The KZG ceremony was the largest multi-party computation of its kind (in terms of number of participants). Through an open and accessible process, it produced a secure cryptographic basis for EIP-4844.
Learn more about how the ceremony works in Carl Beekhuizen’s work Discussion on Devcon: “Invocation of the spirit of Dankshard”
As the Dencun upgrade approaches, this article will serve as a comprehensive account of the results and the people who brought the ceremony to life in 2023.
Results and methods
The ceremony lasted 208 days: Since January 13, 2023 1:13 PM UTC until 08 Aug 23:08 UTC 2023
141,416 contributions making it the largest configuration of its kind at the time of publication.
Contributors had to log in through Github or authenticate using an Ethereum address to avoid spam.
- 132,021 (93.36%) used Connect with Ethereum
- 9,395 (6.64%) used Github
As an additional spam prevention measure, Ethereum addresses were required to have sent a certain number of transactions (also known as a “nonce”) before the ceremony began at block 16,394,155 on 2023-01-13 at 00:00 UTC. This requirement has been changed over time, depending on the needs of the moment.
- January 13 – March 13: Nuncio 3
- March 13 – April 1: No new logins, but the lobby was allowed to clear, meaning anyone already logged in was able to complete their contribution.
- April 1-16: Closing of public contributions to accommodate special contributions
- April 16-25: 128
- April 25-May 8: 64
- May 8-25: 32
- May 25 – June 27: 16
- June 27 – August 23: 8
To prevent bots or scripts from interrupting honest contributors, the process was put in place to blacklist all accounts with excessive connections/pings. To reset honest accounts accidentally added to the list, the blacklist was cleared four times throughout the contribution period.
Please note that we do not recommend using KZG contributions as a reliable list of unique identities For example, for airdrops. While the connection and nonce requirements encouraged honest entropy contributions, they were ultimately only minor obstacles for actors wishing to contribute multiple times. Analysis of the transcript and on-chain activity clearly shows that many contributions came from linked addresses controlled by single entities. Fortunately, since these contributions always added entropy, this does not harm the robustness of the final transcription result.
Transcription Check
8ed1c73857e77ae98ea23e36cdcf828ccbf32b423fddc7480de658f9d116c848: is the SHA-256 hash of the final transcription output.
The transcription is 242 MBand is available on GitHub in the ethereum/kzg-ceremony repository or via IPFS under the CID QmZ5zgyg1i7ixhDjbUM2fmVpES1s9NQfYBM2twgrTSahdy.
There are several ways to check the transcription. It can be explored and verified on ceremony.ethereum.orgor with a dedicated verification script written in rust.
Learn more about the controls implemented here in Geoff’s blog post: Verification of the KZG ceremony transcript.
There was a commemoration NFT POAP which could be claimed by contributors who logged in with their Ethereum address. The POAP design matches the original hosted interface and includes the hash of the transcript in the border (8ed…848). To date, over 76,000 NFTs have been claimed by participants. Anyone who verified the transcript output was also able to tweet as social proof of success: see recent verification tweets here.
As stated above, we do not recommend using the list of hit POAPs as a strong anti-sybil signalfor example for airdrop eligibility.
Special contributions
The special contribution period for the KZG ceremony ran from April 1 to 16, 2023. It allowed participants to contribute in ways that may not have been possible during the open contribution period.
Although the ceremony only requires one honest participant to provide a secure result, special contributions provide additional guarantees beyond a standard entropy contribution:
- Calculating entropy in an isolated environment (e.g. on an isolated machine, by physically wiping and destroying the hardware) means that it is unlikely that a malicious entity has extracted the entropy at any given time
- It is unlikely that the detailed documentation (see links below) attached to real reputations has been fully recovered or tampered with by a malicious coordinating entity. The records are available for future observers to explore.
- different hardware and software limitations, correlated risk
- differentiated entropy generation (e.g. measuring an explosion) prevents the ceremony output from being compromised by a failure in regular entropy generation (e.g. hosted interface)
- Contributions involving large groups of people are more difficult to falsify than those involving a single person
See the original Ethereum blog post which documents the 14 special contributions: details on the methodology, where to find them in the transcript and links to the documentation supports.
