Hi everyone!

On Wed, Nov 8, 2017 at 10:04 PM, Sean Bowe via zapps-wg <zapps...@lists.z.cash.foundation> wrote:
> Ariel Gabizon, Ian Miers and I have just published a new paper detailing a
> multi-party computation (MPC) protocol for constructing zk-SNARK public
> parameters.
>
> https://eprint.iacr.org/2017/1050
>
> The highlights are:
>
> * It allows for a single, gigantic ceremony to take place for all possible
> zk-SNARK circuits within a given size bound. The results of this ceremony
> are partial zk-SNARK parameters for the entire community. We call this
> communal ceremony the Powers of Tau.
> * If you want to use zk-SNARKs in your protocols, you still have to do an
> MPC for your circuit. But because of the Powers of Tau ceremony, your
> ceremony is much cheaper to perform and the costs per-participant scale
> linearly with respect to the circuit complexity.
> * The best part is that the Powers of Tau and these circuit-specific MPCs
> can scale to hundreds/thousands of participants. As the number of
> participants grows, it becomes unrealistic that all of them could be
> compromised.

If I understand that correctly, the randomness beacon is invoked only once at the end of the Powers of Tau ceremony. A header hash of a recent block in a blockchain of course comes to mind here, especially as the paper claims that some limited control by an adversary is acceptable. What exactly is planned to be used there?

Best,
Christian.
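To make the quoted mechanism concrete, below is a toy model of the Powers of Tau accumulator and of the single beacon step Christian asks about: every participant multiplies the hidden exponent tau by a fresh secret, and the beacon is folded in once, as the last contribution. This is an added example, not code from the paper, from the zapps-wg thread, or from any Zcash implementation. The small safe-prime group, the iterated-SHA-256 beacon derivation, the round count and the "block header" string are all assumptions made here for illustration; the real ceremony runs over pairing-friendly curves and derives its beacon scalar differently.

```python
"""Toy Powers of Tau accumulator with a final randomness beacon contribution.

Added example, not code from the paper or the zapps-wg thread. The group,
the hash-to-scalar rule and the beacon bytes are assumptions for illustration.
"""
import hashlib
import secrets

# Toy group: the order-q subgroup of Z_p^* for the safe prime p = 2q + 1.
# The real ceremony uses pairing-friendly elliptic curves; a plain discrete-log
# group is enough to show how contributions compose (assumption).
P = 1019
Q = (P - 1) // 2           # 509, prime: scalars live in Z_q
G = 4                      # 2^2, so G lies in the order-q subgroup
N_POWERS = 8               # accumulator holds g^(tau^i) for i = 0 .. N_POWERS-1


def initial_accumulator(n=N_POWERS):
    """Before anyone contributes tau = 1, so every entry is g^1."""
    return [G] * n


def contribute(acc, s):
    """Apply a participant's secret s: g^(tau^i) -> g^((tau*s)^i) = (g^(tau^i))^(s^i).

    Exponents are reduced mod q because every element has order q.
    """
    assert 1 <= s < Q, "secret must be a non-zero scalar mod q"
    return [pow(a, pow(s, i, Q), P) for i, a in enumerate(acc)]


def random_secret():
    """Fresh, uniformly random non-zero scalar for a participant."""
    return secrets.randbelow(Q - 1) + 1


def beacon_scalar(beacon, rounds=1000):
    """Derive the public final contribution from a beacon value, e.g. a block
    header hash. Iterated hashing slows down grinding over beacon candidates;
    the round count and the construction are assumptions for this example."""
    h = beacon
    for _ in range(rounds):
        h = hashlib.sha256(h).digest()
    return int.from_bytes(h, "big") % (Q - 1) + 1      # in [1, q-1]


def run_ceremony(participant_secrets, beacon):
    """Sequential contributions, then the beacon applied exactly once at the end."""
    acc = initial_accumulator()
    for s in participant_secrets:
        acc = contribute(acc, s)
    return contribute(acc, beacon_scalar(beacon))


def tau_from_secrets(participant_secrets, beacon):
    """The toxic waste: tau = beacon * s_1 * ... * s_n mod q. Only someone holding
    every participant's secret (plus the public beacon) can compute it."""
    tau = beacon_scalar(beacon)
    for s in participant_secrets:
        tau = tau * s % Q
    return tau


def accumulator_matches(acc, tau):
    """Check acc[i] == g^(tau^i) for every i. In this toy the check needs tau
    itself; the real ceremony checks consistency publicly with pairings."""
    return all(a == pow(G, pow(tau, i, Q), P) for i, a in enumerate(acc))


if __name__ == "__main__":
    # Constructed beacon value standing in for a recent block header hash.
    beacon = b"constructed block header, not a real chain value"
    honest = [random_secret() for _ in range(3)]
    acc = run_ceremony(honest, beacon)

    # Everyone's secrets together reconstruct tau and explain the accumulator.
    print("all secrets known:", accumulator_matches(acc, tau_from_secrets(honest, beacon)))

    # An adversary holding two of the three secrets and the public beacon still
    # has to guess the third one; a wrong guess gives a tau that does not fit.
    guess = (honest[-1] % (Q - 1)) + 1          # guaranteed != honest[-1] mod q
    leaked = honest[:-1] + [guess]
    print("one secret missing:", accumulator_matches(acc, tau_from_secrets(leaked, beacon)))
```

Because the beacon is the last multiplicand, an adversary who can steer the beacon among a bounded set of candidates only picks which public scalar gets multiplied in; without every participant's secret the resulting tau is still unknown to them, which is the property the paper relies on when it tolerates limited beacon control.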