March 4, 2020

Release announcement: Semaphore, a zero-knowledge gadget for Ethereum

A train signal. Source: Wikimedia

We are excited to announce that Semaphore, a generic privacy layer for Ethereum applications based on zk-SNARKs, has been fully audited and is now available for developers to build upon. This open-source library allows any user to signal their endorsement of an arbitrary string, revealing only that they have been previously approved to do so, and not their specific identity. Developers can use it to build distributed applications such as mixers, anonymous voting, and whistleblowing platforms (read more here). Semaphore can also be applied off-chain for anonymous authentication and rate-limiting spam prevention.

As Semaphore is open source and generic, developers can save time otherwise spent on writing and auditing code to produce zero-knowledge proofs, which require deep expertise. Additionally, Semaphore saves teams the trouble of performing their own zk-SNARK trusted setup, as the Semaphore team will soon complete a multi-party trusted setup and make all required files freely available.

For a high-level overview of Semaphore, and the necessary context behind this post, please read this introductory blog post: To Mixers and Beyond: presenting Semaphore, a privacy gadget built on Ethereum.

Security audit

With the generous support of the Ethereum Foundation and POA Network, the Semaphore team commissioned ABDK Consulting to perform a security audit of the formal specification, Solidity smart contracts, and zk-SNARK circuit code which together comprise Semaphore. After three rounds of fixes and reviews, the team resolved all security and efficiency issues which the auditors uncovered. The audit also included a significant part of circomlib, the set of gadgets written in the Circom language, which may be useful for other use-cases as well.

Semaphore’s specification and full audit report will be published when ready. In the meantime, the audited source code can be found here.

Trusted setup

The final step before Semaphore is production-ready is phase 2 of a multi-party trusted setup for its zk-SNARK circuit. This will generate the proving and verifying keys required to produce and verify proofs. As long as one party in the ceremony behaves honestly by discarding the toxic waste produced by the process, and their equipment is not compromised, the entire setup is trustworthy.

The team will use the response from the latest participant in the Perpetual Powers of Tau ceremony, and apply a random beacon to it. This random beacon will be the Ethereum block hash of a pre-announced block in the future, with an iterated hash and a verifiable delay function (VDF) applied to it. At best, the VDF will ensure that no ceremony participants can easily predict the output of the beacon (e.g., by colluding with a miner to produce a block hash which they prefer), and at worst, the VDF will not decrease the security of the random beacon. Moreover, we apply the random beacon only out of an abundance of caution and as an educational exercise, as research by Mary Maller shows that the random beacon is not required in the generic group model, a cryptographic model on which Groth16, the proof system Semaphore uses, already relies. Stay tuned for an announcement about the details of the random beacon.

As Semaphore can be thought of as a generic base layer on which applications are built, we expect that various use-cases will be able to benefit from this setup.

Finally, the team will invite members of the Ethereum community and the general public to participate in the Semaphore-specific trusted setup ceremony. Each round takes less than a minute on a modern laptop, and requires less than 50 MB of data transfer. Please contact Wei Jie (via Telegram: @weijiek) to volunteer.

Build on Semaphore today

We invite the Ethereum community to build dApps on Semaphore and explore its full potential. If you have an idea for an application whose use case involves privacy or anonymity, Semaphore may fit your needs. Projects we would love to see built include private DAOs, private social recovery mechanisms, and integrations with existing platforms or apps. Feel free to get in touch with us in the Semaphore Society Telegram chat group.

Credits

Semaphore was built by members of the Ethereum Foundation’s Applied ZKP team, with the invaluable support and technical assistance of Chih Cheng Liang, Harry Roberts, ABDK Consulting, Jordi Baylina, PepperSec, and POA Network. Additionally, much of its design was inspired by Zcash and greatly benefited from their pioneering work on zero-knowledge cryptographic primitives.

Release announcement: Semaphore, a zero-knowledge gadget for Ethereum - March 4, 2020 - Koh Wei Jie