- Cryptosat: Entropy from Space
- KZG Marble Machine: 3D Printed Marble Machine
- Mr. Moloch’s Ephemeral Album II: A One-Day Musical Adventure
- Dog Dinner Dance Dynamics: A Good Boy Gets Dinner
- CZG-Keremony: a pure JS KZG ceremony client
- Improvised Theatre: Unpredictable Improvisation
- A Calculating Car: A Self-Driving Car Collects Data
- A noisy city: Sydney whispers its stories
- Exothermic entropy: chemicals explode
- The Sferic Project: Lightning Never Strikes Twice in the Same Place
- The Great Adventure of Belgian Beer Entropy: Recording a Beer Night with a Friend
- KZGamer: Summon Dankshard with a Dice Tower
- Catropy: Cats remain an integral part of the Internet
- seriously: a KZG iOS ceremony client
The resources here are useful for learning more about how these constructs work, both generally and as they relate to the specific context of Ethereum.
| Title | Place | Participants | Release date |
|---|---|---|---|
| Thank you and the KZG ceremony with Carl Beekhuizen (Ethereum Foundation) | Strange Water Podcast | Rex, Carl Beekhuizen | November 2023 |
| KZG Ceremonial Duo Invokes Ethereum Roadmap | The challenge | Tegan Kline, Carl Beekhuizen, Trent Van Epps | April 2023 |
| Episode 262: Ethereum KZG Ceremony with Trent and Carl | Zero knowledge | Anna Rose, Kobi Gurkan, Carl Beekhuizen, Trent Van Epps | February 2023 |
| Ethereum KZG Ceremony | Without bank | David Hoffman, Trent Van Epps, Carl Beekhuizen | January 2023 |
| Take a look at an EIP ceremony – KZG | EthCatHerders | Pooja Ranjan, Carl Beekhuizen | January 2023 |
| Ethereum Foundation – EIP-4844 and KZG Ceremony | Epicenter | Friederike Ernst, Trent Van Epps, Carl Beekhuizen | January 2023 |
| Construction of the KZG ceremony | PSE Learn and share | Nico Serrano, Geoff Lamperd | December 2022 |
| The KZG Ceremony – or How I Learned to Stop Worrying and Love Reliable Setups | Devcon | Carl Beekhuizen | October 2022 |
Audits
Given the paramount importance of safety in this project, two audits were carried out, each for different components.
Client Implementations
There were a number of independent implementations that ceremony participants could run locally, with a variety of different features.
CLI Interfaces
| Implementation | BLS Library | Language | License | Author | Remarks |
|---|---|---|---|---|---|
| Chotto | blst (jblst) | Java | Apache 2.0 | Stefan Bratanov (@StefanBratanov) | |
| go-kzg ceremony client | Gnark-crypto | Go | MIT | Ignacio Hagopian (@jsign) | Features: transcription verification, use of additional external entropy sources, e.g. drand network, arbitrary user-provided URL. Note: double signing is not supported due to lack of hash-to-curve in gnark. |
| eth-KZG-ceremony-alt | Kilic | Go | GPL-3.0 | Arnaucube (@arnaucube) | |
| Pau Towers | blst | Go | MIT | Daniel Knopik (@dknopik), Marius van der Wijden (@MariusVanDerWijden) | Linux only, no signatures. |
| cpp-kzg-customer-ceremony | blst | C++ | AGPL-3.0 | Patrice Vignola (@PatriceVignola) | Features: BLS/ECDSA signature, transcript verification, Linux/Windows/MacOS support |
| czg-keremony | noble curves | JavaScript | MIT | JoonKyo Kim (@rootwarp), HyungGi Kim (@kim201212) | |
| client-ceremony-kzg | blst | C# | MIT | Alexey (@flcl42), CheeChyuan (@chee-chyuan), Michal (@mpzajac), Jorge (@jmederosalvarado), Prince (@prix0007) |
Browser interfaces
- Verification: QmevfvaP3nR5iMncWKa55B2f5mUgTAw9oDjFovD3XNrJTV
- doge: QmRs83zAU1hEnPHeeSKBUa58kLiWiwkjG3rJCmB8ViTcSU
BLS Libraries
Many thanks to the dozens of people from the broader Ethereum community involved in design, coordination, audits, development, and coding. This project would not have existed without your efforts!
Another thank you to the tens of thousands of people who took the time to contribute, report bugs, and help evolve Ethereum.
