-
Notifications
You must be signed in to change notification settings - Fork 2.7k
Getrandom issue even though local execution works #9109
Comments
I'll try out |
@burdges maybe you have an idea, inspecting old discussion here using the same transcripting system? |
Hey Drew, The Wasm execution of the runtime needs to be completely deterministic, so |
Ok, glad that hopefully this provides good feedback @rphmeier. How then could I reasonably instantiate an prng for the verification? I was thinking it would be great if the Beyond that, I'm guessing that even if I use host functions that this functionality would never work in a parachain runtime right? |
Or at least if anyone knows of a |
Do not use RandomnessCoinFlip in production. It's basically not secure for anything.. just useful for tests. |
What is the actual problem? Is this randomness fora proover or a verifier? As a rule, one cannot run proovers from PVFs anyways, but native off chain workers could run them just fine. Assuming it's a batch verifier.. I've not looked into bulletproofs closely recently, and never too closely at the batching, but usually protocols with random batching could actually be deterministically batched via Fiat-Shamir. It requires being careful however.. |
If you need a PRNG you could run ChaCha32 on the BABE VRF or epoch randomness. But this is public info. |
It's verifiers I see.. We should discuss this with someone who looked more closely at bulletproofs, but.. I doubt VRFs help here, he needs Fiat-Shamir. It's likely they're using merlin's transcript rng builder, which takes another
You then pass
What this is doing is making sure that the whole |
Anyways your question is: How do I derandomize a bulletproofs batch verifier with Fiat-Shamir? It probably just works but I cannot dig into the bullet proofs paper right now. |
Ok, I'm not using the batch verifier or range proofs, rather using their R1CS interfaces. I will read through this and continue to debug.. I think I'm finding ChaCha to be in the right direction too. Thanks for the feedback so quickly! |
I think I may have encountered this bug before. |
I think provers require real randomness for zero-knowledge so if you hit https://doc.dalek.rs/src/bulletproofs/r1cs/prover.rs.html#343 then you'll need it to run native on the parachain nodes. You've presumably hit https://doc.dalek.rs/src/bulletproofs/r1cs/verifier.rs.html#374 so likely you could fork the bulletproofs crate and make Actually I only say likely because I've never checked whether this turns out secure. It's ages since I've looked into Bootle's paper or the bulletproofs paper that adds batching. In fact, it'll depend somewhat upon what your circuit actually does. @AlistairStewart could tell you stories about smart contracts that compute their own hash, but that's a story for another day. You're likely find if all your doing is simple asset transfers, not scripting ala smart contracts. |
I think this can be closed, if not please reopen. |
We've pushed some new runtime modules to our testnet and are getting some new errors in execution. These modules deal with zero-knowledge verification and hashing. In particular, an
OsRng
is instantiated to seed random values for the verifier here.Perhaps it is related to
--wasm-execution Compiled
that we have some nodes running with though we're a bit unsure. Any ideas? We're seeing errors such as:An example node execution is:
The system works locally and without problems. Transactions occur in a timely fashion however on the live testnet they take up to 30 seconds and potentially 60 seconds while slowing the chain down throughout the process. Any insight or ways to debug would be appreciated.
The text was updated successfully, but these errors were encountered: