►
From YouTube: KZG-Ceremony Breakout Call #5
Description
A
Welcome
everyone
to
the
fifth
kcg
ceremony
call,
so
I
think
most
people
know
why
we're
here,
but
I
see
jb
and
alex
if
you're
new.
This
is
the
call
to
coordinate
around
the
kzg
ceremony,
which
will
make
build
the
foundation
for
protobank
sharding,
which
is
upgrade
we
hope
to
put
into
progress
after
the
merge
it'll
be
the
next
upgrade
help
some
scalability.
A
Let's
see
so
top
of
mind
is
the
audit.
I
guess
we
could
start
with
that
carl
carl
and
kev.
Do
you
want
to
just
talk
about
where
we're
at
with
that?
Well,
I
guess
so
we're
the
audit
is
going
to
happen
in
a
couple
weeks.
That's
when
it's
slated
to
kick
off
there's
some
work.
That
still
needs
to
be
done,
and
maybe
we
should
just
go
over
that
before
getting
into
other
stuff.
B
C
Yeah,
so
I
was
reading
the
specs
again.
I
think
there
are
some
changes
that
I
need
to
upstream
to
this
spec.
C
I
basically
created
a
new
python
implementation
that
to
get
some
executable
specs
and
I
was
going
to
send
it
to
carl
and
then
basically
modify
the
rust
code
again
and
based
on
that
so
yeah.
That's
where
I'm
currently
at.
D
B
Okay,
fantastic
yeah.
I
will
review
that
asap
because
I
guess
getting
getting
all
these
final
changes
in
there
and
then
merged
into
all
your
stuff
would
be
well.
There's
number
one
priority
for
the
audit.
C
Right
so
one
change
that
carl,
I
don't
know
if
you're
strongly,
for
it
is
to
have
the
cryptography,
like
library,
only
deal
with
one
ceremony.
So
the
context
of
having
multiple
ceremonies
is
sort
of
done
by
the
client.
The
front
end.
B
B
I
guess
the
the
the
only
aspect
of
this
I
do
like
is
the
idea
of
just
not
having
to
sort
of
touch
the
the
files
like
we
just
pass
in
the
structure.
That
is
exactly
as
it
is
from
the
for
from
the
interpreter
json
in
terms
of
simplifying
things
but
yeah.
Otherwise,
it
sort
of
gets
touched
in
two
places
once
when
we
we
deal
with
it
on
the
website
side
and
then
again,
once
it
gets
passed
into
the
krypton
library.
E
C
Okay,
so
I'll
just
defer
that
to
jeff
to
see
the
complexity,
I
guess
also
the
json
as
well
for
the
crypto.
I
noticed
that
we're
dealing
with
json
currently
in
the
rust
library
we
basically
just
serialize
the
points
in
the
binary
file.
So
it's
just
like
2
to
the
15
g1
points
followed
by
65
g2
points,
but
in
the
specs
it's
a
json
file.
C
I
noticed
the
rationale
was
so
that
we
can.
Basically,
I
think
it
said
something
about
touching
parts
of
the
transcript.
B
C
Usually,
there's
like
for
points
you
can
do
like
like
compressed
form
to
just
send
it
over
like
some.
They
usually
have
this
serialization.
C
It's
just
one
after
the
other.
So
if
it's
2
to
the
16
points
that
you
need,
you
just
do
like
2
to
16
g1
points
followed
by
65
like
g2
points,
for
example,.
B
E
B
D
C
B
I
don't
think
it's
super
important,
but
I
do
think
it
is
like
sort
of
simpler
to
like,
particularly
for
someone,
if
they're
trying
to
implement
sort
of
the
just
the
the
website
of
this
and
and
not
the
the
the
crypto
so
sort
of
up
to
the
sdk.
Then
it's
easier
to
think
about
like
this.
When.
A
B
B
C
I
don't
know
what
does
everyone
else
think
about
this?
I
guess
the
the
main
thing
that
popped
up
for
me
was
that
the
json
on
the
cryptography
level
seemed
a
bit
off,
which
is
why
I
brought
it
up.
D
C
It's
just
really
a
really
flat
serialization
on
the
cryptography
side,
which
is
why
I
brought
it
up
like
for
the
I
imagine
the
front
end
would
need
some
like
it
makes
sense
on
the
front
end
for
me,
but
then
for
the
cryptography
part.
It
seems
that
we
just
need
just
the
bytes
and
we
just
need
to
know
how
many
points
there
were.
B
Yeah,
I
agree,
but
like
again,
there's
also
sort
of
standards
that
seem
to
exist
across
the
ethereum
space.
If
you
go
like
right
down
to
like
how
the
el
and
cl
talk
to
one
another
or
how
the
beacon
and
vcs
talk
to
one
another,
all
of
this
stuff
seems
to
be
just
via
via
basic
json,
even
if
they're
like
way
more
efficient
or
more
sensical
ways
of
encoding.
This,
it's
all
just
pack
strings
for
for
for
for
ease
of
use,
and
I
think
this
is
an
extension
of
that.
E
C
And
did
anyone
else
have
any
thoughts,
duncred
or
jb.
B
B
I
mean
yeah
in
essence,
the
the
this
is
again
why
I
was
trying
to
have
the
the
the
what
I
was
meaning
when
I
was
messaging
the
other
day
about
exactly
how.
