Trusted Setup Ceremony

RAILGUN’s zk-SNARK circuits are proved using the Groth16 proof system, a pairing-based zk-SNARK design. Groth16 is the most widely used zk-SNARK (with Zcash notably using it for the first shielded transaction protocol) as it allows for efficient verifier performance and short proof strings, requiring less computation time and power. A consequence of using Groth16 is that it requires the generation of randomization for each circuit in what is called a ‘ceremony’.​
zk-SNARKs rely on a common reference string (CRS), a public parameter that is used in proving and verifying and must be generated in advance by a trusted party. This is because zk-SNARK proving systems require the prover and verifier to have access to some public common knowledge (in this case the CRS) which was pre-generated by a shared algorithm.
Ceremonies are how this CRS is generated by having multiple, independent, and decentralized participants contributing random numbers. This setup ceremony type involving multiple parties is known as multi-party computation (MPC) and it prevents any single party involved in the ceremony from gaining knowledge of the underlying mathematic structure of the CRS. The CRS (derived from individual submissions) is a set of encrypted values where at least one of the original un-encrypted values (Toxic Waste) needs to be destroyed to ensure that no actor is able to generate fake proofs to maintain system security.
The setup ceremony type used in RAILGUN’s circuits was the Perpetual Powers of Tau. It is perpetual in the sense that there are no limits to the number of participants and is what enables the security derived from only requiring 1 participant to destroy the CRS. The Perpetual Powers of Tau are points along the elliptic curve outputted from the ceremony and are used for private and public key derivation.
This trusted setup is a requirement of Groth16 and allows for secure encryption as long as the ceremony is performed correctly. One trusted setup ceremony is sufficient to secure the proving mechanisms, however, new ceremonies are required each time circuits are upgraded for performance or when new features are added.
As RAILGUN has optimized Groth16 zk-SNARK design for verification, the on-chain gas costs are low, given the level of computation and encryption that is available in the RAILGUN privacy system. This is a more secure privacy system design than relying on an L2 for consensus. However, as above, new upgrades and circuit designs require new trusted setup ceremonies.
The transcript of the RAILGUN setup ceremony is here, and the contributors to the ceremony can be found here.