Announcing the Perpetual Powers of Tau Ceremony to benefit all zk-SNARK projects

Koh Wei Jie
Sep 11, 2019 · 4 min read

The Ethereum community has responded positively to our technical blog post about Semaphore, a zero-knowledge signalling gadget built on Ethereum. This post is an update about our next major step: the launch of a multi-party trusted setup we dub the Perpetual Powers of Tau Ceremony.

Passing a baton. Image source: Wikimedia Commons

Why is this necessary?

Anyone who deploys a zk-SNARK circuit to production must perform a computation called a trusted setup in order to generate a proving key and verifying key. Unfortunately, this process also produces a piece of data called toxic waste which must be discarded, as it can be used to produce fake proofs and thereby violate the security of the system. To solve this, the trusted setup can be performed using a special cryptographic ceremony in which multiple participants each take turns to perform a computation.

The final result of all the computations can be trusted as long as just one participant ensures that they securely discard their toxic waste. The Zcash cryptocurrency project famously performed such a ceremony in 2017, and explained how this property enhanced its trustworthiness:

Note that each zk-SNARK project requires two phases of parameter generation, and Perpetual Powers of Tau can only replace the first phase for all projects. The second phase is circuit-specific, and is the responsibility of individual teams. Nevertheless, each ceremony takes time and is tedious to coordinate. Moreover, zk-SNARK projects built on Ethereum cannot use the parameters generated by Zcash’s ceremony due to particular cryptographic incompatibilities. As such, it is necessary to run a new ceremony.

The solution

The solution is to run a new phase-one ceremony for the entire community and thereby reduce the burden on all teams, including zk-SNARK scaling solutions (such as iden3 rollup, Matter Network, and Loopring) and mixers like Tornado Cash. Moreover, this ceremony will be perpetual — that is, there is no limit to the number of participants required, and any zk-SNARK project can pick any point of the ceremony to begin their circuit-specific second phase.


We have begun the ceremony, and are actively seeking participants to join in.

Each participant will receive a challenge file, and must generate a response file in a secure and honest manner. As long as one participant discards the toxic waste after this process, the entire ceremony can be trusted.
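The update rule behind each challenge/response round, as an added toy example (not code from the ceremony or its repository): each participant raises entry i of the accumulator to s^i, so the final tau is the product of all secrets and stays unknown if any one secret is discarded. The group parameters, function names and secrets are assumptions chosen for illustration; the real ceremony works over pairing-friendly curve groups, and its transcript checks are not modelled here.

```python
# Toy Powers of Tau accumulator. Added example, not the ceremony's software.
# Assumption: a tiny Schnorr group replaces the elliptic-curve groups a real
# ceremony uses, so these parameters provide no security whatsoever.
import secrets

P = 2039       # safe prime, P = 2*Q + 1
Q = 1019       # prime order of the subgroup of squares mod P
G = 4          # generator of that subgroup
N_POWERS = 8   # the real ceremony computes 2^28 powers

def initial_accumulator():
    """Start with tau = 1, so every entry g^(tau^i) is just g."""
    return [G] * N_POWERS

def contribute(acc, s):
    """Apply one participant's secret s: g^(tau^i) becomes g^((tau*s)^i)."""
    return [pow(elem, pow(s, i, Q), P) for i, elem in enumerate(acc)]

def run_ceremony(participant_secrets):
    """Chain contributions; each round's output is the next round's input."""
    acc = initial_accumulator()
    for s in participant_secrets:
        acc = contribute(acc, s)
    return acc

def combined_tau(participant_secrets):
    """The toxic waste: the product of every participant's secret mod Q."""
    tau = 1
    for s in participant_secrets:
        tau = tau * s % Q
    return tau

def powers_of(tau):
    """Reference vector that only someone who knows tau can compute directly."""
    return [pow(G, pow(tau, i, Q), P) for i in range(N_POWERS)]

if __name__ == "__main__":
    # Constructed secrets; a real participant samples theirs and deletes it.
    s = [secrets.randbelow(Q - 2) + 2 for _ in range(3)]
    final = run_ceremony(s)
    # Knowing every secret reproduces the ceremony output.
    print(final == powers_of(combined_tau(s)))
    # With the middle secret discarded, the other two no longer reproduce it.
    print(final == powers_of(combined_tau([s[0], s[2]])))
```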

Each round takes about 24 hours on a fast machine, and requires a 97G download and 49G upload. We recognise that this is cumbersome for many, and is also significantly more time- and space-intensive than other Powers of Tau ceremonies. Yet, we want to support as many zk-SNARK circuits as possible, including those which have a large number of constraints. In particular, roll_up requires more than 260 million constraints; as such, the ceremony must compute 2^28 powers of tau, which explains why it is so heavy.

There is a central coordinator (myself) who works with Kobi Gurkan and Barry WhiteHat to manage logistics, determine the order of participants, and maintain a record of all contributions. Although the coordinator has a great deal of influence over the process, they do not need to be fully trusted. Anyone can verify the public transcript of the ceremony, which is the whole set of challenge files, response files, and cryptographically signed attestations per participant. The coordinator, however, could censor participants, and the community should watch them to make sure that they do not. This is why there is a public mailing list where interested parties can coordinate to schedule their involvement.

We host attestations and participation instructions on this GitHub repository. Interested members of the community should join the mailing list to get involved. We are excited to continue the Perpetual Powers of Tau ceremony and we thank everyone in advance for their help.
