521 lines
28 KiB
HTML
521 lines
28 KiB
HTML
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
|
<HTML>
|
|
<HEAD>
|
|
<TITLE> [zapps-wg] Powers of Tau Ceremony Proposal
|
|
</TITLE>
|
|
<LINK REL="Index" HREF="/pipermail/zapps-wg/2017/index.html" >
|
|
<LINK REL="made" HREF="mailto:zapps-wg%40lists.zfnd.org?Subject=Re%3A%20%5Bzapps-wg%5D%20Powers%20of%20Tau%20Ceremony%20Proposal&In-Reply-To=%3CCACRwLSN%3DHQWra4ZeCY3U-gKyMUWpyVz4_OKJNinxn3W3Chkp0w%40mail.gmail.com%3E">
|
|
<META NAME="robots" CONTENT="index,nofollow">
|
|
<style type="text/css">
|
|
pre {
|
|
white-space: pre-wrap; /* css-2.1, curent FF, Opera, Safari */
|
|
}
|
|
</style>
|
|
<META http-equiv="Content-Type" content="text/html; charset=us-ascii">
|
|
<LINK REL="Previous" HREF="000014.html">
|
|
<LINK REL="Next" HREF="000016.html">
|
|
</HEAD>
|
|
<BODY BGCOLOR="#ffffff">
|
|
<H1>[zapps-wg] Powers of Tau Ceremony Proposal</H1>
|
|
<B>Matt Drollette</B>
|
|
<A HREF="mailto:zapps-wg%40lists.zfnd.org?Subject=Re%3A%20%5Bzapps-wg%5D%20Powers%20of%20Tau%20Ceremony%20Proposal&In-Reply-To=%3CCACRwLSN%3DHQWra4ZeCY3U-gKyMUWpyVz4_OKJNinxn3W3Chkp0w%40mail.gmail.com%3E"
|
|
TITLE="[zapps-wg] Powers of Tau Ceremony Proposal">matt at drollette.com
|
|
</A><BR>
|
|
<I>Sat Nov 11 22:24:30 EST 2017</I>
|
|
<P><UL>
|
|
<LI>Previous message (by thread): <A HREF="000014.html">[zapps-wg] Powers of Tau Ceremony Proposal
|
|
</A></li>
|
|
<LI>Next message (by thread): <A HREF="000016.html">[zapps-wg] Powers of Tau Ceremony Proposal
|
|
</A></li>
|
|
<LI> <B>Messages sorted by:</B>
|
|
<a href="date.html#15">[ date ]</a>
|
|
<a href="thread.html#15">[ thread ]</a>
|
|
<a href="subject.html#15">[ subject ]</a>
|
|
<a href="author.html#15">[ author ]</a>
|
|
</LI>
|
|
</UL>
|
|
<HR>
|
|
<!--beginarticle-->
|
|
<PRE>I'd like to be added to the queue. Happy to go after Cody unless there are
|
|
others already lined up.
|
|
|
|
|
|
---
|
|
*Matt Drollette*
|
|
|
|
On Sat, Nov 11, 2017 at 4:31 PM, Sean Bowe via zapps-wg <
|
|
<A HREF="/mailman/listinfo/zapps-wg">zapps-wg at lists.z.cash.foundation</A>> wrote:
|
|
|
|
><i> Thanks Jared! Awesome! I've verified the contribution and put your
|
|
</I>><i> response file up on the transcript repository.
|
|
</I>><i>
|
|
</I>><i> Can you submit a PR here to fill in more information (including a
|
|
</I>><i> signed attestation):
|
|
</I>><i> <A HREF="https://github.com/ZcashFoundation/powersoftau-">https://github.com/ZcashFoundation/powersoftau-</A>
|
|
</I>><i> attestations/tree/master/0003
|
|
</I>><i>
|
|
</I>><i> Cody Burns is going next.
