{"id":13592760,"url":"https://github.com/iden3/snarkjs","last_synced_at":"2025-05-13T00:21:37.602Z","repository":{"id":37413021,"uuid":"144108814","full_name":"iden3/snarkjs","owner":"iden3","description":"zkSNARK implementation in JavaScript \u0026 WASM","archived":false,"fork":false,"pushed_at":"2025-05-09T14:24:41.000Z","size":146034,"stargazers_count":1871,"open_issues_count":104,"forks_count":455,"subscribers_count":32,"default_branch":"master","last_synced_at":"2025-05-09T14:59:34.323Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/iden3.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"COPYING","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2018-08-09T06:16:06.000Z","updated_at":"2025-05-09T14:23:28.000Z","dependencies_parsed_at":"2023-09-28T01:16:45.233Z","dependency_job_id":"54e7dd54-2750-4832-b251-7dc0cd45badb","html_url":"https://github.com/iden3/snarkjs","commit_stats":{"total_commits":616,"total_committers":52,"mean_commits":"11.846153846153847","dds":"0.37662337662337664","last_synced_commit":"d90fa782d1098e5083241ffc152206d9894550b7"},"previous_names":["iden3/zksnark"],"tags_count":139,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/iden3%2Fsnarkjs","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/iden3%2Fsnarkjs/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/iden3%2Fsnarkjs/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/iden3%2Fsnarkjs/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/iden3","download_url":"https://codeload.github.com/iden3/snarkjs/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253273342,"owners_count":21881967,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T16:01:12.900Z","updated_at":"2025-05-13T00:21:37.581Z","avatar_url":"https://github.com/iden3.png","language":"JavaScript","funding_links":[],"categories":["Index","JavaScript","Libraries and Frameworks","Uncategorized","Tools","Provers"],"sub_categories":["Projects","Uncategorized","Circuit Building Library","Cryptographic primitives in other languages"],"readme":"\n![tests](https://github.com/iden3/snarkjs/workflows/tests/badge.svg)![Check%20snarkjs%20tutorial](https://github.com/iden3/snarkjs/workflows/Check%20snarkjs%20tutorial/badge.svg)\n\n# snarkjs\n\nThis is a **JavaScript and Pure Web Assembly implementation of zkSNARK and PLONK schemes.** It uses the Groth16 Protocol (3 points only and 3 pairings), PLONK, and FFLONK.\n\nThis library includes all the tools required to perform trusted setup multi-party ceremonies: including the universal [*powers of tau*](https://medium.com/coinmonks/announcing-the-perpetual-powers-of-tau-ceremony-to-benefit-all-zk-snark-projects-c3da86af8377) ceremony, and the second phase circuit-specific ceremonies.\n\n\u003e Any zk-snark project can pick a round from the common phase 1 to start their circuit-specific phase 2 ceremony.\n\nThe formats used in this library for the multi-party computation are compatible with the ones used in [Semaphore's Perpetual Powers of Tau](https://github.com/weijiekoh/perpetualpowersoftau) and [other implementations](https://github.com/kobigurk/phase2-bn254).\n\nThis library uses the compiled circuits generated by the [circom](https://github.com/iden3/circom) compiler.\n\nIt works in [`node.js`](#using-node) as well as directly in the [browser](#in-the-browser).\n\nIt's an [ES module](https://hacks.mozilla.org/2018/03/es-modules-a-cartoon-deep-dive/), so it can be directly imported into bigger projects using [Rollup](https://rollupjs.org/guide/en/) or [Webpack](https://webpack.js.org/).\n\nThe low-level cryptography is performed directly in `wasm`, and uses worker threads to parallelize the computations. The result is a high-performance library with benchmarks comparable to host implementations.\n\n## Preliminaries\n\n### Install node\nFirst off, make sure you have a recent LTS version of Node.js installed. Non-LTS and versions prior to v18 are not guaranteed to work.