The KZG Ceremony was the largest multi-party computation of its kind (by number of participants). Through an open, accessible process, it produced a secure cryptographic foundation for EIP-4844.
Learn more about how the Ceremony worked in Carl Beekhuizen's Devcon talk: "Summoning the spirit of the Dankshard"
As the Dencun upgrade approaches, this post will serve as a comprehensive record of outcomes and people that brought the Ceremony to life in 2023.
Outcomes and Methods
The Ceremony ran for 208 days: from Jan 13 13:13 UTC 2023 until Aug 08 23:08 UTC 2023
141,416 contributions made this the largest setup of this kind at the time of publishing.
Contributors were required to sign-in via Github or authenticate using an Ethereum address for spam prevention.
- 132,021 (93.36%) used Sign in with Ethereum
- 9,395 (6.64%) used Github
As additional spam prevention, Ethereum addresses were required to have sent a certain number of transactions (also referred to as "nonce") before the start of the Ceremony at block 16,394,155 2023/01/13 00:00 UTC. This requirement was modified throughout, depending on the needs at that time.
- Jan 13 - March 13: nonce 3
- March 13 - April 01: no new logins, but the lobby was allowed to clear out, ie. anyone already logged-in was able to complete their contribution.
- April 01-16: public contributions closed to accommodate Special Contributions
- April 16-25: 128
- April 25-May 8: 64
- May 8-25: 32
- May 25 - June 27: 16
- June 27 - Aug 23: 8
To prevent bots or scripts from interrupting honest contributors, the process was set up to blacklist any accounts with excessive logins/pings. To reset honest accounts accidentally added to the list, the blacklist was cleared four times throughout the contribution period.
Please note that we do not recommend using KZG contributions as a reliable list of unique identities e.g. for airdrops. While the sign-in and nonce requirements encouraged honest entropy contributions, these were ultimately minor impediments to actors wanting to contribute multiple times. Analysis of the transcript and onchain activity clearly show that many contributions came from linked addresses controlled by single entities. Fortunately, because these contributions were still adding entropy, it doesn't detract from the soundness of the final transcript output.
Verifying the transcript
8ed1c73857e77ae98ea23e36cdcf828ccbf32b423fddc7480de658f9d116c848: is the sha-256 hash of the final transcript output.
The transcript is 242 MB, and is available on GitHub in the ethereum/kzg-ceremony repo or via IPFS under the CID QmZ5zgyg1i7ixhDjbUM2fmVpES1s9NQfYBM2twgrTSahdy.
There are several means of verifying the transcript. It can be explored and verified on ceremony.ethereum.org, or with a dedicated verification script written in rust.
Learn more about the checks implemented here in Geoff's blog post: Verifying the KZG Ceremony Transcript.
There was a commemorative POAP NFT which could be claimed by contributors who logged in with their Ethereum address. The design of the POAP matches that of the original hosted interface, and includes the hash of the transcript in the border (8ed...848). To date, over 76k NFTs have been claimed by participants. Anyone who verified the transcript output was also able to tweet as social proof of success: see recent verification tweets here.
As noted above, we do not recommend using the list of minted POAPs as a strong anti-sybil signal, eg. for airdrop eligibility.
Special Contributions
April 1-16 2023 was the Special Contribution Period for the KZG Ceremony. This allowed participants to contribute in ways that may not have been possible in the Open Contribution period.
While the Ceremony only needs a single honest participant to provide a secure output, Special Contributions provide additional assurances beyond a standard entropy contribution:
- computing over the entropy in an isolated environment (eg. on an air-gapped machine, wiping and physically destroying hardware) means it's unlikely for a malicious entity to have extracted the entropy at any point
- detailed documentation (explore links below) attached to real reputations are unlikely to all have been coopted or faked by a malicious coordinating entity. The records are available for future observers to explore.
- different hardware and software limits correlated risk
- differentiated entropy generation (eg. measuring an explosion) prevents the Ceremony output being compromised by some failure in the regular entropy generation (eg. the hosted interface)
- contributions involving large groups of people are harder to fake than those with only one person
See the original Ethereum blog post which documents the 14 special contributions: details on methodology, where to find them in the transcript, and links to documenting media.
- Cryptosat: entropy from space
- The KZG Marble Machine: 3d printed marble machine
- Mr. Moloch’s Ephemeral Album II: a day-long musical adventure
- Dog Dinner Dance Dynamics: a good boy get dinner
- CZG-Keremony: a pure JS KZG ceremony client
- Improvised Theatre: unpredictable improv
- A Calculating Car: Self-driving car collects data
- A noisy city: Sydney whispers its stories
- Exothermic Entropy: chemicals go boom
- The Sferic Project: lightning never strikes in the same place twice
- The Great Belgian Beer Entropy Caper: recording a night of beer with a friend
- KZGamer: summoning Dankshard with a dice-tower
- Catropy: cats continue being integral to the internet
- srsly: an iOS KZG Ceremony client
Resources + Media
The resources here are helpful to learn more about how these constructions work, both generally and with regard to Ethereum's particular context.
- KZG Ceremony FAQ
- How do trusted setups work?
