A permanent cryptographic backdoor is created during a ZK rollup's trusted setup. The 'toxic waste' parameters generated allow the creation of fraudulent proofs. While the ceremony aims to destroy this waste, its success relies on one honest participant, creating systemic risk that persists for the protocol's lifetime.
the-ethereum-roadmap-merge-surge-verge
Blog
Trusted Setup Choices in ZK Rollups
An analysis of the foundational cryptographic ceremonies underpinning major ZK Rollups. We dissect the trade-offs between performance, security, and decentralization, revealing the hidden single points of failure that could undermine the entire Surge narrative.
introduction
THE TRUSTED SETUP
The Cryptographic Debt Hiding in Plain Sight
The initial trusted setup ceremony for a ZK rollup creates a permanent, non-upgradable cryptographic backdoor that the ecosystem must amortize.
Ceremony size does not equal security. A 10,000-participant ceremony with poor randomness or collusion is weaker than a 10-participant ceremony with verifiable, distributed entropy. The security model shifts from cryptographic guarantees to social coordination, akin to a multisig but with irreversible consequences.
This debt compounds with upgrades. Major protocol changes like a new proof system (e.g., moving from Groth16 to Plonk) or a hard fork often require a new trusted setup. Each iteration resets the security clock and fragments community trust, as seen in the sequential ceremonies for Zcash and Aztec.
The industry standard is evasion. Leading rollups like StarkNet and Scroll use transparent setups (STARKs and bulletproofs) that require no trust. Others, including Polygon zkEVM and zkSync Era, use perpetual powers-of-tau ceremonies (like the one for Tornado Cash) to bootstrap, outsourcing the debt to a communal ritual.
thesis-statement
THE CEREMONY
Trusted Setups Are a Temporary, High-Stakes Compromise
ZK rollups rely on a one-time trusted setup to generate a secret parameter set, creating a persistent security vulnerability.
A persistent vulnerability is created by the initial ceremony. The generated secret parameters must be destroyed; if leaked, an attacker can forge proofs and mint infinite funds.
The multi-party computation (MPC) ceremony mitigates but does not eliminate risk. Projects like zkSync and Scroll use large, public ceremonies, but a single honest participant is required for security.
Trusted setups are a temporary bottleneck for production. Teams like Polygon zkEVM and StarkWare use them for speed, but the endgame is transparent, updatable setups or recursive proofs.
Evidence: The 2022 Tornado Cash indictment highlighted the legal risk. Authorities can subpoena ceremony participants, making the 'trusted' model incompatible with long-term, decentralized infrastructure.
protocol-spotlight
TRUST ASSUMPTIONS & TRADEOFFS
The Setup Spectrum: How Major ZK Rollups Stack Up
Every ZK Rollup's security and upgrade path is defined by its cryptographic ceremony, creating a hierarchy of trust from fragile to robust.
01
The Perpetual Problem: Why One-Time Ceremonies Are a Ticking Bomb
A single trusted setup for a ZK circuit creates a persistent toxic waste risk. If compromised, all proofs are forged. This is the original model used by zkSync Era and Polygon zkEVM.\n- Key Risk: Single point of failure that lasts for the protocol's lifetime.\n- Operational Burden: Requires massive, one-time multi-party computation (MPC) ceremony.
Lifetime
Risk Window
1
Ceremony
02
StarkWare's Solution: Volition & SHARP
StarkNet uses a recursive proof system (STARKs) that enables a universal, shared prover called SHARP. This amortizes setup costs and trust across all applications.\n- Key Benefit: A single, continuously used setup for all StarkNet apps reduces per-app risk.\n- Scalability: SHARP batches proofs from many dApps, driving down individual proving costs.
Shared
Trust Pool
Batch
Efficiency
03
The Gold Standard: Scroll's Transparent Setup
Scroll's zkEVM uses Halo2 with no trusted setup, relying on the inner product argument. This eliminates the trusted ceremony entirely, achieving cryptographic transparency.\n- Key Benefit: Zero toxic waste. Security relies only on cryptographic hardness, not a secret ceremony.\n- Trade-off: Slightly larger proof sizes compared to Groth16, but considered the ultimate trust minimization.
0
Trust Assumption
Halo2
Stack
04
Aztec's Hybrid Model: PLONK + Upgradable Circuits
Aztec uses the PLONK universal trusted setup, shared by many projects, but couples it with a slowly updating security council for circuit upgrades. This balances trust dispersion with practical upgradability.\n- Key Benefit: Universal Setup (Power of Tau) distributes trust across a large, diverse participant set.\n- Practicality: Allows for necessary protocol upgrades without a full re-launch, a common need for complex private apps.
Universal
Setup
Governed
Upgrades
05
The Business Reality: Why Frax Finance Chose Polygon CDK
Frax's rollup, Fraxtal, uses Polygon CDK which defaults to a one-time, decentralized ceremony. This highlights the pragmatic trade-off for projects prioritizing time-to-market and Ethereum alignment.\n- Key Driver: Leverage Ethereum L1 security for settlement and data availability, making the setup risk a secondary concern.\n- Ecosystem Play: Integrates seamlessly with the broader Polygon AggLayer for shared liquidity and interoperability.