\n\nIf you’re not sure which version of Node you have installed, you can run:\n\n```sh\nnode -v\n```\n\nTo download the latest version of Node, see [here](https://nodejs.org/en/download/).\n\n### Install snarkjs\n\nTo install `snarkjs` run:\n\n```sh\nnpm install -g snarkjs@latest\n```\n\nIf you're seeing an error, try prefixing both commands with `sudo` and running them again.\n\n### Understand the `help` command\n\nTo see a list of all `snarkjs` commands, as well as descriptions of their inputs and outputs, run:\n\n```sh\nsnarkjs --help\n```\n\n\nYou can also use the `--help` option with specific commands:\n\n```sh\nsnarkjs groth16 prove --help\n```\n\nMost of the commands have an alternative shorter alias (which you can discover using `--help`).\n\nFor example, the previous command can also be invoked with:\n\n```sh\nsnarkjs g16p --help\n```\n\n### Debugging tip\n\nIf you feel a command is taking longer than it should, re-run it with a `-v` or `--verbose` option to see more details about how it's progressing and where it's getting blocked.\n\n### Install circom\n\nTo install `circom`, follow the instructions at [installing circom](https://docs.circom.io/getting-started/installation).\n\n## Guide\n\n### 0. Create and move into a new directory\n```sh\nmkdir snarkjs_example\ncd snarkjs_example\n```\n\n### 1. Start a new powers of tau ceremony\n```sh\nsnarkjs powersoftau new bn128 14 pot14_0000.ptau -v\n```\n\nThe `new` command is used to start a powers of tau ceremony.\n\nThe first parameter after `new` refers to the type of curve you wish to use. At the moment, we support both `bn128` and `bls12-381`.\n\nThe second parameter, in this case `14`, is the power of two of the maximum number of constraints that the ceremony can accept: in this case, the number of constraints is `2 ^ 14 = 16,384`. The maximum value supported here is `28`, which means you can use `snarkjs` to securely generate zk-snark parameters for circuits with up to `2 ^ 28` (≈268 million) constraints.\n\n\n### 2. Contribute to the ceremony\n```sh\nsnarkjs powersoftau contribute pot14_0000.ptau pot14_0001.ptau --name=\"First contribution\" -v\n```\n\nThe `contribute` command creates a ptau file with a new contribution.\n\nYou'll be prompted to enter some random text to provide an extra source of entropy.\n\n`contribute` takes as input the transcript of the protocol so far, in this case `pot14_0000.ptau`, and outputs a new transcript, in this case `pot14_0001.ptau`, which includes the computation carried out by the new contributor (`ptau` files contain a history of all the challenges and responses that have taken place so far).\n\n`name` can be anything you want, and is just included for reference (it will be printed when you verify the file (step 5).\n\n### 3. Provide a second contribution\n```sh\nsnarkjs powersoftau contribute pot14_0001.ptau pot14_0002.ptau --name=\"Second contribution\" -v -e=\"some random text\"\n```\n\nBy letting you write the random text as part of the command, the `-e` parameter allows `contribute` to be non-interactive.\n\n### 4. Provide a third contribution using third-party software\n```sh\nsnarkjs powersoftau export challenge pot14_0002.ptau challenge_0003\nsnarkjs powersoftau challenge contribute bn128 challenge_0003 response_0003 -e=\"some random text\"\nsnarkjs powersoftau import response pot14_0002.ptau response_0003 pot14_0003.ptau -n=\"Third contribution name\"\n```\n\nThe challenge and response files are compatible with [this software](https://github.com/kobigurk/phase2-bn254).\n\nThis allows you to use different types of software in a single ceremony.\n\n### 5. Verify the protocol so far\n```sh\nsnarkjs powersoftau verify pot14_0003.ptau\n```\n\nThe `verify` command verifies a `ptau` (powers of tau) file, which means it checks all the contributions to the multi-party computation (MPC) up to that point. It also prints the hashes of all the intermediate results to the console.