A Trusted Setup Ceremony is a multi-party computation (MPC) protocol that generates a common reference string (CRS) — a set of public parameters required by certain zero-knowledge proof systems like ZK-SNARKs. The ceremony's security model relies on a "1-of-N" trust assumption: the entire system remains secure as long as at least one participant honestly destroys their generated secret randomness, known as toxic waste, rendering the setup sound.
Glossary
Trusted Setup Ceremony

What is Trusted Setup Ceremony?
A multi-party computation protocol used to generate the common reference string required by some zero-knowledge proof systems, where security relies on at least one participant destroying their secret randomness.
During the ceremony, participants sequentially contribute randomness to a cryptographic construction, often using powers-of-tau for polynomial commitment schemes like KZG. Each participant's contribution updates the parameters, and if any single participant destroys their secret, the final CRS is secure against malicious provers. This contrasts with ZK-STARKs, which eliminate the need for a trusted setup entirely by relying on hash functions and the FRI protocol for transparent, post-quantum secure verification.
Key Characteristics of Trusted Setups
A trusted setup ceremony is a multi-party computation (MPC) protocol that generates the structured reference string (SRS) required by pairing-based zero-knowledge proof systems. Its security model hinges on the '1-of-N' honesty assumption.
The 1-of-N Honesty Assumption
The foundational security guarantee of a trusted setup. The entire ceremony is considered secure as long as at least one participant destroys their secret randomness (toxic waste). This single honest party permanently breaks the link between the final parameters and the secret needed to forge proofs. If all N participants collude or leak their secrets, the system is compromised.
Toxic Waste Management
The secret randomness generated by each participant is called toxic waste because its exposure would allow an attacker to create valid proofs for false statements. The ceremony uses a sequential MPC where each participant:
- Receives the accumulated SRS from the previous participant
- Generates fresh entropy
- Mixes it into the SRS
- Destroys their local secret before passing the result forward
Powers of Tau Ceremony
The most well-known universal trusted setup protocol, used to generate an SRS for any circuit up to a certain size. The Powers of Tau ceremony computes a sequence of powers of a secret value τ multiplied by a generator point on an elliptic curve. This phase is circuit-agnostic and can be reused across different applications. Ethereum's KZG ceremony used this approach with over 140,000 participants.
Perpetual Powers of Tau
An ongoing, community-driven trusted setup ceremony initiated by the Zcash Foundation. It operates as a continuous ceremony where anyone can participate at any time, adding their entropy to the accumulated SRS. Key properties:
- Unbounded duration: The ceremony never formally ends
- Largest SRS: Supports circuits with billions of constraints
- Public verifiability: Each contribution includes a proof of correct execution
Phase 2 Circuit-Specific Setup
After the universal Phase 1 (Powers of Tau), a circuit-specific Phase 2 is required. This phase encodes the actual constraint system of the application into the SRS. Unlike Phase 1, Phase 2 must be repeated for each unique circuit. The security still depends on at least one participant destroying their secret, but the output is only valid for that specific circuit.
Ceremony Participation Verification
Each participant generates a proof of correct contribution that can be independently verified by observers. This proof demonstrates that:
- The participant knew the secret randomness they contributed
- The SRS was correctly updated according to the protocol
- No malicious manipulation of the parameters occurred
This enables public auditability without requiring trust in any central coordinator.
Trusted Setup vs. Transparent Setup
A structural comparison of the two primary approaches for generating the common reference string (CRS) in zero-knowledge proof systems, contrasting their security assumptions, performance profiles, and operational trade-offs.
