Trusted Setup

A trusted setup is a multi-party computation (MPC) ceremony where participants collaboratively generate a common reference string (CRS) or structured reference string (SRS). Each participant contributes randomness, creating a chain of secrets. The final security relies on the assumption that at least one participant was honest and destroyed their secret share, a concept known as the "1-of-N" trust assumption.

The entire system's security is conditional on the destruction of toxic waste—the private parameters generated during the ceremony. If all participants collude and retain their shares, they could potentially create fraudulent proofs. This introduces a trusted third-party risk at inception, contrasting with trustless systems. The security model is often summarized as "N-1" honesty.

• Circuit-Specific Setup: Creates a CRS for a single zk-SNARK circuit. Used in early implementations like Zcash's original Sprout ceremony. Less flexible.
• Universal Setup (Updatable): Generates a structured reference string (SRS) that can be used for any circuit within certain bounds. Protocols like PLONK use this. It can be made updatable, allowing new participants to refresh the ceremony, progressively weakening trust assumptions.

• Zcash's Powers of Tau: A pioneering universal MPC ceremony with thousands of participants.
• Ethereum's KZG Ceremony (EIP-4844): A trusted setup for proto-danksharding, generating an SRS for KZG polynomial commitments.
• Tornado Cash: Utilized a multi-party setup for its anonymity pools. These events are often public, transparent, and designed to maximize participant diversity.

Trusted setups are often compared to STARKs (Scalable Transparent Arguments of Knowledge), which require no trusted setup and rely on publicly verifiable randomness. The trade-off is between the initial trust assumption in a setup and the potentially larger proof sizes and computational requirements of trustless systems. Bulletproofs are another cryptographic primitive that is transparent (no setup).

Once completed, the ceremony's output (CRS/SRS) is public and verifiable. However, the trust is perpetual; if the secret was compromised at creation, the system remains vulnerable forever. This is why ceremonies emphasize public audibility, procedural transparency, and participation from credible, adversarial parties to minimize collusion risk.

Multiple protocols leverage the same foundational trusted setup.

• Filecoin: Uses the parameters for its storage proof system (Proof-of-Replication).
• Polygon zkEVM: Its zk-rollup utilizes the same Perpetual Powers of Tau ceremony (coordinated by the Zcash team) that Ethereum's KZG ceremony extended. This demonstrates reuse of a secure, audited setup across ecosystems.

A secure multi-party computation (MPC) ceremony follows a specific sequence to generate the Structured Reference String (SRS):

1. Initialization: First participant generates initial parameters with a secret.
2. Sequential Rounds: Each subsequent participant receives the output, applies their own secret randomness, and passes it on.
3. Finalization: The final SRS is published after the last round. Security Guarantee: The setup is secure as long as at least one participant was honest and destroyed their secret "toxic waste."

Toxic waste refers to the secret random values (often denoted as tau or s) generated during a trusted setup. If compromised, this waste allows an attacker to create fraudulent proofs. The core security assumption is that all participants securely delete this material. Ceremonies are designed to make partial disclosure useless, requiring all secrets to be leaked to break the system.

Not all ZK systems require a trusted setup. Key alternatives include:

• zk-STARKs: Use publicly verifiable randomness, eliminating the need for a ceremony. (Used by Starknet).
• Bulletproofs: A transparent setup requiring no trusted parameters. (Originally used by Monero). The choice involves a trade-off between proof size, verification speed, and initial trust assumptions.

Unlike trustless protocols, a trusted setup introduces a cryptographic trust assumption. The system's security relies on the belief that at least one participant in the ceremony acted honestly and permanently deleted their toxic waste (the secret randomness). If all participants collude or are compromised, they could generate fraudulent proofs. This creates a single point of failure in time, distinct from ongoing validator trust in Proof-of-Stake.

The critical output of a setup is the Structured Reference String (SRS). To create it, participants generate secret random values. The leftover secret material is called toxic waste.

• If preserved, it allows the creator to forge proofs for any statement.
• The security model is often described as "1-of-N" honesty: only one participant needs to destroy their waste.
• The ceremony's goal is to ensure the final SRS is generated without anyone knowing the complete secret, rendering the perpetual forgery machine inoperable.

To minimize risk, setups use multi-party ceremonies with sequential layers. Each participant contributes randomness to the SRS from the previous layer, a process called sequential composition.

• Zcash's Powers of Tau (2016) involved 6 participants.
• Ethereum's KZG Ceremony (2023) had over 141,000 contributors, vastly increasing the difficulty of collusion.
• Universal setups (like Powers of Tau) can be reused by many applications, amortizing the risk. Application-specific setups confine risk to one system.

If the trusted setup is compromised, an attacker with the toxic waste can:

• Create undetectable fake proofs, invalidating the core security guarantee of the zk-rollup or privacy protocol.
• Mint unlimited assets in a privacy pool or rollup bridge.
• Double-spend shielded transactions. The breach is undetectable by protocol users, as forged proofs are cryptographically valid. Recovery would require a hard fork and a completely new, secure setup.

The cryptographic community actively researches trustless alternatives to avoid this risk:

• STARKs: Do not require a trusted setup, relying on collision-resistant hashes instead.
• Bulletproofs: Also trustless, but with larger proof sizes.
• Transparent SNARKs (e.g., based on IPA or Halo2): Eliminate the trusted setup requirement. The trade-off is often between proof size, verification speed, and the elimination of the trust assumption.

Participants must cryptographically verify their contribution was included correctly and provide a zero-knowledge proof of knowledge (PoK) of their secret. The ceremony's output must be publicly verifiable. Long-term security depends on the computational hardness assumptions (like the Discrete Log Problem) remaining unbroken. A setup is not a one-time audit; it's a perpetual foundation. Projects like Semaphore and Tornado Cash rely on the same Ethereum KZG setup, creating interconnected risk.

The secret, ephemeral data generated during a trusted setup that must be permanently deleted to ensure the system's security. If this data is retained or leaked, it could allow a malicious actor to create fraudulent cryptographic proofs. The entire purpose of a secure multi-party ceremony is to ensure this toxic waste is never known in its entirety by any single party.

• Analogy: The private key used to mint the public parameters, which must be thrown away.
• Security Imperative: The compromise of toxic waste invalidates the security guarantees of the system.