatures and the message hash.

So we got a message input, address and amount which were extra and these are our public inputs that will be revealed on-chain for verification.

k is the secret used for the mimc hashing

Ax,Ay are the points used for the public key, S, R8x,R8y are signature parameters returned by the signing function.

We compute a MiMC7 hash using k and then just assign the inputs to the eddsa template input signals. By specifying eddsa.enabled <== 1; we assert that the signature must be valid for the hash.Now let’s look at some javascript
Accounts are created using EdDSA:

/**
 * The signature parameters used for verifying pedersen hash signed EdDSA
 * @typedef {Object} Account
 * @property {Buffer} prvKey - Private key buffer
 * @property {Uint8Array[]} pubKey - Public key is a tuple of 32 bit Uint8Array
 */

/**
 * @param {any} eddsa - The EdDSA object
 * @returns {Account}
 * Generate a new account which composes of a private and public key
*/
export function generateAccount(eddsa) {
    const prvKey = rbytes();
    const pubKey = eddsa.prv2pub(prvKey);
    return {
        prvKey,
        pubKey
    }
}

We use 32 bytes for the account, the rbytes() returns a random buffer. It uses crypto.randomBytes(32)The public keys are a tuple of Uint8Array, 32 bits in size each.

/**
 * 
 * @param {Array<bigint>} pubKey - Used for computing an address
 * @param {bigin | number} key -The key used for the mimc7 hash
 * @returns 
 */

export async function getAddressFromPubkey(pubKey, key) {
    return mimc7(pubKey, key);
}

We compute “addresses” from the public key by hashing it. These addresses are not valid blockchain addresses but usable for account abstraction. You can derive addresses from a public key using different schemes and derivation paths. It’s up to you what you choose.

/**
 * @typedef {Object} Message
 * @property {string | bigint} message
 * @property {string | bigint} address
 * @property {string | bigint} amount
 */

/**
 * 
 * @param {Message} data - The data content of the message. The hash of the data object will be signed
 * @param key {number | bigint} - The key used for the mimc7 hash
 * @returns {bigint} Returns a mimc7 hash
 */
export async function computeMessageHash(data, key) {
    return await mimc7(
        [
            BigInt(data.message),
            BigInt(data.address),
            BigInt(data.amount)
        ], key)
}

The message hash is computed using mimc7, it’s the same hashing that happens inside the circuit for verification.

/**
 * @param {any} eddsa - the built EDDSA
 * @param {bigint} messagehash - The poseidon hash of the message
 * @param {Buffer} prvKey - The private key used to sign the message 
 * @returns {Signature} signature
 */
export function signMessage(eddsa, messageHash, prvKey) {
    const signature = eddsa.signMiMC(prvKey, eddsa.F.e(messageHash));
    const pubKey = eddsa.prv2pub(prvKey);
    assert(eddsa.verifyMiMC(eddsa.F.e(messageHash), signature, pubKey))

    return {
        signature,
        pubKey
    }
}

/**
 * @typedef {Object} Signature
 * @property {Uint8Array[]} R8
 * @property {bigint} S
 * /

Message signing uses the above function. You pass an eddsa object, the computed message hash and the private key created for your account. You can see the type of the signature defined with JsDoc.

/**
 * @typedef {Object} SignatureParameters
 * @property {bigint} Ax
 * @property {bigint} Ay
 * @property {bigint} R8x
 * @property {bigint} R8y
 * @property {bigint} S
 */

/**
 * @param {any} eddsa
 * @param {Uint8Array[]} pubKey - The public key of the account
 * @param {Signature} signature - The signature of the signed message
 * @returns {SignatureParameters} - The signature parameters are prepared parameters, ready to use for the circuit
 */
export function getSignatureParameters(eddsa, pubKey, signature) {
    return {
        Ax: eddsa.F.toObject(pubKey[0]),
        Ay: eddsa.F.toObject(pubKey[1]),
        R8x: eddsa.F.toObject(signature.R8[0]),
        R8y: eddsa.F.toObject(signature.R8[1]),
        S: signature.S
    }
}

Now to use this signature in circom, we need to convert it. So we get the signature parameters for verification with the above function. /test/input.js

