Trusted Setup

A trusted setup is a multi-party computation (MPC) ceremony where participants sequentially contribute randomness to generate the final parameters. Each participant receives the output from the previous contributor, adds their secret, and passes it on. The final parameters are secure as long as at least one participant was honest and destroyed their secret contribution (the 'toxic waste').

The toxic waste refers to the secret random values (often called 'tau' or 's') generated during the ceremony. If retained, this secret allows an attacker to forge proofs. The security assumption is that all participants perform a secure deletion of their toxic waste. Systems like Groth16 require a universal setup, while PLONK and Marlin use updatable or structured setups.

• Universal Setup (Groth16): A single ceremony generates parameters for a specific circuit size cap. It is not updatable; a new ceremony is required for larger circuits.
• Updatable/Powers of Tau Setup (PLONK, Marlin): The ceremony produces a structured reference string (SRS). New participants can contribute later, reinforcing security. This allows the same SRS to be used for many different circuits, making it more flexible and sustainable.

The ceremony moves from a trusted third party model (high risk) to a trusted initializer model. The goal is to maximize the number of independent, credible participants to make collusion statistically improbable. Security is often framed as 1-of-N trust, where only one honest participant is needed. Real-world ceremonies use diverse participants, public livestreams, and hardware security modules to increase confidence.

• Zcash's original Sprout setup (2016): A 6-party ceremony for the first major zk-SNARK implementation.
• Ethereum's Perpetual Powers of Tau (2018-): A continuous, contributor-driven universal MPC for the BN128 and BLS12-381 curves, with hundreds of participants.
• Filecoin's Trusted Setup (2018): A large-scale ceremony for their Proof-of-Replication and Proof-of-Spacetime circuits.
• Zcash's Sapling Powers of Tau (2018): A 90+ participant ceremony for the newer Sapling protocol.

Ceremonies employ multiple techniques to minimize required trust:

• Multi-Party Computation (MPC): Distributes trust across participants.
• Public Verification: Contributions are cryptographically verifiable by anyone.
• Transparent Ceremonies: Use public livestreams, detailed logs, and open-source software.
• Diverse Participants: Include cryptographers, auditors, community members, and public figures to reduce collusion risk.
• Hardware Security Modules (HSMs): Used to generate and securely delete secrets in isolated environments.

A trusted setup is a multi-party computation (MPC) ceremony where participants collaboratively generate a common reference string (CRS) or structured reference string (SRS). Each participant contributes randomness to create a secret, performs computations, and provides a proof. The final security relies on the assumption that at least one participant was honest and destroyed their secret contribution, a concept known as the "1-of-N trust assumption."

The Powers of Tau is a universal, updatable trusted setup for pairing-based zk-SNARKs. Unlike one-time ceremonies, it creates a structured reference string (SRS) that can be re-used and extended by future projects. Notable ceremonies include:

• Filecoin's Phase 2
• Ethereum's KZG Ceremony for EIP-4844 (proto-danksharding) This approach allows for trust amortization, where many protocols inherit security from a single, large-scale public ceremony.

Not all proving systems require a trusted setup. Key trustless alternatives include:

• zk-STARKs: Use publicly verifiable randomness, eliminating the need for a trusted ceremony.
• Bulletproofs: Also do not require a trusted setup, making them simpler to deploy. The trade-off is often between the proving/verification speed and size of proofs (better in SNARKs with setup) and the trust model (better in STARKs/Bulletproofs).

The core risk is toxic waste—if any participant records their secret contribution, they could generate fraudulent proofs. Mitigation strategies include:

• Multi-party computations (MPC) with many participants.
• Ceremony audits and public verification of transcripts.
• Subversion-resistant protocols that allow detection of compromised parameters. The goal is to make the cost of corruption astronomically high and publicly detectable.

A trusted setup ceremony involves multiple participants sequentially contributing randomness to generate a final set of public parameters (e.g., a Common Reference String or Structured Reference String). The core security assumption is that at least one participant is honest and destroys their secret 'toxic waste'. If all participants collude and retain their secrets, they could potentially generate fraudulent proofs. This makes the ceremony's integrity and transparency paramount.

Unlike ongoing consensus or cryptographic assumptions, a trusted setup creates a permanent, system-wide risk. If the ceremony is compromised, the entire cryptographic foundation of the application is broken, potentially allowing for:

• Counterfeit asset creation (minting tokens from nothing)
• Double-spending
• Censorship of valid transactions This risk cannot be patched post-deployment without a new setup and network migration.

Protocols employ several methods to minimize trust in the setup:

• Multi-Party Computation (MPC): Distributes trust among many participants.
• Public Ceremonies: Open participation increases the likelihood of an honest actor.
• Verifiable Delay Functions (VDFs): Can be used to create randomness without a trusted party, enabling trustless setups for some systems.
• Ceremony Audits: Public recording and verification of each participant's steps.

Major networks have undergone high-profile ceremonies, demonstrating the scale of the risk and effort involved:

• Zcash (2016): The original 'Powers of Tau' ceremony for zk-SNARKs, involving 6 participants.
• Ethereum's KZG Ceremony (2023): A massive public ceremony for EIP-4844 (proto-danksharding), with over 141,000 contributions, significantly raising the bar for collusion.
• Tornado Cash: Its initial setup required trust in a small group of developers, a point of centralization criticism.

This is a key architectural distinction in cryptography:

• Trusted Setup Required: Systems like Groth16 zk-SNARKs require a one-time ceremony. The risk is 'front-loaded'.
• Trustless (Transparent) Setup: Systems like Bulletproofs and STARKs use publicly verifiable randomness, eliminating this specific trust assumption. The trade-off is often larger proof sizes or higher verification costs.

For systems using a trusted setup, rigorous external security audits are non-negotiable. Auditors must verify:

• The correctness of the cryptographic implementation.
• The integrity of the ceremony procedure.
• The proper destruction of secret material by participants.
• The use of secure, air-gapped hardware during the ceremony. The audit report is a critical component of the system's security claims.