Trusted Setup is a one-time process used in zero-knowledge proofs like ZK-SNARKs to create a public set of values (called the SRS) from a secret number. This setup allows users to prove things without revealing the actual data. In this blog, we explain how it works using easy math and the help of Alice and Bob, showing how they create and verify the setup securely. We also explore why this process must be trusted and how multi-party setups make it safer—even if only one person is honest.
Story Setup: The Problem
Imagine we want to commit to a polynomial and later prove its value at some point without revealing the whole polynomial.
Why?
Because in things like ZK-SNARKs, we want to prove statements (like “I know a secret”) without revealing the secret.
But first, we need a Trusted Setup so no one cheats. That’s where Alice and Bob come in.
Step 1: The Trusted Setup Ceremony
Alice and Bob both want to agree on a polynomial system without trusting each other.
So, they follow this process:
Alice picks a secret number τ (tau)
Let’s say:
τ = 3 (but she keeps it secret!)
She then computes:
- τ⁰ = 1
- τ¹ = 3
- τ² = 9
- τ³ = 27
She multiplies each of these by a generator G (a fixed point on an elliptic curve) and gets:
[G, τG, τ²G, τ³G]
This is the Structured Reference String (SRS) — it’s public!
She deletes τ after generating this so no one (even herself) can cheat later.
Bob trusts that she did this honestly… but how can he verify it?
Step 2: Verifying the Trusted Setup
Bob now receives the public SRS:
[G, τG, τ²G, τ³G]
He wants to check if this is valid, i.e., if someone really used the same τ in all parts.
Bob’s Check: Pairing Test
He picks a random number a
, and calculates:
- [a]G and [a]H (same scalar a, but different groups: G1 and G2)
- Then checks if:
e([aτ]G, H) == e([a]G, [τ]H)
This works because in elliptic curve pairings:
e(xG, yH) = e(G, H)^(xy)
So both sides become:
e(G, H)^(a * τ)
✅ If this holds true, Bob knows that τ was used consistently — no cheating!
G and H are public starting points (called generators) on two different elliptic curve groups — G is from group G₁, and H is from group G₂.
They are used to keep things secure when doing pairing checks. Even if you multiply both by the same secret number a
, the results [a]G
and [a]H
stay in their own groups and can't be directly compared. But using a special pairing function, we can still verify things safely.
Let’s walk through an actual example:
as in Step-1 Alice Chooses τ = 3 & G is the generator point on curve (think of it as a known reference)
So, SRS becomes:
[G, τG, τ²G, τ³G]
[G, 3G, 9G, 27G]
She publishes SRS and deletes τ.
Bob wants to check:
He picks a random number a = 5
- Computes:
- [5 * 3]G = 6G
- [5]G = 5G, [3]H = 3H
- Then checks:
e([aτ]G, H) == e([a]G, [τ]H)
e(15G, H) == e(5G, 3H)
e(xG, yH) = e(G, H)^(xy)
e(G, H)^15 == e(G,H)^15
Both sides equal e(G, H)^(15), so they match
Wait... If τ Is Deleted and Never Shared, How Can Bob Verify the SRS?
After Alice generates the SRS (like [G, τG, τ²G, τ³G]
and [H, τH, τ²H, τ³H]
) — she publishes these values and deletes τ forever. So how can Bob be sure she used the same τ in both lists?
The trick is: Bob doesn't need to know τ at all.
Instead, he uses values directly from the public SRS — like:
τG
from the G-based SRSτH
from the H-based SRS
And he picks a random number a
himself.
Now he does this check using the pairing function:
e([a]τG, H) == e([a]G, τH)
All parts here are either from the public SRS or chosen by Bob
Here’s why this works:
Pairings follow the rule:
e(xG, yH) = e(G, H)^(xy)
So both sides become:
e(G, H)^(a * τ)
If both sides match, that means the same unknown τ was used across both SRS lists. Even though τ is deleted, the math proves everything was generated honestly.
let’s take it one step further with a Multi-Party Setup. This removes full trust from one person and makes the system safer. Let’s see how that works!
Multi-Party Setup
let say,
We want to:
- Commit to a polynomial
P(x) = 4x² + 7x + 8
- Prove that this polynomial evaluates to a specific value at a certain input
x = 2
- Verify the proof using the pairing check
Setup Phase (Trusted Phase)
Sita, Ram, Radha, Krishna individually choose private secrets: τ₁, τ₂, τ₃, τ₄
These secrets are multiplied together to form the final secret τ:
τ = τ₁ × τ₂ × τ₃ × τ₄
Nobody knows the final τ — unless all 4 collude and share their secrets (which we assume won't happen in a trusted setup).
Then, they publish the SRS:
[G, τG, τ²G, τ³G, ..., τⁿG]
These are just elliptic curve points. We never see τ itself, only powers of τ multiplied with G.
Step-by-Step: MPC Ceremony
Step 1: Sita starts the setup
Sita randomly picks a secret: τ₁
She computes:
G₀ = G
G₁ = τ₁·G
G₂ = τ₁²·G
G₃ = τ₁³·G
...
