An evaluation key is a public parameter in a fully homomorphic encryption (FHE) scheme that enables a designated party, such as a cloud server, to perform specific mathematical operations on ciphertext (encrypted data). Crucially, these operations are performed without ever accessing the underlying plaintext, preserving data privacy. The key is generated alongside a secret key during the initial setup of the cryptographic system and is required to execute the Eval function, which is the homomorphic evaluation of a circuit or function.
LABS
Glossary
Evaluation Key
An evaluation key is a public cryptographic parameter in zk-SNARK systems that allows a prover to generate a zero-knowledge proof for a specific computation without revealing the underlying inputs.
Chainscore © 2026
definition
CRYPTOGRAPHY
What is an Evaluation Key?
An evaluation key is a cryptographic parameter that allows a third party to perform computations on encrypted data without decrypting it, a core component of fully homomorphic encryption (FHE) systems.
The evaluation key is distinct from the public key used for initial encryption. While the public key allows anyone to encrypt data, only a holder of the evaluation key can perform computations on that encrypted data. This separation of duties enhances security and control. In many FHE constructions, such as the BGV, BFV, or CKKS schemes, the evaluation key contains additional information, often called hints or encryptions of the secret key, that are necessary to manage the noise growth that inherently occurs during homomorphic operations, a process known as bootstrapping.
Practically, evaluation keys enable critical privacy-preserving applications. For instance, in secure cloud computing, a client can send encrypted data and an evaluation key to a server. The server can then run a machine learning model or a database query on the encrypted data and return an encrypted result, which only the client can decrypt with their secret key. This architecture ensures the server never sees the raw data, mitigating privacy risks in outsourced computation.
The size and management of evaluation keys present significant engineering challenges. In advanced FHE schemes, evaluation keys can be large—sometimes gigabytes in size—and their generation can be computationally intensive. Ongoing research focuses on optimizing key sizes and improving the efficiency of key-switching and modulus switching operations that rely on these keys. These optimizations are vital for making FHE practical for real-world, large-scale deployments.
how-it-works
CRYPTOGRAPHIC PRIMITIVE
How an Evaluation Key Works
An evaluation key is a public parameter in advanced cryptographic systems like zk-SNARKs and fully homomorphic encryption (FHE) that allows a third party to perform computations on encrypted or committed data without learning the underlying secrets.
In zero-knowledge proof systems, particularly zk-SNARKs, an evaluation key (often called a proving key) is a public parameter generated during a trusted setup ceremony. It contains encoded information about the specific circuit or program being verified. A prover uses this key to generate a proof that they have executed the circuit correctly on some private witness data, without revealing that data. The complementary verification key is used by the verifier to check the proof's validity. This separation of keys is fundamental to the succinctness and efficiency of SNARKs.
Within fully homomorphic encryption (FHE), an evaluation key serves a different but analogous purpose. It is a public key derived from the secret key that enables anyone to perform arbitrary computations (addition and multiplication) on ciphertexts. When an evaluator applies a function to encrypted data using the evaluation key, the resulting ciphertext remains encrypted and can be decrypted with the original secret key to reveal the output of the function as if it were run on the plaintext. This enables privacy-preserving cloud computing.
The security of an evaluation key is paramount. In zk-SNARKs, if the toxic waste from the trusted setup used to create the evaluation and verification keys is not destroyed, a malicious actor could generate fraudulent proofs. In FHE schemes like BGV or CKKS, the evaluation key's structure often introduces "noise" growth during computation, which must be managed through techniques like bootstrapping. Proper generation and handling of this key are therefore critical operational details for any system deploying these advanced cryptographic protocols.
key-features
CRYPTOGRAPHY
Key Features of an Evaluation Key
An Evaluation Key is a cryptographic component in zk-SNARKs and zk-STARKs that allows anyone to verify a zero-knowledge proof without revealing the secret proving key. It is a public parameter derived from a trusted setup.
01
Public Verifiability
The primary function of an evaluation key is to enable public verifiability. Anyone with the key can cryptographically check the validity of a submitted zero-knowledge proof. This allows blockchains like Zcash or Ethereum Layer 2s to verify transaction correctness without executing the full computation or accessing private data.
02
Derived from Trusted Setup
The evaluation key is generated during a trusted setup ceremony (e.g., the Powers of Tau). It is derived from, but does not reveal, the corresponding proving key and the system's secret toxic waste. This process creates the public parameters needed for the proving and verification systems to operate securely.
03
Enables Proof Aggregation
In systems like zk-Rollups, the evaluation key is crucial for proof aggregation. A single verifier (or smart contract) uses the same evaluation key to verify a batch of thousands of transactions condensed into one succinct proof, enabling massive scalability by reducing on-chain verification cost.
04
Cryptographic Anchor for Circuits
The key is cryptographically tied to a specific arithmetic circuit or program (e.g., a specific smart contract function). It contains the precomputed commitments to the circuit's wiring, allowing the verifier to efficiently check that the proof corresponds to the correct computation.
