A Common Reference String (CRS) is a public, structured set of parameters generated during a trusted setup ceremony and used by all participants in a cryptographic protocol, most notably zero-knowledge Succinct Non-interactive Arguments of Knowledge (zk-SNARKs). This string serves as a common, verifiable reference point that allows a prover to generate a proof and a verifier to check its validity without further interaction. The security of the entire system depends on the initial setup being performed correctly, as any party with knowledge of the CRS's secret toxic waste could forge false proofs.
LABS
Glossary
Common Reference String (CRS)
A Common Reference String (CRS) is a set of public parameters, generated in a one-time trusted setup ceremony, that is required to create and verify succinct non-interactive arguments of knowledge (zk-SNARKs).
Chainscore © 2026
definition
CRYPTOGRAPHIC PRIMITIVE
What is a Common Reference String (CRS)?
A foundational element in advanced cryptographic protocols, the Common Reference String is a public parameter that enables trust and verification in zero-knowledge proof systems.
The primary role of the CRS is to establish a foundation of shared, public randomness. In zk-SNARK constructions, it typically consists of encoded elliptic curve points that represent the evaluation of polynomials. The prover uses these points to construct a proof that a computation was performed correctly, while the verifier uses different points from the same string to check the proof's consistency. This mechanism enables the remarkable property of succinctness, where the proof is small and verification is fast, independent of the computation's complexity.
The requirement for a trusted setup is the most critical consideration for a CRS. The ceremony to create it involves generating secret random values, using them to compute the public parameters, and then securely destroying the secrets. Protocols like Zcash's original Sprout ceremony and Perpetual Powers of Tau are high-profile examples. To mitigate trust, modern implementations use multi-party computation (MPC) ceremonies, where multiple parties contribute randomness, and security is maintained as long as at least one participant is honest and discards their secret.
Beyond zk-SNARKs, the concept of a CRS appears in other cryptographic contexts, such as identity-based encryption and certain signature schemes. A key distinction is often made between a structured reference string (SRS), which has a specific algebraic form for SNARKs, and a truly common reference string, which may be unstructured. The evolution towards transparent setups—exemplified by zk-STARKs and some newer SNARKs—aims to eliminate the trusted setup entirely by using publicly verifiable randomness, thus removing the need for a CRS with associated toxic waste.
how-it-works
ZK-SNARK FUNDAMENTALS
How Does a Common Reference String (CRS) Work?
A Common Reference String (CRS) is a foundational cryptographic parameter used to generate and verify zero-knowledge proofs, particularly in ZK-SNARK systems.
A Common Reference String (CRS), also known as a structured reference string or public parameters, is a set of public, cryptographically secure parameters generated in a one-time trusted setup ceremony. This string serves as the foundational public key for an entire zk-SNARK proving system, enabling any prover to generate a proof and any verifier to check it. The security of all subsequent proofs relies entirely on the initial trusted setup being performed correctly, meaning the secret "toxic waste" used to create the CRS was securely destroyed.
The generation of the CRS is a critical and sensitive process. It often uses a multi-party computation (MPC) ceremony, where multiple participants contribute randomness to create the string. As long as at least one participant is honest and destroys their secret contribution, the final CRS remains secure. This process "bakes in" the constraints of a specific circuit or computational statement. Once published, the CRS allows for the efficient generation of succinct non-interactive arguments of knowledge (SNARKs), where proofs are small and verification is fast, independent of the computation's complexity.
In practice, the CRS consists of two main components: the proving key and the verification key. The prover uses the proving key, derived from the CRS, to generate a proof that they know a witness satisfying a public statement. The verifier uses the separate verification key to check the proof's validity. This separation is crucial for efficiency and security. Major blockchain systems like Zcash (for its shielded transactions) and various Layer 2 rollups (e.g., zkSync, StarkNet) rely on specific CRS instantiations to enable private and scalable transactions.
key-features
CRS MECHANICS
Key Features of a Common Reference String
A Common Reference String (CRS) is a foundational public parameter used in many zero-knowledge proof systems, particularly zk-SNARKs, to enable succinct verification. Its security and structure are critical for the integrity of the entire proving system.