/**
 * This is a test input, generated for the starting circuit.
 * If you update the inputs, you need to update this function to match it.
 */
export async function getInput(){

    await buildHashImplementation()
    const eddsa = await getEDDSA();

    const account = generateAccount(eddsa);
    const key = 313; // just an example key for tests
    const message = rbigint();
    const address = rbigint()
    const amount = rbigint()
    const messageHash = await computeMessageHash({message,address,amount}, key)

    const signedMessage = signMessage(eddsa, messageHash, account.prvKey);

    const signatureParameters = getSignatureParameters(eddsa, account.pubKey, signedMessage.signature)

    return {
        Ax: signatureParameters.Ax, 
        Ay: signatureParameters.Ay,
        S: signatureParameters.S,
        R8x: signatureParameters.R8x,
        R8y: signatureParameters.R8y,

        k: key,
        address,
        amount,
        message
    }
}

And above you can see how we compute the input for the circuits. it’s used for the hot reload and the tests

Now I’ll show you how the merkle trees work with EdDSA

Setting up your current directory
? What project do you want to scaffold? EdDSA signature verification with Fixed Merkle Tree
? Choose the hashing algorithm to use:  poseidon
? Do you wish to add public inputs to sign? (E.g: address,amount) no

So regenerated the project using niftyzk init and selected different parameters.And this is the circuit.circom file now:

pragma circom 2.0.0;

include "../node_modules/circomlib/circuits/eddsaposeidon.circom";
include "../node_modules/circomlib/circuits/poseidon.circom";
include "./merkletree.circom";


template VerifySignature(levels){

    signal input message;
    signal input root;

    signal input pathIndices[levels];
    signal input pathElements[levels];


    //The parameters for the signature
    //The Ax and Ay parameters are the public key, Ax = pubKey[0], Ay = pubKey[1]
    signal input Ax;
    signal input Ay;
    signal input S;
    signal input R8x;
    signal input R8y;
    component eddsa = EdDSAPoseidonVerifier();

    component poseidon = Poseidon(1);
    poseidon.inputs[0] <== message;

    // Verify the signature on the message hash

    eddsa.enabled <== 1;
    eddsa.Ax <== Ax;
    eddsa.Ay <== Ay;
    eddsa.S <== S;
    eddsa.R8x <== R8x;
    eddsa.R8y <== R8y;
    eddsa.M <== poseidon.out;

    //We compute a public key by hashing Ax and Ay, 
   // this will be later used with the merkle tree
   component pubKeyHasher = Poseidon(2);
   pubKeyHasher.inputs[0] <== Ax;
   pubKeyHasher.inputs[1] <== Ay;

   //Verify the merkle tree
   component tree = MerkleTreeChecker(levels);


  for (var i = 0; i < levels; i++) {
      tree.pathElements[i] <== pathElements[i];
      tree.pathIndices[i] <== pathIndices[i];
  }
  tree.root <== root;
  tree.leaf <== pubKeyHasher.out; 
    }

component main {public [message,root]}  = VerifySignature(20);

So you can see there are some differences. I didn’t add more extra parameters to sign this time, so there is only two public inputs, message and root.

So root is the merkle tree root we going to verify that the public key that signed this message is contained inside the tree. It’s a way of access control, so we know that the signature is valid and the signer public key is allowed to pass the verification because his key is inside the tree.

We compute the address using the pubKeyHasher from Ax and Ay, you can see it does exactly the same as the Javascript code I showed earlier. The MerkleTreeChecker asserts correctness and will fail if the leaf is not contained in the root.

pathIndices and pathElements are the merkle proof. You can explore the merkle tree circuit in the file merkletree.circom I explained it in a previous tutorial.

So to manually create merkle trees using the cli, we can use npm run new that will generate addresses and create a tree using them as leaves.

CREATING A NEW MERKLE TREE

Enter how many accounts would you like to generate:
4
Generating accounts and addresses. Please wait!
Done
Generating merkle tree from addresses!
Done.Root is 21804813178957116268623645093306988559564490743632413729059072914509024611553 
Serializing data.
Writing to file.
Done

The private keys for the corresponding accounts are placed in the private directory while the rest is placed in the public directory. If you chose MiMC7 or MiMCSponge hashes then the key parameter is saved in the private dir and needed for verification, otherwise you don’t need to use the private details to create a merkle proof and verify it.

so let’s run npm run proof and it will ask for a root and an address and spit out a merkle proof

then npm run verify will ask for a root and the proof and if eveything is running correctly the proof will be valid.

You can use EdDSA for Identity, Rollups, Scaling,Voting or Account Abstraction. It’s up to you :)

Niftyzk tutorial 2, The Commit-reveal scheme

Peter Horvath — Sat, 11 Jan 2025 04:08:42 +0000

This tutorial will contain information about the generated code. this is the continuation of the previous tutorial, niftyzk tutorial 1. You should read that one first.