How
would
you
like
this
interface
to
be
encoded
for
the
sdk,
because
now
that
the
sdk
defines
all
the
same
like
the
same
types
but
they're
defined
now
as
native
javascript
objects,
as
opposed
to
json.
E
D
Yeah
json
strings,
so
I
need.
C
To
change
that,
okay
yeah,
I
mean
it
doesn't
change
much.
I
think
if
the
cryptography
never
needs
to
worry
about,
the
actual
json
file
should
be
fine
yeah.
I
think
I'll
write
this
down.
C
Oh
sorry,
I
didn't
mean
to
send
that
I'll
write
this
down
as
because
as
one
of
the
part
of
the
rationale,
because
I
think
in
other
ceremonies
they
usually
do
this
pact
absolutely
right.
Encoding.
B
Yeah-
and
I
think
that
the
the
two
differences
here
is
one
I'm
very
heavily
trying
to
optimize
for
anyone
to
be
able
to
write
their
own
software
and
b
that
we
just
have
so
few
points
that,
like
the
amount
saved
over
writing
your
own
biting
coding
or
deciding
that
it's
just
not
worth
it.
E
C
Creation,
and
because,
in
a
theory
it's
this
is
what
you
usually
do.
C
Okay,
okay,
that's
cool!
Looking
at
the
notes,
another
thing
was
the
actual
encoding.
I
was
using
pi
ecc
and
they
basically
always
compressed
the
point,
but
I
noted
that
we
could
just
use
the
uncompressed
point.
I
think,
with
the
json
idea.
We
might
not
be
able
we
could
do
it,
but
it's
going
to
make
the
file
a
lot
bigger.
C
G
H
Is
that
what
is
the
trade-off
here
between,
like
that's
more
more
bandwidth
at
the
cost
of
lower
performance,
right,
yeah.
H
B
So
the
ceremony
right
now,
the
files
like
seven
megabytes
going
for
uncompressed
would
push
this
up
to
like
15
or
so
megabytes.
H
C
H
H
Like
what's
the
worst
case,
connection
that
we
are
factoring
like,
let's
say
it's
one
megabit,
then
seven
extra
megabytes
is
like
a
minute
or
something
a
bit
more.
H
B
H
H
B
B
Not
quite
that
bad,
but
yeah,
something
like
that.
Five
to
10x
yeah.
H
Okay,
I
mean
my
intuition
is
that
compressed
is
better
because
the
worst
case,
like
I
mean
the
worst
case
connection,
is
just
much
much
worse
than
the
worst
case
like
so
so
I
I
guess
like
in
in
in
the
in
the
average
case.
It
doesn't
matter
much
like
both
are
pretty
fast
and
like
we're
both
talking
about
fractions
of
a
second
but
but
if
either
like.
H
You're
unlikely
to
get
100x
slower
processor,
but
you're
quite
likely
to
get
100x
lower
internet
connection.
C
Right:
okay,
yeah.
I
think
that's.
H
C
G
C
Right
yeah
just
remember
the
json
discussion.
I
don't
know
if
you
cut
if
he
was
not
here,
did
you
have
any
opinions
on
that?
Basically
json
versus
binary.
H
B
B
H
No,
but
but
don't
don't
like
I
mean,
don't
can't
you
get
the
browser
to
compress
it
or
something
I
thought.
B
We
can,
but
then
we
gotta
decide
on
standards,
and
everyone
has
to
include
this
compression.
Then
what
I'm
trying
to
argue
here
is
that,
like
relative
to
the
the
like
what
we
already
have
for
numbers
for
participation
whatever
these
are
like
not
limiting
factors
yet.
So
I
agree
if
we're
struggling
to
get
all
this
done
and
we
had
gigabytes
worth
of
files
or
whatever,
but
I
mean.
H
B
C
F
H
C
I
think
the
problem
with
sort
of
giving
people
a
lot
of
time
is
that
I
can
register
like
10,
000,
github
accounts
and
then
now
you've.
Given
me,
let's
say
three
minutes:
I
can
put
myself
in
the
queue
and
then
just
waste.
Thirty
thousand
minutes.
B
C
Right
but
you've,
but
each
participant
gets
like
some
upper
bounds
to
do
everything.
Yeah.
H
F
B
A
F
B
That's
also
that's
also
another
option
we
can
get
around.
H
With
github
accounts,
here's
how
you
could
do
it
make
sure
that
it
has
a
commit
that
is
at
least
like
well
that
doesn't
that
was
made
before
we
made
this
decision.
Basically,
then
it's
very
difficult
to
game
because
yeah
you
would
have
have
already
and
that
that
still
includes
like
a
huge
number
of
potential
people.
So
it's
yeah.
H
F
B
Weather
jeff
opened
a
pr
five
hours
ago
against
the
the
reaper.
Where
he's
put
some
of
these
ideas
down-
and
I
assume
we're
going
to
discuss
that
later
on
this
call
but
yeah
we.
This
is
part
of
why
I
won't
be
going
to
get
on
github
as
we
can
have
these
discussions
sort
of
out
in
the
open,
because
there
are
sort
of
many
ideas.
We've
all
been
throwing
rough
numbers
around,
but
we
actually
need
to
make
some
decisions
on
these
constants
yeah.
B
H
Okay,
so
I
mean
like
basically
with
a
three
minute:
seven
megabytes
file.