01
Trusted Setup Ceremony
The CRS is generated through a trusted setup ceremony, a multi-party computation (MPC) where participants collaboratively create the string. The security relies on the assumption that at least one participant was honest and destroyed their secret 'toxic waste'. This process is foundational for systems like Groth16.
02
Public Parameters
Once generated, the CRS consists of publicly verifiable parameters that are used by both the prover and verifier. The prover uses it to construct a proof, while the verifier uses it to check the proof's validity. These parameters are specific to the circuit or statement being proven.
03
Toxic Waste Problem
The major security concern is the toxic waste—the secret random values used during setup. If not destroyed, they could allow an attacker to forge proofs. This creates a need for ceremonies (e.g., Perpetual Powers of Tau) to decentralize trust and mitigate this single point of failure.
04
Succinct Proofs
A primary function of the CRS is to enable succinct proofs. The verifier's work, using the CRS, is constant and minimal, regardless of the complexity of the computation being proven. This is what makes zk-SNARKs scalable for blockchain applications.
05
Universal vs. Specific
CRS types vary:
- Circuit-specific: Tailored to one program (efficient but inflexible).
- Universal/Updatable: Can be used for many circuits (e.g., Marlin, Plonk). Systems like the Powers of Tau ceremony generate a universal CRS that can be later specialized.
06
Contrast with Transparent Setup
The CRS model differs from transparent setups used in zk-STARKs and Bulletproofs, which require no trusted ceremony and have publicly verifiable randomness. The trade-off is between the smaller proof sizes of CRS-based systems and the stronger trust assumptions.
trusted-setup-ceremony
CRS GENERATION
The Trusted Setup Ceremony
A trusted setup ceremony is a multi-party computation protocol used to generate the foundational cryptographic parameters, known as the Common Reference String (CRS), for advanced zero-knowledge proof systems like zk-SNARKs.
In cryptographic systems such as zk-SNARKs, a Common Reference String (CRS) is a set of public parameters required to construct and verify proofs. If a single party generates this CRS in secret, they gain the power to create fraudulent proofs that appear valid—a critical security flaw known as a toxic waste problem. The trusted setup ceremony, also called a powers-of-tau ceremony or MPC ceremony, is designed to eliminate this single point of failure by distributing the generation process across many participants.
During the ceremony, each participant sequentially contributes their own random secret to the computation. The protocol is structured so that each contribution "mixes in" fresh entropy, effectively destroying the toxic waste from previous contributors. As long as at least one participant is honest and discards their secret, the final CRS is secure. This process creates a chain of trust, making it computationally infeasible for any coalition of malicious participants to reconstruct the original secret parameters needed for forgery.
Notable examples include the Perpetual Powers of Tau ceremony for Ethereum and the Zcash Sprout ceremony. These events often involve a diverse set of participants—from core developers to independent researchers—to maximize trust decentralization. The ceremony's output, the final CRS, is then made publicly available for anyone to use, forming the trust anchor for applications like private transactions and scalable Layer 2 rollups. The security model shifts from trusting a single entity to trusting that someone in the group acted honestly.
security-considerations
COMMON REFERENCE STRING (CRS)
Security Considerations and Trust Assumptions
The Common Reference String (CRS) is a foundational cryptographic parameter in zk-SNARKs and other proof systems, establishing critical security assumptions that underpin trust in zero-knowledge applications.
01
The Trusted Setup Ceremony
A Common Reference String (CRS) is generated during a one-time trusted setup ceremony. This process involves multiple participants using secret randomness to create the public parameters. If any single participant is honest and destroys their secret 'toxic waste', the final CRS is secure. This establishes a trust-once model, where the ceremony's integrity is critical for all future proofs.
