Crate powersoftau

This ceremony constructs the "powers of tau" for Jens Groth's 2016 zk-SNARK proving system using the BLS12-381 pairing-friendly elliptic curve construction.


Participants of the ceremony receive a "challenge" file containing:

  • the BLAKE2b hash of the last file entered into the transcript
  • an Accumulator (with curve points encoded in uncompressed form for fast deserialization)

The participant runs a tool which generates a random keypair (PublicKey, PrivateKey) used for modifying the Accumulator from the "challenge" file. The keypair is then used to transform the Accumulator, and a "response" file is generated containing:

  • the BLAKE2b hash of the "challenge" file (thus forming a hash chain over the entire transcript)
  • an Accumulator (with curve points encoded in compressed form for fast uploading)
  • the PublicKey

This "challenge" file is entered into the protocol transcript. A given transcript is valid if the transformations between consecutive Accumulators verify with their respective PublicKeys. Participants (and the public) can ensure that their contribution to the Accumulator was accepted by ensuring the transcript contains their "response" file, ideally by comparison of the BLAKE2b hash of the "response" file.
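The hash chain over the transcript can be checked on its own, before any curve arithmetic. The following Python code is an added example, not code from the powersoftau crate: the Accumulator and PublicKey bytes are constructed opaque placeholders, the function names are hypothetical, and it assumes the transcript alternates challenge and response files with the first challenge chaining from BLAKE2b(""). It does not verify the Accumulator transformations against the PublicKeys.

```python
import hashlib
import hmac

DIGEST_LEN = 64  # the transcript digest is 64 bytes (BLAKE2b-512)


def blake2b(data: bytes) -> bytes:
    return hashlib.blake2b(data, digest_size=DIGEST_LEN).digest()


def verify_hash_chain(files):
    """Check that every file starts with the BLAKE2b hash of the previous file.

    `files` is the ordered transcript: challenge, response, challenge, ...
    Returns None if the chain is intact, else the index of the first file
    whose leading digest does not match the hash of its predecessor.
    """
    expected = blake2b(b"")  # assumption: the first challenge chains from BLAKE2b("")
    for index, data in enumerate(files):
        if len(data) < DIGEST_LEN:
            return index
        if not hmac.compare_digest(data[:DIGEST_LEN], expected):
            return index
        expected = blake2b(data)  # the hash covers the whole file, digest prefix included
    return None


def contains_response(files, response_hash: bytes) -> bool:
    """Participant check: is my "response" file (identified by its hash) in the transcript?"""
    responses = files[1::2]  # assumption: responses sit at the odd positions
    return any(hmac.compare_digest(blake2b(r), response_hash) for r in responses)


def build_sample_transcript(rounds: int):
    """Constructed sample data: placeholder bytes stand in for real curve points."""
    files, prev = [], blake2b(b"")
    for r in range(rounds):
        challenge = prev + b"ACCUMULATOR-uncompressed-%d" % r
        response = blake2b(challenge) + b"ACCUMULATOR-compressed-%d" % (r + 1) + b"PUBKEY-%d" % r
        files += [challenge, response]
        prev = blake2b(response)
    return files


if __name__ == "__main__":
    transcript = build_sample_transcript(3)
    print("first broken link:", verify_hash_chain(transcript))
    print("my response present:", contains_response(transcript, blake2b(transcript[1])))
```

Altering any byte of a file leaves that file's own digest prefix valid but breaks the prefix of the file that follows it, which is why the check reports the successor's index.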

After some time has elapsed for participants to contribute to the ceremony, a participant is simulated with a randomness beacon. The resulting Accumulator contains partial zk-SNARK public parameters for all circuits within a bounded size.



The Accumulator is an object that participants of the ceremony contribute randomness to. This object contains powers of trapdoor tau in G1 and in G2 over fixed generators, and additionally in G1 over two other generators of exponents alpha and beta over those fixed generators. In other words:


Abstraction over a reader which hashes the data being read.


Abstraction over a writer which hashes the data being written.


Contains the secrets τ, α and β that the participant of the ceremony must destroy.


Contains terms of the form $(s_1, s_1^x, H(s_1^x)_2, H(s_1^x)_2^x)$ for all x in τ, α and β, and some s chosen randomly by its creator. The function H "hashes into" the group G2. No points in the public key may be the identity.



Determines if points should be checked for correctness during deserialization. This is not necessary for participants, because a transcript verifier can check this themselves.


Errors that might occur during deserialization.


Determines if point compression should be used.



The size of the accumulator on disk.


The size of the contribution on disk.


The "public key" is used to verify a contribution was correctly computed.



Compute BLAKE2b("")


Constructs a keypair given an RNG and a 64-byte transcript digest.


Verifies a transformation of the Accumulator with the PublicKey, given a 64-byte transcript digest.