celo-org / celo-bls-snark-rs

Implements SNARK-friendly BLS signatures
https://celo.org
Apache License 2.0

Phase 2 setup random beacon #227

Open kobigurk opened 2 years ago

kobigurk commented 2 years ago

As part of the Groth16 Phase 2 setup for Plumo, we apply a public random beacon value as the last contribution. As described in the MMORPG paper, a random beacon is applied to the SRS in order to randomize secret values and prevent adaptive attacks. This value must not be known by the adversary before the contributions finish and they must not be able to influence it.

While recent works have shown that the random beacon is not required in some models, there's no major downside in applying it.

We will use the drand random beacon, which generates a random value every 30 seconds. At the time of writing, the data returned from the /public/latest API call is:

{"round":1332726,"randomness":"6e29d4a2f65bdfd86df01032df9c4194453ebd69d05fc2527e844b86198e041a","signature":"84aaed1414447d10026cff1f9ff8173465225b1c97527d6d4ec3d65fad7aa3d9e567196809ef314b5c0b4084bb2612f9153a439aa22487c7e87d0f63791e8e2199ffed80465dd2e3dc38c98d7bab9d907e1a10926b6de9a86f26476258bea981","previous_signature":"92686e63689b6bf423459fa03fc1ae6443b715ab2c9c1e20798bc5a29fecffae630701b261d1d0c07a26795763c47e4205911c2b849a3adfb82c04c3b1a6a052c5e5588ed5e000e859552533744928583330966bf657774baccdb81cc840ba1b"}

We will take the value at round 1335566, which will occur around October 29th 9am UTC and apply it using apply_beacon from commit 9b77e277fab2df787b46974bb503c3240ec47a5f. Later on, it can be verified by others using version 1.2.2 of verify_transcript in snark-setup-operator.

The value will be obtained using the public/{round} API call and will be posted here.

The value can be verified using drand-client, which can be obtained as follows.

git clone https://github.com/drand/drand
cd drand
git checkout a2ba475cc77ad51f6470a1099d422cf25055f19c
make drand-client

Then it can be obtained as follows.

./drand-client --url https://api.drand.sh --chain-hash 8990e7a9aaed2ffed73dbd7092123d6f289930540d7651336225dc172e51b2ce --round 1335566

Note that this call also verifies the value matches the public key and chain. 8990e7a9aaed2ffed73dbd7092123d6f289930540d7651336225dc172e51b2ce is the chain hash of the main drand deployment.


The above announcement as a file with b2sum hash 662c15e7208c81f57a43d7f695097b607427de9e3c42c98a9fceda8df639745ef0d3fd37432e16abb15e1d1c327a6d1eb2b60b634e7324e52a12b121903a4193

random_beacon_phase_2.txt

Concretely, we will apply the beacon with a modified version that takes a shortcut rather than verifying the entire transcript, but produces the same output as 1.2.2.

For reference, the output of Phase 2 is the output of round 10, and the combined contribution has hash 22cf829b8a62591a1397f734127fa283a1658aeb36b3e519d830950452e16b40042f1e41a91ab89f432e87c69281ec47ba61f37bc35615b5dc45b5de48ace027 .

kobigurk commented 2 years ago

Value has been obtained!

{"round":1335566,"randomness":"50e6fa2d3e8ed9613bda92005c72193ebd6d0443d3c1b092ad9f569e531cc176","signature":"b5889a6a70ff26b96f069c351593118113cb097be35f33924bcfd28ed55aec1147014d3f320a76b2f7b65f3bf7e777dc0acb1c71897f9986e7c394380aa422478e6c4d39845931aee0fee2fabbf3ea14eac52069342ab7a0aa3659e3bb71fd2f","previous_signature":"a2978c22c40593c5eac29de7f443e107f9956ed2b4d352c2343c4050d2a201c79e99e66389e1db146c489738cb8ec97a1274c91c95cd748feca75b4d15d83247e827944a798049665736a754b1a0a7ebedc8e69b334aa74e25c049d590a7252b"}

Applying it now.
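
An offline consistency check for a posted beacon value, as an added example that is not part of the original issue or the project's code. It assumes drand's chained-beacon rules (randomness is SHA-256 of the signature, and the signature covers SHA-256(previous_signature || round)); the names `check_beacon`, `signed_message` and `constructed_record` are hypothetical. It does not verify the BLS signature against the chain's public key, which is what the `drand-client` call does.

```python
import hashlib
import json
import sys

ANNOUNCED_ROUND = 1335566  # round committed to in the announcement above


def signed_message(record):
    """Digest a chained drand signature covers:
    SHA-256(previous_signature || round as 8-byte big-endian)."""
    prev = bytes.fromhex(record["previous_signature"])
    return hashlib.sha256(prev + record["round"].to_bytes(8, "big")).digest()


def check_beacon(record, expected_round=ANNOUNCED_ROUND):
    """Return a list of problems; an empty list means the offline checks passed."""
    problems = []
    # The beacon is only useful if it comes from the round fixed in advance.
    if record.get("round") != expected_round:
        problems.append(
            f"round {record.get('round')} is not the announced round {expected_round}")
    try:
        sig = bytes.fromhex(record["signature"])
        rnd = bytes.fromhex(record["randomness"])
        bytes.fromhex(record["previous_signature"])
    except (KeyError, ValueError, TypeError) as exc:
        return problems + [f"malformed record: {exc!r}"]
    # drand derives the published randomness by hashing the signature.
    if hashlib.sha256(sig).digest() != rnd:
        problems.append("randomness is not SHA-256(signature)")
    return problems


def constructed_record(round_no=ANNOUNCED_ROUND):
    """Constructed sample: made-up signature bytes, not a real drand signature."""
    sig = bytes(range(96))
    return {
        "round": round_no,
        "randomness": hashlib.sha256(sig).hexdigest(),
        "signature": sig.hex(),
        "previous_signature": bytes(96).hex(),
    }


if __name__ == "__main__":
    # Pass a file holding the posted JSON; without one the constructed sample is used.
    rec = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else constructed_record()
    issues = check_beacon(rec)
    print("\n".join(issues) if issues else "offline checks passed")
```
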

kobigurk commented 2 years ago

It's been done for some time, and we finally publish it :)

The resulting prover key has hash 22035ed1c5cee93b1b85ea05888e0be63295668088bc1486928b49510c1717fed18b0156e44ee581bd82b67771af47606932bb37a090a9737e56f29803a9acb5.