02
Toxic Waste & Subversion Attacks
The primary security risk is the retention of toxic waste—the secret randomness used during setup. If this material is not destroyed, an adversary could create fraudulent proofs that verify as valid. This is known as a subversion attack. Secure ceremonies use multi-party computation (MPC) to distribute trust, ensuring security if at least one participant is honest.
03
CRS vs. Transparent Setup
The CRS model contrasts with transparent setups, like those used in zk-STARKs, which require no trusted ceremony and have no toxic waste. The trade-off is between:
- CRS (zk-SNARK): Smaller proof sizes, faster verification, but requires a trusted setup.
- Transparent (zk-STARK): Larger proofs, no trust assumption, but offers post-quantum security potential.
04
Updatability & Ceremony Audits
Modern protocols implement updatable CRS setups. This allows new participants to contribute randomness to an existing CRS in a sequential ceremony, enhancing security over time. The integrity of these ceremonies is often verified through public audits, cryptographic transcripts, and participant attestations to ensure the toxic waste was correctly discarded.
05
Application-Specific Trust
The security impact of a compromised CRS is application-specific. For a privacy-preserving transaction, it could allow counterfeit assets. For a verifiable computation, it could enable incorrect results. The risk is universal for that specific circuit or application using the compromised string, necessitating extreme caution in the initial ceremony.
06
Verifiable Delay Functions (VDFs)
Some newer systems aim to reduce trust by using Verifiable Delay Functions (VDFs) in setup ceremonies. A VDF imposes a mandatory, sequential time delay on computation, making it impractical for the last participant to bias the final CRS based on others' contributions. This strengthens the security of the multi-party computation (MPC) process.
ZK-SNARK TRUST ASSUMPTIONS
CRS vs. Transparent & Other Setup Models
A comparison of the trust models, security properties, and practical trade-offs between Common Reference String (CRS) setups and alternative approaches in zero-knowledge proof systems.
| Feature / Property | CRS (Trusted Setup) | Transparent (STARKs) | Universal & Updatable CRS |
|---|---|---|---|
Core Trust Assumption | One-time trusted ceremony | Cryptographic only (collision-resistant hash) | Trust in a committee or ongoing ceremony |
Setup Perishability | Proofs are secure only if setup is corrupted | N/A - no perishable secret | Security degrades only if all updaters are corrupted |
Proof Size | ~288 bytes (Groth16) | ~45-200 KB | Varies, typically larger than trusted CRS |
Verification Speed | < 10 ms | ~10-100 ms | Slightly slower than trusted CRS |
Recursive Proof Support | |||
Post-Quantum Security | |||
Ceremony Complexity | High (multi-party computation required) | None | Ongoing (requires active participant set) |
Notable Implementations | Zcash (Sprout), Filecoin | StarkEx, StarkNet | Zcash (Sapling), Plonk |
ecosystem-usage
CRS IN PRACTICE
Ecosystem Usage and Protocols
The Common Reference String (CRS) is a foundational cryptographic element enabling zero-knowledge proofs. This section details its practical applications across major protocols.
01
Core Cryptographic Function
A Common Reference String (CRS) is a public parameter string, generated in a trusted setup ceremony, that is essential for constructing and verifying zero-knowledge proofs (ZKPs) like zk-SNARKs. It acts as a shared, one-time public key that encodes the proving and verification keys for a specific circuit, allowing a prover to demonstrate knowledge of a witness without revealing it. The security of the entire system depends on the trusted setup assumption that the ceremony's toxic waste was destroyed.
02
zk-SNARKs & zk-STARKs
The CRS is a defining component of zk-SNARK systems (e.g., Groth16, PLONK). It is used to generate the proving key and verification key for a circuit. In contrast, zk-STARKs do not require a trusted setup or a CRS, instead relying on publicly verifiable randomness, making them transparent but often with larger proof sizes. This distinction is a key trade-off in protocol design between setup trust and performance.
03
Trusted Setup Ceremonies
The CRS is created through a multi-party computation (MPC) ceremony where multiple participants contribute randomness. Famous examples include:
- Zcash's original Sprout ceremony (2016) for the first live zk-SNARKs.