05
Contrast with Proving Key
- Evaluation Key (VK): Public. Used by the verifier. Small, constant size.
- Proving Key (PK): Private/Secret. Used by the prover. Often large. The security of the system depends on the inability to derive the proving key from the public evaluation key.
06
Implementation Example: Groth16
In the Groth16 zk-SNARK scheme, the evaluation key consists of specific elliptic curve points: [α]₁, [β]₁, [β]₂, [γ]₂, [δ]₂, [K]₁. The verifier uses these in a pairing equation e(A, B) = e(α, β) * e(C, δ) to check the proof's validity with minimal computation.
ZK-SNARK CRYPTOGRAPHIC KEYS
Evaluation Key vs. Verification Key
A comparison of the two primary keys used in the trusted setup and proof verification process of a zk-SNARK system.
| Feature / Property | Evaluation Key (EK) | Verification Key (VK) |
|---|---|---|
Primary Function | Used by the prover to generate a zero-knowledge proof | Used by the verifier to check the validity of a proof |
Generated During | Trusted setup ceremony (Phase 2) | Trusted setup ceremony (Phase 2) |
Holder / User | Prover (e.g., a user generating a transaction) | Verifier (e.g., a smart contract or node) |
Key Size | Large (megabytes), contains circuit-specific parameters | Small (kilobytes), a compressed public digest |
Sensitivity / Secrecy | Contains toxic waste; must be securely deleted after setup | Public information; can be published on-chain |
Content | Encodes the arithmetic circuit constraints and encryption of evaluation points | Encodes the verification equation and public inputs |
On-Chain Presence | ||
Example Use Case | Generating a ZK proof for a private transaction | Verifying a submitted proof in a smart contract |
trusted-setup-role
CRITICAL COMPONENT
Role in the Trusted Setup
The Evaluation Key is a public parameter generated during a cryptographic trusted setup ceremony, enabling the verification of zero-knowledge proofs without revealing the underlying secret.
An Evaluation Key is the public output of a trusted setup ceremony, a critical preparatory phase for many zero-knowledge proof systems like zk-SNARKs. This ceremony involves multiple participants collaboratively generating a set of public parameters, which includes the Evaluation Key and a corresponding Verification Key. The process uses a secret value, often called the toxic waste or tau, which must be securely discarded. The security of the entire system hinges on the assumption that this secret is permanently erased and cannot be reconstructed by any party.
The primary function of the Evaluation Key is to allow a prover to generate a proof. In systems such as Groth16, the key contains precomputed elliptic curve points that encode the constraints of the specific program or circuit being verified. When creating a proof, the prover uses this key to perform cryptographic operations that bind their secret witness data to the public statement, resulting in a short, easily verifiable proof. Importantly, the Evaluation Key is specific to a single arithmetic circuit; a new setup is required for each different program.
While the Evaluation Key is public, its creation is a point of vulnerability. If the secret toxic waste used to generate it is not properly destroyed, a malicious actor could create fraudulent proofs. To mitigate this, modern implementations use multi-party computation (MPC) ceremonies, like Perpetual Powers of Tau, where multiple participants contribute randomness. This decentralizes trust, as the final parameters are secure as long as at least one participant was honest and destroyed their secret share. The resulting structured reference string (SRS), which includes the Evaluation Key, is then considered safe for public use.
In practice, developers and networks treat a finalized Evaluation Key as a common reference point. For example, a zk-rollup like zkSync or a privacy-focused blockchain like Zcash will publish a specific Evaluation Key for its core circuit. All provers (e.g., rollup operators) must use this exact key to generate valid proofs that the network's verifiers, using the paired Verification Key, will accept. This creates a standardized, trust-minimized framework for executing and verifying complex computations off-chain.
ecosystem-usage
ZK-SNARKs & ZK-STARKs
Ecosystem Usage & Protocols
An Evaluation Key is a public parameter in zero-knowledge proof systems, specifically zk-SNARKs, used to verify proofs without revealing the underlying data or the proving key.
01
Core Function in zk-SNARKs
In a zk-SNARK setup, a trusted party generates a proving key and a verification key. The Evaluation Key is synonymous with the verification key. It is made public and allows anyone to check the validity of a proof that a computation was performed correctly, using only the proof's output and public inputs.
02
Trusted Setup Requirement
The security of the Evaluation Key depends on a trusted setup ceremony. If the secret randomness (toxic waste) used to generate the key pair is compromised, an attacker could create false proofs. This makes the setup phase a critical, one-time vulnerability for many zk-SNARK implementations like Groth16.
03
Contrast with Proving Key
The Proving Key is kept secret by the prover to generate proofs, while the Evaluation Key is public for verification. This separation is fundamental:
- Prover: Uses secret key + private inputs to create a proof.
