Hello all,

As you may have seen I delayed sharing my attestation until now (after
the amazing one by Ryan and Andrew), having shared the hash commitment
with Sean on Friday 19th at about 10:30am EST. Attached the text file.

sha256 of attestation file:
807dbdab834438008f6732898e33b4ffcc623833b3d46faaf665ca1d7e31bd5e

PS: I hope the attestation does not cause any negative reaction :)

Here is the signature of the sha256 (public key available in MIT PGP server):



Best,

Daniel Benarroch
Powers of TAU Operational writeup
=================================

Round: 40
Date: 2018-01-19
Location: Tel Aviv, Israel
Commit version: d47a1d3d1f007063cbcc35f1ab902601a8b3bd91

SHA256 challenge file: 
73e4aac6895fd457ffe6946a6fcd1d0eef88f77b6daebd6348ee19e629c7de13

Blake2b response file: 
The BLAKE2b hash of `./response` is:
        8a5a9bcb a9c3ab76 c7e3a881 2ccd01e6 
        847204b6 61ca79a5 ee675e04 93d4b2ac 
        a516533e 8674577f a67568f5 06ccff56 
        55192c8d 28416526 38155fe6 ba8db30a


Preparation steps
=================

Initially I wanted to ensure a secure execution environment, so I took an old
ASUS 64-bit with an Intel Core i3-3217U at 1.8 GHz and 4 GB of DDR3 RAM. It had
Windows 8 installed and I rebooted it from a USB drive with the latest stable
Ubuntu 16.04.

I planned on removing the unnecessary hardware and isolating the machine, to then
destroy the memory for unrecoverability of the randomness. Then, I realized
that this is round 40 and that most of the executions actually took the time
and effort (good job everyone!) to implement such practical security
properties. So I felt like (given that I am less of an engineer and more
theoretically oriented) I wanted to emphasize more the theoretical security
aspects of this powers of tau construction, giving some extra recognition to
the authors.

Hence I decided to become a (limited) adversarial player in this MPC
computation by allowing for the low-hanging-fruit vulnerabilities. First I
computed the response file while connected to the internet and shared on
Twitter the fact that I was computing the response file from a given IP address
while connected to the internet.
Tweet: https://twitter.com/BenarrochDaniel/status/954353954091085824

Second, here is the exact entropy I added to the computation when asked by the 
program: "this is my randomness for powers of tau", which reduces the computing 
effort needed to recover the rest of the entropy used for the random generator.

Post-processing
===============

Third, I have not erased any of the challenge or response files, nor cleared my 
memory, which I believe *should* have enough information to recover my share of 
randomness to the accumulator. If I had thought of this previously I would have 
changed the source code to print out my share (maybe someone wants to do it).

As a final note, my purpose is clearly not to sabotage the MPC ceremony, but to 
reinforce the fact that its secure execution relies mostly on the cryptographic 
security of the scheme and not on the practical security features of the 
execution. Given that at least one of the participants performed the steps 
properly and erased any trace without having been intercepted, the non-encoded 
powers of tau vector should not be recoverable and hence soundness of the SNARK 
will still hold. I believe that there has already been at least one such 
instance, so if anyone wants to recover my share, feel free.

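The commit-then-reveal check the message relies on (a SHA-256 of the attestation shared beforehand, the file shared later) and the grouped BLAKE2b layout of the response hash above, as an added example that is not part of the original mail or of the ceremony tooling; the attestation bytes and the expected hash strings are constructed stand-ins, not the real files.

```python
import hashlib
import hmac

# Constructed stand-in for the attested text file (hypothetical content; the
# real attestation file is not reproduced here).
ATTESTATION_BYTES = b"Powers of TAU Operational writeup\nRound: 40\n"

# Grouped BLAKE2b output in the layout the writeup quotes (this is the value
# quoted on the page for ./response; we only parse its layout here).
GROUPED_RESPONSE_HASH = """\
        8a5a9bcb a9c3ab76 c7e3a881 2ccd01e6
        847204b6 61ca79a5 ee675e04 93d4b2ac
        a516533e 8674577f a67568f5 06ccff56
        55192c8d 28416526 38155fe6 ba8db30a"""


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest, the form used for the public hash commitment."""
    return hashlib.sha256(data).hexdigest()


def commitment_matches(data: bytes, committed_hex: str) -> bool:
    """Verify a revealed file against the SHA-256 committed to earlier.
    Normalises case/whitespace of the committed string, then compares in
    constant time so the check itself leaks nothing about the mismatch."""
    return hmac.compare_digest(sha256_hex(data), committed_hex.strip().lower())


def blake2b_grouped(data: bytes) -> str:
    """64-byte BLAKE2b digest rendered as 16 groups of 8 hex chars, four
    groups per line, matching the layout quoted in the writeup."""
    hexd = hashlib.blake2b(data, digest_size=64).hexdigest()
    groups = [hexd[i:i + 8] for i in range(0, len(hexd), 8)]
    return "\n".join(" ".join(groups[r:r + 4]) for r in range(0, 16, 4))


def parse_grouped_hash(text: str) -> str:
    """Collapse a grouped hash back into one lowercase hex string so it can
    be compared against a freshly computed digest."""
    return "".join(text.split()).lower()


if __name__ == "__main__":
    # Reveal step: someone holding the earlier commitment checks the file.
    committed = sha256_hex(ATTESTATION_BYTES)
    print("commitment verified:", commitment_matches(ATTESTATION_BYTES, committed))
    print(blake2b_grouped(ATTESTATION_BYTES))
```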