Implementation of compute tool for participants, along with README changes and a version bump.

Cargo.lock

@@ -1,6 +1,6 @@
 [root]
 name = "powersoftau"
-version = "0.1.0"
+version = "0.1.1"
 dependencies = [
  "blake2 0.6.1 (registry+https://github.com/rust-lang/crates.io-index)",
  "byteorder 1.1.0 (registry+https://github.com/rust-lang/crates.io-index)",

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "powersoftau"
-version = "0.1.0"
+version = "0.1.1"
 authors = ["Sean Bowe"]
 license = "MIT/Apache-2.0"
 

README.md

@@ -4,7 +4,31 @@ This is a [multi-party computation](https://en.wikipedia.org/wiki/Secure_multi-p
 
 This protocol is described in a [forthcoming paper](https://eprint.iacr.org/2017/1050). It produces parameters for an adaptation of [Jens Groth's 2016 pairing-based proving system](https://eprint.iacr.org/2016/260) using the [BLS12-381](https://github.com/ebfull/pairing/tree/master/src/bls12_381) elliptic curve construction. The security proof relies on a randomness beacon being applied at the end of the ceremony.
 
-**This is a work in progress.**
+## Instructions
+
+If you've been asked to participate, you were sent a `challenge` file. Put that in the current directory and use your Rust toolchain execute the computation:
+
+```
+cargo run --release --bin compute
+```
+
+The process could take an hour or so. When it's finished, it will place a `response` file in the current directory. That's what you send back. It will also print a hash of the `response` file it produced. You need to write this hash down (or post it publicly) so that you and others can confirm that your contribution exists in the final transcript of the ceremony.
+
+## Recommendations
+
+Participants of the ceremony sample some randomness, perform a computation, and then destroy the randomness. **Only one participant needs to do this successfully to ensure the final parameters are secure.** In order to see that this randomness is truly destroyed, participants may take various kinds of precautions:
+
+* putting the machine in a Faraday cage
+* destroying the machine afterwards
+* running the software on secure hardware
+* not connecting the hardware to any networks
+* using multiple machines and randomly picking the result of one of them to use
+* using different code than what we have provided
+* using a secure operating system
+* using an operating system that nobody would expect you to use (Rust can compile to Mac OS X and Windows)
+* lots of other ideas we can't think of
+
+It is totally up to the participants. In general, participations should beware of side-channel attacks and assume that remnants of the randomness will be in RAM after the computation has finished.
 
 ## License
 

src/bin/compute.rs

@@ -0,0 +1,128 @@
+extern crate powersoftau;
+extern crate rand;
+extern crate blake2;
+extern crate byteorder;
+
+use powersoftau::*;
+
+use std::fs::OpenOptions;
+use std::io::{self, Read, BufReader, Write, BufWriter};
+
+fn main() {
+    // Create an RNG based on a mixture of system randomness and user provided randomness
+    let mut rng = {
+        use byteorder::{ReadBytesExt, BigEndian};
+        use blake2::{Blake2b, Digest};
+        use rand::{SeedableRng, Rng, OsRng};
+        use rand::chacha::ChaChaRng;
+
+        let h = {
+            let mut system_rng = OsRng::new().unwrap();
+            let mut h = Blake2b::default();
+
+            // Gather 1024 bytes of entropy from the system
+            for _ in 0..1024 {
+                let r: u8 = system_rng.gen();
+                h.input(&[r]);
+            }
+
+            // Ask the user to provide some information for additional entropy
+            let mut user_input = String::new();
+            println!("Type some random text and press [ENTER] to provide additional entropy...");
+            io::stdin().read_line(&mut user_input).expect("expected to read some random text from the user");
+
+            // Hash it all up to make a seed
+            h.input(&user_input.as_bytes());
+            h.result()
+        };
+
+        let mut digest = &h[..];
+
+        // Interpret the first 32 bytes of the digest as 8 32-bit words
+        let mut seed = [0u32; 8];
+        for i in 0..8 {
+            seed[i] = digest.read_u32::<BigEndian>().expect("digest is large enough for this to work");
+        }
+
+        ChaChaRng::from_seed(&seed)
+    };
+
+    // Try to load `./challenge` from disk.
+    let reader = OpenOptions::new()
+                            .read(true)
+                            .open("challenge").expect("unable open `./challenge` in this directory");
+
+    {
+        let metadata = reader.metadata().expect("unable to get filesystem metadata for `./challenge`");
+        if metadata.len() != (ACCUMULATOR_BYTE_SIZE as u64) {
+            panic!("The size of `./challenge` should be {}, but it's {}, so something isn't right.", ACCUMULATOR_BYTE_SIZE, metadata.len());
+        }
+    }
+
+    let reader = BufReader::new(reader);
+    let mut reader = HashReader::new(reader);
+
+    // Create `./response` in this directory
+    let writer = OpenOptions::new()
+                            .read(false)
+                            .write(true)
+                            .create_new(true)
+                            .open("response").expect("unable to create `./response` in this directory");
+
+    let writer = BufWriter::new(writer);
+    let mut writer = HashWriter::new(writer);
+    
+    println!("Reading `./challenge` into memory...");
+
+    // Read the BLAKE2b hash of the previous contribution
+    {
+        // We don't need to do anything with it, but it's important for
+        // the hash chain.
+        let mut tmp = [0; 64];
+        reader.read_exact(&mut tmp).expect("unable to read BLAKE2b hash of previous contribution");
+    }
+
+    // Load the current accumulator into memory
+    let mut current_accumulator = Accumulator::deserialize(&mut reader, UseCompression::No, CheckForCorrectness::No).expect("unable to read uncompressed accumulator");
+    
+    // Get the hash of the current accumulator
+    let current_accumulator_hash = reader.into_hash();
+
+    // Construct our keypair using the RNG we created above
+    let (pubkey, privkey) = keypair(&mut rng, current_accumulator_hash.as_ref());
+
+    // Perform the transformation
+    println!("Computing, this could take a while...");
+    current_accumulator.transform(&privkey);
+    println!("Writing your contribution to `./response`...");
+
+    // Write the hash of the input accumulator
+    writer.write_all(&current_accumulator_hash.as_ref()).expect("unable to write BLAKE2b hash of input accumulator");
+
+    // Write the transformed accumulator (in compressed form, to save upload bandwidth for disadvantaged
+    // players.)
+    current_accumulator.serialize(&mut writer, UseCompression::Yes).expect("unable to write transformed accumulator");
+
+    // Write the public key
+    pubkey.serialize(&mut writer).expect("unable to write public key");
+
+    // Get the hash of the contribution, so the user can compare later
+    let contribution_hash = writer.into_hash();
+
+    print!("Done!\n\n\
+              Your contribution has been written to `./response`\n\n\
+              The BLAKE2b hash of `./response` is:\n");
+
+    for line in contribution_hash.as_slice().chunks(16) {
+        print!("\t");
+        for section in line.chunks(4) {
+            for b in section {
+                print!("{:02x}", b);
+            }
+            print!(" ");
+        }
+        println!("");
+    }
+
+    println!("\n");
+}