CDK
Speed
AggLayer
Network
06
The Future: zkSync's Move to Boojum
zkSync is transitioning from its original one-time setup to Boojum, a STARK-based, transparent proving system. This is a major architectural shift to eliminate trusted setup risks entirely.\n- Key Shift: Moving from a Groth16 SNARK (trusted setup) to a STARK (transparent).\n- Implication: Will place zkSync Era in the same trust-minimized category as Scroll and StarkNet, resolving its biggest cryptographic criticism.
STARK
Future Stack
Transparent
Target
ZK-ROLLUP PROVING SYSTEMS
Trusted Setup Comparison Matrix
A technical breakdown of trusted setup choices for major ZK-Rollups, evaluating ceremony scale, security assumptions, and operational overhead.
| Feature / Metric | Perpetual Powers of Tau (e.g., Polygon zkEVM, zkSync) | Single-Use Ceremony (e.g., Scroll) | Transparent / No Setup (e.g., StarkNet, RISC Zero) |
|---|---|---|---|
Ceremony Participant Threshold |
| ~ 30 contributors | N/A |
Security Assumption | 1 honest participant | 1 honest participant | No trusted third party |
Proving System | Groth16 / PLONK | Groth16 | STARK / FRI |
Recurring Setup Required | |||
Trusted Setup Ceremony Cost | $50k - $200k+ | $200k - $500k+ | $0 |
Prover Key Size | ~ 1-2 GB | ~ 1-2 GB | ~ 100-200 MB |
Post-Quantum Safety |
deep-dive
THE TRUST TRADEOFF
The Slippery Slope from Performance to Peril
ZK rollup teams face a critical choice between a complex, trusted setup for performance or a simpler, trustless one for security, with long-term consequences for protocol resilience.
Trusted setup complexity is the primary lever for ZK proof performance. Projects like zkSync Era and Polygon zkEVM use multi-party ceremonies (MPCs) to generate initial parameters, trading a one-time trust assumption for faster, cheaper proof generation. This is a pragmatic optimization for user experience today.
The security decay of this choice is non-linear. If the ceremony is compromised, all proofs are invalid. This creates a systemic risk vector absent in validity-proof-native chains like Starknet, which uses STARKs without trusted setups. The trade-off is raw speed versus cryptographic purity.
Evidence: A compromised Groth16 ceremony, used by early ZK rollups, would retroactively break all historical proofs. Newer systems like Scroll adopt Halo2 with a universal trusted setup, reducing but not eliminating this perpetual tail risk. The industry standard is shifting, but legacy risk persists.
risk-analysis
TRUSTED SETUP VULNERABILITIES
The Bear Case: What Could Go Wrong?
The foundational security of most ZK Rollups rests on a single, fragile ceremony. A failure here is catastrophic.
01
The Single Point of Failure
A successful attack on the trusted setup ceremony invalidates the entire security model. If toxic waste is recovered, an attacker can forge infinite proofs, stealing ~$10B+ in bridged assets.
- No Retroactive Fix: Compromise is permanent; the entire network must be redeployed.
- Human Element: Relies on participants' honesty and operational security, a notoriously weak link.
Permanent
Failure Mode
$10B+
TVL at Risk
02
The MPC Black Box
Multi-Party Computation (MPC) ceremonies, used by zkSync, Polygon zkEVM, and Scroll, are opaque and impossible to fully audit post-hoc.
- Verifier Trust: Users must trust the ceremony organizers' setup and execution, not just the math.
- Complexity Risk: Bugs in the MPC implementation itself could leak secrets, a risk highlighted by the Zcash Powers of Tau audit.
Opaque
Audit Trail
3+ Major L2s
Dependent
03
StarkWare's Proprietary Stone
StarkNet uses a proprietary, closed-source trusted setup (the 'Stone'). This creates vendor lock-in and centralizes trust in a single corporate entity.
- Audit Barrier: The community cannot independently verify the setup's integrity.
- Continuity Risk: StarkWare's long-term viability becomes a systemic security assumption for the chain.
Closed
Source
1 Entity
Trust Assumption
04
The Upgrade Paradox
To improve performance (e.g., new hash functions, larger circuits), a new trusted setup is often required. This forces the ecosystem through repeated high-stakes ceremonies.
- Fragmentation Risk: Each upgrade creates a new, untested trust root, increasing attack surface.
- Coordination Overhead: Requires re-mobilizing a critical mass of credible participants for each iteration.
Recurring
Risk
High
Coordination Cost
05
The Transparency Theater
Public livestreams and participant lists create a facade of security. They do not guarantee the mathematical soundness of the final parameters.
- Theater vs. Proof: A ceremony can be performatively secure while being cryptographically broken.
- False Sense of Safety: Can lead to complacency and underinvestment in trust-minimized alternatives like Bulletproofs or STARKs.
