Skip to content

Latest commit

 

History

History
109 lines (70 loc) · 5.11 KB

README.md

File metadata and controls

109 lines (70 loc) · 5.11 KB

Powers of Tau

Original story

This is a multi-party computation (MPC) ceremony which constructs partial zk-SNARK parameters for all circuits up to a depth of 221. It works by taking a step that is performed by all zk-SNARK MPCs and performing it in just one single ceremony. This makes individual zk-SNARK MPCs much cheaper and allows them to scale to practically unbounded numbers of participants.

This protocol is described in this paper. It produces parameters for an adaptation of Jens Groth's 2016 pairing-based proving system using the BLS12-381 elliptic curve construction. The security proof relies on a randomness beacon being applied at the end of the ceremony.

Contributions

Extended to support Ethereum's BN256 curve and made it easier to change size of the ceremony. In addition proof generation process can be done in memory constrained environments now.


To run the ceremony on your machine:

  1. Preparation:
$ rustup update # tested on rustup 1.24.3 and rustc 1.55.0
$ cargo build --release
  1. Put the challenge and response file from the previous ceremony to root directory.
  2. To generate new_challenge run:
$ cargo run --release --bin verify_transform_constrained challenge response new_challenge 21 256
  1. Run ceremony:
$ cargo run --release --bin compute_constrained new_challenge new_response 21 256

Put your hash from output response to private gist (example: https://gist.github.com/skywinder/c35ab03c66c6b200b33ea2f388a6df89)

  1. Reboot your machine to clean up toxic waste.

  2. Save the newly generated response file and give it to the next participant.

Recommendations from original ceremony

Participants of the ceremony sample some randomness, perform a computation, and then destroy the randomness. Only one participant needs to do this successfully to ensure the final parameters are secure. In order to see that this randomness is truly destroyed, participants may take various kinds of precautions:

  • putting the machine in a Faraday cage
  • rebooting the machine afterwards
  • rebooting the machine afterwards and disconnecting RAM
  • destroying the machine afterwards
  • running the software on secure hardware
  • not connecting the hardware to any networks
  • using multiple machines and randomly picking the result of one of them to use
  • using different code than what we have provided
  • using a secure operating system
  • using an operating system that nobody would expect you to use (Rust can compile to Mac OS X and Windows)
  • using an unusual Rust toolchain or alternate rust compiler
  • lots of other ideas we can't think of

It is totally up to the participants. In general, participants should beware of side-channel attacks and assume that remnants of the randomness will be in RAM after the computation has finished.

Perpetual Powers of Tau

In this section we are going to use a response from Perpetual Powers of Tau to prepare for a circuit-specific ceremony (also known as phase 2).

1. Pick a response

At the time of writing this, the last response was https://github.com/privacy-scaling-explorations/perpetualpowersoftau/tree/master/0074_daniel_response

2. Reduce powers

Perpetual Powers of Tau supports circuits of up to 2^28 (260+ million) constraints. We can reduce the parameters to the power of our choice. In this example, we will reduce the power to 21 (up to 2M constraints).

$ cargo run --release --bin reduce_powers challenge_0075 challenge_reduced 28 21 256

3. Apply a random beacon

To finalize the setup, we apply a random beacon to the final challenge. In this example, we are going to use an ethereum block height 16627102 with a corresponding hash 0x171147a580764b8445aa1deaeedf8a81436ca1c9c447612e198cb41376aec3a6. The process and code for calculating the beacon value should be announced before the block appears.

$ cargo run --release --bin beacon_constrained challenge_reduced response_final 21 256 171147a580764b8445aa1deaeedf8a81436ca1c9c447612e198cb41376aec3a6 10

4. Prepare phase 2

$ cargo run --release --bin prepare_phase2 response_final 21 256

This command will generate parameters for various circuit depths which we can use in the phase 2.

License

Licensed under either of

at your option.

Originally forked from phase2-bn254

Contribution

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.