Help Onym become trustworthy.

For Groth16 over a pairing-friendly curve (BLS12-381 here), soundness requires a structured reference string (SRS) of the form

$$ \sigma = \Big( \{ \tau^i G \}_{i=0}^{n-1}, \{ \alpha \tau^i G \}_{i=0}^{n-1}, \{ \beta \tau^i G \}_{i=0}^{n-1},\ \alpha H,\ \beta H \Big) $$

with $G \in \mathbb{G}_1$, $H \in \mathbb{G}_2$, and toxic scalars $\tau, \alpha, \beta \in \mathbb{F}_r^*$ that must be erased after generation. If $(\tau, \alpha, \beta)$ survive, the SRS is broken: anyone holding them can construct accepting proofs for false statements [Groth16].

Toxic waste $= (\tau_i, \alpha_i, \beta_i) \in (\mathbb{F}_r^*)^3$ sampled by participant $i$. The MPC output after round $i$ is $(\tau^{(i)}, \alpha^{(i)}, \beta^{(i)}) = (\tau^{(i-1)} \tau_i,\ \alpha^{(i-1)} \alpha_i,\ \beta^{(i-1)} \beta_i)$. Soundness after $N$ rounds requires

$$\exists\, i^\star \in [N]\ :\ \tau_{i^\star},\ \alpha_{i^\star},\ \beta_{i^\star}\ \text{erased}.$$

The ceremony is sound iff at least one honest erasure occurred; this is the 1-of-$N$ assumption.

Let $\tau^{(N)} = \tau^{(0)} \prod_{i=1}^N \tau_i$. An adversary controlling any subset $S \subsetneq [N]$ learns $\prod_{i \in S} \tau_i$ but, given $\tau_{i^\star}$ is erased for $i^\star \notin S$, recovering $\tau^{(N)}$ requires solving DLOG over $\mathbb{G}_1$ — i.e., the scheme reduces to the $q$-SDH assumption under the generic group model [BGM17].

The 1-of-$N$ bound is tight: if all $N$ participants are corrupted, $\tau^{(N)} = \tau^{(0)} \prod \tau_i$ is fully known and Groth16 soundness collapses. No cryptographic assumption rescues this case. The ceremony therefore aims for diverse, non-colluding $N$ — geographic, institutional, and ideological diversity are all load-bearing.

At round $i$, participant $i$:

1. Samples $(\tau_i, \alpha_i, \beta_i) \leftarrow (\mathbb{F}_r^*)^3$ via OS CSPRNG.
2. Computes $\sigma^{(i)}$ by scalar multiplication over $\sigma^{(i-1)}$.
3. Computes a Schnorr PoK over $\mathbb{G}_1$ binding the round-id and new commitments: $\pi_i = (\tau_i G, H(\text{transcript}) \cdot \tau_i G, \ldots)$.
4. Emits state.srs, state.txt (metadata + hashes), receipt.txt (PoK + participant pubkey).
5. Zeroizes $(\tau_i, \alpha_i, \beta_i)$; the binary uses zeroize and rejects stdout of scalars.

The binary samples $(\tau_i, \alpha_i, \beta_i)$ from a uniform distribution over $\mathbb{F}_r^*$ via rejection sampling. The underlying entropy source is OsRng (which on Linux is getrandom(2) ultimately backed by the kernel CSPRNG). Bias is bounded: $\Delta \le 2^{-r} \cdot \log_2 r$ where $r = 255$ for BLS12-381's scalar field. For participants demanding higher assurance, --seed-hex accepts 32 externally generated bytes, from which we derive via HKDF-SHA256.

Receipt = Schnorr proof-of-knowledge $\pi$ of $\tau_i$ bound to a Fiat–Shamir challenge over the transcript hash. Specifically:

$$ \pi = (\tau_i G,\ H(\text{transcript}) \cdot \tau_i G),\qquad \text{transcript} = \text{round}\ \|\ \sigma^{(i-1)}\ \|\ \sigma^{(i)} $$

Verification: $e(H(\text{tx}) \cdot \tau_i G, H) \stackrel{?}{=} e(\tau_i G, H(\text{tx}) \cdot H)$. Analogously for $\alpha_i, \beta_i$. See $\texttt{src/ceremony/mod.rs}$ functions verify_contribution and verify_initial_contribution.

Verification of round $i$ checks six pairing equations (three ratio consistency checks, three power-of-$\tau$ consistency checks). For the initial round there are three additional checks against the generator. A full-transcript verify is $O(N)$ in pairings; on commodity hardware this is a few minutes for $N=128$ and $n=2^{11}$.

Browser verify uses ceremony-wasm compiled with ark-bls12-381; backend verify shells out to the same ceremony_tool binary participants run.

For each round $i$ verifier checks:

$$ \begin{aligned} e(\tau_i^{(\text{new})} G,\ H) &\stackrel{?}{=} e(G,\ \tau_i H) \cdot e(\tau^{(i-1)} G,\ H) \\ e(\alpha_i^{(\text{new})} G,\ H) &\stackrel{?}{=} e(G,\ \alpha_i H) \cdot e(\alpha^{(i-1)} G,\ H) \\ e(\beta_i^{(\text{new})} G,\ H) &\stackrel{?}{=} e(G,\ \beta_i H) \cdot e(\beta^{(i-1)} G,\ H) \end{aligned} $$

Plus three power-of-$\tau$ chain checks: $e(\tau^{(i),k} G,\ H) \stackrel{?}{=} e(\tau^{(i),k-1} G,\ \tau^{(i)} H)$ for $k \in \{1,\ldots,n-1\}$.

Authoritative source: src/ceremony/mod.rs::verify_contribution.

Artifacts are addressed by $\text{SHA-256}(\text{bytes})$; transcript events are Nostr kind 30078 (addressable) signed with the coordinator's secp256k1 key. Each event carries:

• d: sepceremony1:<tier>:r<round> (replaceable key)
• e: previous round's event-id (hash-linked chain)
• blob: (name, sha256, url) — one per artifact file
• participant_pubkey: contributor's npub

The chain yields a hash-linked Merkle-ish ledger; tampering with any round invalidates all subsequent e tags. Mirrors can ingest directly from any Nostr relay that accepted the events.

Phase 2 translates the universal SRS into Groth16-specific proving and verifying keys via the circuit's QAP: given the R1CS $(\mathbf{A}, \mathbf{B}, \mathbf{C})$ with $m$ constraints and $n$ variables, and the Phase 1 output $\{\tau^i G\}_{i \le 2^d}$, Phase 2 computes the Lagrange-evaluated polynomials $\ell_i(\tau), r_i(\tau), o_i(\tau)$ and the $\mathbf{h}(\tau) t(\tau) / \delta$ terms. $\delta$ is introduced as a fresh random scalar at Phase 2; this is why Phase 2 is per-circuit.

We run Phase 2 via snarkjs zkey rounds inside a pinned Docker image; see docs/phase2-mpc-integration.md.

Beacon $B = \text{SHA-256}(\text{blockheader}_h)$ for some pre-announced height $h$. Final SRS is derived as $\sigma^{(\text{final})} = \sigma^{(N)} \cdot B$ via scalar-multiplying each commitment by $\text{HKDF}(B, \text{"onym-ceremony-1"})$.

Beacon serves as a "post-commit" common reference, removing the last-contributor-biasing attack: $B$ is not known until after every $\tau_i$ has been committed, so no adversary can adapt $\tau_N$ to yield a useful target.