KZG Trusted Setup
For those who want to know about our production setup
For those new to ZK, we recommend skipping this section on first read.
Since we are using the Halo2 proving system with the KZG polynomial commitment scheme, all of our circuits rely on a one-time universal trusted setup (also known as a powers-of-tau ceremony). This is the same kind of ceremony that Ethereum is performing right now in preparation for EIP-4844 (aka proto-danksharding).
Due to the size of our circuits, we need a larger setup than the one used for danksharding. Fortunately, there are already existing large trusted setups performed by multi-party computations. We use the perpetual powers-of-tau ceremony used in production by Semaphore and Hermez.
In more detail, we used the following challenge from the ceremony. The challenge file is, however, formatted for use with snarkjs and a different proving system (Groth16). To convert it into a format usable by Halo2, we modified the original Rust code for the ceremony to read in the file, reformat it, and print out a new file. Our modified code is here. To convert the file challenge_0072, download the file and run
The original powers of tau goes up to 2^28 powers, but to reduce the time of conversion, we only needed the first 2^25 powers. For the convenience of future developers using Halo2, we are publicly hosting the Halo2-compatible trusted setup files below (k means 2^k powers of tau):
Last updated