|
|
</I>><i>
|
|
</I>><i> Sean
|
|
</I>><i>
|
|
</I>><i> On Sat, Nov 11, 2017 at 1:35 PM, Jared Tobin <<A HREF="/mailman/listinfo/zapps-wg">jared at jtobin.io</A>> wrote:
|
|
</I>><i> >
|
|
</I>><i> > Hi all, here's my report:
|
|
</I>><i> >
|
|
</I>><i> > Powers of Tau Operational Writeup
|
|
</I>><i> > =================================
|
|
</I>><i> >
|
|
</I>><i> > Round: 3
|
|
</I>><i> > Date: 2017-11-12
|
|
</I>><i> > Name: Jared Tobin
|
|
</I>><i> > Location: Auckland, NZ
|
|
</I>><i> >
|
|
</I>><i> > Challenge:
|
|
</I>><i> > e712fa22f1d027a0b4ce3ef698f26d5cab07c3380e4c24a479a914c85617
|
|
</I>><i> fd1a2960b386cceb5c94718979010a1b7ed8b6145da872f0744e06503bd664fe7283
|
|
</I>><i> > Response:
|
|
</I>><i> > cb48afb82ab4c476ae741633c3eb6643e7700dc7b2b4701af91e3cc93227
|
|
</I>><i> 0b96c375e5f3a5c20c96fac6c9b40a5bba6c956d66f223f090c545c277aa05427757
|
|
</I>><i> >
|
|
</I>><i> > Preparation Steps
|
|
</I>><i> > =================
|
|
</I>><i> >
|
|
</I>><i> > Being somewhat pressed for time and hardware, I recruited several
|
|
</I>><i> > geographically-distributed volunteers that I know well and trust
|
|
</I>><i> > completely to help me out. In the end, the following volunteers were
|
|
</I>><i> > able to get back to me in time:
|
|
</I>><i> >
|
|
</I>><i> > * Shawn Tobin (RSA Canada)
|
|
</I>><i> > * Fredrik Harryson (Parity Technologies)
|
|
</I>><i> > * Jason Forbes (Kraken Sonar Systems)
|
|
</I>><i> >
|
|
</I>><i> > I set up a private Keybase team with the above volunteers, distributed
|
|
</I>><i> > the challenge to them over KBFS, and gave them instructions over the
|
|
</I>><i> > team chat on how to proceed. Each was to add entropy and compute the
|
|
</I>><i> > response locally using whatever mechanisms they preferred (report not
|
|
</I>><i> > required), then return their response/hash pairs to me over KBFS. Each
|
|
</I>><i> > member was to use the code in Sean's powersoftau repository as of commit
|
|
</I>><i> > 9e1553c437183540392a7231d0788318a19b18a3 to perform the computation.
|
|
</I>><i> >
|
|
</I>><i> > Procedure
|
|
</I>><i> > =========
|
|
</I>><i> >
|
|
</I>><i> > I computed a response locally in rather mundane fashion using rustc
|
|
</I>><i> > 1.21.0 on an early-2015 model Macbook Air running Sierra. Eventually
|
|
</I>><i> > the volunteers managed to upload their response/hash pairs to KBFS, and
|
|
</I>><i> > I randomly selected one of the resulting four responses to submit for my
|
|
</I>><i> > piece of the MPC.
|
|
</I>><i> >
|
|
</I>><i> > I uploaded the resulting response via the handy app Sean provided me
|
|
</I>><i> with.
|
|
</I>><i> >
|
|
</I>><i> > Side channel defences
|
|
</I>><i> > =====================
|
|
</I>><i> >
|
|
</I>><i> > I used broad geographical distribution and randomness to mitigate the
|
|
</I>><i> > possibility of successful side channel attacks. Shawn was located in
|
|
</I>><i> > Vancouver, Canada, Fredrik was located in Malmö, Sweden, and Jason was
|
|
</I>><i> > located in St. John's, Canada.
|
|
</I>><i> >
|
|
</I>><i> > I selected the response to upload by pre-determining a correspondence
|
|
</I>><i> > between names and numbers, and then walking outside and asking the first
|
|
</I>><i> > stranger I saw to pick a number between one and four.