- Verifier: Uses public Evaluation Key + proof to verify correctness. This enables applications like private transactions.
04
Use in ZK-Rollups
ZK-Rollups like zkSync and StarkNet use evaluation/verification keys to scale Ethereum. They batch thousands of transactions off-chain, generate a single validity proof using a proving key, and post it on-chain. The Ethereum smart contract uses the public Evaluation Key to verify the proof in milliseconds, ensuring state correctness.
05
zk-SNARKs vs. zk-STARKs
zk-SNARKs require a trusted setup to generate the Evaluation Key, but produce small, fast-to-verify proofs. zk-STARKs (e.g., used by StarkWare) do not require a trusted setup and are post-quantum secure, but their verification keys are larger and verification is more computationally intensive.
06
Example: Tornado Cash
Tornado Cash, a privacy mixer, used zk-SNARKs. Users deposited funds and later withdrew them with a zero-knowledge proof. The on-chain verifier contract held the public Evaluation Key to check proofs, ensuring withdrawals were valid without linking depositors to withdrawers, until the protocol's sanctions.
security-considerations
EVALUATION KEY
Security Considerations
An evaluation key is a cryptographic parameter in zk-SNARK systems that allows anyone to verify a proof without revealing the underlying data. Its security is paramount to the trust model of the entire system.
01
Trusted Setup Dependency
The evaluation key is generated during a trusted setup ceremony. This process creates a Common Reference String (CRS) containing proving and verification keys. If the ceremony is compromised, a malicious actor could generate false proofs that appear valid. This creates a single point of cryptographic failure that must be mitigated through secure multi-party computation (MPC) ceremonies with many participants.
02
Key Compromise & Forgery
If the secret toxic waste from the setup is not properly destroyed, an attacker can reconstruct the evaluation key and its counterpart, the proving key. This allows them to:
- Create valid proofs for false statements.
- Undermine the soundness guarantee of the zk-SNARK.
- Potentially double-spend tokens or falsify state transitions in a blockchain. The system's security collapses to the security of the setup.
03
Verification Key Substitution
Applications must ensure the correct evaluation key is used for verification. If an attacker can trick a verifier into using a maliciously crafted key, they can accept invalid proofs. This is typically prevented by hardcoding the key's hash into a smart contract or client software, creating a trust-on-first-use or decentralized governance model for key updates.
04
Algorithmic Security & Upgrades
The security of the evaluation key is tied to the underlying cryptographic elliptic curve and pairing-friendly group. A future breakthrough in cryptanalysis (e.g., solving the Elliptic Curve Discrete Logarithm Problem) could break all proofs. Systems must have governance plans for key rotation and migration to new, secure parameters, which requires another trusted setup.
05
Contrast with Transparent Systems
Systems like zk-STARKs and Bulletproofs use transparent setups, eliminating the need for a trusted ceremony and evaluation key. This removes the key compromise risk but often trades off for larger proof sizes or higher verification costs. Choosing between zk-SNARKs (with key risk) and transparent systems is a fundamental security architecture decision.
06
Auditing & Ceremony Design
Mitigating evaluation key risks requires auditable setup ceremonies. Best practices include:
- Multi-party computation (MPC) with many geographically distributed participants.
- Publicly verifiable ceremony transcripts.
- Post-ceremony destruction of all intermediate data.
- Timelock puzzles to ensure toxic waste deletion. The credibility of the ceremony participants is critical.
EVALUATION KEY
Common Misconceptions
Clarifying frequent misunderstandings about the role, security, and function of evaluation keys in zero-knowledge proof systems like zk-SNARKs.
No, an evaluation key and a proving key are distinct cryptographic artifacts in a zk-SNARK setup. The evaluation key is a public parameter used by the prover to generate a proof for a specific computation, containing the necessary precomputed values (like encrypted evaluations of polynomials) to make proof generation efficient. The proving key is often considered a subset or a processed form of the evaluation key specifically packaged for the prover's use. Crucially, the verification key, derived from the same setup, is the separate public key used to check proofs.
EVALUATION KEY
Frequently Asked Questions (FAQ)
Common questions about the cryptographic component used in zero-knowledge proof systems, particularly zk-SNARKs.
An evaluation key (EK) is a public parameter in a zk-SNARK system that allows a prover to generate a proof for a specific computation. It is derived from the common reference string (CRS) during a trusted setup ceremony and encodes the constraints of the circuit being verified. The prover uses the EK to perform cryptographic operations that encode the witness (private inputs) and the correctness of the computation into a succinct proof, without revealing any secret information. This key is specific to the application or smart contract function it was created for.
ENQUIRY
Get In Touch
today.
Our experts will offer a free quote and a 30min call to discuss your project.
NDA Protected
Confidentiality24h Response
Time to ValueDirectly to Engineering Team
No Sales Fluff10+
Protocols Shipped
$20M+
TVL Overall