Trusted Setup is a one-time process used in zero-knowledge proofs like ZK-SNARKs to create a public set of values (called the SRS) from a secret number. This setup allows users to prove things without revealing the actual data. In this blog, we explain how it works using easy math and the help of Alice and Bob, showing how they create and verify the setup securely. We also explore why this process must be trusted and how multi-party setups make it safer—even if only one person is honest. Trusted Setup Story Setup: The Problem Story Setup: The Problem Imagine we want to commit to a polynomial and later prove its value at some point without revealing the whole polynomial. commit to a polynomial prove its value at some point without revealing the whole polynomial Why? Why? Because in things like ZK-SNARKs, we want to prove statements (like “I know a secret”) without revealing the secret. ZK-SNARKs without revealing the secret But first, we need a Trusted Setup so no one cheats. That’s where Alice and Bob come in. Trusted Setup Alice and Bob Step 1: The Trusted Setup Ceremony Step 1: The Trusted Setup Ceremony Alice and Bob both want to agree on a polynomial system without trusting each other. Alice Bob So, they follow this process: Alice picks a secret number τ (tau) Alice picks a secret number τ (tau) Let’s say: τ = 3 (but she keeps it secret!) τ = 3 She then computes: τ⁰ = 1 τ¹ = 3 τ² = 9 τ³ = 27 τ⁰ = 1 τ¹ = 3 τ² = 9 τ³ = 27 She multiplies each of these by a generator G (a fixed point on an elliptic curve) and gets: generator G [G, τG, τ²G, τ³G] [G, τG, τ²G, τ³G] This is the Structured Reference String (SRS) — it’s public! Structured Reference String (SRS) She deletes τ after generating this so no one (even herself) can cheat later. deletes τ Bob trusts that she did this honestly… but how can he verify it? trusts Step 2: Verifying the Trusted Setup Step 2: Verifying the Trusted Setup Bob now receives the public SRS: [G, τG, τ²G, τ³G] [G, τG, τ²G, τ³G] He wants to check if this is valid, i.e., if someone really used the same τ in all parts. check if this is valid Bob’s Check: Pairing Test Bob’s Check: Pairing Test He picks a random number a, and calculates: a [a]G and [a]H (same scalar a, but different groups: G1 and G2) Then checks if: [a]G and [a]H (same scalar a, but different groups: G1 and G2) Then checks if: e([aτ]G, H) == e([a]G, [τ]H) e([aτ]G, H) == e([a]G, [τ]H) This works because in elliptic curve pairings: e(xG, yH) = e(G, H)^(xy) e(xG, yH) = e(G, H)^(xy) So both sides become: e(G, H)^(a * τ) e(G, H)^(a * τ) ✅ If this holds true, Bob knows that τ was used consistently — no cheating! G and H are public starting points (called generators) on two different elliptic curve groups — G is from group G₁, and H is from group G₂. They are used to keep things secure when doing pairing checks. Even if you multiply both by the same secret number a, the results [a]G and [a]H stay in their own groups and can't be directly compared. But using a special pairing function, we can still verify things safely. G and H are public starting points (called generators) on two different elliptic curve groups — G is from group G₁, and H is from group G₂. G H generators G is from group G₁ H is from group G₂ They are used to keep things secure when doing pairing checks. Even if you multiply both by the same secret number a, the results [a]G and [a]H stay in their own groups and can't be directly compared. But using a special pairing function, we can still verify things