|
|
</I>><i> >
|
|
</I>><i> > - jared
|
|
</I>><i> >
|
|
</I>><i> >
|
|
</I>><i> > On Sat, Nov 11, 2017 at 12:25:33AM +0000, Jason Davies via zapps-wg
|
|
</I>><i> wrote:
|
|
</I>><i> >> Hi all,
|
|
</I>><i> >>
|
|
</I>><i> >> Here is my report:
|
|
</I>><i> >>
|
|
</I>><i> >> Powers of Tau Operational Writeup
|
|
</I>><i> >> =================================
|
|
</I>><i> >>
|
|
</I>><i> >> Round: 2
|
|
</I>><i> >> Date: 2017-11-10
|
|
</I>><i> >> Name: Jason Davies
|
|
</I>><i> >> Location: London, UK
|
|
</I>><i> >>
|
|
</I>><i> >> Challenge: 467bc84f6eb98ff956eaf12a1b7ef4dc0aff1093c7a0d5c1dfbdb85bbfff
|
|
</I>><i> b20a43965d0daefee3fec6c1a47af69100e117b44b74371824ac8af1e33b6f91add5
|
|
</I>><i> >> Response: 2f728af894524f55bda7a3e2c2e2db6a57a992811e90ed57456d62aead51
|
|
</I>><i> 06cdc5c97c86532d14b5185cc74d169f1b0c2c0ef1e582231ffa7936da55047c0cb2
|
|
</I>><i> >>
|
|
</I>><i> >> Preparation Steps
|
|
</I>><i> >> =================
|
|
</I>><i> >>
|
|
</I>><i> >> Git repository: <A HREF="https://github.com/ebfull/powersoftau">https://github.com/ebfull/powersoftau</A>
|
|
</I>><i> >> Commit hash: 9e1553c437183540392a7231d0788318a19b18a3
|
|
</I>><i> >> Compiler: rustc 1.23.0-nightly (d6b06c63a 2017-11-09)
|
|
</I>><i> >> Build: cargo build --release --features=u128-support
|
|
</I>><i> >> b2sum(./target/release/compute): be42f68b07c5c857bb6561a9ac2967
|
|
</I>><i> d671ef412a71c87c2fb31776a6ab38c756736de66e554553021e129ecab4
|
|
</I>><i> 5d922092873df8b71bd9a775ec05f189485198
|
|
</I>><i> >>
|
|
</I>><i> >> I used a brand new 16GB USB stick and loaded ubuntu-17.04-desktop-amd64.iso;
|
|
</I>><i> b2sum: 6a1c975b25b4e7f2dbf4fda84fe8b5de3ed6f4532b8c4f17e533ed11a0a8
|
|
</I>><i> b5b9ad9fb83e8e4b89447c3a427be73f77a5f7c71b7f733fcc4bebf346e9c5c0de43.
|
|
</I>><i> >>
|
|
</I>><i> >> I reformatted a second brand new 16GB USB stick to ext4, then copied the
|
|
</I>><i> >> `challenge` file and the `target/release/compute` binary.
|
|
</I>><i> >>
|
|
</I>><i> >> Sidechannel Defences
|
|
</I>><i> >> ====================
|
|
</I>><i> >>
|
|
</I>><i> >> First of all, I lined a large cardboard box with aluminium foil in
|
|
</I>><i> order to
|
|
</I>><i> >> make a rudimentary faraday cage. Then, I assembled an airgap compute
|
|
</I>><i> node
|
|
</I>><i> >> using some relatively cheap parts, putting them all inside the box:
|
|
</I>><i> >>
|
|
</I>><i> >> * Motherboard: Asus H81 Pro BTC (no radio, bluetooth or speakers AFAIK)
|
|
</I>><i> >> * CPU: Intel G1840
|
|
</I>><i> >> * Ram: 2x cheap 1GB sticks
|
|
</I>><i> >> * PSU: EVGA SuperNOVA 1300 G2
|
|
</I>><i> >> * Monitor: old Dell TFT display
|
|
</I>><i> >> * Keyboard: generic USB keyboard
|
|
</I>><i> >>
|
|
</I>><i> >> No other peripherals or cables were connected. I placed the compute
|
|
</I>><i> node in my
|
|
</I>><i> >> cellar (~6ft below ground level) and I remained with the node during
|
|
</I>><i> the entire
|
|
</I>><i> >> time it was computing, without using any other devices in the vicinity
|
|
</I>><i> (no
|
|
</I>><i> >> mobile phone etc.) The only cables coming out of the box were the two
|
|
</I>><i> power
|
|
</I>><i> >> cables, one for the PSU and one for the monitor.