I
think
I
get
like
you
need
probably
like
a
600
megabits
upstream
or
something
realistically
to
be
able
to
complete
this,
giving
one
and
a
half
minutes
for
the
upload.
It's
probably
okay
for
most
people
with
a
broadband
connection,
but
it's
probably
gonna
fail
for
some
people
if
they
try
to
do
it
using
a
mobile
connection.
E
H
B
B
The
the
the
other
thing
is
my
part
of
what
I
proposed
in
the
past
is
that
at
the
end
of
all
of
this,
we
have
a
separate
time
where
you
can
apply
for
longer
slots,
etc,
etc.
So,
if
you
fail
to
get
into
all
of
this,
because
your
internet
connection
was
too
slow,
you
could
apply
for
slots.
H
Yeah,
but
I
really
want
to
reserve
those
more
for
specials
like
for
vitalik
using
pi,
ecc
and
stuff
like
that,
rather
than
making
that
a
general
thing
for
like
I,
I
think
I
think
you
should
get
into
these.
If
you
have
a
justification,
why
your
contribution
adds
a
non-trivial
amount
of
extra
security.
C
Yep
wait
but
then
can't
we
say
that
we'd
be
sort
of
disallowing
people
who
are
so
who
don't
have
strong
internet
connections
like
maybe
in
countries
that
just
don't
have
good
internet.
C
Another
thing
was
the
mention
of
irtf
bls
draft
in
the
specs.
C
I
think
that
some
people
just
won't,
have
read
the
draft
and
they
might
not
know
what
actually
it
is
so
in
the
implementation
I
did.
I
wrapped
pi,
ecc
and
just
exposed
methods
like
pairing
is
in
subgroup,
is
identity,
so
methods
that
don't
actually
relate
to
this.
I
to
the
draft.
C
B
The
reason
I
included
the
draft
is
the
draft
is
where
we
have
all
the
my
constants,
etc,
etc.
It's
also
like
what
most
these
libraries
are
are
talking
about,
but
I
don't
think
I
say
anywhere
that
it's
required
to
be
fully
compliant
and
that's
why
I
have
the
file
bls.md
was
to
define
all
these
endpoints.
C
B
B
I
was
just
trying
to
offer
another
option
but
like
absolutely,
if
any
of
this
is
unclear,
I'm
happy
to
make
changes
except
prs,
but
I'm
not
trying
to
like
enforce.
You
need
a
full
irtf
standards,
compliant
implementation
of
bls.
C
Yeah,
oh
yeah,
sure
yeah,
it's
just
maybe
let's
find
them.
I
just
thought
it
might
be
better
if
we
just
had
something
very
general
like
this
is
what
you
need
from
the
from
a
pairings
group
and
that's
it
but
yeah.
I
guess.
Actually,
if
most
libraries
are
irtf
compliant,
we
could
have
this
extra
section.
That
says
you
can
implement
it
using
this
or
something
along
those
lines.
D
B
Yeah,
but
that
the
fact
that
that
was
possible
to
you
is
is
sort
of
an
issue
to
me
but
anyways.
I
think
we're
on
the
same
page
here.
C
C
The
witness
continuity
check.
I
wasn't
quite
sure
what
it
was
doing,
but
maybe
we
can
take
that
part
off
line.
I
think
it's
missing
a
pairings.
C
B
C
Cool
yeah,
apart
from
that,
I
think
that's
where
most
of
the
differences
were.
I
changed
up.
Some
of
the
terminology,
like
I
don't
use
the
word
transcript
anymore.
I
use
srs
or
update
proof.
B
Yeah
sure
I
did,
I
don't
know
if
you
saw,
I
did
a
big
change
just
before
I
went
on
holiday,
which
sort
of
changed
what
was
called
transcripts
and
what
wasn't
et
cetera.
So
the
sort
of
change
now
is
that
the
whole
file
is
called
the
transcript
and
then
there's
a
thing.
The
notion
of
a
sub-ceremony
which
refers
to
like
the
individual
collection
of
powers
of
top
plus
witness.
B
C
Okay,
yeah.
That
makes
a
lot
of
sense
yeah.
So
I
think
that's
mainly
all
of
the
where
all
of
the
discrepancies
are
while
we're
on
the
call
I'll
just
try
to
push
this
python
version
and
then
modify
it
to
just
slightly
to
match
the
specs.
C
E
A
A
There's
also
the
we
had
talked
to
previously
about
this
idea
of
a
rationale
document.
Is
that
something
that
we
can
also
make
sure
to
have?
It
sounds
like
it
would
be
helpful
for
the
audit.
C
C
So
yeah,
I
think
it
would
be
really
helpful
to
sort
of
explain
why
we
diverged
from
previous
ceremonies
as
well.
A
Yeah
for
sure,
and
the
more
context
that
we
can
give
people,
the
better,
I
think,
is
before
we
send
it
off
or
do
the
kickoff
call?
Is
there
anyone
that
you'd
like
to
have
review
it,
or
is
the
internal
group
here
probably
sufficient.
B
A
Yeah,
I'm
just
thinking
about.
Obviously
we
a
bad
situation
would
be
kev
finishes
it
like
the
day
before
and
there's
no
time
for
people
other
people
to
review
it,
but
I
don't
think
that's
going
to
be
the
case.
I
just
want
to
make
sure
that
there's
enough
time
for
some
other
people
to
get
eyes
on
it,.
