Why do we need a setup ceremony?
Zero-knowledge proofs have become increasingly popular as decentralized ecosystems continue to thrive. There are plenty of whitepapers and blog posts on zk proofs and what they’re used for. At a high level, you can prove something to someone without revealing the details, and they can verify it independently. For example, I can create a “zk proof” showing I have more than $10,000 in my bank account and send this proof to my prospective landlord. My landlord can verify this is true — without ever seeing my account balance.
But before we can create certain types of zk proofs, we have to do some preparation¹. This prep work is called a Trusted Setup Ceremony and requires a group of people coming together to create some parameters for proving and verifying things. This Trusted Setup Ceremony is actually very important — failure to perform it correctly may allow false proofs to be generated; for example, I could create a proof showing I have at least $10,000 in my bank account when my bank account is empty. Let’s walk through the setup ceremony and identify some points of failure that would allow this to happen.
Now, instead of throwing around words like “common reference string” we will do this…MIXOLOGY style. In the real world, the goal of a trusted setup ceremony is to create a common reference string such that no single party has complete knowledge of the underlying secret information. In our world, the goal is to create a cocktail such that no single party has complete knowledge of the underlying secret ingredients.
Let’s go ahead and create a cocktail that cannot be recreated: the World’s Most Interesting Cocktail (WMIC).
The World’s Most Interesting Cocktail
The goal of our Trusted Setup Ceremony is simple: we want to create the World’s Most Interesting Cocktail — a cocktail that no one can recreate! If I just volunteer to make this cocktail by myself, no one would believe this to be the WMIC. Surely, if I made it once, I could easily write down the ingredients and make it again. What if I made the cocktail with my two best friends? Each of us could agree to keep an ingredient secret from one another and never disclose what it was or how much of it was used. Similar problem: since we’re best friends, other people wouldn’t trust us not to lie and reveal what ingredients we used to each other. This brings us to our first point of failure — there must be >1 independent parties involved in the Trusted Setup Ceremony. Otherwise, we can collude to recreate the cocktail, and it will not be the WMIC.
Understood. So we’ll put together a long list of people, and not everyone is aligned with or best friends with one another. Everyone is instructed to bring some random amount of a cocktail ingredient to my party. And because I want to make it difficult for people to guess the exact amount of an ingredient someone else brought, I have them bring randomized quantities rounded to 20 decimal places. So, you wouldn’t be bringing 2 oz of whiskey; you’d be bringing 2.37593475674385475704 ounces. This brings us to our second point of failure — the ingredient quantities must not be predictable or guessable. If we can predict the ingredients, we can recreate the cocktail, and it will not be the WMIC.
Since the ingredient quantities are too specific to memorize, everyone must write down their ingredient and quantity on paper to know what to buy and how much to bring to my party. Presumably, everyone involved wants to help create the WMIC, so they’ll probably shred their piece of paper after measuring the precise quantity of their ingredient. But what if they don’t? In fact, what if multiple people collude and all decide to retain knowledge of their exact ingredients to the decimal? This is troublesome, but all ingredients are required to create the WMIC — knowing most ingredients won’t cut it. This brings us to our final point of failure² — at least one participant must shred the paper containing their secret ingredient and how much was used. If all the pieces of paper remain intact, someone can obtain them and recreate the cocktail, and it will not be the WMIC.
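Stepping out of the bar for a moment, here is the same ceremony as a small Python sketch. It is an added example, not code from the original post: each "secret ingredient" becomes a random scalar mixed into a shared list of group elements standing in for the common reference string. The modulus, base, degree and all function names are assumptions chosen for illustration; real ceremonies use pairing-friendly elliptic-curve groups, and this toy group is not secure.

```python
import secrets

# Toy parameters (assumptions for illustration, NOT secure): real ceremonies
# use pairing-friendly elliptic-curve groups, not integers mod a Mersenne prime.
P = 2**127 - 1      # prime modulus
ORDER = P - 1       # exponents are reduced mod P-1 (Fermat's little theorem)
G = 3               # base element
DEGREE = 4          # the CRS holds g^(tau^0) .. g^(tau^DEGREE)

def initial_crs():
    """Starting point before anyone contributes: tau = 1."""
    return [G] * (DEGREE + 1)

def contribute(crs, secret):
    """Mix one participant's secret in: element k becomes g^((tau*secret)^k)."""
    return [pow(elem, pow(secret, k, ORDER), P) for k, elem in enumerate(crs)]

def crs_from_tau(tau):
    """What anyone holding the complete trapdoor tau can compute alone."""
    return [pow(G, pow(tau, k, ORDER), P) for k in range(DEGREE + 1)]

def combine(secret_list):
    """Multiply retained secrets together (the unshredded pieces of paper)."""
    tau = 1
    for s in secret_list:
        tau = (tau * s) % ORDER
    return tau

def run_ceremony(n_participants):
    """Each participant draws an unpredictable secret and updates the CRS."""
    crs, used = initial_crs(), []
    for _ in range(n_participants):
        s = secrets.randbelow(ORDER - 2) + 2   # CSPRNG draw, never 0 or 1
        crs = contribute(crs, s)
        used.append(s)
    return crs, used

if __name__ == "__main__":
    crs, used = run_ceremony(5)
    # Nobody shredded: colluders pool every secret and rebuild the CRS exactly.
    print("all secrets kept  ->", crs_from_tau(combine(used)) == crs)
    # One participant shredded theirs: the pooled product no longer matches.
    print("one secret erased ->", crs_from_tau(combine(used[1:])) == crs)
```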
Conclusion
Tying this back together, performing a Trusted Setup Ceremony is vital to ensure the security and correctness of zero-knowledge proof systems. Participants in the ceremony work together to create a unique cocktail (common reference string) that everyone can sip publicly — but no one can recreate.
¹ zk-SNARKs are a common type of zero-knowledge proof system that typically requires a Trusted Setup Ceremony; not all ZKP systems require one.
² This is not an exhaustive list of ways zero-knowledge proof systems can fail.