So let’s scaffold a new project using niftyzk init we will select a commit-reveal scheme with poseidon hash and add 2 inputs for tamper proofing, address and amount.

$ niftyzk init

Setting up your current directory
? What project do you want to scaffold? Commit-Reveal Scheme
? Choose the hashing algorithm to use:  poseidon
? Do you wish to add tamperproof public inputs? (E.g: walletaddress):  yes
? Enter the name of the public inputs in a comma separated list (no numbers or special characters):  address,amount
Generating circuits
Generating javascript
Done
Run npm install in your project folder

The circuits directory

Navigate to the /circuits/ directory to see the generated code. It should contain 2 files, circuits.circom which is the entry point and commitment_hasher.circom which contains the hashing implementation.

circuits.circom

pragma circom 2.0.0;
include "./commitment_hasher.circom";

template CommitmentRevealScheme(){
    // Public inputs
    signal input nullifierHash;
    signal input commitmentHash;
    signal input address;
    signal input amount;


    // private inputs
    signal input nullifier;
    signal input secret;

    // Hidden signals to validate inputs so they can't be tampared with
    signal addressSquare;
    signal amountSquare;

    component commitmentHasher = CommitmentHasher();

    commitmentHasher.nullifier <== nullifier;
    commitmentHasher.secret <== secret;

    // Check if the nullifierHash and commitment are valid
    commitmentHasher.nullifierHash === nullifierHash;
    commitmentHasher.commitment === commitmentHash;

    // An extra operation with the public signal to avoid tampering

    addressSquare <== address * address;
    amountSquare <== amount * amount;

}

component main {public [nullifierHash,commitmentHash,address,amount]} = CommitmentRevealScheme();

Let’s see from top to bottom what’s going on.

First, it’s using circom 2.0.0 and imports the commitment_hasher.circom template

Next, as you can see on the bottom we have 4 public inputs, these inputs will be exposed to the blockchain when verifying a circuit there. nullifierHash is used for nullification inside the contract, you can use this variable to make sure the proof is not used twice. commitmentHashis the hash used for the commit-reveal scheme. We prove we know the preimage of this hash with the proof. address and amount are extra public inputs which are added into the circuit. the creator of the proof can add these inputs and submit the proof to the blockchain. A malicious relayer who acquires the proof is unable to modify these inputs if they are made tamper proof as you will see soon.

The private inputs are secret and nullifier , both must be kept private. They are used for nullification and the commit reveal scheme.

Hidden signals make sure our extra public inputs are unalterable after the proof is created.We create the commitment hasher and assert that the output includes the public inputs. That’s it. The commitment hasher looks like:

pragma circom 2.0.0;

include "../node_modules/circomlib/circuits/poseidon.circom";

template CommitmentHasher(){
    signal input nullifier;
    signal input secret;

    signal output commitment;
    signal output nullifierHash;


    component commitmentPoseidon = Poseidon(2);

    commitmentPoseidon.inputs[0] <== nullifier;
    commitmentPoseidon.inputs[1] <== secret;

    commitment <== commitmentPoseidon.out;

    component nullifierPoseidon = Poseidon(1);

    nullifierPoseidon.inputs[0] <== nullifier;

    nullifierHash <== nullifierPoseidon.out;
}

As you can see it combines the inputs and creates new outputs. the commitmentHash is linked to the nullifier, so it’s verifiable that they are related.You could use the commitmentHash for nullification, or keep it like this, it’s up to you. It was designed like this because if you want to have reusable commitments you can add an extra input nonce to the nullifierHash but keep the commitment as is. That way the owner of the secret can create multiple proofs using the same commitment with a slightly different nullification strategy. It’s useful for account abstraction if you want the account to be reusable.

Javascript code

First we look at the library that was scaffolded and then the tests.

The project depends on ffjavascript,snarkjs,circomlib,circomlibjs,circom_tester

lib/index.js contains the source code for the client side code.

