| A | |
|---|---|
1 | How would you explain the trusted setup to a friend? |
2 | A computational social contract in which a groups of people agree about an initial set of conditions without the need to trust each other. |
3 | A fun ceremony, where multi-party computation gets executed to calculate parameters for executing the zkSNARKS protocol. |
4 | A good friend ceremony |
5 | A group of people get together online to generate the parameters used to verify and construct private transactions in a zkSNARK enabled cryptocurrency. These participants are relied upon to delete the data they create after the fact as if they don't and all collude, they can print new coins without detection. |
6 | a pre-phase where people have to agree on a set of data to make the proof/verification protocol later non-interactive. This setup has to be trusted so no one can fake proofs. |
7 | A procedure that waranties that a random seed is generated, used to calculate some keys and the deleted. The security of the zero knowlage system is based in that now body knows the seed (some times called toxic value) that generated the keys. |
8 | A rather complicated preparation phase that has to be done at each major update of the network and that has important security implication for the whole network. In practice it is carried out in a very transparent and safe way. |
9 | A set of encrypted data, securely computed, that allows to verify the later calculations of the zkSNARKs proofs generation and verification in a non interactive way. |
10 | A trusted setup is a set of some random numbers with special properties. They are used to create proofs and verify them so they are shared to the verifier and the prover. During the setup creation, some intermediate values are used to generate the output numbers. The setup is called trusted because one must trust the setup provider that he deleted the intermediate values used to generate this setup. Indeed, with these intermediate values, which are called toxic wastes, it is possible to generate a fake proof. |
11 | a trusted setup is like god, something you need to believe in when there isnt another alternative |
12 | A trusted setup is where a system requires some trusted parties to set up a set of initial parameters but we have to be able to trust that every party will destroy this set of parameters, so that no one, including themselves, would have access to the parameters after the setup. |
13 | A way to generate a key (foundational piece to particular tech) that reduces the risks of what you consider a negative outcome. |
14 | A zk-SNARK algo requires a ceremony to generate key parameters for one-time setup of a cryptographic proof (SNARK) |
15 | After explaining the Find Waldo analogy for zkSNARKs, I would describe the trusted setup as constructing the board with the hole. If I were to cheat during the setup and tape a picture of waldo behind the hole, and thus always be able to find Waldo. |
16 | An efficient solution to privacy concerns we are all confronted with today. |
17 | Anonymous secure server activity attestation with TLS and Zeroknowledge |
18 | Assuming a non-techie friend, I would say that the trusted setup is a necessary step to make zk-SNARKS to work. It is a way to decide on the initial parameters among a group of participants and we say it is "trusted" because we have to trust that at least 1 participant is honest and will do as expected. |
19 | At the very start of a special type of a system that doesn't leak any information, some special artefacts are created that, if not properly destroyed, can compromise the secrets, at any point in the future. |
20 | Bootstrapping an engine manually by choosing some of its key parameters that will help it function |
21 | Cooperate with someone to create a judge that cannot be fooled. |
22 | Create a shared private key, keep public, throw private provably away |
23 | Crypto party for ice breaking :) |
24 | cryptomagic that allows peoples to verify stuff without revealing what this stuff is about |
25 | Depending on the friend: I would first explain what a zk proof is and then explain that in some systems you'd need to do a computation before you can do the zk proofs. It is called trusted setup because whoever has the full result of the computation has the power to create proofs for fake statements. |
26 | Dunno what you mean by "trusted setup" but I assume it's the Zcash trusted setup: For Zcash we need a trusted setup phase first, where in theory everyone could participate. We need to generate a secret that must not be revealed at any point in time (otherwise Zcash is worthless). To achieve this everyone adds a snippet to this secret and destroys his/her secret afterwards. (It's way more trick in reality but you know, you're not the brightest light in the harbor. ;) ). The process of creation is designed in a way that it is not possible to restore the secret at all, but even if you think there might be a small chance that the process doesn't work you can still participate and make sure you delete your "toxic waste". |
27 | Firstly as a secret that is not known to the participants of the protocol. Then I would talk very fast about multi-party computation while waving my hands a lot. |
