given that sharding will very likely use KZG commitments and those require a trusted setup, with the Merge now on the horizon, let’s start talking about the setup.
my initial thoughts:
can we start collecting participants now to have a wide enough scale by the time the MPC ceremony is due?
can the setup incorporate the results from any previous trusted setups (like Zcash’s Powers of Tau, Aztec’s Ignition, Tornado Cash’s setup) to lower the chances of a reconstructed private key?
what is the greatest possible damage that someone with a reconstructed private key can do to a sharded Ethereum? can we parametrize the extent of this damage?
if every participant computes the MPC with the same client, the MPC has a single point of failure (which is, ironically, what an MPC is supposed to guard against). not least in the spirit of a multi-client Ethereum, I think this setup is critical enough to warrant multiple implementations on multiple CPU architectures.
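To make the questions in the post above concrete (chaining a new ceremony onto an earlier transcript, what a reconstructed secret lets an attacker do, and why one honest participant is enough), here is an added example that is not code from this thread, from any Ethereum client, or from any real ceremony software. It runs a toy Powers of Tau "in the exponent": real ceremonies publish group elements g1^(tau^i) and g2^tau and check them with pairings, whereas here every value is the scalar that would sit in the exponent, so tau is visible to the reader but the algebra the pairing check enforces is the same. The field order is the BLS12-381 scalar field (the curve assumed for KZG here); the participant secrets and the polynomial are constructed for the demo.

```python
"""Toy Powers-of-Tau ceremony plus KZG opening/forgery, computed in the scalar field.

Added example. Real setups hide tau inside group elements; here the scalars are
in the clear so the reader can follow the algebra. Secrets are constructed.
"""

# Order of the BLS12-381 scalar field, i.e. the size of the group the SRS lives in.
R = 0x73EDA753299D7D483339D80809A1D80553BDA402FFFE5BFEFFFFFFFF00000001


def initial_powers(degree):
    """SRS before any contribution: tau = 1, i.e. [g, g, g, ...] in the group."""
    return [1] * (degree + 1)


def contribute(powers, secret):
    """One participant maps element i to element_i * secret^i.

    In the group this is P_i -> P_i^(secret^i), which turns tau into tau*secret
    without anyone learning either value. The participant then deletes `secret`.
    """
    if not 0 < secret < R:
        raise ValueError("secret must be a non-zero scalar mod R")
    return [(p * pow(secret, i, R)) % R for i, p in enumerate(powers)]


def run_ceremony(secrets, degree, start=None):
    """Sequential MPC: each contribution is applied to the previous output.

    `start` lets a ceremony build on an earlier transcript; this only makes
    sense when both transcripts are over the same curve.
    """
    powers = list(start) if start is not None else initial_powers(degree)
    for s in secrets:
        powers = contribute(powers, s)
    return powers


def reconstruct_tau(leaked_secrets):
    """Attacker's view: the product of every secret they obtained.

    Equals the real tau only if *every* participant's secret leaked; one honest
    participant who deleted theirs keeps tau unknown.
    """
    tau = 1
    for s in leaked_secrets:
        tau = (tau * s) % R
    return tau


def commit(powers, coeffs):
    """KZG commitment C = sum c_i * tau^i (prod P_i^{c_i} in the group)."""
    if len(coeffs) > len(powers):
        raise ValueError("polynomial degree exceeds the SRS")
    return sum(c * p for c, p in zip(coeffs, powers)) % R


def evaluate(coeffs, z):
    return sum(c * pow(z, i, R) for i, c in enumerate(coeffs)) % R


def open_at(powers, coeffs, z):
    """Honest opening: y = p(z), proof = commit(q) where q = (p(x) - y) / (x - z)."""
    y = evaluate(coeffs, z)
    a = list(coeffs)
    a[0] = (a[0] - y) % R                 # p(x) - y vanishes at z, so (x - z) divides it
    q = [0] * (len(a) - 1)
    carry = 0
    for i in range(len(a) - 1, 0, -1):    # synthetic division by (x - z)
        carry = (a[i] + z * carry) % R
        q[i - 1] = carry
    assert (a[0] + z * carry) % R == 0, "remainder must vanish"
    return y, commit(powers, q)


def verify(powers, commitment, z, y, proof):
    """Verifier uses only public SRS data: powers[1] stands in for g2^tau.

    The pairing check e(C - y*g1, g2) == e(proof, g2^tau - z*g2) is exactly this
    identity in the exponent.
    """
    tau_public = powers[1]
    return (commitment - y) % R == (proof * (tau_public - z)) % R


def forge_proof(tau, commitment, z, fake_y):
    """With a reconstructed tau, solve the verification equation for the proof,
    so any claimed value verifies against any commitment (binding is gone)."""
    return ((commitment - fake_y) * pow(tau - z, -1, R)) % R


def demo():
    degree = 4
    secrets = [0x1234567, 0x0BADC0DE5EED, 0xC0FFEE0123]   # constructed, three participants
    srs = run_ceremony(secrets, degree)
    tau = reconstruct_tau(secrets)                        # attacker got all three
    partial = reconstruct_tau(secrets[:2])                # attacker missed the last one
    coeffs = [3, 1, 4, 1, 5]                              # p(x) = 3 + x + 4x^2 + x^3 + 5x^4
    z = 7
    C = commit(srs, coeffs)
    y, proof = open_at(srs, coeffs, z)
    fake_y = (y + 1) % R
    fake_proof = forge_proof(tau, C, z, fake_y)
    return {
        "srs_matches_tau": srs[1] == tau,
        "partial_leak_recovers_tau": partial == tau,
        "honest_opening_verifies": verify(srs, C, z, y, proof),
        "honest_rejects_wrong_value": verify(srs, C, z, fake_y, proof),
        "forged_opening_verifies": verify(srs, C, z, fake_y, fake_proof),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The forgery is the answer to "greatest possible damage": whoever holds tau can open any commitment to any value, so every evaluation proof built on that SRS becomes worthless, independent of how many participants there were. The `partial` check is the flip side: missing even one participant's secret leaves the attacker with an unrelated scalar, which is why adding contributors costs nothing in security and why each participant's client and hardware independently destroying its secret matters. The `start` parameter models chaining onto an earlier transcript, which only works when the earlier ceremony used the same curve.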
There is the Perpetual Powers of Tau project that I believe Tornado Cash used, although it’s been some months since that repository was updated so I’m unsure of the current status. It’s unnecessary to use an MPC for this, but it would be neat if someone made a contribution to it in an MPC using a heterogeneous set of computers they operated themselves.
Edit: Actually, I’m not sure which curve is planned to be used for the KZG commitment, I’m assuming BLS12-381 but PPoT is only BN254.
nice catch, this is what I hazily remembered. from what I see Tornado Cash did use a PoT ceremony but I’m not sure it’s perpetual. and yes, their curve was also BN254.
FYI, the repo you linked to doesn’t contain every contribution to that ceremony, the total was a bit over 1000.
even if sharding could use this ceremony, why do you think an MPC is unnecessary? I have great respect for many of the known PPoT participants, but Ethereum mainnet consensus is something the human civilization may rely upon for centuries. guarantees should be as solid as possible. community members deserve a chance to take part in the security of the cryptography, and there’s not much to lose by adding more participants. commissioning a single participant to set up computers is no different trust-wise from adding just a single participant.