First you will the functions for generating circuit inputs:


/**
 * @returns {bigint} Returns a random bigint
 */
export function rbigint() { return utils.leBuff2int(crypto.randomBytes(31)) };

For the inputs, 31 byte sized bigint is used. The reason for 31 bytes is because if we use random 32 bytes it can be higher than the snark scalar field

21888242871839275222246405745257275088548364400416034343698204186575808495617

and that would make our circuits fail. So 31 bytes for max input. Next you see the hashing implementation which depends on what was selected and the computeProof and verifyProoffunctions that call snarkjs

test/input.js

Creating the input for a circuit is very important part of development. This file will be called when the unit tests run and also during hot reload.


import { rbigint, generateCommitmentHash, generateNullifierHash,buildHashImplementation } from "../lib/index.js";

/**
 * This is a test input, generated for the starting circuit.
 * If you update the inputs, you need to update this function to match it.
 */
export async function getInput(){
    await buildHashImplementation();

    const secret = rbigint();
    const nullifier = rbigint();

    let address = rbigint();
    let amount = rbigint();

    const commitmentHash = await generateCommitmentHash(nullifier, secret);
    const nullifierHash = await generateNullifierHash(nullifier);

    return {secret, nullifier, nullifierHash,commitmentHash,address,amount}
}

// Assert the output for hotreload by returning the expected output
// Edit this to fit your circuit
export async function getOutput() {
    return { out: 0 }
}

The getInput() function defines our circuit input and the getOutput function is used for output assertion when running niftyzk dev

Let’s see what’s going on. First we build the hash implementation. It’s because all implementations are wasm and need to be built first. The built wasm is cached for reuse.

Then we assign random numbers for inputs, compute the hashes and return them. The return values are a mix of private and public inputs and they are fed to the circuit directly.

The current circuit template doesn’t have output signals, so the getOutput function is not implemented. You should return values you expect here after changing your circuit.

Merkle tree

Now let’s take a look at a commit-reveal scheme with a merkle tree

niftyzk init will can rebuild the current project into a new one.

Setting up your current directory
? What project do you want to scaffold? Commit-Reveal Scheme with Fixed Merkle Tree
? Choose the hashing algorithm to use:  poseidon
? Do you wish to add tamperproof public inputs? (E.g: walletaddress):  yes
? Enter the name of the public inputs in a comma separated list (no numbers or special characters):  address,amount

Let’s set up one with poseidon hash and merkle tree

You will see that the commitment_hasher.circom file stayed the same but the circuits.circom changed and there is a new merkletree.circom file.

include "./commitment_hasher.circom";
include "./merkletree.circom";

template CommitmentRevealScheme(levels){
    // Public inputs
    signal input nullifierHash;
    signal input commitmentHash;
    signal input address;
    signal input amount;

    signal input root;
    signal input pathElements[levels]; // The merkle proof which is fixed size, pathElements contains the hashes
    signal input pathIndices[levels]; // Indices encode if we hash left or right
    // private inputs
    signal input nullifier;
    signal input secret;

    // Hidden signals to validate inputs so they can't be tampared with
    signal addressSquare;
    signal amountSquare;


    component commitmentHasher = CommitmentHasher();

    commitmentHasher.nullifier <== nullifier;
    commitmentHasher.secret <== secret;

    // Check if the nullifierHash and commitment are valid
    commitmentHasher.nullifierHash === nullifierHash;
    commitmentHasher.commitment === commitmentHash;

    // An extra operation with the public signal to avoid tampering

    addressSquare <== address * address;
    amountSquare <== amount * amount;


    // Check if the merkle root contains the commitmentHash!
    component tree = MerkleTreeChecker(levels);

    tree.leaf <== commitmentHasher.commitment;
    tree.root <== root;

    for (var i = 0; i < levels; i++) {
        tree.pathElements[i] <== pathElements[i];
        tree.pathIndices[i] <== pathIndices[i];
    }


}

component main {public [nullifierHash,commitmentHash,root,address,amount]} = CommitmentRevealScheme(20);

So quite a few things changed. We got new public and private inputs and new templates.

So first we have the merkle tree root as a new public input and pathElements and pathIndices, these contain the merkle proof. The levels variable taken specifies the size of the merkle tree, the default 20 will give a lot of branches to work with.

The new template we use is the MerkleTreeChecker and we just assign the signals to it’s inputs. The MerkleTreeChecker will assert correctness. It’s assumed that the commitment is one of the leaves and the merkle proof is used for proving it. The pathElements contain the leaves and the pathIndices specify if we hash left or right.

