[zapps-wg] Attestation 40
Daniel Benarroch
daniel at qed-it.com
Sun Jan 21 03:54:24 EST 2018
Hello all,
As you may have seen I delayed sharing my attestation until now (after
the amazing one by Ryan and Andrew), having shared the hash commitment
with Sean on Friday 19th at about 10:30am EST. The text file is attached.
sha256 of attestation file:
807dbdab834438008f6732898e33b4ffcc623833b3d46faaf665ca1d7e31bd5e
PS: I hope the attestation does not cause any negative reaction :)
Here is the signature of the sha256 (public key available on the MIT PGP key server):
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
807dbdab834438008f6732898e33b4ffcc623833b3d46faaf665ca1d7e31bd5e
-----BEGIN PGP SIGNATURE-----
Version: Mailvelope v2.1.1
Comment: https://www.mailvelope.com
=Wduz
-----END PGP SIGNATURE-----
Best,
Daniel Benarroch
=================================
Round: 40
Date: 2018-01-19
Location: Tel Aviv, Israel
Commit version: d47a1d3d1f007063cbcc35f1ab902601a8b3bd91
SHA256 challenge file: 73e4aac6895fd457ffe6946a6fcd1d0eef88f77b6daebd6348ee19e629c7de13
Blake2b response file:
The BLAKE2b hash of `./response` is:
8a5a9bcb a9c3ab76 c7e3a881 2ccd01e6
847204b6 61ca79a5 ee675e04 93d4b2ac
a516533e 8674577f a67568f5 06ccff56
55192c8d 28416526 38155fe6 ba8db30a
Preparation steps
=================
Initially I wanted to ensure a secure execution environment, so I took an old 64-bit ASUS with an Intel Core i3-3217U at 1.8 GHz and 4GB of DDR3 RAM. It had Windows 8 installed and I rebooted it from a USB drive with the latest stable Ubuntu 16.04.
I planned on removing the unnecessary hardware and isolating the machine, to then destroy the memory for unrecoverability of the randomness. Then I realized that this is round 40 and that most of the executions actually took the time and effort (good job everyone!) to implement such practical security properties. So I felt like (given that I am less of an engineer and more theoretically oriented) I wanted to emphasize the theoretical security aspects of this powers of tau construction more, giving some extra recognition to the authors.
Hence I decided to become a (limited) adversarial player in this MPC computation by allowing for the low-hanging-fruit vulnerabilities. First, I computed the response file while connected to the internet and shared on Twitter the fact that I was computing the response file from a given IP address while connected to the internet.
Tweet: https://twitter.com/BenarrochDaniel/status/954353954091085824
Second, here is the exact entropy I added to the computation when asked by the program: "this is my randomness for powers of tau", which reduces the computing effort needed to recover the rest of the entropy used for the random generator.
Post-processing
===============
Third, I have not erased any of the challenge or response files, nor cleared my memory, which I believe *should* have enough information to recover my share of randomness to the accumulator. If I had thought of this previously I would have changed the source code to print out my share (maybe someone wants to do it).
As a final note, my purpose is clearly not to sabotage the MPC ceremony, but to reinforce the fact that its secure execution relies mostly on the cryptographic security of the scheme and not on the practical security features of the execution. Given that at least one of the participants performed the steps properly and erased any trace without having been intercepted, the non-encoded powers of tau vector should not be recoverable and hence soundness of the SNARK will still hold. I believe that there has already been at least one such instance, so if anyone wants to recover my share, feel free.
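For anyone checking an attestation like this one, the two things to recompute are the BLAKE2b-512 hash of the response file (printed by the ceremony tooling in the 4x4 word layout shown above) and the SHA-256 hash commitment of the attestation text that was announced before the file was published. The helper below is an added example, not code from this post or from the powers of tau tooling; the response bytes and attestation text it hashes are constructed stand-ins, and the function names are my own.

```python
"""Recompute a powers-of-tau attestation's hashes: BLAKE2b-512 of the
response file in the 4x4 word layout, and the SHA-256 hash commitment of the
attestation text.  Added example; not code from the post or the ceremony
tooling.  Sample inputs are constructed."""
import hashlib
import hmac
import re


def blake2b_layout(data: bytes) -> str:
    """BLAKE2b-512 of `data` laid out as 16 groups of 8 hex chars,
    4 groups per line (the layout used in the attestation)."""
    hexdigest = hashlib.blake2b(data, digest_size=64).hexdigest()
    words = [hexdigest[i:i + 8] for i in range(0, len(hexdigest), 8)]
    return "\n".join(" ".join(words[row:row + 4]) for row in range(0, 16, 4))


def normalize_hex(text: str) -> str:
    """Strip whitespace and case so a hash pasted from an attestation
    compares equal to hexdigest() output."""
    return re.sub(r"\s+", "", text).lower()


def response_matches(data: bytes, attested_hash: str) -> bool:
    """True iff `attested_hash` (in any whitespace layout) is the
    BLAKE2b-512 hash of `data`.  Malformed attested values fail closed."""
    expected = normalize_hex(attested_hash)
    if not re.fullmatch(r"[0-9a-f]{128}", expected):
        return False
    actual = hashlib.blake2b(data, digest_size=64).hexdigest()
    return hmac.compare_digest(actual, expected)


def sha256_commitment(attestation_text: bytes) -> str:
    """The hash commitment a participant announces before publishing
    the attestation text."""
    return hashlib.sha256(attestation_text).hexdigest()


def commitment_matches(attestation_text: bytes, announced_sha256: str) -> bool:
    """True iff the SHA-256 announced in advance equals the SHA-256 of the
    attestation text that was published later."""
    expected = normalize_hex(announced_sha256)
    if not re.fullmatch(r"[0-9a-f]{64}", expected):
        return False
    return hmac.compare_digest(sha256_commitment(attestation_text), expected)


# Constructed sample data standing in for a real ./response file and the
# attestation text file; real inputs would be read from disk.
SAMPLE_RESPONSE = b"constructed stand-in for a powers of tau response file\n" * 1024
SAMPLE_ATTESTATION = b"Round: 40\nDate: 2018-01-19\n(constructed sample text)\n"

if __name__ == "__main__":
    layout = blake2b_layout(SAMPLE_RESPONSE)
    print("BLAKE2b of sample response:\n" + layout)
    print("response matches attested hash:", response_matches(SAMPLE_RESPONSE, layout))
    # A single changed byte in the response must break the check.
    tampered = SAMPLE_RESPONSE[:-1] + b"!"
    print("tampered response matches:", response_matches(tampered, layout))
    announced = sha256_commitment(SAMPLE_ATTESTATION)
    print("announced commitment:", announced)
    print("commitment matches text:", commitment_matches(SAMPLE_ATTESTATION, announced))
```

To check a real round, read `./response` and the attestation text file in binary mode and pass the hash strings exactly as they appear in the mailing-list post; the whitespace layout is normalized before comparison, so the four-line form and a single hex string are treated the same.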