When using a zero-knowledge proof protocol from the SNARK family, you never know the rules of the game. The rules are set by the participants in the procedure that generates the system's trusted parameters (the "ceremony"), but once it is complete it is impossible to check those rules. You can believe that the generation was done correctly, but if you did not take part in it yourself, you have no hundred-percent guarantee.
In recent years, various zero-knowledge protocols have been mentioned more and more often in the blockchain community (for a general understanding I recommend this article): first of all in the context of privacy, and less often in the context of scalability and other applications.
One of the most studied and, more importantly, most widely implemented families is zk-SNARK (Zero-Knowledge Succinct Non-Interactive Argument of Knowledge). In particular, a protocol of this kind is used in the Zcash cryptocurrency. SNARK's popularity is justified: the protocol allows facts to be proved in zero knowledge, the proof is relatively small, and security rests on modern elliptic-curve cryptography.
However, there are trade-offs. The main disadvantage of this family of zk-protocols is the need to generate the initial (trusted) system parameters. This process is also called the ceremony. The ceremony uses secret parameters that must be destroyed afterwards; they are called toxic. The problem is that if the toxic parameters are not destroyed, whoever holds them can prove false statements (in the case of Zcash, create cryptocurrency out of thin air).

Trusted setup generation
In what follows, the mathematics underlying SNARK protocols is touched on only superficially. If you want to understand it properly, I recommend the series of articles by Vitalik Buterin.
Let's take a look at the process of trusted parameter generation. We have a problem statement, and we want to prove the fact that we have solved it with...