Let’s explore one of the most popular trusted setups, which is known as the KZG, or “powers-of-tau,” ceremony. Credit to Ethereum cofounder Vitalik Buterin, whose blog post on trusted setups informed our ideas in this section. The setup generates the encodings of the powers-of-tau, so named because “tau” happens to be the variable used to express the secrets generated by participants:

pp = [[𝜏]_{1}, [𝜏^{2}]_{1}, [𝜏^{3}]_{1}, …, [𝜏^{n}]_{1}; [𝜏]_{2}, [𝜏^{2}]_{2}, …, [𝜏^{k}]_{2}]

For some applications (e.g. Groth16, a popular zkSNARK proving scheme designed by Jens Groth in 2016), this first phase of the setup is followed by a second phase, a multiparty computation (MPC) ceremony, that generates parameters for a specific SNARK circuit. However, our work focuses solely on phase one. This first phase – the generation of the powers-of-tau – is already useful as a foundational building block for universal SNARKs (e.g. PLONK and SONIC), as well as other cryptography applications, such as KZG commitments, Verkle trees and data-availability sampling (DAS). Generally, universal SNARK parameters should be very large so they can support big and useful circuits. Circuits that contain more gates are generally more useful as they can capture large computations; the number of powers-of-tau roughly corresponds to the number of gates in the circuit. So, a typical setup will be of size |pp| = ~40 GB and capable of supporting circuits with ~2^{28} gates. Given Ethereum’s current constraints, it would be infeasible to put such large parameters on-chain, but a smaller trusted setup ceremony useful for small SNARK circuits, Verkle trees, or DAS can feasibly be run on-chain.

The Ethereum Foundation is planning to run several smaller ceremonies for powers-of-tau of size 200 KB to 1.5 MB. While bigger ceremonies may seem better, given that larger parameters can create more useful SNARK circuits, bigger is, in fact, not always better. Certain applications, such as DAS, specifically need a smaller one! [The reason is very technical, but if you’re curious, it’s because a setup with n powers (in G_{1}) only enables KZG-commitments to polynomials of degree ≤ n, which is crucial for making sure that the polynomial underneath the KZG-commitment can be reconstructed from any n evaluations. This property enables data-availability sampling: every time t random evaluations of the polynomial are successfully obtained (sampled), it gives an assurance that the polynomial can be fully reconstructed with probability t/n. If you want to learn more about DAS, check out this post by Buterin on the Ethereum Research forum.]

We designed a smart contract that can be deployed on the Ethereum blockchain to run a trusted setup ceremony. The contract stores the public parameters – the powers-of-tau – fully on-chain, and collects participation through users’ transactions.

A new participant first reads those parameters:

pp_{0} = ([𝜏]_{1}, [𝜏^{2}]_{1}, [𝜏^{3}]_{1}, …, [𝜏^{n}]_{1}; [𝜏]_{2}, [𝜏^{2}]_{2}, …, [𝜏^{k}]_{2}),

then samples a random secret 𝜏’ and computes updated parameters:

pp_{1} = ([𝜏𝜏’]_{1}, [(𝜏𝜏’)^{2}]_{1}, [(𝜏𝜏’)^{3}]_{1}, …, [(𝜏𝜏’)^{n}]_{1}; [𝜏𝜏’]_{2}, [(𝜏𝜏’)^{2}]_{2}, …, [(𝜏𝜏’)^{k}]_{2}),

and publishes them on-chain with a proof that demonstrates three things:

- **Knowledge of discrete-log**: the participant knows 𝜏’. (A proof that the latest contribution to the trusted setup ceremony builds on the work of all preceding participants.)
- **Well-formedness of pp_{1}**: the elements indeed encode incremental powers. (A validation of the well-formedness of a new participant’s contribution to the ceremony.)
- **The update is not-erasing**: 𝜏’ ≠ 0. (A defense against attackers trying to undermine the system by deleting all participants’ past work.)

The smart contract verifies the proof and if it is correct, it updates the public parameters that it stores. You can find more details on the math and the reasoning behind it in the repo.
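The update and two of the three checks above can be traced in a small model. The following is an added example, not the contract's code or the repo's: it replaces the real pairing groups with an insecure toy group (integers mod a prime, where the "pairing" is multiplication), uses the standard pairing equations for well-formedness, and omits the proof of knowledge of 𝜏’. All names (`update`, `verify`, `demo`) and parameters are hypothetical.

```python
import secrets

# Toy stand-in for a pairing group. NOT secure: discrete logs are trivial here.
Q = 2**61 - 1      # prime group order (constructed toy parameter)
G1, G2 = 5, 7      # toy generators; [x]_1 = x*G1 mod Q, [x]_2 = x*G2 mod Q

def pairing(a, b):
    """Bilinear map: e([x]_1, [y]_2) = x*y*(G1*G2) mod Q."""
    return a * b % Q

def initial_pp(n, k):
    """Starting parameters for tau = 1: every power encodes the generator."""
    return [G1] * n, [G2] * k

def update(pp, t):
    """Scale the i-th power by t^i, turning [tau^i] into [(tau*t)^i]."""
    g1s, g2s = pp
    return ([x * pow(t, i, Q) % Q for i, x in enumerate(g1s, 1)],
            [y * pow(t, i, Q) % Q for i, y in enumerate(g2s, 1)])

def verify(pp):
    """Return None if pp is acceptable, otherwise the reason for rejection."""
    g1s, g2s = pp
    # Non-erasing: all-zero parameters satisfy every pairing equation below,
    # so this check cannot be folded into the well-formedness test.
    if g1s[0] == 0 or g2s[0] == 0:
        return "erasing update"
    # Both groups must encode the same tau.
    if pairing(g1s[0], G2) != pairing(G1, g2s[0]):
        return "G1 and G2 encode different secrets"
    # Consecutive powers: e([tau^(i+1)]_1, [1]_2) == e([tau^i]_1, [tau]_2).
    for prev, cur in zip(g1s, g1s[1:]):
        if pairing(cur, G2) != pairing(prev, g2s[0]):
            return "G1 powers malformed"
    for prev, cur in zip(g2s, g2s[1:]):
        if pairing(G1, cur) != pairing(g1s[0], prev):
            return "G2 powers malformed"
    return None

def demo():
    """Three honest updates, then an erasing and a tampered submission."""
    pp = initial_pp(4, 2)
    for _ in range(3):
        pp = update(pp, secrets.randbelow(Q - 1) + 1)  # tau' in [1, Q-1]
    erased = update(pp, 0)
    g1s = list(pp[0])
    g1s[2] = (g1s[2] + 1) % Q                           # corrupt [tau^3]_1
    return verify(pp), verify(erased), verify((g1s, pp[1]))

if __name__ == "__main__":
    print(demo())
```

In a real deployment the same equations are evaluated with an elliptic-curve pairing, so the verifier never learns 𝜏 or 𝜏’.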