Let’s see the other file:

pragma circom 2.0.0;

include "../node_modules/circomlib/circuits/poseidon.circom";

template HashLeftRight(){
  signal input left;
  signal input right;
  signal output hash;

  component poseidonHash = Poseidon(2);

  poseidonHash.inputs[0] <== left;
  poseidonHash.inputs[1] <== right;

  hash <== poseidonHash.out;
}



// if s == 0 returns [in[0], in[1]]
// if s == 1 returns [in[1], in[0]]
template DualMux() {
    signal input in[2];
    signal input s;
    signal output out[2];

    s * (1 - s) === 0;
    out[0] <== (in[1] - in[0])*s + in[0];
    out[1] <== (in[0] - in[1])*s + in[1];
}


// Verifies that a merkle proof is correct for given root and leaf
// pathIndices input in an array of 0/1 selectors telling whether 
// given pathElement is on the left or right side of the merkle path
template MerkleTreeChecker(levels) {
    signal input leaf;
    signal input root;
    signal input pathElements[levels];
    signal input pathIndices[levels];

    component selectors[levels];
    component hashers[levels];

    signal levelHashes[levels];

   levelHashes[0] <== leaf;

    for (var i = 1; i < levels; i++) {
        selectors[i] = DualMux();
        hashers[i] = HashLeftRight();

        selectors[i].in[1] <== levelHashes[i - 1];
        selectors[i].in[0] <== pathElements[i];
        selectors[i].s <== pathIndices[i];

        hashers[i].left <== selectors[i].out[0];
        hashers[i].right <== selectors[i].out[1];

        levelHashes[i] <== hashers[i].hash;
    }

    root === levelHashes[levels -1];
}

Okay, so quite a few things going on. Let me explain.

First we have a hasher that hashes leaves from left to right. It’s uses the implementation we selected.

After this the DualMux is a Multiplexer that will just swap inputs. It works based on pathIndices and aligns the pathElements correctly so we can hash left to right for all cases.

The merkle tree checker takes inputs and computes the merkle root by combining pathElements

I hope this saves you a lot of time developing your circuits.now lets jump to javascript:

lib/merkletree.js

The important changes you will find in a new file, merkletree.js which now contains functions to work with merkle trees.It’s zero extra dependency and everything is implemented from scratch. You can run it in any environment.

You will see new functions to call, generateMerkleTree,generateMerkleProof

You need to supply an array of leaves which are commitments and call generateMerkleTree to obtain the tree. Once you have a commitment you want to create a proof for, you can call generateMerkleProof

To use the merkle proof as pathElements and pathIndices you call encodeForCircuit

Important! Trees with uneven leaves are padded! The padding works by duplicating the last branch. This means that the merkle tree contains duplicate leaves but it never contains zeros. Other padding methods could pad with zeroes, so could use the hash(0) for a leaf, that implementation would be insecure on the blockchain.Every uneven level is padded. If we have 9 leaves on the first level, then the last leaf is duplicated etc.

Merkle tree commands

The project gives you a few commands to work with from the CLI to interact with merkle trees manually.There are many use-cases, for example if you want to manage a tree for withdrawing airdrops, you might just manipulate it manually.

lib/run.js contains that gives you 3 commands, new, proof, verify, you can access them using npm also.

npm run new will create a new merkle tree with a similar output:

CREATING A NEW MERKLE TREE

Enter how many secrets would you like to generate:
8
Generating secrets and hashing commitments. Please wait!
Done
Generating merkle tree from commitments!
Done.Root is 9399890428704023149822996752765634449585627060469866502272705510954136382993 
Serializing data.
Writing to file.
Done

Now you will see it created a private and a public directory.

The public directory contains the merkle tree and commitment hashes, nullifier hashes and the private contains secrets used to compute them.The files are named using the root hashes.

npm run proof

The command will ask you for a root hash and a commitment to verify. It will split out a JSON which contains the merkle proof. I do not copy it here due to it’s size.

npm run verify

This command will ask you for the merkle root and the proof and verifies the proof.

You are free to modify the merkle tree tooling to adjust it to work with your circuits

Niftyzk tutorials 1

Peter Horvath — Sat, 11 Jan 2025 03:53:14 +0000

This is the start of the tutorial series on Niftyzk and will go over installation and the basic commands as of NiftyZK 0.1.4

https://github.com/NiftyZk/niftyzk

Niftyzk is a scaffolding tool and circom development framework with first class support for CosmWasm.

Installation
You can find the documentation on the github repository. The project depends on Circom to be installed which depends on Rust. You also need NPM to install niftyzk the CLI.For the circom installation instructions, visit :

https://docs.circom.io/getting-started/installation

To install niftyzk, install it straight from github

npm install -g git+https://github.com/NiftyZk/niftyzk.git

This will install it and the niftyzk command will be available from the command line.

