Groth16 is the most efficient large-scale zkSNARK construction in production use, introduced by Jens Groth at Eurocrypt 2016. Its defining properties: a proof size of exactly 3 elliptic curve group elements (~192 bytes on the BLS12-381 curve), verification requiring only 3 pairing operations (~1ms), and prover time linear in the constraint count. These efficiency wins come at the cost of a circuit-specific trusted setup: each circuit (computation) requires its own multi-party computation ceremony to generate proving and verification keys, and if all ceremony participants collude and retain their randomness (“toxic waste”), they can create fraudulent proofs.
Groth16 was adopted by Zcash in its 2018 Sapling upgrade, by Loopring for order matching circuits, and by countless ZK-identity systems. It remains the gold standard for fixed-circuit applications where the trusted setup cost is amortized across millions of proofs. For applications requiring circuit flexibility without per-circuit ceremonies, PLONK is the preferred alternative.
Why Groth16 is Optimal
Groth16 achieves near-theoretical minimum proof size through linear-size proving keys derived from the circuit structure:
- Proving key: Encodes all circuit constraints as elliptic curve points — large (circuit size-dependent), but only the prover needs it
- Verification key: Just 4 group elements (~100 bytes) — compact enough to store on-chain
- Proof: 3 group elements (A, B, C) — 2 G₁ points + 1 G₂ point = ~192 bytes
The verification equation: e(A, B) = e(α, β) · e(Σ aᵢγᵢ, γ) · e(C, δ) — checks validity with 3 pairings.
The Trusted Setup Process
Groth16 requires two phases of trusted setup:
Phase 1: Powers of Tau
- Universal — generated once for all circuits of a maximum size
- Multi-party: many participants contribute; the output is secure as long as at least one of them is honest
- Output: universal SRS (Structured Reference String)
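The "one honest participant" property of Phase 1, as an added example that is not code from any ceremony implementation: each participant multiplies a fresh secret into tau, so the final tau is the product of all contributions and is recoverable only if every participant kept theirs. Assumptions: a small multiplicative group mod a safe prime stands in for the pairing-friendly curve, all names and sample secrets are constructed, and the per-contribution validity checks that real ceremonies perform are omitted.

```python
# Toy Powers of Tau ceremony (illustrative: a small group mod P replaces the
# pairing-friendly curve; every name and parameter here is constructed).
from math import prod

P = 2039    # safe prime, P = 2*Q + 1 (toy size, far too small for real use)
Q = 1019    # prime order of the subgroup generated by G
G = 4       # generator of the order-Q subgroup
DEGREE = 4  # SRS holds G^(tau^0) .. G^(tau^DEGREE)

def initial_srs():
    """Starting SRS corresponds to tau = 1, so every element is G."""
    return [G] * (DEGREE + 1)

def contribute(srs, secret):
    """One participant re-randomizes tau -> tau * secret.

    Element i holds G^(tau^i); raising it to secret^i gives
    G^((tau*secret)^i). The participant must then erase `secret`.
    """
    return [pow(elem, pow(secret, i, Q), P) for i, elem in enumerate(srs)]

def srs_from_tau(tau):
    """SRS computed directly by someone who knows tau (the toxic waste)."""
    return [pow(G, pow(tau, i, Q), P) for i in range(DEGREE + 1)]

def run_ceremony(secrets):
    """Apply every participant's contribution in sequence."""
    srs = initial_srs()
    for s in secrets:
        srs = contribute(srs, s)
    return srs

def pooled_secrets_recover_tau(srs, pooled):
    """True if the pooled secrets multiply to the tau behind this SRS."""
    return srs_from_tau(prod(pooled) % Q) == srs

SECRETS = [123, 456, 789]           # constructed sample contributions
FINAL_SRS = run_ceremony(SECRETS)

if __name__ == "__main__":
    # All three retained and pooled their randomness: tau is reconstructed.
    print(pooled_secrets_recover_tau(FINAL_SRS, SECRETS))
    # The last participant erased their secret: the pooled product no longer matches.
    print(pooled_secrets_recover_tau(FINAL_SRS, SECRETS[:2]))
```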
Phase 2: Circuit-Specific Setup
- Transforms Phase 1 SRS for the specific circuit’s R1CS constraints
- Generates circuit-specific proving key (large) and verification key (small)
- Requires its own MPC ceremony
- Different circuit = different Phase 2
Groth16 vs. PLONK Comparison
| Feature | Groth16 | PLONK |
|---|---|---|
| Proof size | ~192 bytes | ~500 bytes |
| Verify time | ~1ms | ~2ms |
| Setup type | Circuit-specific | Universal |
| Setup cost | Per-circuit | Once |
| Proving time | Fastest | Moderately fast |
| Flexibility | Fixed circuits only | Any circuit, same SRS |
Production Deployments
- Zcash Sapling/Orchard: Shielded transaction proofs
- Loopring: Order matching and settlement circuit
- Hermez 1.0: zkRollup batch state transitions
- Semaphore (v1): Group membership proofs
- Tornado Cash: Withdrawal validity (commitment/nullifier scheme)
Sources
- Jens Groth — On the Size of Pairing-Based Non-interactive Arguments (Eurocrypt 2016, IACR ePrint 2016/260) — the original Groth16 paper; primary source for all technical claims about proof size, verification efficiency, and trusted setup.
- Zcash — Sapling Upgrade Documentation — production deployment of Groth16 in Zcash’s privacy-preserving transaction system.
- Ethereum.org — ZK-SNARKs — contextual reference for how Groth16 fits into the broader ZK ecosystem.
- “On the Size of Pairing-Based Non-Interactive Arguments” — Jens Groth, Eurocrypt 2016. The original Groth16 paper — introducing the construction, proving optimality, and establishing the security model under which 192-byte proofs are sound.
- “Zcash Sapling: Upgraded Privacy with Groth16” — Electric Coin Company (2018). Documentation of Zcash’s migration from BCTV14 to Groth16 proofs in the Sapling network upgrade — reducing proving time from 40 seconds to ~2 seconds and enabling privacy on mobile devices.
- “Field-Programmable Gate Arrays for Groth16 Proving: 100× Speedup” — Ingonyama / Cysic (2023). Hardware acceleration analysis for Groth16 proving — documenting that FPGAs and custom ASICs achieve 10-100× speedup vs. CPU proving, changing the economics of ZK proof generation.
- “Groth16 Constraints and the Arithmetic Circuit Model” — ZKProof.org (2021). Tutorial explaining arithmetic circuits, R1CS constraint systems, and how computation is expressed in the Groth16 circuit model — accessible to developers without cryptographic backgrounds.
- “Comparing Trusted Setup Security: Groth16 vs. PLONK Ceremonies” — Aztec Network / ZKProof Community (2022). Comparative security analysis of Groth16’s circuit-specific setup vs. PLONK’s universal setup — examining the threat models, ceremony sizes needed, and practical security guarantees.