Wrapping up the KZG Ceremony


The KZG Ceremony was the largest multi-party computation of its kind (by number of participants). Through an open, accessible process, it produced a secure cryptographic foundation for EIP-4844.

Learn more about how the Ceremony worked in Carl Beekhuizen’s Devcon talk: “Summoning the spirit of the Dankshard”

As the Dencun upgrade approaches, this post will serve as a comprehensive record of outcomes and people that brought the Ceremony to life in 2023.

Outcomes and Methods

The Ceremony ran for 208 days: from Jan 13 13:13 UTC 2023 until Aug 08 23:08 UTC 2023

141,416 contributions made this the largest setup of this kind at the time of publishing.

Contributors were required to sign-in via Github or authenticate using an Ethereum address for spam prevention.

  • 132,021 (93.36%) used Sign in with Ethereum
  • 9,395 (6.64%) used Github

As additional spam prevention, Ethereum addresses were required to have sent a certain number of transactions (also referred to as “nonce”) before the start of the Ceremony at block 16,394,155 2023/01/13 00:00 UTC. This requirement was modified throughout, depending on the needs at that time.

  • Jan 13 – March 13: nonce 3
  • March 13 – April 01: no new logins, but the lobby was allowed to clear out, ie. anyone already logged-in was able to complete their contribution.
  • April 01-16: public contributions closed to accommodate Special Contributions
  • April 16-25: 128
  • April 25-May 8: 64
  • May 8-25: 32
  • May 25 – June 27: 16
  • June 27 – Aug 23: 8

To prevent bots or scripts from interrupting honest contributors, the process was set up to blacklist any accounts with excessive logins/pings. To reset honest accounts accidentally added to the list, the blacklist was cleared four times throughout the contribution period.

Please note that we do not recommend using KZG contributions as a reliable list of unique identities e.g. for airdrops. While the sign-in and nonce requirements encouraged honest entropy contributions, these were ultimately minor impediments to actors wanting to contribute multiple times. Analysis of the transcript and onchain activity clearly show that many contributions came from linked addresses controlled by single entities. Fortunately, because these contributions were still adding entropy, it doesn’t detract from the soundness of the final transcript output.

Verifying the transcript

8ed1c73857e77ae98ea23e36cdcf828ccbf32b423fddc7480de658f9d116c848: is the sha-256 hash of the final transcript output.

The transcript is available on GitHub in the ethereum/kzg-ceremony repo or via IPFS under the CID QmZ5zgyg1i7ixhDjbUM2fmVpES1s9NQfYBM2twgrTSahdy. It was added to the spec in this PR.

There are several means of verifying the transcript. It can be explored and verified on ceremony.ethereum.org, or with a dedicated verification script written in rust.

Learn more about the checks implemented here in Geoff’s blog post: Verifying the KZG Ceremony Transcript.

There was a commemorative POAP NFT which could be claimed by contributors who logged in with their Ethereum address. The design of the POAP matches that of the original hosted interface, and includes the hash of the transcript in the border (8ed…848). To date, over 76k NFTs have been claimed by participants. Anyone who verified the transcript output was also able to tweet as social proof of success: see recent verification tweets here.

As noted above, we do not recommend using the list of minted POAPs as a strong anti-sybil signal, eg. for airdrop eligibility.

Special Contributions

April 1-16 2023 was the Special Contribution Period for the KZG Ceremony. This allowed participants to contribute in ways that may not have been possible in the Open Contribution period.

While the Ceremony only needs a single honest participant to provide a secure output, Special Contributions provide additional assurances beyond a standard entropy contribution:

  • computing over the entropy in an isolated environment (eg. on an air-gapped machine, wiping and physically destroying hardware) means it’s unlikely for a malicious entity to have extracted the entropy at any point
  • detailed documentation (explore links below) attached to real reputations are unlikely to all have been coopted or faked by a malicious coordinating entity. The records are available for future observers to explore.
  • different hardware and software limits correlated risk
  • differentiated entropy generation (eg. measuring an explosion) prevents the Ceremony output being compromised by some failure in the regular entropy generation (eg. the hosted interface)
  • contributions involving large groups of people are harder to fake than those with only one person

See the original Ethereum blog post which documents the 14 special contributions: details on methodology, where to find them in the transcript, and links to documenting media.

