Nova - Run trusted setup ceremony

This is a post to note that Tornado Cash Nova has not run a trusted setup ceremony for its groth16 zk-SNARK circuits, hence it adds a trust assumption on the developers that is likely not obvious to users/community members in their usage. In fact, it seems there are proposals such as Increase the deposit limit that have passed unanimously and note “there have been no concerns regarding the security of the contracts”. This post is the expression of one potential security concern.

From the repository build script, we can gather that Tornado Nova’s phase 2 ptau generation is run by the deploying developer entering randomness. While more than likely we can assume that the developer acts in good faith and destroys their randomness (often referred to as toxic waste) securely, it remains true that if this randomness were to be found by an adversary (or if the developer themselves were dishonest), it can be used to generate false positive proofs for the circuit - which could result in incorrect withdrawals and loss of funds for instance.

Given that Tornado Nova already secures over 6000 mainnet ETH (or 10million USD at current exchange rate), it seems quite important to run a trusted setup ceremony for the circuits before more widespread usage and/or educate users of the potential risks involved!

More on trusted setups

The following is a quick intro to what trusted setups are and why its important to run one for Tornado Cash Nova. It’s aimed at people not deeply familiar with ZK circuits, so feel free to ignore the rest of this text if you are!

With zero-knowledge proofs, there’s a certain degree of trust we place in developers of the circuits, much of which can be distributed across many people, including auditors, the readers of the open source repositories and of course, the core developers themselves. With Tornado Nova, for instance, the repo links an audit of the circuit code. This trust assumption is much like traditional open-source software (and probably similar to all blockchain/smart contract code most of us interact with).

However, another aspect, quite unlike traditional non-zk software, is the trusted setups/CRS. Most non-transparent zk-SNARK schemes (such as groth16 used by Tornado Cash Nova) rely on the usage of “secure” randomness in proof generation. Usually, this means that said randomness is not controllable by any adversaries in any meaningful way to cheat. Usually this randomness is captured and “secured” by trusted setup ceremonies in a 1-of-N guarantee - as long as at least one honest participant took part in the ceremony, the resultant randomness is “secure”. The original circuits for Tornado Cash, for instance, ran one of the most awesome trusted setup ceremonies with over 1100 participants!

For the Nova circuits, on the other hand, the randomness is generated by just a single participant (the developer who compiled the circuit). Of course, running a trusted setup ceremony is messy and complicated so it makes sense that Nova hasn’t run one yet. But now that Nova is getting more usage, since trusted setups are not something associated with securing non-ZK code, even though it is mentioned on the Tornado Nova website that Nova is “experimental software”, this is perhaps a trust assumption not usually expected by most users/community members of Tornado, so it seems important to a) make more users aware of this and/or b) get rid of it!

Upon mentioning, Roman also noted that the Nova contract being upgradeable (although controlled by a multisig) also exposes users to some degree of risk on similar order, which is worth noting.