Groth16 is a specific, non-interactive zero-knowledge proof (ZK-SNARK) construction, named after its creator Jens Groth and published in 2016. It allows a prover to demonstrate to a verifier that they have correctly executed a computation (represented as an arithmetic circuit) without revealing any of the private inputs used in that computation. The protocol's defining feature is its succinctness; the proof is extremely small (only three elliptic curve points) and can be verified in constant time, making it ideal for blockchain applications where on-chain verification cost is critical.
LABS
Glossary
Groth16
Groth16 is a highly efficient and widely adopted zk-SNARK (Zero-Knowledge Succinct Non-Interactive Argument of Knowledge) proof system, known for its minimal proof size and fast verification.
Chainscore © 2026
definition
ZK-SNARK PROTOCOL
What is Groth16?
Groth16 is a highly efficient zero-knowledge proof system used to verify computational integrity with minimal on-chain data.
The protocol operates by first requiring a trusted setup ceremony to generate a common reference string (CRS). This one-time, circuit-specific setup produces public proving and verification keys, but introduces a requirement for trusted parties to securely discard the ceremony's toxic waste (the secret randomness). Once established, the prover uses the proving key to generate a proof from their private witness data, and the verifier checks this proof against the public verification key and the statement's public inputs. Groth16 proofs are renowned for their verification efficiency, often requiring only three pairing operations on elliptic curves.
Groth16's primary application is in zk-rollups and private transactions on blockchains like Zcash, which implemented it in its Sapling upgrade. Its minimal proof size and fast verification enable scalable Layer 2 solutions by batching thousands of transactions into a single, easily verifiable proof. However, its major limitation is its circuit-specific trusted setup; each new program or smart contract logic requires a separate, potentially risky ceremony, unlike more modern universal proof systems (e.g., PLONK, STARKs).
Compared to other ZK-SNARKs, Groth16 offers the smallest proof size and fastest verification, but trades off flexibility. Its security relies on cryptographic assumptions like the Knowledge-of-Exponent Assumption and pairing-friendly elliptic curves. For developers, implementing Groth16 typically involves writing constraints in a domain-specific language like Circom or Zokrates, which compile the logic into the arithmetic circuit required for proof generation and setup.
etymology
ZK-SNARK PROTOCOL
Etymology and Origin
The name Groth16 originates from its creator, cryptographer Jens Groth, and the year of its seminal publication, 2016. It represents a specific, highly optimized instantiation of a zk-SNARK proof system.
Groth16 is a succinct non-interactive zero-knowledge proof system introduced in the 2016 paper "On the Size of Pairing-based Non-interactive Arguments" by Jens Groth. The name follows a common academic convention, combining the author's surname with the publication year to create a unique identifier for the protocol. This naming distinguishes it from other proof systems like Plonk or Bulletproofs. Its primary innovation was achieving a fixed-size proof consisting of only three elliptic curve group elements, regardless of the complexity of the statement being proven, which was a significant efficiency breakthrough.
The protocol's design is built upon a quadratic arithmetic program (QAP) representation of computational statements and relies heavily on cryptographic pairings (specifically bilinear maps) for verification. The '16' in its name is crucial, as Groth published an earlier, less efficient zk-SNARK construction in 2010; the 2016 version is the optimized form that became widely adopted. Its development was part of a broader wave of research making zk-SNARKs practically usable, following the foundational work of Gennaro, Gentry, Parno, and Raykova (GGPR).
Groth16's origin in academic cryptography directly influenced its early adoption in blockchain. It was the first zk-SNARK implementation integrated into a major cryptocurrency, serving as the core proving system for Zcash's initial shielded transactions. This implementation demonstrated the real-world viability of zero-knowledge proofs for privacy. The protocol requires a trusted setup ceremony for each specific circuit, a process famously executed by Zcash in the "Power of Tau" multi-party computation. While newer proof systems have since emerged with different trade-offs, Groth16 remains a benchmark for proof succinctness and verification speed in applications where its trusted setup model is acceptable.
how-it-works
ZK-SNARK PROTOCOL
How Groth16 Works
Groth16 is a highly efficient zero-knowledge proof system that enables one party to prove knowledge of a secret without revealing it, forming a cornerstone of modern blockchain privacy and scalability.
