Sacred Ceremony

Say hello to an immutable way to earn privately on public chains. A Trusted Setup Ceremony is an important step for any ZK-SNARK application which ensures that no one can fake proofs, steal user funds, and compromise the privacy of Sacred users.

In the previous section, it was discussed that users generate claims which involve proof of knowledge of a leaf and path in the tree that leads to a particular node stored in the contract, without revealing the leaf nor the path taken. The type of proof involved here is, as mentioned, a zk-SNArK. That is, it is a succinct, non-interactive argument of knowledge (it is a way of demonstrating that you have a particular piece of knowledge that obeys certain constraints; in this case, you know a leaf and path to get to a particular node in a Merkle tree) that you reveal without revealing any knowledge besides the fact of the truth of the statement (the “ZK-” prefix, meaning “zero knowledge”). Proving the knowledge involves the prover to know a polynomial, which, when applied to a value P (the polynomial has terms aP + bP^2 + cP^3 +...) produces a particular value. However, a precaution must be taken to prevent an attacker from generating just any polynomial that works for this value of P: the actual value of P is unknown to anyone!

Instead, all parties work with the homomorphic hashes of P, P^2, P^3 etc. There are also some additional values that need to be generated, their homomorphic hashes taken and released, and then the values themselves destroyed forever. The sets of public values needed for users to generate proofs, and for the smart contract to verify the proofs, are respectively referred to as a “proving key” and “verifying key”; these values are computed from the aforementioned homomorphic hashes and some additional values to be used specifically for these particular problems and, after generation, are hard-coded into the Sacred smart contracts.

It must be understood that there is great danger in somebody having access to the original P (or other) values, which are appropriately dubbed “toxic waste” and must be destroyed after the generation of the resulting values to be released to the public. This is the reason for a “trusted setup ceremony”; multiple parties each generate a piece of the “toxic waste” each, and then each destroys it on their own. Therefore, to compromise the trusted setup ceremony, all participants in the ceremony must be compromised.