I’m glad to see that Jordy Baylina is out there asking for a shared standard—128-bit security. I feel compelled to add, though: it only matters if it is mathematically verifiable, ie trustless! Trusted setup, to me, is basically 80-bit security.

Ie, sure, it is expensive to crack, and maybe nobody has cracked it, but if they had you wouldn’t be able to tell. … until that day that you wake up and find out that every asset and every access of every user of every app on your platform is under enemy control.

And “universal trusted setup” or whatever they call it is basically 90-bit security. Sure, it is even more expensive for someone to crack, but you still can’t tell if they have, until the day when you wake up to an even bigger disaster scenario.

To me, there is a simple bright line: can a bright young mathematician with a textbook and a computer independently verify a proof? All trusted setup proof systems, including the popular Groth16, fail this test. The mathematician can’t verify whether the proofs are forged.