What's a trusted setup ceremony and why does Clementine need one?
At the core of Citrea's construction is Clementine Bridge, Citrea's BitVM-based bridge design. With this design, Citrea expresses a zero-knowledge proof verifier on Bitcoin and builds a trust-minimized peg mechanism around it. If challenged, Bitcoin (via BitVM) checks a compact proof on-chain. Clementine’s on-chain logic includes a Groth16 zkSNARK verifier (with recursion happening inside the proofs themselves), so the bridge depends on robust zkSNARK parameters.
Although Citrea uses the RISC Zero zkVM to produce STARK-based proofs for execution proving, it wraps each STARK receipt into a Groth16 SNARK. This final Groth16 proof is very short and fast to verify, which is essential to make verification on Bitcoin's limited scripting language practical. These types of SNARKs, particularly Groth16, require a trusted setup ceremony to ensure the integrity of the proof system.
What's a trusted setup ceremony?
A trusted setup ceremony is a critical, one-time procedure required by certain zero-knowledge proof systems, such as the Groth16 zk-SNARK.
Its purpose is to collaboratively generate a set of public parameters known as the Common Reference String (CRS). This CRS is essential for both the prover to generate proofs and the verifier to check them.
- The Secret ("Toxic Waste"): Generating the CRS requires a piece of initial, random secret information, often called "toxic waste". This secret is mathematically embedded into the CRS.
- The Integrity Check: If any malicious actor were to gain access to and retain this toxic waste, they could exploit the underlying mathematical structure to generate fake proofs for false statements, which the verifier would incorrectly accept as valid.
- Security through MPC: To prevent this, the ceremony uses a Multi-Party Computation (MPC) protocol involving many independent participants. Each participant contributes their own source of randomness and, crucially, is trusted to destroy their private contribution immediately after using it.
- The 1-of-N Trust Model: The security of the final CRS rests on the assumption that at least one participant in the ceremony was honest, followed the protocol, and successfully deleted their part of the toxic waste. This 1-of-N trust model greatly reduces the risk compared to relying on a single trusted party. In Citrea’s case, broad participation that also includes all bridge signers will ensure that no additional trust assumptions are introduced through the ceremony itself.
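The update step behind the MPC and 1-of-N points above, as an added toy example (not code from Citrea, Clementine or any real ceremony). It is simplified to a single "powers of tau" sequence in a small prime-order group; the group parameters, function names and CRS length are constructed for illustration, whereas real Groth16 ceremonies run over pairing-friendly elliptic curves.

```python
# Toy "powers of tau" ceremony in a small prime-order subgroup (constructed
# parameters, illustration only; real ceremonies use pairing-friendly curves).
import secrets

P = 2039          # safe prime: P = 2*Q + 1
Q = 1019          # prime order of the subgroup of squares mod P
G = 4             # generator of that subgroup (4 = 2^2)
DEGREE = 4        # CRS holds G^(tau^0) .. G^(tau^DEGREE)


def initial_crs():
    """Starting CRS for tau = 1: every element is G."""
    return [G] * (DEGREE + 1)


def contribute(crs, s):
    """One participant re-randomises the CRS with secret s: tau becomes tau*s.

    Element i holds G^(tau^i); raising it to s^i gives G^((tau*s)^i).
    """
    return [pow(elem, pow(s, i, Q), P) for i, elem in enumerate(crs)]


def crs_from_tau(tau):
    """What someone who knows tau (the toxic waste) could compute directly."""
    return [pow(G, pow(tau, i, Q), P) for i in range(DEGREE + 1)]


def run_ceremony(participant_secrets):
    crs = initial_crs()
    for s in participant_secrets:
        crs = contribute(crs, s)
    return crs


def combined_tau(participant_secrets):
    """The effective tau is the product of every contribution, mod Q."""
    tau = 1
    for s in participant_secrets:
        tau = tau * s % Q
    return tau


if __name__ == "__main__":
    parts = [secrets.randbelow(Q - 2) + 2 for _ in range(5)]  # each in [2, Q-1]
    crs = run_ceremony(parts)
    print("all secrets reproduce CRS:", crs == crs_from_tau(combined_tau(parts)))
    print("one secret missing:", crs == crs_from_tau(combined_tau(parts[1:])))
```

The effective secret is the product of every participant's contribution, so a coalition holding all but one of them still does not know tau. In a group of realistic size, recovering the missing factor from the public CRS would require solving a discrete logarithm.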
Why does Citrea's bridge, Clementine, need this ceremony?
Clementine needs the trusted setup ceremony because its core security mechanism relies on a specific type of zk-SNARK that mandates it:
- The Groth16 Requirement: Citrea's architecture uses the highly efficient Groth16 proof system to wrap its STARK receipts. Groth16 produces the shortest proof sizes and fastest verification times compared to other SNARKs. However, Groth16 is not a "universal" SNARK and requires a dedicated, problem-specific trusted setup (the ceremony) to generate the necessary verification parameters.
- Ensuring the integrity of the system: BitVM allows the Clementine bridge to encode the zkSNARK verifier’s checks over Bitcoin Script. When a dispute arises, verification is enforced on-chain via BitVM. If the trusted setup were compromised or not conducted, an attacker could create invalid proofs to trick the on-chain verifier, potentially enabling them to steal bridged funds.
Stay Tuned
Citrea’s trusted setup ceremony will ensure the cryptographic foundation for the first bridge that is verified by the Bitcoin Network. Completing the ceremony will move the BitVM-based bridge system out of concept and into its final implementation phase on Bitcoin mainnet.
More information about the ceremony is coming soon.