Trusted Setup

A trusted setup is a one-time cryptographic ceremony to generate the public parameters (common reference string) required for zk-SNARK systems, where participants must destroy secret material to ensure system security.
Chainscore © 2026
CRYPTOGRAPHIC PROTOCOL

What is Trusted Setup?

A trusted setup is a foundational ceremony in cryptographic systems where secret parameters are generated, creating a potential point of failure if the process is compromised.

A trusted setup is a one-time cryptographic ceremony required to generate the initial parameters (often called a Common Reference String or Structured Reference String) for certain zero-knowledge proof systems, such as zk-SNARKs. During this process, a secret piece of data, often called the toxic waste or toxic parameters, is used and must be securely destroyed. If this secret is not properly discarded, it could allow a malicious party to create fraudulent proofs, undermining the entire system's security. The 'trust' stems from the assumption that the participants in the ceremony did not collude to retain or reconstruct the secret.

The primary goal is to establish a public, verifiable parameter set without revealing the underlying secret. Modern implementations use multi-party computation (MPC) ceremonies, like the Perpetual Powers of Tau, to distribute trust among many participants. In these ceremonies, each participant contributes their own randomness to the secret, and the final parameters are secure as long as at least one participant was honest and destroyed their contribution. This significantly reduces the trust assumption from a single entity to a decentralized group, making the setup trust-minimized rather than fully trustless.

Trusted setups are critical for enabling efficient succinct non-interactive arguments of knowledge (SNARKs) used in major scaling solutions like zk-Rollups (e.g., zkSync, Scroll) and privacy protocols (e.g., Zcash's original Sapling ceremony). The security of billions of dollars in assets often depends on the integrity of these historical events. While newer proof systems like zk-STARKs and certain Bulletproofs eliminate the need for a trusted setup, they often trade this benefit for larger proof sizes or higher verification costs, making trusted setups a pragmatic choice for many high-throughput blockchain applications.

CRYPTOGRAPHIC PROTOCOL

How a Trusted Setup Ceremony Works

A trusted setup ceremony is a multi-party computation (MPC) protocol designed to generate the critical cryptographic parameters, known as a Common Reference String (CRS) or Structured Reference String (SRS), for advanced zero-knowledge proof systems like zk-SNARKs.

The ceremony's core purpose is to decentralize trust: the final parameters are secure as long as at least one participant acts honestly and destroys their secret component, known as toxic waste or toxic parameters. If all participants collude or are compromised, they could theoretically forge false proofs. The process typically involves a sequential chain where each participant receives the output from the previous party, applies their own secret randomness, and passes the updated parameters forward. This structure is often called a sequential multi-party computation.

A canonical example is the Perpetual Powers of Tau ceremony used by projects like Zcash and Filecoin. In this setup, participants generate random numbers, compute elliptic curve points, and cryptographically commit to their contributions. The final output is a set of public parameters that anyone can verify were generated correctly, but from which the underlying secrets cannot be extracted—provided at least one participant was honest. This property is known as the 1-of-N trust assumption, a significant improvement over a single trusted party.

The security model relies on several key mechanisms: verifiable randomness to prove a participant's contribution was properly generated, public verifiability allowing anyone to cryptographically check the ceremony's output, and contributor attestations often involving video evidence or hardware security modules (HSMs). While not eliminating trust entirely, a well-executed ceremony with diverse, credible participants makes successful collusion or compromise statistically improbable, establishing a high-confidence foundation for privacy-preserving blockchain applications.
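
Added example (not part of the original glossary entry and not code from any real ceremony): a toy sequential powers-of-tau ceremony in Python, showing the update each contributor applies and the public checks a verifier runs on it. The 11-bit group, the brute-force `pairing` stand-in and all function names are assumptions made for illustration; real ceremonies use pairing-friendly elliptic curves.

```python
# Toy sequential powers-of-tau ceremony. Added example with constructed,
# deliberately tiny (insecure) parameters; not code from any real ceremony.
import secrets

P, Q, G = 2039, 1019, 4  # G generates the order-Q subgroup of Z_P* (P = 2Q + 1)
# Brute-force discrete-log table. Feasible only because Q is tiny; it lets us
# fake the bilinear map that real ceremonies get from elliptic-curve pairings.
DLOG = {pow(G, k, P): k for k in range(Q)}

def pairing(a, b):
    """Stand-in for e(g^x, g^y) = g^(x*y)."""
    return pow(G, DLOG[a] * DLOG[b] % Q, P)

def fresh_secret():
    """One contributor's toxic waste: a uniform nonzero exponent."""
    return secrets.randbelow(Q - 1) + 1

def initial_srs(degree):
    """Starting parameters for tau = 1 (degree >= 1): [g^(tau^0), ..., g^(tau^degree)]."""
    return [G] * (degree + 1)

def contribute(srs, s):
    """Raise element i to s^i, so tau becomes tau*s. Returns (new_srs, g^s)."""
    return [pow(x, pow(s, i, Q), P) for i, x in enumerate(srs)], pow(G, s, P)

def verify_update(old, new, witness):
    """Public check of one contribution; needs no secret."""
    if len(new) != len(old) or new[0] != G or witness == 1:
        return False
    if witness not in DLOG or any(x not in DLOG for x in new):
        return False  # element outside the group
    # The new tau is the old tau times the exponent behind the witness.
    if pairing(new[1], G) != pairing(old[1], witness):
        return False
    # Consecutive elements are successive powers of one and the same tau.
    return all(pairing(new[i + 1], G) == pairing(new[i], new[1])
               for i in range(len(new) - 1))

def run_ceremony(degree, contributor_secrets):
    """Chain the contributions, verifying each before accepting it."""
    srs = initial_srs(degree)
    for s in contributor_secrets:
        new, witness = contribute(srs, s)
        if not verify_update(srs, new, witness):
            raise ValueError("contribution rejected")
        srs = new  # the contributor must now erase s
    return srs

if __name__ == "__main__":
    print(run_ceremony(4, [fresh_secret() for _ in range(3)]))
```

The final tau is the product of every contributor's secret, which is why a single erased secret is enough to leave it unknown to everyone.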

TRUSTED SETUP

Key Features & Characteristics

A trusted setup is a one-time, multi-party cryptographic ceremony that generates the initial parameters (common reference string) for a zk-SNARK or similar proving system, where the security of the entire system depends on at least one participant destroying their secret.

01

Ceremony & Participants

A trusted setup is a multi-party computation (MPC) ceremony where multiple participants sequentially contribute randomness to generate the final parameters. The security model assumes at least one participant is honest and destroys their secret 'toxic waste'. Famous examples include the Zcash 'Powers of Tau' ceremony (2016) and Ethereum's KZG ceremony for EIP-4844 (2023).

02

Toxic Waste

The toxic waste refers to the secret randomness (often called the 'toxic parameters' or 'secret trapdoor') generated during the setup. If this secret is retained by any participant, they could create fraudulent proofs. The core security requirement is the secure deletion of this material by all participants after the ceremony concludes.

03

Security Model & Trust Assumption

The setup introduces a trust assumption: the system is secure only if at least one participant was honest and deleted their secret. This is a '1-of-N' trust model. The goal of large, public ceremonies is to make this assumption practically reasonable by involving many diverse, credible parties, reducing the probability of universal collusion.

04

Universal vs. Application-Specific

  • Universal Setup (Structured Reference String): Generates parameters reusable for many circuits (e.g., Groth16, PLONK). The Powers of Tau is a universal setup.
  • Application-Specific Setup: Generates parameters for a single circuit. Less flexible but can be more efficient. Early zk-SNARKs like those in Zcash's original Sprout used this.

05

Verifiability & Auditability

A well-designed ceremony produces publicly verifiable transcripts. Anyone can cryptographically verify that each participant's contribution was computed correctly and that the final output derives from the sequence of contributions. This transparency is crucial for establishing trust in the process, even though the final secret remains unknown.

06

Contrast with Trustless Alternatives

Trusted setups are contrasted with trustless or transparent proof systems like STARKs and Bulletproofs, which require no initial secret parameters. The trade-off is between the one-time trust assumption of a setup (for potentially smaller proofs) and the computational overhead of transparent systems.

HISTORICAL CONTEXT

Notable Trusted Setup Ceremonies

These are pivotal ceremonies where participants collaboratively generated the initial cryptographic parameters, known as the Common Reference String (CRS) or Structured Reference String (SRS), for major zk-SNARK systems. The security of billions in value depends on the 'toxic waste' from these events being successfully destroyed.

06

The Concept of a "Ceremony"

In cryptography, a trusted setup ceremony is a specific protocol where multiple parties collaborate to generate a common reference string. The goal is to ensure the resulting toxic waste (secret parameters) is permanently deleted.

  • Security Model: Relies on the assumption that at least one participant was honest and destroyed their share.
  • MPC Types: Can be sequential (one after another) or parallel (concurrent).
  • Output: Produces public parameters essential for constructing zero-knowledge proofs.

CRYPTOGRAPHIC FOUNDATIONS

Trusted Setup vs. Trustless Alternatives

A comparison of the core properties, security assumptions, and trade-offs between systems requiring a trusted setup ceremony and those that are trustless by design.

| Feature / Property | Trusted Setup (e.g., zk-SNARKs with MPC) | Trustless Alternative (e.g., zk-STARKs, Bulletproofs) | Pure Transparency (e.g., Bitcoin, Ethereum PoW) |
| --- | --- | --- | --- |
| Cryptographic Backbone | zk-SNARKs (Groth16, Plonk) | zk-STARKs, Bulletproofs | ECDSA, Merkle Proofs |
| Initial Ceremony Required | | | |
| Trust Assumption | Participants in the ceremony were honest and destroyed toxic waste. | None. Security relies only on cryptographic hardness assumptions. | None. Security relies on consensus and economic incentives. |
| Proof Size | ~200-300 bytes | ~10-100+ KB | N/A (No ZK proofs) |
| Verification Speed | < 10 ms | ~10-100 ms | Varies by transaction |
| Post-Quantum Security | | | |
| Recursive Proof Composition | | | |
| Primary Use Case | Private payments (Zcash), scalable L2s (zkRollups) | Scalable L2s, private computations | Public, transparent settlement |
| Key Risk | Ceremony compromise creates undetectable counterfeit proofs. | Larger computational overhead for proof generation. | No inherent privacy; all data is public. |

TRUSTED SETUP

Security Considerations & The 'Toxic Waste' Problem

A trusted setup is a cryptographic ceremony that generates a set of public parameters from secret values, after which the original secrets must be destroyed to ensure the system's long-term security.

01

The Ceremony & Its Output

A trusted setup is a multi-party computation (MPC) ceremony where participants collaboratively generate a Common Reference String (CRS) or Structured Reference String (SRS). This public string is essential for constructing zero-knowledge proofs (ZKPs) in zk-SNARKs. The security relies on at least one participant destroying their secret contribution, known as the toxic waste.

02

What is 'Toxic Waste'?

Toxic waste refers to the secret random values (often called tau or toxic parameters) generated during the setup ceremony. If any participant retains this waste, they can create fraudulent proofs that the system cannot detect, completely breaking its security. The core security assumption is that this waste has been permanently deleted by all honest participants.

03

Security Models & Trust Assumptions

The required trust level depends on the ceremony design:

  • 1-of-N Trust: Security holds if at least one participant is honest and destroys their secret. Used by ceremonies like Perpetual Powers of Tau.
  • N-of-N Trust: Requires all participants to be honest. This is weaker and generally avoided in modern systems.
  • Universal/Updatable Setups: A single, reusable setup (like the Powers of Tau) can bootstrap many applications, amortizing trust across the ecosystem.

04

Real-World Ceremonies

Notable examples demonstrate the scale and methodology of trusted setups:

  • Zcash's Original Sprout Setup (2016): A 6-party ceremony that established the initial model, though it used a weaker N-of-N trust assumption.
  • Ethereum's KZG Ceremony (2023): A massive universal setup for proto-danksharding (EIP-4844), with over 140,000 contributions, creating a robust 1-of-N trust model.
  • Perpetual Powers of Tau: An ongoing, multi-contributor ceremony that provides a reusable SRS for any zk-SNARK application.

05

Risks & Mitigations

The primary risk is secret leakage or collusion among all participants. Mitigations include:

  • Ceremony Transparency: Full video recording and public attestations of participation.
  • Diverse Participants: Involving cryptographers, auditors, and public figures to reduce collusion risk.
  • Cryptographic Proofs: Using MPC to ensure the final output is correct even if some participants are malicious.
  • Ceremony Audits: Independent review of the process and software used.

06

Trusted Setup vs. Trustless Setup

This contrasts with trustless or transparent setups used by zk-STARKs and Bulletproofs. These systems require no secret parameters, eliminating the toxic waste problem entirely but often at the cost of larger proof sizes or higher verification costs. The choice between trusted and trustless setups involves a trade-off between performance, proof size, and initial trust assumptions.

TRUSTED SETUP

Frequently Asked Questions

A trusted setup is a foundational cryptographic ceremony required by certain zero-knowledge proof systems. It generates a set of public parameters, but the process must be executed honestly and the initial secret must be destroyed to ensure the system's security. These questions address its purpose, risks, and real-world implementations.

A trusted setup is a one-time cryptographic ceremony where participants collaboratively generate a set of public parameters, known as a Common Reference String (CRS), for a zero-knowledge proof system like zk-SNARKs. The process involves creating and then destroying a secret piece of data, often called the toxic waste or secret randomness. If this secret is not properly discarded, it could allow a malicious actor to create fraudulent proofs. The security of the entire system thereafter hinges on the assumption that at least one participant in the ceremony was honest and destroyed their portion of the secret. Notable examples include the original Zcash Sapling ceremony and Ethereum's KZG ceremony for EIP-4844.