She destroys τ₁ (so no one knows it anymore).
She publishes only the resulting group elements:
[G, τ₁·G, τ₁²·G, τ₁³·G, …]
This is now the intermediate SRS.
Step 2: Ram adds her secret
Ram picks τ₂, without knowing τ₁.
She takes Sita’s output and raises everything to τ₂:
[G, τ₁·G, τ₁²·G, τ₁³·G, …]
⟶
[G, τ₁·τ₂·G, (τ₁·τ₂)²·G, …]
Again, she destroys τ₂ and only publishes the updated group elements.
Now the SRS is based on τ = τ₁·τ₂, but no one knows τ, not even Sita or Ram.
In the trusted setup of zkSNARKs:
- G, the generator point on the elliptic curve, is public
- The SRS (Structured Reference String) is also public, e.g., [G, τ·G, τ²·G, …]
- However, each participant’s secret value τ (tau) must remain private
This ensures that no one can cheat during proof generation — as long as even one participant deletes their τ, the setup remains secure.
If G and τ₁·G (from Sita) are both public in the SRS,
Q: Can Ram just “divide” τ₁·G by G and figure out Sita’s private τ₁?
No, Ram Can’t Because of a special hard problem in math called the Discrete Logarithm Problem (DLP).
Given G and τ₁·G, there’s no easy way to compute τ₁.
It’s like a trapdoor — easy to go forward (τ₁·G), but almost impossible to go backward.
Even with modern computers, it would take thousands of years to solve.
Steps 3 and 4: Radha and Krishna repeat
Each does the same:
- Pick secret τ₃ and τ₄
- Update the SRS by exponentiating it
- Destroy their secrets
In the end, the SRS looks like:
[G, τ·G, τ²·G, τ³·G, …]
where τ = τ₁·τ₂·τ₃·τ₄
This is your Structured Reference String (SRS). It’s public.
Commitment Phase
Say Surali (Prover) wants to commit to P(x) = 4x² + 7x + 8
Using the public SRS, Surali builds:
C = 4[τ²]G + 7[τ¹]G + 8[τ⁰]G
= 4·τ²G + 7·τG + 8·G
This is the commitment C
— it hides the coefficients, but is bound to P(x)
.
Let’s say someone wants to verify a claim:
Hey, Surali prove to me that this hidden polynomial evaluates to value v at x = 3.
then Surali (Prover) will Commit to the polynomial using the public SRS (Commitment Phase).
-
Commitment:
This is the commitment to the polynomial using the public SRS:
C=[P(τ)]G=4[τ2]G+7[τ1]G+8[τ0]G
This acts like a cryptographic fingerprint of the polynomial.
-
Evaluation value at the chosen point:
v=P(3)=4⋅32+7⋅3+8=36+21+8=65
Proof π:
Bob computes the quotient polynomial
Q(x) = (P(x) - P(3)) / (x - 5)
Then he commits to it using the SRS:
π=[Q(τ)]G
Prover Sends:
- C: the commitment
- v: the claimed evaluation at x = 3
π=[Q(τ)]G
: the proof
Verifying the Proof
Anyone can now verify that the committed polynomial evaluates to 65 at x = 3 by checking:
e(π,τH−[3]H) =? e(C−[v]G,H)
⟶
e(π, [τ - 3]H) =? e(C - [65]G, H)
Pairing functions are bilinear, which means:
e(aG,bH) = e(G,H)^ab = e(bG,aH)
That’s the superpower that makes verification possible.
The prover sends:
C = [P(τ)]G
v = P(x0) = P(3)
π = [Q(τ)]G, where Q(x)=(P(x) - v)/(x - x0)
we know that,
x0 = 3
v = P(3) = 65
So, P(x)−v = (x−3)Q(x) from (Q(x)=(P(x) - v)/(x - 3))
This is a key algebraic fact.
So, on the curve:
[P(τ)]G−[v]G = [(τ−3)Q(τ)]G at x = τ as Q(x)=(P(x) - v)/(x - 3)
Factor it out:
C−[v]G = [τ−3]⋅[Q(τ)]G as C = [P(τ)]G
Let’s simplify RHS:
C−[v]G = [τ−3]Q(τ)⋅G
Now Apply Pairing
Now take pairing on both sides with H (generator of group G₂ (public)):
e(C−[v]G,H) = e([τ−3]Q(τ)⋅G,H)
Using pairing properties:
e(C−[v]G,H) = e([Q(τ)]G,[τ−3]H) as e(aG,bH) = e(G,H)^ab = e(bG,aH)
Which is:
e(C−[v]G,H) = e(π,[τ−3]H) as π = [Q(τ)]G
That’s why this verification equation works — without knowing τ!
If both sides of this pairing match, the verifier is convinced:
“Yes, the committed polynomial really does evaluate to 65 at x = 3.”
All of this happens without revealing the polynomial!