How zkRollup Trusted Setup Works: Everything You Need to Know

June 10, 2026 By Robin Fletcher

Introduction: The Role of Trusted Setup in zkRollups

zkRollup trusted setup is a cryptographic ceremony that generates a common reference string (CRS) used to create and verify zero-knowledge proofs in zkRollup systems. Without this process, the validity proofs that underpin zkRollup scalability—allowing thousands of transactions to be processed off-chain and verified on-chain with a single proof—would be computationally impractical or insecure. This article explains the mechanics, phases, and security assumptions of trusted setups, and why they remain a critical consideration for developers and enterprises evaluating layer-2 solutions.

The Foundational Concepts: How Trusted Setup Fits Into zkRollups

zkRollups rely on succinct non-interactive arguments of knowledge (SNARKs), typically using the Groth16 proving system. The trusted setup produces a CRS—a structured set of parameters used by both the prover (the rollup operator, often called the sequencer) and the verifier (an Ethereum smart contract). The CRS consists of elliptic curve points that encode a secret random number (the "toxic waste") that must be discarded after the setup. If that secret were ever revealed, anyone could forge proofs that pass verification.

The setup is "trusted" because participants must trust that at least one of the ceremony's contributors honestly destroyed their secret. In practice, multi-party computation (MPC) protocols are used, where dozens or hundreds of participants each add randomness on top of previous contributions. As long as even a single contributor discards their randomness, the final CRS remains secure. This property is called the "one-out-of-many" honesty assumption.

Phase 1: The Powers of Tau Ceremony

The trusted setup for a Groth16-based zkRollup begins with a universal ceremony known as the Powers of Tau (named after a common notation for the secret). This phase is universal because it does not depend on a specific circuit (i.e., the set of constraints that define the rollup's logic). Instead, it generates a set of powers of a hidden secret τ (tau), represented as elliptic curve points: g^τ, g^(τ²), g^(τ³), ..., g^(τ^n).

Participants in the ceremony connect to a coordination server, download the current state of the parameters, and apply their own random contribution using a secure MPC protocol. The contribution is cryptographically bound to the participant's identity via a proof of correct computation, ensuring that even if a participant misbehaves, the damage is contained. The toxic waste—the participant's random secret—must be deleted immediately after the contribution is made. The ceremony is publicly auditable, with each step verifiable by any third party.

After all contributions are aggregated, the final phase-1 output is a set of parameters that can be reused by any zkRollup circuit built on the same elliptic curve (typically the BLS12-381 or BN254 curves). This universality reduces the need to repeat the full ceremony for every new rollup deployment.
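
The chained update described above, as an added sketch in a toy prime-order group (not code from any ceremony or project). The group parameters, the function names and the Schnorr proof standing in for the ceremony's proof of correct computation are assumptions, and the pairing-based consistency check that real verifiers run is left out.

```python
import hashlib
import secrets

# Toy Schnorr group, constructed for illustration: Q = 2^61 - 1 is a Mersenne
# prime; take the first P = k*Q + 1 in which G = 2^k has order exactly Q.
# Real ceremonies use pairing-friendly elliptic curves such as BN254.
Q = 2**61 - 1
P = next(k * Q + 1 for k in range(2, 10**5, 2)
         if pow(2, k * Q, k * Q + 1) == 1 and pow(2, k, k * Q + 1) != 1)
G = pow(2, (P - 1) // Q, P)

def challenge(base, pub, commit):
    """Fiat-Shamir challenge binding the proof to this exact update."""
    digest = hashlib.sha256(f"{base}|{pub}|{commit}".encode()).digest()
    return int.from_bytes(digest, "big") % Q

def contribute(srs, s):
    """Map G^(tau^i) to G^((tau*s)^i) and prove knowledge of s (Schnorr)."""
    new = [pow(x, pow(s, i, Q), P) for i, x in enumerate(srs)]
    k = secrets.randbelow(Q - 1) + 1
    commit = pow(srs[1], k, P)
    resp = (k + challenge(srs[1], new[1], commit) * s) % Q
    return new, (commit, resp)  # s and k are toxic waste: never stored or returned

def verify_contribution(old, new, proof):
    """Accept only if new[1] = old[1]^s for an s the contributor knew.

    Not covered here: real verifiers also use a pairing to check that every
    new[i] is the next power of the same hidden value.
    """
    commit, resp = proof
    if len(new) != len(old) or new[0] != G or new[1] % P in (0, 1):
        return False
    c = challenge(old[1], new[1], commit)
    return pow(old[1], resp, P) == commit * pow(new[1], c, P) % P

def run_ceremony(n, contributor_secrets):
    """Chain contributions; return the final powers and the public transcript."""
    srs, transcript = [G] * (n + 1), []  # start from tau = 1
    for s in contributor_secrets:
        new, proof = contribute(srs, s)
        transcript.append((srs, new, proof))
        srs = new
    return srs, transcript

def powers_from_secret(tau, n):
    """The same parameters, computed directly by someone who knows tau."""
    return [pow(G, pow(tau, i, Q), P) for i in range(n + 1)]
```

The final hidden value is the product of every contributor's secret, so reproducing the parameters with `powers_from_secret` requires all of them; any single discarded secret leaves the product unknown.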

Phase 2: Circuit-Specific Ceremony

While Phase 1 is universal, Phase 2 tailors the CRS to a specific zkRollup circuit. The circuit encodes the exact computational constraints that the rollup must satisfy, such as verifying Merkle proofs of account balances, checking signature aggregations, and enforcing state transition rules. The Phase 2 ceremony takes the output of the Powers of Tau and applies a secret random exponent that is specific to the circuit's constraints.

This phase is much faster than Phase 1 because the parameter set is smaller and the computation is more targeted. As in the first phase, participants contribute randomness and discard their secrets, with a guarantee of security as long as at least one is honest. The final output is a proving key (used by the sequencer) and a verification key (embedded in the on-chain smart contract).

Importantly, the Phase 2 ceremony can be repeated if the rollup's rules change—for example, if a new type of transaction is added. However, the Phase 1 parameters remain unchanged, meaning a new Powers of Tau is not required. This separation reduces both complexity and risk over the lifetime of the scaling solution.

Security Models and Challenges

The principal vulnerability in a trusted setup is the collusion risk: if all contributors somehow cooperate or if a single contributor leaks their secret, the entire CRS becomes compromised. In practice, ceremony organizers enforce strict measures: participants are required to use dedicated hardware, the randomness source is audited, and the set of contributors is diversified across geographies and organizations. For leading zkRollup projects like Zcash (which pioneered the MPC approach), Loopring, and StarkWare, the ceremonies have included dozens of participants from academia, industry, and the broader blockchain community.

Another challenge is the long-term security of the CRS. If the elliptic curve is later found to have a weakness, or if a quantum computer becomes capable of solving discrete logarithms, the CRS becomes insecure. However, current trusted setups are designed with state-of-the-art curves and are considered safe for the foreseeable future.

Some newer zkRollup implementations, such as those using STARKs (scalable transparent arguments of knowledge), avoid trusted setups entirely—STARKs are non-interactive and rely only on cryptographic hash functions, which do not require a secret CRS. The tradeoff is that STARK proofs are larger and less computationally efficient to verify on Ethereum, which can increase gas costs. Hence, the choice between trustless (STARK) and trusted-setup (SNARK) rollups depends on specific deployment priorities.

Real-World Implementations and Audits

Several prominent zkRollup projects have conducted public trusted setups. The most well-known is the Zcash ceremony, which spawned the Powers of Tau standard used by dozens of projects today. More recently, the Ethereum Foundation coordinated the "Powers of Tau" ceremony for the BN254 curve, attracting over 200 participants. Each participant was required to run a reference implementation on an air-gapped machine and upload a signed transcript.

Post-ceremony, the final CRS is often audited by multiple third-party firms, such as Trail of Bits or Credibly Neutral, to verify that the MPC code and contributions are valid. The audited parameters are then published on IPFS and hard-coded into the rollup's smart contract deployment script.

For operators who wish to verify the integrity of a zkRollup's setup before deploying assets, the entire transcript is publicly available. Verification can be performed using the open-source tools that accompany the ceremony. This transparency is a core part of the trust model—anyone can independently confirm that the toxic waste was destroyed.

Practical Considerations for Enterprises and Developers

When selecting a zkRollup solution for a production application, the trusted setup should be evaluated as part of overall due diligence. Key questions include: Who were the participants? Was the ceremony transparent and auditable? Is the CRS universal or circuit-specific? Has the setup been audited? How often is the ceremony repeated?

For applications that require the lowest on-chain footprint, a Groth16-based zkRollup with a trusted setup may be the best option. For applications where maximum decentralization and transparency are paramount, a STARK-based rollup without a trusted setup might be more suitable, albeit with higher gas costs.

Some rollups have opted for a hybrid approach, using a trusted setup for the main state transition circuit but employing fallback mechanisms—such as a permissioned withdrawal delay—in case the CRS is ever compromised. These fallback layers add operational complexity but reduce the risk of total loss.

The Future of Trusted Setups

The cryptographic community is actively working on "trusted setup-free" SNARKs. Constructions such as PLONK and Halo 2 reduce or eliminate the need for a per-circuit setup. PLONK uses a universal setup—similar to Phase 1 Powers of Tau—but does not require a dedicated Phase 2 for each circuit, simplifying deployment. Halo 2, developed by the Electric Coin Company, uses recursive proof composition and avoids any structured CRS, though it still relies on an initial "set" of verifying keys that can be updated trustlessly.

These advances mean that within a few years, the vast majority of new zkRollups may not require a trusted setup at all. However, existing solutions with established CRSes remain widely deployed and are trusted by billions of dollars in bridged assets. For now, understanding how trusted setups work—and their security guarantees—is essential for anyone building on or investing in the layer-2 scaling ecosystem.

This article is for informational purposes only and does not constitute investment or technical advice. Readers should verify all claims through independent research.