\n\nIf everything checks out, you should see the following at the top of the output:\n\n```sh\n[INFO]  snarkJS: Powers Of tau file OK!\n```\n\nIn sum, whenever a new zk-snark project needs to perform a trusted setup, you can just pick the latest `ptau` file, and run the `verify` command to verify the entire chain of challenges and responses so far.\n\n\n### 6. Apply a random beacon\n```sh\nsnarkjs powersoftau beacon pot14_0003.ptau pot14_beacon.ptau 0102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f 10 -n=\"Final Beacon\"\n```\n\nThe `beacon` command creates a `ptau` file with a contribution applied in the form of a random beacon.\n\nWe need to apply a random beacon in order to finalize phase 1 of the trusted setup.\n\n\u003e To paraphrase Sean Bowe and Ariel Gabizon, a random beacon is a source of public randomness that is not available before a fixed time. The beacon itself can be a delayed hash function (e.g. 2^40 iterations of SHA256) evaluated on some high entropy and publicly available data. Possible sources of data include: the closing value of the stock market on a certain date in the future, the output of a selected set of national lotteries, or the value of a block at a particular height in one or more blockchains. E.g. the hash of the 11 millionth Ethereum block (which as of this writing is some 3 months in the future). See [here](https://eprint.iacr.org/2017/1050.pdf) for more on the importance of a random beacon.\n\nFor the purposes of this tutorial, the beacon is essentially a delayed hash function evaluated on `0102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f` (in practice this value will be some form of high entropy and publicly available data of your choice). The next input -- in our case `10` -- just tells `snarkjs` to perform `2 ^ 10` iterations of this hash function.\n\n\u003e Note that  [security holds](https://eprint.iacr.org/2017/1050) even if an adversary has limited influence on the beacon.\n\n### 7. Prepare phase 2\n```sh\nsnarkjs powersoftau prepare phase2 pot14_beacon.ptau pot14_final.ptau -v\n```\n\nWe're now ready to prepare phase 2 of the setup (the circuit-specific phase).\n\nUnder the hood,  the `prepare phase2` command calculates the encrypted evaluation of the Lagrange polynomials at tau for `tau`, `alpha*tau`, and `beta*tau`. It takes the beacon `ptau` file we generated in the previous step and outputs a final `ptau` file which will be used to generate the circuit proving and verification keys.\n\n---\n**NOTE**\n\nPrepared (phase2) Ptau files for bn128 with 54 contributions and a beacon can be found here:\n\n\n| power | maxConstraints | file      |  hash |\n|-------|----------------|-----------|-------|\n|   8   |     256        | [powersOfTau28_hez_final_08.ptau](https://storage.googleapis.com/zkevm/ptau/powersOfTau28_hez_final_08.ptau)  | d6a8fb3a04feb600096c3b791f936a578c4e664d262e4aa24beed1b7a9a96aa5eb72864d628db247e9293384b74b36ffb52ca8d148d6e1b8b51e279fdf57b583 |\n|   9   |     512        | [powersOfTau28_hez_final_09.ptau](https://storage.googleapis.com/zkevm/ptau/powersOfTau28_hez_final_09.ptau)  | 94f108a80e81b5d932d8e8c9e8fd7f46cf32457e31462deeeef37af1b71c2c1b3c71fb0d9b59c654ec266b042735f50311f9fd1d4cadce47ab234ad163157cb5 |\n|   10   |     1k        | [powersOfTau28_hez_final_10.ptau](https://storage.googleapis.com/zkevm/ptau/powersOfTau28_hez_final_10.ptau)  | 6cfeb8cda92453099d20120bdd0e8a5c4e7706c2da9a8f09ccc157ed2464d921fd0437fb70db42104769efd7d6f3c1f964bcf448c455eab6f6c7d863e88a5849 |\n|   11   |     2k        | [powersOfTau28_hez_final_11.ptau](https://storage.googleapis.com/zkevm/ptau/powersOfTau28_hez_final_11.ptau)  | 47c282116b892e5ac92ca238578006e31a47e7c7e70f0baa8b687f0a5203e28ea07bbbec765a98dcd654bad618475d4661bfaec3bd9ad2ed12e7abc251d94d33 |\n|   12   |     4k        | [powersOfTau28_hez_final_12.ptau](https://storage.googleapis.com/zkevm/ptau/powersOfTau28_hez_final_12.ptau)  | ded2694169b7b08e898f736d5de95af87c3f1a64594013351b1a796dbee393bd825f88f9468c84505ddd11eb0b1465ac9b43b9064aa8ec97f2b73e04758b8a4a |\n|   13   |     8k        | [powersOfTau28_hez_final_13.ptau](https://storage.googleapis.com/zkevm/ptau/powersOfTau28_hez_final_13.ptau)  | 58efc8bf2834d04768a3d7ffcd8e1e23d461561729beaac4e3e7a47829a1c9066d5320241e124a1a8e8aa6c75be0ba66f65bc8239a0542ed38e11276f6fdb4d9 |\n|   14   |     16k        | [powersOfTau28_hez_final_14.ptau](https://storage.googleapis.com/zkevm/ptau/powersOfTau28_hez_final_14.ptau)  | eeefbcf7c3803b523c94112023c7ff89558f9b8e0cf5d6cdcba3ade60f168af4a181c9c21774b94fbae6c90411995f7d854d02ebd93fb66043dbb06f17a831c1 |\n|   15   |     32k        | [powersOfTau28_hez_final_15.ptau](https://storage.googleapis.com/zkevm/ptau/powersOfTau28_hez_final_15.ptau)  | 982372c867d229c236091f767e703253249a9b432c1710b4f326306bfa2428a17b06240359606cfe4d580b10a5a1f63fbed499527069c18ae17060472969ae6e |\n|   16   |     64k        | [powersOfTau28_hez_final_16.ptau](https://storage.googleapis.com/zkevm/ptau/powersOfTau28_hez_final_16.ptau)  | 6a6277a2f74e1073601b4f9fed6e1e55226917efb0f0db8a07d98ab01df1ccf43eb0e8c3159432acd4960e2f29fe84a4198501fa54c8dad9e43297453efec125 |\n|   17   |     128k        | [powersOfTau28_hez_final_17.ptau](https://storage.googleapis.com/zkevm/ptau/powersOfTau28_hez_final_17.ptau)  | 6247a3433948b35fbfae414fa5a9355bfb45f56efa7ab4929e669264a0258976741dfbe3288bfb49828e5df02c2e633df38d2245e30162ae7e3bcca5b8b49345 |\n|   18   |     256k        | [powersOfTau28_hez_final_18.ptau](https://storage.googleapis.com/zkevm/ptau/powersOfTau28_hez_final_18.ptau)  | 7e6a9c2e5f05179ddfc923f38f917c9e6831d16922a902b0b4758b8e79c2ab8a81bb5f29952e16ee6c5067ed044d7857b5de120a90704c1d3b637fd94b95b13e |\n|   19   |     512k        | [powersOfTau28_hez_final_19.ptau](https://storage.googleapis.com/zkevm/ptau/powersOfTau28_hez_final_19.ptau)  | bca9d8b04242f175189872c42ceaa21e2951e0f0f272a0cc54fc37193ff6648600eaf1c555c70cdedfaf9fb74927de7aa1d33dc1e2a7f1a50619484989da0887 |\n|   20   |     1M        | [powersOfTau28_hez_final_20.ptau](https://storage.googleapis.com/zkevm/ptau/powersOfTau28_hez_final_20.ptau)  | 89a66eb5590a1c94e3f1ee0e72acf49b1669e050bb5f93c73b066b564dca4e0c7556a52b323178269d64af325d8fdddb33da3a27c34409b821de82aa2bf1a27b |\n|   21   |     2M        | [powersOfTau28_hez_final_21.ptau](https://storage.googleapis.com/zkevm/ptau/powersOfTau28_hez_final_21.ptau)  | 9aef0573cef4ded9c4a75f148709056bf989f80dad96876aadeb6f1c6d062391f07a394a9e756d16f7eb233198d5b69407cca44594c763ab4a5b67ae73254678 |\n|   22   |     4M        | [powersOfTau28_hez_final_22.ptau](https://storage.googleapis.com/zkevm/ptau/powersOfTau28_hez_final_22.ptau)  | 0d64f63dba1a6f11139df765cb690da69d9b2f469a1ddd0de5e4aa628abb28f787f04c6a5fb84a235ec5ea7f41d0548746653ecab0559add658a83502d1cb21b |\n|   23   |     8M        | [powersOfTau28_hez_final_23.ptau](https://storage.googleapis.com/zkevm/ptau/powersOfTau28_hez_final_23.ptau)  | 3063a0bd81d68711197c8820a92466d51aeac93e915f5136d74f63c394ee6d88c5e8016231ea6580bec02e25d491f319d92e77f5c7f46a9caa8f3b53c0ea544f |\n|   24   |     16M        | [powersOfTau28_hez_final_24.ptau](https://storage.googleapis.com/zkevm/ptau/powersOfTau28_hez_final_24.ptau)  | fa404d140d5819d39984833ca5ec3632cd4995f81e82db402371a4de7c2eae8687c62bc632a95b0c6aadba3fb02680a94e09174b7233ccd26d78baca2647c733 |\n|   25   |     32M        | [powersOfTau28_hez_final_25.ptau](https://storage.googleapis.com/zkevm/ptau/powersOfTau28_hez_final_25.ptau)  | 0377d860cdb09a8a31ea1b0b8c04335614c8206357181573bf294c25d5ca7dff72387224fbd868897e6769f7805b3dab02854aec6d69d7492883b5e4e5f35eeb |\n|   26   |     64M        | [powersOfTau28_hez_final_26.ptau](https://storage.googleapis.com/zkevm/ptau/powersOfTau28_hez_final_26.ptau)  | 418dee4a74b9592198bd8fd02ad1aea76f9cf3085f206dfd7d594c9e264ae919611b1459a1cc920c2f143417744ba9edd7b8d51e44be9452344a225ff7eead19 |\n|   27   |     128M        | [powersOfTau28_hez_final_27.ptau](https://storage.googleapis.com/zkevm/ptau/powersOfTau28_hez_final_27.ptau)  | 10ffd99837c512ef99752436a54b9810d1ac8878d368fb4b806267bdd664b4abf276c9cd3c4b9039a1fa4315a0c326c0e8e9e8fe0eb588ffd4f9021bf7eae1a1 |\n|   28   |     256M        | [powersOfTau28_hez_final.ptau](https://storage.googleapis.com/zkevm/ptau/powersOfTau28_hez_final.ptau)  | 55c77ce8562366c91e7cda394cf7b7c15a06c12d8c905e8b36ba9cf5e13eb37d1a429c589e8eaba4c591bc4b88a0e2828745a53e170eac300236f5c1a326f41a |\n\nThere is a file truncated for each power of two.