28 | Generally, a trusted setup is a mathematical environment, created by a trusted source, from which participants of a cryptographic process receive some common knowledge necessary to actually perform the process. For zkSNARKs specifically, a trusted setup creates the proving and verification key, allowing the proof to be non-interactive. |
29 | Generating a bunch of randomness to create the shared params that privacy preserving currencies use to shield the identities of Alice and Bob in Alice pays Bob scenarios. |
30 | Generation of keys to be able to generate snark proofs |
31 | Good one ... Think of zk-snarks as a myriad of uniquely matched keys and multi-keyhole locks. In order to create all these keys and locks, we start with a set of master keys, one for each keyhole for the origin/genesis lock. From these masters, we can derive a myriad copies with slight changes so that there is only one set of keys to each keyhole for each corresponding lock making for unique and secure key-lock combos. However, the changes to the masters are so small, that the (combined set of) master keys can open any one of the derived locks. so to ensure security, the master keys must be destroyed and we must trust the entities originally crafting those masters to do that. |
32 | Group of people need to compute an unbiased random number with special properties such that all of them would have to collude to bias it. |
33 | Hey J., 'trusted setup' is just the name for a implementation not revealing the details to the public, remember when you told you nephew the story with the robber's den with the locked door in the tunnel - just to tell him why you liked zcash for using zkSNARKs, or when you calculated speedy O(n*) runtime for zkSTARKS fibonacci proofs or this crazy TOPOS everyone ist now so excited about. |
34 | I can prove something without revealing the solution itseld |
35 | I don't know what that is 😅 (I am still a cs student, wanting to learn more and go deeper into the field) |
36 | I just wish it was gone and I did not have to |
37 | I promise I will think of something funny later |
38 | |
39 | |
40 | I wouldn't. I would say use PRE or FHE. But really... I know there is a ceremony involved and its used in MPC and TEEs but that's about it. |
41 | I'm assuming that I'm talking to a reasonably technical friend who already has a rough idea of what a zk proof is. I do not consider myself to have a strong knowledge of the internals of zk-SNARKS, some of this may be wrong. In interactive zk proofs the verifier asks the prover a series of questions about the answer that reveal partial knowledge of the solution until the verifier is satisfied that the prover knows the full answer. In zk-SNARKS we preselect the questions and then encrypt them. The prover uses homomorphic encryption to compute the encrypted answers to the preselected questions and returns them as the proof. The trusted setup is the phase of selecting the questions & encrypting them. It's trusted because if the participants do not throw away the encrypted questions they can easily fake proofs. |
42 | If at least one of us is honest - we both are ok |
43 | If you trust this one thing, you don't have to ever trust anything else |
44 | Imagine that you had to make a time capsule that you don't want tampered with by anyone in your generation. You would make the box, fill it with valuable time capsule goodies, and put a lock on it. But what do you do with the key? The key has a lot of information (one could, perhaps, reverse engineer the lock?). What if you want to prove to everyone else that you won't go back on your promise and dig up the time capsule and get the goodies. A trusted setup is basically a ceremony where you create the lock/key pair in a public manner with only 'trusted' users allowed to place the input on the initial key. These users each contribute a little to the key design (I get one nook, you get 3 nooks, she gets 5 nooks), but none of them know enough (hopefully) to recreate the key, reverse engineer the lock, and steam the goodies. The key, by the way, is the 'parameter' here, in parameter selection. [I got the idea for this description from Craig Gentry's PhD thesis on FHE] |
45 | |
46 | Imagine your friend films how you are carrying out cake at a birthday party. And then you hilariously fall and cake is all over the place. You ask your friend to delete this video,you even watch how he does it,however you can't be totally sure it's not already backed up somewhere and the only way you're figure that it is Some time later when you become YouTube star. |
47 | In a trusted setup everyone has to trust anyone. In case the private keys are not properly destroyed, the system can be compromised at a later point. |
48 | in a very abstract way: Crypto schemes have different phases (setup, keygen, etc...). A scheme could now have a trusted setup phase or an untrusted one. A trusted setup phase here means that you need to trust something to make the system work technically. This is a disadvantage. Schemas that support an untrusted setup are basically more robust, since no trust relation to anything or someone is needed to set up and use the system. Further good crypto reads at https://eprint.iacr.org |