|
|
</I>><i> >>
|
|
</I>><i> >> Image: <A HREF="https://pbs.twimg.com/media/DOT55KUXUAEV44-.jpg:large">https://pbs.twimg.com/media/DOT55KUXUAEV44-.jpg:large</A>
|
|
</I>><i> >>
|
|
</I>><i> >> Procedure
|
|
</I>><i> >> =========
|
|
</I>><i> >>
|
|
</I>><i> >> I booted the node, with "Try Ubuntu" (Live CD mode). Then, I inserted
|
|
</I>><i> the
|
|
</I>><i> >> challenge USB stick and ran `./compute` in the USB media directory,
|
|
</I>><i> entering
|
|
</I>><i> >> some additional entropy as requested by typing randomly on the
|
|
</I>><i> keyboard. The
|
|
</I>><i> >> box lid was only partially opened to allow use of the keyboard and to
|
|
</I>><i> view the
|
|
</I>><i> >> monitor at this point. After 60 minutes had passed, I looked inside
|
|
</I>><i> the lid
|
|
</I>><i> >> and saw that the computation had completed, so I wrote down the BLAKE2b
|
|
</I>><i> hash,
|
|
</I>><i> >> and unmounted and removed the USB stick, and then powered the node down.
|
|
</I>><i> >>
|
|
</I>><i> >> Postprocessing
|
|
</I>><i> >> ==============
|
|
</I>><i> >>
|
|
</I>><i> >> I took the USB stick and transferred the response file to my laptop,
|
|
</I>><i> and then
|
|
</I>><i> >> uploaded it using the laptop to S3 via Sean Bowe's transcript site.
|
|
</I>><i> >>
|
|
</I>><i> >> I did not destroy the compute node but I'm unlikely to use it or plug
|
|
</I>><i> it in for
|
|
</I>><i> >> some time.
|
|
</I>><i> >> --
|
|
</I>><i> >> Jason Davies, <A HREF="https://www.jasondavies.com">https://www.jasondavies.com</A>
|
|
</I>><i> >>
|
|
</I>><i> >
|
|
</I>><i> >
|
|
</I>><i> >>
|
|
</I>><i> >>
|
|
</I>><i> >> > On 10 Nov 2017, at 22:11, Sean Bowe via zapps-wg
|
|
</I>><i> <<A HREF="/mailman/listinfo/zapps-wg">zapps-wg at lists.z.cash.foundation</A>> wrote:
|
|
</I>><i> >> >
|
|
</I>><i> >> > Thanks Andrew! That's a great start.
|
|
</I>><i> >> >
|
|
</I>><i> >> > Now it's Jason Davies' turn.
|
|
</I>><i> >> >
|
|
</I>><i> >> > The entire transcript will appear here throughout the process:
|
|
</I>><i> >> >
|
|
</I>><i> >> > <A HREF="https://powersoftau-transcript.s3-us-west-2.amazonaws.com/index.html">https://powersoftau-transcript.s3-us-west-2.amazonaws.com/index.html</A>
|
|
</I>><i> >> >
|
|
</I>><i> >> > We can make a more formal announcement once we're in the groove and
|
|
</I>><i> >> > everything looks good. We're getting a repo up with attestations soon
|
|
</I>><i> >> > also.
|
|
</I>><i> >> >
|
|
</I>><i> >> > Sean
|
|
</I>><i> >> >
|
|
</I>><i> >> > On Fri, Nov 10, 2017 at 12:53 PM, Andrew Miller <<A HREF="/mailman/listinfo/zapps-wg">soc1024 at illinois.edu</A>>
|
|
</I>><i> wrote:
|
|
</I>><i> >> >> OK, I'll go first. Below is my report:
|
|
</I>><i> >> >>
|
|
</I>><i> >> >> Powers of Tau Operational writeup
|
|
</I>><i> >> >> =================================
|
|
</I>><i> >> >> Round: 1
|
|
</I>><i> >> >> Date: 2011-11-10
|
|
</I>><i> >> >> Name: Andrew Miller
|
|
</I>><i> >> >> Location: Champaign, Illinois
|
|
</I>><i> >> >>
|
|
</I>><i> >> >> Challenge: (genesis)
|
|
</I>><i> >> >> ce00f2100dd876fdff8dd824f55307bcb72d724f29ff20b9e0760f3a65e5
|
|
</I>><i> 588a65eaed57cbc61697111ae1f4cc7da2e62a85311c2ae683a041fb872b891c68dc
|
|
</I>><i> >> >> Response:
|
|
</I>><i> >> >> 15729e0edc4201dc5ee6241437d926f614cb4214ff1b9c6fbd73daf40163
|
|
</I>><i> 9f7a4238cf04bc94edac9f2ad037003daab9a4408ba7c62a4413dc2a0ddd683bd719
|
|
</I>><i> >> >> ./response-2017-11-10-amiller
|
|
</I>><i> >> >>
|
|
</I>><i> >> >> Preparation steps
|
|
</I>><i> >> >> =================
|
|
</I>><i> >> >> I used Sean’s powersoftau rust repo, commit
|
|
</I>><i> >> >> 9e1553c437183540392a7231d0788318a19b18a3
|
|
</I>><i> >> >>
|
|
</I>><i> >> >> I followed instructions online for building portable rust binaries,
|
|
</I>><i> >> >> and so I ran
|
|
</I>><i> >> >> ```
|
|
</I>><i> >> >> cargo build --target=x86_64-unknown-linux-musl --release
|
|
</I>><i> >> >> --features=u128-support --bin=compute
|
|
</I>><i> >> >> ```
|
|
</I>><i> >> >>
|
|
</I>><i> >> >> Compiler: rustc 1.23.0-nightly (02004ef78 2017-11-08)
|
|
</I>><i> >> >>
|
|
</I>><i> >> >> I copied the resulting binary to a freshly formatted USB stick I had.