\n\nThe complete file is [powersOfTau28_hez_final.ptau](https://storage.googleapis.com/zkevm/ptau/powersOfTau28_hez_final.ptau) which includes 2**28 powers.\n\nAnd it's blake2b hash is:\n\n55c77ce8562366c91e7cda394cf7b7c15a06c12d8c905e8b36ba9cf5e13eb37d1a429c589e8eaba4c591bc4b88a0e2828745a53e170eac300236f5c1a326f41a\n\nYou can find more information about the ceremony [here](https://github.com/weijiekoh/perpetualpowersoftau)\n\nThe last ptau file was generated using this procedure:\n\nhttps://www.reddit.com/r/ethereum/comments/iftos6/powers_of_tau_selection_for_hermez_rollup/\n\n---\n\n### 8. Verify the final `ptau`\n```sh\nsnarkjs powersoftau verify pot14_final.ptau\n```\n\nThe `verify` command verifies a powers of tau file.\n\nBefore we go ahead and create the circuit, we perform a final check and verify the final protocol transcript.\n\n\u003e Notice there is no longer a warning informing you that the file does not contain phase 2 precalculated values.\n\n### 9. Create the circuit\n```sh\ncat \u003c\u003cEOT \u003e circuit.circom\npragma circom 2.0.0;\n\ntemplate Multiplier(n) {\n    signal input a;\n    signal input b;\n    signal output c;\n\n    signal int[n];\n\n    int[0] \u003c== a*a + b;\n    for (var i=1; i\u003cn; i++) {\n        int[i] \u003c== int[i-1]*int[i-1] + b;\n    }\n\n    c \u003c== int[n-1];\n}\n\ncomponent main = Multiplier(1000);\nEOT\n```\n\nWe create a circom file that allows us to easily test the system with a different number of constraints.\n\nIn this case, we've chosen `1000`,  but we can change this to anything we want (as long as the value we choose is below the number we defined in step 1).\n\n### 10. Compile the circuit\n```sh\ncircom --r1cs --wasm --c --sym --inspect circuit.circom\n```\n\nThe `circom` command takes one input (the circuit to compile, in our case `circuit.circom`) and three options:\n\n- `r1cs`: generates `circuit.r1cs` (the r1cs constraint system of the circuit in binary format).\n\n- `wasm`: generates `circuit.wasm` (the wasm code to generate the witness – more on that later).\n\n- `c`: generates c++ witness calculator code.\n\n- `sym`: generates `circuit.sym` (a symbols file required for debugging and printing the constraint system in an annotated mode).\n\n- `inspect`: does additional checks over the constraints produced.\n\n\n### 11. View information about the circuit\n```sh\nsnarkjs r1cs info circuit.r1cs\n```\n\nThe `info` command is used to print circuit stats.\n\nYou should see the following output:\n\n```\n[INFO]  snarkJS: Curve: bn-128\n[INFO]  snarkJS: # of Wires: 1003\n[INFO]  snarkJS: # of Constraints: 1000\n[INFO]  snarkJS: # of Private Inputs: 2\n[INFO]  snarkJS: # of Public Inputs: 0\n[INFO]  snarkJS: # of Outputs: 1\n```\n\nThis information fits with our mental map of the circuit we created: we had two private inputs `a` and `b`, one output `c`, and a thousand constraints of the form `a * b = c.`\n\n### 12. Print the constraints\n```sh\nsnarkjs r1cs print circuit.r1cs circuit.sym\n```\n\nTo double-check, we print the constraints of the circuit.\n\nYou should see a thousand constraints of the form:\n\n```\n[ -main.int[i] ] * [ main.int[i] ] - [ main.b -main.int[i+1] ] = 0\n```\n\n### 13. Export r1cs to json\n```sh\nsnarkjs r1cs export json circuit.r1cs circuit.r1cs.json\ncat circuit.r1cs.json\n```\n\nWe export `r1cs` to `json` format to make it human-readable.