What is a Proving Key?

definition

ZERO-KNOWLEDGE CRYPTOGRAPHY

A proving key is a cryptographic parameter used in zero-knowledge proof systems, specifically zk-SNARKs, to generate a proof that a computation was performed correctly without revealing the underlying inputs.

A proving key is a public parameter generated during a trusted setup ceremony for a specific zk-SNARK circuit. It is used by a prover to cryptographically compile their secret witness data (the private inputs to a computation) into a succinct proof. This proof attests that the prover knows a valid solution to the circuit's constraints without disclosing the solution itself. The proving key is inherently tied to the logic of the application, such as verifying a valid transaction or proving identity, and is useless for any other purpose.

The security of the entire proof system depends on the toxic waste from the trusted setup being securely discarded. If this secret material is compromised, an attacker could forge false proofs using the public proving key. Consequently, the generation of the proving key and its counterpart, the verification key, is a critical and often decentralized process. For major networks like Zcash, these ceremonies involve multiple participants to ensure no single entity knows the complete secret.

In practice, a developer defines a computational problem as an arithmetic circuit and then uses a toolchain like circom or snarkjs to compile it. This compilation, paired with the toxic waste from the setup, produces the proving and verification keys. The proving key is typically larger and used for the computationally intensive proof generation, while the compact verification key is used by anyone to check proofs quickly. This asymmetry is a hallmark of zk-SNARK efficiency.

Proving keys enable core blockchain scaling and privacy solutions. In a zk-rollup, a sequencer uses a proving key to generate a validity proof for a batch of hundreds of transactions. This single proof, verified on-chain using the corresponding verification key, allows the main chain to trust the rollup's state transition without re-executing all transactions. Similarly, privacy-focused chains use proving keys to validate that transactions are legitimate (e.g., no double-spends) while keeping sender, receiver, and amount completely confidential.

It is crucial to distinguish a proving key from a signing key or a wallet's private key. A proving key is not a secret; it is a public parameter used to create proofs for a specific program. It does not control assets or authorize transactions on its own. The actual secret is the witness data (the prover's private inputs) fed into the proof generation algorithm. The system's security relies on the computational infeasibility of deriving the witness from the public proof and proving key.

key-features

PROVING KEY

Key Features

A proving key is a cryptographic parameter used to generate zero-knowledge proofs for a specific computational statement, enabling verification without revealing the underlying data.

01

Circuit-Specific Parameter

A proving key is uniquely generated for a specific arithmetic circuit or constraint system. It encodes the logic of the statement to be proven (e.g., 'I know a valid transaction signature'), making it impossible to use for proving a different statement. This ensures the proof's integrity and ties it to the exact computation.

02

Used in Proof Generation

During proof generation, the prover uses the proving key alongside:

The witness (private inputs and intermediate computations).
The public inputs (known statement parameters). The key is applied in a complex cryptographic process (like a multi-scalar multiplication) to produce a succinct zero-knowledge proof.

03

Paired with a Verification Key

The proving key is generated as part of a key pair during a trusted setup ceremony. Its counterpart is the verification key, which is made public. While the proving key is used to create proofs, the verification key is used by anyone to check their validity, ensuring a clear separation of roles.

04

Critical for Security

The secrecy of certain elements within the proving key is paramount. If compromised, a malicious actor could generate false proofs for the associated circuit. This is why the trusted setup ceremony, which generates these keys, is a critical security event requiring secure multi-party computation.

05

Implementation in zk-SNARKs

In zk-SNARK systems like Groth16, the proving key is a fixed set of elliptic curve points. Libraries such as snarkjs and bellman handle the process of loading this key and using it with witness data to generate a proof. The key's size is proportional to the complexity of the circuit.

06

Contrast with Universal Setup

Some proof systems like PLONK and Halo2 use a universal or updatable trusted setup. Here, a single structured reference string (SRS) is generated once and can be used to create proving and verification keys for many different circuits, reducing the need for repeated ceremony overhead.

how-it-works

ZK-SNARK MECHANICS

How a Proving Key Works

A proving key is a critical cryptographic parameter used by a prover to generate a zero-knowledge proof, such as a ZK-SNARK, which verifies the correctness of a computation without revealing its inputs.

A proving key is a fixed, public parameter generated during a one-time trusted setup ceremony for a specific zk-SNARK circuit. It encodes the constraints and structure of the computation being verified. To create a proof, the prover—the party executing the computation—uses this key alongside their secret witness data (the private inputs and intermediate computational states). The proving key acts as a template, allowing the prover to cryptographically compile their execution trace into a succinct proof that attests to the statement's truth.

