<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>
<TITLE> [zapps-wg] Powers of Tau Ceremony Proposal
</TITLE>
<LINK REL="Index" HREF="/pipermail/zapps-wg/2017/index.html" >
<LINK REL="made" HREF="mailto:zapps-wg%40lists.zfnd.org?Subject=Re%3A%20%5Bzapps-wg%5D%20Powers%20of%20Tau%20Ceremony%20Proposal&In-Reply-To=%3CCAKazn3n0pyEYTcO2-gPZyaevPr9mYUwpX04maEmxARCqFcx%3D3Q%40mail.gmail.com%3E">
<META NAME="robots" CONTENT="index,nofollow">
<style type="text/css">
pre {
white-space: pre-wrap; /* css-2.1, current FF, Opera, Safari */
}
</style>
<META http-equiv="Content-Type" content="text/html; charset=us-ascii">
<LINK REL="Previous" HREF="000000.html">
<LINK REL="Next" HREF="000002.html">
</HEAD>
<BODY BGCOLOR="#ffffff">
<H1>[zapps-wg] Powers of Tau Ceremony Proposal</H1>
<B>Sean Bowe</B>
<A HREF="mailto:zapps-wg%40lists.zfnd.org?Subject=Re%3A%20%5Bzapps-wg%5D%20Powers%20of%20Tau%20Ceremony%20Proposal&In-Reply-To=%3CCAKazn3n0pyEYTcO2-gPZyaevPr9mYUwpX04maEmxARCqFcx%3D3Q%40mail.gmail.com%3E"
TITLE="[zapps-wg] Powers of Tau Ceremony Proposal">sean at z.cash
</A><BR>
<I>Wed Nov 8 16:04:24 EST 2017</I>
<P><UL>
<LI>Previous message (by thread): <A HREF="000000.html">[zapps-wg] test post
</A></li>
<LI>Next message (by thread): <A HREF="000002.html">[zapps-wg] Powers of Tau Ceremony Proposal
</A></li>
<LI> <B>Messages sorted by:</B>
<a href="date.html#1">[ date ]</a>
<a href="thread.html#1">[ thread ]</a>
<a href="subject.html#1">[ subject ]</a>
<a href="author.html#1">[ author ]</a>
</LI>
</UL>
<HR>
<!--beginarticle-->
<PRE>Ariel Gabizon, Ian Miers and I have just published a new paper detailing a
multi-party computation (MPC) protocol for constructing zk-SNARK public
parameters.

<A HREF="https://eprint.iacr.org/2017/1050">https://eprint.iacr.org/2017/1050</A>

The highlights are:

* It allows for a single, gigantic ceremony to take place for all possible
zk-SNARK circuits within a given size bound. The results of this ceremony
are partial zk-SNARK parameters for the entire community. We call this
communal ceremony the Powers of Tau.

* If you want to use zk-SNARKs in your protocols, you still have to do an
MPC for your circuit. But because of the Powers of Tau ceremony, your
ceremony is much cheaper to perform and the costs per-participant scale
linearly with respect to the circuit complexity.

* The best part is that the Powers of Tau and these circuit-specific MPCs
can scale to hundreds/thousands of participants. As the number of
participants grows, it becomes unrealistic that all of them could be
compromised.

So, let's do the Powers of Tau ceremony! The Zcash Foundation is excited to
participate in the process. The Zcash Company is particularly excited in
starting soon because we want to leverage it for our next MPC for the
Sapling upgrade of Zcash.

The MPC protocol for this ceremony only requires that one participant
successfully destroy the secret randomness they sample during their part.
We intend to give participants total flexibility in deciding how to
participate; we don't mind what software, hardware or OS you use.

I have written some Rust software for participants to run:

<A HREF="https://github.com/ebfull/powersoftau">https://github.com/ebfull/powersoftau</A>

In order to simplify auditing, I won't be making any more changes to the
code unless absolutely necessary. You don't have to use this software, but
there are no alternative implementations at this time. I think it should be
feasible to write a C version of the code using the RELIC toolkit, which
has implemented BLS12-381. I am very confident in the Rust code, though,
and I believe in its stability/correctness.

I have some opinions about the ceremony:

1. I disagree with processes that don't improve security of the ceremony.
Having a small surface area of code and process increases the chance that
bugs will be discovered by auditors because there are fewer things that can
go wrong. Remember that there is already quite a bit for the public to
check: the transcript correctness, the code correctness, the randomness
beacon, the cryptographic proof, code dependencies, etc.

2. It needs to start soon so that it can be useful for the Sapling MPC.

3. It needs to have lots of reputable participants by the time we start the
Sapling MPC.

Given the above, I would like to suggest that we start the ceremony now
using my existing code, which supports circuits up to 2^21 gates. This
means people would just get in contact with me if they want to participate
and I'll schedule them in. I'll try to prioritize reputable people, but
I'll allow pretty much anyone I have time to. Everything that I do is
publicly verifiable (there is a transcript at the end of the ceremony which
people can check).

Andrew Miller has a few interesting ideas for a more distributed process
for scheduling &quot;who goes next&quot; but there are some disadvantages and risks
involved IMO. In any case, the process can be changed later without
affecting anything, so I don't see a purpose in delaying the start of the
ceremony on such things.

I'd like to hear from others about this plan so we can begin soon!

Sean Bowe
Zcash Company
</PRE>
<!--endarticle-->
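<P>The message above describes the ceremony only at a high level: participants take turns folding fresh secret randomness into a running set of "powers of tau", the transcript of every turn is public, and the final secret stays hidden as long as a single participant destroyed their randomness. The block below is an added example written for this archive page, not code from the powersoftau repository or the paper, and it is a toy: the group is Z_p^* for the Mersenne prime 2^61 - 1 with the base 37 (assumed, not verified to be a generator; any base works for the toy), exponents live in Z_(p-1), and a Schnorr proof of knowledge stands in for the knowledge-of-exponent proof each participant publishes. The pairing-based check that ties each published power to the participant's public key has no analogue without a bilinear map and is deliberately omitted, so <CODE>verify_step</CODE> only checks the proof of knowledge and that g^(tau^0) is untouched. The secrets and nonces are constructed constants; a real participant samples them from a CSPRNG and then destroys them.</P>

```rust
use std::collections::hash_map::DefaultHasher;
use std::hash::{Hash, Hasher};

// Toy model of a sequential Powers of Tau ceremony (added example, not the
// powersoftau code). Group: Z_p^* for p = 2^61 - 1; exponents are taken mod p - 1,
// which is sound for any base because g^(p-1) = 1 for every g in Z_p^* (Fermat).
const P: u64 = 2_305_843_009_213_693_951; // 2^61 - 1 (prime)
const Q: u64 = P - 1;                      // exponent modulus
const G: u64 = 37;                         // assumed base for the toy group
const DEGREE: usize = 4;                   // accumulator holds g^(tau^0) .. g^(tau^DEGREE)

fn mul_mod(a: u64, b: u64, m: u64) -> u64 {
    ((a as u128 * b as u128) % m as u128) as u64
}

fn pow_mod(mut base: u64, mut exp: u64, m: u64) -> u64 {
    let mut acc = 1 % m;
    base %= m;
    while exp > 0 {
        if exp & 1 == 1 { acc = mul_mod(acc, base, m); }
        base = mul_mod(base, base, m);
        exp >>= 1;
    }
    acc
}

/// Published accumulator: [g^(tau^0), g^(tau^1), ..., g^(tau^DEGREE)].
#[derive(Clone, Debug, PartialEq)]
pub struct Accumulator { pub powers: Vec<u64> }

/// What a participant publishes alongside the new accumulator:
/// g^s plus a Schnorr (Fiat-Shamir) proof of knowledge of s.
#[derive(Clone, Debug)]
pub struct Contribution { pub pubkey: u64, pub commitment: u64, pub response: u64 }

/// Accumulator for a known tau (only used to cross-check the ceremony's output).
pub fn accumulator_for_tau(tau: u64) -> Accumulator {
    Accumulator { powers: (0..=DEGREE as u64).map(|i| pow_mod(G, pow_mod(tau, i, Q), P)).collect() }
}

// Fiat-Shamir challenge; DefaultHasher is a stand-in for a real hash function.
fn challenge(pubkey: u64, commitment: u64, tau_power: u64) -> u64 {
    let mut h = DefaultHasher::new();
    (pubkey, commitment, tau_power).hash(&mut h);
    h.finish() % Q
}

/// One participant's turn: raise the i-th power to s^i, so tau becomes tau * s,
/// and prove knowledge of s. Both s and nonce must be fresh and then destroyed.
pub fn contribute(prev: &Accumulator, s: u64, nonce: u64) -> (Accumulator, Contribution) {
    let powers = prev.powers.iter().enumerate()
        .map(|(i, &p_i)| pow_mod(p_i, pow_mod(s, i as u64, Q), P))
        .collect();
    let next = Accumulator { powers };
    let pubkey = pow_mod(G, s, P);
    let commitment = pow_mod(G, nonce, P);
    let c = challenge(pubkey, commitment, next.powers[1]);
    let response = (nonce as u128 + mul_mod(c, s, Q) as u128) % Q as u128;
    (next, Contribution { pubkey, commitment, response: response as u64 })
}

/// Public check of one turn. The real protocol also verifies, with pairings,
/// that every new power equals the previous one raised to s^i; a plain DL group
/// cannot express that check, so this toy verifies only the proof of knowledge.
pub fn verify_step(prev: &Accumulator, next: &Accumulator, contrib: &Contribution) -> bool {
    if next.powers.len() != prev.powers.len() || next.powers[0] != G || prev.powers[0] != G {
        return false;
    }
    let c = challenge(contrib.pubkey, contrib.commitment, next.powers[1]);
    let lhs = pow_mod(G, contrib.response, P);
    let rhs = mul_mod(contrib.commitment, pow_mod(contrib.pubkey, c, P), P);
    lhs == rhs
}

/// Run participants in order; returns the final accumulator and the public transcript.
pub fn run_ceremony(secrets: &[(u64, u64)]) -> (Accumulator, Vec<(Accumulator, Contribution)>) {
    let mut acc = Accumulator { powers: vec![G; DEGREE + 1] }; // tau = 1 before anyone contributes
    let mut transcript = Vec::new();
    for &(s, nonce) in secrets {
        let (next, contrib) = contribute(&acc, s, nonce);
        transcript.push((next.clone(), contrib));
        acc = next;
    }
    (acc, transcript)
}

/// Anyone can replay the transcript from the fixed starting accumulator.
pub fn verify_transcript(transcript: &[(Accumulator, Contribution)]) -> bool {
    let mut prev = Accumulator { powers: vec![G; DEGREE + 1] };
    for (next, contrib) in transcript {
        if !verify_step(&prev, next, contrib) { return false; }
        prev = next.clone();
    }
    true
}

fn main() {
    // Constructed secrets and nonces; a real participant samples and then destroys its own.
    let secrets = [(0x1234_5678_9abc_def1u64, 0x0f0f_0f0f_0f0f_0f0fu64),
                   (0x0bad_cafe_0bad_cafeu64, 0x1111u64),
                   (0xdead_beef_0000_0001u64, 0x2222u64)];
    let (acc, transcript) = run_ceremony(&secrets);
    println!("transcript valid: {}", verify_transcript(&transcript));
    let tau = secrets.iter().fold(1u64, |t, &(s, _)| mul_mod(t, s, Q));
    println!("final powers equal g^(tau^i) for tau = product of all secrets: {}",
             acc == accumulator_for_tau(tau));
}
```

<P>The final accumulator equals g^(tau^i) for tau = s_1 * s_2 * ... * s_n, so an attacker who learns every secret but one still faces an unknown tau; that is the "only one participant has to destroy their randomness" property from the message. The toy also shows why the verifier recomputes the chain from a fixed starting point: a participant cannot silently reset tau, because every turn must come with a proof of knowledge of the factor they multiplied in.</P>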
<HR>
<hr>
<a href="/mailman/listinfo/zapps-wg">More information about the zapps-wg
mailing list</a><br>
</body></html>