Note: the forum software is limiting my newly created account to a maximum of two links, so I’ve been forced to remove some useful links here, but you should be able to find them by visiting the GitHub issue.
Continuing from the discussion in this GitHub issue, I will use this thread to document my odyssey in attempting to verify the Zcash Sapling parameters.
Previously I left off trying to follow @str4d’s instructions to get the phase1radix2m21 files from BitTorrent (which were not easy to obtain due to a lack of seeders. You’re also supposed to generate these yourself, but that can take 100 hours). If you’d like to try this yourself, you can follow @ebfull’s updated instructions.
So I’m pleased to report that I was able to finally run the sapling-mpc code using the distributed sapling-output.params, sapling-spend.params and sprout-groth16.params params (by concatenating them) and the 3 phase1 params mentioned previously (retrieved from BitTorrent).
The program spat out a bunch of hashes, and all of them matched the ones listed
here (max links reached), with the exception that two extra hashes were listed that do not exist on the wiki:
What the existence of these extra hashes means — I have no idea.
As I do not understand the math behind the MPC ceremony, I do not know whether these hash listings are useful, meaningful, or are at all able to prevent any sort of attack.
I’m also waiting for the machine to generate the phase1 parameters itself from the transcript log and will compare them with the BitTorrent ones once it does.
All in all, given the supposed importance of verifying these parameters, I am pretty disturbed by how difficult this whole process has been, and how few people seem to have done this.
And again I stress that, given all of the uncertainties involved, I’m not sure how much stock should be placed even into a verified ceremony, and I again urge Zcash to consider moving away from them.
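Added example (not code from the original post, and not part of the sapling-mpc project): the hash-comparison step described above, turned into a small script. It assumes the verifier prints one hex digest per line (optionally with a label in front) and that the published wiki list is plain text containing the digests; the digests below are constructed stand-ins, not the real Sapling ceremony hashes. The point it makes explicit is the difference between a published hash that the verifier did not reproduce (a failed verification) and a hash the verifier printed that the wiki does not list (a match that still needs an explanation before the result is trusted).

```python
"""Compare a parameter verifier's hash output against a published hash list.

Added example, not code from the original post or the sapling-mpc project.
Assumptions: the verifier emits 64-hex-char digests (one per line, labels
allowed); the published list is text containing the same kind of digests.
All sample digests here are constructed, not real ceremony values.
"""
import hashlib
import re
from typing import Dict, List

# Assumes SHA-256-sized digests (64 hex characters); adjust if the tool differs.
HEX_DIGEST = re.compile(r"\b[0-9a-fA-F]{64}\b")


def extract_digests(text: str) -> List[str]:
    """Return every 64-hex-char token in the text, lower-cased, in order of appearance."""
    return [m.group(0).lower() for m in HEX_DIGEST.finditer(text)]


def compare_hashes(produced: List[str], published: List[str]) -> Dict[str, List[str]]:
    """Split digests into matched, missing (published but not produced) and
    extra (produced but not published)."""
    produced_set, published_set = set(produced), set(published)
    return {
        "matched": [h for h in published if h in produced_set],
        "missing": [h for h in published if h not in produced_set],
        "extra": [h for h in produced if h not in published_set],
    }


def verdict(report: Dict[str, List[str]]) -> str:
    """Any published hash the verifier failed to reproduce is a FAIL. Extras do
    not contradict the published list, but they are flagged rather than ignored."""
    if report["missing"]:
        return "FAIL"
    if report["extra"]:
        return "MATCHED_WITH_EXTRAS"
    return "MATCHED"


def fake_digest(label: str) -> str:
    """Constructed stand-in for a parameter hash: SHA-256 of a label, not a ceremony value."""
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed sample data mirroring the situation in the post: every published
# hash is reproduced, and the verifier prints two hashes the wiki does not list.
PUBLISHED_WIKI_TEXT = "\n".join(
    f"participant {i}: {fake_digest(f'contribution-{i}')}" for i in range(1, 4)
)
VERIFIER_OUTPUT = "\n".join(
    [fake_digest(f"contribution-{i}") for i in range(1, 4)]
    + [fake_digest("unlisted-a").upper(), fake_digest("unlisted-b")]
)


def run_check(verifier_output: str, wiki_text: str) -> Dict[str, object]:
    """Parse both texts, compare, and attach the verdict to the report."""
    report = compare_hashes(extract_digests(verifier_output), extract_digests(wiki_text))
    return {"verdict": verdict(report), **report}


if __name__ == "__main__":
    result = run_check(VERIFIER_OUTPUT, PUBLISHED_WIKI_TEXT)
    print("verdict:", result["verdict"])
    for kind in ("matched", "missing", "extra"):
        for digest in result[kind]:
            print(f"{kind:8} {digest}")
```

With real data, paste the verifier's stdout into one file and the wiki's hash section into another and pass both to run_check; the comparison is case-insensitive, so upper-case output from one tool and lower-case on the wiki still match.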