Generating proofs, verifying proofs and even generating keys in WebAssembly may hold many benefits:
It makes deployment of circuits very easy - the major browsers, both in desktop and mobile, support WebAssembly and show good performance when running it. It’s especially useful for smaller proofs which can run fast.
It allows re-using the same vetted libraries, such as bellman, that you use when running natively. This lowers the surface of danger and auditing needed.
In the cryptocurrency case, it allows for building web wallets for currencies such as Zcash. It also opens up the possibility for Ethereum dapps that use zkSNARKs that don’t need local installation.
It opens up the possibility for use-cases which are currently hard to deploy:
- Login using zkSNARKs - i.e., prove you know the pre-image of your password, with having to pass it over the wire.
- Zero-Knowledge Contingent Payment
- Proving you’re not in a blacklist or in a whitelist.
- And more…
Check out this demo on zkwasm.kobi.one, running a “knowledge of discrete log” proof for baby jubjub. It can:
- Generate proving and verification keys, allowing to save them to file or load from file to allow for sharing.
- Prove knowledge of discrete log by providing the exponent and getting as output the resulting element.
- Verification of the proof with the resulting element.
That said, this doesn’t come for free, and there are aspects that require consideration before using it for anything real:
- Random number generation - although the major browsers have access to the Web Crypto API, it’s not integrated with the Rust code. Currently, the code uses XorShiftRng, which is not suitable for cryptographic applications. The Rust WebAssembly target doesn’t support OsRng.
- XSS, CSRF and other OWASP goodies are also possible problems now.
- Code integrity should be carefully done, to make sure you are working on the proof that you want - i.e., using SRI.
- Probably many other more considerations needed when running in a browser.
It would be nice to discuss the following in the context of ZKP in WebAssembly:
- What do you think could make it practical?
- What are more interesting use-cases for it?
- What are other considerations that we should all think about?