Security
Trusted setup & ceremony
Why Groth16 needs a trusted setup, why the development keys must never secure real funds, and what a production multi-party Powers-of-Tau ceremony requires before mainnet.
Groth16 produces tiny, fast-to-verify proofs — but each circuit needs a one-time trusted setup that generates its proving and verifying keys. If the secret randomness ("toxic waste") of that setup is known to someone, they can forge proofs for statements that are false, and the verifier will accept them. This is the central operational risk of the whole system.
The development setup
pnpm circuits:setup runs a single-contributor Powers-of-Tau and Groth16 setup. It is reproducible and perfect for local development and the test gate, but because a single machine held all of the randomness, the keys it emits must never secure real funds.
What production requires
Mainnet requires a multi-party Powers-of-Tau ceremony: many independent contributors each add their own randomness to the accumulating parameters and then discard their secret. The resulting keys stay sound as long as at least one honest contributor destroyed their share of the toxic waste. Concretely, before mainnet this means:
- A multi-party Powers-of-Tau contribution with many participants.
- A published transcript so anyone can verify the contribution chain.
- An external audit of the circuits and contracts.
- Fuzz and invariant tests on top of the existing unit gate.
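To make the contribution-chain argument concrete, here is an added Python model of such a ceremony (example code written for this page, not the project's own setup tooling). It assumes a toy multiplicative group mod a prime in place of Groth16's pairing groups, so the pairing consistency check on the published powers is omitted; it shows the transcript replay that any third party can run, and that tau is recoverable only when every participant's delta leaks.

```python
# Toy model of a multi-party Powers-of-Tau ceremony (added example, not project code).
# Assumption: Z_P^* stands in for the BN254 pairing groups, so the real ceremony's pairing
# check that each published power equals the previous one raised to delta is omitted here.
import hashlib, math, secrets

P = 2**127 - 1        # toy group modulus (prime); exponents are reduced mod P - 1
ORDER = P - 1
G = 3                 # fixed base element (constructed choice for the toy group)
DEGREE = 4            # powers g^(tau^i) for i = 0..DEGREE-1 are kept in the transcript

def h(*parts):
    return int.from_bytes(hashlib.sha256("|".join(map(str, parts)).encode()).digest(), "big")

GENESIS = h("genesis", DEGREE)

def pok_prove(delta, pub, ctx):
    # Schnorr proof of knowledge of delta (pub = G^delta), bound to the transcript head ctx
    k = secrets.randbelow(ORDER - 1) + 1
    r = pow(G, k, P)
    return r, (k + (h(ctx, pub, r) % ORDER) * delta) % ORDER

def pok_verify(pub, proof, ctx):
    r, s = proof
    return pow(G, s, P) == r * pow(pub, h(ctx, pub, r) % ORDER, P) % P

def contribute(powers, prev_hash):
    """One participant multiplies tau by a fresh secret delta and publishes the result."""
    delta = secrets.randbelow(ORDER - 1) + 1
    new_powers = [pow(p, pow(delta, i, ORDER), P) for i, p in enumerate(powers)]
    pub = pow(G, delta, P)
    entry = {"prev": prev_hash, "pub": pub, "proof": pok_prove(delta, pub, prev_hash),
             "powers": new_powers}
    return delta, entry, h(prev_hash, pub, *new_powers)

def run_ceremony(n):
    # returns (deltas, transcript); honest participants destroy their delta after contributing
    powers, head, deltas, transcript = [G] * DEGREE, GENESIS, [], []
    for _ in range(n):
        delta, entry, head = contribute(powers, head)
        powers, deltas, transcript = entry["powers"], deltas + [delta], transcript + [entry]
    return deltas, transcript

def verify_transcript(transcript):
    """Anyone can replay the chain: each entry links to the previous head and proves its delta."""
    head = GENESIS
    for e in transcript:
        if e["prev"] != head or not pok_verify(e["pub"], e["proof"], head):
            return False
        head = h(head, e["pub"], *e["powers"])
    return True

def tau_recoverable(known_deltas, transcript):
    """True only when the known secrets reproduce the final tau, i.e. every delta leaked."""
    return pow(G, math.prod(known_deltas) % ORDER, P) == transcript[-1]["powers"][1]
```

Dropping any single participant's delta from the known set makes tau_recoverable return False, which is the "one honest contributor suffices" property in miniature.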
Re-running the setup
Reporting issues
shh is privacy infrastructure that moves funds — treat every component as security-critical. Report vulnerabilities to gimalsrb2@gmail.com with a description, the affected component, and a reproduction; please don't open public issues for exploitable findings. In scope: circuits, contracts, sdk, the shielded bridge, and the wallet backend. Out of scope (for now): third-party OP Stack components, Blockscout, and dependency CVEs that don't affect shh's own code paths.