As part of using Halo2 proofs with KZG commitments, Zircuit needs to set up the KZG commitment scheme. The scheme requires some random seeds that we cannot predict. By redeeming this Pragma perk, the Ethereum address recorded in your ETH Global account just became a part of it.
Once the redemption period ends, you’ll be rewarded Zircuit points for your participation!
The Build to Earn program on Zircuit is live! Join other builders, and contribute to the Zircuit ecosystem. Get personalized support, earn more points, and most importantly, have fun with us!
As part of using Halo2 proofs with KZG commitments, we need to set up the KZG commitment scheme. This is done via a KZG (Kate-Zaverucha-Goldberg) ceremony which involves generating public parameters for a zk-SNARKs system under a multi-party computation setting. Here’s a high-level breakdown of how the KZG ceremony typically unfolds and how Pragma pack participant addresses are used.
We first retrieve the latest contribution to a perpetual multi-party KZG ceremony described here. This will be the base for the cryptographic computations that follow, providing us with a starting set of parameters.
The parameters are then passed to the first participant in the ceremony; in this case, that’s us -- Zircuit. We will generate a secret based on things like the randomness in /dev/random and update the KZG parameters, computing new values based on our secret and the previous parameters. These computations will be done in such a way that we don’t leak our random secret, and we’ll delete it and the necessary files.
Our contribution will be accompanied by a proof that we correctly followed the protocol. This proof is publicly verifiable, allowing everyone to check that no tampering has occurred and that wethe participant did not retain any information that could compromise the system.
After our contribution is verified, the updated parameters and proofs are passed on to the next participant. This process is repeated with each participant sequentially contributing to and then passing on the parameters, deleting their own randomness along the way. We have provided the code for the community to participate in this process and will accept contributions in the form of pull requests up to May 25, 2024. Note that this process may take several hours on your computer to complete.
After the last PR is merged from the last contributor, we could generate our starting parameters from it. However, we (and you, the public) do not know if the last contribution may have introduced any kind of bias. Therefore, we’ll randomize the final contribution, using a seed that cannot be known during the entire contribution phase. For this, we’ll use a file that is the concatenation of (1) the first block hashes of Bitcoin and Ethereum on June 1, 2024 (UTC), and (2) the addresses of Pragma pack holders who submitted their address. We will hash this file many times (2^30 times), and use the final result as part of the last contribution.
The final set of parameters, after our last contribution by the given date, will be published as the official parameters for the Zircuit mainnet.
The KZG distributed ceremony is critical because it ensures that no single party knows the entirety of the secret used to generate the parameters, making it infeasible for any participant (or group of colluding participants) to compromise the system -- including Zircuit. This type of ceremony was famously used during the setup of Zcash and for setting up Proto-Danksharing on Ethereum via EIP-4844.
For your participation in this KZG ceremony, you’ll be awarded Zircuit points at a date after the Pragma pack submissions are closed. You’ll be able to check your points here and earn even more by participating in our Build to Earn program.
More on KZG ceremonies:
The KZG Ceremony - or How I Learnt to Stop Worrying and Love Trusted Setups by Carl Beekhuizen (YouTube - DevCon VI)
KZG Ceremony FAQs (GitHub - Ethereum)
How do trusted setups work? (Vitalik’s blog)
