Scalable Multi-Party Computation for zk-SNARK Parameters in the Random Beacon Model (Zcash Sapling MPC)

Authors Bowe, Sean; Gabizon, Ariel; Miers, Ian
Year 2017
Project Zcash
License MIT
Official Source https://eprint.iacr.org/2017/1050

This page is an educational summary and analysis of an official whitepaper or technical paper, written for reference purposes. It is not a verbatim reproduction. CryptoGloss does not claim authorship of the original work. All intellectual property rights remain with the original author(s). The official document is linked above.

“Scalable Multi-Party Computation for zk-SNARK Parameters in the Random Beacon Model” is a 2017 IACR ePrint paper by Sean Bowe, Ariel Gabizon, and Ian Miers of the Electric Coin Company (ECC). It describes the cryptographic protocol enabling the Zcash Sapling Powers of Tau ceremony — a multi-party computation (MPC) that generates SNARK proving parameters across many independent participants, where security holds if any single participant behaves honestly.

Sapling (October 2018) was Zcash’s most significant upgrade: it replaced the Sprout circuit and Libsnark-based proofs with a new, dramatically more efficient circuit built on the Groth16 proving system over BLS12-381 — providing ~100x faster shielded transaction proving, enabling practical mobile wallet support.

> PDF hosting: The Sapling MPC paper is at eprint.iacr.org/2017/1050. The full Sapling protocol specification is part of the Zcash Protocol Specification.


Publication and Context

Zcash’s original Sprout launch in 2016 used a 6-participant MPC ceremony with significant operational security (hardware destroyed after use, etc.). While reasonable for the time, the 6-participant ceremony was a weak security foundation: compromise of 2–3 participants’ secrets could potentially compromise the setup.

The Sapling upgrade addressed this with a new ceremony design that:

  1. Supported hundreds of participants (the actual Sapling ceremony had ~100 participants in 2018)
  2. Provided stronger security in the “random beacon” model (using verifiable randomness)
  3. Allowed results to be publicly audited

Separately from the ceremony improvements, the Sapling circuit itself was dramatically redesigned.


The Sapling Circuit: Technical Improvements

New elliptic curve: BLS12-381

Sapling switched from the original Libsnark curves to BLS12-381 — a pairing-friendly elliptic curve designed specifically for SNARK efficiency:

  • 381-bit base field (larger than the 254-bit curve used in Sprout)
  • Better security level (128 bits vs. ~80 bits effective with Sprout’s curve)
  • Highly optimized arithmetic in major languages (Rust, C++, Java)

New circuit components:

| Component | Sprout | Sapling |
| --- | --- | --- |
| Hash function | SHA-256 (expensive in SNARK circuits) | Pedersen hash (much cheaper) |
| Signature scheme | ECDSA over BN-256 | RedJubjub over the Jubjub curve |
| Proving time (mobile) | ~40 seconds | ~1 second |

Jubjub curve:

The Sapling circuit introduced the Jubjub curve, a twisted Edwards curve defined over BLS12-381’s scalar field. Because Jubjub’s base field is exactly the field the SNARK circuit computes in, Jubjub arithmetic can be expressed natively inside the circuit, which is far cheaper than emulating general elliptic curve operations.


The Powers of Tau Ceremony

The multi-party computation (MPC) to generate Sapling’s “Powers of Tau” (the structured reference string needed for Groth16 proofs) followed these principles:

Security model: The ceremony is secure if at least one participant destroys their secret (“toxic waste”) after contributing. An adversary would need to compromise ALL participants to forge proofs.

Structure:

  1. First participant generates randomness, computes contribution, publishes result, destroys private input
  2. Each subsequent participant receives the previous output, adds their own contribution, publishes, destroys their secret
  3. Final output is the cumulative “powers of tau” — verifiable by anyone

Phase 2: After the universal Powers of Tau, each application (each Zcash circuit component) requires a circuit-specific second phase MPC. Sapling had separate Phase 2 ceremonies for the Sapling spend circuit and output circuit.
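The contribution chain above (steps 1 to 3) plus the random-beacon finish, as an added toy example that is not code from the paper or from Zcash’s own ceremony software: group elements are modelled as exponents in Z_q, so the two pairing equations an auditor checks become ordinary products mod q. This reproduces the algebra and the verification structure only; the discrete log is trivial in this toy, so the secrecy of the toxic waste is not demonstrated.

```python
import hashlib
import secrets
Q = 2**61 - 1   # prime toy group order (constructed; not BLS12-381's r)
DEGREE = 4      # highest power of tau kept in the accumulator

# Toy group: element [x] is x mod Q and scalar multiplication is a product mod Q,
# so the "pairing" e([a]_1, [b]_2) = [a*b]_T is a product as well.
def pair(a, b):
    return (a * b) % Q

def initial_accumulator(degree=DEGREE):
    # Before anyone contributes tau = 1: [tau^i]_1 = 1 for i = 0..degree, [tau]_2 = 1.
    return {"pow1": [1] * (degree + 1), "tau2": 1}

def contribute(acc, s):
    """One participant's step: rescale [tau^i]_1 by s^i and [tau]_2 by s. Returns the
    new accumulator and the public key [s]_2 used to link transcripts; s is toxic waste."""
    pow1 = [(x * pow(s, i, Q)) % Q for i, x in enumerate(acc["pow1"])]
    return {"pow1": pow1, "tau2": (acc["tau2"] * s) % Q}, s % Q

def verify_chain(acc):
    """Check 1: e([tau^i]_1, [tau]_2) == e([tau^(i+1)]_1, [1]_2): powers of one tau."""
    p, t = acc["pow1"], acc["tau2"]
    return all(pair(p[i], t) == pair(p[i + 1], 1) for i in range(len(p) - 1))

def verify_step(old, new, pubkey2):
    """Check 2: e([tau_new]_1, [1]_2) == e([tau_old]_1, [s]_2): new tau = old tau * announced s."""
    return pair(new["pow1"][1], 1) == pair(old["pow1"][1], pubkey2)

def beacon_scalar(beacon_bytes):
    # Random beacon model: scalar derived from a public value revealed after all contributions.
    return int.from_bytes(hashlib.sha256(beacon_bytes).digest(), "big") % Q or 1

def run_ceremony(n_participants, beacon_bytes, rng=secrets.randbelow):
    """Steps 1-3 above: chain n contributions, then fold in the beacon scalar."""
    acc, transcript = initial_accumulator(), []
    for _ in range(n_participants):
        s = rng(Q - 1) + 1                    # fresh secret in [1, Q-1]
        new_acc, pubkey2 = contribute(acc, s)
        transcript.append((acc, new_acc, pubkey2))
        acc = new_acc                         # s is dropped here, never stored
    final, _ = contribute(acc, beacon_scalar(beacon_bytes))
    return final, transcript

def audit(final, transcript, beacon_bytes):
    """Public audit: each step links to its predecessor, the beacon came last, chain is consistent."""
    links = all(verify_step(o, n, pk) for o, n, pk in transcript)
    beacon_ok = verify_step(transcript[-1][1], final, beacon_scalar(beacon_bytes))
    return links and beacon_ok and verify_chain(final)
```

Because the final scalar is a hash of a value nobody could know while contributing, the last participant cannot bias tau; anyone holding the transcript can rerun `audit` without trusting the coordinator.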


Sapling Address Format: zs-addresses

The Sapling upgrade introduced a new address format (zs-prefixed addresses encoded in bech32), replacing Sprout’s zc-prefixed addresses. Behind each address sits a hierarchy of keys with progressively narrower capabilities:

  • Spending key (sk): Authorizes spending
  • Proof authorizing key (pak): Used in SNARK circuit construction
  • Full viewing key: Can see all incoming and outgoing transactions for an address without spending authority
  • Incoming viewing key: Detects incoming payments only

This key hierarchy allows selective disclosure — users can share full viewing keys with auditors without granting spending authority.


Reality Check

The Sapling upgrade was a major success — the proving time reduction from ~40 seconds to ~1 second was the most important practical improvement in Zcash’s history. It enabled mobile wallets and greatly improved UX for shielded transactions. Shielded adoption increased post-Sapling.

The MPC ceremony, despite involving ~100 participants, remains a trust assumption. Zcash’s subsequent NU5 upgrade (2022) with the Orchard shielded pool uses Halo2 — a polynomial commitment-based proving system that requires no trusted setup at all — addressing this fundamental concern.


Legacy

The Sapling MPC paper established best practices for large-scale trusted setup ceremonies. The Powers of Tau ceremony was subsequently adapted for other SNARK-based systems: Ethereum’s KZG ceremony (used in EIP-4844) borrowed the multi-party contribution structure, and the concept of “universal” (circuit-agnostic) structured reference strings has become a staple of SNARK deployments.



Research

  • Bowe, S., Gabizon, A., & Miers, I. (2017). Scalable Multi-Party Computation for zk-SNARK Parameters in the Random Beacon Model. IACR ePrint 2017/1050.

— Primary source. Sections 3–4 describe the Powers of Tau protocol; Section 5 the security analysis.

  • Groth, J. (2016). On the Size of Pairing-Based Non-Interactive Arguments. EUROCRYPT 2016.

— The Groth16 proving system used in Sapling; minimizes proof size for pairing-based NI arguments.

  • Bowe, S. (2017). BLS12-381: New zk-SNARK Elliptic Curve Construction. ECC blog.

— Describes BLS12-381 curve design choices and efficiency properties.