49 | In order to setup a zero knowledge proof system for public usage one needs to generate a random number. This random number is only needed once for the setup procedure. It needs to be deleted afterwards because it would allow people that can access it to tamper with the proofs. The setup is called trusted, because you must trust the founders to delete the number. |
50 | In some systems like ZCash or POANetwork it is necessary to have a one-time setup of some common parameters of a cryptographic protocol. Trusted setup guarantees that if at least one part of multi-party computation behave honest, than the system is not compromised |
51 | In the CRS model you need data both to generate and verify proofs. This data can be generated by the verifier as a challenge to the prover, who has to construct its proof using this data and the witness data from the computation it ran. In a trusted setup this data won't be generated as a challenge by a verifier, but once and for all for everyone in a big MPC. Since knowledge of the paramters that went into the CRS is enough to craft false proofs, you want to distribute this computation to many parties in such a way that a single honest party is enough to ensure the CRS is incorruptible. |
52 | In zk-snarks to verify the private transactions there need the initial trusted setup phase initiated with the private key which is then trusted to be destroyed. |
53 | increasing confidence in performance of legal obligations is what Lexon is about |
54 | Interoperable networking layer for distributed resources and services |
55 | It is an one-time setup where the seeding parameters for zero knowledge proof generation/validation are created. It has to be done in such a way that it is impossible to retrieve all the pieces (keys) later on - otherwise it would be possible for someone to read/decypher/compromise the zero knowledge proofs later on. |
56 | It is like having a special piggy bank with a lock. During the setup, the founders lock the bank with the key and destroy it, so no one will be able to steal any money from the bank without actually breaking the jar ( being detected). If the key is not destroyed , someone could potentially steal money from the bank by opening the lock and closing it back without being detected... |
57 | It is the initial parameter generation for a ZKSNARK setup. During this process, one must generate a parameter that links the keys used to create and verify proofs, that if leaked, will allow those in possession of it to trick the verifier. For this reason this initial setup is considered "trusted", as in you must trust the participant(s) to make this parameter irrecoverable. To do so, we've invented several nifty ways to involve many individuals to participate in trusted setup ceremonies in such a way that they must all collude in order for the parameter to be recoverable. STARKS do not require a trusted setup :) |
58 | It is time window when people could exchange secrets before they exchanging any zero-knowledge based transactions. |
59 | It was necessary to make ZCash happen : ) |
60 | It's a ceremony where a group of people found a cult promising privacy or something similar. |
61 | It's a crypto setup process when a system needs some value B to operate and this B needs to be computed from A in a specific way. But if anyone knows A - the system is broken. That's why they use MPC to compute B out of pieces of A. That way if at least one party is honest and actually destroys their part of A - A never existed in full. Unless someone screwed up and logs were too verbose ;) |
62 | It's a one-way process to generate a piece of information that acts as a sort of shortcut to checking a math problem. The process has an information by-product that is actually a bit more 'powerful', and would provide easy solutions to the problem. Because we want to make sure that people actually have to solve the problem, the information is generated in a way where everyone involved would have to be cheating in order for the by-product to leak. |
63 | It's a process by a group of people, as long as one person destroy his/her toxic waste. The system is trustable |
64 | It's a simplifying assumption, where you assume all participants have access to a "string of random bits in the sky". In traditional computer science, this kind of assumption is usually realistic and easy to make (because of the wide availability of practical pseudorandomness) and thus many cryptographic solutions use this assumption as well. However, because cryptography is actually adversarial, those pseudorandom solutions tend to be much trickier to obtain in practice in crypto solutions, so this assumption turned out to be a huge pain in the ass (even immortalized in a Radiolab episode featuring Zooko.) So right now many researchers are trying to get rid of this assumption. (My friends tend to be pretty savvy about algorithms :) ) |
65 | It's like a seed planting |
66 | It's like putting money into a trusted bank and you expect the bank will calculate the interests for you correctly |