safely. a [a]G [a]H Let’s walk through an actual example: as in Step-1 Alice Chooses τ = 3 & G is the generator point on curve (think of it as a known reference) τ = 3 So, SRS becomes: SRS [G, τG, τ²G, τ³G] [G, 3G, 9G, 27G] [G, τG, τ²G, τ³G] [G, 3G, 9G, 27G] She publishes SRS and deletes τ. SRS τ Bob wants to check: Bob wants to check: He picks a random number a = 5 a = 5 Computes: [5 * 3]G = 6G [5]G = 5G, [3]H = 3H Then checks: Computes: [5 * 3]G = 6G [5]G = 5G, [3]H = 3H Then checks: [5 * 3]G = 6G [5]G = 5G, [3]H = 3H Then checks: [5 * 3]G = 6G [5]G = 5G, [3]H = 3H Then checks: e([aτ]G, H) == e([a]G, [τ]H) e(15G, H) == e(5G, 3H) e(xG, yH) = e(G, H)^(xy) e(G, H)^15 == e(G,H)^15 e([aτ]G, H) == e([a]G, [τ]H) e(15G, H) == e(5G, 3H) e(xG, yH) = e(G, H)^(xy) e(G, H)^15 == e(G,H)^15 Both sides equal e(G, H)^(15), so they match Wait... If τ Is Deleted and Never Shared, How Can Bob Verify the SRS? Wait... If τ Is Deleted and Never Shared, How Can Bob Verify the SRS? After Alice generates the SRS (like [G, τG, τ²G, τ³G] and [H, τH, τ²H, τ³H]) — she publishes these values and deletes τ forever. So how can Bob be sure she used the same τ in both lists? [G, τG, τ²G, τ³G] [H, τH, τ²H, τ³H] publishes these values deletes τ forever The trick is: Bob doesn't need to know τ at all. Bob doesn't need to know τ at all Instead, he uses values directly from the public SRS — like: τG from the G-based SRS τH from the H-based SRS τG from the G-based SRS τG τH from the H-based SRS τH And he picks a random number a himself. a Now he does this check using the pairing function: e([a]τG, H) == e([a]G, τH) e([a]τG, H) == e([a]G, τH) All parts here are either from the public SRS or chosen by Bob public SRS Here’s why this works: Here’s why this works: Pairings follow the rule: e(xG, yH) = e(G, H)^(xy) e(xG, yH) = e(G, H)^(xy) So both sides become: e(G, H)^(a * τ) e(G, H)^(a * τ) If both sides match, that means the same unknown τ was used across both SRS lists. Even though τ is deleted, the math proves everything was generated honestly. unknown τ τ let’s take it one step further with a Multi-Party Setup. This removes full trust from one person and makes the system safer. Let’s see how that works! Multi-Party Setup Multi-Party Setup Multi-Party Setup let say, We want to: Commit to a polynomial P(x) = 4x² + 7x + 8 Prove that this polynomial evaluates to a specific value at a certain input x = 2 Verify the proof using the pairing check Commit to a polynomial P(x) = 4x² + 7x + 8 Commit P(x) = 4x² + 7x + 8 Prove that this polynomial evaluates to a specific value at a certain input x = 2 Prove x = 2 Verify the proof using the pairing check Verify pairing check Setup Phase (Trusted Phase) Setup Phase (Trusted Phase) Sita, Ram, Radha, Krishna individually choose private secrets: τ₁, τ₂, τ₃, τ₄ individually choose private secrets These secrets are multiplied together to form the final secret τ: multiplied together τ = τ₁ × τ₂ × τ₃ × τ₄ τ = τ₁ × τ₂ × τ₃ × τ₄ Nobody knows the final τ — unless all 4 collude and share their secrets (which we assume won't happen in a trusted setup). Then, they publish the SRS: publish [G, τG, τ²G, τ³G, ..., τⁿG] [G, τG, τ²G, τ³G, ..., τⁿG] These are just elliptic curve points. We never see τ itself, only powers of τ multiplied with G. multiplied with Step-by-Step: MPC Ceremony Step-by-Step: MPC Ceremony Step 1: Sita starts the setup Step 1: Sita starts the setup Sita randomly picks a secret: τ₁ τ₁ She computes: G₀ = G G₁ = τ₁·G G₂ = τ₁²·G G₃ = τ₁³·G ... G₀ = G G₁ = τ₁·G