Trusted Setup
Groth16 requires a trusted setup — a one-time ceremony that generates the proving and verification keys for each circuit. This is the primary trade-off for Groth16's unmatched proof size and verification speed. If the setup is compromised, an attacker can forge proofs. Specter takes this trade-off seriously and plans a rigorous multi-party computation ceremony for mainnet deployment.
What Is a Trusted Setup?
A Groth16 trusted setup produces two artifacts:
| Artifact | Purpose | Size |
|---|---|---|
| Proving key (circuit.zkey) | Used by the prover to generate proofs. Contains encoded circuit structure and setup randomness. | Large (tens of MB) |
| Verification key (verification_key.json) | Used by the on-chain verifier to check proofs. Contains curve points derived from the circuit and setup. | Small (a few KB) |
The setup process involves generating random values (collectively called toxic waste) that must be destroyed after the ceremony. If any participant retains this toxic waste, they can forge proofs — creating valid-looking proofs for false statements.
The setup has two phases:
Phase 1: Powers of Tau
Phase 1 is curve-generic — it depends only on the elliptic curve (BN254), not on any specific circuit. The output is a structured reference string containing powers of a secret value encoded as curve points:
The parameter determines the maximum circuit size the setup can support. Specter uses the Hermez pot16_final.ptau file, which supports circuits with up to constraints. This Phase 1 output was generated by the Hermez team's public multi-party ceremony with dozens of independent contributors.
| Parameter | Value |
|---|---|
| Source | Hermez Cryptographic Setup |
| File | pot16_final.ptau |
| Max constraints | (65,536) |
| Contributors | 50+ independent participants |
| Curve | BN254 |
The security guarantee: if at least one contributor in the Phase 1 ceremony properly destroyed their toxic waste, the output is secure. With 50+ contributors from diverse organizations and geographies, this is a very safe assumption.
Phase 2: Circuit-Specific
Phase 2 takes the Phase 1 output and specializes it for a specific circuit (Redemption or Access Proof). This phase:
- Compiles the circom circuit into an R1CS constraint system.
- Combines the R1CS with the Phase 1 Powers of Tau.
- Generates the circuit-specific proving key and verification key.
Phase 2 introduces its own toxic waste. Like Phase 1, it should be performed as a multi-party computation where each contributor adds their own randomness. The security guarantee is the same: if at least one participant destroys their contribution, the setup is secure.
Current Testnet Status
Specter's testnet uses development setup keys generated with a single contributor and a known delta value (). This means:
The testnet setup uses delta=1, meaning the toxic waste is trivially known. Proofs on testnet can be forged by anyone who understands the Groth16 math. This is acceptable because testnet tokens (GHOST) have no monetary value and the testnet exists for integration testing, not security validation.
| Property | Testnet | Mainnet (Planned) |
|---|---|---|
| Phase 1 | pot16_final.ptau (Hermez) | pot16_final.ptau (Hermez) |
| Phase 2 | Single contributor, | Multi-party ceremony, 3-5+ contributors |
| Proofs forgeable? | Yes (by design) | No (if ceremony is honest) |
| Token value | None (testnet tokens) | Real economic value |
| Purpose | Integration testing | Production security |
Mainnet Ceremony Plan
For mainnet, Specter will conduct a multi-party computation (MPC) ceremony for Phase 2 of both circuits (Redemption and Access Proof). The ceremony design:
Participants
A minimum of 3-5 independent contributors, ideally more. Contributors should:
- Come from different organizations and jurisdictions
- Use different hardware and operating systems
- Generate entropy from diverse sources (hardware RNGs, physical randomness, etc.)
- Publicly attest to their participation and entropy destruction
Process
- Initialization: Start from the Phase 1 pot16_final.ptau and the compiled circuit R1CS.
- Sequential contributions: Each participant adds their randomness to the setup, producing an updated parameters file. Each contribution is publicly logged with a hash for verification.
- Finalization: The final parameters file is used to extract the proving key and verification key.
- Verification: Anyone can verify the contribution chain using snarkjs tooling, confirming that each contribution was correctly applied.
- Deployment: The verification key is embedded in the on-chain verifier contract. The proving key is distributed to provers.
Entropy Sources
Contributors are encouraged to use diverse entropy sources:
- Hardware random number generators (e.g., Intel RDRAND, dedicated HSMs)
- Physical randomness (dice rolls, radioactive decay measurements, atmospheric noise)
- Combined sources (XOR of multiple independent generators)
- Keyboard/mouse entropy from extended interaction
The key property is independence: even if contributors collude or are compromised, as long as one contributor genuinely destroys their toxic waste, the setup is secure.
What Happens If the Setup Is Compromised?
If a Groth16 trusted setup is compromised (all contributors collude or fail to destroy toxic waste), an attacker gains the ability to forge proofs — they can create a valid proof for any statement, including false ones. In Specter's context, this means:
| Attack | Impact |
|---|---|
| Forge a redemption proof | Mint GHOST tokens without having committed them |
| Forge an access proof | Authenticate as a data owner without knowing the secrets |
| Forge a change commitment proof | Create tokens from nothing via invalid partial withdrawals |
This is the worst-case scenario for any Groth16 system. Specter's defenses:
- Multi-party ceremony: the 1-of-N honesty assumption makes compromise difficult in practice.
- Quantum commitment layer: Specter's roadmap includes a post-quantum commitment scheme that provides defense-in-depth. Even if Groth16 proofs can be forged, the quantum-resistant commitment layer adds an independent verification path.
- Monitoring: on-chain monitoring can detect anomalous mint/reveal patterns that might indicate proof forgery (e.g., total reveals exceeding total commits for a given token).
- Circuit upgrades: if a compromise is suspected, new circuits with a fresh setup can be deployed. Existing commitments can be migrated via a governance-controlled upgrade path.
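The monitoring defense above, as an added example that is not Specter's own code: a minimal off-chain monitor that tallies commits and reveals per token and raises an alert when reveals exceed commits. The event line format and the sample log are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class TokenTally:
    commits: int = 0
    reveals: int = 0
    committed_amount: int = 0
    revealed_amount: int = 0

def parse_event(line):
    """Parse 'block=N kind=commit|reveal token=SYM amount=X' (constructed format)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    kind = fields["kind"]
    if kind not in ("commit", "reveal"):
        raise ValueError(f"unknown event kind: {kind}")
    return kind, fields["token"], int(fields["amount"])

def detect_forgery_signals(lines):
    """Return {token: reason} for every token whose reveals exceed its commits.

    A forged redemption proof passes the verifier contract, but it still leaves
    a supply-level footprint: more value revealed than was ever committed.
    This is a conservative signal; forgeries that stay within committed totals
    are invisible to it.
    """
    tally = defaultdict(TokenTally)
    alerts = {}
    for line in lines:
        if not line.strip():
            continue
        kind, token, amount = parse_event(line.strip())
        t = tally[token]
        if kind == "commit":
            t.commits, t.committed_amount = t.commits + 1, t.committed_amount + amount
        else:
            t.reveals, t.revealed_amount = t.reveals + 1, t.revealed_amount + amount
        # Evaluate after every event so the first offending event is what gets reported.
        if token not in alerts:
            if t.reveals > t.commits:
                alerts[token] = f"reveal count {t.reveals} > commit count {t.commits}"
            elif t.revealed_amount > t.committed_amount:
                alerts[token] = f"revealed amount {t.revealed_amount} > committed amount {t.committed_amount}"
    return alerts

# Constructed sample log: GHOST is consistent; FAKE reveals more often than it was committed.
SAMPLE_LOG = """
block=100 kind=commit token=GHOST amount=50
block=101 kind=commit token=GHOST amount=25
block=102 kind=reveal token=GHOST amount=50
block=103 kind=commit token=FAKE amount=10
block=104 kind=reveal token=FAKE amount=10
block=105 kind=reveal token=FAKE amount=10
""".strip().splitlines()
```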
Verification Tools
The setup can be verified by anyone using standard tooling:
```bash
# Verify Phase 1 (Powers of Tau)
snarkjs powersoftau verify pot16_final.ptau
# Verify Phase 2 contributions
snarkjs zkey verify circuit.r1cs pot16_final.ptau circuit_final.zkey
# Export verification key
snarkjs zkey export verificationkey circuit_final.zkey verification_key.json
```
All ceremony artifacts (contribution hashes, participant attestations, final parameters) will be published for public audit.
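The public-audit step described in the ceremony Process and here, as an added example that is neither Specter's nor snarkjs's code: it checks a published contribution transcript against the artifact files, confirming the hash chain links each step to the previous output, that every contributor attested, and that the contributor count meets the plan's minimum. The transcript layout (one record per contribution with input/output file names and SHA-256 hashes) is an assumption; the cryptographic check of each contribution remains `snarkjs zkey verify`, which this does not replace.

```python
import hashlib

MIN_CONTRIBUTORS = 3  # lower bound from the mainnet ceremony plan

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def verify_transcript(transcript, artifacts):
    """Return a list of problems; an empty list means the transcript is consistent.

    transcript: list of dicts with keys contributor, input_file, input_hash,
                output_file, output_hash, attestation (assumed format).
    artifacts:  {file name: file bytes}, as read from the published bundle.
    """
    problems = []
    if len(transcript) < MIN_CONTRIBUTORS:
        problems.append(f"only {len(transcript)} contributions, need >= {MIN_CONTRIBUTORS}")
    seen, prev_out = set(), None
    for i, rec in enumerate(transcript):
        who = rec["contributor"]
        if who in seen:
            problems.append(f"step {i}: duplicate contributor {who}")
        seen.add(who)
        if not rec.get("attestation"):
            problems.append(f"step {i}: {who} published no attestation")
        # Each step must start from exactly the file the previous step produced.
        if i > 0 and rec["input_hash"] != prev_out:
            problems.append(f"step {i}: input hash does not match step {i - 1} output")
        # The published hashes must match the artifacts actually distributed.
        for role in ("input", "output"):
            name = rec[f"{role}_file"]
            blob = artifacts.get(name)
            if blob is None:
                problems.append(f"step {i}: missing artifact {name}")
            elif sha256_hex(blob) != rec[f"{role}_hash"]:
                problems.append(f"step {i}: {role} file {name} hash mismatch")
        prev_out = rec["output_hash"]
    return problems

def constructed_ceremony(n=3, tamper=False):
    """Build a toy transcript whose 'zkey' files are stand-in byte strings (constructed)."""
    artifacts = {"circuit_0000.zkey": b"initial phase2 params (constructed)"}
    transcript = []
    for i in range(1, n + 1):
        src, dst = f"circuit_{i - 1:04d}.zkey", f"circuit_{i:04d}.zkey"
        artifacts[dst] = artifacts[src] + f"+contribution {i}".encode()
        transcript.append({"contributor": f"participant-{i}",
                           "input_file": src, "input_hash": sha256_hex(artifacts[src]),
                           "output_file": dst, "output_hash": sha256_hex(artifacts[dst]),
                           "attestation": f"https://example.invalid/attest/{i}"})
    if tamper:  # distribute a file that is not what the transcript says step 2 produced
        artifacts["circuit_0002.zkey"] = b"replaced params"
    return transcript, artifacts
```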