Introduction
Zkrollup proving key generation is a foundational cryptographic process that enables zero-knowledge rollups to produce compact proofs of transaction validity, but its implementation involves distinct benefits, security risks, and emerging alternatives that developers must weigh carefully.
Zero-knowledge rollups (zkrollups) rely on two primary cryptographic constructs: the proving key, used by the prover to generate proofs off-chain, and the verification key, used on-chain to check those proofs. The proving key generation ceremony—often called a trusted setup—is a one-time event that produces these parameters. Understanding this process is critical for any team building or deploying zkrollup solutions, as errors or compromises in key generation can undermine the entire scaling system.
This article explains how proving key generation works, examines the benefits and risks inherent in the current approach, and reviews alternatives that aim to reduce trust assumptions. The analysis draws on industry practices from major zkrollup projects, including the platforms that expose zkrollup-based trading infrastructure.
How Proving Key Generation Works
The proving key is a set of elliptic curve points or polynomial commitments that define the constraints of a specific circuit. In most zkrollup designs, the circuit encodes the rules of a virtual machine or state transition function. Generating the proving key requires evaluating a structured reference string (SRS) that contains random elements no single participant can know completely.
This is achieved through a multi-party computation (MPC) ceremony, where multiple participants contribute randomness to the SRS. Each participant computes a transformation on the current SRS using secret local randomness, then destroys that randomness before passing the result to the next participant. As long as at least one participant behaves honestly and discards their secret, the final SRS is secure—no adversary can reconstruct the randomness needed to forge proofs.
The ceremony produces both a proving key and a verification key. The proving key is often gigabytes in size for complex circuits, while the verification key is small (typically a few kilobytes). After generation, the proving key is distributed to sequencers or provers, who use it to construct validity proofs. The verification key is deployed to the Ethereum smart contract that will validate those proofs.
Notable examples include the Ceremony for Semacaulk, an updated version of the Semaphore protocol, and the Perpetual Powers of Tau ceremony, which provides a universal SRS that many zkrollup projects share. This universality reduces the need for repeated ceremonies, but each project must still generate its own circuit-specific proving key from that shared SRS.
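The contribute-then-verify loop described above, as an added example that is not taken from the article or from any of the ceremonies it names. It replaces the elliptic-curve group with a transparent toy (each group element is written as its own exponent and the pairing is a field multiplication), so it demonstrates the protocol's structure rather than its security; the prime, the participant names and all function names are my own choices.

```python
"""Toy sequential powers-of-tau ceremony with an auditable transcript.

Real ceremonies (Perpetual Powers of Tau, for example) run over a pairing-
friendly elliptic curve, where an SRS entry [tau^i]_1 hides tau and the checks
below use the bilinear pairing e(., .). To stay runnable without a curve
library, this toy writes every group element as its exponent in Z_q and
computes e(a, b) = a*b mod q directly, so secrets are not hidden at all. It
shows only the protocol structure: what a participant computes, what the
transcript records, and what an auditor checks. Constructed for this article.
"""
import secrets
from functools import reduce
from operator import mul

Q = 2**61 - 1  # a prime, standing in for the group order


def pairing(a, b):
    """Toy bilinear map e([a]_1, [b]_2) = a*b mod Q (a real pairing hides a and b)."""
    return a * b % Q


def initial_srs(degree):
    """The ceremony starts from tau = 1: the list [g, g, ..., g] of degree+1 entries."""
    return [1] * (degree + 1)


def contribute(srs, s):
    """One participant's step: raise entry i to the power s^i (here: multiply exponents).

    Returns the updated SRS and the participant's public value [s]_2. In this
    toy [s]_2 equals s itself, which is exactly what a real curve prevents.
    """
    new_srs = [x * pow(s, i, Q) % Q for i, x in enumerate(srs)]
    return new_srs, s


def verify_contribution(old_srs, new_srs, public_s):
    """The two pairing checks run on every transcript entry."""
    if len(old_srs) != len(new_srs) or new_srs[0] != 1:
        return False
    # (1) Linkage: new tau == old tau * s, i.e. e([tau']_1, g2) == e([tau]_1, [s]_2).
    if pairing(new_srs[1], 1) != pairing(old_srs[1], public_s):
        return False
    # (2) Structure: entries are consecutive powers of the same tau',
    #     e([tau'^i]_1, g2) == e([tau'^(i-1)]_1, [tau']_2) for all i >= 1.
    tau_2 = new_srs[1]  # the G2 copy of tau' that a real ceremony publishes alongside
    return all(pairing(new_srs[i], 1) == pairing(new_srs[i - 1], tau_2)
               for i in range(1, len(new_srs)))


def run_ceremony(degree, participants):
    """Sequential MPC. The transcript records (name, new SRS, [s]_2) per participant."""
    srs, transcript = initial_srs(degree), []
    for name in participants:
        s = secrets.randbelow(Q - 2) + 2  # local randomness in [2, Q-1], never shared
        new_srs, public_s = contribute(srs, s)
        if not verify_contribution(srs, new_srs, public_s):
            raise RuntimeError(f"contribution by {name} failed verification")
        transcript.append((name, new_srs, public_s))
        srs = new_srs
        del s  # the "toxic waste" is discarded before the next participant starts
    return srs, transcript


def verify_transcript(degree, transcript):
    """Public audit: replay every contribution from the known starting SRS."""
    prev = initial_srs(degree)
    for _name, srs, public_s in transcript:
        if not verify_contribution(prev, srs, public_s):
            return False
        prev = srs
    return True


def product_of_contributions(transcript):
    """tau = s_1 * s_2 * ... * s_n. Computable here only because the toy leaks each
    s_i; the point is that one missing factor leaves the whole product unknown."""
    return reduce(mul, (public_s for _n, _srs, public_s in transcript), 1) % Q


if __name__ == "__main__":
    srs, transcript = run_ceremony(4, ["alice", "bob", "carol"])
    print("transcript verifies:", verify_transcript(4, transcript))
    print("final tau is the product of all contributions:",
          srs[1] == product_of_contributions(transcript))
```

`verify_transcript` is the auditability property in code: anyone holding the published transcript can replay it from the fixed starting SRS, and changing any intermediate SRS or any published `[s]_2` makes the replay fail. In a real ceremony each participant additionally publishes a proof of knowledge of `s`, which the toy omits because `s` is already visible.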
Benefits of Proper Proving Key Generation
When correctly executed, proving key generation offers several technical advantages that directly impact zkrollup performance and security.
- Proof size and verification efficiency: A well-structured proving key enables proofs that are small (typically less than 1 KB) and verifiable in constant time on Ethereum. This is what makes zkrollups gas-efficient compared to zk-validiums or optimistic rollups.
- Toxicity destruction: In an MPC ceremony, the randomness contributed by each participant (called "toxic waste") must be destroyed after the ceremony. If done properly, no single entity can forge proofs, preserving the system's integrity. This property is mathematically guaranteed if at least one participant discards their secret.
- Scalability across circuits: Projects that use a universal SRS can generate multiple proving keys for different circuits without repeating the full MPC ceremony. This lowers the operational overhead for iterating on protocol logic.
- Auditability: The transcript of an MPC ceremony—the sequence of contributions—can be published for public verification. Anyone can confirm that all participants followed the correct protocol and that no contributions were skipped or altered.
These benefits make proving key generation a viable approach for current zkrollup deployments. However, the process also introduces risks that have led the industry to explore alternatives. For teams evaluating these trade-offs, understanding the full landscape of zkrollup proof generation is essential before committing to a specific architecture.
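To make the split between the two keys and the constant-cost verification concrete, here is an added example (not from the article or from any named project) of a KZG-style polynomial commitment, the primitive that turns an SRS into a proving key and a verification key. It uses a transparent toy group (exponents in Z_q, pairing as multiplication), creates tau directly, which is precisely what a ceremony exists to avoid, and uses function names of my own. The prover needs all degree+1 SRS entries; the verifier needs three elements and performs two pairings whatever the polynomial's degree.

```python
"""Toy KZG-style polynomial commitment: what the proving and verification keys do.

Added example. Group elements are written as their exponents in Z_q and the
pairing is e(a, b) = a*b mod q, so the toy is transparent and insecure. The
secret tau is generated right here, which is what a ceremony exists to avoid;
in a deployment nobody knows it and only its powers exist.
"""
import secrets

Q = 2**61 - 1  # prime standing in for the group order


def pairing(a, b):
    """Toy bilinear map e([a]_1, [b]_2) = a*b mod Q."""
    return a * b % Q


def make_keys(tau, degree):
    """Proving key: the degree+1 powers [tau^i]_1 (large, held by provers).
    Verification key: g1, g2 and [tau]_2 only (small, held by the contract)."""
    pk = [pow(tau, i, Q) for i in range(degree + 1)]
    vk = (1, 1, tau % Q)
    return pk, vk


def evaluate(coeffs, z):
    """p(z) by Horner's rule; coeffs are ascending, p(x) = c0 + c1 x + ..."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * z + c) % Q
    return acc


def quotient(coeffs, z):
    """q(x) with p(x) - p(z) = (x - z) q(x), by synthetic division."""
    b = [0] * len(coeffs)
    b[-1] = coeffs[-1] % Q
    for i in range(len(coeffs) - 2, -1, -1):
        b[i] = (coeffs[i] + z * b[i + 1]) % Q
    return b[1:]  # b[0] would be p(z)


def commit(pk, coeffs):
    """C = sum c_i [tau^i]_1: one multi-scalar multiplication over the proving key."""
    if len(coeffs) > len(pk):
        raise ValueError("polynomial degree exceeds the proving key")
    return sum(c * p for c, p in zip(coeffs, pk)) % Q


def open_at(pk, coeffs, z):
    """Claim y = p(z) with proof pi = [q(tau)]_1: one group element, any degree."""
    return evaluate(coeffs, z), commit(pk, quotient(coeffs, z))


def verify_opening(vk, commitment, z, y, proof):
    """Check e(C - y g1, g2) == e(pi, [tau]_2 - z g2): two pairings, degree-independent."""
    g1, g2, tau_2 = vk
    lhs = pairing((commitment - y * g1) % Q, g2)
    rhs = pairing(proof, (tau_2 - z * g2) % Q)
    return lhs == rhs


if __name__ == "__main__":
    tau = secrets.randbelow(Q - 2) + 2       # toxic waste; exists only in this toy
    pk, vk = make_keys(tau, degree=1024)
    del tau
    coeffs = [3, 0, 1, 7]                    # 3 + x^2 + 7 x^3
    c = commit(pk, coeffs)
    y, pi = open_at(pk, coeffs, 2)
    print(f"pk entries: {len(pk)}, vk entries: {len(vk)}, proof elements: 1")
    print("opening verifies:", verify_opening(vk, c, 2, y, pi))
```

The asymmetry in `make_keys` is the one the article describes: `pk` grows with the circuit (here the polynomial degree) and is what provers must store and distribute, while `vk` is three elements and is all the on-chain verifier ever needs.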
Risks and Limitations
Proving key generation is not without significant drawbacks. Critics argue that the ceremony introduces unnecessary complexity and trust assumptions that contradict the decentralized ethos of blockchain systems.
Trusted setup assumptions. Although the MPC ceremony ensures that no single party can compromise the SRS on its own, the entire framework rests on the assumption that at least one participant was honest. If all participants colluded, they could retain their randomness and later forge false proofs. While this scenario is unlikely in a well-organized ceremony with dozens of participants from different jurisdictions, it remains a theoretical risk—and one that regulators or auditors may flag as a centralization vector.
Ceremony coordination overhead. Organizing an MPC ceremony for a new circuit can take weeks. Participants must be vetted, their hardware specifications verified, and their contributions sequenced correctly. Failed contributions due to software crashes or network interruptions may require a restart of the entire ceremony, delaying deployment.
Key storage and distribution. The proving key can be hundreds of megabytes to several gigabytes. Distributing it across a decentralized network of provers is non-trivial. If the key is lost or corrupted, proofs cannot be generated until a new ceremony is run. This creates a single point of failure in practice, especially for smaller teams without robust key management infrastructure.
Circuit upgrade friction. Any change to the circuit logic—even a minor optimization—requires a completely new proving key and a new ceremony. This makes rapid iteration expensive and time-consuming. Projects may delay upgrades to avoid repeating the setup process, which introduces technical debt and latent security bugs.
These risks have prompted the development of alternative approaches that reduce or eliminate dependence on trusted setups.
Alternatives to Traditional Proving Key Generation
Several cryptographic techniques aim to remove the requirement for a trusted proving key generation ceremony. Each alternative addresses different aspects of the risk profile outlined above.
1. Transparent setups (STARKs). Zero-knowledge scalable transparent arguments of knowledge (ZK-STARKs) do not require a trusted setup. Instead, they rely on collision-resistant hash functions and random oracles to generate the necessary cryptographic parameters. This eliminates all ceremony overhead and the need for toxic waste destruction. However, STARK proofs are significantly larger than SNARK proofs (hundreds of kilobytes versus less than one kilobyte), which increases on-chain verification gas costs. Projects such as StarkNet and zkSync Era have adopted STARK variants, though they still use a small SNARK inside to reduce final proof size.
2. Universal setups with on-chain upgrades. Some projects use a universal SRS (like the Powers of Tau) that is circuit-agnostic. When a circuit changes, only the circuit-specific part of the proving key is regenerated, without redoing the entire MPC. This reduces ceremony frequency but still requires an initial trusted setup for the SRS. This is the approach taken by the Aztec network and Loopring's zkrollup.
3. Incrementally verifiable computation (IVC). IVC schemes, such as those based on Halo or SuperNova, avoid a trusted setup entirely by using recursive proof composition. In these systems, each proof verifies the previous one, and the entire chain can be validated with a single verification key derived from the protocol itself—no ceremony needed. IVC is still in early research stages but has been implemented by platforms like Mina Protocol for its blockchain. IVC may become viable for zkrollups as prover efficiency improves.
4. Hybrid approaches. Several teams combine a trusted setup for the main circuit with transparent STARK proofs for auxiliary computations. For example, a zkrollup might use a SNARK (requiring a ceremony) to compress thousands of transactions into a single proof, but then use a STARK to verify that the SNARK was constructed correctly. This creates a layered architecture that mitigates trust assumptions while maintaining reasonable proof sizes.
Each alternative has its own trade-offs in terms of proof size, verification cost, prover time, and developer complexity. The choice depends on the specific application: DeFi applications that require sub-second finality may accept a trusted setup for small proofs, while permissionless networks may prioritize trustlessness over proof efficiency.
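As an added example (not from the article or from any project it names) of what "transparent" means in practice, here is a hash-based commitment to a polynomial's evaluations of the kind STARK-family provers use internally. The only parameter is SHA-256; there is no SRS and nothing to destroy. The cost shows up in the opening proof: log2(n) hashes per opened evaluation instead of a single group element. The field, the domain (the integers 0..n-1 rather than the multiplicative subgroup a real prover would use) and the function names are my own choices, and this is not a complete STARK.

```python
"""Transparent, setup-free polynomial commitment built from a hash function.

Added example. STARK-family provers commit to a polynomial by evaluating it
over a domain and Merkle-hashing the evaluations; the only parameter is the
hash function, so there is no SRS, no ceremony and no toxic waste. The cost
is proof size: opening one evaluation needs log2(n) sibling hashes rather than
one group element. Toy field, tiny domain, SHA-256; not a complete STARK.
"""
import hashlib

P = 2**61 - 1  # prime field the polynomial lives in


def h(*parts):
    """SHA-256 over the concatenation; domain tags keep leaves and nodes apart."""
    return hashlib.sha256(b"".join(parts)).digest()


def evaluate(coeffs, x):
    """p(x) by Horner's rule; coeffs ascending, p(x) = c0 + c1 x + ..."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def leaf(i, value):
    """Leaf hash binds the position i to the evaluation at that position."""
    return h(b"leaf", i.to_bytes(8, "big"), value.to_bytes(8, "big"))


def merkle_levels(values):
    """All tree levels, leaves first, root last. len(values) must be a power of two."""
    if not values or len(values) & (len(values) - 1):
        raise ValueError("domain size must be a power of two")
    level = [leaf(i, v) for i, v in enumerate(values)]
    levels = [level]
    while len(level) > 1:
        level = [h(b"node", level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def commit(coeffs, n):
    """Commit to p over the domain {0, ..., n-1}. Returns (root, levels).
    The 32-byte root is the whole 'verification key'; the prover keeps the levels."""
    levels = merkle_levels([evaluate(coeffs, x) for x in range(n)])
    return levels[-1][0], levels


def open_at(levels, i):
    """Authentication path for leaf i: the log2(n) sibling hashes along its route."""
    path = []
    for level in levels[:-1]:
        path.append(level[i ^ 1])
        i >>= 1
    return path


def verify_opening(root, i, value, path):
    """Recompute the root from (i, value) and the path; no secret parameters involved."""
    node = leaf(i, value)
    for sibling in path:
        node = h(b"node", node, sibling) if i % 2 == 0 else h(b"node", sibling, node)
        i >>= 1
    return node == root


if __name__ == "__main__":
    coeffs = [5, 1, 2]                      # 5 + x + 2 x^2
    root, levels = commit(coeffs, 8)
    path = open_at(levels, 3)
    print("root:", root.hex())
    print(f"proof size: {len(path)} hashes = {32 * len(path)} bytes")
    print("opening verifies:", verify_opening(root, 3, evaluate(coeffs, 3), path))
```

Two contrasts with the pairing-based design are visible here: `commit` is deterministic, so two independent parties produce the same root with no shared randomness to coordinate or discard, and the proof returned by `open_at` grows with the domain size, which is the proof-size penalty the STARK discussion above refers to.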
Conclusion
Proving key generation remains a critical component of zkrollup scaling, offering substantial efficiency gains at the cost of introducing a ceremony that requires careful execution and trust assumptions. The benefits of small proofs and fast verification are real, but the risks of ceremony coordination, key distribution, and upgrade friction cannot be ignored.
The industry is actively evolving toward transparent and recursive alternatives that eliminate the need for a trusted setup. For projects launching today, adopting a universal SRS with a well-audited MPC ceremony is a pragmatic compromise. For those building for the longer term, monitoring progress in IVC and transparent STARK-based prover systems is essential, as these may offer the same scalability without the ceremony overhead. Ultimately, the choice of proving key generation method should be driven by the project's specific security model, upgrade cycle, and decentralization requirements.