<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>
<TITLE> [zapps-wg] Powers of Tau Ceremony Proposal
</TITLE>
<LINK REL="Index" HREF="/pipermail/zapps-wg/2017/index.html" >
<LINK REL="made" HREF="mailto:zapps-wg%40lists.zfnd.org?Subject=Re%3A%20%5Bzapps-wg%5D%20Powers%20of%20Tau%20Ceremony%20Proposal&In-Reply-To=%3CCAKazn3kCjoSWvp1K8%2BN9k5fdKXv8CkpGb2z%3DfC1WKyuZQe9%2BKA%40mail.gmail.com%3E">
<META NAME="robots" CONTENT="index,nofollow">
<style type="text/css">
pre {
    white-space: pre-wrap; /* css-2.1, current FF, Opera, Safari */
}
</style>
<META http-equiv="Content-Type" content="text/html; charset=us-ascii">
<LINK REL="Previous" HREF="000016.html">
<LINK REL="Next" HREF="000018.html">
</HEAD>
<BODY BGCOLOR="#ffffff">
<H1>[zapps-wg] Powers of Tau Ceremony Proposal</H1>
<B>Sean Bowe</B>
<A HREF="mailto:zapps-wg%40lists.zfnd.org?Subject=Re%3A%20%5Bzapps-wg%5D%20Powers%20of%20Tau%20Ceremony%20Proposal&In-Reply-To=%3CCAKazn3kCjoSWvp1K8%2BN9k5fdKXv8CkpGb2z%3DfC1WKyuZQe9%2BKA%40mail.gmail.com%3E"
TITLE="[zapps-wg] Powers of Tau Ceremony Proposal">sean at z.cash
</A><BR>
<I>Sun Nov 12 17:45:04 EST 2017</I>
<P><UL>
<LI>Previous message (by thread): <A HREF="000016.html">[zapps-wg] Powers of Tau Ceremony Proposal
</A></li>
<LI>Next message (by thread): <A HREF="000018.html">[zapps-wg] Powers of Tau Ceremony Proposal
</A></li>
<LI> <B>Messages sorted by:</B>
<a href="date.html#17">[ date ]</a>
<a href="thread.html#17">[ thread ]</a>
<a href="subject.html#17">[ subject ]</a>
<a href="author.html#17">[ author ]</a>
</LI>
</UL>
<HR>
<!--beginarticle-->
<PRE>Unfortunately, Cody had some problems and needs to reschedule. Also,
Kobi doesn't have time right now, so it's Matt's turn!

Sean

On Sun, Nov 12, 2017 at 12:40 PM, Sean Bowe <<A HREF="/mailman/listinfo/zapps-wg">sean at z.cash</A>> wrote:
><i> Cody is going but I haven't heard back in a while. In let's say about
</I>><i> five hours if we still don't hear back we'll move on to Kobi and
</I>><i> reschedule with Cody later. Matt can go after that! :)
</I>><i>
</I>><i> Sean
</I>><i>
</I>><i> On Sat, Nov 11, 2017 at 8:24 PM, Matt Drollette via zapps-wg
</I>><i> <<A HREF="/mailman/listinfo/zapps-wg">zapps-wg at lists.z.cash.foundation</A>> wrote:
</I>>><i> I'd like to be added to the queue. Happy to go after Cody unless there are
</I>>><i> others already lined up.
</I>>><i>
</I>>><i>
</I>>><i> ---
</I>>><i> Matt Drollette
</I>>><i>
</I>>><i> On Sat, Nov 11, 2017 at 4:31 PM, Sean Bowe via zapps-wg
</I>>><i> <<A HREF="/mailman/listinfo/zapps-wg">zapps-wg at lists.z.cash.foundation</A>> wrote:
</I>>>><i>
</I>>>><i> Thanks Jared! Awesome! I've verified the contribution and put your
</I>>>><i> response file up on the transcript repository.
</I>>>><i>
</I>>>><i> Can you submit a PR here to fill in more information (including a
</I>>>><i> signed attestation):
</I>>>><i>
</I>>>><i> <A HREF="https://github.com/ZcashFoundation/powersoftau-attestations/tree/master/0003">https://github.com/ZcashFoundation/powersoftau-attestations/tree/master/0003</A>
</I>>>><i>
</I>>>><i> Cody Burns is going next.
</I>>>><i>
</I>>>><i> Sean
</I>>>><i>
</I>>>><i> On Sat, Nov 11, 2017 at 1:35 PM, Jared Tobin <<A HREF="/mailman/listinfo/zapps-wg">jared at jtobin.io</A>> wrote:
</I>>>><i> >
</I>>>><i> > Hi all, here's my report:
</I>>>><i> >
</I>>>><i> > Powers of Tau Operational Writeup
</I>>>><i> > =================================
</I>>>><i> >
</I>>>><i> > Round: 3
</I>>>><i> > Date: 2017-11-12
</I>>>><i> > Name: Jared Tobin
</I>>>><i> > Location: Auckland, NZ
</I>>>><i> >
</I>>>><i> > Challenge:
</I>>>><i> >
</I>>>><i> > e712fa22f1d027a0b4ce3ef698f26d5cab07c3380e4c24a479a914c85617fd1a2960b386cceb5c94718979010a1b7ed8b6145da872f0744e06503bd664fe7283
</I>>>><i> > Response:
</I>>>><i> >
</I>>>><i> > cb48afb82ab4c476ae741633c3eb6643e7700dc7b2b4701af91e3cc932270b96c375e5f3a5c20c96fac6c9b40a5bba6c956d66f223f090c545c277aa05427757
</I>>>><i> >
</I>>>><i> > Preparation Steps
</I>>>><i> > =================
</I>>>><i> >
</I>>>><i> > Being somewhat pressed for time and hardware, I recruited several
</I>>>><i> > geographically-distributed volunteers that I know well and trust
</I>>>><i> > completely to help me out. In the end, the following volunteers were
</I>>>><i> > able to get back to me in time:
</I>>>><i> >
</I>>>><i> > * Shawn Tobin (RSA Canada)
</I>>>><i> > * Fredrik Harryson (Parity Technologies)
</I>>>><i> > * Jason Forbes (Kraken Sonar Systems)
</I>>>><i> >
</I>>>><i> > I set up a private Keybase team with the above volunteers, distributed
</I>>>><i> > the challenge to them over KBFS, and gave them instructions over the
</I>>>><i> > team chat on how to proceed. Each was to add entropy and compute the
</I>>>><i> > response locally using whatever mechanisms they preferred (report not
</I>>>><i> > required), then return their response/hash pairs to me over KBFS. Each
</I>>>><i> > member was to use the code in Sean's powersoftau repository as of commit
</I>>>><i> > 9e1553c437183540392a7231d0788318a19b18a3 to perform the computation.
</I>>>><i> >
</I>>>><i> > Procedure
</I>>>><i> > =========
</I>>>><i> >
</I>>>><i> > I computed a response locally in rather mundane fashion using rustc
</I>>>><i> > 1.21.0 on an early-2015 model Macbook Air running Sierra. Eventually
</I>>>><i> > the volunteers managed to upload their response/hash pairs to KBFS, and
</I>>>><i> > I randomly selected one of the resulting four responses to submit for my
</I>>>><i> > piece of the MPC.
</I>>>><i> >
</I>>>><i> > I uploaded the resulting response via the handy app Sean provided me
</I>>>><i> > with.
</I>>>><i> >
</I>>>><i> > Side channel defences
</I>>>><i> > =====================
</I>>>><i> >
</I>>>><i> > I used broad geographical distribution and randomness to mitigate the
</I>>>><i> > possibility of successful side channel attacks. Shawn was located in
</I>>>><i> > Vancouver, Canada, Fredrik was located in Malmö, Sweden, and Jason was
</I>>>><i> > located in St. John's, Canada.
</I>>>><i> >
</I>>>><i> > I selected the response to upload by pre-determining a correspondence
</I>>>><i> > between names and numbers, and then walking outside and asking the first
</I>>>><i> > stranger I saw to pick a number between one and four.
</I>>>><i> >
</I>>>><i> > - jared
</I>>>><i> >
</I>>>><i> >
</I>>>><i> > On Sat, Nov 11, 2017 at 12:25:33AM +0000, Jason Davies via zapps-wg
</I>>>><i> > wrote:
</I>>>><i> >> Hi all,
</I>>>><i> >>
</I>>>><i> >> Here is my report:
</I>>>><i> >>
</I>>>><i> >> Powers of Tau Operational Writeup
</I>>>><i> >> =================================
</I>>>><i> >>
</I>>>><i> >> Round: 2
</I>>>><i> >> Date: 2017-11-10
</I>>>><i> >> Name: Jason Davies
</I>>>><i> >> Location: London, UK
</I>>>><i> >>
</I>>>><i> >> Challenge:
</I>>>><i> >> 467bc84f6eb98ff956eaf12a1b7ef4dc0aff1093c7a0d5c1dfbdb85bbfffb20a43965d0daefee3fec6c1a47af69100e117b44b74371824ac8af1e33b6f91add5
</I>>>><i> >> Response:
</I>>>><i> >> 2f728af894524f55bda7a3e2c2e2db6a57a992811e90ed57456d62aead5106cdc5c97c86532d14b5185cc74d169f1b0c2c0ef1e582231ffa7936da55047c0cb2
</I>>>><i> >>
</I>>>><i> >> Preparation Steps
</I>>>><i> >> =================
</I>>>><i> >>
</I>>>><i> >> Git repository: <A HREF="https://github.com/ebfull/powersoftau">https://github.com/ebfull/powersoftau</A>
</I>>>><i> >> Commit hash: 9e1553c437183540392a7231d0788318a19b18a3
</I>>>><i> >> Compiler: rustc 1.23.0-nightly (d6b06c63a 2017-11-09)
</I>>>><i> >> Build: cargo build --release --features=u128-support
</I>>>><i> >> b2sum(./target/release/compute):
</I>>>><i> >> be42f68b07c5c857bb6561a9ac2967d671ef412a71c87c2fb31776a6ab38c756736de66e554553021e129ecab45d922092873df8b71bd9a775ec05f189485198
</I>>>><i> >>
</I>>>><i> >> I used a brand new 16GB USB stick and loaded
</I>>>><i> >> ubuntu-17.04-desktop-amd64.iso; b2sum:
</I>>>><i> >> 6a1c975b25b4e7f2dbf4fda84fe8b5de3ed6f4532b8c4f17e533ed11a0a8b5b9ad9fb83e8e4b89447c3a427be73f77a5f7c71b7f733fcc4bebf346e9c5c0de43.
</I>>>><i> >>
</I>>>><i> >> I reformatted a second brand new 16GB USB stick to ext4, then copied the
</I>>>><i> >> `challenge` file and the `target/release/compute` binary.
</I>>>><i> >>
</I>>>><i> >> Sidechannel Defences
</I>>>><i> >> ====================
</I>>>><i> >>
</I>>>><i> >> First of all, I lined a large cardboard box with aluminium foil in order to
</I>>>><i> >> make a rudimentary faraday cage. Then, I assembled an airgap compute node
</I>>>><i> >> using some relatively cheap parts, putting them all inside the box:
</I>>>><i> >>
</I>>>><i> >> * Motherboard: Asus H81 Pro BTC (no radio, bluetooth or speakers AFAIK)
</I>>>><i> >> * CPU: Intel G1840
</I>>>><i> >> * Ram: 2x cheap 1GB sticks
</I>>>><i> >> * PSU: EVGA SuperNOVA 1300 G2
</I>>>><i> >> * Monitor: old Dell TFT display
</I>>>><i> >> * Keyboard: generic USB keyboard
</I>>>><i> >>
</I>>>><i> >> No other peripherals or cables were connected. I placed the compute node in my
</I>>>><i> >> cellar (~6ft below ground level) and I remained with the node during the entire
</I>>>><i> >> time it was computing, without using any other devices in the vicinity (no
</I>>>><i> >> mobile phone etc.) The only cables coming out of the box were the two power
</I>>>><i> >> cables, one for the PSU and one for the monitor.
</I>>>><i> >>
</I>>>><i> >> Image: <A HREF="https://pbs.twimg.com/media/DOT55KUXUAEV44-.jpg:large">https://pbs.twimg.com/media/DOT55KUXUAEV44-.jpg:large</A>
</I>>>><i> >>
</I>>>><i> >> Procedure
</I>>>><i> >> =========
</I>>>><i> >>
</I>>>><i> >> I booted the node, with "Try Ubuntu" (Live CD mode). Then, I inserted the
</I>>>><i> >> challenge USB stick and ran `./compute` in the USB media directory, entering
</I>>>><i> >> some additional entropy as requested by typing randomly on the keyboard. The
</I>>>><i> >> box lid was only partially opened to allow use of the keyboard and to view the
</I>>>><i> >> monitor at this point. After 60 minutes had passed, I looked inside the lid
</I>>>><i> >> and saw that the computation had completed, so I wrote down the BLAKE2b hash,
</I>>>><i> >> and unmounted and removed the USB stick, and then powered the node down.
</I>>>><i> >>
</I>>>><i> >> Postprocessing
</I>>>><i> >> ==============
</I>>>><i> >>
</I>>>><i> >> I took the USB stick and transferred the response file to my laptop, and then
</I>>>><i> >> uploaded it using the laptop to S3 via Sean Bowe's transcript site.
</I>>>><i> >>
</I>>>><i> >> I did not destroy the compute node but I'm unlikely to use it or plug it in for
</I>>>><i> >> some time.
</I>>>><i> >> --
</I>>>><i> >> Jason Davies, <A HREF="https://www.jasondavies.com">https://www.jasondavies.com</A>
</I>>>><i> >>
</I>>>><i> >
</I>>>><i> >
</I>>>><i> >>
</I>>>><i> >>
</I>>>><i> >> > On 10 Nov 2017, at 22:11, Sean Bowe via zapps-wg
</I>>>><i> >> > <<A HREF="/mailman/listinfo/zapps-wg">zapps-wg at lists.z.cash.foundation</A>> wrote:
</I>>>><i> >> >
</I>>>><i> >> > Thanks Andrew! That's a great start.
</I>>>><i> >> >
</I>>>><i> >> > Now it's Jason Davies' turn.
</I>>>><i> >> >
</I>>>><i> >> > The entire transcript will appear here throughout the process:
</I>>>><i> >> >
</I>>>><i> >> > <A HREF="https://powersoftau-transcript.s3-us-west-2.amazonaws.com/index.html">https://powersoftau-transcript.s3-us-west-2.amazonaws.com/index.html</A>
</I>>>><i> >> >
</I>>>><i> >> > We can make a more formal announcement once we're in the groove and
</I>>>><i> >> > everything looks good. We're getting a repo up with attestations soon
</I>>>><i> >> > also.
</I>>>><i> >> >
</I>>>><i> >> > Sean
</I>>>><i> >> >
</I>>>><i> >> > On Fri, Nov 10, 2017 at 12:53 PM, Andrew Miller
</I>>>><i> >> > <<A HREF="/mailman/listinfo/zapps-wg">soc1024 at illinois.edu</A>> wrote:
</I>>>><i> >> >> OK, I'll go first. Below is my report:
</I>>>><i> >> >>
</I>>>><i> >> >> Powers of Tau Operational writeup
</I>>>><i> >> >> =================================
</I>>>><i> >> >> Round: 1
</I>>>><i> >> >> Date: 2011-11-10
</I>>>><i> >> >> Name: Andrew Miller
</I>>>><i> >> >> Location: Champaign, Illinois
</I>>>><i> >> >>
</I>>>><i> >> >> Challenge: (genesis)
</I>>>><i> >> >>
</I>>>><i> >> >> ce00f2100dd876fdff8dd824f55307bcb72d724f29ff20b9e0760f3a65e5588a65eaed57cbc61697111ae1f4cc7da2e62a85311c2ae683a041fb872b891c68dc
</I>>>><i> >> >> Response:
</I>>>><i> >> >>
</I>>>><i> >> >> 15729e0edc4201dc5ee6241437d926f614cb4214ff1b9c6fbd73daf401639f7a4238cf04bc94edac9f2ad037003daab9a4408ba7c62a4413dc2a0ddd683bd719
</I>>>><i> >> >> ./response-2017-11-10-amiller
</I>>>><i> >> >>
</I>>>><i> >> >> Preparation steps
</I>>>><i> >> >> =================
</I>>>><i> >> >> I used Sean’s powersoftau rust repo, commit
</I>>>><i> >> >> 9e1553c437183540392a7231d0788318a19b18a3
</I>>>><i> >> >>
</I>>>><i> >> >> I followed instructions online for building portable rust binaries,
</I>>>><i> >> >> and so I ran
</I>>>><i> >> >> ```
</I>>>><i> >> >> cargo build --target=x86_64-unknown-linux-musl --release
</I>>>><i> >> >> --features=u128-support --bin=compute
</I>>>><i> >> >> ```
</I>>>><i> >> >>
</I>>>><i> >> >> Compiler: rustc 1.23.0-nightly (02004ef78 2017-11-08)
</I>>>><i> >> >>
</I>>>><i> >> >> I copied the resulting binary to a freshly formatted USB stick I had.
</I>>>><i> >> >>
</I>>>><i> >> >> b2sum:
</I>>>><i> >> >>
</I>>>><i> >> >> 9059a0a64f5021c36df630ca48ac40674862b2fea14f4843ff2150256b95162ac4d6d1621d2dd3f5d0d1c604ad8e581c0ff449d2449140380eab075a9b83c960
</I>>>><i> >> >> ./target/x86_64-unknown-linux-musl/release/compute
</I>>>><i> >> >>
</I>>>><i> >> >> I also rummaged through my shelf of several USB sticks, and found one
</I>>>><i> >> >> that happened to be a Linux Mint 18 USB bootable disk, so I used that
</I>>>><i> >> >> for my operating system.
</I>>>><i> >> >>
</I>>>><i> >> >> Sidechannel defenses
</I>>>><i> >> >> ====================
</I>>>><i> >> >> I used an airgap compute node, a Dell Inspiron that I’ve had for about
</I>>>><i> >> >> a year now (Actually this is a computer I bought last year for
</I>>>><i> >> >> dress-rehearsals in the Zcash Sprout param generation ceremony).
</I>>>><i> >> >>
</I>>>><i> >> >> I unplugged all the computer’s hard drives, and detached its
</I>>>><i> >> >> wifi/bluetooth radios. I booted the computer from the Linux Mint
</I>>>><i> >> >> livecd usb stick, and then also copied the binaries into RAM. The
</I>>>><i> >> >> compute node was located in my bedroom, and I attended it for the ~1hr
</I>>>><i> >> >> duration of the compute process.
</I>>>><i> >> >>
</I>>>><i> >> >> Image: <A HREF="https://pbs.twimg.com/media/DOSZz4FXkAEKC7N.jpg:large">https://pbs.twimg.com/media/DOSZz4FXkAEKC7N.jpg:large</A>
</I>>>><i> >> >>
</I>>>><i> >> >> Postprocessing
</I>>>><i> >> >> ==============
</I>>>><i> >> >> After compute was finished, I took a cell phone picture of the blake2b
</I>>>><i> >> >> hash of the response. I then copied the response file to the USB stick
</I>>>><i> >> >> containing the binaries, and then I unplugged the compute node. Using
</I>>>><i> >> >> my personal laptop, I posted the blake2b hash to the #mpc chat and
</I>>>><i> >> >> uploaded the response file to s3.
</I>>>><i> >> >>
</I>>>><i> >> >> The response file is hosted here for now, though I expect we'll
</I>>>><i> >> >> mirror it elsewhere later:
</I>>>><i> >> >> <A HREF="https://s3.amazonaws.com/socrates1024_a/response-2017-11-10-amiller">https://s3.amazonaws.com/socrates1024_a/response-2017-11-10-amiller</A>
</I>>>><i> >> >>
</I>>>><i> >> >> I did not destroy the compute node and do plan to use it again,
</I>>>><i> >> >> although I'm going to leave it unplugged for several days.
</I>>>><i> >> >>
</I>>>><i> >> >> On Wed, Nov 8, 2017 at 10:19 PM, Sean Bowe <<A HREF="/mailman/listinfo/zapps-wg">sean at z.cash</A>> wrote:
</I>>>><i> >> >>> Note that the `response` file contains a hash of the `challenge` file
</I>>>><i> >> >>> that was used as input for the compute tool. As a result, only the
</I>>>><i> >> >>> hashes of the `response` files need to be published; a hash chain is
</I>>>><i> >> >>> formed through all participants. The initial challenge file is
</I>>>><i> >> >>> deterministic. (You can use the `new` tool on the repository to
</I>>>><i> >> >>> construct it.)
</I>>>><i> >> >>>
</I>>>><i> >> >>> The initial challenge file has BLAKE2b hash:
</I>>>><i> >> >>>
</I>>>><i> >> >>>
</I>>>><i> >> >>> ce00f2100dd876fdff8dd824f55307bcb72d724f29ff20b9e0760f3a65e5588a65eaed57cbc61697111ae1f4cc7da2e62a85311c2ae683a041fb872b891c68dc
</I>>>><i> >> >>>
</I>>>><i> >> >>> It doesn't hurt to post hashes of everything though. Hash all the
</I>>>><i> >> >>> things.
</I>>>><i> >> >>>
</I>>>><i> >> >>> Sean
</I>>>><i> >> >>>
</I>>>><i> >> >>> On Wed, Nov 8, 2017 at 4:51 PM, Andrew Miller
</I>>>><i> >> >>> <<A HREF="/mailman/listinfo/zapps-wg">soc1024 at illinois.edu</A>> wrote:
</I>>>><i> >> >>>> Thanks Sean!
</I>>>><i> >> >>>>
</I>>>><i> >> >>>> My idea is to use an ad hoc and publicly visible process. "Get in
</I>>>><i> >> >>>> contact with [sean]" could be as simple as posting in public to this
</I>>>><i> >> >>>> thread. Unless we're overrun by trolls, a public mailing list can be
</I>>>><i> >> >>>> an informal way to agree on who goes next. Whoever posts and says "Me,
</I>>>><i> >> >>>> me! I'd like to go next", should, by convention, go next. Any
</I>>>><i> >> >>>> aberrations (parties taking too long or dropping out, posting invalid
</I>>>><i> >> >>>> data, etc., can be dealt with as needed).
</I>>>><i> >> >>>>
</I>>>><i> >> >>>> I believe it's also the case that
</I>>>><i> >> >>>> a) The "response" file from each person is roughly the same as the
</I>>>><i> >> >>>> "challenge" file for the next participant, and
</I>>>><i> >> >>>> b) The response/challenge files are safe to be published at any time,
</I>>>><i> >> >>>> not private at all.
</I>>>><i> >> >>>> So, by convention, we should post the hashes of those files here right
</I>>>><i> >> >>>> away, and make a best effort to mirror them publicly (each one is like
</I>>>><i> >> >>>> a gigabyte, I think).
</I>>>><i> >> >>>>
</I>>>><i> >> >>>> What does the initial challenge file consist of? Could you post the
</I>>>><i> >> >>>> hash of it here?
</I>>>><i> >> >>>>
</I>>>><i> >> >>>> Cheers,
</I>>>><i> >> >>>>
</I>>>><i> >> >>>> On Wed, Nov 8, 2017 at 3:04 PM, Sean Bowe via zapps-wg
</I>>>><i> >> >>>> <<A HREF="/mailman/listinfo/zapps-wg">zapps-wg at lists.z.cash.foundation</A>> wrote:
</I>>>><i> >> >>>>> Ariel Gabizon, Ian Miers and I have just published a new paper detailing a
</I>>>><i> >> >>>>> multi-party computation (MPC) protocol for constructing zk-SNARK public
</I>>>><i> >> >>>>> parameters.
</I>>>><i> >> >>>>>
</I>>>><i> >> >>>>> <A HREF="https://eprint.iacr.org/2017/1050">https://eprint.iacr.org/2017/1050</A>
</I>>>><i> >> >>>>>
</I>>>><i> >> >>>>> The highlights are:
</I>>>><i> >> >>>>>
</I>>>><i> >> >>>>> * It allows for a single, gigantic ceremony to take place for all possible
</I>>>><i> >> >>>>> zk-SNARK circuits within a given size bound. The results of this ceremony
</I>>>><i> >> >>>>> are partial zk-SNARK parameters for the entire community. We call this
</I>>>><i> >> >>>>> communal ceremony the Powers of Tau.
</I>>>><i> >> >>>>> * If you want to use zk-SNARKs in your protocols, you still have to do an
</I>>>><i> >> >>>>> MPC for your circuit. But because of the Powers of Tau ceremony, your
</I>>>><i> >> >>>>> ceremony is much cheaper to perform and the costs per-participant scale
</I>>>><i> >> >>>>> linearly with respect to the circuit complexity.
</I>>>><i> >> >>>>> * The best part is that the Powers of Tau and these circuit-specific MPCs
</I>>>><i> >> >>>>> can scale to hundreds/thousands of participants. As the number of
</I>>>><i> >> >>>>> participants grows, it becomes unrealistic that all of them could be
</I>>>><i> >> >>>>> compromised.
</I>>>><i> >> >>>>>
</I>>>><i> >> >>>>> So, let's do the Powers of Tau ceremony! The Zcash Foundation is excited to
</I>>>><i> >> >>>>> participate in the process. The Zcash Company is particularly excited in
</I>>>><i> >> >>>>> starting soon because we want to leverage it for our next MPC for the
</I>>>><i> >> >>>>> Sapling upgrade of Zcash.
</I>>>><i> >> >>>>>
</I>>>><i> >> >>>>> The MPC protocol for this ceremony only requires that one participant
</I>>>><i> >> >>>>> successfully destroy the secret randomness they sample during their part. We
</I>>>><i> >> >>>>> intend to give participants total flexibility in deciding how to
</I>>>><i> >> >>>>> participate; we don't mind what software, hardware or OS you use.
</I>>>><i> >> >>>>>
</I>>>><i> >> >>>>> I have written some Rust software for participants to run:
</I>>>><i> >> >>>>>
</I>>>><i> >> >>>>> <A HREF="https://github.com/ebfull/powersoftau">https://github.com/ebfull/powersoftau</A>
</I>>>><i> >> >>>>>
</I>>>><i> >> >>>>> In order to simplify auditing, I won't be making any more changes to the
</I>>>><i> >> >>>>> code unless absolutely necessary. You don't have to use this software, but
</I>>>><i> >> >>>>> there are no alternative implementations at this time. I think it should be
</I>>>><i> >> >>>>> feasible to write a C version of the code using the RELIC toolkit, which has
</I>>>><i> >> >>>>> implemented BLS12-381. I am very confident in the Rust code, though, and I
</I>>>><i> >> >>>>> believe in its stability/correctness.
</I>>>><i> >> >>>>>
</I>>>><i> >> >>>>> I have some opinions about the ceremony:
</I>>>><i> >> >>>>>
</I>>>><i> >> >>>>> 1. I disagree with processes that don't improve security of the ceremony.
</I>>>><i> >> >>>>> Having a small surface area of code and process increases the chance that
</I>>>><i> >> >>>>> bugs will be discovered by auditors because there are fewer things that can
</I>>>><i> >> >>>>> go wrong. Remember that there is already quite a bit for the public to
</I>>>><i> >> >>>>> check: the transcript correctness, the code correctness, the randomness
</I>>>><i> >> >>>>> beacon, the cryptographic proof, code dependencies, etc.
</I>>>><i> >> >>>>> 2. It needs to start soon so that it can be useful for the Sapling MPC.
</I>>>><i> >> >>>>> 3. It needs to have lots of reputable participants by the time we start the
</I>>>><i> >> >>>>> Sapling MPC.
</I>>>><i> >> >>>>>
</I>>>><i> >> >>>>> Given the above, I would like to suggest that we start the ceremony now
</I>>>><i> >> >>>>> using my existing code, which supports circuits up to 2^21 gates. This means
</I>>>><i> >> >>>>> people would just get in contact with me if they want to participate and
</I>>>><i> >> >>>>> I'll schedule them in. I'll try to prioritize reputable people, but I'll
</I>>>><i> >> >>>>> allow pretty much anyone I have time to. Everything that I do is publicly
</I>>>><i> >> >>>>> verifiable (there is a transcript at the end of the ceremony which people
</I>>>><i> >> >>>>> can check).
</I>>>><i> >> >>>>>
</I>>>><i> >> >>>>> Andrew Miller has a few interesting ideas for a more distributed process for
</I>>>><i> >> >>>>> scheduling "who goes next" but there are some disadvantages and risks
</I>>>><i> >> >>>>> involved IMO. In any case, the process can be changed later without
</I>>>><i> >> >>>>> affecting anything, so I don't see a purpose in delaying the start of the
</I>>>><i> >> >>>>> ceremony on such things.
</I>>>><i> >> >>>>>
</I>>>><i> >> >>>>> I'd like to hear from others about this plan so we can begin soon!
</I>>>><i> >> >>>>>
</I>>>><i> >> >>>>> Sean Bowe
</I>>>><i> >> >>>>> Zcash Company
</I>>>><i> >> >>>>
</I>>>><i> >> >>>>
</I>>>><i> >> >>>>
</I>>>><i> >> >>>> --
</I>>>><i> >> >>>> Andrew Miller
</I>>>><i> >> >>>> University of Illinois at Urbana-Champaign
</I>>>><i> >> >>
</I>>>><i> >> >>
</I>>>><i> >> >>
</I>>>><i> >> >> --
</I>>>><i> >> >> Andrew Miller
</I>>>><i> >> >> University of Illinois at Urbana-Champaign
</I>>>><i> >>
</I>>>><i> >
</I>>><i>
</I>>><i>
</I>
</PRE>
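<P>Sean's note further down the thread says that each <code>response</code> file carries the BLAKE2b hash of the <code>challenge</code> it consumed, so publishing only the response hashes still chains every contribution to the one before it. The script below is an added example of how an auditor would replay that chain; it is not code from the powersoftau repository or from anyone in the thread. The file layout it assumes (a 64-byte hash prefix followed by an opaque accumulator payload) and the rule for deriving the next challenge from a response are simplifications made for this example, and all sample data is constructed, standing in for the real gigabyte-sized files.</P>

```python
"""Audit a Powers-of-Tau style transcript as a BLAKE2b hash chain.

Added example, not code from the powersoftau repository. It models only the
property described in the thread: a `response` starts with the BLAKE2b hash of
the `challenge` it consumed, so announced response hashes chain the rounds.
The byte layout and the next-challenge rule below are assumptions for the toy.
"""
import hashlib

HASH_LEN = 64  # BLAKE2b-512 digest length, the size `b2sum` prints


def b2(data: bytes) -> bytes:
    return hashlib.blake2b(data).digest()


def make_response(challenge: bytes, payload: bytes) -> bytes:
    """Participant side: bind the response to the challenge it consumed."""
    return b2(challenge) + payload


def next_challenge(response: bytes) -> bytes:
    """Assumed for this toy: the next challenge is the hash of the previous
    response followed by that response's payload (its accumulator)."""
    return b2(response) + response[HASH_LEN:]


def build_transcript(genesis: bytes, payloads: list) -> tuple:
    """Simulate a run of the ceremony; returns (responses, announced_hex_hashes)."""
    responses, announced = [], []
    challenge = genesis
    for payload in payloads:
        resp = make_response(challenge, payload)
        responses.append(resp)
        announced.append(b2(resp).hex())  # what a participant posts to the list
        challenge = next_challenge(resp)
    return responses, announced


def verify_chain(genesis: bytes, responses: list, announced: list) -> list:
    """Auditor side: replay the chain from the deterministic genesis challenge.

    Returns the 1-based round numbers that fail either check; an empty list
    means every response consumed the right challenge and matches the hash
    its participant announced. A bad round also invalidates every later one,
    because the downstream challenges are derived from it.
    """
    bad = []
    challenge = genesis
    for round_no, (resp, hex_hash) in enumerate(zip(responses, announced), 1):
        consumed_right_input = len(resp) > HASH_LEN and resp[:HASH_LEN] == b2(challenge)
        matches_announcement = b2(resp).hex() == hex_hash.lower()
        if not (consumed_right_input and matches_announcement):
            bad.append(round_no)
        challenge = next_challenge(resp)
    return bad


# Constructed sample data standing in for the real (gigabyte-sized) files.
GENESIS = b"constructed genesis challenge, deterministic like the real `new` output"
PAYLOADS = [b"round-1 accumulator (constructed)",
            b"round-2 accumulator (constructed)",
            b"round-3 accumulator (constructed)"]


def demo() -> dict:
    responses, announced = build_transcript(GENESIS, PAYLOADS)
    intact = verify_chain(GENESIS, responses, announced)

    # A participant's file was altered after they announced its hash.
    tampered = list(responses)
    tampered[1] = tampered[1][:HASH_LEN] + b"X" + tampered[1][HASH_LEN + 1:]
    after_tamper = verify_chain(GENESIS, tampered, announced)

    # A response computed against a stale challenge (round 2 skipped entirely).
    skipped = verify_chain(GENESIS, [responses[0], responses[2]],
                           [announced[0], announced[2]])
    return {"intact": intact, "tampered": after_tamper, "skipped": skipped}


if __name__ == "__main__":
    print(demo())  # {'intact': [], 'tampered': [2, 3], 'skipped': [2]}
```

<P>The two failure cases show why a chain of hashes is enough: a file altered after its hash was announced fails its own round, and because the following challenge is derived from it, every later round fails too; a response that consumed a stale challenge fails immediately even though its announced hash is correct. The same <code>b2()</code> comparison is what a reader does by hand with <code>b2sum</code> against the compute binaries and ISO hashes the participants published.</P>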
<!--endarticle-->
</body></html>