On Wed, Nov 8, 2017 at 10:04 PM, Sean Bowe via zapps-wg <
> Ariel Gabizon, Ian Miers and I have just published a new paper detailing a
> multi-party computation (MPC) protocol for constructing zk-SNARK public
> The highlights are:
> * It allows for a single, gigantic ceremony to take place for all possible
> zk-SNARK circuits within a given size bound. The results of this ceremony
> are partial zk-SNARK parameters for the entire community. We call this
> communal ceremony the Powers of Tau.
> * If you want to use zk-SNARKs in your protocols, you still have to do an
> MPC for your circuit. But because of the Powers of Tau ceremony, your
> ceremony is much cheaper to perform and the costs per-participant scale
> linearly with respect to the circuit complexity.
> * The best part is that the Powers of Tau and these circuit-specific MPCs
> can scale to hundreds/thousands of participants. As the number of
> participants grows, it becomes unrealistic that all of them could be

If I understand that correctly, the randomness beacon is invoked only once
at the end of the Powers of Tau ceremony. A header hash of a recent block
in a blockchain of course comes to mind here, especially as the paper
claims that some limited control by an adversary is acceptable. What
exactly is planned to be used there?