\n\n\n### 14. Calculate the witness\n\nFirst, we create a file with the inputs for our circuit:\n\n```sh\ncat \u003c\u003cEOT \u003e input.json\n{\"a\": \"3\", \"b\": \"11\"}\nEOT\n```\n\nNote that integers in json file are enclosed in double quotation marks, because otherwise json format loses precision when working with big integers.\n\nNow, we use the Javascript/WASM program created by `circom` in the directory *\u003ccircuit_name\u003e_js* to create the witness (values of all the wires) for our inputs:\n\n```sh\nsnarkjs wtns calculate circuit_js/circuit.wasm input.json witness.wtns\n```\n\nAlternatively, you can do:\n```sh\nnode circuit_js/generate_witness.js circuit_js/circuit.wasm input.json witness.wtns\n```\n\nWe can check if the generated witness complies with the `r1cs` file with the following command:\n\n```sh\nsnarkjs wtns check circuit.r1cs witness.wtns\n```\n\n\n### 15. Setup\n\nCurrently, snarkjs supports 3 proving systems: Groth16, PLONK, and FFLONK (Beta version).\n\nGroth16 requires a trusted ceremony for each circuit. PLONK and FFLONK do not require it, it's enough with the powers of tau ceremony which is universal.\n\n#### Plonk\n```sh\nsnarkjs plonk setup circuit.r1cs pot14_final.ptau circuit_final.zkey\n```\n\n#### Fflonk\n```sh\nsnarkjs fflonk setup circuit.r1cs pot14_final.ptau circuit.zkey\n```\n\nYou can jump directly to Section 21 as PLONK and FFLONK do not require a circuit-specific trusted ceremony.\n\n#### Groth16\n```sh\nsnarkjs groth16 setup circuit.r1cs pot14_final.ptau circuit_0000.zkey\n```\n\nThis generates the reference `zkey` without phase 2 contributions.\n\nIMPORTANT: Do not use this zkey in production, as it's not safe. It requires at least one contribution.\n\nThe `zkey new` command creates an initial `zkey` file with zero contributions.\n\nThe `zkey` is a zero-knowledge key that includes both the proving and verification keys as well as phase 2 contributions.\n\nImportantly, one can verify whether a `zkey` belongs to a specific circuit or not.\n\nNote that `circuit_0000.zkey` (the output of the `zkey` command above)  does not include any contributions yet, so it cannot be used in a final circuit.\n\n*The following steps (15-20) are similar to the equivalent phase 1 steps, except we use `zkey` instead of `powersoftau` as the main command, and we generate `zkey` rather than `ptau` files.*\n\n### 16. Contribute to the phase 2 ceremony\n```sh\nsnarkjs zkey contribute circuit_0000.zkey circuit_0001.zkey --name=\"1st Contributor Name\" -v\n```\n\nThe `zkey contribute` command creates a `zkey` file with a new contribution.\n\nAs in phase 1, you'll be prompted to enter some random text to provide an extra source of entropy.\n\n\n### 17. Provide a second contribution\n```sh\nsnarkjs zkey contribute circuit_0001.zkey circuit_0002.zkey --name=\"Second contribution Name\" -v -e=\"Another random entropy\"\n```\n\nWe provide a second contribution.\n\n### 18. Provide a third contribution using third-party software\n\n```sh\nsnarkjs zkey export bellman circuit_0002.zkey  challenge_phase2_0003\nsnarkjs zkey bellman contribute bn128 challenge_phase2_0003 response_phase2_0003 -e=\"some random text\"\nsnarkjs zkey import bellman circuit_0002.zkey response_phase2_0003 circuit_0003.zkey -n=\"Third contribution name\"\n```\n\nAnd a third using [third-party software](https://github.com/kobigurk/phase2-bn254).\n\n### 19. Verify the latest `zkey`\n```sh\nsnarkjs zkey verify circuit.r1cs pot14_final.ptau circuit_0003.zkey\n```\n\nThe `zkey verify` command verifies a `zkey` file. It also prints the hashes of all the intermediary results to the console.\n\nWe verify the `zkey` file we created in the previous step, which means we check all the contributions to the second phase of the multi-party computation (MPC) up to that point.\n\nThis command also checks that the `zkey` file matches the circuit.\n\nIf everything checks out, you should see the following:\n\n```\n[INFO]  snarkJS: ZKey Ok!