Some proof systems need a one-off ritual before they can be used: a trusted setup, in which public parameters are generated from randomness that must then be destroyed. Understand that sentence and most of the discourse around SNARKs becomes legible.
The parameters are a kind of shared reference string the prover and verifier both use. Generating them involves secret randomness - and whoever knows that secret can forge proofs that verify. This is why the discarded secret is called toxic waste: it is harmless only if it no longer exists.
| System | Setup | The price |
|---|---|---|
| Groth16 | One ceremony per circuit | Repeat the ritual for every program change |
| PLONK-style | One universal, updatable ceremony | Same honesty assumption, held once |
| STARKs | None | Larger proofs |
Since no one should have to take a single party’s word for its destruction, real ceremonies are multi-party. Dozens or thousands of participants each contribute randomness in sequence, and the security guarantee becomes: the setup is sound if at least one participant was honest and destroyed their share. Large public ceremonies have made that assumption easy to accept in practice - but it remains an assumption, carried for the life of the system.
Two refinements matter. Groth16, the workhorse SNARK, needs a separate ceremony per circuit - change the program being proved and you repeat the ritual. PLONK-style systems moved to a universal setup: one ceremony covers any circuit up to a size limit, and anyone can add their own contribution later. Same assumption, far less operational pain.
And some systems opt out entirely. STARKs are transparent: built from hash functions, with no secret parameters and therefore nothing toxic to destroy. The price is bigger proofs. That three-way trade - per-circuit ceremony, universal ceremony, or no ceremony with larger proofs - is the real content of most “SNARK vs STARK” arguments you will encounter.
Ceremonies at planetary scale
The honesty assumption - someone in the ceremony was honest - gets easier to swallow as the participant list grows, and the industry has pushed it to remarkable lengths. Early per-circuit ceremonies were elaborate theatre out of necessity: air-gapped machines, filmed destruction of hardware, participants scattered across jurisdictions so no single authority could compel them all. The universal-setup era turned ceremonies into open, rolling events anyone could join from a browser, and the largest to date - run for a major blockchain’s upgrade - collected contributions from well over a hundred thousand participants. To forge proofs against that setup, every one of them would have had to collude or be compromised. The assumption never disappears; it just becomes an assumption about all of humanity who showed up, which is about as good as trusted setup gets.
Reading a setup claim
The checkable questions are mercifully short. Which kind of setup does the system use - per-circuit, universal, or none? If a ceremony: how many independent participants, is the transcript public, and can contributions still be added? And if a team says “no trusted setup”, confirm the proof sizes they are quoting come from the same transparent construction - it is not unknown for marketing to claim one family’s trust story alongside the other family’s byte counts.
The two ceremonies that bracket the field
The trust model’s evolution fits in two snapshots. October 2016: six people, three continents, air-gapped machines and destroyed hardware, generating Zcash’s original parameters - rigorous, filmed, and still uncomfortably compromisable in principle by a sufficiently motivated adversary who reached all six. January to August 2023: Ethereum’s KZG ceremony ran 208 days and took 141,416 contributions - the largest trusted setup ever performed - to generate the parameters now securing blob data under every major rollup since March 2024’s Dencun upgrade. The security claim is the same one-honest-participant logic at absurd scale: to break it, every single one of 141,416 contributors must have been dishonest, together. The final transcript is public, its hash is published, and anyone can verify it - which is, of course, the point of this desk existing.
- Why KZG at all - the commitment scheme these parameters power, in our rollup explainer.
- The setup-free path - STARKs, and the kilobytes they charge for transparency.