67 | It's the most dangerous phase of the process, when information that is needed for the system to work is derived from a common secret, that should be protected lest it becomes possible to eavesdrop/forge further communications. |
68 | It’s so complicated not even zcash got it right the first time ;) |
69 | just listen to the radiolab podcast episode haha |
70 | Let's try with colors (improvising here :)) A community needs to agree on a color to build a publicly-available-but-impossible-to-reproduce color-filter. Thus, this color needs to be created to build the filter but known to none. Ppl trusted to build this filter will each commit a drop of a paint of the color of their choice in a black box, the mix of all paints is used to build the filter. If only one of the person is honest and trash out his original and unique paint, it will be impossible to create the same color and reproduce the filter. |
71 | Like a hazing experience we must go through to get connected but forget about and make sure no one (not even ourselves) must know about. |
72 | Magic which creates secure randomness |
73 | Many people come together to create a secret that will be revealed to none of the induviduals. The only way it can be compromised is that all of the people collaborate. |
74 | mpc for starters |
75 | necessary procedure for zk SNARKs to set the initial parameters. "Trusted" since the keys used to do so need to be destroyed for the network to be trustless |
76 | No idea |
77 | Non-interactive zero-knowledge proofs rely on a set of public parameters in order to allow anyone to compute as well as verify proofs of private transactions. Those public parameters need to be established using some random numbers, which need to be deleted afterwards (otherwise they would allow for a back-door for fraudulently proving wrong facts/transactions). Thus there is trust to be placed in the fact that setup phase was conducted correctly and random numbers have in deed been deleted. Therefore multi-party computations, which allow for the random number generation to be derived from many different random numbers (from multiple parties), while the process has integrety as long as at least 1 party involved can be trusted to properly delete their random numbers after the ceremony. |
78 | nuclear waste that makes you glow |
79 | |
80 | |
81 | Number of independent people run piece of code to generate the secure key. The generation requires each party to come up with a secret number and use that number to generate piece of secure key. Caveat is that these secret numbers if put together will result in ability to counterfeit the encryptions we use the secure key. This is why we need to trust that at least one person will destroy their secret. |
82 | One time generation of protocol parameters which involves knowledge of or learning of some secrets that can be used to break the guarantees of the protocol |
83 | Part of the setup creates some "toxic waste" distributed across a number of people that causes the entire system to fall apart if someone gets their hand on all of the pieces. However, as long as one of the participants was honest, and deleted their section, we're safe! |
84 | probably by suggesting the radiolab about it - http://www.radiolab.org/story/ceremony/ |
85 | Probably one of the craziest security ceremonies to ever go down, and an endless well of tweetable conspiracy theory content. |
86 | Provers and verifiers need to use a set of keys to generate and verify solutions for a given constraint system - which is generated as part of the common reference string. This refers to choosing a source of entropy that would enable the prover to create points of evaluation of the linear combination of polynomials making up the constraint system without actual giving up the underlying values, and for the verifier to utilise a elliptic curve (a cryptographic primitive) to provide the appropriate points in the trusted setup where the polynomials should be evaluated, without giving up the actual secret (which could enable the creation of fraud proofs). |
87 | proving a statement usually goes in a interactive challenge-response fashion. To make it non-interactive you can refer to a common shared information but this information should be encrypted. It has to be set up in a trusted way. |
88 | Say you want to be able to prove to me that you know the solution to a "where's wally" puzzle without giving away the solution. You will be able to do that by generating and sending me a Zero Knowledge Proof which I will be able to verify without learning any new information about your solution. Before you can build such a proof, we will need to setup the system so as to generate a few parameters that will be used for you to generate the proof ("proving key") and for me to verify it ("verification key"). The challenge is that when we run this setup, we will also generate some data (sometimes called "toxic waste") which, if you happen to store this data, will let you generate fake proofs. For this reason, it's important that we run this setup in such a way that everyone is confident that the toxic waste data got deleted. One way to achieve that is to run a multi-party computation wherein if at least one participant acts honestly (i.e. deletes its part of the data), then you are guaranteed that the resulting "toxic waste" cannot be recovered, making the setup "trusted: |
