How to generate SNARK parameters securely

If you were to use an FPGA to generate the keys, and keep the keys securely on the FPGA for all computations, then the FPGA would need random numbers. I searched Google and found this paper about how to generate random numbers on an FPGA

This appears to be a different method of generating random numbers on an FPGA

http://forums.xilinx.com/xlnx/attachments/xlnx/EDK/27322/1/HighSpeedTrueRandomNumberGeneratorsinXilinxFPGAs.pdf

I would only be satisfied if there was a video recording of someone computing and deleting the key. This recording would show a cold boot of a live OS CD on a computer with no HDD/SSD or removable media devices. Once the computation is finished, the PC is powered down and unplugged. After that, 10 minutes go by giving any remaining power in the RAM time to dissipate so that the key is 100% gone. That would satisfy me.

The generation of SNARK parameters and the centralization of mining are completely independent issues. The SNARK parameters have nothing to do with the PoW – rather they concern how transaction verification happens in zero-knowledge.

If 100% of the parameter creators collude, they will be able to undetectably mint an arbitrary amount of zcash.

As long as at least ONE of the parameter creation participants is honest (and uncompromised), then we can be sure that money cannot be created out of thin air.

That’s what this is about.

It is decidedly non-trivial. It’s actually the only part of this project that requires trust. And there is no conceivable way that we (as non-participators in the parameter-creation process) can actually verify that the participants haven’t colluded (or been compromised).

Information destruction is not a thing that can actually be verified. So their choice of participants is important. If all the participants come from the same academic circle it’s going to be unconvincing.

The attack surface has been reduced to this one very-vulnerable area: the one-time SNARK parameters setup. It’s small – but absolutely critical.

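A toy model of the "one honest participant suffices" argument in the post above, as an added example that is not part of the original thread or of Zcash's own setup code; the modulus, base element and transcript hashing are assumptions chosen for illustration:

```python
import hashlib
import secrets

# Toy sequential parameter ceremony. Real ceremonies work in a pairing-friendly
# elliptic-curve group; here the group is the integers modulo p = 2**255 - 19
# (an assumption) so the structure is visible without curve arithmetic.
P = 2**255 - 19
ORDER = P - 1   # exponents are reduced modulo the group order
G = 3           # assumed base element for the running accumulator


def contribute(accumulator, s=None):
    """One participant raises the running accumulator to a fresh secret s,
    publishes a transcript entry binding (old, new), and should then destroy s."""
    if s is None:
        s = 2 + secrets.randbelow(ORDER - 2)
    new_acc = pow(accumulator, s, P)
    entry = hashlib.sha256(f"{accumulator}:{new_acc}".encode()).hexdigest()
    return new_acc, s, entry


def run_ceremony(fixed_secrets=None, n_participants=3):
    """Chain the contributions. Returns the final parameter, every secret
    (retained here only so collusion can be reasoned about) and the log."""
    acc, held, log = G, [], []
    chosen = fixed_secrets if fixed_secrets else [None] * n_participants
    for s in chosen:
        acc, s, entry = contribute(acc, s)
        held.append(s)
        log.append(entry)
    return acc, held, log


def combined_trapdoor(secret_list):
    """The toxic waste of the whole ceremony is the product of all secrets;
    in a real ceremony nobody ever holds this value."""
    tau = 1
    for s in secret_list:
        tau = tau * s % ORDER
    return tau


def colluders_recover_trapdoor(known_secrets, final_param):
    """Can a coalition holding these secrets reproduce the final parameter?
    Only if it holds every secret: one missing honest contribution leaves
    it facing a discrete logarithm in a 255-bit group."""
    return pow(G, combined_trapdoor(known_secrets), P) == final_param
```

The transcript entries let an outside observer check that each step is an exponentiation of the previous accumulator, but nothing in the transcript can show that a participant actually deleted their secret.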

Maybe it would work to launch the parameter generating computer as a satellite in orbit. After it generates the parameters and broadcasts them, it could degrade its orbit so it drops into the atmosphere and burns up. Whatever it broadcasts would be publicly visible to anybody with a satellite receiver pointed at it. This would provide assurance that it did not transmit anything secret to special parties.

Perhaps we could arrange for parameter generation to occur at the edge of an event horizon…
