Using ceremony parameters for KZG10

I’ve been on an escapade trying to see if it’s possible to leverage the ceremony powers of tau for the reference string needed in KZG10. After briefly speaking with both @daira and @ebfull, both say this should be possible.

In the KZG10 construction, the parameters needed are any number of powers of tau from G1 and g^alpha in G2.

After speaking with @ebfull it looks like the G1 portion can be extracted from h in the powers of tau code, but the question still remains as to where / how to extract g^alpha in G2.

Any insight would be greatly appreciated, thank you :smiley:

2 Likes

Howdy! Apologies for not getting back via email.

The current_accumulator variable in the code you linked to is what contains what you’re looking for. It is a struct with the following composition:

/// The `Accumulator` is an object that participants of the ceremony contribute
/// randomness to. This object contains powers of trapdoor `tau` in G1 and in G2 over
/// fixed generators, and additionally in G1 over two other generators of exponents
/// `alpha` and `beta` over those fixed generators. In other words:
///
/// * (τ, τ<sup>2</sup>, ..., τ<sup>2<sup>22</sup> - 2</sup>, α, ατ, ατ<sup>2</sup>, ..., ατ<sup>2<sup>21</sup> - 1</sup>, β, βτ, βτ<sup>2</sup>, ..., βτ<sup>2<sup>21</sup> - 1</sup>)<sub>1</sub>
/// * (β, τ, τ<sup>2</sup>, ..., τ<sup>2<sup>21</sup> - 1</sup>)<sub>2</sub>
#[derive(PartialEq, Eq, Clone)]
pub struct Accumulator {
    /// tau^0, tau^1, tau^2, ..., tau^{TAU_POWERS_G1_LENGTH - 1}
    pub tau_powers_g1: Vec<G1Affine>,
    /// tau^0, tau^1, tau^2, ..., tau^{TAU_POWERS_LENGTH - 1}
    pub tau_powers_g2: Vec<G2Affine>,
    /// alpha * tau^0, alpha * tau^1, alpha * tau^2, ..., alpha * tau^{TAU_POWERS_LENGTH - 1}
    pub alpha_tau_powers_g1: Vec<G1Affine>,
    /// beta * tau^0, beta * tau^1, beta * tau^2, ..., beta * tau^{TAU_POWERS_LENGTH - 1}
    pub beta_tau_powers_g1: Vec<G1Affine>,
    /// beta
    pub beta_g2: G2Affine
}

You don’t really need the alpha or beta stuff. Your KZG10 parameters can be grabbed from the tau_powers_g1 field for the G1 parameters (that’ll be all the [tau^i] G values), and you can get H and [\tau] H from the first two values in the tau_powers_g2 field – as well as higher powers of [\tau^i] H in the remainder of that field if you need them for some reason. (In vanilla KZG10 you don’t.)

If you’re going to piggyback on the utility you pointed out in order to extract the parameters you want, don’t forget to remove this call to the verification routine (expensive, pointless for your purpose) and set this to CheckForCorrectness::No to speed things up. All you really need from the transcript file is the final accumulator which is the current_accumulator value after this loop finishes.

Speaking of which, let’s make sure you have the correct transcript file locally so you wind up with the correct parameters. I have it on my machine and I get a BLAKE3 sum of 944872c4d7efebd9430877df5d400fed535edfba75594d86bf363ab7b4d2285e.

4 Likes
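An added example, not part of the thread or of the powers of tau code: a toy KZG10 commit/open/verify showing that the scheme only touches `tau_powers_g1` and the first two entries of `tau_powers_g2`. It assumes a deliberately insecure stand-in group in which each element is stored as its discrete log modulo a small prime, so the "pairing" is plain multiplication; `Srs`, `toy_srs` and the other function names are hypothetical.

```rust
// Toy model (constructed for illustration): a "group element" is stored as its
// discrete log modulo R, so [a]G is just `a` and the pairing e([a]G, [b]H) is a*b.
// This is insecure by design; it only shows which SRS entries KZG10 touches.
const R: u128 = (1 << 61) - 1; // Mersenne prime standing in for the scalar field

fn mul(a: u128, b: u128) -> u128 { a * b % R }
fn sub(a: u128, b: u128) -> u128 { (a + R - b) % R }
fn pairing(g1: u128, g2: u128) -> u128 { mul(g1, g2) }

/// Stand-in for the two accumulator fields KZG10 needs (field names from the post).
pub struct Srs { pub tau_powers_g1: Vec<u128>, pub tau_powers_g2: Vec<u128> }

/// Constructed SRS; in practice these values come from the final accumulator.
pub fn toy_srs(tau: u128, degree: usize) -> Srs {
    let mut p = vec![1u128];
    for i in 0..degree { let next = mul(p[i], tau); p.push(next); }
    Srs { tau_powers_g2: p[..2].to_vec(), tau_powers_g1: p }
}

/// Commitment: sum of coeffs[i] * [tau^i]G, using only tau_powers_g1.
pub fn commit(srs: &Srs, coeffs: &[u128]) -> u128 {
    coeffs.iter().zip(&srs.tau_powers_g1).fold(0, |acc, (c, g)| (acc + mul(*c, *g)) % R)
}

/// Evaluate p at z and commit to the quotient (p(X) - p(z)) / (X - z).
pub fn open(srs: &Srs, coeffs: &[u128], z: u128) -> (u128, u128) {
    let mut q = vec![0u128; coeffs.len() - 1];
    let mut carry = 0u128;
    for i in (0..coeffs.len()).rev() {
        carry = (coeffs[i] + mul(carry, z)) % R; // Horner step
        if i > 0 { q[i - 1] = carry; }
    }
    (carry, commit(srs, &q)) // (y = p(z), witness W)
}

/// Check e(C - [y]G, H) == e(W, [tau]H - [z]H); needs only H and [tau]H from G2.
pub fn verify(srs: &Srs, c: u128, z: u128, y: u128, w: u128) -> bool {
    let (g, h, tau_h) = (srs.tau_powers_g1[0], srs.tau_powers_g2[0], srs.tau_powers_g2[1]);
    pairing(sub(c, mul(y, g)), h) == pairing(w, sub(tau_h, mul(z, h)))
}

fn main() {
    let srs = toy_srs(123456789, 4); // constructed tau, known here only because this is a toy
    let p = [5u128, 0, 3, 7]; // 5 + 3x^2 + 7x^3
    let (y, w) = open(&srs, &p, 2);
    println!("opening verifies: {}", verify(&srs, commit(&srs, &p), 2, y, w));
}
```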

Ah I see. This makes much more sense.

I was under the assumption that the powers of tau would have to be reverse engineered from the groth16 parameters. My mistake was not realizing that the mpc transcript contained the accumulator.

One small problem though:

I downloaded the ceremony transcript and tried verifying the hash

$ wget https://download.z.cash/zcashfinalmpc/transcript
$ sha256sum transcript 
7da0c07a4bec04fbe4ae99ebd62d4ce7e1710b1f7a1f317345b0a48feec984d3  transcript

^ verified from here

My blake3 check though isn’t the same as yours @ebfull based on what I got from this download :grimacing:. Is there somewhere else you are getting this transcript?

$ b3sum transcript 
548537fb6904c99a091512e54805ccc566f397e53b09fe0ae0285d85b59f4430  transcript

EDIT:

The transcript I linked to is from the original zcash ceremony (whoops!). The powers of tau ceremony transcript is somewhere else.

EDIT2:

The transcript file is hosted via this torrent or this internet archive link.

1 Like