Trusted Setup Security
RISC Zero has run a trusted setup ceremony for our Groth16 prover/verifier. This ceremony secures our STARK Verify circuit so we can publish compact receipts for our general purpose zkVM to limited-memory environments like blockchains.
You don't need to take our word for it that this is secure, though! This document will walk you through how to verify the security of our ceremony for yourself. This can also be used to aid in the detection of attacks related to our ceremony, e.g. it may help detect fraudulent actors publishing something they claim to be the RISC Zero STARK Verifier but which is actually malicious code.
Overview
There are multiple steps to verifying the security of a trusted setup ceremony. Kobi Gurkan gave a good list of what is required, framed as the ways a malicious project could pretend to run a ceremony while secretly retaining a backdoor. Following this model, we will cover these steps to verify that our ceremony is secure:
- Verifying the circuit we are securing is what we intend to secure and does not include security holes
- Verifying the transcript corresponds to this circuit
- Verifying contributors' attestations match the transcript
- Verifying the setup ceremony does not include security holes
The Circuit
The circuit we are securing is the RISC Zero STARK Verify circuit, which is open source and available on GitHub (along with a short library it depends on).
To ensure that the circuit itself does not have security holes, we have used a mixture of good software engineering practices, internal security reviews, and external audits. We have published these audits: you can read more details and the audits themselves here.
The Transcript Matches the Circuit
Our ceremony transcript is included in the `zkey` published on ceremony.pse.dev in the "Download ZKey" tab of the RISC Zero STARK-to-SNARK Prover page. (We mirror this file here.) You can verify it matches the circuit using Circom and snarkjs:
- Install Circom and snarkjs.
- Download the `stark_verify.circom` and `risc0.circom` source files.
- Download the Powers of Tau (`ptau`) file we used for our ceremony; we used the Hermez rollup with `2^23` powers of tau, which is linked in the snarkjs README or available directly here (mirrored here).
- Generate the `r1cs` file from the `circom` source files, by running `circom stark_verify.circom --r1cs` in the directory where you downloaded these files. This should generate the same `r1cs` file as listed in our p0tion configuration (available directly here). The SHA-256 hash of this file (i.e. as computed by `shasum -a 256`) is `84d3c34b7c0eb55ad1b16b24f75e0b9de307f7b74089ea4a20a998390ee24178`.
- Prepare JavaScript to use a large amount of memory: Its default settings generally are insufficient to verify this circuit. On my system, I needed to run `export NODE_OPTIONS="--max-old-space-size=32768"`.
- Use snarkjs to verify that the transcript matches this circuit and powers of tau, by running `snarkjs zkey verify stark_verify.r1cs powersOfTau28_hez_final_23.ptau stark_verify_final.zkey`. You should see a list of contribution hashes (attestations) followed by the message `snarkJS: ZKey Ok!`.
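The steps above as one script, as an added example rather than RISC Zero's own tooling: it uses the file names and the `r1cs` hash quoted on this page, while the function names and the `zkey_verify.log` output file are assumptions. It stops if the generated `r1cs` does not hash to the published value, and it treats the run as successful only if the `ZKey Ok!` line appears.

```shell
#!/bin/sh
# Added example: scripted form of the verification steps on this page.
# Function names and zkey_verify.log are illustrative assumptions.

R1CS_SHA256=84d3c34b7c0eb55ad1b16b24f75e0b9de307f7b74089ea4a20a998390ee24178

# sha256_of FILE -> prints the hex digest, using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# check_sha256 FILE EXPECTED -> status 0 only if the digest matches exactly.
check_sha256() {
    [ -f "$1" ] || { echo "missing file: $1" >&2; return 2; }
    actual=$(sha256_of "$1")
    if [ "$actual" != "$2" ]; then
        echo "hash mismatch for $1: got $actual" >&2
        return 1
    fi
}

# verify_ceremony: run in the directory holding the .circom sources, the
# ptau file and the final zkey. Stops at the first failed step.
verify_ceremony() {
    circom stark_verify.circom --r1cs || return 1
    check_sha256 stark_verify.r1cs "$R1CS_SHA256" || return 1
    # snarkjs needs a larger heap than Node's default for this circuit.
    NODE_OPTIONS="--max-old-space-size=32768"; export NODE_OPTIONS
    snarkjs zkey verify stark_verify.r1cs \
        powersOfTau28_hez_final_23.ptau stark_verify_final.zkey 2>&1 |
        tee zkey_verify.log
    # tee hides snarkjs's exit status, so success is decided by the marker.
    grep -q 'ZKey Ok!' zkey_verify.log
}

# Only run the full procedure when asked, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    verify_ceremony && echo "transcript matches circuit and ptau"
fi
```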
Contributor Attestations Match the Transcript
Each contributor authorized our ceremony to publish an attestation to their GitHub account (in a Gist entitled "risc-zero-stark-to-snark-prover_attestation.log"). These attestations match the attestations published in the transcript. This proves which GitHub user made each contribution to the ceremony. You can verify attestations by looking them up both in the transcript and on GitHub:
In the transcript (generated by `snarkjs` in the previous step), you will see that each contribution is preceded by the phrase `contribution #[number] [username]-[number]`. That username is the GitHub username.
On GitHub, you can run a search to find an attestation Gist on gist.github.com. For example, if the username is `somecontributor`, then you could search for `filename:"risc-zero-stark-to-snark-prover_attestation.log" user:somecontributor`.
To verify an attestation, confirm that the hash in the attestation in the transcript matches the hash in the GitHub Gist for that same user.
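An added example (not part of the RISC Zero or snarkjs tooling) that pulls each contribution's number, GitHub username and hash out of a saved verification log and prints the matching Gist search query. The log layout is an assumption: a line containing `contribution #N username-N`, followed by indented lines of hex words forming the hash. The sample log is constructed, with shortened hashes.

```shell
#!/bin/sh
# Added example. Assumed log layout: "contribution #N <username>-<N>" then
# indented lines of hex words. Output columns (tab-separated):
# number, username, hash, Gist search query.
list_contributions() {
    awk '
    function emit() {
        if (user != "")
            printf "%s\t%s\t%s\tfilename:\"%s\" user:%s\n", num, user, hash, gist, user
        user = ""; hash = ""
    }
    BEGIN { gist = "risc-zero-stark-to-snark-prover_attestation.log" }
    /contribution #[0-9]+ / {
        emit()
        sub(/^.*contribution #/, "")   # leaves "N username-N" (maybe with ":")
        num = $1; user = $2
        sub(/:$/, "", user)            # drop an optional trailing colon
        sub(/-[0-9]+$/, "", user)      # strip only the final -N; names may contain "-"
        next
    }
    user != "" && /^[ \t]*[0-9a-fA-F]+([ \t]+[0-9a-fA-F]+)*[ \t]*$/ {
        line = tolower($0); gsub(/[ \t]/, "", line); hash = hash line; next
    }
    { emit() }                         # any other line ends the hash block
    END { emit() }
    ' "$@"
}

# same_hash A B -> status 0 if both are non-empty and equal, ignoring case
# and whitespace (for a hash pasted by hand from the Gist).
same_hash() {
    a=$(printf '%s' "$1" | tr -d ' \t\n' | tr 'A-F' 'a-f')
    b=$(printf '%s' "$2" | tr -d ' \t\n' | tr 'A-F' 'a-f')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Constructed sample log; usernames are made up and hashes are shortened.
sample_log() {
    cat <<'EOF'
[INFO]  snarkJS: contribution #2 some-contributor-12345:
        0A1b2c3d 4e5f6071 8293a4b5 c6d7e8f9
        00112233 44556677 8899aabb ccddeeff
[INFO]  snarkJS: contribution #1 somecontributor-678:
        deadbeef 01234567 89abcdef 0badcafe
[INFO]  snarkJS: ZKey Ok!
EOF
}
sample_log | list_contributions
```

On a real run, pass the saved log file to `list_contributions` and compare each printed hash with `same_hash` against the original revision of that user's Gist.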
If you are looking for your own contribution, you can also go to gist.github.com and navigate to your Gist named "risc-zero-stark-to-snark-prover_attestation.log" (which will be linked at the top if you don't make Gists for other reasons; otherwise you can look for it under "View your gists" or with the search function as described in the previous paragraph). You can also find your contribution the same way as for any other user (i.e. by searching the transcript for your username).
Important Note: Contributors can remove their attestations from GitHub at any time. They can also edit their attestations (although in this case the edit history will be visible). Only the original version of the attestation can be valid; an edited version cannot be a valid attestation. Note that if any malicious contributors were able to participate in the ceremony, it does not damage the security of the ceremony, but it does mean that they can pretend to have a bad attestation by editing or deleting their Gist. Therefore, a contribution with no attestation provides no security to the ceremony, but does not necessarily mean anything is wrong, either.
Please exercise good judgment about whether a missing or edited attestation represents:
- A malicious contributor
- Someone just cleaning up old Gists
- A problem in the ceremony
Ceremony Security
We used the open-source tools p0tion and DefinitelySetup to run our ceremony, and our ceremony was coordinated with the PSE team. This gave us tools that had been battle-tested by prior ceremonies, and moreover, by using tools written by an external team, we put substantial limits on our own ability to maliciously manipulate the ceremony software.