search

celo-org / celo-bls-snark-rs

Implements SNARK-friendly BLS signatures
https://celo.org
Apache License 2.0
83 stars 24 forks source link

Phase 1 setup random beacon #220

Open kobigurk-clabs opened 3 years ago

kobigurk-clabs commented 3 years ago

As part of the Groth16 Phase 1 setup for Plumo, we apply a public random beacon value as the last contribution. As described in the MMORPG paper, a random beacon is applied to the SRS in order to randomize secret values and prevent adaptive attacks. This value must not be known by the adversary before the contributions finish and they cannot be able to influence it.

While recent works have shown that the random beacon is not required in some models, there's no major downside in applying it.

We will use the drand random beacon, that generates a random value every 30 seconds. At the time of writing, the data returned from the info API call is:

{"round":919149,"randomness":"829a8e43629428b8ef4a0d84a8f4f6abaa52b2d6fe845d9f6e62ce211a3232f2","signature":"b5ada8d4e5275ff59acd871907e749b33e009e267334401b6bc8408f2bf28f33df64fc2400bedcf056d3450596d439610b586d2a413fd74c0f2fef939f805cedad29f10816a6c5fd882f6a56d3fb521b2b1282e14a0b31ec093718a4863b9591","previous_signature":"b7806871acb83a3edd43660824ac56b658a718bc2086dc58b5b890418a702d0b51f5140ea23eb9bf55b81d3808258df913c93ddbe42586f9e9fd5ae97c9b5353845484efd036a4822f5cc475fb6e0ffb17324ce30fbc62aade20e7ab721e476f"}

We will take the value at round 923709, which will occur around June 8th 9am UTC and apply it directly using version 1.2.1 of verify_transcript in snark-setup-operator.

The value will be obtained using the public/{round} API call and will be posted here.

The value can be verified using drand-client, which can be obtained as follows.

git clone https://github.com/drand/drand
cd drand
git checkout a2ba475cc77ad51f6470a1099d422cf25055f19c
make drand-client

Then it can be obtained as follows. ./drand-client --url https://api.drand.sh --chain-hash 8990e7a9aaed2ffed73dbd7092123d6f289930540d7651336225dc172e51b2ce --round 923709. Note that this call also verifies the value matches the public key and chain. 8990e7a9aaed2ffed73dbd7092123d6f289930540d7651336225dc172e51b2ce is the chain hash of main drand deployment.

kobigurk commented 3 years ago

The announcement as a file with hash 03b909b9fb7f8f09d44402aac97676b148a84155e801c05e36ed4f988246514e53f89de1e74c88367a30a5e8014d870c4623b077510f15e80fc98cec756a819a

random_beacon.txt

kobigurk commented 3 years ago

Concretely, we will apply the beacon with a modified version that takes a shortcut rather than verifying the entire transcript, but produces the same output as 1.2.1.

kobigurk commented 3 years ago

For reference, the output of Phase 1 is the output of round 8, and the combined contribution has hash d84048c48de5eac702984fc6bee7e10f2853f92f4feef6d649c9d5cb337cefe8928b1ba524859d52940c1df04c183209584a275f69bb689e7765c6f268b53900.

kobigurk commented 3 years ago

Value has been obtained!

{"round":923709,"randomness":"57794ada50a068cab08dd4c62866180ef7ffc42b82fa223d7d9e6f910dea6ac9","signature":"866370764c610a37d76c64e6238b38e810d77675271d505a990fbcc7ef04b24fcd202df08ff83dd57b72a90ec9668e34112ed645f393cccef89f57e83e5394a01106bf01a5ed4df46988f42b76ee35d28a70bc923a1b815d28dc02ad8ac2f5ce","previous_signature":"b029859887d232d51638c481b6462620ef47b093bcc0387c63acb493fb07fc8946a72c05cf6afc386defa102d48df06613e6cf9dcd5d6542f864c7dda6177d7a532b15004e12b2dc4b91b2a4da04e99a5c57e7ed908f6e16b3aacf03a13539f3"}

Applying it now.

kobigurk commented 3 years ago

The beacon has been applied. The resulting file has b2sum hash of 06d108d8a0abbc4e0c22b2e387cc62ae592a5f25ac04c471037fa027a837c2d5c3f0854682a3269f15276d0dc7b13ef7fb2bc030e35a00bbaa76508919ff5ade.