- EIP-4844
- Proto-Danksharding FAQ
- KZG polynomial commitments
- KZG Ceremony Timeline
- Spec Repo
- Frontend Repo
- Learnings from the KZG Ceremony (Nico's blog post)
| Title | Venue | Participants | Release Date |
|---|---|---|---|
| Danksharding and the KZG Ceremony w/ Carl Beekhuizen (Ethereum Foundation) | Strange Water Podcast | Rex, Carl Beekhuizen | November 2023 |
| KZG Ceremony Duo Summons The Ethereum Road Map | The Defiant | Tegan Kline, Carl Beekhuizen, Trent Van Epps | April 2023 |
| Episode 262: Ethereum’s KZG Ceremony with Trent & Carl | Zero Knowledge | Anna Rose, Kobi Gurkan, Carl Beekhuizen, Trent Van Epps | Feb 2023 |
| Ethereum's KZG Ceremony | Bankless | David Hoffman, Trent Van Epps, Carl Beekhuizen | Jan 2023 |
| Peep an EIP - KZG Ceremony | EthCatHerders | Pooja Ranjan, Carl Beekhuizen | Jan 2023 |
| Ethereum Foundation – EIP-4844 & KZG Ceremony | Epicenter | Friederike Ernst, Trent Van Epps, Carl Beekhuizen | Jan 2023 |
| Building the KZG Ceremony | PSE Learn and Share | Nico Serrano, Geoff Lamperd | Dec 2022 |
| The KZG Ceremony - or How I Learnt to Stop Worrying and Love Trusted Setups | Devcon | Carl Beekhuizen | Oct 2022 |
Audits
Given the utmost importance of security in this project, two audits were conducted, each for different components.
- SECBIT Spec + Implementation Audit - Aug 2022
- Sigma Prime Sequencer Audit - Jan 2023
Client Implementations
There were a number of independent implementations that Ceremony participants could run locally, with a variety of different features.
CLI Interfaces
| Implementation | BLS Library | Language | License | Author | Notes |
|---|---|---|---|---|---|
| Chotto | blst (jblst) | Java | Apache 2.0 | Stefan Bratanov (@StefanBratanov) | |
| go-kzg-ceremony-client | gnark-crypto | Go | MIT | Ignacio Hagopian (@jsign) | Features: transcript verification, using additional external sources of entropy, eg. drand network, an arbitrary URL provided by the user. Note: double signing not supported due to lack of hash-to-curve in gnark. |
| eth-KZG-ceremony-alt | kilic | Go | GPL-3.0 | Arnaucube (@arnaucube) | |
| Towers of Pau | blst | Go | MIT | Daniel Knopik (@dknopik), Marius van der Wijden (@MariusVanDerWijden) | Linux only, no signatures. |
| cpp-kzg-ceremony-client | blst | C++ | AGPL-3.0 | Patrice Vignola (@PatriceVignola) | Features: BLS/ECDSA signing, transcript verification, Linux/Windows/MacOS support |
| czg-keremony | noble-curves | JavaScript | MIT | JoonKyo Kim (@rootwarp), HyungGi Kim (@kim201212) | |
| kzg-ceremony-client | blst | C# | MIT | Alexey (@flcl42), CheeChyuan (@chee-chyuan), Michal (@mpzajac), Jorge (@jmederosalvarado), Prince (@prix0007) |
Browser Interfaces
| Interface | BLS Library | License | Author | IPFS | Repository | Notes |
|---|---|---|---|---|---|---|
| ZKParty Frontend | Arkworks | Several | latest.kzgceremony.eth | trusted-setup-frontend | References the latest version of the interface, which departs from the audited version in minor ways | |
| ZKParty Frontend (Audit Commit) | Arkworks | Several | [1] audit.kzgceremony.eth | trusted-setup-frontend | The exact interface which Sigma Prime audited in November 2022. May have minor bugs or differences from the latest version above. docker instructions | |
| Doge KZG | gnark | MIT | Andrew Davis (@Savid) | [2] | dogekzg | 🐶 |
- audit: QmevfvaP3nR5iMncWKa55B2f5mUgTAw9oDjFovD3XNrJTV
- doge: QmRs83zAU1hEnPHeeSKBUa58kLiWiwkjG3rJCmB8ViTcSU
BLS Libraries
| Library | Language | License | Audit |
|---|---|---|---|
| blst | C & assembly | Apache 2.0 | Audit Report, [WIP] Formal Verification |
| Arkworks | Rust | Apache 2.0, MIT | |
| gnark-crypto | Go & assembly | Apache 2.0 | Audit Report |
| kilic | Go | Apache 2.0 | |
| Herumi BLS | C++ & assembly | modified BSD | Technical Assessment |
| Constantine | Nim | Apache 2.0 | |
| py_ecc | Python | MIT | |
| matterlabs/EIP1962 | Rust | Apache 2.0 | |
| noble-curves | TypeScript/JS | MIT |
A massive shout out to the dozens of people from the broader Ethereum community involved in design, coordination, audits, devops-ing, and writing code. This project would not have existed without your efforts!
Another thank you to the tens of thousands of people who took the time to contribute, report bugs, and help scale Ethereum.