A
F
Oh
yeah,
so
I
guess
the
big
breakthrough
is.
We
have
a
solution
for
running
the
wasm
in
firefox.
It's.
F
Yeah
so
at
least
we
can
do
it
in
firefox.
It's
it's!
It's
not
multi-threading
where
it
is
in
other
browsers,
but
we
we've
got
time
to
work
on
that
and
get
it
multi-threaded.
I
think,
but
at
least
we've
got
a
solution.
F
F
Oh,
the
issue
in
firefox
is
so
we
had.
We
had
russ
compiled
to
wasm
and
running
fine
in
chrome
with
multiple
threads,
but
it
crashed
in
firefox,
and
so
we
could
run.
F
It
was
the
multiple
threads
that
were
causing
that
that
issue.
So
we
could
run
a
single
threaded
model
in
everything
in
every
browser
and
effectively.
What
we've
done
is
run,
keep
the
multi-threads
in
multiple
threads
in
chrome,
based
browsers
and
do
a
polyfill
to
run
the
single
threaded
version
in
firefox.
H
Right
what
I'm
I'm
asking
about
is
what
what
is
the
performance
right
now,
how
long.
F
Yes,
I've
got
good
figures
on
that,
so
in
chrome
it
was.
It
was
like
five
to
15
seconds
in
that
sort
of
range.
I
think
in
firefox,
probably
more
like
40
to
50
seconds.
F
F
F
E
D
F
We
haven't
addressed
that.
Oh
it's
because
of
modules
when
you,
when
you
compile
it
with
rayon,
it's
in
it,
insists
on
doing
a
modules.
Build
and
firefox
doesn't
support
web
workers
with
modules.
F
C
C
Yeah
sorry
to
backtrack,
I
I
just
remembered
I
had
another
thing
about
the
api:
can
we
allow
a
single
person
to
make
multiple
updates.
C
So
contributor
can
submit
multiple
update
proofs.
C
C
G
B
C
Right
yeah,
it
was
awesome
because
the
api
could
easily
allow
multiple
update
proofs.
I
think
marius
brought
it
up
before
it
didn't
bring
any
security.
C
Advantages,
I
think-
and
I
actually
know
that
no
actually
never
mind,
because
I
didn't
that
introduces
a
lot
more
complexity,
because
if
I
do
a
sub
ceremony,
I'm
gonna
have
to
have
a
bigger
upper
bound
than
three
minutes.
So
I
could
easily
dust
this
thing.
C
So
I
guess
the
scenario
is
that
I'm
a
contributor
but
then
I'm
doing
a
ceremony,
a
sub-ceremony
of
10
people.
B
B
C
Yeah
yeah
exactly
yeah.
I
think
it
introduces
a
lot
more
complexity.
I
only
act
because
the
api
allows
is
someone's
internet
connection.
C
Yeah
yeah,
I
only
said
it
because
I
noticed
the
api
easily
allowed
it,
but
actually
it
opens
up
a
dos
vector.
If,
because
you
have
to
increase
the
upper
bound
for
this
contributor,
because
there's
multiple
people
contributing
yeah.
C
I
think
it
should
be
fine
to
just
have
one
update
proof.
If
you
look
at
the
actors.py
file
it
and
then
the
coordinator
you'll
see
that
if
it's
one
update
proof
there
can
only
be
one
update
from
the
previous
to
the
current
srs,
so
it
should
be
fine.
I
think.
B
Yeah,
so
all
the
update
proofs
are
kept
forever
in
the
the
transcript
json.
G
C
I
think
that
might
be
a
bit
that
might
be
a
lot
of
mega
megabytes
in
the
end,
because
if
10
000
people
have
come
before
me,
then
I'd
need
the
update
proof
from
all
10
000
of
them.
Is
that
correct.
B
B
B
For
verification,
after
the
fact
right
now
are
you
sending
an
abbreviated
transcript
to
participants?
I
mean
I'm
happy
to
define
this,
but
this
is
just
something
that.
C
C
I
I'm
a
bit
I'm
a
bit
weary
because
having
the
file
size
grow
with
the
number
of
participants,
I
think
we
said
ten
thousand,
but
I
don't
I'm
not
sure
like.
Usually
we
just
as
a
contributor,
I
don't
care
about
the
previous
contributions.
I
only
care
about
my
ones
so.
B
You
just
point
you
point
to
your
your
your
contribution
in
the
what
were
you,
according
to
you
put
your
point
to
your
update
proof.
C
Right
so
I
so
I
can
point
to
my
update
proof,
but
I
also
need
to
link
it
to
the
final
srs.
B
C
C
B
B
H
Right
right,
right,
okay,
but
I
mean
the
reasonable
thing
is
during
the
what
happens
during
the
ceremony,
I
think
you
should
just
get
a
signed
confirmation
by
the
sequencer.
You
have
participated
and
then,
if
the
sequencer
is
lying
at
the
end,
then
you
can
like
cry
both
and
get
pull
out.
The
signed
message
like
he
was
signed,
I
participated,
but
my
contribution
isn't
in
there.
B
I
guess
the
distinction
here
is
between
saying
I
participated
in
the
trusted
ceremony
and
my
proof
is
dead.
Beef
and
the
I
participated
in
trusted
ceremony
output.
Thus-
and
my
proof
is
dead.
Beef.