|
|
</I>><i> >> >>
|
|
</I>><i> >> >> b2sum:
|
|
</I>><i> >> >> 9059a0a64f5021c36df630ca48ac40674862b2fea14f4843ff2150256b95
|
|
</I>><i> 162ac4d6d1621d2dd3f5d0d1c604ad8e581c0ff449d2449140380eab075a9b83c960
|
|
</I>><i> >> >> ./target/x86_64-unknown-linux-musl/release/compute
|
|
</I>><i> >> >>
|
|
</I>><i> >> >> I also rummaged through my shelf of several USB sticks, and found one
|
|
</I>><i> >> >> that happened to be a Linux Mint 18 USB bootable disk, so I used that
|
|
</I>><i> >> >> for my operating system.
|
|
</I>><i> >> >>
|
|
</I>><i> >> >> Sidechannel defenses
|
|
</I>><i> >> >> ====================
|
|
</I>><i> >> >> I used an airgap compute node, a Dell Inspiron that I’ve had for
|
|
</I>><i> about
|
|
</I>><i> >> >> a year now (Actually this is a computer I bought last year for
|
|
</I>><i> >> >> dress-rehearsals in the Zcash Sprout param generation ceremony).
|
|
</I>><i> >> >>
|
|
</I>><i> >> >> I unplugged all the computer’s hard drives, and detached its
|
|
</I>><i> >> >> wifi/bluetooth radios. I booted the computer from the Linux Mint
|
|
</I>><i> >> >> livecd usb stick, and then also copied the binaries into RAM. The
|
|
</I>><i> >> >> compute node was located in my bedroom, and I attended it for the
|
|
</I>><i> ~1hr
|
|
</I>><i> >> >> duration of the compute process.
|
|
</I>><i> >> >>
|
|
</I>><i> >> >> Image: <A HREF="https://pbs.twimg.com/media/DOSZz4FXkAEKC7N.jpg:large">https://pbs.twimg.com/media/DOSZz4FXkAEKC7N.jpg:large</A>
|
|
</I>><i> >> >>
|
|
</I>><i> >> >> Postprocessing
|
|
</I>><i> >> >> ==============
|
|
</I>><i> >> >> After compute was finished, I took a cell phone picture of the
|
|
</I>><i> blake2b
|
|
</I>><i> >> >> hash of the response. I then copied the response file to the USB
|
|
</I>><i> stick
|
|
</I>><i> >> >> containing the binaries, and then I unplugged the compute node. Using
|
|
</I>><i> >> >> my personal laptop, I posted the blake2b hash to the #mpc chat and
|
|
</I>><i> >> >> uploaded the response file to s3.
|
|
</I>><i> >> >>
|
|
</I>><i> >> >> The repsonse file is hosted here for now, though I expect we'll
|
|
</I>><i> >> >> mirror it elsewhere later:
|
|
</I>><i> >> >> <A HREF="https://s3.amazonaws.com/socrates1024_a/response-2017-11-10-amiller">https://s3.amazonaws.com/socrates1024_a/response-2017-11-10-amiller</A>
|
|
</I>><i> >> >>
|
|
</I>><i> >> >> I did not destroy the compute node and do plan to use it again,
|
|
</I>><i> >> >> although I'm going to leave it unplugged for several days.
