Jun 01, 2026

Why an SRS Publishes tau G Instead of tau

A trusted setup has a simple-looking puzzle:

People need powers of tau.
Nobody should know tau.

That sounds contradictory until you introduce the group generator G.

The purpose of G is not just to "mask" tau. The real purpose is to move numbers into a cryptographic group where the algebra still works, but recovering the hidden scalar is hard.

The Precise Step Flow

Keep these five steps separate:

1. Raw powers expose tau.
2. Group elements lock those powers.
3. Discrete log prevents recovering the hidden exponents.
4. Group operations still preserve polynomial algebra.
5. Real SNARK setup files publish locked powers in groups like G1 and G2.

That is the whole tension an SRS has to solve:

hide tau
preserve algebra over powers of tau

Hashes can help with hiding. They cannot preserve the algebra SNARKs need. Elliptic-curve group elements can do both.

Without G

If a setup published the raw powers:

tau   = 5
tau^2 = 25
tau^3 = 125

then everybody immediately knows tau = 5. They also know every later power:

5
25
125

There is no secret. There is no setup security. Anyone who needs the toxic waste has it.

With G

Instead, the setup publishes group elements:

G
tau * G
tau^2 * G
tau^3 * G

In multiplicative notation, you often see the same idea written as:

g
g^tau
g^(tau^2)
g^(tau^3)

If tau = 5, the public values conceptually become:

g
g^5
g^25
g^125

But users do not see the exponents directly. They see group elements.

Recovering the exponent from the group element is the discrete logarithm problem:

given: g, g^5, g^25, g^125
find: 5, 25, 125

For the elliptic-curve groups used in real proof systems, this is assumed to be computationally infeasible.

The Box Analogy

Think of G as a one-way lock mechanism.

tau = 5

Box(5)
Box(25)
Box(125)

Everyone can see the boxes. Everyone can pass the boxes around. Everyone can combine boxes in certain algebraic ways.

The group generator G is what makes this one-way box possible.

But nobody can open a box to recover:

5
25
125

That is the useful intuition:

tau   = secret number
G     = lock mechanism
tau G = locked secret
tau^2 G = locked square
tau^3 G = locked cube

A Small Toy Example

Real systems use elliptic-curve points. For a tiny hand-checkable model, pretend our group is arithmetic modulo 97.

G = 5
tau = 7
scalar multiplication = scalar * G mod 97

Then:

Term       Scalar               Published toy group element
G          1                    1 * 5 mod 97 = 5
tau G      7                    7 * 5 mod 97 = 35
tau^2 G    7^2 mod 97 = 49      49 * 5 mod 97 = 51
tau^3 G    7^3 mod 97 = 52      52 * 5 mod 97 = 66

The public SRS is:

[5, 35, 51, 66]

The secret is still:

tau = 7

This toy group is not secure. It is intentionally tiny. The point is to see the shape:

[G, tau G, tau^2 G, tau^3 G]

In a real elliptic-curve group, the published values are curve points, and extracting tau from those points is the hard problem.
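The toy model above written out as Python so its shape can be checked by hand. This is an added example, not code from the post; the function names (toy_srs, toy_discrete_log, recover_tau_from_toy_srs, srs_is_consistent) are chosen here. It also makes the "not secure" remark concrete: in a group of 97 elements the locked values can be opened by trying every scalar, which is exactly the search a real elliptic-curve group has to make infeasible.

```python
# Toy model of the setup, constructed for this example: the "group" is the
# integers mod 97 under addition, G = 5, and scalar multiplication is
# scalar * G mod 97. This is not a secure group; it only shows the shape.

TOY_MODULUS = 97


def raw_powers(tau, degree):
    """The 'Without G' case: the setup would publish tau, tau^2, ... in the clear."""
    return [tau ** i for i in range(1, degree + 1)]


def toy_srs(G, tau, degree, modulus=TOY_MODULUS):
    """The 'With G' case: publish [G, tau G, tau^2 G, ..., tau^degree G].
    The scalars tau^i are reduced mod 97 first, as in the table above."""
    return [pow(tau, i, modulus) * G % modulus for i in range(degree + 1)]


def toy_discrete_log(base, target, modulus=TOY_MODULUS):
    """Find k with k * base == target (mod modulus) by trying every scalar.
    At most `modulus` steps here; for a real curve group of roughly 2^255
    elements the same exhaustive search is computationally infeasible."""
    for k in range(modulus):
        if k * base % modulus == target:
            return k
    return None


def recover_tau_from_toy_srs(srs, modulus=TOY_MODULUS):
    """tau is the discrete log of (tau G) with respect to G: srs[1] relative to srs[0]."""
    return toy_discrete_log(srs[0], srs[1], modulus)


def srs_is_consistent(srs, tau, modulus=TOY_MODULUS):
    """Every published element is the previous one multiplied by the same tau."""
    return all(srs[i] == tau * srs[i - 1] % modulus for i in range(1, len(srs)))


if __name__ == "__main__":
    public = toy_srs(G=5, tau=7, degree=3)
    print("raw powers without G:", raw_powers(5, 3))
    print("toy SRS with G:      ", public)
    print("tau recovered by search:", recover_tau_from_toy_srs(public))
```

Running it prints the table's column [5, 35, 51, 66] and then recovers tau = 7 in at most 97 steps, which is the whole reason the text insists the toy group is only a model.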

Why Not Just Publish Hashes?

A natural question:

Why not publish:

Hash(5)
Hash(25)
Hash(125)

Hashes hide the numbers, but they destroy the algebra.

SNARKs and polynomial commitments need the prover to combine powers of tau.

For example:

3(tau^2 G) + 2(tau G) + 1(G)

This becomes:

(3 tau^2 + 2 tau + 1)G

That is the core trick. The prover can form a group element representing a polynomial evaluated at the hidden point tau, without learning tau.

Hashes do not support this:

3 Hash(tau^2) + 2 Hash(tau) + Hash(1)

That expression has no useful SNARK meaning. Hash outputs are bytes. They do not preserve the polynomial algebra the proof system needs.

The Two Requirements

The SRS must satisfy two requirements at the same time.

1. Hide tau

You should not learn:

tau

from:

G
tau G
tau^2 G
tau^3 G

That hiding comes from the hardness of discrete logarithms in the chosen group.

2. Preserve Algebra

The prover still needs to combine:

G
tau G
tau^2 G
tau^3 G
...

into polynomial commitments and proof elements.

Example:

f(x) = 3x^2 + 2x + 1

Using the SRS:

3(tau^2 G) + 2(tau G) + 1(G)

gives:

f(tau)G

The prover gets the locked evaluation f(tau)G, not the raw number f(tau).

That is why elliptic-curve groups are useful here. They hide the scalar while preserving linear algebra over hidden scalars.
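An added example, not the post's own code, of the two requirements on an actual elliptic curve. It uses secp256k1 only because its group law fits in a few lines of plain Python and discrete logs are believed hard there; SNARK setups use pairing-friendly curves such as BLS12-381 instead, and that choice does not affect this point. The scalar TAU_EXAMPLE and the helper names (ec_add, ec_mul, build_srs, commit, eval_poly, hash_lock, hash_combination_matches) are assumptions made here. The last function also covers the hash question from the earlier section: treating SHA-256 outputs as numbers and combining them linearly does not produce the hash of f(tau), whereas the same linear combination of group elements does produce f(tau)G.

```python
import hashlib

# secp256k1 constants (standard public curve parameters).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F  # field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order of G
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

# Constructed for this example; a real ceremony destroys tau after use.
TAU_EXAMPLE = 0x5EC5E7C0FFEE123456789ABCDEF0
COEFFS = (1, 2, 3)  # f(x) = 3x^2 + 2x + 1, lowest-degree coefficient first


def ec_add(p1, p2):
    """Group law on y^2 = x^3 + 7 over F_P; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # p1 == -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Scalar multiplication k * pt by double-and-add; k is reduced mod N."""
    k %= N
    acc, addend = None, pt
    while k:
        if k & 1:
            acc = ec_add(acc, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return acc


def build_srs(tau, degree):
    """Public SRS [G, tau G, tau^2 G, ..., tau^degree G]; tau itself is not in it."""
    return [ec_mul(pow(tau, i, N), G) for i in range(degree + 1)]


def commit(coeffs, srs):
    """sum_i c_i * (tau^i G), computed from the SRS alone without knowing tau."""
    acc = None
    for c, locked_power in zip(coeffs, srs):
        acc = ec_add(acc, ec_mul(c, locked_power))
    return acc


def eval_poly(coeffs, x):
    """f(x) = sum_i c_i x^i mod N; only the holder of tau can run this at x = tau."""
    return sum(c * pow(x, i, N) for i, c in enumerate(coeffs)) % N


def hash_lock(value):
    """The 'publish hashes instead' alternative: SHA-256 of the integer, as a number."""
    return int.from_bytes(hashlib.sha256(str(value).encode()).digest(), "big")


def hash_combination_matches(coeffs, tau):
    """Combine hash 'locks' linearly and compare with the hash of f(tau).
    Unlike the group case there is no algebraic relation, so this is False."""
    combined = sum(c * hash_lock(pow(tau, i, N)) for i, c in enumerate(coeffs)) % (1 << 256)
    return combined == hash_lock(eval_poly(coeffs, tau))


if __name__ == "__main__":
    srs = build_srs(TAU_EXAMPLE, 3)
    locked_eval = commit(COEFFS, srs)
    print("commit equals f(tau)G:", locked_eval == ec_mul(eval_poly(COEFFS, TAU_EXAMPLE), G))
    print("hash version combines:", hash_combination_matches(COEFFS, TAU_EXAMPLE))
```

The prover side (commit) only touches the four public points; the comparison against ec_mul(eval_poly(...), G) is something only the party holding tau could compute, and it is there purely to show that the two routes land on the same curve point.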

Additive vs Multiplicative Notation

You will see both styles:

tau G

and:

g^tau

They describe the same mental model in different notation.

Elliptic-curve cryptography usually uses additive notation:

tau G

Pairing papers and some explanations use multiplicative notation:

g^tau

In both cases, tau is the hidden scalar and the public object is a group element.

What This Looks Like In Zcash-Style Setups

In real trusted setups, the values are not tiny integers.

At the simplified powers-of-tau level, the published values look more like:

[G1]
[tau G1]
[tau^2 G1]
[tau^3 G1]
...

and:

[G2]
[tau G2]
[tau^2 G2]
...

G1 and G2 are generators of two elliptic-curve groups used with pairings.

The generators are public. They are not the toxic waste.

For a Powers of Tau setup, the dangerous value is the hidden tau. For full circuit-specific SNARK setups, including Zcash-style circuit parameters, there may be additional trapdoor scalars too. But the same idea applies:

public group elements
hidden scalar trapdoors
algebra preserved in the group
discrete log prevents opening the locked values

Why Pairings Need Two Groups

Many SNARK systems use pairings.

A pairing is a special map that lets you check multiplicative relationships between hidden exponents:

e(aG1, bG2) = e(G1, G2)^(ab)

Do not worry about the full details yet. The important part is that pairings let verifiers check algebraic consistency without learning the hidden scalars.

That is why real setup files may contain powers in both G1 and G2.

They are not publishing tau.

They are publishing locked powers of tau in groups that support the later proof checks.
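An added toy illustration, not from the post, of what "algebraic consistency" means for powers published in two groups. It uses the smallest bilinear map one can write down: G1 and G2 are both the integers mod 11 under addition, and e(a, b) = 2^(a*b) mod 23, which satisfies e(aG1, bG2) = e(G1, G2)^(ab) because 2 has order 11 mod 23. With it, a verifier can check that every G1 power is the previous one multiplied by the same hidden tau, using only the published tau G2, and the check fails when one element is tampered with. The function names, the parameters 11 and 23, and tau = 4 are constructed here; the additive groups make discrete log trivial, so this shows the structure of the check, not its security.

```python
# Toy bilinear map constructed for this example. Not secure: G1 and G2 are
# Z_11 under addition, so tau can be read off tau*G1 by division mod 11.
Q = 11         # order of the toy groups G1 and G2 (integers mod Q, addition)
P_TARGET = 23  # target group: the order-11 subgroup of (Z_23)*, generated by 2
H = 2          # 2^11 = 2048 = 1 (mod 23), so 2 has order 11 mod 23
G1 = 1         # generator of toy G1; scalar k gives k * G1 mod Q
G2 = 1         # generator of toy G2


def pairing(a, b):
    """e(a, b) = H^(a*b) mod 23. Bilinear: e(x*a, y*b) = e(a, b)^(x*y)."""
    return pow(H, (a * b) % Q, P_TARGET)


def toy_setup(tau, degree):
    """Publish [G1, tau G1, ..., tau^degree G1] and [G2, tau G2]; tau stays hidden."""
    srs_g1 = [pow(tau, i, Q) * G1 % Q for i in range(degree + 1)]
    srs_g2 = [G2, tau * G2 % Q]
    return srs_g1, srs_g2


def verify_powers(srs_g1, srs_g2):
    """Check e(tau^i G1, G2) == e(tau^(i-1) G1, tau G2) for every i >= 1.
    Both sides equal e(G1, G2)^(tau^i) when the G1 powers really are
    successive multiples of the tau locked in G2, so the verifier never
    needs tau itself. Returns the first failing index, or None if all pass."""
    g2, tau_g2 = srs_g2
    for i in range(1, len(srs_g1)):
        if pairing(srs_g1[i], g2) != pairing(srs_g1[i - 1], tau_g2):
            return i
    return None


if __name__ == "__main__":
    g1_powers, g2_powers = toy_setup(tau=4, degree=3)
    print("G1 powers:", g1_powers, " G2 powers:", g2_powers)
    print("honest SRS fails at:", verify_powers(g1_powers, g2_powers))
    tampered = list(g1_powers)
    tampered[2] = (tampered[2] + 1) % Q  # replace tau^2 G1 with an unrelated element
    print("tampered SRS fails at:", verify_powers(tampered, g2_powers))
```

Real ceremony verifiers run the same kind of pairing equation over the G1 and G2 powers of a setup file; the difference is only that the groups are pairing-friendly elliptic curves in which the locked values cannot be opened.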

The Core Trick

The core cryptographic trick is:

The prover can do algebra with locked values,
but cannot unlock those values to recover tau.

So the mental model is:

tau        = secret number
G          = public lock mechanism
tau G      = locked secret
tau^2 G    = locked square
tau^3 G    = locked cube

And the reason this works is:

discrete log hides the exponent
group operations preserve algebra
pairings allow special consistency checks

That is why SRS-based SNARKs do not publish tau, and why replacing the SRS with hashes would not work.

Thanks for reading! If you want to see future content, you can follow me on Twitter or get connected over at LinkedIn.


Support My Content

If you find my content helpful, consider supporting a humanitarian cause (building homes for elderly people in rural Terai region of Nepal) that I am planning with your donation:

Ethereum (ETH)

0xB62409A5B227D2aE7D8C66fdaA5EEf4eB4E37959

Thank you for your support!