The generation of the proving key is intrinsically linked to a corresponding verification key. Both are derived from the same common reference string (CRS) created during the setup phase. While the proving key is used to generate proofs, the verification key is used by any party to check them. This separation is fundamental: the prover needs the proving key's detailed structure to construct the proof, but the verifier only needs the lightweight verification key to validate it, enabling efficient and scalable verification.

In practice, the proving key is often large and circuit-specific, meaning a new key must be generated for each unique program or smart contract logic. For example, in a private transaction, the proving key for a "balance check and transfer" circuit allows the sender to generate a proof that they have sufficient funds and know the private key, without revealing their balance or address. The security of the entire system depends on the trusted setup being performed correctly, as anyone with knowledge of the setup's secret "toxic waste" could potentially create fraudulent proofs.

Optimizing proving key size and the speed of proof generation (prover time) are major focuses in zero-knowledge research. Techniques like recursive proof composition and more efficient cryptographic constructions (e.g., PLONK, STARKs) aim to reduce this overhead. In blockchain contexts like zk-Rollups, the proving key is a core component deployed on-chain or distributed to users, enabling them to generate proofs for batch transactions that will be verified by a smart contract holding the verification key.

trusted-setup-context

CRYPTOGRAPHIC ARTIFACT

Proving Key

A proving key is a public parameter generated during a trusted setup ceremony, used by a prover to create a zero-knowledge proof for a specific computational statement.

In zero-knowledge proof (ZKP) systems like zk-SNARKs, a proving key is a crucial piece of public data derived from the structured reference string (SRS) created in a trusted setup. It is algorithmically tailored to a specific circuit or program, encoding the constraints that any valid computation must satisfy. To generate a proof, the prover runs their secret witness data and the public inputs through this key using a proving algorithm. The output is a compact cryptographic proof that can be efficiently verified by anyone possessing the corresponding verification key.

The security of the entire system hinges on the trusted setup ceremony that produces the proving key. If the ceremony's toxic waste—the secret random parameters used—is compromised, a malicious actor could create false proofs that appear valid. Therefore, the proving key is considered a public but toxic parameter; it is safe to distribute and use, but its creation process must be executed with extreme care, often using multi-party computation (MPC) ceremonies to decentralize trust among multiple participants.

Practically, a proving key is a large file, often megabytes or gigabytes in size, that must be distributed to any party who needs to generate proofs, such as blockchain validators or application servers. Its counterpart, the verification key, is typically much smaller. This asymmetry is a key feature of SNARKs, enabling fast verification. In systems like Zcash's original Sprout protocol or various Layer 2 rollups, the proving key is a fixed part of the protocol's consensus rules, defining the only valid way to prove state transitions or transaction validity.

ecosystem-usage

PROVING KEY

Ecosystem Usage

A proving key is a cryptographic parameter used in zero-knowledge proof systems, specifically zk-SNARKs, to generate a proof that a computation was performed correctly without revealing the inputs.

01

Core Function in zk-SNARKs

In a zk-SNARK setup, the proving key is generated during a trusted setup ceremony. It is used by the prover to create a cryptographic proof that they possess secret witness data satisfying a public circuit. The key encodes the constraints of the computation, allowing for efficient proof generation.

Trusted Setup Dependency: The security of the entire system relies on the toxic waste from the setup being destroyed.
Circuit-Specific: Each unique program or smart contract function requires its own dedicated proving key.

02

Prover's Toolkit

To generate a proof, the prover uses the proving key alongside:

Private Witness Inputs: The secret data that satisfies the circuit's logic (e.g., a private balance).
Public Inputs: The known data that is verified alongside the proof (e.g., a public transaction amount).

The proving key acts as a specialized compiler, transforming the witness and public inputs into the elliptic curve points that constitute the final zk-proof.

03

Contrast with Verification Key

The proving key has a counterpart: the verification key.

Proving Key: Large, complex. Used once per proof generation by the prover. Must be kept secret during the trusted setup.
Verification Key: Small, public. Used repeatedly by anyone to check the validity of a proof. This asymmetry enables succinct verification on-chain.

This pair is the output of the same trusted setup procedure.

04

Use Case: Private Transactions

In privacy-focused blockchains like Zcash, a proving key is used to create proofs for shielded transactions.

The circuit enforces that input notes equal output notes without revealing amounts or addresses.
Users run client-side software with the proving key to generate a proof locally, which is then broadcast to the network.
This enables selective disclosure and regulatory compliance while maintaining default privacy.

05

Use Case: Scalable Rollups

In zk-Rollups (e.g., zkSync, StarkNet), the proving key is a core component of the sequencer or prover node.