H
H
Guess
it
would
be
even
better,
it
would
be
even
better
if,
like
you
actually
got,
I
don't
know.
If
that
has
been
thought
I
mean
I
don't
want
to
cause
complications,
but
I
guess
like
in
ideally
the
sequence.
I
would
sign
that
you
have
participated
as
well,
basically
to
like
yeah
increase
trust
in
the
sequencer,
because
at
the
end
it
can't
have
excluded
some
of
the
contributions,
but
yeah.
C
Great,
so
I
guess
to
go
back
to
what
we're
just
started.
It
was
including
these
proofs
during
the
ceremony.
B
B
And
like
this
public
case
in
in
this
essence,
then
becomes
a
like
distributed
storage
amongst
all
the
participants
that
you
can
see.
All
the
people
who
participated
before
you
so
like.
Not
only
are
you
keeping
the
the
coordinator
honest
by
having
like
checking
out
at
the
end,
you're
also
doing
it
in
the
interim,
because
you
can
verify
other
people
have
already
participated.
H
B
Yeah,
let's
that
that,
like
I
agree
with
that
statement
like,
but
we're
not
going
to
have
43
000
participants,
I'd
be
ecstatic
right.
We
might
like,
like
like
goals
right.
As
I
said
a
few
times,
I
want
to
have
more
participants
and
we
have
points
in
the
ceremony
which
would
be
awesome
but
yeah
right.
H
Okay,
I
mean,
I
don't
know
I.
If
it
causes
technical
complications,
then
I
would
say
like
whatever
like
keep
it
as
it
is,
but
my
intuition
is
that
it
seems
that
we
should
be
able
to
remove
the
proofs
from
the
participant
files.
I
feel,
like
I
mean,
what's
the
participant
going
to
do
with
it,
they
don't
do
anything.
B
You
can
so
to
me
all
it
does.
Is
it
saves
the
complexity
of
having
like
two
different
files,
I'm
happy
to
include
that.
I
just
think
it
makes
it
more
complicated
for
reading
the
spec,
where
there's
now
one
version
of
the
file
that
you
receive
at
one
point
and
another
version
that
you're
gonna
receive
at
the
end,
and
I'm
fine
with
that.
We
can
do
that.
I
just
think
it's
that's
pretty
and
this
easy
to
understand.
C
As
a
contributor,
all
I
receive
is
the
srs
file
when
I'm
doing
it.
After
the
fact,
I
receive
two
srs
files
and
a
bunch
of
update
proofs.
C
Yeah,
I
guess
my
only
concern
is
that
we
say
we
might
have
just
ten
thousand,
but
it's
a
bit
weary
that
the
the
like
this,
the
proofs,
the
proofs,
could
be
sort
of
an
impact.
F
Yeah,
I
I
was
having
a
conversation
just
last
night
and
with
someone
and
they
he
said
oh
you're,
going
to
get
a
hundred
thousand
participants
and
my
initial
reaction
was
no
way.
But
then
he
started
to
say
well,
people
think
you
know
there's
going
to
be
some
reward
at
the
end
or
something
I'll
just
dive
in
and
okay.
If
we,
if
we
end
up
with
a
60
megabyte
file,
then
we're
kind
of
cutting
off
that
that
possibility,
because
you
can
end
it
with
a
you
know,
one
minute,
two
minute
download.
B
Okay,
it
seems
like
I'm
very
clearly
in
the
minority
here.
I
will
define
a
truncated
and
non-truncated
version
of
this
file,
which
basically
does
it
does.
The
list
include
all
the
proofs
or
just
the
first
and
last
elements
in
the
proofs.
I'm
fine
with.
B
C
Right
yeah,
I
think
it's
just
the
srs,
but
we
can
take
it
offline
just
because
there's
terminology
differences,
there
sure.
B
Yeah
I
mean
if
we,
if,
if
we're
starting
with
the
generator,
then
then
it's
the
same
but
anyways
yeah,
okay,.
G
C
It's
just
a
copy
of
the
generator
multiple
times.
G
E
D
D
A
Okay,
great
real,
quick,
let's
just
restate
what
people
are
gonna
be
doing.
Obviously,
the
audit
is
main
main
focus
for
the
next
week
and
a
half.
What
else
there
is
somebody
from
pse
working
on
putting
together
a
wireframe
for
the
site?
A
That's
really
exciting,
and
hopefully
we'll
have
that
sooner
rather
than
later,
so
we
can
start
jeff.
What
would
it
take
to
get
that
wireframe
or
the
once
is
a
prototype?
Combine
it
with
your
existing
site.
F
Yes
see
how
much
integration,
oh,
so
you
actually
want
like
the
test
data
to
feed
into
that
dashboard
yeah.
I
don't
know
it
feels
like
a
couple
of
weeks
work
so
like
a
few
few
of
these
meetings
away.
A
Okay,
that's
fine
just
just
to
give
me
an
idea
of
the
ballpark
timelines,
yeah,
so
yeah
that
puts
us
in
the
beginning
of
september,
and
I
feel
like
by
mid-september.
We
should
be
when,
when
do
people
think
we
should
what's
what
date
should
we
try
to
run
initial
contributions
through
this?
Obviously
there's
still
another
audit
with
sigma
prime
for
the
coordination
bit
and
we'll
have
more,
it
seems
like
there's
still
some
work
to
like
package
that
and
figure
out
what
they
actually
need
to
see.
