2026-07-01
Trusted Setup Ceremonies: Risks and Mitigations
What toxic waste actually is, how powers-of-tau and phase-2 ceremonies work, what history teaches about setup risk, and what integrating teams must verify before trusting someone else's parameters.
Trusted Setup Ceremonies: Risks and Mitigations
Pairing-based SNARKs like Groth16 and KZG-based PLONK need structured public parameters — a proving key and verifying key derived from secret randomness. If anyone knows that randomness, they can forge proofs that verify perfectly. Ceremonies exist to generate these parameters so that, with high confidence, nobody knows the secret. This guide explains what can actually go wrong, what history teaches, and what you should verify before building on parameters someone else generated.
What Toxic Waste Is
The parameters for these systems encode powers of a secret field element — conventionally tau (τ) — "in the exponent": group elements of the form [τ]G, [τ²]G, …, [τⁿ]G. Deriving τ from these elements is a discrete-log problem, presumed infeasible. But whoever sampled τ knew it, at least momentarily. That knowledge is the toxic waste.
Why is it toxic? In KZG, knowing τ lets you open a polynomial commitment to arbitrary values — you can "prove" false evaluations. In Groth16, knowledge of the setup secrets lets you construct proofs of false statements that the verifier accepts. The forgery is undetectable by design: the proof is indistinguishable from an honest one. In a shielded pool, that means silent counterfeiting; in a rollup, fraudulent state transitions with valid proofs.
So the entire security question of a ceremony reduces to: was the secret randomness actually destroyed? — a claim about the physical world (RAM, disks, swap files, memory of participants) that cryptography alone cannot establish.
MPC Ceremonies and the 1-of-N Honesty Assumption
Nobody runs single-party setups for serious systems anymore. Instead, multi-party computation ceremonies chain contributions: participant 1 samples τ₁ and outputs parameters; participant 2 samples τ₂ and re-randomizes those parameters so they now encode τ₁·τ₂; and so on. Each participant publishes a proof (of knowledge of their contribution's discrete log) that they updated the previous transcript correctly, without revealing their secret.
The resulting security property: an attacker must compromise every participant to learn the combined secret. Equivalently, if even one of N participants honestly destroyed their randomness, the parameters are secure. This "1-of-N honesty" assumption is why ceremonies recruit many, diverse, mutually-distrusting participants — the marginal contributor costs the ceremony little and forces the attacker's job to include them too. It is also why you can participate in a ceremony for a system you'll depend on: your own honest contribution makes the setup secure for you, regardless of everyone else.
Powers of Tau and Per-Circuit Phase 2
Groth16 setups split into two phases:
- Phase 1 — powers of tau. Circuit-independent: it produces the encoded powers
[τⁱ]Gup to a size bound. One phase-1 transcript can serve every circuit that fits. The Perpetual Powers of Tau effort maintains exactly this: a long-running, open-participation transcript that many projects use, accumulating hundreds of contributions over years. Reusing it is good practice — its honesty assumption is as strong as its full contributor history. - Phase 2 — circuit-specific. Groth16 additionally needs parameters bound to the specific R1CS. Every circuit — and every modification of a circuit — needs its own phase-2 ceremony (snarkjs implements this workflow). This is the operational trap: a one-line security fix to your circuit invalidates your keys and requires re-running phase 2, and teams under incident pressure are tempted to cut ceremony corners exactly when they can least afford to.
Universal-setup systems (PLONK/KZG) need only the phase-1-style setup, which is additionally updatable — new contributions can be appended later, monotonically strengthening the 1-of-N assumption. STARKs and IPA-based systems need no setup at all.
Historical Context
Zcash's ceremonies set the template for taking this seriously. The 2016 Sprout ceremony used six participants with air-gapped machines, destroyed hardware, and recorded procedures; the 2018 Sapling ceremony (Powers of Tau plus phase 2) scaled to broad public participation. The elaborate operational security was a direct response to the stakes: a compromised setup would enable invisible counterfeiting of shielded ZEC.
The BCTV14 flaw is the essential nuance. In 2018–2019 it emerged that BCTV14 — the proving system used by Zcash Sprout — had a flaw in how its published parameters were specified: extra elements exposed in the parameters could have enabled proof forgery. Crucially, this was a protocol/parameter-specification bug, not a ceremony compromise. Every participant could have behaved perfectly and the vulnerability would still exist, because the design of what the setup published was wrong. Zcash mitigated it quietly via the Sapling upgrade (which used the newer, unaffected Groth16) before public disclosure, and no exploitation was ever detected. The lesson: ceremony opsec and cryptographic soundness of the setup specification are independent failure modes. Auditing the ceremony's livestream does nothing if the math of what it outputs is flawed.
Verifying a Ceremony
A ceremony's output is only as good as its public verifiability:
- Transcript verification. Anyone should be able to download the full transcript and verify every contribution chains correctly from the previous one, using independent tooling. If the coordinator's own tool is the only verifier, that's a finding.
- Contribution attestations. Participants publish signed statements identifying themselves (or deliberately not) and describing their procedure. Diversity — jurisdictions, organizations, hardware — strengthens the honesty assumption.
- Coordinator trust. The coordinator sequences contributions but must not be able to substitute them; the chained proofs prevent this if verified. Watch for coordinator-inserted contributions at the end.
- Randomness beacon. Many ceremonies finalize with a public, unpredictable beacon (e.g., a future block hash) applied as a final contribution, limiting adaptive last-contributor attacks.
- Parameter binding. Verify that the proving/verifying keys your system ships were actually derived from the verified transcript and the audited circuit — hash-pin everything. A perfect ceremony followed by an unverified key file on a CDN is a supply-chain hole.
What to Check as an Integrating Team
If you're building on someone else's parameters (a shared powers of tau, a vendor's phase 2):
- Obtain the full transcript and run the verification yourself, with tooling not authored by the ceremony coordinator if possible.
- Check the contributor list: how many, who, and would you bet the protocol's TVL that all of them colluded?
- Confirm the setup size bound covers your circuit, and that the parameter format matches your prover's expectations exactly.
- For Groth16: confirm the phase-2 transcript corresponds to your exact compiled circuit (same compiler version, flags, and commit). A phase 2 for a slightly different R1CS is worthless.
- Pin hashes of the proving key, verifying key, and verifier contract, and check them in CI and at deploy time.
- Contribute yourself if the ceremony is open — it converts "trust N strangers" into "trust yourself."
- Plan the re-ceremony path now: who runs phase 2 when you patch the circuit, on what timeline, with what verification? Incident-time ceremonies are where corners get cut.
When to Prefer Transparent Setups
Choose STARKs, IPA-based halo2, or other transparent systems when: the application is long-lived and high-value enough that ceremony risk dominates; your team cannot credibly run or verify ceremonies; circuits will change frequently (per-circuit phase 2 becomes an operational treadmill); or your threat model can't tolerate an undetectable-forgery failure mode at all. The costs — larger proofs, pricier verification — are measurable and bounded; toxic-waste risk is neither. Many production systems split the difference: transparent proving internally, wrapped in a final SNARK for cheap settlement — in which case, remember that the wrapper's setup is back in your trust base.
Closing
Trusted setup risk is manageable, but only deliberately: a widely-verified powers of tau, a properly verified per-circuit phase 2, hash-pinned artifacts, your own contribution where possible — and the humility of BCTV14's lesson, that the setup's specification needs auditing as much as its execution. If that checklist reads as more operational burden than your team will sustain, that is itself the answer: pick a transparent system and delete the problem.