MantaPay, a service that offers private payments between two parties, achieves its privacy by using Zero Knowledge Proofs (ZKPs) to guarantee the validity of a transaction without posting any private information to the blockchain. ZKPs are core to Manta Network’s privacy preservation functionality to enable privacy for all crypto assets, and fulfil the vision of the Network to be the privacy layer for Web3.
The kind of ZKP Manta uses requires some infrastructure, which is why we need a trusted setup. In this post we dive into what a trusted setup is, and how it will provide security to Manta Network.
What is a trusted setup?
A trusted setup is part of the infrastructure that we need to generate ZKPs. The idea with ZKPs is that someone (the prover) can prove the correctness of a statement to someone else (the verifier) without disclosing any information. In order to generate a ZKP, both the prover and the verifier need to commit to some shared secret and use this shared secret to generate public parameters. A trusted setup is how we generate the prover and verifier keys that are needed to create a transaction on the Manta/Calamari network. These keys have to be computed before launching the privacy product, hence the term “setup.” Moreover, the computation of these keys produces some toxic waste that has to be thrown away, hence the term “trusted” (meaning you trust that the toxic waste was thrown away).
These keys are central to everything we do on our network, so it is important that they are constructed correctly. There are complex specific mathematical rules for how they must be formed, the main idea being that we start with a secret number, do some pretty intense computations, and then we have our prover/verifier keys.
When will a trusted setup be secure?
The important thing to know is that it’s practically impossible to determine the secret number we started with if everyone is given the prover/verifier keys. However, if someone does ever figure out that secret number then they would be able to use it to create fake proofs. They could use those fake proofs to lie to the network and create tokens out of thin air.
Therefore it is essential that we throw away that secret number after forming the prover/verifier keys. That secret number is so dangerous that we call it toxic waste. This is where the “trust” in “trusted setup” comes from: users of the network have to trust that the toxic waste has been thrown away (meaning that the secret number was deleted from memory after generating the keys).
So who can we trust to compute the keys?
Anyone who knows the secret number can create tokens out of thin air, so the temptation to keep the toxic waste is just too great for any one person to handle (except perhaps Frodo Baggins, but sadly he’s not real…) .
Luckily, there is a way to share this burden through a procedure called “secure multiparty computation.” We’ll give more details below, but the idea is that instead of one single person knowing the toxic waste, we break the toxic waste apart into hundreds or even thousands of pieces held by different people. Then something magical happens: as long as one single person throws away their piece of the toxic waste it’s impossible to figure out the secret number — this means no one can create fake proofs, so no coins will ever be made out of thin air. (Imagine how much easier Harry Potter’s life would have been if he had only needed to destroy one single Horcrux to get rid of Voldemort for good…)
So trusting our setup means believing that out of the hundreds or thousands of people who participated, at least one person destroyed their piece of the toxic waste. In other words, any malicious conspiracy to discover the secret number would require literally every single participant to be involved in a conspiracy or compromised by it. As more and more people participate in our ceremony, this becomes less and less likely.
The best part is that you yourself can ensure the security of the prover/verifier keys by participating in the ceremony and destroying your toxic waste. As long as you’re confident that you participated honestly then you can be confident that the setup is trustworthy.
What exactly happens in a trusted setup ceremony?
The ceremony will have many participants (including you, if you wish). Each participant will do some complicated computation on their computer (don’t worry, there is a script that does all the math for you) and this computation will produce some toxic waste. The participant destroys the toxic waste (again, the script will do that automatically) and then reports the result of their computation.
Manta will check that the participant did their computations correctly and then pass the result along to the next participant. This will happen over and over, forming a chain of hundreds of participants who have each contributed to the prover/verifier keys and have then thrown away their toxic waste. At the end of the ceremony the final prover/verifier keys will be obtained. As long as at least one participant destroyed their toxic waste, those keys will be secure for use in ZKPs.
How long does the ceremony take?
The math is complicated but the computation is fast. Each participant will have to download a little under 20 Mb of data, do some computations that take somewhere from 1 to 5 minutes (depending on your machine), and then upload 20 Mb of data to our server. There will be about 1 minute of downtime while we check that calculations are correct for each participant, then it moves on to the next participant. It shouldn’t take more than 10 minutes per participant.
What happens after the ceremony?
The ceremony will generate the proving/verifying keys that powers MantaPay protocol. These keys will be released to the public. We will deploy MantaPay protocol on Calamari/Manta and potentially more using the proving/verifying keys generated in the ceremony.
Other resources:
Trusted SetUps have been used by various privacy protocols such as Zcash, Aztec, and Aleo to help the networks become fully trustless. There are different types of trusted setups, you can learn more about it in this post by Vitalik or the Zk podcast.
