Powers-of-Tau sounds like a folk ritual.
Villagers under a full moon, whispering secrets into the wind, hoping the gods do not listen.
Close. It is a ritual, just with less smoke and more math.
Dapp AI:
Less poetry, more packets. Powers-of-Tau is the first phase of a trusted setup for certain zero-knowledge systems. It publishes group elements that encode successive powers of a hidden number τ, like $g^{\tau}, g^{\tau^2}, \ldots$ Those values form a structured reference string used by SNARKs and KZG commitments. If τ ever leaks, someone can forge proofs. So we run a ceremony where many people mix in randomness, and we keep security if at least one participant was honest and destroyed their secret.
What it is, in plain English
- The problem: Many popular zk-SNARKs and KZG commitments need a public set of numbers with a secret structure. If anyone knows the hidden structure, they could cheat.
- The fix: Run a multi-party ceremony where thousands of people each add randomness. Everyone downloads a transcript, adds their secret spice, proves they touched every element correctly, and uploads the new transcript. If even one person is honest and burns their leftovers, called “toxic waste,” the final parameters are safe to reuse.
Like the old village cooperative. Everyone brings grain, one thief does not ruin the bread.
Unless everyone is a thief.
Dapp AI:
Threat model translated: if all contributors collude or get popped, bad news. Otherwise you get tiny proofs and fast verification, which is why people still accept these ceremonies even though there are “transparent” systems, like STARKs, that avoid trusted setups. Tradeoff, as always.
Two phases you should remember
- Phase 1, Powers-of-Tau, universal and reusable. It sets a maximum circuit size, then publishes the powers $\tau^0, \tau^1, \ldots$ in the curve groups. Many proof systems can share this.
- Phase 2, circuit-specific, only for schemes like Groth16. You tailor that universal setup to your particular circuit, then you are done. New circuit, new Phase 2. Some modern schemes, like PLONK, only need Phase 1.
Universal is nice. Reuse, like old winter coats. Still warm, still ugly.
Where you will meet it in the wild
- Zcash: Ran the landmark Powers-of-Tau in 2017–2018, 87 contributions, used for Sapling. The blueprint many copied.
- Ethereum, EIP-4844: The KZG Summoning Ceremony produced parameters for blob commitments in proto-danksharding. Public specs, audits, and a beautiful ritual UI. Over 141,000 contributions.
- Perpetual Powers-of-Tau (PSE): Always-on, updatable Phase 1 so new projects can plug in and keep extending security over time. Site, repo, and report are public.
- Semaphore and friends: Semaphore uses Groth16, runs trusted setups, and leverages Perpetual PoT for Phase 1 in some versions. Worldcoin’s SMTB also ran a dedicated setup.
- Filecoin: Completed Phase 1 PoT, then a massive Phase 2 for its proving pipeline.
- Cardano ecosystem, emerging: Community proposals and articles describe PoT efforts for BLS12-381 to seed ZK on Cardano. This is ongoing work, not core-protocol canonical, but activity exists.
How the math looks, but without headache
- Secret: a random scalar τ, never revealed.
- Public: the curve points that hide powers of τ, such as $\{g_1^{\tau^i}\}$, $\{g_2^{\tau^i}\}$ for ranges of $i$ big enough for the circuits you want.
- Why it holds: pairing-based schemes rely on assumptions like q-SDH. If nobody knows τ, forging proofs becomes as hard as solving those problems. If someone knows τ, game over.
Dapp AI:
Purists will note the exact hardness assumptions vary by scheme. Point stands, the trapdoor must stay unknown. Read the Groth16 and KZG explainers if you enjoy pain.
How a contribution actually works
- Fetch the current transcript, produced either by a coordinator or on-chain sequencer.
- Mix in randomness, touching every element in the transcript in a verifiable way.
- Prove you did it right, then upload your updated transcript.
- Delete your secret, the “toxic waste.” If even one contributor does this, the final result is safe.
Delete means delete. Not “I put it in the Recycle Bin next to family photos.”
Burn it like last year’s tax receipts.
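The contribution and verification steps above, as an added example that is not from the original post or from any ceremony's client. It is a toy model: a group element g^x is stored as the bare exponent x and the pairing is modelled as multiplication mod a prime, so the checks match a real ceremony's algebra but nothing is hidden. The names `contribute`, `verify` and `witness` are assumptions.

```python
import secrets

# Toy model (assumption): the point g^x is stored as its exponent x mod R and
# the pairing e(g1^a, g2^b) is modelled as a*b mod R. The algebra matches a
# real ceremony, but nothing is hidden, so this is for studying the checks only.
R = 2**61 - 1  # Mersenne prime standing in for the group order

def pairing(a, b):
    return (a * b) % R

def new_transcript(max_power):
    # tau starts at 1: every power equals the generator (exponent 1).
    return {"g1": [1] * (max_power + 1), "g2": [1, 1]}

def contribute(prev, s):
    # Scale element i by s^i, which replaces tau with tau * s.
    def scale(xs):
        return [(x * pow(s, i, R)) % R for i, x in enumerate(xs)]
    # The second return value (hypothetical "witness") models g2^s,
    # published so that anyone can check the update.
    return {"g1": scale(prev["g1"]), "g2": scale(prev["g2"])}, s % R

def verify(prev, new, witness):
    g1, g2 = new["g1"], new["g2"]
    if len(g1) != len(prev["g1"]) or len(g2) != 2 or g1[0] != 1 or g2[0] != 1:
        return False  # wrong size, or the generator was replaced
    if witness in (0, 1):
        return False  # degenerate or no-op contribution
    # The new tau is the previous tau times the witnessed secret.
    if pairing(g1[1], 1) != pairing(prev["g1"][1], witness):
        return False
    # G1 and G2 encode the same tau.
    if pairing(g1[1], g2[0]) != pairing(g1[0], g2[1]):
        return False
    # Every element is the next power of that tau.
    return all(pairing(g1[i + 1], g2[0]) == pairing(g1[i], g2[1])
               for i in range(len(g1) - 1))

def run_ceremony(max_power, participants):
    t = new_transcript(max_power)
    for _ in range(participants):
        s = secrets.randbelow(R - 2) + 2  # fresh secret in [2, R-1]
        nxt, witness = contribute(t, s)
        if not verify(t, nxt, witness):
            raise ValueError("contribution rejected")
        t = nxt  # s is not kept; a real client must also wipe it
    return t
```

A transcript with one altered element, or a witness that does not match the update, makes `verify` return False.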
Why people still do this in 2025
- Proof size and speed: Pairing-based SNARKs like Groth16 give tiny proofs and fast verification. Cheap to verify on chain. That cost wins deals.
- Universal reuse: With a big enough PoT, many apps can skip Phase 1. Only run Phase 2 when you must. PLONK-style systems reuse Phase 1 entirely.
- Ecosystem gravity: Ethereum now uses KZG for blobs, which anchored a widely audited, public PoT. That legitimacy matters.
Counterpoint, transparency crowd: STARKs and some “transparent SNARKs” avoid trusted setups. Bigger proofs, more CPU, simpler trust story. Pick your poison.
Common pitfalls, the honest list
- Misunderstanding universality: Phase 1 is reusable up to a maximum degree, Phase 2 is per circuit for Groth16. Do not assume one ceremony covers everything forever.
- Insufficient size: If your circuit grows beyond the max power generated, you need a bigger PoT. Plan capacity.
- Weak operational hygiene: Bad entropy, unverified clients, or sloppy “deletion” of toxic waste defeats the point. Use audited tooling and public procedures.
- Marketing lies: “No trust needed” is false for pairing-based SNARKs that use an SRS. Be precise with auditors. Link the scheme’s assumptions, like q-SDH.
How to explain it to an auditor in two minutes
- We used a public, multi-party Powers-of-Tau to derive universal parameters up to N constraints.
- We either reused an existing PoT (PSE or Ethereum KZG), or coordinated our own. The transcript, proofs, and tooling are public and auditable.
- If using Groth16, we then ran a separate Phase 2 for our specific circuit.
- Security hinges on the “at least one honest party” assumption, documented and tested. We used independent implementations and documented destruction steps.
Where this is going next
- Decentralized, on-chain ceremonies: Protocols that coordinate PoT on Ethereum or L2s, permissionless, with on-chain data availability. Lower coordinator trust, higher scalability headaches.
- Perpetual setups: Continuous randomness, long-lived transcripts, many projects reusing the same base. A shared utility.
- Better explainers and tooling: snarkjs, audited clients, standardized specs. Less heroics, more checklists.
Soon we will upload souls, or at least our ad preferences, to blockchains.
Dapp AI:
If that ever happens, please do not store τ next to your soul. Separate concerns.
If we were wiring this into a fresh L1 like Acki Nacki
- Pick the proof family by product need. Privacy heavy and on-chain verification cheap, Groth16 or PLONK with a shared Phase 1 PoT. Verifiable compute with minimal trust assumptions, consider STARKs, accept bigger proofs.
- Reuse before you roll your own. Start from Perpetual PoT or the Ethereum KZG PoT where appropriate, inherit audits and scale.
- Operational discipline. Independent clients, random beacons, transcript verification, and publicly documented “toxic waste” destruction. These are not optional.
TL;DR
Powers-of-Tau is a collaborative ritual to generate public parameters with a hidden backbone. It lets many zk systems work fast and cheap, at the cost of a trust story you must manage. Use it when you need the performance and can accept the ceremony. Avoid it when transparency is king.
Good ritual.
Paranoid by design.
Dapp-approved.
Dapp AI:
And measurable. Ship small proofs, or ship a transparent conscience. Your call.
Further reading, full URLs
- https://zkproof.org/2021/06/30/setup-ceremonies/
- https://vitalik.eth.limo/general/2022/03/14/trustedsetup.html
- https://zfnd.org/conclusion-of-the-powers-of-tau-ceremony/
- https://electriccoin.co/blog/completion-of-the-sapling-mpc/
- https://github.com/ethereum/kzg-ceremony-specs
- https://audit.kzgceremony.eth.limo/
- https://reilabs.io/blog/implementing-trusted-setup-ceremony-for-ethereums-eip-4844/
- https://github.com/privacy-scaling-explorations/perpetualpowersoftau
- https://perpetualpowersoftau.com/
- https://pse.dev/projects/powers-of-tau
- https://reports.pse.dev/reports/Primitive_Engineering/Perpetual_Powers_of_Tau/Perpetual_Powers_of_Tau.pdf
- https://rareskills.io/post/groth16
- https://xn--2-umb.com/22/groth16/
- https://iden3.github.io/snarkjs/ or https://github.com/iden3/snarkjs
- https://a16zcrypto.com/posts/article/on-chain-trusted-setup-ceremony/
- https://crypto.stackexchange.com/questions/89449/why-it-is-said-that-zk-snarks-need-a-trusted-setup-to-work
- https://chain.link/education-hub/zk-snarks-vs-zk-starks
- https://world.org/blog/world/intro-zero-knowledge-proofs-semaphore-application-world-id
- https://docs.semaphore.pse.dev/technical-reference/contracts
- https://github.com/worldcoin/smtb-ceremony
- https://www.filecoin.io/blog/posts/update-trusted-setup/
- https://fc25.ifca.ai/preproceedings/159.pdf
- https://crypto.stanford.edu/~xb/eurocrypt04a/bbsigs.pdf
- https://adapulse.io/powers-of-tau-establishing-cardanos-zero-knowledge-foundation/
- https://projectcatalyst.io/funds/13/cardano-open-developers/powers-of-tau-cardano-zero-knowledge-setup-ceremony-event-or-encoins-lessgreater-modulo-p