[zapps-wg] Cut-off date for Powers of Tau Contributions

Sean Bowe sean at z.cash
Fri Mar 9 13:03:22 EST 2018


These are good suggestions, but I don't think any of the relevant
attack vectors could feasibly hide from analysis. Perhaps a ceremony
based on Powers of Tau can address them for additional confidence.

I don't think anyone posted their compute binaries but many did post
hashes of them, which is sufficient to reproduce them and ensure
consistency between the toolchains and resulting binary behavior. I
feel like an attack that survives this kind of scrutiny would be
unbelievable.

Here's an example: I didn't use the mrustc build path, but my
participation benefits from it concretely. My participation used a
cut-and-choose protocol to make it difficult for the machine to guess
which (deterministic!) response file I intended to select before it
committed to all of the accepted outputs. If there were some kind of
compiler backdoor I could compile the code with the mrustc build path
and check that it produces the same output, mitigating _any_ kind of
backdoor in the Rust compiler distributions.

Sean

On Fri, Mar 9, 2018 at 9:49 AM, Devrandom <c1.devrandom at niftybox.net> wrote:
> Hi all,
>
> I have some concerns about the lack of diversity of contributions:
>
> - most (all?) of the contributions used a distributed Rust toolchain, which
> suffers from the "trusting-trust" issue since they are self-compiled.  I
> don't think I've seen any contributions using the mrustc build path.
> - there were very few contributions (two?) using the golang implementation
> - no attempt has been made to replicate the deterministic golang build
> - people did not capture the binary they used, so we can't do forensics in
> case of future questions
> - there were no contributions using alternative processor architectures
> (e.g. ARM64).  I believe this is possible using the golang implementation.
> - there was a lot of focus on destroying toxic waste and not enough on the
> trustworthiness of the tools
>
> Lastly, the deadline was announced less than a week in advance, which makes
> it difficult to address the above issues.
>
> On Thu, Mar 8, 2018 at 5:25 PM Andrew Miller via zapps-wg
> <zapps-wg at lists.z.cash.foundation> wrote:
>>
>> Let me add a bit to this:
>> 1. First of all, all the code you need to add your own rounds to
>> powers-of-tau is already provided in Sean's repo. You could fork the
>> repository and add more rounds yourself if you wanted to. You could also
>> start using the powers-of-tau from early phases if you want to.
>> 2. While we'll go along with Sean's suggestion to conclude the "official"
>> one on Mar 15, which will be used for Sapling, if there's interest from the
>> community in continuing to add more rounds, the Foundation will continue to
>> facilitate that, probably in another branch to avoid any confusion.
>> 3. So far we have only been doing powers of tau for the 2^21 size circuit,
>> over the BLS12-381 curve. If there is any interest in conducting Powers of
>> Tau for larger circuit sizes, or for different curves (such as the alt_bn128
>> supported in Ethereum), then the Foundation would support that too. Although
>> someone would have to adapt Sean's or FiloSottile's code to do so...
>>
>> Cheers,
>>
>> On Mon, Mar 5, 2018 at 11:03 PM, Sean Bowe via zapps-wg
>> <zapps-wg at lists.z.cash.foundation> wrote:
>>>
>>> We're almost finished with the Powers of Tau ceremony!
>>>
>>> On March 15 no new contributions will be accepted. If you still want to
>>> participate, you will need to contact Jason Davies ASAP and arrange for a
>>> time.
>>>
>>> I'll be making an announcement about the random beacon soon.
>>>
>>> Thanks,
>>>
>>> Sean
>>
>>
>>
>>
>> --
>> Andrew Miller
>> University of Illinois at Urbana-Champaign
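The cut-and-choose idea in Sean's first paragraph, as an added illustration (not Sean Bowe's actual participation tooling and not the powers-of-tau code): an untrusted machine computes N deterministic candidate responses, publishes a commitment to all of them, and only then does the participant pick one index. The unchosen candidates are recomputed on an independent path (the stand-in here for an mrustc-built binary) and compared; the chosen one becomes the contribution. The response derivation, the commitment scheme, and all function names are hypothetical stand-ins for the real ceremony files.

```python
"""Commit-then-choose toy model of a ceremony contribution (added example)."""
import hashlib


def reference_response(seed: bytes) -> bytes:
    """Independent, trusted recomputation of a candidate (hypothetical stand-in
    for a response file rebuilt with a separately compiled toolchain)."""
    return hashlib.sha256(b"response:" + seed).digest()


def commit(outputs: list[bytes]) -> str:
    """Commitment to the whole candidate set: hash of the per-file hashes."""
    digests = [hashlib.sha256(o).hexdigest() for o in outputs]
    return hashlib.sha256("\n".join(digests).encode()).hexdigest()


def untrusted_machine(seeds: list[bytes], tampered: set[int]) -> list[bytes]:
    """Simulated backdoored build: corrupts the candidates listed in `tampered`."""
    outputs = []
    for i, seed in enumerate(seeds):
        out = reference_response(seed)
        if i in tampered:
            out = bytes(b ^ 0xFF for b in out)  # constructed corruption
        outputs.append(out)
    return outputs


def audit(seeds: list[bytes], outputs: list[bytes],
          published_commit: str, choice: int) -> tuple[bool, str]:
    """Verify a contribution after the choice was made.

    Rejects if the outputs no longer match the commitment published before
    the choice, or if any unchosen candidate differs from the independent
    recomputation. The chosen candidate is deliberately not recomputed: it is
    the one that gets used, and in a real ceremony its secret is destroyed.
    """
    if commit(outputs) != published_commit:
        return False, "outputs changed after commitment"
    for i, seed in enumerate(seeds):
        if i != choice and outputs[i] != reference_response(seed):
            return False, f"unchosen candidate {i} differs from independent build"
    return True, "ok"


def evasion_probability(n: int, tampered: set[int]) -> float:
    """Fraction of uniformly random choices for which a machine that corrupted
    exactly the candidates in `tampered` passes the audit AND the chosen
    candidate is one of the corrupted ones (the participant uses bad output)."""
    seeds = [bytes([i]) * 8 for i in range(n)]  # constructed seeds
    outputs = untrusted_machine(seeds, tampered)
    c = commit(outputs)
    bad = 0
    for choice in range(n):
        ok, _ = audit(seeds, outputs, c, choice)
        if ok and choice in tampered:
            bad += 1
    return bad / n


if __name__ == "__main__":
    print("corrupt one of 8 candidates:", evasion_probability(8, {3}))   # 0.125
    print("corrupt two of 8 candidates:", evasion_probability(8, {3, 5}))  # 0.0
```

Two things the model makes concrete. A machine that wants the selected output to be bad must either corrupt every candidate, which any single independent recomputation of an unchosen candidate exposes, or guess the index before committing, which succeeds with probability 1/N. And a machine that waits for the choice and then swaps the output fails the commitment check, which is why the commitment has to be published before the participant reveals the index.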