
Trusted Setup

Groth16 Powers of Tau ceremony details

Overview

Groth16 requires a trusted setup ceremony to generate the proving key and verification key. Mini Veil uses the BN254 (alt_bn128) curve with a Powers of Tau ceremony.

Trusted Setup Security

Groth16's security depends on the "toxic waste" being properly destroyed. If the toxic waste is leaked, an adversary can forge proofs. The Mini Veil ceremony uses a multi-party computation (MPC) approach to mitigate this risk, but no setup ceremony can guarantee that all participants behaved honestly.

Ceremony Structure

Mini Veil uses a Powers of Tau ceremony (phase 1 only) which is universal for all circuits using the BN254 curve. This means:

  • The same ceremony output can be used for any BN254 circuit
  • No circuit-specific phase 2 is required for the protocol itself (the withdrawal circuit uses the phase 2 output from the ceremony)
  • Additional circuits (e.g., ETA update circuit) can be supported without a new ceremony

Circuit Files

| File | Location | Purpose |
|---|---|---|
| mixer_withdraw.wasm | public/circuits/ | Circuit logic for snarkjs proving |
| mixer_withdraw_final.zkey | public/circuits/ | Proving key (~50 MB) |
| verification_key.json | circuits/build/ | Verification key for vk.rs embedding |

Two Verification Key Files

There are two verification_key.json files in the project:

  • circuits/build/verification_key.json — the one matching vk.rs (embedded in the program)
  • circuits/build/mixer_withdraw/verification_key.json — may differ from the root one

When rebuilding circuits, always regenerate vk.rs from the correct verification_key.json and redeploy the Solana program. The frontend uses the zkey file from mixer_withdraw/.

Regenerating Circuit Artifacts

To rebuild circuit artifacts:

cd circuits

# 1. Compile circuit to R1CS
circom mixer_withdraw.circom --r1cs --wasm --sym -o build/

# 2. Phase 2: Generate proving key (requires Powers of Tau output)
snarkjs groth16 setup build/mixer_withdraw.r1cs pot.ptau build/mixer_withdraw_0000.zkey

# 3. Contribute entropy
snarkjs zkey contribute build/mixer_withdraw_0000.zkey build/mixer_withdraw_final.zkey

# 4. Export verification key
snarkjs zkey export verificationkey build/mixer_withdraw_final.zkey build/verification_key.json

# 5. Regenerate vk.rs for Solana program
# (the shell is still in circuits/; assumes programs/ sits beside it at the repository root)
cd ../programs/mini-veil
cargo build

Verifying the Setup

To verify the ceremony artifacts are unmodified:

snarkjs zkey verify mixer_withdraw.r1cs pot.ptau mixer_withdraw_final.zkey
snarkjs zkey export verificationkey mixer_withdraw_final.zkey verification_key.json

Security Considerations

Toxic Waste

The phase 2 contribution should be generated with high entropy. Best practices:

  • Use a dedicated air-gapped machine
  • Generate entropy from multiple sources (hardware RNG, dice, keyboard mashing)
  • Publish your contribution hash publicly
  • Destroy all intermediate files after contribution

Verification Key Integrity

The verification key embedded in the Solana program (vk.rs) must match the one exported from the final .zkey file. A mismatch will cause all proofs to fail verification.

Use this check:

# Export VK from zkey
snarkjs zkey export verificationkey mixer_withdraw_final.zkey build/verification_key.json

# Compare with Rust-embedded VK
# (manual check of vk_delta_2 coordinates)
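
The manual comparison can be scripted for the two verification_key.json files described under "Two Verification Key Files". This is an added example, not part of Mini Veil's code: it assumes the standard snarkjs verification key fields, the sample keys are constructed with shortened values, and it does not parse vk.rs, whose layout is not shown on this page.

```python
import hashlib
import json
import sys

# Fields of a snarkjs Groth16 verification_key.json that the verifier relies on.
VK_FIELDS = ("protocol", "curve", "nPublic", "vk_alpha_1", "vk_beta_2",
             "vk_gamma_2", "vk_delta_2", "IC")

def canonical(value):
    """Normalize nested coordinates so 7, "7" and "007" compare equal."""
    if isinstance(value, list):
        return [canonical(v) for v in value]
    if isinstance(value, int) and not isinstance(value, bool):
        return str(value)
    if isinstance(value, str) and value.isdecimal():
        return str(int(value))
    return value

def vk_diff(a, b):
    """Names of the fields whose values differ between two keys."""
    return [f for f in VK_FIELDS if canonical(a.get(f)) != canonical(b.get(f))]

def vk_digest(vk):
    """SHA-256 of the canonical fields, short enough to publish or pin in CI."""
    subset = {f: canonical(vk.get(f)) for f in VK_FIELDS}
    blob = json.dumps(subset, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode()).hexdigest()

# Constructed sample keys with shortened values (not real BN254 points).
SAMPLE_ROOT = {
    "protocol": "groth16", "curve": "bn128", "nPublic": 2,
    "vk_alpha_1": ["11", "22", "1"],
    "vk_beta_2": [["31", "32"], ["33", "34"], ["1", "0"]],
    "vk_gamma_2": [["41", "42"], ["43", "44"], ["1", "0"]],
    "vk_delta_2": [["51", "52"], ["53", "54"], ["1", "0"]],
    "IC": [["61", "62", "1"], ["63", "64", "1"], ["65", "66", "1"]],
}
# Same circuit, different phase 2 contribution: only vk_delta_2 changes.
SAMPLE_NESTED = dict(SAMPLE_ROOT,
                     vk_delta_2=[["57", "58"], ["59", "60"], ["1", "0"]])

if __name__ == "__main__":
    # Pass two verification_key.json paths, or no arguments for the samples.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as fa, open(sys.argv[2]) as fb:
            a, b = json.load(fa), json.load(fb)
    else:
        a, b = SAMPLE_ROOT, SAMPLE_NESTED
    print(vk_digest(a), vk_digest(b), sep="\n")
    differing = vk_diff(a, b)
    sys.exit(f"verification keys differ in: {differing}" if differing else 0)
```

The script exits non-zero when any field differs, so it can gate a build before vk.rs is regenerated from the wrong file.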

Future Ceremony Improvements

For production deployment, consider:

  1. Multi-party ceremony with remote coordination
  2. Public verification of all contributions
  3. Hardware security module (HSM) integration
  4. Audit of ceremony transcript