|
|
</I>><i> >> >>
|
|
</I>><i> >> >> On Wed, Nov 8, 2017 at 10:19 PM, Sean Bowe <<A HREF="/mailman/listinfo/zapps-wg">sean at z.cash</A>> wrote:
|
|
</I>><i> >> >>> Note that the `response` file contains a hash of the `challenge`
|
|
</I>><i> file
|
|
</I>><i> >> >>> that was used as input for the compute tool. As a result, only the
|
|
</I>><i> >> >>> hashes of the `response` files need to be published; a hash chain is
|
|
</I>><i> >> >>> formed through all participants. The initial challenge file is
|
|
</I>><i> >> >>> deterministic. (You can use the `new` tool on the repository to
|
|
</I>><i> >> >>> construct it.)
|
|
</I>><i> >> >>>
|
|
</I>><i> >> >>> The initial challenge file has BLAKE2b hash:
|
|
</I>><i> >> >>>
|
|
</I>><i> >> >>> ce00f2100dd876fdff8dd824f55307bcb72d724f29ff20b9e0760f3a65e5
|
|
</I>><i> 588a65eaed57cbc61697111ae1f4cc7da2e62a85311c2ae683a041fb872b891c68dc
|
|
</I>><i> >> >>>
|
|
</I>><i> >> >>> It doesn't hurt to post hashes of everything though. Hash all the
|
|
</I>><i> things.
|
|
</I>><i> >> >>>
|
|
</I>><i> >> >>> Sean
|
|
</I>><i> >> >>>
|
|
</I>><i> >> >>> On Wed, Nov 8, 2017 at 4:51 PM, Andrew Miller <<A HREF="/mailman/listinfo/zapps-wg">soc1024 at illinois.edu</A>>
|
|
</I>><i> wrote:
|
|
</I>><i> >> >>>> Thanks Sean!
|
|
</I>><i> >> >>>>
|
|
</I>><i> >> >>>> My idea is to use an ad hoc and publicly visible process. "Get in
|
|
</I>><i> >> >>>> contact with [sean]" could be as simple as posting in public to
|
|
</I>><i> this
|
|
</I>><i> >> >>>> thread. Unless we're overrun by trolls, a public mailing list can
|
|
</I>><i> be
|
|
</I>><i> >> >>>> an informal way to agree on who goes next. Whoever posts and says
|
|
</I>><i> "Me,
|
|
</I>><i> >> >>>> me! I'd like to go next", should, by convention, go next. Any
|
|
</I>><i> >> >>>> aberrations (parties taking too long or dropping out, posting
|
|
</I>><i> invalid
|
|
</I>><i> >> >>>> data, etc., can be dealt with as needed).
|
|
</I>><i> >> >>>>
|
|
</I>><i> >> >>>> I believe it's also the case that
|
|
</I>><i> >> >>>> a) The "response" file from each person is roughly the same as the
|
|
</I>><i> >> >>>> "challenge" file for the next participant, and
|
|
</I>><i> >> >>>> b) The response/challenge files are safe to be published at any
|
|
</I>><i> time,
|
|
</I>><i> >> >>>> not private at all.
|
|
</I>><i> >> >>>> So, by convention, we should post the hashes of those files here
|
|
</I>><i> right
|
|
</I>><i> >> >>>> away, and make a best effort to mirror them publicly (each one is
|
|
</I>><i> like
|
|
</I>><i> >> >>>> a gigabyte, I think).
|
|
</I>><i> >> >>>>
|
|
</I>><i> >> >>>> What does the initial challenge file consist of? Could you post the
|
|
</I>><i> >> >>>> hash of it here?
|
|
</I>><i> >> >>>>
|
|
</I>><i> >> >>>> Cheers,
|
|
</I>><i> >> >>>>
|
|
</I>><i> >> >>>> On Wed, Nov 8, 2017 at 3:04 PM, Sean Bowe via zapps-wg
|
|
</I>><i> >> >>>> <<A HREF="/mailman/listinfo/zapps-wg">zapps-wg at lists.z.cash.foundation</A>> wrote:
|
|
</I>><i> >> >>>>> Ariel Gabizon, Ian Miers and I have just published a new paper
|
|
</I>><i> detailing a
|
|
</I>><i> >> >>>>> multi-party computation (MPC) protocol for constructing zk-SNARK
|
|
</I>><i> public
|
|
</I>><i> >> >>>>> parameters.
