Hello all,

As you may have seen I delayed sharing my attestation until now (after
the amazing one by Ryan and Andrew), having shared the hash commitment
with Sean on Friday 19th at about 10:30am EST. The text file is attached.

sha256 of attestation file:

PS: I hope the attestation does not cause any negative reaction :)

Here is the signature of the sha256 (public key available on the MIT PGP server):

Hash: SHA256

Version: Mailvelope v2.1.1
Comment: https://www.mailvelope.com
Daniel Benarroch
Powers of TAU Operational writeup

Round: 40
Date: 2018-01-19
Location: Tel Aviv, Israel
Commit version: d47a1d3d1f007063cbcc35f1ab902601a8b3bd91

SHA256 challenge file: 

Blake2b response file: 
The BLAKE2b hash of `./response` is:
        8a5a9bcb a9c3ab76 c7e3a881 2ccd01e6 
        847204b6 61ca79a5 ee675e04 93d4b2ac 
        a516533e 8674577f a67568f5 06ccff56 
        55192c8d 28416526 38155fe6 ba8db30a

Preparation steps

Initially I wanted to ensure a secure execution environment so I took an old 
64-bit ASUS with an Intel Core i3-3217U at 1.8 GHz and 4GB of DDR3 RAM. It had 
Windows 8 installed and I rebooted it from a USB drive with the latest stable 
Ubuntu 16.04.

I planned on removing the unnecessary hardware and isolating the machine, to then 
destroy the memory for unrecoverability of the randomness. Then, I realized 
that this is round 40 and that most of the executions actually took the time 
and effort (good job everyone!) to implement such practical security 
properties. So I felt like (given that I am less of an engineer and more 
theoretically oriented) I wanted to emphasize more the theoretical security 
aspects of this powers of tau construction, giving some extra recognition to 
the authors. 

Hence I decided to become a (limited) adversarial player in this MPC 
computation by allowing for the low-hanging-fruit vulnerabilities. First I 
computed the response file while connected to the internet and shared on 
twitter the fact that I was computing the response file from a given IP address 
while connected to the internet. 
Tweet: https://twitter.com/BenarrochDaniel/status/954353954091085824

Second, here is the exact entropy I added to the computation when asked by the 
program: "this is my randomness for powers of tau", which reduces the computing 
effort needed to recover the rest of the entropy used for the random generator.


Third, I have not erased any of the challenge or response files, nor cleared my 
memory, which I believe *should* have enough information to recover my share of 
randomness to the accumulator. If I had thought of this previously I would have 
changed the source code to print out my share (maybe someone wants to do it).

As a final note, my purpose is clearly not to sabotage the MPC ceremony, but to 
reinforce the fact that its secure execution relies mostly on the cryptographic 
security of the scheme and not on the practical security features of the 
execution. Given that at least one of the participants performed the steps 
properly and erased any trace without having been intercepted, the non-encoded 
powers of tau vector should not be recoverable and hence soundness of the SNARK 
will still hold. I believe that there has already been at least one such 
instance, so if anyone wants to recover my share, feel free.

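Anyone who wants to check this attestation against the published response file needs to recompute the BLAKE2b-512 digest and compare it with the hash as pasted above, whitespace and line breaks included. The following is an added example for that check, not code from Daniel's message or from the powersoftau tool; it assumes the response file is available locally as `./response` (the same relative path the writeup uses) and it uses a constructed byte string, not the real ceremony data, for its self-test.

```python
import hashlib
import hmac
import re
import tempfile

# The BLAKE2b hash of ./response as attested above (round 40), copied verbatim
# with the tool's 8-hex-char grouping so the parser below is exercised on real layout.
ATTESTED_RESPONSE_HASH = """
        8a5a9bcb a9c3ab76 c7e3a881 2ccd01e6
        847204b6 61ca79a5 ee675e04 93d4b2ac
        a516533e 8674577f a67568f5 06ccff56
        55192c8d 28416526 38155fe6 ba8db30a
"""


def blake2b_file_digest(path, chunk_size=1 << 20):
    """Stream a (possibly multi-GB) response file through BLAKE2b-512."""
    h = hashlib.blake2b(digest_size=64)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.digest()


def format_grouped(digest):
    """Render a 64-byte digest as 16 groups of 8 hex chars, 4 groups per line,
    matching the layout the attestation above uses."""
    hex_str = digest.hex()
    groups = [hex_str[i:i + 8] for i in range(0, len(hex_str), 8)]
    return "\n".join(" ".join(groups[i:i + 4]) for i in range(0, len(groups), 4))


def normalize_attested(text):
    """Collapse whitespace/newlines from a hash pasted out of an e-mail and reject
    anything that is not exactly 512 bits of hex (catches truncated copy/paste)."""
    cleaned = re.sub(r"\s+", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{128}", cleaned):
        raise ValueError("attested hash is not 128 hex characters: %r" % cleaned[:32])
    return cleaned


def verify_response_bytes(data, attested_text):
    """Compare the digest of in-memory bytes with an attested hash string."""
    actual = hashlib.blake2b(data, digest_size=64).hexdigest()
    return hmac.compare_digest(actual, normalize_attested(attested_text))


def verify_response_file(path, attested_text):
    """Compare the digest of a file on disk with an attested hash string."""
    actual = blake2b_file_digest(path).hex()
    return hmac.compare_digest(actual, normalize_attested(attested_text))


if __name__ == "__main__":
    # Self-test on constructed data (NOT the real response file): write some bytes,
    # attest them in the grouped format, and confirm the round trip verifies.
    constructed = b"constructed stand-in for a powers of tau response file\n" * 1000
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(constructed)
        tmp_path = tmp.name
    attested = format_grouped(hashlib.blake2b(constructed, digest_size=64).digest())
    print("constructed file matches its own attestation:",
          verify_response_file(tmp_path, attested))
    # Against the real ceremony file, the call would be:
    #   verify_response_file("./response", ATTESTED_RESPONSE_HASH)
```

The comparison is done with `hmac.compare_digest` purely out of habit; the hash is public, so timing is irrelevant here, but it also avoids the silent `str` versus `bytes` mismatches a plain `==` can hide. The strict 128-hex-character check matters more in practice: a hash pasted from a mail client with a dropped line would otherwise "verify" as simply not equal, with no hint that the reference value itself was damaged.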