Illusory
Security
06
The Exit to Trustlessness
The only true mitigation is eliminating the trusted setup entirely. Projects like Mina Protocol (recursive SNARKs) and newer STARK constructions aim for this, but they trade off for other complexities.
- Performance Trade-offs: Transparent proofs are often larger or more computationally intensive.
- Adoption Lag: The ecosystem remains entrenched in the trusted setup paradigm, slowing the transition.
Long-Term
Solution
Trade-offs
Required
future-outlook
THE SETUP
The Path to Trustlessness: Recursion and the Verge
ZK rollups must navigate a critical trade-off between a one-time trusted ceremony and ongoing centralized proving to achieve final trustlessness.
The trusted setup dilemma is the foundational security choice. Projects like zkSync Era and Scroll use a Perpetual Powers of Tau ceremony, creating a universal CRS. This requires a one-time assumption that at least one participant destroyed their toxic waste.
Recursive proof aggregation is the escape hatch from this dilemma. Systems like Polygon zkEVM and Starknet use STARKs to generate proofs of proofs, compressing thousands of transactions. This amortizes the cost of the initial trust assumption across the entire chain history.
The Verge is Ethereum's final data layer for proofs. The EIP-4844 blob market and eventual Verkle trees provide the cheap, permanent storage for these recursive proof traces. Without this, the trust reduction is theoretical.
Evidence: Starknet's SHARP prover aggregates proofs from multiple apps into a single STARK for Ethereum, demonstrating the practical scaling of recursive verification.
takeaways
TRUSTED SETUP TRADEOFFS
TL;DR for Protocol Architects
Your choice of trusted setup ceremony defines your protocol's security model, upgrade path, and community trust. There is no free lunch.
01
The Perpetual Problem: Upgradable vs. Trusted
A one-time, fixed ceremony (e.g., original Zcash Powers of Tau) provides a clean trust boundary but permanently locks in proving power. An upgradable setup (e.g., StarkWare's SHARP) allows for new proving systems but re-introduces a live trust assumption in the upgrade committee.\n- Key Benefit 1: Fixed = maximal decentralization post-ceremony.\n- Key Benefit 2: Upgradable = future-proofing for algorithm advances (e.g., moving to STARKs).
1
Trust Event
Permanent
Security Model
02
The MPC Ceremony: Scaling Trust
Multi-Party Computation (MPC) ceremonies (e.g., Tornado Cash, Hermez, Scroll) distribute trust across hundreds to thousands of participants. Security relies on at least one honest participant destroying their toxic waste. This is the current industry standard for new L2s.\n- Key Benefit 1: Trust scales with participant count and diversity.\n- Key Benefit 2: Public verifiability and transparency build community legitimacy.
1000+
Participants
1/N Honest
Assumption
03
The Transparency Solution: Nova & CycleFold
Recursive proof systems like Nova and its successor CycleFold (used by projects like Lurk and Axiom) eliminate trusted setups entirely for specific application classes. They use elliptic curve cycles to enable efficient recursion of SNARKs without a ceremony.\n- Key Benefit 1: Zero trusted setup for incremental computation.\n- Key Benefit 2: Enables parallel proof generation and constant-time verification.
0
Ceremony
O(1)
Verification
04
The StarkWare Model: Centralized Trust, Unmatched Scale
StarkEx and StarkNet use a proprietary, centralized trusted setup run by StarkWare. This is the trade-off for quantum-resistant STARKs and proving batches spanning millions of transactions. The trust is ongoing and linked to the entity's reputation.\n- Key Benefit 1: Enables ~1M TPS proving capacity on StarkEx.\n- Key Benefit 2: No cryptographic backdoor (quantum-safe).
1M+ TPS
Proving Scale
Entity
Trust Assumption
05
The Aztec Choice: Specialized, Heavy Ceremonies
For maximum privacy with general-purpose smart contracts, Aztec runs large, application-specific MPC ceremonies (e.g., their UltraPlonk setup). The complexity and cost are high, but necessary for the security of private DeFi. This contrasts with lighter setups for public rollups.\n- Key Benefit 1: Supports complex private state transitions.\n- Key Benefit 2: Ceremony size and rigor match the value-at-risk.
High
Complexity
App-Specific
Ceremony
06
The Economic Reality: Ceremony as a Sunk Cost
The ceremony is a one-time, non-refundable R&D cost (often $500K-$2M+). It must be amortized over the lifetime of the chain. A poorly executed or distrusted ceremony becomes a permanent liability, as seen with early zkSync skepticism. This cost influences L2 tokenomics and launch strategy.\n- Key Benefit 1: Correct execution is a durable competitive moat.\n- Key Benefit 2: Major marketing/community trust event.
$1M+
Typical Cost
Sunk Cost
Economic Model
ENQUIRY
Get In Touch
today.
Our experts will offer a free quote and a 30min call to discuss your project.
NDA Protected
Confidentiality24h Response
Time to ValueDirectly to Engineering Team
No Sales Fluff10+
Protocols Shipped
$20M+
TVL Overall