Summary: Why is the ceremony necessary? Loopring 3.0 relies on zkSNARKs to perform off-chain heavy-lifting computations and only pushes data on-chain with succinct ZK proofs for efficient verification. For every circuit used in the protocol, we need to generate proving and verification keys. These keys are, as you can deduce from the names, used to generate proofs ...
Why is the ceremony necessary?
Loopring 3.0 relies on zkSNARKs to perform off-chain heavy-lifting computations and only pushes data on-chain with succinct ZK proofs for efficient verification. For every circuit used in the protocol, we need to generate proving and verification keys. These keys are, as you can deduce from the names, used to generate proofs and to verify proofs.
The problem is that when generating these keys, a piece of data called toxic waste must be thrown away, otherwise, it can be used to generate fake proofs which would make the protocol insecure.
This is where the trusted setup multi-party computation ceremony comes in. In this ceremony, the trusted setup is done by multiple people. The protocol is secure as long as just one person from each phase deletes his/her toxic waste.
There are two phases for the ceremony. Phase 1 is the Perpetual Powers of Tau Ceremony that can be forever on-going and used by all circuits. Loopring has participated in phase 1 already. Phase 2 is circuit-specific and needs to be done for each circuit in the Loopring protocol. To generate fake proofs, one must recover all toxic waste from all participants of phase 1 and phase 2.
Loopring’s (Phase 2) Ceremony
We will start the phase 2 ceremony on top of the 11th round of phase 1. We will do an additional phase 1 contribution with a random beacon using the Bitcoin block hash at block height 602168 as announced beforehand on Twitter. The resulting data will form the base for Loopring’s phase 2.
Each participant will need to download a file of about 100GB. This data is then used to run some computations taking around 12 to 24 hours to complete on a modern computer. The result is a new file which is around 100GB and includes the participant’s contribution. This new file then needs to be uploaded so new participants can build upon it.
Phase 2 of the ceremony can also run indefinitely just like phase 1. Once we feel we have enough participants, we will generate the necessary keys so that protocol 3.0 can be used in production. Later on, as needed, we can generate new keys at a point when even more people have contributed.
We’d like to thank Koh Wei Jie, Kobi Gurkan, and BarryWhiteHat for running phase 1 of the trusted ceremony. We also thank Kobi Gurkan, Matter Labs, and Sean Bowe for writing most of the code that is used for running these trusted setup phases. And lastly, we‘d like to thank Zcash for basically creating all the technology that is utilized here.