Trusted Setups and Halo 2

Last reviewed: 2026-05-11

The biggest practical-cryptography milestone in Zcash’s history is one many users miss: with the Orchard pool activated in NU5 in May 2022, Zcash’s shielded transactions stopped requiring a trusted setup. The proof system underneath is Halo 2, and it matters far beyond Zcash.

This lesson explains what trusted setup is, why people worried about it, and what Halo 2 changed.

A trusted setup is a one-time procedure, before a SNARK system can be used, that generates a set of public parameters every prover and verifier will subsequently rely on.

The catch: generating those parameters involves random values. If anyone kept those random values instead of destroying them, they could produce fake proofs that verify as valid forever after. The discarded randomness is poetically called toxic waste.

For pairing-based SNARKs like Groth16, this toxic-waste problem is fundamental: the math requires a fresh secret to be sampled, used, and then erased. There’s no way to prove cryptographically that the secret was actually erased, so you have to design the ceremony so that at least one honest participant erased their share and the rest can’t reconstruct it without that share.

For the original Sprout pool, a small group of cryptographers and engineers met in person and across separate continents to run a multi-party computation that produced the parameters. Each participant contributed randomness, then physically destroyed the hardware that held their share: DVDs were shredded, drives were drilled, paranoia was high.

The mathematical guarantee: as long as at least one participant truly destroyed their toxic waste, the entire ceremony was secure. Six people participated in the original Sprout MPC. Catastrophe required all six to collude, keep their secrets, and reconstruct.

Zooko Wilcox wrote it up here, and Radiolab recorded an audio piece on it that’s worth a listen; it captures the strangeness of trying to make a publicly auditable cryptographic ritual out of a secret-destruction event.

A bug was later found in the Sprout circuit (the “counterfeiting vulnerability”, disclosed in 2018, fixed in 2019). It was unrelated to the ceremony itself and was patched without any visible exploitation. Worth noting for honesty; not a flaw of the trusted-setup model.

The Sapling “Powers of Tau” (2017–2018)

For the Sapling upgrade, the team designed an even bigger ceremony with hundreds of participants anyone could join. It came in two phases:

  1. Powers of Tau, a generic ceremony reusable for any Groth16-style circuit. Open public participation; about 90 contributions in the first phase.
  2. Sapling MPC: the circuit-specific phase, run by the Zcash team and ZF community.

It involved many independent participants, exotic hardware destruction (one participant blew up a GPU with thermite), and the same one-honest-participant security model. The bar for total collusion was now astronomically high.

But, and this is the point of the lesson, the assumption was still there. Every shielded Sapling transaction’s validity rests on the ceremony having had at least one honest participant who really destroyed their toxic waste. That’s a small assumption, but a non-zero one. Cryptographers prefer not to bet a privacy property on something they can’t prove.

For years, the SNARKs that made on-chain proofs feasible (Groth16 in particular) all required trusted setup. Removing it without giving up succinctness was an open research problem.

Two things had to land:

  1. A polynomial commitment scheme that didn’t require pairing-based parameters with a hidden trapdoor.
  2. Recursive proof composition that could keep proofs small while verifying earlier proofs inside new ones.

Both arrived together in the Halo line of work.

In 2019, Sean Bowe, Jack Grigg, and Daira Hopwood published Halo: the first practical SNARK that achieved recursive composition without trusted setup, using inner-product arguments over a pair of compatible elliptic curves (a cycle of curves).

Halo 2 is the production-ready evolution:

  • No trusted setup. Public parameters are derived deterministically. No ceremony, no toxic waste, no one-honest-participant assumption.
  • Recursive proof composition. A proof can verify another proof inside its circuit, which makes proof aggregation and rollups possible in principle.
  • Pasta curves (Pallas and Vesta). A 2-cycle of elliptic curves designed for Halo 2’s particular needs.
  • A custom-gate, lookup-friendly arithmetization (“Halo 2 PLONKish”) that keeps circuits efficient.
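
As an added illustration (not code from this lesson or from the Zcash project), the following Python toy models the one-honest-participant ceremony described earlier and the deterministic, hash-derived parameters Halo 2 uses instead. It replaces elliptic curves with the multiplicative group of a small prime field; the constants, function names and shares are all constructed assumptions.

```python
import hashlib

# Constructed toy group: Z_P* for a Mersenne prime, standing in for an
# elliptic-curve group. Exponents reduce mod Q, the group order, which is
# valid for every element of Z_P*.
P = 2**61 - 1   # prime modulus
Q = P - 1       # order of Z_P*
G = 3           # assumed base element; need not be a generator
DEGREE = 4      # SRS is [G^(tau^0), G^(tau^1), ..., G^(tau^DEGREE)]


def contribute(params, share):
    """One participant's update: raise the i-th element to share**i.
    Only before/after params are published; `share` is the toxic waste."""
    return [pow(elem, pow(share, i, Q), P) for i, elem in enumerate(params)]


def run_ceremony(shares):
    """Sequential MPC: start from tau = 1 and fold in every share."""
    params = [G] * (DEGREE + 1)
    for share in shares:
        params = contribute(params, share)
    return params


def combined_secret(shares):
    """The hidden trapdoor tau = product of all shares (mod Q)."""
    tau = 1
    for share in shares:
        tau = tau * share % Q
    return tau


def params_for_tau(tau):
    """The SRS as someone who knows tau outright would compute it."""
    return [pow(G, pow(tau, i, Q), P) for i in range(DEGREE + 1)]


def transparent_setup(label, count):
    """Halo-style alternative: hash a public label into `count` group elements.
    Nobody knows their discrete logs, so there is no tau and nothing to destroy.
    (Reduction mod P is slightly biased: fine for a toy, not for production.)"""
    elems = []
    for i in range(count):
        digest = hashlib.sha256(f"{label}:{i}".encode()).digest()
        elems.append(int.from_bytes(digest, "big") % (P - 2) + 2)  # in 2..P-1
    return elems
```

Running the ceremony with all shares reproduces `params_for_tau(combined_secret(shares))`, while any subset missing one erased share yields a different tau and a different SRS, which is exactly the one-honest-participant guarantee; `transparent_setup` shows the alternative where no such secret ever exists.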

When Orchard activated in NU5 (May 31, 2022), Zcash became the first major production cryptocurrency to deploy a SNARK without trusted setup. That milestone is the achievement worth remembering.

If you’re a Zcash user:

  • Use the Orchard pool when you can. Modern wallets do this by default through Unified Addresses. There’s no extra step to take advantage of the trustless property.
  • Sapling is still a strong pool: used by hundreds of thousands of shielded transactions and never broken. The Powers of Tau ceremony was rigorous. The trustless property in Orchard is an upgrade, not a fix.
  • Sprout is being deprecated via ZIP-2003. Funds in Sprout will need to be migrated.

If you’re a developer or researcher, Halo 2 has spawned a whole sub-field. It’s used directly by Penumbra, and its ideas influence ongoing work in Aztec, Mina, and several Ethereum L2s. The Zcash team’s research keeps pushing this forward, including ongoing work on Halo 2 successors and lookup-argument efficiency.

Putting the three Zcash shielded pools side by side:

Pool      Year  Proof system  Trusted setup?
Sprout    2016  BCTV14        Yes (Sprout Ceremony)
Sapling   2018  Groth16       Yes (Powers of Tau)
Orchard   2022  Halo 2        No, trustless

This single column, “Trusted setup?”, is the historical arc of zk applied cryptography in miniature.