- Perpetual Powers of Tau, an ongoing, universal setup used by protocols like Tornado Cash and Semaphore.
- Ethereum's KZG Ceremony for EIP-4844 proto-danksharding. The security model assumes at least one participant was honest and destroyed their secret contribution, preventing forgery of proofs.
04
Application: ZK-Rollups
ZK-Rollups like zkSync, StarkNet, and Scroll rely on a CRS (for SNARK-based systems) for their core proving mechanism. The rollup's state transition logic is compiled into a circuit, and the corresponding CRS is used to generate proving/verification keys. Validators (provers) use the proving key to create validity proofs, which are then verified on-chain using the verification key, ensuring the correctness of batched transactions with minimal on-chain data.
05
Key Management & Risks
Managing the CRS involves critical security considerations:
- Toxic Waste: The secret randomness used to generate the CRS must be permanently deleted. If compromised, an attacker could create fraudulent proofs.
- Circuit-Specificity: A CRS is typically generated for a specific arithmetic circuit. Updating the circuit logic requires a new trusted setup.
- Universal vs. Specific: Universal setups (Powers of Tau) can be used for many circuits, while specific setups are tailored to one.
06
Evolution & Alternatives
The cryptographic community is actively researching alternatives to mitigate trust assumptions:
- zk-STARKs: Eliminate the trusted setup entirely.
- Transparent SNARKs (e.g., Bulletproofs): Also require no trusted setup but may have different performance profiles.
- Updatable CRS: Designs where the reference string can be updated by new participants over time, reducing reliance on a single ceremony. This reflects the ongoing effort to move from trusted setups to trust-minimized or transparent systems.
ZKP FOUNDATIONS
Common Misconceptions About CRS
The Common Reference String (CRS) is a foundational component of many zero-knowledge proof systems, but its role and properties are often misunderstood. This section clarifies key technical points to separate fact from fiction.
Yes, a CRS typically implies a trusted setup ceremony. This is a one-time, multi-party computation where participants collaboratively generate the CRS's secret parameters. The security assumption is that if at least one participant was honest and destroyed their secret 'toxic waste', the final CRS is secure. Systems like Groth16 and the original Zcash Sapling ceremony use this model. It is distinct from transparent setups (like in STARKs) which require no trusted initial parameters.
CRS
Technical Deep Dive
A Common Reference String (CRS) is a foundational cryptographic setup parameter used to generate zero-knowledge proofs. This section explores its critical role, security implications, and implementation details.
A Common Reference String (CRS) is a public, structured string of data that serves as a trusted, one-time setup parameter for a class of zero-knowledge proof (ZKP) systems, particularly zk-SNARKs. It is generated in a secure ceremony and contains the proving key and verification key encoded within it. This string acts as a shared, public reference point that allows a prover to generate proofs and a verifier to check them without revealing the underlying secret witness. The security of the entire proof system hinges on the trusted setup ceremony used to create the CRS, as anyone with knowledge of its secret toxic waste could forge false proofs.
COMMON REFERENCE STRING
Frequently Asked Questions (FAQ)
Essential questions and answers about the Common Reference String (CRS), a foundational cryptographic component for zero-knowledge proof systems.
A Common Reference String (CRS) is a public, shared parameter string that is generated once in a trusted setup ceremony and then used by all participants in a zero-knowledge proof (ZKP) system, such as zk-SNARKs. It works by providing the necessary cryptographic 'anchor points'—often elliptic curve points—that allow a prover to construct a proof and a verifier to check it. The security of the entire system depends on the initial setup being performed correctly, meaning the secret 'toxic waste' used to generate the CRS must be securely destroyed. If compromised, an attacker could forge false proofs.
ENQUIRY
Get In Touch
today.
Our experts will offer a free quote and a 30min call to discuss your project.
NDA Protected
Confidentiality24h Response
Time to ValueDirectly to Engineering Team
No Sales Fluff10+
Protocols Shipped
$20M+
TVL Overall