|
|
</I>><i> >> >>>>>
|
|
</I>><i> >> >>>>> <A HREF="https://eprint.iacr.org/2017/1050">https://eprint.iacr.org/2017/1050</A>
|
|
</I>><i> >> >>>>>
|
|
</I>><i> >> >>>>> The highlights are:
|
|
</I>><i> >> >>>>>
|
|
</I>><i> >> >>>>> * It allows for a single, gigantic ceremony to take place for all
|
|
</I>><i> possible
|
|
</I>><i> >> >>>>> zk-SNARK circuits within a given size bound. The results of this
|
|
</I>><i> ceremony
|
|
</I>><i> >> >>>>> are partial zk-SNARK parameters for the entire community. We call
|
|
</I>><i> this
|
|
</I>><i> >> >>>>> communal ceremony the Powers of Tau.
|
|
</I>><i> >> >>>>> * If you want to use zk-SNARKs in your protocols, you still have
|
|
</I>><i> to do an
|
|
</I>><i> >> >>>>> MPC for your circuit. But because of the Powers of Tau ceremony,
|
|
</I>><i> your
|
|
</I>><i> >> >>>>> ceremony is much cheaper to perform and the costs per-participant
|
|
</I>><i> scale
|
|
</I>><i> >> >>>>> linearly with respect to the circuit complexity.
|
|
</I>><i> >> >>>>> * The best part is that the Powers of Tau and these
|
|
</I>><i> circuit-specific MPCs
|
|
</I>><i> >> >>>>> can scale to hundreds/thousands of participants. As the number of
|
|
</I>><i> >> >>>>> participants grows, it becomes unrealistic that all of them could
|
|
</I>><i> be
|
|
</I>><i> >> >>>>> compromised.
|
|
</I>><i> >> >>>>>
|
|
</I>><i> >> >>>>> So, let's do the Powers of Tau ceremony! The Zcash Foundation is
|
|
</I>><i> excited to
|
|
</I>><i> >> >>>>> participate in the process. The Zcash Company is particularly
|
|
</I>><i> excited in
|
|
</I>><i> >> >>>>> starting soon because we want to leverage it for our next MPC for
|
|
</I>><i> the
|
|
</I>><i> >> >>>>> Sapling upgrade of Zcash.
|
|
</I>><i> >> >>>>>
|
|
</I>><i> >> >>>>> The MPC protocol for this ceremony only requires that one
|
|
</I>><i> participant
|
|
</I>><i> >> >>>>> successfully destroy the secret randomness they sample during
|
|
</I>><i> their part. We
|
|
</I>><i> >> >>>>> intend to give participants total flexibility in deciding how to
|
|
</I>><i> >> >>>>> participate; we don't mind what software, hardware or OS you use.
|
|
</I>><i> >> >>>>>
|
|
</I>><i> >> >>>>> I have written some Rust software for participants to run:
|
|
</I>><i> >> >>>>>
|
|
</I>><i> >> >>>>> <A HREF="https://github.com/ebfull/powersoftau">https://github.com/ebfull/powersoftau</A>
|
|
</I>><i> >> >>>>>
|
|
</I>><i> >> >>>>> In order to simplify auditing, I won't be making any more changes
|
|
</I>><i> to the
|
|
</I>><i> >> >>>>> code unless absolutely necessary. You don't have to use this
|
|
</I>><i> software, but
|
|
</I>><i> >> >>>>> there are no alternative implementations at this time. I think it
|
|
</I>><i> should be
|
|
</I>><i> >> >>>>> feasible to write a C version of the code using the RELIC
|
|
</I>><i> toolkit, which has
|
|
</I>><i> >> >>>>> implemented BLS12-381. I am very confident in the Rust code,
|
|
</I>><i> though, and I
|
|
</I>><i> >> >>>>> believe in its stability/correctness.
|
|
</I>><i> >> >>>>>
|
|
</I>><i> >> >>>>> I have some opinions about the ceremony:
|
|
</I>><i> >> >>>>>
|
|
</I>><i> >> >>>>> 1. I disagree with processes that don't improve security of the
|
|
</I>><i> ceremony.