\n```\n\n### 20. Apply a random beacon\n```sh\nsnarkjs zkey beacon circuit_0003.zkey circuit_final.zkey 0102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f 10 -n=\"Final Beacon phase2\"\n```\n\nThe `zkey beacon` command creates a `zkey` file with a contribution applied in the form of a random beacon.\n\nWe use it to apply a random beacon to the latest `zkey` after the final contribution has been made (this is necessary to generate a final `zkey` file and finalize phase 2 of the trusted setup).\n\n### 21. Verify the final `zkey`\n```sh\nsnarkjs zkey verify circuit.r1cs pot14_final.ptau circuit_final.zkey\n```\n\nBefore we go ahead and export the verification key as a `json`, we perform a final check and verify the final protocol transcript (`zkey`).\n\n### 22. Export the verification key\n```sh\nsnarkjs zkey export verificationkey circuit_final.zkey verification_key.json\n```\nWe export the verification key from `circuit_final.zkey` into `verification_key.json`.\n\n\n### 23. Create the proof\n\n#### PLONK\n\n```sh\nsnarkjs plonk prove circuit_final.zkey witness.wtns proof.json public.json\n```\n\n#### FFLONK\n\n```sh\nsnarkjs fflonk prove circuit.zkey witness.wtns proof.json public.json\n```\n\n#### Groth16\n\n```sh\nsnarkjs groth16 prove circuit_final.zkey witness.wtns proof.json public.json\n```\n\nWe create the proof. This command generates the files `proof.json` and `public.json`: \n- `proof.json` contains the actual proof.\n- `public.json` contains the values of the public inputs and output.\n\n### 23a. Calculate the witness and generate the proof in one step\n\nNote that it's also possible to create the proof and calculate the witness in the same command by running:\n\n#### PLONK\n```sh\nsnarkjs plonk fullprove witness.json circuit.wasm circuit_final.zkey proof.json public.json\n```\n\n#### FFLONK\n```sh\nsnarkjs fflonk fullprove witness.json circuit.wasm circuit_final.zkey proof.json public.json\n```\n\n#### Groth16\n```sh\nsnarkjs groth16 fullprove input.json circuit.wasm circuit_final.zkey proof.json public.json\n```\n\n### 24. Verify the proof\n\n#### PLONK\n```sh\nsnarkjs plonk verify verification_key.json public.json proof.json\n```\n\n#### FFLONK\n```sh\nsnarkjs fflonk verify verification_key.json public.json proof.json\n```\n\n#### Groth16\n```sh\nsnarkjs groth16 verify verification_key.json public.json proof.json\n```\n\nWe use this command to verify the proof, passing in the `verification_key` we exported earlier.\n\nIf all is well, you should see that `OK` has been outputted to your console. This signifies the proof is valid.\n\n\n### 25. Turn the verifier into a smart contract\n```sh\nsnarkjs zkey export solidityverifier circuit_final.zkey verifier.sol\n```\n\nFinally, we export the verifier as a Solidity smart contract so that we can publish it on-chain -- using [remix](https://remix.ethereum.org/) for example. For details on how to do this, refer to section 4 of [this tutorial](https://blog.iden3.io/first-zk-proof.html).\n\n### 26. Simulate a verification call\n```sh\nsnarkjs zkey export soliditycalldata public.json proof.json\n```\n\nWe use `soliditycalldata` to simulate a verification call and cut-and-paste the result directly into the verifyProof field in the deployed smart contract in the remix environment.\n\nAnd voila! That's all there is to it :)\n\n\n## Using Node\n\n```sh\nnpm init\nnpm install snarkjs\n```\n\n```js\nconst snarkjs = require(\"snarkjs\");\nconst fs = require(\"fs\");\n\nasync function run() {\n    const { proof, publicSignals } = await snarkjs.groth16.fullProve({a: 10, b: 21}, \"circuit.wasm\", \"circuit_final.zkey\");\n\n    console.log(\"Proof: \");\n    console.log(JSON.stringify(proof, null, 1));\n\n    const vKey = JSON.parse(fs.readFileSync(\"verification_key.json\"));\n\n    const res = await snarkjs.groth16.verify(vKey, publicSignals, proof);\n\n    if (res === true) {\n        console.log(\"Verification OK\");\n    } else {\n        console.log(\"Invalid proof\");\n    }\n\n}\n\nrun().then(() =\u003e {\n    process.exit(0);\n});\n```\n\n## In the browser\n\nLoad `snarkjs.min.js` and start using it as usual.