A
But
at
what
point
do
you
guys
think
we
would
actually
be
running
initial
contributions.
C
So
carl,
I
guess
for
to
run
initial
contributions.
The
only
thing
that
needs
to
be
fixed
is
sort
of
the
apis
and
the
formats
that
we're
using.
B
Yeah,
I
mean
that's,
that's
that's
pretty
much
been
my
argument
like
as
long
as
we
can.
We
can
standardize
all
of
those.
Then
then
that's
that's
fine,
like
even
if
there
are
some
slight
bugs
in
the
the
stuff
running
on
top
of
it.
As
long
as
the
we
can
keep
the
coordinator
up
and
running
through
all
that
it
should
be
fine.
C
Right
right,
so,
even
if
there's
bugs
inside
of
an
implementation,
we
can
just
ask
people
to
contribute
again,
for
example,
yeah
and
then
everything.
B
B
That's
sort
of
as
long
as
everything
that
that
comes
out
of
that
is
is
reasonably
sensible.
Then
I'm
happy
with
that
and
in
the
the
timelines
I've
posted
previously.
I've
talked
about
sort
of
a
closed
contribution,
which
is
where
I
think
like
we
can
have
contribution,
but
we're
not
just
like
throwing
this
up
on
twitter,
asking
anyone
to
contribute
it's
more
like
hey.
We
have
this
thing
running.
B
E
A
Okay,
that
makes
sense
to
me
anything
else.
I'm
missing.
A
C
Yeah,
maybe
I
think
we
missed
one
way
optimistic
contributions.
I
think
jeff
put
it
in
carl
mentioned
it
in
the
issue.
I
think
that
we
haven't
actually
finalized,
whether
we're
doing
it
that
way
or
not.
B
I'm
still
keen
on
this
and
I
defined
the
api
in
a
way
that
it's
compatible
with
us.
Those
are
the
sdk.
H
B
No,
no,
no!
This
idea
I
came
up
with,
but
the
basically
you
assume
that
the
coordinator
is
giving
you
an
honest
set
of
points
to
contribute
on,
and
you
only
verify
after
you've
contributed.
B
B
Right
so
the
the
the
the
issue
here
is
it's
a
it's
a
subgroup
check.
So
if
there
is
a
low
order
group
which
gets
mixed
in
with
the
points
the
coordinator
gives
you,
then
you
could
be
tricked
to
leaking
a
few
bits
of
your
security
which
they
can
remove
after
the
fact,
by
brute
forcing
all
the
the
possible.
B
B
C
Actually,
I
think
we
could
skip
it
if
the
contributor,
because
the
update
the
contributors
also
say
this
was
the
degree
one
element
of
the
srs
that
I
was
given.
So
after
the
fact,
if
you
check
that
none
of
those
have
a
low
do
low
order,
then
you
can
sort
of
skip
all
verification
checks
until
the
end.
C
C
You
have
to
post
the
the
towel
at
that
particular
point.
That's.
G
B
Yeah,
but
this
information
is
like
not
oh
yeah,
that
this
is
yeah,
so
this
is
my
the
the
the
I
call
this.
B
C
C
E
B
I
think
that
they
can
always
subtract
out
the
low
order
elements
that
they
gave.
People.
C
B
B
H
C
I
think
circum
does
avoid
them
by
just
checking
one
one
of
the
elements,
and
then
they
they
do
sort
of.
They
show
that
if
one
of
the
elements
is
not
low
order,
then
the
rest
of
them
aren't
lower
low
order.
Don't
have
any.
H
But
isn't
there
usually
like
you,
like
you,
exponentiate
by
the
cofactor
or
something.
E
H
E
E
H
H
H
H
Of
envisioning
clients-
that's
not
true;
no,
it
just
becomes
part
of
the
secret
like
it's,
including
your
commitment,
like
your
g
to
the
gtts.
That
will
also
like
you.
Your
secret
is
literally
defined
as
like
take
whatever
your
secret
generation
process
is
now
and
at
the
end,
append
a
step
where
you
multiply
it
by
the
cofactor.
H
B
Fine
yeah
intuitively.
I
agree
it
seems
okay,
but
I
want
to
run
this
past
some
people
first.
C
Yeah
I
mean,
I
guess.
H
You,
okay,
you
have
to
multiply
without
doing
modular
afterwards,
so
the
catch
is
okay.
Here
I
realize
what
the
catch
is,
because
if
you
do
modulo
the
subgroup,
then
it's
not
actually
like
inside
the
co-factor
group.
It
wouldn't
be
so
so.
Basically
your
secret
becomes
larger
than
256,
but
your
secret
is
now
381
bits.
H
C
Right,
I
guess
we
can
because
there's
like
three
ways
to
do
the
subject:
right
use
the
endomorph
of
them
just.
Do
it
the
naive
way
by
multiplying
it
by
the
the
curve
order
or
the
largest
prime
subgroup,
and
then
doing
it.
The
circumway,
which
is
just
checking
one
element,
the
circumway
would
be
the
cheapest,
but
I
guess
we
just
need
to
write
a
proof
that
it's
actually
okay
well,.
H
But
the
circle
no,
no,
but
that
only
works
if
you
are
actually
checking
the
transfer.
That's
the
correct
summary,
but
we
aren't
doing
that
either.
G
C
Yeah
the
pairings
check
with
is
always
there.