| Feature | Trusted Setup | Transparent Setup | Hybrid/Universal Setup |
|---|---|---|---|
Core Mechanism | Multi-party computation (MPC) ceremony to generate structured reference string (SRS) from secret randomness | Public randomness derived from deterministic, verifiable sources (e.g., hash functions, block hashes) | One-time universal setup generates a single SRS that can be reused for all circuits up to a size bound |
Primary Cryptographic Primitive | Bilinear pairings over elliptic curves (e.g., BN254, BLS12-381) | Collision-resistant hash functions (e.g., SHA-256, Poseidon, Blake2s) | Polynomial commitment schemes with structured reference strings (e.g., Powers of Tau) |
Proof System Examples | Groth16, Pinocchio, Marlin (with setup) | ZK-STARK, Bulletproofs, Aurora, Fractal | PLONK, Sonic, Marlin (universal mode) |
Security Assumption | Honest majority: at least 1 of N ceremony participants must destroy their toxic waste for soundness | Cryptographic hash function security; no trusted third party required | Honest majority during the one-time setup; subversion-resistant if at least one party is honest |
Proof Size | Constant and extremely small (128-288 bytes) | Larger, typically logarithmic or polylogarithmic (40-200 KB) | Constant but larger than Groth16 (300-500 bytes) |
Proving Time | Fastest; circuit-specific optimization yields minimal proving overhead | Slower; relies on FRI or inner-product arguments requiring more rounds | Competitive; universal circuit constraints add minor overhead vs. Groth16 |
Verification Time | Constant and fastest (single pairing check) | Logarithmic; requires multiple hash evaluations and Merkle path verification | Constant; typically one or two pairing checks |
Post-Quantum Security | |||
Setup Reusability | Circuit-specific; each new circuit requires a new ceremony | Fully universal; no setup required for any circuit | Universal; one setup serves all circuits up to a pre-defined constraint limit |
Toxic Waste Risk | High; secret parameters must be destroyed or soundness collapses | Moderate; one-time toxic waste exists but is amortized across all future circuits | |
Notable Deployments | Zcash (Sprout/Sapling), Tornado Cash, zkSync Era | StarkNet, Polygon Miden, Immutable X | Aztec, Mina, Dusk Network |
Frequently Asked Questions
A trusted setup ceremony is a multi-party computation protocol used to generate the common reference string required by some zero-knowledge proof systems, where security relies on at least one participant destroying their secret randomness.
A trusted setup ceremony is a multi-party computation (MPC) protocol that generates a common reference string (CRS)—a set of public parameters required by certain zero-knowledge proof systems like ZK-SNARKs. The ceremony proceeds in sequential rounds where each participant contributes a random secret (often called "toxic waste") to the parameters and then destroys their contribution. The protocol's security guarantee is elegantly simple: the CRS is secure as long as at least one participant honestly destroys their randomness. If even a single participant's secret remains unknown, the entire system remains sound. This "1-of-N" trust assumption transforms a single point of failure into a distributed trust model.
- Phase 1 (Powers of Tau): Generates universal parameters independent of any specific circuit.
- Phase 2: Tailors the parameters to a specific application circuit.
Notable ceremonies include Zcash's original ceremony (2016), the Perpetual Powers of Tau (ongoing since 2019), and Ethereum's KZG Ceremony (2022-2023) which attracted over 140,000 contributions.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
A trusted setup ceremony is a foundational multi-party computation protocol. The following concepts form the cryptographic ecosystem that either depends on, replaces, or parallels the trusted setup process.
Common Reference String (CRS)
The output of a trusted setup ceremony and a critical input to many ZK-SNARK proving systems. The CRS is a structured piece of public data shared between prover and verifier that encodes secret randomness. If the toxic waste—the discrete logarithm linking the CRS elements—is not destroyed, an attacker could forge proofs. The CRS is sometimes called a Structured Reference String (SRS) when it has a specific algebraic structure.
- Must be generated by a ceremony or updatable process
- Size grows linearly with circuit complexity in Groth16
- Universal SRS schemes like Sonic and Marlin support any circuit up to a size bound
Toxic Waste
The secret randomness generated during a trusted setup that must be destroyed for the system to remain secure. In pairing-based SNARKs, the toxic waste is typically the discrete logarithm relationship between CRS elements. If an attacker possesses the toxic waste, they can forge validity proofs for false statements—minting counterfeit assets in a zk-rollup or creating shielded transactions from nothing.
- Must be destroyed by every ceremony participant
- Destruction is typically done by deleting private keys or physically destroying hardware
- Some ceremonies use air-gapped computers later incinerated

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us