\n\n```\ncp node_modules/snarkjs/build/snarkjs.min.js .\n```\n\n\n```html\n\u003c!doctype html\u003e\n\u003chtml\u003e\n\u003chead\u003e\n  \u003ctitle\u003eSnarkjs client example\u003c/title\u003e\n\u003c/head\u003e\n\u003cbody\u003e\n\n  \u003ch1\u003eSnarkjs client example\u003c/h1\u003e\n  \u003cbutton id=\"bGenProof\"\u003e Create proof \u003c/button\u003e\n\n  \u003c!-- JS-generated output will be added here. --\u003e\n  \u003cpre class=\"proof\"\u003e Proof: \u003ccode id=\"proof\"\u003e\u003c/code\u003e\u003c/pre\u003e\n\n  \u003cpre class=\"proof\"\u003e Result: \u003ccode id=\"result\"\u003e\u003c/code\u003e\u003c/pre\u003e\n\n\n  \u003cscript src=\"snarkjs.min.js\"\u003e   \u003c/script\u003e\n\n\n  \u003c!-- This is the bundle generated by rollup.js --\u003e\n  \u003cscript\u003e\n\nconst proofComponent = document.getElementById('proof');\nconst resultComponent = document.getElementById('result');\nconst bGenProof = document.getElementById(\"bGenProof\");\n\nbGenProof.addEventListener(\"click\", calculateProof);\n\nasync function calculateProof() {\n\n    const { proof, publicSignals } =\n      await snarkjs.groth16.fullProve( { a: 3, b: 11}, \"circuit.wasm\", \"circuit_final.zkey\");\n\n    proofComponent.innerHTML = JSON.stringify(proof, null, 1);\n\n\n    const vkey = await fetch(\"verification_key.json\").then( function(res) {\n        return res.json();\n    });\n\n    const res = await snarkjs.groth16.verify(vkey, publicSignals, proof);\n\n    resultComponent.innerHTML = res;\n}\n\n  \u003c/script\u003e\n\n\u003c/body\u003e\n\u003c/html\u003e\n```\n\n## Security\n\nWe advise using the latest version of snarkjs as previous versions may contain bugs and security issues.\n\n## Common Issues\n\n### Multithreading with Worker Threads is not available in my execution environment\n\nThis happens in Bun, browser extensions, SES envs, etc.\n\nYou can switch to singlethreaded proof calculation using the following code:\n\n```javascript\nconst result = await snarkjs.groth16.prove(zkey_final, wtns, undefined, {singleThread: true});\n```\n\n### Control initial memory allocation in witness calculator\n\nTo minimize amount of memory allocated on the web you could pass a following option:\n\n```javascript\nawait wtnsCalculate(input, wasmFile, wtns, {memorySize: 0});\n```\n\n### Issues with Web Pack\n\n\n\n\n## Further resources\n- [Announcing the Perpetual Powers of Tau Ceremony to benefit all zk-SNARK projects](https://medium.com/coinmonks/announcing-the-perpetual-powers-of-tau-ceremony-to-benefit-all-zk-snark-projects-c3da86af8377)\n- [Scalable Multi-party Computation for zk-SNARK Parameters in\nthe Random Beacon Model](https://eprint.iacr.org/2017/1050.pdf)\n- [phase2-bn254](https://github.com/kobigurk/phase2-bn254)\n- [Perpetual Powers of Tau](https://github.com/weijiekoh/perpetualpowersoftau)\n- [Powers of Tau](https://github.com/ebfull/powersoftau)\n- [Trusted setup ceremonies explored](https://www.zeroknowledge.fm/133)\n- [Simple react project using snarkjs](https://github.com/LHerskind/snarkjs-react)\n\n## Final note\n\nWe hope you enjoyed this quick walk-through. Please address any questions you may have to our [telegram group](https://t.me/iden3io) (it’s also a great way to join the community and stay up-to-date with the latest circom and snarkjs developments) 💙\n\n## License\n\nsnarkjs is part of the iden3 project copyright 2018 0KIMS association and published with GPL-3 license. Please check the COPYING file for more details.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fiden3%2Fsnarkjs","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fiden3%2Fsnarkjs","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fiden3%2Fsnarkjs/lists"}