# Multi-Party Trusted Setup Ceremony for clr.fund Kirill Goncharov, Koh Wei Jie ## Goals and context Minimal Anti-Collusion Infrastructure (MACI) requires a trusted setup ceremony to be secure. For clr.fund to use MACI's zk-SNARK circuits, it must first generate a *proving key* and *verifying key* per circuit via a process known as a *trusted setup*. The process by which these keys are generated involves the generation of *toxic waste*, which is data that must be securely discarded so that no-one can generate proofs that are fake but pass verification. If clr.fund performs this trusted setup by themselves, users have no way to know that they have retained or discarded the toxic waste, which will reduce trust in the system. As such, it is necessary to perform the trusted setup in a way that convinces as many external parties as possible that the toxic waste is discarded. The best way to do this is to use a *multi-party trusted setup ceremony*. Such a ceremony involves multiple participants. Each participant receives a *challenge file* from a coordinator, uses it to create a *response file*, and submits it to the coordinator, who then creates a new challenge file for the next participant in line. As long as just one participant discards their toxic waste, then the proving and verifying keys generated from the final challenge file are secure. The more participants in the ceremony, the lower the probability that all of them collude to retain and share their toxic waste. As such, clr.fund needs to attract as many participants as possible. Moreover, to minimise the chance of collusion, these participants should be as diverse as possible. Ideally, at least one participant should use an alternative implementation of the trusted setup ceremony software, to reduce the risk of compromised tooling. All the response files should be public, and anyone may verify that they are valid. The coordinator is therefore unable to alter any contributions, and only needs to be trusted to not censor them. Ultimately, the goals of the multi-party trusted ceremony is to convince an informed public of the security of the zk-SNARK proving and verifying keys generated for clr.fund. Future version of MACI may use zero-knowledge proving systems that do not require a trusted setup, but this is contingent on the availability of developer tools for said systems. ### Ceremony phases zk-SNARK trusted setups involve two phases. *Phase 1* applies to all circuits, and *phase 2* is circuit-specific. This document refers to phase 2 only. This is a circuit-specific trusted setup. clr.fund needs to perform one trusted setup per circuit, and there are two circuits. Fortunately, *phase 1* has already been taken care of. [Hermez Network](https://twitter.com/hermez_network/status/1297952787867869184) selected the 54th contribution of the [Perpetual Powers of Tau Ceremony](https://github.com/weijiekoh/perpetualpowersoftau) (PPOT) for their zk-rollup circuits, and ran the *prepare-phase-2 process* on it. clr.fund can reuse the [output of this process](https://www.dropbox.com/sh/mn47gnepqu88mzl/AACaJkBU7mmCq8uU8ml0-0fma?dl=0) as the starting point of its own phase 2 ceremony. If clr.fund chooses not to use Hermez Network's phase 1 output, then they have to do the following: 1. Select the latest PPOT output 2. Run the prepare-phase-2 process on the output, which could take a day to complete in a cloud VM The easier method is to verify and use Hermez Network's phase 1 output. ## clr.fund's phase 2 ceremony clr.fund needs the following the run a phase 2 ceremony: 1. Social media channels where they can make announcements about the ceremony. Ideally, these announcements should be mirrored publicly (e.g. on IPFS) so that no-one can claim that the team had retracted any of them. 2. A list of interested participants and their Ethereum addresses. Each participant should provide an address whose private key they can copy and paste into a command line. 3. A way for anyone to register interest in signing up for the ceremony, such as an online form. 4. A public chat group for people to ask questions and chat about the ceremony. Ideally, the chat platform should not allow anyone to edit any messages they post. 5. A participant guide containing clear, step-by-step instructions on how to sign up and participate in the ceremony. 6. Two instances of the [`setup-mpc-server`](https://github.com/briangu33/Setup). Currently, each server supports a single circuit, but MACI uses two circuits. If the server does not support multiple circuits by the time that the ceremony begins, the easiest way to proceed is to have two servers. A user needs to do the following to participate in the ceremony: 1. Sign up to participate by providing an Ethereum address for which they own a private key and can paste it into a command line 2. Run a Docker container to contribute a response for the first circuit. 3. Run a Docker container to contribute a response for the second circuit. ## For reference: Semaphore's phase 2 ceremony Please refer to this [participant guide](http://ceremony.semaphore.appliedzkp.org/) to learn about Semaphore's phase 2 ceremony. Also read the [instructions for ceremony providers](https://github.com/briangu33/Setup/tree/master/setup-mpc-server) and [general instructions for participants](https://github.com/briangu33/Setup/tree/master/setup-mpc-client).