  • Cryptosat: entropy from space
  • The KZG Marble Machine: 3d printed marble machine
  • Mr. Moloch’s Ephemeral Album II: a day-long musical adventure
  • Dog Dinner Dance Dynamics: a good boy get dinner
  • CZG-Keremony: a pure JS KZG ceremony client
  • Improvised Theatre: unpredictable improv
  • A Calculating Car: Self-driving car collects data
  • A noisy city: Sydney whispers its stories
  • Exothermic Entropy: chemicals go boom
  • The Sferic Project: lightning never strikes in the same place twice
  • The Great Belgian Beer Entropy Caper: recording a night of beer with a friend
  • KZGamer: summoning Dankshard with a dice-tower
  • Catropy: cats continue being integral to the internet
  • srsly: an iOS KZG Ceremony client


The resources here are helpful to learn more about how these constructions work, both generally and with regard to Ethereum’s particular context.

Title Venue Participants Release Date
Danksharding and the KZG Ceremony w/ Carl Beekhuizen (Ethereum Foundation) Strange Water Podcast Rex, Carl Beekhuizen November 2023
KZG Ceremony Duo Summons The Ethereum Road Map The Defiant Tegan Kline, Carl Beekhuizen, Trent Van Epps April 2023
Episode 262: Ethereum’s KZG Ceremony with Trent & Carl Zero Knowledge Anna Rose, Kobi Gurkan, Carl Beekhuizen, Trent Van Epps Feb 2023
Ethereum’s KZG Ceremony Bankless David Hoffman, Trent Van Epps, Carl Beekhuizen Jan 2023
Peep an EIP – KZG Ceremony EthCatHerders Pooja Ranjan, Carl Beekhuizen Jan 2023
Ethereum Foundation – EIP-4844 & KZG Ceremony Epicenter Friederike Ernst, Trent Van Epps, Carl Beekhuizen Jan 2023
Building the KZG Ceremony PSE Learn and Share Nico Serrano, Geoff Lamperd Dec 2022
The KZG Ceremony – or How I Learnt to Stop Worrying and Love Trusted Setups Devcon Carl Beekhuizen Oct 2022

Audits

Given the utmost importance of security in this project, two audits were conducted, each for different components.


Client Implementations

There were a number of independent implementations that Ceremony participants could run locally, with a variety of different features.

CLI Interfaces

Implementation BLS Library Language License Author Notes
Chotto blst (jblst) Java Apache 2.0 Stefan Bratanov (@StefanBratanov)
go-kzg-ceremony-client gnark-crypto Go MIT Ignacio Hagopian (@jsign) Features: transcript verification, using additional external sources of entropy, eg. drand network, an arbitrary URL provided by the user. Note: double signing not supported due to lack of hash-to-curve in gnark.
eth-KZG-ceremony-alt kilic Go GPL-3.0 Arnaucube (@arnaucube)
Towers of Pau blst Go MIT Daniel Knopik (@dknopik), Marius van der Wijden (@MariusVanDerWijden) Linux only, no signatures.
cpp-kzg-ceremony-client blst C++ AGPL-3.0 Patrice Vignola (@PatriceVignola) Features: BLS/ECDSA signing, transcript verification, Linux/Windows/MacOS support
czg-keremony noble-curves JavaScript MIT JoonKyo Kim (@rootwarp), HyungGi Kim (@kim201212)
kzg-ceremony-client blst C# MIT Alexey (@flcl42), CheeChyuan (@chee-chyuan), Michal (@mpzajac), Jorge (@jmederosalvarado), Prince (@prix0007)

Browser Interfaces


  1. audit: QmevfvaP3nR5iMncWKa55B2f5mUgTAw9oDjFovD3XNrJTV
  2. doge: QmRs83zAU1hEnPHeeSKBUa58kLiWiwkjG3rJCmB8ViTcSU

BLS Libraries



A massive shout out to the dozens of people from the broader Ethereum community involved in design, coordination, audits, devops-ing, and writing code. This project would not have existed without your efforts!

Another thank you to the tens of thousands of people who took the time to contribute, report bugs, and help scale Ethereum.





Source link

Leave a Comment