EF Blog

ETH top background starting image
ETH bottom background ending image
Skip to content

Wrapping up the KZG Ceremony

Posted by EF Protocol Support Team on January 23, 2024

Wrapping up the KZG Ceremony

The KZG Ceremony was the largest multi-party computation of its kind (by number of participants). Through an open, accessible process, it produced a secure cryptographic foundation for EIP-4844.

Learn more about how the Ceremony worked in Carl Beekhuizen's Devcon talk: "Summoning the spirit of the Dankshard"

As the Dencun upgrade approaches, this post will serve as a comprehensive record of outcomes and people that brought the Ceremony to life in 2023.

Outcomes and Methods

The Ceremony ran for 208 days: from Jan 13 13:13 UTC 2023 until Aug 08 23:08 UTC 2023

141,416 contributions made this the largest setup of this kind at the time of publishing.

Contributors were required to sign-in via Github or authenticate using an Ethereum address for spam prevention.

  • 132,021 (93.36%) used Sign in with Ethereum
  • 9,395 (6.64%) used Github

As additional spam prevention, Ethereum addresses were required to have sent a certain number of transactions (also referred to as "nonce") before the start of the Ceremony at block 16,394,155 2023/01/13 00:00 UTC. This requirement was modified throughout, depending on the needs at that time.

  • Jan 13 - March 13: nonce 3
  • March 13 - April 01: no new logins, but the lobby was allowed to clear out, ie. anyone already logged-in was able to complete their contribution.
  • April 01-16: public contributions closed to accommodate Special Contributions
  • April 16-25: 128
  • April 25-May 8: 64
  • May 8-25: 32
  • May 25 - June 27: 16
  • June 27 - Aug 23: 8

To prevent bots or scripts from interrupting honest contributors, the process was set up to blacklist any accounts with excessive logins/pings. To reset honest accounts accidentally added to the list, the blacklist was cleared four times throughout the contribution period.

Please note that we do not recommend using KZG contributions as a reliable list of unique identities e.g. for airdrops. While the sign-in and nonce requirements encouraged honest entropy contributions, these were ultimately minor impediments to actors wanting to contribute multiple times. Analysis of the transcript and onchain activity clearly show that many contributions came from linked addresses controlled by single entities. Fortunately, because these contributions were still adding entropy, it doesn't detract from the soundness of the final transcript output.

Verifying the transcript

8ed1c73857e77ae98ea23e36cdcf828ccbf32b423fddc7480de658f9d116c848: is the sha-256 hash of the final transcript output.

The transcript is 242 MB, and is available on GitHub in the ethereum/kzg-ceremony repo or via IPFS under the CID QmZ5zgyg1i7ixhDjbUM2fmVpES1s9NQfYBM2twgrTSahdy.

There are several means of verifying the transcript. It can be explored and verified on ceremony.ethereum.org, or with a dedicated verification script written in rust.

Learn more about the checks implemented here in Geoff's blog post: Verifying the KZG Ceremony Transcript.

There was a commemorative POAP NFT which could be claimed by contributors who logged in with their Ethereum address. The design of the POAP matches that of the original hosted interface, and includes the hash of the transcript in the border (8ed...848). To date, over 76k NFTs have been claimed by participants. Anyone who verified the transcript output was also able to tweet as social proof of success: see recent verification tweets here.

As noted above, we do not recommend using the list of minted POAPs as a strong anti-sybil signal, eg. for airdrop eligibility.

Special Contributions

April 1-16 2023 was the Special Contribution Period for the KZG Ceremony. This allowed participants to contribute in ways that may not have been possible in the Open Contribution period.

While the Ceremony only needs a single honest participant to provide a secure output, Special Contributions provide additional assurances beyond a standard entropy contribution:

  • computing over the entropy in an isolated environment (eg. on an air-gapped machine, wiping and physically destroying hardware) means it's unlikely for a malicious entity to have extracted the entropy at any point
  • detailed documentation (explore links below) attached to real reputations are unlikely to all have been coopted or faked by a malicious coordinating entity. The records are available for future observers to explore.
  • different hardware and software limits correlated risk
  • differentiated entropy generation (eg. measuring an explosion) prevents the Ceremony output being compromised by some failure in the regular entropy generation (eg. the hosted interface)
  • contributions involving large groups of people are harder to fake than those with only one person

See the original Ethereum blog post which documents the 14 special contributions: details on methodology, where to find them in the transcript, and links to documenting media.

