Concerns about R1CS in zkSNARKs

Hi all, ​ I have been understanding about zero-information proofs lately and I have some queries about zkSNARKS: 1. In R1CS constraints, how do you protect against the primary field from overflowing? Suppose we are in GF(3) and our constraint is 1 + x = 2 (mod 3). Then any x = 1 mod 3 would fulfill the constraint, correct? This seems to be a major security concern. 2. In R1CS, multiplication of a witness by a continuous is free since we can just represent it as one more variable without the need of using an additional constraint. What about multiplying with an instance variable? Are they no cost? 3. Let us say I needed to put into action a zkSNARK with a library like Bellman or libsnark. How would the trustworthy installation get the job done? Would a trustworthy third bash produce the calculation and the prover be the witness? Many thanks!

About is a news websites which gets news around the globe on investing in Crypto. Our news has no backgroundcheck.

1 thought on “Concerns about R1CS in zkSNARKs”

  1. > In R1CS constraints, how do you prevent overflow of the prime field?

    It is up to the application designer to pick a field in which it will not overflow. Traditional input sanitization checks are also useful here.

    >What about multiplication with an instance variable? Are those free?

    Not usually, no, you’d put another constraint there.

    > How would the trusted setup work? Would a trusted third party generate the computation, and the prover generate the witness?

    That’s scheme dependent, you’d have to look into their API to determine what’s the best way of going about this. You could also use a scheme with no trusted setup.


Leave a Comment