
Trusted Setup

A trusted setup is a one-time ceremony in cryptographic systems to generate public parameters, where the secrecy of generated 'toxic waste' is critical for the system's security.
Chainscore © 2026
definition
CRYPTOGRAPHIC PROTOCOL

What is Trusted Setup?

A trusted setup is a foundational ceremony in certain cryptographic systems where a secret parameter is generated, requiring participants to be honest for the system's long-term security.

A trusted setup is a one-time cryptographic ceremony that generates the initial parameters, often called the Common Reference String (CRS) or structured reference string (SRS), for a zero-knowledge proof system like zk-SNARKs. During this process, one or more participants use random secrets to create public parameters that will be used by all future users to generate and verify proofs. The critical security assumption is that these participants must honestly delete their secret random values, known as toxic waste; if any single participant retains this waste, they could potentially create fraudulent proofs that appear valid to the network, compromising the entire system.

The process often employs a multi-party computation (MPC) ceremony to distribute trust among many participants, a method known as an MPC-based trusted setup. In this model, each participant sequentially contributes their own randomness to the setup, with the final parameters being a product of all contributions. The security guarantee improves dramatically: as long as at least one participant is honest and destroys their secret, the toxic waste is effectively erased and the system remains secure. High-profile examples include the Perpetual Powers of Tau ceremony for Ethereum and the setup for Zcash's original Sprout protocol, which involved six participants in a detailed public ceremony.

The primary critique of trusted setups is the inherent trust assumption they introduce, which conflicts with the trust-minimization ethos of blockchain. A compromised setup creates a systemic, undetectable backdoor. Consequently, cryptographic research strongly favors transparent setups (like those used in zk-STARKs and Bulletproofs) that require no secret parameters and no trust. However, for many efficient zk-SNARK constructions, a trusted setup remains a practical necessity, making robust, publicly auditable MPC ceremonies the best available method to bootstrap trust for these powerful privacy and scaling technologies.

how-it-works
CRYPTOGRAPHIC PROTOCOL

How a Trusted Setup Ceremony Works

A trusted setup ceremony is a multi-party cryptographic protocol designed to generate the initial parameters, or *structured reference string* (SRS), for a zero-knowledge proof system while minimizing the risk of a single point of failure.

In a trusted setup ceremony, multiple independent participants sequentially contribute random secret values, or toxic waste, to a shared computation. Each participant receives the output from the previous contributor, adds their own secret randomness, and passes the updated parameters forward. This process creates a chain of dependencies where the final public parameters are secure as long as at least one participant was honest and successfully destroyed their secret. Famous examples include the Perpetual Powers of Tau ceremony for SNARKs and the ceremony for the Zcash cryptocurrency's original Sprout protocol.

The security model is often described as a 1-of-N trust assumption. If all participants collude or are compromised, they could collectively reconstruct the master secret and generate fraudulent proofs. However, the ceremony's design makes such collusion statistically improbable as the number of honest, independent participants grows. Techniques like multi-party computation (MPC) and public attestations (e.g., video recordings of the secret destruction) are used to enhance transparency and verifiability. The final output is a set of public parameters that can be universally used and verified by anyone.

For developers, the ceremony's output is typically a structured reference string or common reference string (CRS), which is essential for generating and verifying zero-knowledge proofs in systems like Groth16, PLONK, or Halo2. Once generated, these parameters are considered universal or updatable, allowing future ceremonies to extend security rather than requiring a full restart. This process is critical for bootstrapping privacy-preserving blockchains and layer-2 scaling solutions, as it establishes the foundational cryptographic trust for the entire system without relying on a single trusted entity.
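The sequential contribution chain and the 1-of-N argument described above, as an added example rather than code from Chainscore or any ceremony implementation: a toy Powers-of-Tau round with the two pairing checks a verifier runs on each published update. The group is modelled by exponents modulo a constructed prime Q so that the pairing is computable; discrete logs are therefore trivial here, and the code illustrates the ceremony's algebra and verification logic, not its hardness assumption.

```python
import secrets

# Toy group of prime order Q (constructed value, not a real curve). An element g^x
# is stored as its exponent x, which is what makes the pairing below computable.
Q = 2**61 - 1

class G:
    """Element g^x of a cyclic group, represented by its exponent x (toy)."""
    def __init__(self, x: int): self.x = x % Q
    def __mul__(self, other): return G(self.x + other.x)   # g^a * g^b = g^(a+b)
    def __pow__(self, k: int): return G(self.x * k)        # (g^a)^k = g^(ak)
    def __eq__(self, other): return self.x == other.x

g = G(1)

def pair(a: G, b: G) -> int:
    """Toy bilinear pairing e(g^a, g^b) = a*b; real ceremonies use a curve pairing."""
    return (a.x * b.x) % Q

def initial_srs(degree: int) -> list:
    """Public starting point [g^(tau^0), ..., g^(tau^degree)] with tau = 1."""
    return [g] * (degree + 1)

def contribute(srs: list, s: int):
    """One participant mixes secret s into tau: g^(tau^k) -> g^((tau*s)^k).
    Returns the new SRS and the public key g^s that links the update to s."""
    return [srs[k] ** pow(s, k, Q) for k in range(len(srs))], g ** s

def verify_contribution(old: list, new: list, pk: G) -> bool:
    """Pairing checks a ceremony verifier runs on every published update:
    linking   e(new[1], g) == e(old[1], pk)        -> new tau is old tau times s
    structure e(new[k+1], g) == e(new[k], new[1])  -> consecutive powers of one tau"""
    if pair(new[1], g) != pair(old[1], pk):
        return False
    return all(pair(new[k + 1], g) == pair(new[k], new[1]) for k in range(len(new) - 1))

def run_ceremony(n_participants: int, degree: int):
    """Sequential MPC ceremony: each participant extends the previous SRS."""
    srs, transcript, toxic_waste = initial_srs(degree), [], []
    for _ in range(n_participants):
        s = secrets.randbelow(Q - 2) + 2        # fresh secret in [2, Q-1]
        new, pk = contribute(srs, s)
        if not verify_contribution(srs, new, pk):
            raise ValueError("malformed contribution rejected")
        transcript.append(pk)                   # published: g^s, never s itself
        toxic_waste.append(s)                   # retained here only to model collusion
        srs = new
    return srs, transcript, toxic_waste

def reconstruct_tau(shares: list) -> int:
    """Full collusion recovers tau = s_1 * ... * s_n; if any one honest
    participant destroyed their share, the product is unrelated to tau (1-of-N)."""
    tau = 1
    for s in shares:
        tau = tau * s % Q
    return tau
```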

key-features
TRUSTED SETUP

Key Features & Characteristics

A trusted setup is a foundational cryptographic ceremony where a set of secret parameters is generated to initialize a system, most commonly a zero-knowledge proof (ZKP) circuit. The security of the entire system depends on the correct execution and subsequent destruction of these secrets.

01

The Ceremony

A trusted setup is a one-time, multi-party computation (MPC) ceremony. Participants, or contributors, sequentially generate and combine random secrets to create the final Structured Reference String (SRS) or Common Reference String (CRS). The ceremony is designed so that as long as at least one participant is honest and destroys their secret, the final parameters remain secure.

02

Security Model

The security of a trusted setup is based on the "1-of-N" trust assumption. It assumes that at least one participant in the ceremony acted honestly by:

  • Generating their random contribution securely.
  • Permanently deleting their secret entropy (the "toxic waste") after contributing.

If all participants collude or are compromised, they could create fraudulent proofs, undermining the entire system.

03

Toxic Waste

This is the critical secret randomness generated during the ceremony. If retained, toxic waste allows its holder to forge proofs, such as creating tokens out of thin air or double-spending. The core purpose of the ceremony is to ensure this waste is generated in a distributed manner and then destroyed, making it computationally infeasible to reconstruct.

04

Universal vs. Circuit-Specific

Trusted setups can be categorized by their scope:

  • Universal (Updatable): Creates a reusable SRS for an entire proof system (e.g., Groth16, PLONK). New circuits can be proven without a new ceremony. Examples: Perpetual Powers of Tau, Aztec's Ignition.
  • Circuit-Specific: Generates parameters for a single, fixed circuit. Any change to the circuit logic requires a completely new ceremony. This is less flexible but was common in early ZK-SNARKs.

05

Verifiable & Transparent Alternatives

Not all proof systems require a trusted setup. Key alternatives include:

  • STARKs: Use publicly verifiable randomness, making them transparent and trustless.
  • Bulletproofs: Also transparent, with no required setup phase.

Systems with trusted setups (like Groth16) often offer smaller proof sizes and faster verification, creating a trade-off between performance and trust assumptions.

06

Real-World Examples

Major blockchain projects have conducted high-profile trusted setup ceremonies:

  • Zcash (Sprout): The original ceremony, known as "The Ceremony", for the Sapling upgrade.
  • Tornado Cash: Used a multi-party ceremony for its anonymity pools.
  • Polygon zkEVM, Scroll, zkSync Era: Each conducted large-scale MPC ceremonies (often based on Perpetual Powers of Tau) to generate the SRS for their zk-rollup circuits.

toxic-waste
CRYPTOGRAPHIC SECURITY

The Role of 'Toxic Waste'

In cryptographic protocols, 'toxic waste' refers to the secret parameters generated during a trusted setup ceremony that must be permanently destroyed to ensure the system's long-term security.

In a trusted setup ceremony, participants collaborate to generate the common reference string (CRS) or public parameters for a cryptographic system, such as a zk-SNARK circuit. During this process, each participant generates a secret random value, often called a 'toxic' or 'toxic waste' value. These secrets are used to compute the final public parameters, but if even one piece of toxic waste is retained by any participant, it could compromise the entire system. The fundamental security assumption is that all participants successfully delete their secret values, making it computationally infeasible to forge proofs or break the protocol's soundness.

The term 'toxic waste' vividly illustrates the danger of these retained secrets. If not properly disposed of, they act as a master key or a trapdoor, allowing a malicious actor who possesses them to create fraudulent cryptographic proofs. For example, in a zk-SNARK system for a private transaction, someone with the toxic waste could generate a valid proof for an invalid transaction, potentially creating counterfeit assets or double-spending. Therefore, the security of the entire application built on these parameters hinges on the ceremony's integrity and the verifiable destruction of this material.

To mitigate the risk, trusted setup ceremonies employ multi-party computation (MPC). In a multi-party ceremony, the toxic waste is split among many participants, and security is guaranteed as long as at least one participant is honest and destroys their share. High-profile examples include the Perpetual Powers of Tau ceremony for Zcash and the setup for Ethereum's KZG polynomial commitments. These ceremonies are often publicly recorded and involve diverse, credible participants to increase trust in the process, moving from a 'trusted' setup to a 'trust-minimized' or ceremonial setup.

examples
HISTORICAL CONTEXT

Notable Trusted Setup Ceremonies

These ceremonies are foundational to the security of major zero-knowledge proof systems, where participants collaboratively generate the initial cryptographic parameters, or Structured Reference String (SRS).

06

The Concept of "Ceremony" vs. "Setup"

The term "ceremony" is deliberately used instead of "setup" to emphasize the human and procedural elements beyond pure cryptography. A successful ceremony requires:

  • Transparent documentation of the process and participants.
  • Verifiable contributions published to a public ledger.
  • Coordinator robustness or removal (e.g., via ZK proofs).
  • Clear destruction of toxic waste.

The goal is to create a publicly verifiable audit trail that maximizes the cost of corruption for any attacker.

CRYPTOGRAPHIC CEREMONY COMPARISON

Trusted Setup vs. Trustless/Universal Setup

A comparison of the foundational security assumptions and properties of different types of cryptographic setup ceremonies used in zero-knowledge proof systems.

| Feature / Property | Trusted Setup | Trustless / Universal Setup |
|---|---|---|
| Core Security Assumption | Requires at least one honest participant during the initial ceremony. | Relies solely on cryptographic hardness assumptions; no ceremony required. |
| Setup Ceremony Required | Yes | No |
| Ceremony Type | Multi-party computation (MPC) with a 'toxic waste' disposal problem. | None. Parameters are generated from a public, verifiable seed (e.g., a nothing-up-my-sleeve number). |
| Trust Model | Fragile. Security collapses if all ceremony participants collude. | Robust. No trusted parties are assumed to exist. |
| Prover/Verifier Keys | Ceremony-specific. A new setup creates new proving/verification keys. | Universal. A single set of public parameters supports many circuits and applications. |
| Upgrade/Reusability | New application or upgrade requires a new trusted setup ceremony. | Supports new applications and circuit upgrades without a new setup. |
| Notable Examples | Zcash's original Sprout ceremony, Tornado Cash, many zk-SNARK rollups. | zk-STARKs, Bulletproofs, Halo/Halo2, some newer zk-SNARK constructions. |
| Primary Risk | Long-term secret compromise or collusion of all initial participants. | Reliance on the cryptographic security of the underlying hash function or problem. |

security-considerations
TRUSTED SETUP

Security Considerations & Risks

A trusted setup is a cryptographic ceremony where a secret parameter is generated to initialize a system, creating a persistent security risk if the secret is compromised.

01

The Single Point of Failure

The toxic waste (secret parameters) generated during the ceremony must be permanently destroyed. If any participant retains or reconstructs this secret, they can forge valid proofs (e.g., create fake zk-SNARKs) or decrypt private data, undermining the entire system's security. This creates a permanent, unchangeable backdoor.

02

Ceremony Complexity & Coordination

Mitigating the single-point-of-failure risk requires complex multi-party computation (MPC) ceremonies with many participants. Each participant adds a layer of entropy. The security model assumes at least one participant is honest and destroys their share. However, coordinating a large, geographically distributed group of trusted parties is operationally challenging and expensive.

03

Verification & Auditability

It is cryptographically impossible to verify from the final public parameters alone whether the toxic waste was destroyed. Security relies on transparent ceremony procedures, auditable software, and the reputation of participants. Any flaw in the ceremony implementation (e.g., poor randomness) or a covert channel can leak the secret.

04

Notable Examples & Incidents

  • Zcash's original Sprout setup (2016): Used a 6-party ceremony, with concerns about its scale and the use of air-gapped machines.
  • Tornado Cash Nova: Relied on a trusted setup for its anonymity pools.
  • General Risk: Any system using zk-SNARKs with a structured reference string (SRS), like many early Layer 2 rollups, initially required a trusted setup, creating a systemic risk until upgraded.

05

Mitigations & Modern Alternatives

  • Upgradable Systems: Parameters can be generated in a new ceremony, but this requires a hard fork and re-deployment.
  • Universal Setups: A single ceremony (e.g., Perpetual Powers of Tau) can bootstrap multiple applications, amortizing risk.
  • Transition to Trustless Proofs: Modern systems are moving to STARKs or zk-SNARKs with transparent setups (e.g., using elliptic curves with a known group order), which require no secret parameters.

06

Systemic & Long-Term Risk

The risk is perpetual for systems using a trusted setup. A secret compromised years later via cryptanalysis, hardware vulnerability (e.g., side-channel attacks), or coercion of a past participant invalidates all historical and future transactions. This makes trusted setups unsuitable for high-value, long-lived systems without robust, ongoing risk assessment.

FAQ

Common Misconceptions About Trusted Setups

Trusted setups are a foundational cryptographic component in many blockchain systems, but are often misunderstood. This section clarifies frequent points of confusion regarding their security, necessity, and operational reality.

A trusted setup is a one-time cryptographic ceremony where a set of secret parameters is generated to bootstrap a system, after which the secrets can be destroyed to ensure the system's security. It is necessary for constructing certain advanced cryptographic primitives like zk-SNARKs and zk-STARKs, which enable private transactions and scalable proofs. The ceremony establishes a Common Reference String (CRS) or Structured Reference String (SRS). While the setup phase requires trust that participants will discard their secrets (hence 'trusted'), the resulting system can be unconditionally secure for all future use. Protocols like Zcash (for Sprout and Sapling) and many Layer 2 rollups (e.g., those using Groth16) rely on such setups.

TRUSTED SETUP

Frequently Asked Questions (FAQ)

A trusted setup is a foundational cryptographic ceremony used to generate the initial parameters for certain zero-knowledge proof systems. This section answers common questions about its purpose, security model, and real-world implementations.

A trusted setup is a one-time, multi-party ceremony that generates the initial public parameters, often called a Common Reference String (CRS) or Structured Reference String (SRS), required to bootstrap a zk-SNARK or similar proving system. The process involves participants generating and combining secret values, with the security guarantee that if at least one participant is honest and destroys their secret, the final parameters are secure. This 'trust' in the honesty of at least one participant is the origin of the term. If all participants collude, they could theoretically create fraudulent proofs, making the ceremony's integrity paramount. Major networks like Zcash (for Sprout and Sapling) and Ethereum (for KZG commitments in EIP-4844) have conducted high-profile trusted setups.

Trusted Setup: Definition & Cryptographic Ceremony | ChainScore Glossary