The L2BEAT research team would like to propose a framework for evaluating trusted setups of zero-knowledge proving systems used in L2-related applications. The general goal of the framework is to expose the implicit trust assumptions of various trusted setups and to initiate a public discussion on reasonable standards. This is part of our effort to rework the ZK Catalog section of the website and make it more comprehensive and helpful. At this stage, we invite broad community feedback to refine and enhance our framework.
Context
SNARK proving systems are currently ubiquitous across a broad range of applications in the blockchain industry. Various zk rollups, bridges and applications derive their security and trust properties from such systems. The upcoming version of the L2BEAT ZK Catalog page aims to shed light on the properties of various provers, and this includes a careful look at the trusted setups used to generate the common reference strings of SNARKs.
In practice, almost every proving system currently deployed on Ethereum uses a trusted setup. Even STARK-based provers like SP1, Risc0 or Boojum implement a final wrap in a SNARK for efficient onchain verification (Starkware’s Stone is a notable exception here), so the analysis of trusted setups is highly relevant for almost any zk project.
Theoretical background
A trusted setup of a proving system is an algorithm that produces a common reference string (CRS), i.e. a public piece of data that is used both for generating and verifying a proof, and “toxic waste”, i.e. a secret piece of data that could be used to forge arbitrary proofs if not deleted. In practice, trusted setup ceremonies are performed using multi-party computation (MPC), so the “toxic waste” is split among several computers running the algorithm. In this case proof forging is possible only if all ceremony participants collude, effectively giving a 1-out-of-n trust assumption.
Different proving systems have different requirements for trusted setups. SNARKs that are based on the KZG polynomial commitment scheme need only a universal trusted setup that can be run once for a chosen maximal polynomial degree and reused by all proving systems that use KZG for polynomials up to that degree. Groth16 proving systems require a circuit-specific trusted setup on top of a universal trusted setup, meaning the ceremony has to be run separately for each circuit and each version of a particular circuit. Finally, STARKs require no trusted setup. A trusted setup is tied to the elliptic curve group used in proof verification, so proving systems operating on different groups require different trusted setups.
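The 1-out-of-n property of a sequential MPC ceremony can be seen in a toy model. The following is an added example, not code from L2BEAT or from any ceremony client: it uses a tiny multiplicative group instead of an elliptic curve, and the parameters and function names are constructed for illustration only.

```python
import secrets

# Toy parameters (constructed, far too small to be secure):
# P = 2Q + 1 is a safe prime and G generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4
DEGREE = 4  # the CRS holds G^(tau^0) .. G^(tau^DEGREE)

def initial_crs():
    """Starting CRS for tau = 1: every element is G itself."""
    return [G] * (DEGREE + 1)

def contribute(crs, secret):
    """One participant's update: raise the i-th element to secret^i.
    If crs encodes tau, the result encodes tau * secret."""
    return [pow(elem, pow(secret, i, Q), P) for i, elem in enumerate(crs)]

def crs_for(tau):
    """CRS computed directly by someone who knows tau (the toxic waste)."""
    return [pow(G, pow(tau, i, Q), P) for i in range(DEGREE + 1)]

def run_ceremony(secret_list):
    """Apply contributions in order and keep every intermediate CRS,
    i.e. the transcript a ceremony would publish."""
    transcript = [initial_crs()]
    for s in secret_list:
        transcript.append(contribute(transcript[-1], s))
    return transcript

def combined_tau(secret_list):
    """Product of the given secrets modulo the group order."""
    tau = 1
    for s in secret_list:
        tau = tau * s % Q
    return tau

def demo(n=5):
    parts = [secrets.randbelow(Q - 2) + 2 for _ in range(n)]  # each in [2, Q-1]
    final = run_ceremony(parts)[-1]
    # All participants pool their secrets: they can rebuild the final CRS.
    all_collude = crs_for(combined_tau(parts)) == final
    # The first participant deleted their secret: the product of the
    # remaining secrets does not match the tau behind the final CRS.
    one_honest = crs_for(combined_tau(parts[1:])) == final
    return all_collude, one_honest

if __name__ == "__main__":
    print(demo())
```

In this toy group the missing secret could be brute-forced; in a real ceremony recovering it requires solving a discrete logarithm in the curve group.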
Proposal
A comparative analysis of existing trusted setups led us to propose the following 3-tier evaluation.
Lowest tier: at least one condition for yellow is not satisfied.
Yellow: all of the following apply:
- All individual contributions to the trusted setup ceremony are published and the final output can be verified. If this does not hold, the number of participants cannot be confirmed and the source of the CRS is not transparent.
- Ceremony client code is open-source and available. Ceremony client is responsible for producing the secret “toxic waste” parameters. It should be possible to verify that this data is managed correctly, e.g. is not transmitted to a server of a malicious entity.
- At least 30 contributions to the ceremony. While the trusted setup operates on a 1-out-of-n trust assumption, we think it is not secure enough for small n, and decided to settle on this (somewhat arbitrary) value. We’re particularly open to discussion on this.
- Ceremony participation was accessible to the general public, public announcements were posted. If this does not hold, it is impossible to verify whether independent actors had a chance to join the ceremony.
- Public identifiers of ceremony participants are published (e.g. Ethereum address, GitHub or Twitter / X username, email). If such identifiers are unavailable, it is impossible to detect whether the ceremony organizers generated all the contributions themselves.
Highest tier: all conditions for yellow apply, plus all of the following:
- At least 150 contributions to the ceremony.
If a system recursively uses several proving systems with different trusted setups, the total evaluation is the minimum of all evaluations in the recursion scheme.
Reasoning
- Universal vs. circuit-specific trusted setup. The proposed evaluation makes no distinction between universal (like KZG) and circuit-specific trusted setups (like Groth16). The main challenge of circuit-specific setups is repeating a high-quality ceremony every time a circuit is updated; however, once this is done there is no theoretical disadvantage.
- Importance of ceremony metadata. The proposal requires the public accessibility of individual contributions, identifiers of the participants and announcements. In our opinion this is essential for independent verification of trusted setups, since it provides the possibility of checking someone’s participation in a ceremony.
- Chosen cutoff parameters. The choice of the number of participants / entities required for the yellow tier or the tier above it is arbitrary to a degree. We pick the numbers based on the existing trusted setups and a general feeling of the order of these numbers.
Appendix: evaluation of chosen trusted setups
Here we present some trusted setups currently used in production and their corresponding evaluations according to the framework above.
Aztec Ignition 
Aztec Ignition is a big trusted ceremony with open calls to participate and all artifacts accessible and verifiable.
- 176 participants
- Verification repo: GitHub - AztecProtocol/ignition-verification: Repository to verify contributions to the AZTEC Ignition ceremony
- Blogpost with a call to participate: Announcing Ignition | Aztec Blog
Risc0 Groth16 
Risc0 Groth16 is a circuit-specific ceremony with many participants and a publicly available transcript and participation / verification instructions.
- 238 participants
- Link to the verification: Trusted Setup Security | RISC Zero Developer Docs
- Post with a call to community to participate: https://x.com/RiscZero/status/1781110200923275769
Polygon zkEVM 
The Polygon zkEVM trusted ceremony uses a subset of the Perpetual Powers of Tau contributions; it has an open call to participate and all artifacts are available. It uses 55 contributions, which is not enough for the tier above yellow.
- 55 participants
- Verification repo: GitHub - iden3/snarkjs: zkSNARK implementation in JavaScript & WASM
- Public announcement: Announcing the Perpetual Powers of Tau Ceremony to benefit all zk-SNARK projects | by Koh Wei Jie | Coinmonks | Medium
SP1 Groth16 
The currently available SP1 Groth16 circuit-specific ceremony was run privately and includes too few contributions.
- 7 participants, 5 from Succinct
- More info here: Security Model | Succinct Docs
Celo Plumo 
While the ceremony client code for the Celo Plumo trusted setup is available, the ceremony transcript is not publicly available and thus cannot be verified.
- 55 participants
- Link to the ceremony details: https://celo.org/plumo (the link is broken; archived version: Plumo Ceremony)