MPC Ceremony
BGM17 phase-2 trusted setup ceremony for paraloom's Groth16 proving keys.
MPC trusted setup
Paraloom's Groth16 proving keys come from a multi-party computation ceremony based on the BGM17 phase-2 protocol. Anyone can contribute; each contribution is recorded with a verifiable transcript. Mainnet activation gates on the ceremony's completion and an independent transcript verification.
Why a ceremony
Groth16 zkSNARKs require a circuit-specific Common Reference String (CRS). If a single party generates the CRS and keeps the toxic waste, they could forge proofs. A multi-party computation ensures no single contributor can recover the toxic waste — as long as one honest contributor exists, the resulting CRS is sound.
Participation
Contributing requires:
- The previous transcript (.bin file)
- 64 bytes of fresh entropy
- Roughly 30–60 seconds of compute per circuit on a modern laptop
- A clean machine (preferably air-gapped during the run)
# Pull the latest transcript from the public ceremony bucket
$ paraloom-ceremony-contribute \
--circuit deposit \
--in transcript-prev.bin \
--out my-contribution.bin \
--entropy "$(head -c 64 /dev/urandom | base64)"
generating phase-2 contribution
computing DLEQ proofs
✓ contribution recorded
✓ transcript appended (your hash: 7f3a…ae9b)
After contributing, destroy the entropy source (overwrite the file or, ideally, run on a machine that won't be reused).
Verification
Anyone can verify the entire transcript chain end-to-end without participating:
$ paraloom-ceremony-verify --transcript transcript.bin
loading 23 contributions
checking BGM17 phase-2 contribution deltas
checking DLEQ proofs per contribution
checking transcript hash chain integrity
✓ all 23 contributions valid
✓ DLEQ checks pass
✓ transcript chain hash matches anchor
The verifier is implemented in src/ceremony/verifier.rs; the lower-level DLEQ check is verify_contribution_deltas.
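The three checks in the verifier output above (contribution deltas, per-contribution DLEQ proofs, hash chain against an anchor) can be modelled in a few lines. This is an added example, not Paraloom's code: it assumes a toy multiplicative group and a Chaum-Pedersen DLEQ proof in place of the real elliptic-curve checks, and the record layout and function names are hypothetical.

```python
import hashlib
import secrets

# Toy parameters (assumption): order-Q subgroup of Z_P*, P = 2Q + 1, generator G.
# A real ceremony works over pairing-friendly elliptic-curve groups.
P, Q, G = 2039, 1019, 4

def h(*parts):
    """SHA-256 over the joined fields, hex encoded."""
    return hashlib.sha256("|".join(map(str, parts)).encode()).hexdigest()

def contribute(prev_delta, prev_hash):
    """Raise delta to a fresh secret s and prove log_G(pub) == log_prev(delta)."""
    s = secrets.randbelow(Q - 1) + 1   # toxic waste: never leaves this function
    k = secrets.randbelow(Q - 1) + 1   # one-time proof nonce
    rec = {"delta": pow(prev_delta, s, P), "pub": pow(G, s, P),
           "t1": pow(G, k, P), "t2": pow(prev_delta, k, P)}
    c = int(h(prev_hash, prev_delta, *rec.values()), 16) % Q  # Fiat-Shamir challenge
    rec["z"] = (k + c * s) % Q
    rec["hash"] = h(prev_hash, *rec.values())   # link to the previous record
    return rec

def verify(transcript, anchor):
    """Walk the chain from the genesis delta; return 'ok' or the first failure."""
    delta, prev_hash = G, "genesis"
    for i, r in enumerate(transcript):
        d, pub, t1, t2, z = (r[f] for f in ("delta", "pub", "t1", "t2", "z"))
        if d == 1 or pow(d, Q, P) != 1:
            return f"contribution {i}: delta outside the group"
        c = int(h(prev_hash, delta, d, pub, t1, t2), 16) % Q
        if (pow(G, z, P) != t1 * pow(pub, c, P) % P
                or pow(delta, z, P) != t2 * pow(d, c, P) % P):
            return f"contribution {i}: DLEQ proof invalid"
        if r["hash"] != h(prev_hash, d, pub, t1, t2, z):
            return f"contribution {i}: hash chain broken"
        delta, prev_hash = d, r["hash"]
    return "ok" if prev_hash == anchor else "final hash does not match anchor"

def run_ceremony(n):
    """Constructed sample run: n contributions chained from the genesis delta."""
    transcript, delta, prev_hash = [], G, "genesis"
    for _ in range(n):
        rec = contribute(delta, prev_hash)
        transcript.append(rec)
        delta, prev_hash = rec["delta"], rec["hash"]
    return transcript, prev_hash
```

The final delta is the genesis value raised to the product of every contributor's secret, so it stays unknown as long as one contributor's s is discarded.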
Finalization
When the contribution window closes, a single finalize step extracts the production proving keys from the transcript:
$ paraloom-ceremony-finalize \
--transcript transcript.bin \
--out-dir ./keys/v0.5.0/
✓ deposit_pk.bin (~120 MB)
✓ transfer_pk.bin
✓ withdraw_pk.bin
These are the keys L2 binaries v0.5.0 will accept. The finalize CLI is in src/bin/paraloom_ceremony_finalize.rs.
What's frozen during the ceremony
Once contributions begin, the circuits cannot change without invalidating the entire transcript. A CI guard (circuit-freeze workflow) blocks PRs touching circuit code while the ceremony window is active.
Status
| | Value |
|---|---|
| Protocol | BGM17 phase-2 |
| Circuits | deposit, transfer, withdraw |
| Tooling | shipped at v0.5.0-rc2 |
| Ceremony execution | gating mainnet — see GitHub issue #64 |
| Audit of tooling | included in pre-mainnet external audit scope |
Threat model
The ceremony is sound under the assumption that at least one contributor behaves honestly (uses real entropy, destroys toxic waste, signs their contribution). With ~20–30 contributors planned, this is a conservative assumption. The transcript is public; anyone can re-run paraloom-ceremony-verify after the ceremony to confirm.