Run niftyzk --version to verify the installation, it should output:

$ niftyzk --version

0.1.4

The help page should show the following:

Usage: niftyzk [options] [command]

Scaffold a new Circom project and circuits, compile it and run Powers of Tau
Phase-2 ceremonies. Generate a cosmwasm verifier contract. Supports Groth-16
with a BN128 curve

Options:
  -V, --version          output the version number
  -h, --help             display help for command

Commands:
  init                   Initialize and scaffold a new project
  ptaufiles [options]    Display information and download ptau files
  gencircuit             Generate circom circuits and javascript tests for the current directory
  dev [options]          Hot reload for circuit development. input.js must
                         contain a valid circuit input
  compile [options]      Compile the circuits
  ceremony               Runs a phase 2 ceremony server that accepts anonymized contributions via a website. Default port is 3000.
                         Prefix the command with PORT=number to change the
                         default port
  finalize [options]     Finalize the circuit after the phase2 ceremony is
                         finished
  vkey [options]         Generate the verification key for this circuit
  gencontract [options]  Generate a cosmwasm verifier smart contract
  help [command]         display help for command

niftyzk init [folder]

To start a new project, you need to initialize a directory and select the scaffolded project. The init command will either work in the current directory or create a new directory depending if the folder name was specified. The command will enter the scaffolding menu that allows to to configure the generated code

Creating a new directory with name myproject
? What project do you want to scaffold? (Use arrow keys)
❯ Commit-Reveal Scheme
  Commit-Reveal Scheme with Fixed Merkle Tree
  EdDSA signature verification
  EdDSA signature verification with Fixed Merkle Tree

As of 0.1.4 , the following schemes are available to generate. You should use these are templates and roll your own implementation using them.

A commit-reveal scheme allows proving the knowledge of a secret without revealing it. The commitments are implemented using hashing, the scheme allows a proof to be constructed that verifies the knowledge of a hash pre-image without revealing it. This scheme can serve as a basis for account abstraction or games.

A commit-reveal scheme with a fixed merkle tree adds merkle proofs to the commit-reveal scheme and allows the verification that a commitment is contained in the merkle root. The scaffolded project resembles a well known project tornado cash, which uses a similar scheme however caution is advised if in replicating that exact functionality. The scheme is a great starting point for account abstraction, identity verification, privacy and scaling solutions.

The EdDSA signature verification scheme allows for verification of an Edwards digital signature inside the circom circuit, these digital signatures are not supported by blockchains by default but can be efficiently used inside zero-knowledge circuits.The signature verification scheme is a great stating point for account abstraction, voting systems identity verification and rollups.

The EdDSA signature verification comes with an optional merkle tree implementation that allows verification that the public key of a signer is found in the merkle tree. The merkle tree effectively contains the signers that are allowed to pass verification.

? Choose the hashing algorithm to use:  (Use arrow keys)
❯ mimc7
  mimcsponge
  pedersen
  poseidon

The next step is to select the hash algorithm to use with your scheme. This choice is important because each hashing function targets a little different use-caseMiMC7 and MiMCSponge are very effective hashing algorithms developed for verification schemes, however they require an extra key parameter to work. The key is an added secret that should not be revealed and so these work best when used with centralized proving system that doesn’t allow individual users to access the secret variables and computes proofs on their behalf, for example to delegate rights.

Poseidon hash is the most flexible which and simple to implement that doesn’t require a secret key, unlike MiMC implementations. This is a great hashing algorithm if you want decentralized proof compute that runs in the browser.

Pedersen hashing is used to implement Pedersen commitments which are homomorphic. It’s implementation is a bit more advanced and requires working with bits instead of passing bigint values directly like the other hashing algorithms.It is recommended to use Poseidon over Pedersen however it depends on your use-case.

? Do you wish to add tamperproof public inputs? (E.g: walletaddress):  (y/N)

If you select a commit-reveal scheme you will be asked to add tamper proof inputs, you need to type them in a comma separated list. The tamper proof inputs use hidden signals inside the circuit for tamper resistance.When a zero-knowledge proof is computed it contains public inputs which need to be revealed on a blockchain for verification. If some of the inputs are arbitrary and doesn’t partake in the commit-reveal scheme, then an adversary is able to manipulate them.Making public signals tamper proof is essential for security.

? Do you wish to add public inputs to sign? (E.g: address,amount) (y/N)

If you selected EdDSA, you will be asked to add inputs to sign. The purpose is similar to making them tamper proof, however they will be part of the signed message itself. EdDSA signatures always sign hashes, so you can add as many inputs as you like.