G₂ = τ₁²·G G₃ = τ₁³·G ... She destroys τ₁ (so no one knows it anymore). destroys τ₁ She publishes only the resulting group elements: [G, τ₁·G, τ₁²·G, τ₁³·G, …] [G, τ₁·G, τ₁²·G, τ₁³·G, …] This is now the intermediate SRS. intermediate SRS Step 2: Ram adds his secret Step 2: Ram adds his secret Ram picks τ₂, without knowing τ₁. τ₂ without knowing τ₁ he takes Sita’s output and raises everything to τ₂: raises everything to τ₂ [G, τ₁·G, τ₁²·G, τ₁³·G, …] ⟶ [G, τ₁·τ₂·G, (τ₁·τ₂)²·G, …] [G, τ₁·G, τ₁²·G, τ₁³·G, …] ⟶ [G, τ₁·τ₂·G, (τ₁·τ₂)²·G, …] Again, he destroys τ₂ and only publishes the updated group elements. destroys τ₂ Now the SRS is based on τ = τ₁·τ₂, but no one knows τ, not even Sita or Ram. τ = τ₁·τ₂ no one knows τ In the trusted setup of zkSNARKs: G, the generator point on the elliptic curve, is public The SRS (Structured Reference String) is also public, e.g., [G, τ·G, τ²·G, …] However, each participant’s secret value τ (tau) must remain private This ensures that no one can cheat during proof generation — as long as even one participant deletes their τ, the setup remains secure. If G and τ₁·G (from Sita) are both public in the SRS, Q: Can Ram just “divide” τ₁·G by G and figure out Sita’s private τ₁? No, Ram Can’t Because of a special hard problem in math called the Discrete Logarithm Problem (DLP). Given G and τ₁·G, there’s no easy way to compute τ₁.It’s like a trapdoor — easy to go forward (τ₁·G), but almost impossible to go backward. Even with modern computers, it would take thousands of years to solve. In the trusted setup of zkSNARKs: G, the generator point on the elliptic curve, is public The SRS (Structured Reference String) is also public, e.g., [G, τ·G, τ²·G, …] However, each participant’s secret value τ (tau) must remain private G, the generator point on the elliptic curve, is public G public The SRS (Structured Reference String) is also public, e.g., [G, τ·G, τ²·G, …] SRS public [G, τ·G, τ²·G, …] However, each participant’s secret value τ (tau) must remain private τ (tau) remain private This ensures that no one can cheat during proof generation — as long as even one participant deletes their τ, the setup remains secure. If G and τ₁·G (from Sita) are both public in the SRS, G τ₁·G Sita Q: Can Ram just “divide” τ₁·G by G and figure out Sita’s private τ₁? Ram Sita No, Ram Can’t Because of a special hard problem in math called the Discrete Logarithm Problem (DLP). Ram Discrete Logarithm Problem (DLP) Given G and τ₁·G, there’s no easy way to compute τ₁.It’s like a trapdoor — easy to go forward (τ₁·G), but almost impossible to go backward. G τ₁·G, τ₁ τ₁·G Even with modern computers, it would take thousands of years to solve. thousands of years Steps 3 and 4: Radha and Krishna repeat Steps 3 and 4: Radha and Krishna repeat Each does the same: Pick secret τ₃ and τ₄ Update the SRS by exponentiating it Destroy their secrets Pick secret τ₃ and τ₄ Update the SRS by exponentiating it Destroy their secrets In the end, the SRS looks like: [G, τ·G, τ²·G, τ³·G, …] where τ = τ₁·τ₂·τ₃·τ₄ [G, τ·G, τ²·G, τ³·G, …] where τ = τ₁·τ₂·τ₃·τ₄ This is your Structured Reference String (SRS). It’s public. Structured Reference String (SRS) Commitment Phase Commitment Phase Say Surali (Prover) wants to commit to P(x) = 4x² + 7x + 8 Surali (Prover) P(x) = 4x² + 7x + 8 Using the public SRS, Surali builds: Surali C = 4[τ²]G + 7[τ¹]G + 8[τ⁰]G = 4·τ²G + 7·τG + 8·G C = 4[τ²]G + 7[τ¹]G + 8[τ⁰]G = 4·τ²G + 7·τG + 8·G This is the commitment C — it hides the coefficients, but is bound