A trusted setup ceremony is a cryptographic protocol where multiple participants collaboratively generate the initial parameters, known as the Common Reference String (CRS) or structured reference string (SRS), for a zero-knowledge proof system like zk-SNARKs. The ceremony's primary goal is to decentralize trust by ensuring that at least one participant is honest and destroys their secret contribution, thereby preventing the creation of fraudulent proofs. If all participants collude and retain their secrets, they could theoretically generate false proofs without detection, compromising the entire system's security.
LABS
Glossary
Trusted Setup Ceremony
A trusted setup ceremony is a multi-party computation protocol used to generate the public parameters for cryptographic systems, where security is maintained if at least one participant is honest.
Chainscore © 2026
definition
CRYPTOGRAPHIC PROTOCOL
What is a Trusted Setup Ceremony?
A foundational process for generating the initial parameters required by certain cryptographic systems, most notably zero-knowledge proof protocols.
The ceremony typically involves a multi-party computation (MPC) where each participant sequentially adds a layer of secrecy. Each party receives the current state of the parameters, mixes in a random secret value, performs a computation, and then passes the updated parameters to the next participant. Crucially, after contributing, each party must perform a toxic waste disposal—the permanent deletion of their secret random value. The final output is a set of public parameters that can be used to generate and verify proofs, with security guaranteed as long as at least one participant was honest.
Prominent examples include the Zcash Sapling Powers of Tau ceremony and Ethereum's KZG ceremony for its danksharding roadmap. These events often involve hundreds or thousands of participants, including notable cryptographers and community members, to maximize the perceived likelihood of an honest participant. The process is publicly verifiable; participants generate proofs of correct computation, and all transcripts are published, allowing anyone to audit the ceremony's integrity without revealing the secret contributions.
While trusted setup ceremonies significantly reduce central points of failure, they are not required by all zero-knowledge systems. zk-STARKs, for instance, are transparent and do not need a trusted setup, trading this off for larger proof sizes. For systems that use them, the ceremony is a critical, one-time bootstrap event. Once completed successfully, the generated parameters can be used indefinitely by all users of the protocol, forming a bedrock of trust for applications in private transactions and scalable blockchain computation.
how-it-works
MECHANISM
How Does a Trusted Setup Ceremony Work?
A trusted setup ceremony is a cryptographic ritual where multiple participants collaborate to generate the initial parameters for a zero-knowledge proof system, distributing trust to prevent a single point of failure.
A trusted setup ceremony is a multi-party computation (MPC) protocol designed to generate the structured reference string (SRS) or common reference string (CRS) required by zk-SNARKs and other advanced proving systems. The core objective is to produce this critical cryptographic parameter while ensuring that at least one participant honestly destroys their secret "toxic waste"—a piece of ephemeral secret data used during the generation. If this toxic waste is retained, it could allow the holder to create fraudulent proofs. The ceremony's security model is based on a 1-of-N trust assumption: the system is secure as long as at least one participant was honest and successfully deleted their secret.
The process typically follows a sequential, round-based structure. In each round, a participant receives the current public parameters from the previous participant, performs a computation that mixes in their own secret randomness, and then passes the updated parameters to the next party. Crucially, each participant must provide a cryptographic proof of correct computation (often a proof of knowledge) to verify they followed the protocol without introducing errors or backdoors. After contributing, the participant is expected to permanently erase their secret randomness. Famous examples include the Zcash Powers of Tau ceremony for the Sapling upgrade and Perpetual Powers of Tau, which serve as universal setups for various zk-SNARK circuits.
The integrity of the ceremony hinges on robust participant selection and verifiability. Participants, or "contributors," are often a diverse group of credible individuals and organizations to minimize collusion risk. The entire process is publicly recorded: all contributions, proofs, and the final output are published on-chain or in public repositories. This allows anyone to cryptographically verify that each step was performed correctly, creating a transparent and auditable trail. While the ceremony reduces centralization risk, it does not eliminate trust entirely; it distributes it across the participant set, making compromise exponentially more difficult.
key-features
TRUSTED SETUP CEREMONY
Key Features & Properties
A trusted setup ceremony is a cryptographic ritual where a group of participants collaboratively generates the initial parameters (often called a Common Reference String or CRS) for a zk-SNARK or similar proving system, with the goal of ensuring no single party knows the secret 'toxic waste'.
01
The Toxic Waste Problem
The core security requirement. To generate the proving and verification keys for a zk-SNARK, a secret random value (often called toxic waste or a trapdoor) is used. If this secret is known by anyone after setup, they could create fraudulent proofs that verify as true, breaking the entire system. The ceremony's purpose is to destroy all knowledge of this secret.
02
Multi-Party Computation (MPC)
The primary defense mechanism. The ceremony uses secure multi-party computation (MPC) to distribute trust. Multiple participants sequentially contribute their own randomness to the setup. The final parameters are a product of all contributions. Security holds if at least one participant was honest and destroyed their secret randomness, as this renders the final toxic waste unrecoverable.
03
Ceremony Phases
A structured process to ensure integrity:
- Contribution Phase: Participants generate randomness, perform a computation on the current parameters, and publish their update.
- Verification Phase: Other participants or the public can cryptographically verify that each contribution was computed correctly.
- Completion & Destruction: The final parameters are published, and participants are expected to securely delete their secret randomness. Public transcripts allow for auditability.
04
Notable Examples
Real-world implementations that established the model:
- Zcash's Powers of Tau (2016): The original large-scale ceremony for the Sapling upgrade, involving 6 participants.
- Filecoin's Trusted Setup: A massive ceremony with contributions from thousands of participants worldwide.
- Ethereum's KZG Ceremony (2023): For proto-danksharding (EIP-4844), it became one of the largest with over 141,000 contributions.