When you have completed the scaffolding process you need to npm install the dependencies and ready to start iterating on your circuit.

The contents of the scaffolded projects will be explained in another tutorial, for now we move on to the other commands.

niftyzk dev

Usage: niftyzk dev [options]

Hot reload for circuit development. input.js must contain a valid circuit input

Options:
  --circuit [path]  The circuit to test. Defaults to circuits/circuit.circom
  --assertout       Asserts the output of the circuit. The output must be exported from a getOutput() function
                    from input.js
  --verbose         Show extra information for debugging
  -h, --help        display help for command

This command is used to start the hot reload development environment.The circuits will be compiled and executed with an input. The inputs are defined in /test/input.js file, which must export a getInput() function that will be called by the hot reload. The output of the circuit can be asserted by passing the --assertout flag. The output must be implemented in the getOutput() function in the input.js file. This allows you to iterate compile and test the circuit as you develop it.You can use log(); inside your circuits for debugging. If you run it with the optional --verbose flag, more debugging information will be available.

niftyzk ptaufiles

Usage: niftyzk ptaufiles [options]

Display information and download ptau files

Options:
  -f, --filename [filename]  The file to download
  -h, --help                 display help for command

To compile circuits you will need files created with a powers of tau ceremony. You can opt to create your own files but that’s an insecure solution. The Phase 1 of powers of tau creates reusable files, so we can use them from the Polygon Hermez ceremony. The built in download will get the files for you and place them where the compiler expects them to be. The files get quite large and not all work with the ceremony server. If your circuits are large you need to use big ptaufiles to compile them.

For automated systems, if you know the filename you can pass it as an argument, if not a dropdown menu will appear for you to manually select it.

Example file to select

powersOfTau28_hez_final_15.ptau
blake2b hash: 982372c867d229c236091f767e703253249a9b432c1710b4f326306bfa2428a17b06240359606cfe4d580b10a5a1f63fbed499527069c18ae17060472969ae6e
Power: 15, Max Constraints: 32K
Size: 36.08 MiB
Supports built in ceremony server: YES

niftyzk compile

Usage: niftyzk compile [options]

Compile the circuits

Options:
  --circuit [path]  Specify the location for the circuit. Defaults to circuits/circuit.circom
  -h, --help        display help for command

This command invokes the circom compiler which depends on Rust. It must be installed beforehand to proceed with the compilation.The current circuits will be compiled and the output will be in the circuits/compiled directory. You should commit this file to git because it contains the compilation results, recompiling will always yield a different circuit and verification parameters so you should keep this to continue. If you alter the circuit you need o recompile each time.

niftyzk ceremony

Usage: niftyzk ceremony [options]

Runs a phase 2 ceremony server that accepts anonymized contributions via a website. Default port is 3000. Prefix
the command with PORT=number to change the default port

Options:
  -h, --help  display help for command

There will be a dedicated tutorial to explain how to deploy a ceremony server, for now all you need to know is that to secure groth-16 proving circuits the Powers of tau ceremony needs to be repeated, it has a circuit specific phase. The compilation outputs a zkey files into the compiled directory which can be contributed to. The contribution creates a new zkey from the previous one, they are stored indexed. The contribution takes place in the browser and niftyzk contains a webserver. The contributions are anonymous and as long as a single participant remains honest the ceremony is secure.

niftyzk vkey

Usage: niftyzk vkey [options]

Generate the verification key for this circuit

Options:
  --final     Export the final verification key after the phase2 ceremony
  -h, --help  display help for command

You need to export a verification key to run tests, compute proofs or generate a cosmwasm contract. The vkey can be created before or after the ceremony, the final key must be exported after the finalize

niftyzk finalize

Usage: niftyzk finalize [options]

Finalize the circuit after the phase2 ceremony is finished

Options:
  -b, --beacon [string]  A random beacon to use for finalizing the ceremony. For example a block hash or a hex number outputted by a Verifiable Delay Function (VDF)
  -i, --iter [num]       Number of iterations
  -n, --name [string]    The name of the final contribution
  -h, --help             display help for command

The finalize command requires a random beacon to finalize the circuit. This should be ran after the ceremony is finished and all the contributions are done. The beacon is a hex number that should be outputted by a Verifiable Delay Function, often a block hash is used. You need to export a new vkey after the finalization to continue.

niftyzk gencontract

After you acquired the verification key you can generate the contract. The circuits don’t need to be finalized for this, however your verification will be vulnerable without a ceremony and finalization.

