Snarky Ceremonies: an in depth analysis of setup ceremonies for Groth16

For anyone who has or is thinking about implementing Groth16 under a trusted setup, you may be interested in our security proof validating the powers-of-tau approach of Zcash (here).

Abstract: Succinct non-interactive arguments of knowledge (SNARKs) have found numerous applications in the blockchain setting and elsewhere. The most efficient SNARKs require a distributed ceremony protocol to generate public parameters, also known as a structured reference string (SRS). Our contributions are two-fold:

– We give a security framework for non-interactive zero-knowledge arguments with a ceremony protocol.

– We revisit the ceremony protocol of Groth’s SNARK [Bowe et al., 2017]. We show that the original construction can be simplified and optimized, and then prove its security in our new framework. Importantly, our construction avoids the random beacon model used in the original work.