|
|
</I>><i> >> >>>>> Having a small surface area of code and process increases the
|
|
</I>><i> chance that
|
|
</I>><i> >> >>>>> bugs will be discovered by auditors because there are fewer
|
|
</I>><i> things that can
|
|
</I>><i> >> >>>>> go wrong. Remember that there is already quite a bit for the
|
|
</I>><i> public to
|
|
</I>><i> >> >>>>> check: the transcript correctness, the code correctness, the
|
|
</I>><i> randomness
|
|
</I>><i> >> >>>>> beacon, the cryptographic proof, code dependencies, etc.
|
|
</I>><i> >> >>>>> 2. It needs to start soon so that it can be useful for the
|
|
</I>><i> Sapling MPC.
|
|
</I>><i> >> >>>>> 3. It needs to have lots of reputable participants by the time we
|
|
</I>><i> start the
|
|
</I>><i> >> >>>>> Sapling MPC.
|
|
</I>><i> >> >>>>>
|
|
</I>><i> >> >>>>> Given the above, I would like to suggest that we start the
|
|
</I>><i> ceremony now
|
|
</I>><i> >> >>>>> using my existing code, which supports circuits up to 2^21 gates.
|
|
</I>><i> This means
|
|
</I>><i> >> >>>>> people would just get in contact with me if they want to
|
|
</I>><i> participate and
|
|
</I>><i> >> >>>>> I'll schedule them in. I'll try to prioritize reputable people,
|
|
</I>><i> but I'll
|
|
</I>><i> >> >>>>> allow pretty much anyone I have time to. Everything that I do is
|
|
</I>><i> publicly
|
|
</I>><i> >> >>>>> verifiable (there is a transcript at the end of the ceremony
|
|
</I>><i> which people
|
|
</I>><i> >> >>>>> can check).
|
|
</I>><i> >> >>>>>
|
|
</I>><i> >> >>>>> Andrew Miller has a few interesting ideas for a more distributed
|
|
</I>><i> process for
|
|
</I>><i> >> >>>>> scheduling "who goes next" but there are some disadvantages and
|
|
</I>><i> risks
|
|
</I>><i> >> >>>>> involved IMO. In any case, the process can be changed later
|
|
</I>><i> without
|
|
</I>><i> >> >>>>> affecting anything, so I don't see a purpose in delaying the
|
|
</I>><i> start of the
|
|
</I>><i> >> >>>>> ceremony on such things.
|
|
</I>><i> >> >>>>>
|
|
</I>><i> >> >>>>> I'd like to hear from others about this plan so we can begin soon!
|
|
</I>><i> >> >>>>>
|
|
</I>><i> >> >>>>> Sean Bowe
|
|
</I>><i> >> >>>>> Zcash Company
|
|
</I>><i> >> >>>>
|
|
</I>><i> >> >>>>
|
|
</I>><i> >> >>>>
|
|
</I>><i> >> >>>> --
|
|
</I>><i> >> >>>> Andrew Miller
|
|
</I>><i> >> >>>> University of Illinois at Urbana-Champaign
|
|
</I>><i> >> >>
|
|
</I>><i> >> >>
|
|
</I>><i> >> >>
|
|
</I>><i> >> >> --
|
|
</I>><i> >> >> Andrew Miller
|
|
</I>><i> >> >> University of Illinois at Urbana-Champaign
|
|
</I>><i> >>
|
|
</I>><i> >
|
|
</I>><i>
|
|
</I>
|
|
</PRE>
|
|
|
|
<!--endarticle-->
|
|
<HR>
|
|
<P><UL>
|
|
<!--threads-->
|
|
<LI>Previous message (by thread): <A HREF="000014.html">[zapps-wg] Powers of Tau Ceremony Proposal
|
|
</A></li>
|
|
<LI>Next message (by thread): <A HREF="000016.html">[zapps-wg] Powers of Tau Ceremony Proposal
|
|
</A></li>
|
|
<LI> <B>Messages sorted by:</B>
|
|
<a href="date.html#15">[ date ]</a>
|
|
<a href="thread.html#15">[ thread ]</a>
|
|
<a href="subject.html#15">[ subject ]</a>
|
|
<a href="author.html#15">[ author ]</a>
|
|
</LI>
|
|
</UL>
|
|
|
|
<hr>
|
|
<a href="/mailman/listinfo/zapps-wg">More information about the zapps-wg
|
|
mailing list</a><br>
|
|
</body></html>
|