Usage: niftyzk gencontract [options]

Generate a cosmwasm verifier smart contract

Options:
  --circuit        The full name of the circuit file to use. Defaults to circuit.circom
  --ark            Use the Arkworks Groth-16 verifier implementation
  --bellman        Use the Bellman Groth-16 verifier implementation
  --overwrite      If a contract directory already exists, you are required use this option to overwrite it.
  --folder [name]  Specify the name of the generated contract's folder
  -h, --help       display help for command

The available libraries to use for the Rust verifier are Arkworks or Bellman. You can find both on crates.io.
You need to specify the folder name and if the folder exists already explicitly overwrite it.

Checking the generated contracts:
Install the wasm rust compiler backend: rustup target add wasm32-unknown-unknown

Run cargo test to run the generated tests

Build the contracts using cargo wasm

Verify the contract.wasm using the cosmwasm-check utility cargo install cosmwasm-check

cosmwasm-check ./target/wasm32-unknown-unknown/release/contract.wasm

And you are done, you created a verifier for a cosmwasm contract from your circuit

*The development pipeline could be drawn with the graph as :
*

I hope you like niftyzk, in the next tutorials I will explain more about the generated code, showcase the merkle tree utils and deploy a ceremony server on a VPS.

Introducing Niftyzk

Peter Horvath — Fri, 10 Jan 2025 23:21:11 +0000

Niftyzk is a circom development tool and framework that targets CosmWasm ecosystem supporting groth-16 proofs with bn128 curve.

https://github.com/NiftyZk/niftyzk

Project scaffolding
Initialize a new project niftyzk init and select from the available templates, the generated code can be configured based on the verification schemes selected. There is support for Poseidon, Pedersen, MiMC and MiMCSponge hashing functions and additional circuit inputs. Niftyzk generates code instead of cloning a repository, so you get the benefit of configuration.

Javascript library
A library will be generated for you with all functions required to interact with the circuits and merkle tree. The javascript is isomorphic and typed using JSDoc so you can run it in the browser and server without modification and use it with Typescript.

Hot reload
Develop your circom circuits using hot reload. niftyzk devIterative development allows you to debug and update your circuits without recompiling them each time which is time consuming. The circuits are rebuilt and the outputs are asserted. Niftyzk expects the circuit inputs and output asserts defined in an input.js file, which allows you to keep your business logic to generate inputs neat and fully tested during development.

Powers of Tau
The powers of tau ceremony is essential for zero knowledge proof circuits for security. niftyzk ptaufilesThe phase 1 ceremony is reusable hence we can use the Polygon Hermez ceremony files. The files are available to download from the CLI with a simple command

Compilation
niftyzk compile uses circom compiler for compilation and so depends on Rust and requires circom to be installed. It wraps and abstracts away complex commands and makes compiling straight forward

Verification Keys
The compiled circuits require the exporting of verification keys, these keys are used for testing in deployment. niftyzk vkey

Phase-2 ceremony
The built in ceremony server allows you to host a phase-2 ceremony.Invoking the command niftyzk ceremony will start up a server that hosts a contribution page.The contribution is anonymous and the contributors are queued using websockets. The project at this stage can be deployed on a VPS using Git and the ceremony can be hosted there.The ceremony server only supports smaller PTAU files due to the netwoking, each client needs to download it to make a contribution.Only a single contributor to the phase-2 ceremony needs to be honest for the process to work.

Finalization
After the ceremony we can finalize the circuit, this means we can’t update our circuits anymore and it will be ready for deployment. niftyzk finalize expects a --beacon argument which is our random beacon used for finalization. The process wraps snarkjs and simplifies the commands used there. If you want to learn more about it, you can read the snarkjs documentation. After finalization, you will need to export a new vkey

Generate CosmWasm contract
And finally we can generate a CosmWasm verifier contract for the circuit. niftyzk gencontact You can generate it before finalization for testing your smart contracts, it requires passing unit tests and the verification key to generate the contract.The gencontract command expects an argument for the Rust library used, which can be Arkworks or Bellman. The Bellman requires an adapter which will be generated in javascript for you.Check the readme for verifying cosmwasm contracts.

Full test coverage
All generated code contains full test coverage, including the CosmWasm contracts. Niftyzk supports test based development and runtime assertions.

Support
You can support this project by using it. Open a issue if you encounter any errors. This is a public good and available for quadratic funding in the Atom Economic Zone, you can contribute Atom on dorahacks
https://dorahacks.io/buidl/14323