05
Security Model: 1-of-N Trust
The ceremony transforms the security assumption from trust in a single entity to trust that at least one of many participants was honest. This is considered a significant improvement. The security increases with the number and diversity of participants, as it becomes statistically less likely that all were compromised or colluding.
06
Limitations & Critiques
Understanding the trade-offs is crucial.
- Not Trustless: It introduces a trust assumption, albeit distributed.
- Complexity & Cost: Running a secure ceremony is logistically complex and expensive.
- Verification Burden: While contributions are verifiable, the process requires careful auditing.
- Alternative: Some newer proof systems like STARKs and Bulletproofs are designed to be transparent, eliminating the need for a trusted setup entirely.
examples
TRUSTED SETUP CEREMONY
Real-World Protocol Examples
Trusted setup ceremonies are foundational cryptographic rituals used by major protocols to generate the initial parameters for zero-knowledge proof systems. These examples demonstrate how different projects have implemented this critical security process.
security-considerations
CRYPTOGRAPHIC PROTOCOL
Trusted Setup Ceremony
A trusted setup ceremony is a multi-party cryptographic protocol used to generate the initial parameters for certain zero-knowledge proof systems, where the security of the entire system depends on the destruction of a secret 'toxic waste' generated during the process.
A trusted setup ceremony is a cryptographic ritual where multiple participants collaboratively generate the structured reference string (SRS) or common reference string (CRS) required for zk-SNARKs and other advanced proving systems. The core security premise is that as long as at least one participant is honest and destroys their secret randomness, or 'toxic waste,' the final parameters can be trusted. This process transforms a scenario requiring a single, completely trusted party into one that is trust-minimized, relying on the improbability of all participants colluding.
The ceremony typically involves a sequential process where each participant receives the current state of the parameters, contributes their own secret randomness, and then passes the updated parameters to the next participant. Common models include the Powers of Tau setup for pairing-based cryptography and circuit-specific setups. The final output is the public SRS, while the contributing secrets must be verifiably discarded. The integrity of the ceremony is often bolstered by public verifiability, allowing anyone to cryptographically verify that each step was performed correctly without learning the secrets.
While a major improvement over a single trusted party, trusted setups are considered a security assumption or 'trusted third party in the past.' If the toxic waste is not destroyed, an adversary could create fraudulent proofs. High-profile examples include the original Zcash Sprout ceremony and the perpetual Filecoin and Ethereum KZG ceremony. The goal is to maximize participant diversity and use auditable hardware to minimize collusion risk, making the setup 'ceremonial' in its transparent, ritualistic execution to build public confidence.
CRYPTOGRAPHIC FOUNDATIONS
Trusted vs. Transparent Setup
A comparison of the two primary methods for generating the initial parameters (common reference string) for zero-knowledge proof systems.
| Feature | Trusted Setup | Transparent Setup |
|---|---|---|
Initial Parameter Generation | Requires a secret ceremony with one or more participants. | Uses public, verifiable randomness (e.g., nothing-up-my-sleeve numbers). |
Trust Assumption | Participants must destroy their secret shares (toxic waste). | No trust assumptions; setup is publicly verifiable from inception. |
Security Risk | If any participant is compromised and retains the secret, the system's security is broken. | No secret to retain or compromise; security relies solely on cryptographic hardness. |
Ceremony Complexity | High; requires secure multi-party computation (MPC) and auditable participant coordination. | Low; parameters are generated algorithmically without secret coordination. |
Examples | Zcash's original Sprout ceremony (Powers of Tau), Groth16 proof system. | zk-SNARKs with FRI (STARKs), Bulletproofs, Halo. |
Post-Quantum Security | ||
Common Use Case | Early-generation zk-SNARKs requiring optimal proof size and verification speed. | Newer protocols prioritizing trust minimization and auditability. |
TRUSTED SETUP CEREMONIES
Common Misconceptions
Trusted setup ceremonies are a critical cryptographic procedure for generating the initial parameters for certain zero-knowledge proof systems, but they are often misunderstood. This section clarifies the most frequent points of confusion.
A trusted setup ceremony is a multi-party computation (MPC) protocol used to generate the common reference string (CRS) or structured reference string (SRS) required by certain zk-SNARKs (like Groth16) and other cryptographic systems, where a single party generating the parameters would create a dangerous 'toxic waste' secret. The ceremony is necessary because if the secret parameters used to create the CRS are known by any single entity, that entity could create fraudulent proofs that would be accepted as valid, breaking the system's security. The goal of the ceremony is to distribute the generation of this secret across multiple participants so that as long as at least one participant is honest and destroys their secret share, the final toxic waste is unrecoverable and the system is secure.
TRUSTED SETUP CEREMONY
Frequently Asked Questions
A trusted setup ceremony is a foundational cryptographic ritual used to generate the initial parameters for certain zero-knowledge proof systems. These questions address its critical role, security implications, and real-world examples.
A trusted setup ceremony is a multi-party protocol used to generate the common reference string (CRS) or structured reference string (SRS) for cryptographic systems like zk-SNARKs, where at least one participant must be honest and destroy their secret for the system to be secure. It works by having multiple participants sequentially contribute randomness to a set of initial parameters. Each participant takes the output from the previous participant, mixes in their own secret random value (a 'toxic waste' or 'toxic parameter'), and passes it on. The final output is the public CRS. The ceremony is considered secure if at least one participant successfully deleted their secret contribution, making it computationally infeasible to reconstruct the original toxic waste and compromise the system.
ENQUIRY
Get In Touch
today.
Our experts will offer a free quote and a 30min call to discuss your project.
NDA Protected
Confidentiality24h Response
Time to ValueDirectly to Engineering Team
No Sales Fluff10+
Protocols Shipped
$20M+
TVL Overall