Note: the forum software is limiting my newly created account to a maximum of two links, so I’ve been forced to remove some useful links here, but you should be able to find them by visiting the GitHub issue.
Continuing from the discussion in this GitHub issue, I will use this thread to document my odyssey in attempting to verify the Zcash Sapling parameters.
Previously I left off trying to follow @str4d’s instructions to get the phase1radix2m13, phase1radix2m17 and phase1radix2m21 files from BitTorrent (which were not easy to obtain due to a lack of seeders; you’re also supposed to generate these yourself, but that can take 100 hours). If you’d like to try this yourself, you can follow @ebfull’s updated instructions.
So I’m pleased to report that I was able to finally run the sapling-mpc code using the distributed sapling-output.params, sapling-spend.params and sprout-groth16.params params (by concatenating them) and the 3 phase1 params mentioned previously (retrieved from BitTorrent).
The program spat out a bunch of hashes, and all of them matched the ones listed here (max links reached), with the exception that two extra hashes were listed that do not exist on the wiki:
be38cb76c0472b182afc24b55b844068645be98dfc47ce43d8714134c02259c7192d925e25d9ab8ebd4cd8a2d35ddd28a0957ae50e0cf97923685f81a48bdfd1
403af2d88508dccfc7c70aac5a3e58a9ab0509a476e0fba1a6b249c30953a97ae8cbe6fac3b324e0919c6015e8e0139f08682eb22ef48e0f4db4ce898e9bd18e
What the existence of these extra hashes means — I have no idea.
As I do not understand the math behind the MPC ceremony, I do not know whether these hash listings are useful, meaningful, or are at all able to prevent any sort of attack.
I’m also waiting for the machine to generate the phase1 parameters itself from the transcript log and will compare them with the Bittorrent ones once it does.
All-in-all, given the supposed importance of verifying these parameters, I am pretty disturbed by how difficult this whole process has been, and how few people seem to have done this.
And again I stress that, given all of the uncertainties involved, I’m not sure how much stock should be placed even into a verified ceremony, and I again urge Zcash to consider moving away from them.
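The comparison step in the post (a tool prints a list of hashes, and you check them against a published list, noticing anything that matches, is missing, or is extra) is easy to get wrong by eye with 128-character strings. Below is an added example, not code from the post or from the sapling-mpc project, showing that check done mechanically. It assumes the hashes are BLAKE2b-512 (128 hex characters, the width of the two hashes quoted above); the parameter file contents and the "published" list in it are constructed sample data, not the real Zcash params or wiki entries.

```python
import hashlib
import re
from typing import Dict, Iterable, List, Set

# Constructed stand-ins for parameter files; the real files are hundreds of MB.
SAMPLE_PARAMS: Dict[str, bytes] = {
    "sapling-spend.params": b"constructed sample bytes for sapling-spend",
    "sapling-output.params": b"constructed sample bytes for sapling-output",
    "sprout-groth16.params": b"constructed sample bytes for sprout-groth16",
}

HEX128 = re.compile(r"^[0-9a-fA-F]{128}$")


def blake2b_hex(data: bytes) -> str:
    """BLAKE2b-512 hex digest: 128 hex chars, the width of the hashes in the post."""
    return hashlib.blake2b(data, digest_size=64).hexdigest()


def hash_files(files: Dict[str, bytes]) -> Dict[str, str]:
    """Map each file name to its BLAKE2b-512 digest."""
    return {name: blake2b_hex(data) for name, data in files.items()}


def parse_hash_list(text: str) -> List[str]:
    """Pull 128-hex-char tokens out of a pasted list (tool output or a wiki page).

    Any token that is not a full-width hex digest is ignored, so labels and
    file names on the same line do not get in the way.
    """
    found = []
    for line in text.splitlines():
        for tok in line.split():
            if HEX128.match(tok):
                found.append(tok.lower())
    return found


def compare_hashes(computed: Iterable[str], published: Iterable[str]) -> Dict[str, Set[str]]:
    """Split computed hashes into those that match the published list,
    published ones that were never produced, and produced ones nobody published.

    'extra' is exactly the situation described in the post: output that has no
    counterpart on the wiki and therefore cannot be confirmed either way.
    """
    c = {h.lower() for h in computed}
    p = {h.lower() for h in published}
    return {"matched": c & p, "missing": p - c, "extra": c - p}


def verify(files: Dict[str, bytes], published_text: str) -> Dict[str, Set[str]]:
    """End-to-end: hash the files, parse the published list, compare."""
    return compare_hashes(hash_files(files).values(), parse_hash_list(published_text))


if __name__ == "__main__":
    # Constructed "published" list: two real digests of the sample files plus one
    # placeholder digest that nothing here will produce.
    digests = hash_files(SAMPLE_PARAMS)
    published = "\n".join([
        f"{digests['sapling-spend.params']}  sapling-spend.params",
        f"{digests['sapling-output.params']}  sapling-output.params",
        "00" * 64 + "  placeholder-not-produced",
    ])
    result = verify(SAMPLE_PARAMS, published)
    for kind in ("matched", "missing", "extra"):
        print(kind, len(result[kind]))
        for h in sorted(result[kind]):
            print("  ", h)
```

Running it against real output means pasting the tool's printed hashes (or the wiki list) into `parse_hash_list` and feeding the actual files to `hash_files`; a non-empty `missing` set is the result that should stop you, while `extra` only tells you the published list is incomplete, not that the file is wrong.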