  • Cryptosat: entropy from space
  • The KZG Marble Machine: 3d printed marble machine
  • Mr. Moloch’s Ephemeral Album II: a day-long musical adventure
  • Dog Dinner Dance Dynamics: a good boy get dinner
  • CZG-Keremony: a pure JS KZG ceremony client
  • Improvised Theatre: unpredictable improv
  • A Calculating Car: Self-driving car collects data
  • A noisy city: Sydney whispers its stories
  • Exothermic Entropy: chemicals go boom
  • The Sferic Project: lightning never strikes in the same place twice
  • The Great Belgian Beer Entropy Caper: recording a night of beer with a friend
  • KZGamer: summoning Dankshard with a dice-tower
  • Catropy: cats continue being integral to the internet
  • srsly: an iOS KZG Ceremony client

Resources + Media

The resources here are helpful to learn more about how these constructions work, both generally and with regard to Ethereum's particular context.

TitleVenueParticipantsRelease Date
Danksharding and the KZG Ceremony w/ Carl Beekhuizen (Ethereum Foundation)Strange Water PodcastRex, Carl BeekhuizenNovember 2023
KZG Ceremony Duo Summons The Ethereum Road MapThe DefiantTegan Kline, Carl Beekhuizen, Trent Van EppsApril 2023
Episode 262: Ethereum’s KZG Ceremony with Trent & CarlZero KnowledgeAnna Rose, Kobi Gurkan, Carl Beekhuizen, Trent Van EppsFeb 2023
Ethereum's KZG CeremonyBanklessDavid Hoffman, Trent Van Epps, Carl BeekhuizenJan 2023
Peep an EIP - KZG CeremonyEthCatHerdersPooja Ranjan, Carl BeekhuizenJan 2023
Ethereum Foundation – EIP-4844 & KZG CeremonyEpicenterFriederike Ernst, Trent Van Epps, Carl BeekhuizenJan 2023
Building the KZG CeremonyPSE Learn and ShareNico Serrano, Geoff LamperdDec 2022
The KZG Ceremony - or How I Learnt to Stop Worrying and Love Trusted SetupsDevconCarl BeekhuizenOct 2022

Audits

Given the utmost importance of security in this project, two audits were conducted, each for different components.

Client Implementations

There were a number of independent implementations that Ceremony participants could run locally, with a variety of different features.

CLI Interfaces

ImplementationBLS LibraryLanguageLicenseAuthorNotes
Chottoblst (jblst)JavaApache 2.0Stefan Bratanov (@StefanBratanov)
go-kzg-ceremony-clientgnark-cryptoGoMITIgnacio Hagopian (@jsign)Features: transcript verification, using additional external sources of entropy, eg. drand network, an arbitrary URL provided by the user. Note: double signing not supported due to lack of hash-to-curve in gnark.
eth-KZG-ceremony-altkilicGoGPL-3.0Arnaucube (@arnaucube)
Towers of PaublstGoMITDaniel Knopik (@dknopik), Marius van der Wijden (@MariusVanDerWijden)Linux only, no signatures.
cpp-kzg-ceremony-clientblstC++AGPL-3.0Patrice Vignola (@PatriceVignola)Features: BLS/ECDSA signing, transcript verification, Linux/Windows/MacOS support
czg-keremonynoble-curvesJavaScriptMITJoonKyo Kim (@rootwarp), HyungGi Kim (@kim201212)
kzg-ceremony-clientblstC#MITAlexey (@flcl42), CheeChyuan (@chee-chyuan), Michal (@mpzajac), Jorge (@jmederosalvarado), Prince (@prix0007)

Browser Interfaces

InterfaceBLS LibraryLicenseAuthorIPFSRepositoryNotes
ZKParty FrontendArkworksSeverallatest.kzgceremony.ethtrusted-setup-frontendReferences the latest version of the interface, which departs from the audited version in minor ways
ZKParty Frontend (Audit Commit)ArkworksSeveral[1] audit.kzgceremony.ethtrusted-setup-frontendThe exact interface which Sigma Prime audited in November 2022. May have minor bugs or differences from the latest version above. docker instructions
Doge KZGgnarkMITAndrew Davis (@Savid)[2]dogekzg🐶
  1. audit: QmevfvaP3nR5iMncWKa55B2f5mUgTAw9oDjFovD3XNrJTV
  2. doge: QmRs83zAU1hEnPHeeSKBUa58kLiWiwkjG3rJCmB8ViTcSU

BLS Libraries

LibraryLanguageLicenseAudit
blstC & assemblyApache 2.0Audit Report, [WIP] Formal Verification
ArkworksRustApache 2.0, MIT
gnark-cryptoGo & assemblyApache 2.0Audit Report
kilicGoApache 2.0
Herumi BLSC++ & assemblymodified BSDTechnical Assessment
ConstantineNimApache 2.0
py_eccPythonMIT
matterlabs/EIP1962RustApache 2.0
noble-curvesTypeScript/JSMIT

A massive shout out to the dozens of people from the broader Ethereum community involved in design, coordination, audits, devops-ing, and writing code. This project would not have existed without your efforts!

Another thank you to the tens of thousands of people who took the time to contribute, report bugs, and help scale Ethereum.

Categories