to P(x). commitment C P(x) Let’s say someone wants to verify a claim: Let’s say someone wants to verify a claim: Hey, Surali prove to me that this hidden polynomial evaluates to value v at x = 3. Surali v x = 3 then Surali (Prover) will Commit to the polynomial using the public SRS (Commitment Phase). Surali (Prover) Commit to the polynomial Commitment: This is the commitment to the polynomial using the public SRS: C=[P(τ)]G=4[τ²]G+7[τ¹]G+8[τ⁰]G Commitment: This is the commitment to the polynomial using the public SRS: C=[P(τ)]G=4[τ²]G+7[τ¹]G+8[τ⁰]G Commitment: Commitment: This is the commitment to the polynomial using the public SRS: C=[P(τ)]G=4[τ²]G+7[τ¹]G+8[τ⁰]G C=[P(τ)]G=4[τ²]G+7[τ¹]G+8[τ⁰]G This acts like a cryptographic fingerprint of the polynomial. Evaluation value at the chosen point: v=P(3)=4⋅3²+7⋅3¹+8⋅3⁰=36+21+8=65 Evaluation value at the chosen point: v=P(3)=4⋅3²+7⋅3¹+8⋅3⁰=36+21+8=65 Evaluation value at the chosen point: Evaluation value v=P(3)=4⋅3²+7⋅3¹+8⋅3⁰=36+21+8=65 v=P(3)=4⋅3²+7⋅3¹+8⋅3⁰=36+21+8=65 Proof π: Proof π Bob computes the quotient polynomial quotient polynomial Q(x) = (P(x) - P(3)) / (x - 5) Q(x) = (P(x) - P(3)) / (x - 5) Then he commits to it using the SRS: π=[Q(τ)]G π=[Q(τ)]G Prover Sends: C: the commitment v: the claimed evaluation at x = 3 π=[Q(τ)]G: the proof C: the commitment v: the claimed evaluation at x = 3 π=[Q(τ)]G: the proof π=[Q(τ)]G Verifying the Proof Verifying the Proof Anyone can now verify that the committed polynomial evaluates to 65 at x = 3 by checking: verify 65 x = 3 e(π,τH−[3]H) =? e(C−[v]G,H) ⟶ e(π, [τ - 3]H) =? e(C - [65]G, H) e(π,τH−[3]H) =? e(C−[v]G,H) ⟶ e(π, [τ - 3]H) =? e(C - [65]G, H) Pairing functions are bilinear, which means: e(aG,bH) = e(G,H)^ab = e(bG,aH) That’s the superpower that makes verification possible. Pairing functions are bilinear, which means: Pairing functions are bilinear e(aG,bH) = e(G,H)^ab = e(bG,aH) e(aG,bH) = e(G,H)^ab = e(bG,aH) That’s the superpower that makes verification possible. The prover sends: The prover sends: C = [P(τ)]G v = P(x0) = P(3) π = [Q(τ)]G, where Q(x)=(P(x) - v)/(x - x0) C = [P(τ)]G v = P(x0) = P(3) π = [Q(τ)]G, where Q(x)=(P(x) - v)/(x - x0) we know that, x0 = 3 v = P(3) = 65 So, P(x)−v = (x−3)Q(x) from (Q(x)=(P(x) - v)/(x - 3)) x0 = 3 v = P(3) = 65 So, P(x)−v = (x−3)Q(x) from (Q(x)=(P(x) - v)/(x - 3)) This is a key algebraic fact. This is a key algebraic fact. So, on the curve: [P(τ)]G−[v]G = [(τ−3)Q(τ)]G at x = τ as Q(x)=(P(x) - v)/(x - 3) [P(τ)]G−[v]G = [(τ−3)Q(τ)]G at x = τ as Q(x)=(P(x) - v)/(x - 3) Factor it out: C−[v]G = [τ−3]⋅[Q(τ)]G as C = [P(τ)]G C−[v]G = [τ−3]⋅[Q(τ)]G as C = [P(τ)]G Let’s simplify RHS: C−[v]G = [τ−3]Q(τ)⋅G C−[v]G = [τ−3]Q(τ)⋅G Now Apply Pairing Now Apply Pairing Now take pairing on both sides with H (generator of group G₂ (public)): H e(C−[v]G,H) = e([τ−3]Q(τ)⋅G,H) e(C−[v]G,H) = e([τ−3]Q(τ)⋅G,H) Using pairing properties: e(C−[v]G,H) = e([Q(τ)]G,[τ−3]H) as e(aG,bH) = e(G,H)^ab = e(bG,aH) e(C−[v]G,H) = e([Q(τ)]G,[τ−3]H) as e(aG,bH) = e(G,H)^ab = e(bG,aH) Which is: e(C−[v]G,H) = e(π,[τ−3]H) as π = [Q(τ)]G e(C−[v]G,H) = e(π,[τ−3]H) as π = [Q(τ)]G That’s why this verification equation works — without knowing τ! why this verification equation works If both sides of this pairing match, the verifier is convinced: “Yes, the committed polynomial really does evaluate to 65 at x = 3.” “Yes, the committed polynomial really does evaluate to 65 at x = 3.” All of this happens without revealing the polynomial! without revealing the polynomial
