zecfoundation
/
zfnd
mirror of https://github.com/ZcashFoundation/zfnd.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
zfnd/_posts/blog/2018-04-13-conclusion-of-po...

6.2 KiB
Raw Blame History

layout title excerpt categories tags image date author
post Conclusion of the Powers of Tau Ceremony The world's largest multi-party computation ceremony comes to a successful end. blog
feature
2018-04-13 ebfull-jasondavies

In November of last year, we announced the beginning of what has become the largest multi-party computation (MPC) ceremony ever performed. In the Powers of Tau ceremony, we aimed to produce partial public parameters that can be used by all projects that wish to use zk-SNARKs — small and flexible zero-knowledge proofs which require a parameter setup.

We're happy to announce the completion of the ceremony, after many months and many dozens of participants. Today, we're publishing the final parameters, the protocol's transcript, a tool for verifying the transcript and the parameters, and a report of what took place.

Ceremony Results

  • We announced the completion of the ceremony on the mailing list, along with signatures of the ceremony artifacts.
  • The final parameters are available over BitTorrent.
  • The transcript of the ceremony is also available over BitTorrent. It has also been placed on the Internet Archive. The transcript and the parameters can be verified using a tool we have written.
  • The attestations of all participants are being collected here.

Ceremony Overview

The ceremony used an MPC protocol described in a paper written by Sean Bowe, Ariel Gabizon, and Ian Miers, who are scientists and engineers at the Zcash Company. This ceremony produced a partial common reference string (CRS) for Jens Groth's pairing-based zk-SNARK scheme — the current state-of-the-art in performance. This CRS supports arithmetic circuits with up to 2^21 multiplication gates.

The correctness of the proofs which use these parameters require that at least one participant of the Powers of Tau ceremony destroyed some randomness they sampled during their part of the ceremony. The protocol guarantees zero-knowledge of the resulting proofs, even if all participants were compromised.

Verification of the Protocol

The integrity of the resulting parameters can only be determined through public review of the process and artifacts of the ceremony.

  • The ceremony was originally described in a blog post here, and was coordinated by Sean Bowe (an employee of the Zcash Company) and later by Jason Davies (a member of the Zcash community). People were encouraged to post to a mailing list if they wanted to participate, or to contact the coordinator privately to arrange a time to participate.
  • All of the participants were encouraged to write an attestation of what took place and publish it afterwards, ideally to the mailing list. We are hosting these attestations here. In total, there were 87 contributions to the ceremony, including participation from cryptographers and members of the crypto and cryptocurrency communities.
  • We have published a transcript of the protocol which can be used to verify the protocol was correctly executed and can also be used to reproduce the final parameters.
  • We have pre-printed a paper describing the MPC protocol.
  • The ceremony depends on a pairing-friendly elliptic curve construction designed specifically for high-performance and high-security zk-SNARKs. Our choice of this curve and its parameters is explained in our paper.
  • We published tools, written in Rust, which many participants used during their part of the ceremony. These tools also allow the public to evaluate the correctness of the transcript and the final parameters.
  • Several participants used an independent implementation of the software written by Filippo Valsorda. A trusted build-chain was also developed by Devrandom.

Assuming the cryptography is sound, the only way for the final parameters to be compromised is if every participant colluded or were all compromised. By involving a large set of diverse and reputable participants, it becomes unrealistic for all of them to be compromised. By encouraging participants to take their own initiative and making the process as flexible as possible, we reduced the risk that all participants could be compromised by the same attack vectors.

We'd like to thank all of the participants and community members who played a part in the process, from the participants, to witnesses on the mailing list and reviewers and verifiers of the ceremony artifacts.

Future Work

Anybody can use the Powers of Tau parameters to perform their own MPC for zk-SNARK parameters, using the phase2 library. As an example, the Zcash Company will be doing a multi-party computation for the Sapling zk-SNARK parameters.

The Zcash Foundation intends to promote future ceremonies, as well as extensions of Powers of Tau that may adopt larger circuit bounds or alternative elliptic curves. If you're interested, please join our mailing list!