🎯Cryptographic Proofs

Trusted Setup Ceremony

The Groth16 proof system requires a one-time trusted setup ceremony that generates the proving and verification keys. This ceremony produces the Common Reference String (CRS): a set of elliptic curve points that encode the circuit structure combined with secret random values. Because the CRS encodes one specific circuit, any change to the circuit requires a fresh ceremony. The security of the entire system depends on the ceremony being executed correctly and on the secret randomness being destroyed afterward.

The ceremony proceeds in multiple rounds with one participant per round. In each round, a participant receives the current CRS state, re-randomizes it by scalar-multiplying each curve point with a power of a fresh random value, and passes the result to the next participant. Write τᵢ for the secret accumulated after i contributions, with τ₀ = 1. Participant i receives the points (g^τᵢ₋₁, g^(τᵢ₋₁²), …, g^(τᵢ₋₁ᵈ), g^(α·τᵢ₋₁), …), picks a random rᵢ, raises the k-th power-of-τ point to rᵢᵏ, so that g^(τᵢ₋₁ᵏ) becomes g^((τᵢ₋₁·rᵢ)ᵏ) = g^(τᵢᵏ) with τᵢ = τᵢ₋₁·rᵢ, updates the α-scaled points the same way, and destroys rᵢ. The final CRS after n participants is (g^τ, g^(τ²), …, g^(α·τ), …) where τ = τₙ = r₁·r₂·…·rₙ.
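As an added illustration, and not the Nonce ceremony code, the contribution step above carried out on a real curve in Python: each participant raises the k-th power-of-τ point to rᵢᵏ and forwards the result. secp256k1 is used only because the contribution step needs no pairing; it has no efficient pairing, so the round-by-round transcript checks that a verifier performs on a pairing-friendly curve are not implemented here. The `crs_matches_tau` auditor stands in for them by using the product τ, which only a simulation can know.

```python
import secrets

# secp256k1 parameters (stdlib-only arithmetic). This curve has no efficient pairing,
# so it is used here only because the contribution step needs no pairing; production
# ceremonies run on pairing-friendly curves such as BN254 or BLS12-381.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication [k]pt."""
    k %= N
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def initial_crs(degree):
    """tau_0 = 1, so the starting CRS is [1^k]G = G for every power k = 0..degree."""
    return [G] * (degree + 1)


def contribute(crs, r):
    """One participant's round: raise the k-th point [tau^k]G to r^k, yielding
    [(tau*r)^k]G. The participant never learns tau, only its own r."""
    out, rk = [], 1
    for pt in crs:
        out.append(ec_mul(rk, pt))
        rk = rk * r % N
    return out


def fresh_secret():
    """Participant randomness: a uniform non-zero scalar, to be destroyed after use."""
    return 1 + secrets.randbelow(N - 1)


def run_ceremony(degree, participant_secrets):
    """Chain the rounds. Each r is used once and dropped; the accumulated secret
    tau = r_1 * ... * r_n mod N is never held by anyone."""
    crs = initial_crs(degree)
    for r in participant_secrets:
        crs = contribute(crs, r)
    return crs


def crs_matches_tau(crs, tau):
    """Auditor check usable only in a simulation where tau is known: the k-th point
    must equal [tau^k]G. In a real transcript the same relation is checked with
    pairings against each participant's published [r_i]-commitment instead."""
    return all(pt == ec_mul(pow(tau, k, N), G) for k, pt in enumerate(crs))


if __name__ == "__main__":
    rs = [fresh_secret() for _ in range(3)]
    crs = run_ceremony(4, rs)
    tau = 1
    for r in rs:
        tau = tau * r % N
    print("CRS consistent with product of contributions:", crs_matches_tau(crs, tau))
```

Because every round only multiplies the accumulated exponent, the order of participants does not matter and a single honestly generated and destroyed rᵢ is enough to leave τ unknown to the rest.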

The critical security property is that the ceremony requires only one honest participant. Even if n−1 participants collude and share their randomness, as long as one participant generates rᵢ properly and destroys it, the final τ remains unknown to everyone: the other factors of the product are useless without that one. An adversary who learns the setup trapdoor could generate valid-looking proofs for invalid statements, breaking the system's soundness. Therefore, Nonce's ceremony includes over 50 participants from different geographic locations, organizational affiliations, and technical backgrounds, so that full collusion is implausible.

The ceremony transcript is published publicly, allowing anyone to verify the computation chain. Each participant signs their contribution, and the transformation applied in each round can be checked against the previous state with pairing equations, so the final parameters are verifiable end to end. Multiple independent teams can re-run these checks, providing strong assurance that the setup was performed honestly without trusting any single participant.

Soundness and Knowledge Soundness

The soundness property ensures that no adversary can convince the verifier of a false statement except with negligible probability. For Nonce, soundness means an adversary cannot spend notes they don't own, create notes out of thin air, or violate value conservation. More formally, for any probabilistic polynomial-time adversary A, the probability that A can generate a valid proof for a false statement is bounded by some negligible function ε(λ) where λ is the security parameter.

Groth16 provides computational soundness: it holds against polynomial-time adversaries and rests on the hardness of problems in pairing-friendly elliptic curve groups. Groth's original proof is in the generic bilinear group model, with later analyses in the algebraic group model; earlier pairing-based SNARKs relied on concrete q-type assumptions, notably the q-Strong Diffie-Hellman and q-Power Knowledge of Exponent assumptions. Assumptions of this kind state that, given g^τ, g^(τ²), …, g^(τ^q) but not τ, computing a value such as g^(1/(τ+c)) for a chosen c is infeasible, and (for the knowledge-of-exponent flavour) that any algorithm producing certain related pairs of group elements must know the exponent relating them.

Knowledge soundness, a stronger property, ensures that if a prover can generate a valid proof, then they must actually "know" the witness: formally, an extractor with access to the prover can recover a valid witness from it. This rules out a prover that produces proofs without holding the secret values. For Nonce, knowledge soundness ensures that anyone spending a note must actually know the note's contents and the private key, not merely be able to assemble a valid-looking proof by algebraic manipulation.

Zero-Knowledge Property

The zero-knowledge property guarantees that proofs leak no information beyond the truth of the proven statement. In Nonce's context, this means that a proof of note ownership reveals nothing about the note's value, the owner's identity, the blinding factor, or any other private inputs. The formal definition involves the existence of a simulator that can generate proofs that are computationally indistinguishable from real proofs without knowing the witness.

Groth16 achieves perfect zero-knowledge: the distribution of simulated proofs is identical to that of real proofs, so even an adversary with unbounded computational power cannot distinguish the two. The simulator produces proofs without a witness by using the setup trapdoor, the same secret randomness honest participants destroy. The trapdoor is what makes simulation possible, not what keeps simulated proofs hidden, so the guarantee does not depend on the adversary's resources and will not erode with future computational advances. Conversely, a trapdoor that leaks harms soundness (it allows forged proofs) but does not expose the witnesses behind proofs already published.

Unlinkability of nullifiers is a separate property that rests on the hash function rather than on the proof system. Nullifiers are public, but each is derived with Poseidon from the note commitment together with the owner's private key, so to anyone without that key a nullifier is indistinguishable from a random field element and cannot be matched to the commitment it spends. Spent notes therefore stay private even after their nullifiers are on chain; it is the proof, not the nullifier itself, that ties a spend to a valid note.

Anonymity Set and Privacy Guarantees

The practical privacy of Nonce depends heavily on the anonymity set: the number of users and transactions that could plausibly be responsible for any observed action. A privacy pool with only two users provides minimal privacy, since an observer can attribute any transaction to either user with probability one half, and any side information tips the balance further. As the anonymity set grows, privacy strengthens: with N equally plausible candidates an observer faces log₂ N bits of uncertainty, and that is an upper bound that metadata can only reduce.

Nonce's privacy guarantees can be analyzed through information-theoretic and computational lenses. Under the first, an observer with complete knowledge of all on-chain data learns only what the proofs and the public commitments and nullifiers disclose: that some notes were consumed and some were created, with no information about amounts, identities, or the links between them. The observer cannot determine which commitments were inputs to a transaction or which new notes belong to which users.

Computationally, breaking this cryptographic privacy requires solving the hard problems underlying the proof system and the commitment scheme, which remains infeasible for polynomial-time adversaries under widely-believed assumptions. A compromised trusted setup is a different threat: learning the trapdoor lets an attacker forge proofs, breaking soundness and with it value conservation, but it does not by itself reveal the witnesses behind existing proofs. Compromise requires every ceremony participant to collude or leak their randomness, which is why the participant count matters.

Practical privacy attacks are more likely to exploit metadata and timing than to break the cryptography. A network observer can try to link a shield transaction to the private operation that follows it by their timestamps. To blunt this, Nonce batches multiple users' operations into a single processing step, and recommends that users wait a random delay between shielding and spending so that a spend has many plausible shields before it. The relayer network submits transactions on behalf of users, which keeps users' IP addresses out of the chain's network layer; the relayer itself still sees the connection, so it must not log or link the requests it forwards.
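An added example, not part of the Nonce documentation, that puts numbers on the timing attack above: a constructed set of shield events, three spending policies (spend at once, random delay, random delay plus relayer batching), and the candidate set an observer recovers for each spend using the simple heuristic "the funding shield landed at most max_delay seconds earlier". The delays, the 60-second shield spacing, and the 300-second batch period are assumptions chosen for a reproducible run.

```python
import math

# Constructed sample: eight users shield 60 s apart. (user, shield_time_seconds)
SHIELDS = [(f"user{i}", 60 * i) for i in range(8)]

# Constructed delays (seconds) for the "random delay" policy. A wallet would draw
# these at random; they are fixed here so the result is reproducible.
RANDOM_DELAYS = [300, 540, 120, 480, 60, 420, 180, 600]


def spends_for(shields, delays, batch_period=None):
    """Turn shield events into spend events: user i spends delays[i] seconds after
    shielding. With batch_period set, the relayer releases spends only at batch
    boundaries, so the timestamp an observer sees is rounded up to the next one."""
    spends = []
    for (user, t), delay in zip(shields, delays):
        ts = t + delay
        if batch_period:
            ts = math.ceil(ts / batch_period) * batch_period
        spends.append((user, ts))
    return spends


def candidates(spend_time, shields, max_delay):
    """Observer heuristic: a spend at spend_time could have been funded by any shield
    that landed before it and at most max_delay seconds earlier, where max_delay is
    the longest wait the observer believes users apply."""
    return {u for u, t in shields if spend_time - max_delay <= t < spend_time}


def anonymity_bits(spends, shields, max_delay):
    """Mean log2 of the candidate-set size over all spends under a uniform prior.
    0 bits means every spend is uniquely linked to its shield; a spend whose true
    shield falls outside the observer's window contributes 0 (heuristic missed)."""
    sizes = [len(candidates(ts, shields, max_delay)) for _, ts in spends]
    return sum(math.log2(s) for s in sizes if s) / len(sizes)


def compare_policies():
    """Run the same observer against three spending policies; returns policy -> bits."""
    immediate = spends_for(SHIELDS, [5] * len(SHIELDS))
    delayed = spends_for(SHIELDS, RANDOM_DELAYS)
    batched = spends_for(SHIELDS, RANDOM_DELAYS, batch_period=300)
    return {
        # observer knows users spend within 5 s: every spend is uniquely linked
        "immediate": anonymity_bits(immediate, SHIELDS, max_delay=5),
        # observer knows delays are at most 600 s: several shields per spend
        "random_delay": anonymity_bits(delayed, SHIELDS, max_delay=600),
        # batching adds up to one period of extra delay, so the observer widens the window
        "random_delay+batching": anonymity_bits(batched, SHIELDS, max_delay=900),
    }


if __name__ == "__main__":
    for policy, bits in compare_policies().items():
        print(f"{policy:24s} {bits:.2f} bits of uncertainty per spend")
    # Edge case: user7 shields last and waits longest, so no later shield covers it.
    print("candidates for user7's spend:", candidates(1020, SHIELDS, 600))
```

The last line shows a limit that no client-side delay fixes: a spend can only hide among shields that already exist, so the user who shields last has an anonymity set of one until others join. Batching helps precisely because it also erases the ordering of spends released together.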
