Pre-migration documentation. This site reflects the pre-migration state of the protocol. It’s mostly current, but a few edges may not match ZERA at launch. We’re finalizing the new, detailed ZERA docs now. Thanks for your patience.
Perpetual Genesis Ceremony
Making the Genesis Ceremony Perpetual
How anyone can join at any future time while every later state remains a hard‑to‑predict, algebraically compatible descendant of the very first seed.
This mechanism replaces the one‑shot ceremony with an unending randomness beacon that allows continuous participation while maintaining cryptographic security.
1. Replace the One‑Shot Ceremony with an Unending Randomness Beacon
1.1 Global Epoch Counter
Time is divided into fixed‑length epochs T₁, T₂, ... Every wallet knows the current epoch index i from the ledger header.
1.2 Base Randomness per Epoch
A public randomness beacon (e.g., the threshold‑BLS drand network) publishes an unpredictable scalar:
βᵢ = Hash(drand sigᵢ) mod q
1.3 User Contributions are Homomorphically Merged
Anyone may inject additional entropy during the contribution window of epoch Tᵢ:
- Each contributor picks a private scalar r and broadcasts the Pedersen commitment C = gʳhᵘ together with a Schnorr proof of knowledge of (r, u).
- After the window closes, contributors open their commitments.
- All revealed scalars are added modulo q: ρᵢ = ∑r (mod q).
1.4 Epoch Seed and New Curve Bases
The seed for the next epoch is:
Sᵢ₊₁ = Hash(Sᵢ || βᵢ || ρᵢ)
Two fresh base points are deterministically derived via hash‑to‑curve:
Gᵢ₊₁ = H2C("G" || Sᵢ₊₁), Hᵢ₊₁ = H2C("H" || Sᵢ₊₁)
1.5 Ledger Checkpoint
The tuple (i+1, Gᵢ₊₁, Hᵢ₊₁) and the list of commitment openings are written into the next consensus block, forming a permanent, auditable transcript.
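An auditor's replay of steps 1.3 to 1.5 for a single epoch, as an added example that is not the protocol's own code: it checks every opening against its Pedersen commitment, sums the revealed scalars mod q, and derives Sᵢ₊₁. The toy group, SHA-256 as Hash, the 32-byte encoding, the rejection of unopened commitments and all sample values are assumptions; the Schnorr proofs and the hash-to-curve step are left out.

```python
import hashlib

# Toy group, an assumption for readability only: p = 2q + 1 with g, h in the
# order-q subgroup. It is far too small to be binding; the page's parameter
# table points to Ristretto255.
P, Q, G, H = 2039, 1019, 4, 9

def commit(r: int, u: int) -> int:
    """Pedersen commitment C = g^r * h^u mod p (section 1.3)."""
    return pow(G, r % Q, P) * pow(H, u % Q, P) % P

def enc(x: int) -> bytes:
    """Fixed-width encoding (assumed) so the || concatenation is unambiguous."""
    return x.to_bytes(32, "big")

def close_epoch(seed: bytes, drand_sig: bytes, commitments: dict, openings: dict):
    """Replay one epoch from public transcript data; return (rho_i, S_{i+1}).

    commitments: contributor id -> C posted inside the contribution window
    openings:    contributor id -> (r, u) revealed after the window closes
    """
    if set(openings) != set(commitments):
        # Assumed policy: the page does not say how withheld openings are handled.
        raise ValueError("openings and commitments do not cover the same contributors")
    rho = 0
    for who in sorted(commitments):
        r, u = openings[who]
        if commit(r, u) != commitments[who]:
            raise ValueError(f"{who}: opening does not match commitment")
        rho = (rho + r) % Q                      # rho_i = sum of r (mod q)
    # beta_i = Hash(drand sig_i) mod q; SHA-256 is an assumed choice of Hash.
    beta = int.from_bytes(hashlib.sha256(drand_sig).digest(), "big") % Q
    next_seed = hashlib.sha256(seed + enc(beta) + enc(rho)).digest()
    return rho, next_seed

if __name__ == "__main__":
    # Constructed sample transcript: two contributors, placeholder beacon bytes.
    posted = {"alice": commit(123, 77), "bob": commit(900, 5)}
    opened = {"alice": (123, 77), "bob": (900, 5)}
    s0 = hashlib.sha256(b"constructed genesis seed").digest()
    rho, s1 = close_epoch(s0, b"constructed drand signature", posted, opened)
    print("rho =", rho, "S1 =", s1.hex())
    opened["bob"] = (901, 5)                     # opening altered after the fact
    try:
        close_epoch(s0, b"constructed drand signature", posted, opened)
    except ValueError as err:
        print("rejected:", err)
```

Because the function uses only data written to the ledger checkpoint, any wallet can rerun it and compare the resulting seed with the recorded one.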
5. Security Summary
Even with continuous joining, the seed chain S₀ → S₁ → ... is forward‑secure; compromising today's users does not help predict tomorrow's seed.
All wallets can verify every step with public data — no hidden group secret ever exists.
Because the update rule is algebraically simple (addition mod q) and commitments are linked via zero‑knowledge proofs, proofs built for epoch i remain valid after migration to epoch i+1.
6. Why This Defeats Perfect Rollback Attacks
- Extract private keys from secure elements using $1M+ lab equipment
- Perfectly rollback a device to a previous state
- Replay transactions to double‑spend funds
- Escape detection through perfect timing
- Cost per successful rollback: $171M (equipment + expertise + time)
- Success rate: < 0.7% per attempt
- Scaling limitation: Each device requires individual lab work
- Detection window: 24–72 hours maximum
4. Practical Parameters
Parameter | Typical Value | Rationale |
---|---|---|
Epoch length | 10 min (ledger block cadence) | Gives users time to post openings |
Contribution size | 32 bytes | One scalar mod q |
Commitment window | First 60% of the epoch | Allows reveal phase before block seal |
Hash‑to‑curve | IETF draft "hash‑to‑curve" for Ristretto255 | Safe, deterministic point generation |
Proof system | Schnorr + Merlin transcript | No trusted setup, linear‑time prover |
3. How Existing Commitments Stay Valid
All value commitments are epoch‑tagged:
Cᵢ(m, r) = Gᵢ^m · Hᵢ^r ∈ G
When the network rolls from Tᵢ to Tᵢ₊₁:
- Each owner re‑commits the same amount under the new bases with fresh blinding r': Cᵢ₊₁(m, r').
- They publish a link proof (a single Schnorr argument) showing that the discrete-logarithm relationship between the two commitments holds, i.e. that Cᵢ and Cᵢ₊₁ commit to the same amount m. The proof is ~96 bytes and verifies in one exponentiation.
Because the ledger demands a valid link proof for every unspent note at epoch rollover, earlier commitments remain enforceably connected to the evolving base points while their underlying values stay hidden.
2. Why Later Epochs Stay Unpredictable and Sound
Property | Argument | Citations |
---|---|---|
Unpredictability | At least one of the following holds: (a) the drand beacon value βᵢ is unknown until it is signed, or (b) some contributor keeps r secret until the reveal. Therefore βᵢ+ρᵢ is computationally unpredictable before Tᵢ closes. | [1], [2] |
Bias Resistance | Pedersen commitments are perfectly hiding and computationally binding, so a dishonest user cannot change r after seeing others' values. | [4], [3] |
Algebraic Compatibility | Because the seed update is additive in ℤq and the new bases are obtained by a deterministic hash‑to‑curve, every epoch's (G, H) pair is a verifiable descendant of the original S₀. No wallet ever needs secret history to validate later points. | [3] |
Late Joiner Bootstrap | A wallet that appears in epoch Tₖ reads the block header, fetches (Gₖ, Hₖ) and the entire beacon chain hash, and is immediately in sync — no private ceremony archive required. | |