September 11, 2019
Announcing the Perpetual Powers of Tau Ceremony to benefit all zk-SNARK projects
The Ethereum community has responded positively to our technical blog post about Semaphore, a zero-knowledge signalling gadget built on Ethereum. This post is an update about our next major step: the launch of a multi-party trusted setup we dub the Perpetual Powers of Tau Ceremony.
Passing a baton. Image source: Wikimedia Commons
Why is this necessary?
Anyone who deploys a zk-SNARK circuit to production must perform a computation called a trusted setup in order to generate a proving key and verifying key. Unfortunately, this process also produces a piece of data called toxic waste which must be discarded, as it can be used to produce fake proofs and thereby violate the security of the system. To solve this, the trusted setup can be performed using a special cryptographic ceremony in which multiple participants each take turns to perform a computation.
The final result of all the computations can be trusted as long as just one participant ensures that they securely discard their toxic waste. The Zcash cryptocurrency project famously performed such a ceremony in 2017, and explained how this property enhanced its trustworthiness:
The Powers of Tau ceremony proceeds in turns, one turn for each participant… The result of each computation is then added to a public transcript, so that the entire protocol can be publicly verified. As long as one participant successfully destroys their randomness when they’re finished, the resulting parameters are secure. As more and more participants are added, it becomes unlikely that an adversary could have compromised everyone. This is especially true as participants have enormous flexibility in the counter-measures they employ.
Note that each zk-SNARK project requires two phases of parameter generation, and Perpetual Powers of Tau can only replace the first phase for all projects. The second phase circuit-specific, and is the responsibility of individual teams. Nevertheless, each ceremony takes time and is tedious to coordinate. Moreover, zk-SNARK projects built on Ethereum cannot use the parameters generated by Zcash’s ceremony due to particular cryptographic incompatibilities. As such, it is necessary to run a new ceremony.
The solution is to run a new phase-one ceremony for the entire community and thereby reduce the burden on all teams, including zk-SNARK scaling solutions (such as iden3 rollup, Matter Network, and Loopring) and mixers like Tornado Cash. Moreover, this ceremony will be perpetual — that is, there is no limit to the number of participants required, and any zk-SNARK project can pick any point of the ceremony to begin their circuit-specific second phase.
We have begun the ceremony, and are actively seeking participants to join in.
Each participant will receive a challenge file, and must generate a response file in a secure and honest manner. As long as one participant discards the toxic waste after this process, the entire ceremony can be trusted.
Each round takes about 24 hours on a fast machine, and requires a 97G download and 49G upload. We recognise that this is cumbersome for many, and is also significantly more time- and space-intensive than other Powers of Tau ceremonies. Yet, we want to support as many zk-SNARK circuits as possible, including those which a large number of constraints. In particular, roll_up requires more than 260 million constraints; as such, the ceremony must compute 2 ^ 28 powers of tau, which explains why it is so heavy.
There is a central coordinator (myself) who works with Kobi Gurkan and Barry WhiteHat to manage logistics, determine the order of participants, and maintain a record of all contributions. Although the coordinator has a great deal of influence over the process, they do not need to be fully trusted. Anyone can verify the public transcript of the ceremony, which is the whole set of challenge files, response files, and cryptographically signed attestations per participant. The coordinator, however, could censor participants, and the community should watch them to make sure that they do not. This is why there is a public mailing list where interested parties can coordinate to schedule their involvement.
We host attestations and participation instructions on this Github repository. Interested members of the community should join the mailing list to get involved. We are excited to continue the Perpetual Powers of Tau ceremony and we thank everyone in advance for their help.