It is used to generate a validity proof for a batch of hundreds of transactions.
This single proof is posted to Ethereum L1, compressing data and reducing costs.
The process provides cryptographic security and finality, unlike Optimistic Rollups which have a fraud proof delay.

06

Technical & Operational Challenges

Managing proving keys presents significant hurdles:

Size & Cost: Proving keys can be gigabytes large, requiring substantial storage and memory for proof generation.
Trusted Setup Ceremonies: Organizing secure multi-party computations (MPCs) for popular circuits is complex and critical.
Circuit Upgrades: Any change to the verified logic necessitates a new trusted setup and a new proving key, creating upgrade friction.

These challenges drive innovation in recursive proofs and STARKs, which don't require trusted setups.

security-considerations

PROVING KEY

Security Considerations

A proving key is a cryptographic parameter used in zero-knowledge proof systems to generate a proof. Its secure generation, distribution, and storage are critical to the integrity of the entire proving system.

01

Trusted Setup Ceremony

For many zk-SNARK systems, the proving key is generated via a trusted setup ceremony (e.g., Powers of Tau). This process creates a Common Reference String (CRS). If the ceremony's secret randomness (the 'toxic waste') is compromised, an attacker could create fraudulent proofs. Secure multi-party computation (MPC) ceremonies with many participants are used to mitigate this risk.

EXPLORE

02

Key Custody & Access Control

The entity holding the proving key has the power to generate valid proofs. Security considerations include:

Secure Storage: Proving keys must be stored in hardware security modules (HSMs) or secure enclaves to prevent exfiltration.
Access Logging: All proof generation events should be auditable.
Key Rotation: Procedures must exist to deprecate compromised keys, which may require a new trusted setup.

EXPLORE

03

Verification Key Dependency

The security of the system hinges on the verification key, which is derived from the same trusted setup as the proving key. Users and verifiers must ensure they are using the correct, uncompromised verification key that pairs with the legitimate proving key. Any mismatch or use of a maliciously generated verification key renders proofs meaningless.

04

Circuit-Specificity & Upgrades

A proving key is specific to a single zk-SNARK circuit. Changing the circuit logic (e.g., upgrading a protocol's rules) invalidates the existing key and requires a new trusted setup. This creates a security and operational trade-off between flexibility and the risks associated with repeated setup ceremonies.

05

Prover Centralization Risk

In systems where a single entity controls the proving key (a centralized prover), it creates a single point of failure. If that prover is offline, the system halts. If compromised, it can be forced to generate false proofs. Decentralized proving networks or proof-of-stake based proving mechanisms are emerging to mitigate this risk.

06

ZK-STARKs: A Trustless Alternative

ZK-STARKs do not require a trusted setup, eliminating the primary security risk associated with proving key generation. They use publicly verifiable randomness and cryptographic hashes. The trade-off is larger proof sizes and higher verification computational cost compared to zk-SNARKs.

EXPLORE

ZK-SNARK CRYPTOGRAPHIC KEYS

Proving Key vs. Verification Key

A functional comparison of the two primary cryptographic components in a zk-SNARK proving system.

Feature	Proving Key (PK)	Verification Key (VK)
Primary Function	Generates a zero-knowledge proof	Verifies the validity of a generated proof
Holder / User	Prover (e.g., transaction sender, rollup sequencer)	Verifier (e.g., blockchain node, smart contract)
Key Size	Large (e.g., gigabytes for complex circuits)	Small (e.g., kilobytes, fixed size)
Generation	Created once during a trusted setup ceremony for a specific circuit	Derived from the Proving Key during the same trusted setup
Security Sensitivity	Highly sensitive; knowledge compromises the system's zero-knowledge property	Public; designed to be shared widely without security risk
Computational Role	Used in proof generation, which is computationally intensive	Used in proof verification, which is computationally lightweight
Storage Location	Stored privately by the prover; often requires significant resources	Embedded in a verifier contract or client software; stored on-chain
Relation to Circuit	Encodes the constraints and structure of the specific arithmetic circuit	Contains the circuit's public parameters and verification logic

PROVING KEY

Frequently Asked Questions

A proving key is a critical cryptographic component in zero-knowledge proof systems. These questions address its function, generation, and security implications.

A proving key is a public parameter in a zk-SNARK or similar proof system that is used by a prover to generate a cryptographic proof of computational correctness. It is generated during a one-time trusted setup ceremony for a specific constraint system or circuit. The prover uses this key, along with their secret witness data, to create a succinct proof that a computation was performed correctly, without revealing the underlying inputs. The corresponding verification key is used by any party to check the proof's validity. This separation of keys is fundamental to the efficiency and security of non-interactive zero-knowledge proofs.

Proving Key