No,
you
don't
do
that.
E
B
You
you,
you
can
as
a
way
of
implementing
the
the
the
subgroup
check,
but
there's
this.
C
C
Okay,
that's
another
difference,
because
I.
C
E
B
H
H
H
B
H
Exactly
and
so
you
can
reduce
the
root
multi
exponentiation
because
you
can
do
it
using
local
randomness,
so
you
can
do
it
statistically.
So,
like
30
bits,
my
30
bits
might
be
enough,
but
I
mean
someone
needs
to
implement
multi
exponentiations.
I
don't
know.
If
or
do
we
have
already
do?
Do
we
have
that
ready
in
our
libraries?
H
H
H
It
would
be
quite
fast
overall,
like
I
mean,
theoretically,
if
you
do
a
30-bit
multi-x
over
16
000
elements
then
like
that
is,
I
don't
know
like
it
is
that
faster.
B
So
I
don't
know
how
that
works
under
the
hood,
but
it's
the
way
that
most
libraries
do
it
these
days,
something
the
zcash
people
came
up
with.
H
C
Okay,
let
me
recheck
the
roth
code,
because
if
we
was
doing
a
pairings
check,
that
would
mean
the
code
is
a
lot
faster
if
we
was
doing
the
replication.
B
Right,
my
other
thing
is
I'm
trying
to
not
make
a
requirement
that
people
have
to
implement
pairings
for
the
bls,
like
you
just
need
curve
ops
if
you're
writing
your
own
implementation.
H
Yeah,
I
think
that's
good
yeah.
To
be
fair,
though
we
could,
like
the
subgroup
checks,
we
could
make
them
optional
right.
I
mean
you
can
put
they're.
H
They're
already
optional
right
right
exactly
but
like.
Basically,
if
someone
wants
to
run
pi
ecc,
then
they
just
skip
the
subgroup
checks.
H
Does
the
that's
the
sequence?
Sorry
yeah,
that's
the
coordinator
sign
so
other
coordinate,
coordinator
messages
signed.
H
Right
because
that
would
also
be
a
way
to
avoid
the
subgroup
check.
If
the
coordinator
signs
all
messages
to
participants,
then
participants
could
later
prove
that
a
coordinator
has
sent
them
a
message
with
a
with
a
like
element:
that's
not
in
the
subgroup,
and
that
would
obviously
invalidate
the
whole
ceremony,
and
then
you
don't
really
need
to
do
subgroup
checks
immediately.
You
can
do
them
at
your
convenience
and
say
like
oh,
I
got
a
slash
that
coordinator.
D
B
B
H
Or
you
can
simply
use
ssl
like
simply
trust
that
the
browser
like
you,
you
do
everything
over
ssl,
you
certify
everything
I
mean.
H
Do
browsers
store
like
the
signatures
when
they
download
stuff
over
ssl,
or
is
there
some
way
to
get
this
via
javascript
or
something
like
to
get
the
actual
signature.
B
H
B
B
H
Right,
I
guess
I
guess
the
point
is
also
we
want.
We
want
to
be
able
to
claim
that
this
didn't
happen
and
then,
if
someone
said
hey
here
is
my
file
with
a
subgroup
with
the
subgroup
check
with
like
invalid
subgroup,
then
then
we
want
to
be
able
to
ask
them:
hey
yeah.
Can
you
prove
that
it
was
asked?
Can
you
prove
that
it
was
the
sequencer.
E
C
H
B
C
Okay,
so
I
guess
to
summarize
we're
gonna
do
optimistic
contributions
and
after
the
fact
the
user
can
choose
to
perform
a
group
chat
or
should
we.
C
C
We
just
can't
do
anything
about
that.
We
just
have
to
see
if
the
user's
trusted
and.
D
B
I
mean
this
is
also
compounded
by
the
fact
that,
to
my
knowledge,
we
don't
know
any
bloater
subgroups
for
for
bls.
C
G
B
B
I'm
saying
to
my
knowledge:
we
don't
know
any
low
order.
Bls
subgroups.
H
H
E
F
H
C
Right
so
I
guess
we'll
just
be
open,
opening
up
ourselves
to
the
possibility
of
a
trusted
person,
basically
saying
that
the
coordinator
is
malicious,
and
the
repercussions
of
that
is
that
basically,
all
of
the
contributions
that
were
taken
in
by
that
coordinator
could
also
would
need
to
be
thrown
away.
I
guess.
B
Like
assuming
you
you,
you
trust
this
person,
then
you
just
mark
say
it.
I
don't
know
a
third
or,
however
many.
That
coordinator
was
involved
in
points
as
as
as
being
being
used.
As
I
mean
you,
don't
actually
know
how
many
bits
of
security
were
leaked
because
it
depends
on
sort
of
what
the
the
subgroup
is
right,
but
even
if
you
assume
the
worst
case
and
that
that
adds
no
security,
you
should
still
have
lots
of
other
points,
but
I
mean,
if
people
are
worried
about
this,
we
can
add
a
signature.
It.
H
C
But
I'll
just
write
this
down,
because
I
think
this
could
be
some
way
for
someone
reputable
to
possibly
just
invalidate
coordinators
the
contributions
made
by
a
coordinator,
yeah,
but
you're
you're,
saying
that
the
way
that
we,
the
way
that
we
sort
of
mitigate
this
is
let's
say
downcredit,
is
a
coordinator
and
trend.
