Trusted Setup

A trusted setup is a mechanism ZK-SNARKs use to evaluate a polynomial at a secret value.

Observe that a polynomial $f(x)$ can be evaluated by computing the inner product of the coefficients with successive powers of $x$.

For example, if $f(x)=3x^3+2x^2+5x+10$, then the coefficients are $[3,2,5,10]$ and we can compute the polynomial as

$$f(x)=\langle[3,2,5,10],[x^3,x^2,x,1]\rangle$$

In other words, we typically think of evaluating $f(2)$ for the polynomial above as

$$f(2)=3(2)^3+2(2)^2+5(2)+10$$

but we could also evaluate it as

$$f(2)=\langle[3,2,5,10],[8,4,2,1]\rangle = 3\cdot8+2\cdot4+5\cdot2+10\cdot1$$

Now suppose that someone picks a secret scalar $\tau$ and computes

$$[\tau^3,\tau^2,\tau,1]$$

then multiplies each of those scalars by the generator point of a cryptographic elliptic curve group. The result is as follows:

$$[\Omega_3, \Omega_2, \Omega_1, G_1]=[\tau^3G_1,\tau^2G_1,\tau G_1,G_1]$$

Now anyone can take the structured reference string (SRS) $[\Omega_3, \Omega_2, \Omega_1, G_1]$ and evaluate a polynomial of degree three or less at $\tau$.

For example, if we have a degree 2 polynomial $g(x)=4x^2+7x+8$, we can evaluate $g(\tau)$ by taking the inner product of the structured reference string with the polynomial's coefficients:

$$\langle[0,4,7,8],[\Omega_3, \Omega_2, \Omega_1, G_1]\rangle=4\Omega_2+7\Omega_1+8G_1$$

We have now computed $g(\tau)G_1$, a point whose discrete log is $g(\tau)$, without knowing what $\tau$ is!

This is also called a trusted setup because although we don't know the discrete log of $g(\tau)G_1$, the person who created the structured reference string does, since they know $\tau$. This could leak information down the line, so we trust that the entity creating the trusted setup deletes $\tau$ and in no way remembers it.

Example in Python

from py_ecc.bn128 import G1, multiply, add
from functools import reduce

def inner_product(points, coeffs):
    # Sum of coeff_i * point_i. py_ecc represents the point at infinity as
    # None and multiply(pt, 0) returns None, while add(None, P) returns P, so
    # a leading zero coefficient (a polynomial of lower degree than the SRS)
    # is handled correctly.
    return reduce(add, map(multiply, points, coeffs))

## Trusted Setup
tau = 88        # the secret; must be deleted once the SRS is published
degree = 3

# tau^3, tau^2, tau, 1
srs = [multiply(G1, tau**i) for i in range(degree,-1,-1)]

## Evaluate
# p(x) = 4x^2 + 7x + 8, padded with a leading 0 to degree 3
coeffs = [0, 4, 7, 8]

poly_at_tau = inner_product(srs, coeffs)

# Sanity check, possible here only because this script still knows tau:
# the computed point is p(tau) * G1
assert poly_at_tau == multiply(G1, 4*tau**2 + 7*tau + 8)

Verifying a Trusted Setup was Generated Properly

Given a structured reference string, how do we even know that it follows the structure $[x^d, x^{d-1},\dots,x,1]$ and wasn't chosen by the roll of the dice?

If the person doing the trusted setup also provides $\Theta=\tau G_2$, we can validate that the structured reference string is indeed successive powers of $\tau$:

$$e(\Theta, \Omega_i)\stackrel{?}{=}e(G_2,\Omega_{i+1})$$

where $e$ is a bilinear pairing. Intuitively, we are computing $\tau\cdot\tau^i$ on the left side and $1\cdot\tau^{i+1}$ on the right side…

To validate that $\Theta$ and $\Omega_1$ have the same discrete logarithm ($\Omega_1$ is supposed to be $\tau G_1$), we can check that

$$e(\Theta,G_1)\stackrel{?}{=}e(G_2,\Omega_1)$$

Generating a structured reference string as part of a multiparty computation

It's not a good trust assumption that the person generating the structured reference string actually deleted $\tau$.

We now describe the algorithm for multiple parties to collaboratively create the structured reference string; as long as one of them is honest (i.e. deletes their secret), the discrete logs of the structured reference string will be unknown.

Alice generates the structured reference string $([\Omega_n,\dots,\Omega_2,\Omega_1, G_1],\Theta)$ and passes it to Bob.

Bob verifies the SRS is "correct" using the checks from the earlier section. Then Bob picks his own secret parameter $\gamma$ and computes

$$([\gamma^n\Omega_n,\dots,\gamma^2\Omega_2,\gamma\Omega_1,G_1],\gamma\Theta)$$

Note that the discrete logs of the SRS are now

$$([(\tau\gamma)^n,\dots,(\tau\gamma)^2,(\tau\gamma),1],\tau\gamma)$$

If either Alice deletes $\tau$ or Bob deletes $\gamma$, then the discrete logs of the final SRS are not recoverable.

Of course, we don’t need to limit the participants to two, we could have as many participants as we like.

This multiparty computation is often informally referred to as the powers of tau ceremony.
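The following is an added example, not code from the page or from any ceremony implementation, that puts the pairing checks of the previous section and the two-party contribution of this section into one runnable script. To stay self-contained it replaces the elliptic curve group with a toy: the additive group of integers mod a prime Q, generator G1 = G2 = 1, "scalar multiplication" k*P mod Q, and a pairing e(P2, P1) = P2*P1 mod Q, which is genuinely bilinear. Discrete logs are trivial in this group, so the script models the structure of the checks and the ceremony (which element pairs with which, how a contribution rescales each power, what a corrupted SRS looks like to the verifier), not their security. The names make_srs, verify_srs, contribute, evaluate_on_srs and ceremony_demo, the toy modulus, and the secrets 88 and 13 are all constructed for this example.

```python
# Toy model of the SRS checks and the powers-of-tau ceremony described above.
# The group is the additive group of integers mod a prime Q, written the way
# an elliptic-curve group is: generator G1 = G2 = 1, mul(k, P) = k*P mod Q,
# and pairing(P2, P1) = P2*P1 mod Q, which is bilinear. Discrete logs are
# trivial here, so this shows the structure of the checks, not their security.
import secrets

Q = 2**127 - 1  # a prime; constructed toy group order
G1 = 1          # generator of the toy "G1"
G2 = 1          # generator of the toy "G2"


def mul(k, P):
    return (k * P) % Q


def add(P, R):
    return (P + R) % Q


def pairing(P2, P1):
    # e: G2 x G1 -> GT; bilinear because (a*b) mod Q is linear in each argument
    return (P2 * P1) % Q


def random_secret():
    # a real ceremony draws tau / gamma uniformly from the non-zero scalars
    return secrets.randbelow(Q - 1) + 1


def make_srs(tau, degree):
    """Return ([Omega_d, ..., Omega_1, G1], Theta) for the secret tau."""
    srs = [mul(pow(tau, i, Q), G1) for i in range(degree, -1, -1)]
    theta = mul(tau, G2)
    return srs, theta


def verify_srs(srs, theta):
    """The pairing checks from the page: Theta and Omega_1 share a discrete
    log, and e(Theta, Omega_i) == e(G2, Omega_{i+1}) for each consecutive
    pair. Only public values are used; the verifier never learns tau."""
    ascending = list(reversed(srs))  # [G1, Omega_1, Omega_2, ..., Omega_d]
    if len(ascending) < 2 or ascending[0] != G1:
        return False
    if pairing(theta, G1) != pairing(G2, ascending[1]):
        return False
    for i in range(1, len(ascending) - 1):
        if pairing(theta, ascending[i]) != pairing(G2, ascending[i + 1]):
            return False
    return True


def contribute(srs, theta, gamma):
    """Bob's step: verify the incoming SRS, then multiply Omega_i by gamma^i
    and Theta by gamma, so the new secret is (old secret) * gamma."""
    if not verify_srs(srs, theta):
        raise ValueError("incoming SRS failed the pairing checks")
    degree = len(srs) - 1
    new_srs = [mul(pow(gamma, degree - j, Q), P) for j, P in enumerate(srs)]
    return new_srs, mul(gamma, theta)


def evaluate_on_srs(srs, coeffs):
    """<coeffs, srs> with coefficients highest degree first, zero-padded on
    the left so a lower-degree polynomial can use a larger SRS."""
    padded = [0] * (len(srs) - len(coeffs)) + list(coeffs)
    acc = 0
    for c, P in zip(padded, srs):
        acc = add(acc, mul(c, P))
    return acc


def ceremony_demo(tau=88, gamma=13, degree=3):
    """Two-party ceremony with constructed secrets; returns what each check found."""
    srs, theta = make_srs(tau, degree)             # Alice's contribution
    srs2, theta2 = contribute(srs, theta, gamma)   # Bob verifies, then rescales
    combined = (tau * gamma) % Q                   # known here only because this is a toy
    tampered = list(srs2)
    tampered[1] = add(tampered[1], G1)             # corrupt Omega_{d-1}
    return {
        "final_is_valid": verify_srs(srs2, theta2),
        "final_matches_tau_gamma": srs2 == make_srs(combined, degree)[0],
        "tampered_is_valid": verify_srs(tampered, theta2),
        # g(x) = 4x^2 + 7x + 8 evaluated via the SRS vs. directly at tau*gamma
        "evaluation_matches": evaluate_on_srs(srs2, [4, 7, 8])
        == mul((4 * combined**2 + 7 * combined + 8) % Q, G1),
    }


if __name__ == "__main__":
    print(ceremony_demo())
```

The design point worth noticing is in `contribute`: Bob runs `verify_srs` before rescaling, because a corrupted input would otherwise be laundered into a final SRS that Bob has signed off on. The same checks run identically for any number of participants, since each contribution multiplies every discrete log by the newcomer's secret and the pairing relation is preserved.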

The use of a trusted setup in ZK-SNARKs

Evaluating a polynomial on a structured reference string doesn’t reveal information about the polynomial to the verifier, and the prover doesn’t know what point they are evaluating on. We will see later that this scheme helps prevent the prover from cheating and helps keep their witness zero knowledge.
