Trusted Setup

A trusted setup is a one-time cryptographic ceremony that generates secret parameters required to initialize certain proof systems, most notably zk-SNARKs, creating a critical piece of 'toxic waste' that must be securely destroyed.
Chainscore © 2026
CRYPTOGRAPHIC FOUNDATION

What is a Trusted Setup?

A trusted setup is a foundational ceremony in cryptography where a secret parameter is generated, requiring participants to be honest and destroy their secret shares to ensure the system's long-term security.

A trusted setup is a one-time cryptographic ceremony used to generate the initial parameters for certain zero-knowledge proof systems, such as zk-SNARKs. During this process, a group of participants collaboratively creates a piece of secret data, often called the toxic waste or proving key, which is then used to construct public parameters for the proof system. The critical security assumption is that at least one participant must act honestly by permanently deleting their portion of the secret; if all participants collude and retain the secret, they could potentially create fraudulent proofs, compromising the entire system built upon it.

The necessity for a trusted setup arises from the requirement for a common reference string (CRS) in many advanced cryptographic protocols. This string acts as a public anchor for proving and verifying statements. The ceremony's goal is to create this CRS in a way that no single entity knows the underlying secret trapdoor. Prominent examples include the original Zcash Sapling ceremony (Powers of Tau) and Ethereum's KZG ceremony for its data availability layer. These are designed as multi-party computations (MPC) where the security trust is distributed among many participants, theoretically increasing security with each honest actor.

The major critique of trusted setups is the inherent trust assumption they introduce, which conflicts with the trust-minimization ethos of blockchain. If the secret is compromised post-ceremony, the cryptographic guarantees of the system are void. Consequently, there is significant research into trustless or transparent setup alternatives, such as STARKs, which do not require a secret parameter. For systems that use trusted setups, the ceremony is often conducted with great transparency, involving public figures and open-source software to audit and verify that the toxic waste has been successfully destroyed.

CRYPTOGRAPHIC PROTOCOL

How a Trusted Setup Ceremony Works

A trusted setup ceremony is a multi-party computation (MPC) protocol designed to generate the critical cryptographic parameters, or structured reference string (SRS), for a zk-SNARK or similar proof system, while minimizing the risk of a single point of failure.

The core problem a ceremony solves is the toxic waste problem. To create a zk-SNARK proving system, an initial set of secret parameters must be generated. If even one participant in this generation is honest and destroys their secret, the final public parameters can be trusted. However, if any single party retains the complete secret, they could create fraudulent proofs. A trusted setup ceremony distributes this secret generation across many participants, ensuring security as long as at least one participant was honest.

The process typically follows a sequential, one-way structure. The first participant generates an initial secret and uses it to create the first set of public parameters, then passes only these parameters—not the secret—to the next participant. This second participant adds their own secret randomness, "mixing" it with the previous parameters to create a new set. This chain continues, with each participant contributing their secret and destroying it. The final output is a public Structured Reference String (SRS) that is secure if any participant in the chain was honest and discarded their contribution.

Famous real-world examples include the Perpetual Powers of Tau ceremony for Ethereum and Zcash's original Sapling ceremony. These events involved hundreds or thousands of participants from across the globe, including researchers, developers, and even members of the public. The transparency and public verifiability of each step's transcripts are crucial for establishing trust in the final parameters, as anyone can cryptographically verify that each contribution was performed correctly without learning the secrets.

While often called "trust-minimized," these ceremonies do not eliminate trust entirely; they transform it. Instead of trusting a single entity, you trust that at least one participant in a large, diverse group acted honestly. This is considered a significant security upgrade. The security model is formally defined: for a ceremony with n participants, it remains secure against collusion of up to n-1 malicious actors, assuming at least one is honest.
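
The sequential update described above, as an added example that is not code from the original page or from any ceremony implementation. It uses a deliberately tiny constructed group and hypothetical function names (`contribute`, `verify`, `run_ceremony`), and it checks only the degree-1 element with a Chaum-Pedersen proof; real ceremonies use pairing checks to confirm that the higher powers are consistent.

```python
import hashlib
import secrets

# Constructed toy group, far too small for real use: G generates the prime-order-Q
# subgroup of Z_P* (P = 2Q + 1). Real ceremonies work over pairing-friendly curves.
P, Q, G = 2039, 1019, 4

def initial_srs(degree):
    """Start from tau = 1, so every power g^(tau^i) is simply g."""
    return [G] * (degree + 1)

def _challenge(*vals):
    data = ",".join(map(str, vals)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def contribute(srs, s=None, k=None):
    """Mix secret s into the SRS: element i becomes old_i^(s^i), so tau -> tau*s.
    Also returns a Chaum-Pedersen proof that element 1 was raised to the same s
    as the published witness g^s. The caller must discard s and k afterwards."""
    s = s or secrets.randbelow(Q - 2) + 2   # 2..Q-1; s = 1 would change nothing
    k = k or secrets.randbelow(Q - 1) + 1
    new = [pow(x, pow(s, i, Q), P) for i, x in enumerate(srs)]
    witness, t1, t2 = pow(G, s, P), pow(G, k, P), pow(srs[1], k, P)
    c = _challenge(witness, srs[1], new[1], t1, t2)
    return new, {"witness": witness, "t1": t1, "t2": t2, "r": (k + c * s) % Q}

def verify(old, new, proof):
    """Public check on transcript data only; the verifier never sees s."""
    w, t1, t2, r = (proof[n] for n in ("witness", "t1", "t2", "r"))
    if len(new) != len(old) or new[0] != G or w in (1, G):  # s = 0 or 1 adds nothing
        return False
    if any(pow(x, Q, P) != 1 for x in new):  # every element must be in the subgroup
        return False
    c = _challenge(w, old[1], new[1], t1, t2)
    return (pow(G, r, P) == t1 * pow(w, c, P) % P
            and pow(old[1], r, P) == t2 * pow(new[1], c, P) % P)

def run_ceremony(secret_list, degree=4):
    """Chain contributions, checking each link as a coordinator would."""
    srs = initial_srs(degree)
    for s in secret_list:
        new, proof = contribute(srs, s)
        if not verify(srs, new, proof):
            raise ValueError("contribution rejected")
        srs = new
    return srs
```

`run_ceremony([a, b, c])` yields the same SRS as a single setup with tau = a·b·c mod Q, which is why reconstructing tau takes every contributor's secret and one honest deletion is enough.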

CRYPTOGRAPHIC PRIMER

Key Features of a Trusted Setup

A trusted setup is a one-time, multi-party ceremony to generate the initial parameters for certain cryptographic systems, most notably zk-SNARKs. Its security relies on the assumption that at least one participant was honest and destroyed their secret.

The Ceremony

A trusted setup is a coordinated event where multiple participants sequentially contribute randomness to generate a common reference string (CRS). Each participant performs a computation on the previous output, adding their secret. The final CRS is published and used to create and verify zero-knowledge proofs. The ceremony is complete once the secret contributions are securely destroyed.

Security Model: '1-of-N' Honesty

The core security assumption is that at least one participant acted honestly by destroying their secret contribution. If all participants collude, they could forge false proofs. This model transforms the problem from trusting a single entity to trusting that collusion did not occur among all ceremony participants. Larger, more diverse ceremonies increase this trust.

Common Reference String (CRS)

The public output of a trusted setup is the Common Reference String (CRS), also called public parameters or proving/verification keys. This string is a critical piece of public data that:

  • Allows anyone to create a zero-knowledge proof.
  • Allows anyone to verify that proof.
  • Must be generated correctly for the entire system's security.

Toxic Waste

Toxic waste refers to the secret random values (often called tau or toxic randomness) generated during the ceremony. If this material is not destroyed, an attacker could use it to create fraudulent proofs that appear valid. The secure deletion of toxic waste is the defining act of honesty in a trusted setup.

Universal vs. Circuit-Specific

Trusted setups can be categorized by their scope:

  • Circuit-Specific: Generates a CRS for a single application (e.g., a specific ZK-rollup). New apps require new ceremonies.
  • Universal (Updatable): Generates a CRS that can be used for any circuit within certain bounds (e.g., zk-SNARKs). Protocols like PLONK use this, and ceremonies can be updated by new participants, progressively weakening trust assumptions.

Real-World Examples

Major blockchain projects have conducted large-scale trusted setup ceremonies:

  • Zcash (2016): The original 'Powers of Tau' ceremony for the Sprout protocol.
  • Ethereum's KZG Ceremony (2023): A universal setup for proto-danksharding (EIP-4844), with over 140,000 contributions.
  • Tornado Cash (2019): A 1,114-participant ceremony for its privacy pool circuit.

These demonstrate the industry's move towards large, public, and transparent ceremonies.

HISTORICAL EXAMPLES

Notable Trusted Setup Ceremonies

These ceremonies are foundational to modern zero-knowledge cryptography, each representing a significant community effort to generate the initial parameters for a zk-SNARK system.

Tornado Cash's Trusted Setup

A ceremony conducted to launch the privacy mixer, where a small group of developers performed the initial setup. The continued reliance on this original setup, and the inability to re-run the ceremony without breaking user funds, later became a central point of vulnerability and debate regarding the system's long-term security assumptions.

TRUSTED SETUP

Security Considerations & The 'Toxic Waste' Problem

A trusted setup is a one-time cryptographic ceremony that generates a common reference string (CRS) or structured public parameters for a zk-SNARK or similar proof system, requiring participants to destroy secret randomness to ensure system security.

The Core Security Model

A trusted setup's security relies on the honest majority assumption—at least one participant must honestly delete their secret contribution, known as the toxic waste. If all participants collude and retain their secrets, they can forge proofs and compromise the entire system. This creates a single point of failure in time, as the ceremony cannot be safely repeated after the fact.

Toxic Waste & The Forging Threat

Toxic waste refers to the secret random values (often denoted as tau or s) generated during the setup. If preserved, this waste allows an attacker to:

  • Create valid proofs for false statements.
  • Mint unlimited tokens in privacy-focused applications.
  • Break the soundness guarantee of the zero-knowledge proof system.

The entire security model collapses if this material is not permanently erased.

Trust Minimization Techniques

Ceremonies employ several techniques to reduce required trust:

  • Multi-Party Computation (MPC): Distributes trust across many participants.
  • Verifiable Delay Functions (VDFs): Ensure a minimum time between contributions, preventing last-minute attacks.
  • Public Auditing & Transparency: All contributions and transcripts are publicly recorded for verification.
  • Diverse Participants: Involve cryptographers, developers, and public figures to reduce collusion risk.

Ongoing Risks & Verification

Even with MPC, risks persist:

  • Implementation Bugs: Flaws in ceremony software can leak secrets.
  • Side-Channel Attacks: Physical attacks (e.g., power analysis) on participants' machines.
  • Long-Term Secret Extraction: Future cryptographic breaks (e.g., quantum computing) could recover secrets from public data.

Verification is passive; anyone can cryptographically verify the ceremony output was computed correctly, but cannot prove the toxic waste was deleted.

CRYPTOGRAPHIC FOUNDATIONS

Trusted Setup vs. Trustless/Transparent Setup

A comparison of the foundational ceremony types used to generate critical cryptographic parameters for protocols like zk-SNARKs.

| Feature | Trusted Setup | Trustless/Transparent Setup |
| --- | --- | --- |
| Core Dependency | Requires one or more trusted parties to generate and discard a secret parameter (toxic waste). | Requires no secret parameters from trusted parties; uses publicly verifiable computations or inherent system properties. |
| Security Assumption | Trust assumption that all participants in the ceremony acted honestly and destroyed their secret shares. | No trust assumption; security relies solely on cryptographic proofs and public data. |
| Ceremony Complexity | High. Often involves multi-party computation (MPC) ceremonies with ritualistic participant coordination. | Low to none. Parameters are generated algorithmically from public entropy (e.g., a blockchain's history). |
| Cryptographic Family Example | zk-SNARKs (e.g., original Groth16, Plonk with universal setup). | zk-STARKs, Bulletproofs, and some newer zk-SNARK constructions (e.g., Halo). |
| Verifiability | Only the final public parameters are verifiable; the process itself is not fully transparent. | The entire parameter generation process is publicly verifiable and reproducible. |
| Long-Term Risk | Contains a 'cryptographic backdoor' risk if the secret is compromised, potentially breaking all future proofs. | No long-term backdoor risk, as there is no secret to compromise. |
| Notable Protocol Examples | Zcash's original Sprout ceremony, early implementations of Tornado Cash. | Monero (Ring Signatures), Mina Protocol, Ethereum's upcoming Verkle trees. |
| Participant Requirement | Requires active, coordinated participation from multiple independent parties for security. | Requires no special participant ceremony; runs automatically on public data. |

FAQ

Common Misconceptions About Trusted Setups

Trusted setups are a foundational cryptographic component for many zero-knowledge proof systems, yet they are often misunderstood. This section clarifies the most frequent points of confusion regarding their security, necessity, and operational models.

A trusted setup is not a single point of failure in the traditional sense, but rather a one-time vulnerability that must be managed during the ceremony's execution. The security model depends on the ceremony design, such as a Multi-Party Computation (MPC) ceremony. In a well-designed MPC, the setup's secret is divided among multiple participants, and the final cryptographic parameters are secure as long as at least one participant was honest and destroyed their secret share. The risk is front-loaded; after the ceremony concludes correctly, the system's ongoing security does not rely on any participant's continued honesty.

TRUSTED SETUP

Frequently Asked Questions (FAQ)

A trusted setup is a foundational cryptographic ceremony used to generate the initial parameters for certain zero-knowledge proof systems, creating a critical piece of secret data that must be destroyed for the system's security.

A trusted setup is a one-time cryptographic ceremony that generates the initial parameters, or structured reference string (SRS), required to construct and verify zero-knowledge proofs in systems like zk-SNARKs. It is necessary because these proof systems rely on a common reference string that is created using secret random values; if those secrets are not properly destroyed or 'toxic waste' is not discarded, an attacker could forge fraudulent proofs. The ceremony establishes trust that the initial parameters were generated correctly and the secrets were erased, forming the bedrock of the system's security. Prominent examples include the original Zcash Sapling ceremony and Perpetual Powers of Tau.
