SNARK public parameters

Out of interest, why not simply allow anyone that wants to be part of the SNARK public parameter generation ceremony to participate?

Several reasons:

  • Speed: The current ceremony IIRC scales linearly with the number of participants, which seems fine, but it also requires uploading and downloading gigabytes of information (which may also scale with the number of participants, IDK, but if so then overall it would be worse than linear). It took two whole days to run the ceremony with six participants; with 100 participants (as some suggested elsewhere for "anyone can participate") it would take over a month of continuous participation from everyone.

  • Security: The longer the ceremony takes, the longer an adversary has to discover and compromise the participants. Also, the more likely it is that participants get tired or sloppy with their local security measures (and the more likely it is the married participants end up getting divorced :stuck_out_tongue_winking_eye: ).

  • Reliability: The current ceremony requires (IIRC) three stages of round-robin calculations. If any one person who said they would participate then doesn't continue through until the very end, the entire ceremony aborts. The longer the ceremony would take, the more likely this will happen, and hence the longer it will take to actually run a successful ceremony.

  • Adversary resistance: In an "anyone can participate" ceremony suffering from the above three issues, an adversary who wants to compromise the parameters can:

    • Join every ceremony that runs (perhaps as multiple people, to increase the fraction of the parameters they already control).
    • Attempt to compromise all honest participants in the ceremony.
    • If they fail to do so, then on one of their turns they can refuse to participate (or they can DDoS an honest participant to prevent them from participating), causing that ceremony to abort.
    • Rinse and repeat until success.

In reality, we wouldn't just run the ceremony again - we'd want to first learn why it failed and what that meant, which adds time and cost to the parameter generation process. If the adversary's goal is just to prevent the parameters from being made, they can repeat this disruption until they've won.

Now, all of the above applies to the current version of the ceremony. IMHO (speaking for myself, not company) it would be awesome if in future, the ceremony was more efficient or faster or more secure, to make it possible for more participants to be involved while not suffering from the above issues. But the science isn't there yet. Maybe it will be by the time we want to perform another ceremony!

A few remarks about that.
I think out of those things the main hurdle is speed -
the ceremony time scales linearly with number of participants.
The other reasons for avoiding a large ceremony are less compelling.
-The player does not need to be online all the time, just when it's his turn in the round-robin
-The length of the messages only depends on the size of the circuit for which you want zk proofs, not on the # of players. The total transcript size does naturally grow linearly with the # of players, but the only time there is a super-linear computation, what's called the FFT, it is on a single message and done only once by the protocol coordinator during the whole protocol.
-Actually, the security proof is resistant to aborts, but just loses a little in the security guarantee. That is,
if you conduct a ceremony with t players and allow arbitrary aborts you need to start with a discrete-log problem that is t bits harder to get the same security guarantee..and this is just for the proof, in practice I don't see a way to attack the ceremony by aborting.

2 Likes

Agreed, but I didn't say they needed to be online all the time, just that they would need to be continuously participating. I'm thinking of the effect of the ceremony duration on the continued security of the participant's hardware, and how e.g. the cost of filming it the entire time would affect the participant's security choices.

Excellent! I didn't think this was an issue, but I couldn't remember, hence being cautious in my initial comments.

Good to know it resists aborts, since that cuts out several of my latter points. However, I assume that increasing the hardness of the discrete-log problem for large t (as would inevitably be the case for an "anyone can participate" model) would incur a performance cost, resulting in a non-trivial speed/security tradeoff space (since a longer ceremony is not necessarily more secure, per my initial comments).

If you would really Increase discrete log hardness according to what proof said you need for abort resistance that would be a terrible efficiency loss..but some would say that's being overly cautious..

Maybe in a open ceremony we should ask for deposit to encourage people to stay till the end..in any case Its definitely on my mind to find a way make it simpler and more efficient

Good responses, thanks!

The idea of deposits is great! That way you are inclusive yet also filter so that you are left with people that are serious about the ceremony.

1 Like

Because it already happened and nobody is willing to loan out their time machine right now.

2 Likes

At risk of feeding a troll, there might be future ceremonies and I wanted to understand the thinking behind the first ceremony.

2 Likes