As
a
coordinator,
if
vitalik
says
thank
great's,
been
malicious,
then
I'll
just
disregard
the
stuff
that
the
code,
the
contributions,
might
be.
B
C
D
B
B
Yeah,
so
can
we
stick?
We
stick
with.
We
stick
with
optimistic
and
then
in
the
case
that
it
goes
wrong.
You
would
have
a
fraud
proof.
B
I'm
saying
I'm
running
through
an
idea
here:
yeah
by
adding
a
sort
of
what
are
you?
What
are
you
imposing
extra
work
wise
and
then
so
you,
you
opted
you
you
run
this
and
then
you
can
do
your
own
subgroup
check
and
you
can
do
it,
the
like
very
slow
multiplication
way
or
whatever.
If
you
wrote
your
own
library
and
then,
if
that
fails,
then
you
can
go
and
call
on
a
you.
You
can
implement
pairings
or
whatever
to
to
verify
that
bls
signature
or
something
I
don't
know.
C
D
B
B
E
C
Yeah,
I
guess
it's
getting
a
lot
more
complex
in
practice
than
we
wanted
it
to
be.
B
B
C
But
I
think
in
past
ceremonies
they
did
different
types
of
like
signature
schemes,
which
is
a
bit
complicated.
I
saw
something
gpg
and
stuff
like
this.
C
Yes,
I
think
that's
about
it,
yeah,
sorry
for
the
sort
of
long.
I
think
trent
was
talking
about
next
steps.
Was
it
35.
G
A
We
diverged
quite
a
bit
from
that
closing
closing
comments,
but
that's
okay,
yeah,
I
mean
yeah,
I'm
more
than
happy
to
stick
around
to
hear
discussion,
but
it
does
remind
me
that
we
should
try
to
have
the
these
more
discussions
in
the
in
the
public
channels
which
I'm
assuming
some
of
this
is
happening
in
private,
but
just
so
there's
context
for
anybody
who's
catching
up
in
the
future
or
just
context
for
design
decisions.
Obviously
we
have
this
recording,
but
ideally
it'd
be
happening
in
the
public
channel.
A
We
don't
have
to
get
into
it
now,
but
I'm
just
remembering
that
there
was
this
discussion
around
like
bonding
eth
or
something
is
this
just
a
concept
or
something
that
people
are
interested
in?
Considering
for
this
project.
C
C
If
somebody
has
basically
obtained
tau,
then
they
can
withdraw
the
if,
from
whatever
the
contract
that
the
bonded
leaf
is
in,
I
think
they
rephrased
it
to
be
something
like
a
bug
bounty.
In
that
context,
I
think
it.
It
sounds
good
like
if
you
found
something
wrong
with
the
trusted
ceremony.
C
After
the
fact,
I
think
it'd
be
reasonable
to
sort
of
pay
you
something
if
this
could
lead
to
the
the
towel
being
exposed
in
some
meaningful
way.
I'm
still
not
quite
on
board.
With
the
bonded
eve
situation,
I
think
it
introduces
a
bit
more
complexity
than
we'd
need,
but
the
bug
bounty
seems
reasonable.
C
Got
it
yeah
yeah
it'd
not
be
directly
related
to
sort
of
the
trusted
ceremony.
H
C
Yeah
sure,
if
it's
not
related
to
the
trusted
ceremony
in
any
way,
and
we
don't
sort
of
need
to
do
anything,
then
I
think
it's
fine.
If.
H
We
can
just
we
can.
We
can
just
have
it
out
there
as
a
suggestion.
Someone
might
do
it
and-
and
you
can
easily
just
anyone-
can
just
put
ether
into
that
contract.
Yeah.
Okay,
like
it
seems
super
simple.
B
H
G
H
Sure
you
mean,
rather
than
putting
it
into
a
contract
yeah,
I
don't
know,
I
mean
people
seem
to
have
really
enjoyed
the
little
bounties
that
we
put
on
our
cryptography
problems.
So
I'm
not
sure,
like
I.
I've
always
had
good.
B
E
B
H
A
Okay,
so
we
can.
We
don't
have
to
plan
to
include
that
in
this
ceremony,
but
somebody
could
do
it
if
they
wanted.
H
C
H
Sorry
like
before,
before
that
happens,
basically
it
could
be
interesting
to
have
that
out
there
but
yeah.
I,
I
guess.
H
On
the
other
hand,
there
might
still
be
several
months
until
it
is
seriously
used,
like
the
actual
money
you
could
get
out
of
it
in
the
first
few
months
might
be
very,
very
low.
A
All
right
now
we're
definitely
divergent
okay
before
adoption,
okay,
so
yeah,
we
should
probably
wrap
up
the
call
now.
Is
there
anything
any
final
comments?
I
think
everybody
is
aware
what
what
is
going
on
and
what
they
need
to
do.
Yeah
anything
else
before
we
conclude.
A
Okay,
thank
you,
everybody
for
showing
up
and
having
discussions
excited
to
get
this
into
the
audit.
Finally,
and
probably
a
couple
weeks
after
that,
we'll
start
to
see
the
first
interface
some
of
the
wireframes
and
stuff
so
yeah,
exciting
progress
and
yeah.
Like
I
said,
let's
try
to
put
more
discussion
in
the
public
channels
if
we
can
all
right
thanks.
Everyone.