What is trusted setup?

By July 3, 2019 No Comments

In cryptography, a trusted setup is used to create a cryptographic system by generating certain initial parameters which will later be destroyed. An easy analogy is to imagine creating a lockbox with a key and then throwing the key away.

Why it is called trusted setup is that you must trust the person who created it, to actually destroy the parameters. Zero knowledge proof privacy systems such as the Zerocoin (as originally used in Zcoin and now deprecated) and Zerocash (as used in Zcash, Komodo and Horizen) protocol requires a trusted setup.

Zcoin’s Sigma and Lelantus privacy protocols, do not use trusted setups.

Why it Matters

Having a trusted setup is generally undesirable and adds another point of failure. One of blockchain’s mottos is ‘Don’t trust. Verify’ and trusted setups are the antithesis of that philosophy.

A compromised trusted setup in zero-knowledge proofs allows someone to forge the proofs meaning that coins can be created out of thin air leading to hyperinflation. In privacy coins where amounts are obscured, such inflation can also remain undetected.

There are ways to mitigate the risks of a trusted setup such as using a multi-party ceremony that if in theory works, requires all parties in the ceremony to collude. If at least one party destroys their portion of the secret, then the system is secure.

However, even if the risk is mitigated, we still need to be sure parties do not collude or that the ceremony was set up correctly or was not backdoored which can be challenging.

For example, Zcash’s original Sprout MPC ceremony sparked controversy because of binaries that were not deterministically built and MPC transcripts that went missing (which turned out to be to prevent a flaw from being exploited until it was patched).