89 | Secure and decentralized ; only you hold and know your keys |
90 | So I told you about all the cool things you can do with SNARKs, but there's a catch. At the very beginning, there is something called trusted setup. It's some computation that only needs to be do once, but whoever does it will be able to break the system - without anyone noticing. Currently, we try to alleviate that by distributing it to multiple parties. This way we strengthen trust in the system, because now we have multiple parties that are dishonest and collude, instead of just one dishonest one. |
91 | Some cryptographic protocols require shared knowledge to exist between participants of the protocol. Generating this preliminary shared knowledge is referred to as a setup. The derivation of this shared knowledge leads to generation of information that needs to be forgotten afterwards to guarantee the protocol's security. Since "forgetting" cannot be proven, trust in the fact that the party deriving the shared knowledge forgot the information is required. |
92 | Some of the cryptographic schemas need to have one time setup (ZK-SNARKS for example). It is called trusted because you have to trust the person or group of people who are involved in the setup. Typically during the setup they will have access to parameters of the system which would allow producing false proves in the future. The recommended way for dealing with these parameters is destroying them but it is very difficult to prove that someone didn't make a copy. In the state of the art cryptographic systems we use schema called multiparty computation. In this schema no one knows value of the parameters for the setup, the parameters are created jointly by all participants. It is enough if at least one participant is honest to guarantee security of the system. |
93 | Some protocols require numbers with special properties but our algorithms that create those properties also create auxiliary information that makes the protocol insecure. A trusted setup is an algorithm that makes this auxiliary information less dangerous, normally by making it safer to destroy. As an example we sometimes need a number that is a product of two prime numbers but where nobody knows the primes. |
94 | Some ZKP schemes involve an initial setup step where (for a given circuit) two keys are generated: A "proving key" needed to construct proofs and a "verification key" used to verify those proofs. This process is randomised; it is essential that some of the random input values that go into the setup ("toxic waste") are discarded, otherwise it is possible to construct false proofs that would still verify. Therefore the actor or group of actors need to be trusted to get rid of the "toxic waste". |
95 | That awkward thing that STARKs don't need. |
96 | The "trusted setup" is the setup phase of zero-knowledge-SNARKs. In the setup, some parameters are created that are needed for the proofs. For example, if a proofer wants provide a proof about something to a verifier, the proof is computed based on these parameters. The setup is called "trusted", because the party creating (or lets say "computing") the parameters is using a secret value to compute them. Knowing the secret value enables to create even more parameters. If these additional parameters are not known to everyone after setup phase, the party knowing them could create proofs that appear to be valid although they are invalid. Therefore, it has to be ensured that no additional parameters can be created after the setup phase. For this, everyone has to trust the party knowing the secret value to not make use of this secret value anymore, or, ideally, to delete it. This sounds like a lot of trust into one party. Therefore, there is exists also a more complex version of it, in which several parties choose a secrete value, and each party knows only its own secret value. To compute some parameters, all secret values have to be used. And if at least one of the parties deletes its secret value after the setup phase, then no additional parameters can be computed anymore. |
97 | The "trusted setup" means you have to simply trust that the initial conditions were not compromised to be able to trust the system as a whole. In a more secure system, you can trust the operation of the system without having to trust the initial setup. |
98 | The ceremony to launch a chain that requires a small group of people to be honest. But not as scary as it sounds. All members of this small group would have to collude to do any damage. Fortunately, STARKs will make the trusted setup unnecessary. |
99 | The locksmith gave me and my friend a lock which I can lock and my friend can unlock and we trust the locksmith to have destroyed the sketches/models of both the keys. |
100 | The one that you either must control entirely, or be aware of potential betrayal of various kinds every moment. |