Groth16 is a specific, non-interactive Zero-Knowledge Succinct Non-Interactive Argument of Knowledge (zk-SNARK). Its primary function is to allow a prover to generate a small, easily verifiable proof that they possess a witness (private data) satisfying a given computational statement, without revealing the witness itself. The protocol is named after its creator, Jens Groth, and the year of its seminal 2016 paper. It is distinguished by its constant-size proofs and fast verification time, making it exceptionally practical for blockchain applications where proof data must be stored on-chain.
The protocol operates on a Quadratic Arithmetic Program (QAP), a method of representing any computational program as a set of polynomial equations. To use Groth16, a trusted setup ceremony first generates a Common Reference String (CRS), which consists of public parameters for proving and verification. This setup is circuit-specific, meaning it is tailored to the exact logic of the statement being proven (e.g., "I know the private key for this public address"). The security of the entire system relies on the toxic waste from this ceremony being securely destroyed, a process often managed through multi-party computation (MPC) ceremonies to decentralize trust.
The proving process involves the prover using the CRS and their private witness to construct the proof, which consists of just three elliptic curve group elements: A, B, and C. The verifier, using their portion of the CRS, performs a pairing check—a specific type of bilinear map operation—on these elements. If the pairing equation holds, the statement is verified as true with overwhelming probability. This elegant mathematical construction is what enables the proof to be both succinct (only ~200 bytes) and efficient to verify, often requiring only milliseconds.
Groth16's efficiency comes with specific constraints. It is primarily designed for proving the execution of arithmetic circuits, making it ideal for cryptographic operations but requiring complex toolchains (like circom or arkworks) to compile high-level code into the required circuit format. Furthermore, its requirement for a circuit-specific trusted setup is often seen as a drawback compared to universal setup systems like PLONK, as each new logical statement necessitates a new, potentially complex ceremony.
In practice, Groth16 has been instrumental in enabling private transactions (e.g., Zcash's original Sapling upgrade) and scalability solutions through ZK-Rollups. By generating a single proof for a batch of thousands of transactions, a rollup can post a tiny Groth16 proof to a base layer like Ethereum, allowing the network to verify the entire batch's validity almost instantly, dramatically increasing throughput while maintaining security.
key-features
GROTH16
Key Features
Groth16 is a highly efficient zk-SNARK proving system known for its small proof sizes and fast verification, making it a foundational technology for private blockchain transactions and computations.
01
Succinct Proofs
Groth16 generates extremely compact zero-knowledge proofs, typically just three elliptic curve points. This small size (often ~128-256 bytes) allows proofs to be stored on-chain and transmitted efficiently, a critical feature for scalable blockchain applications.
02
Fast Verification
Verification of a Groth16 proof is exceptionally quick, requiring only a few pairing operations on elliptic curves. This constant-time verification, often under 10 milliseconds, enables smart contracts to cheaply and instantly verify complex off-chain computations.
03
Trusted Setup Requirement
A one-time, ceremonial trusted setup is required to generate the system's common reference string (CRS). This process involves generating and destroying a 'toxic waste' parameter. If compromised, it could allow fake proof generation, making secure ceremony execution paramount.
04
Quadratic Arithmetic Programs (QAP)
Groth16 proves statements expressed as Quadratic Arithmetic Programs (QAPs), a method of representing computational circuits. The prover shows they know a satisfying assignment to the QAP's polynomials, which encodes the correct execution of a program.
05
Non-Interactive & Publicly Verifiable
Proofs are non-interactive, requiring only a single message from prover to verifier. They are also publicly verifiable; anyone with the public verification key and proof can verify its validity without interacting with the prover.
06
Primary Use Cases
- Private Transactions: Hiding amount, sender, and receiver (e.g., Zcash).
- Scalable Rollups: Bundling thousands of transactions into a single, verifiable proof.
- Verifiable Computation: Proving the correct execution of any program without revealing its inputs.
COMPARISON MATRIX
Groth16 vs. Other ZK Proof Systems
A technical comparison of the Groth16 proving scheme against other prominent zero-knowledge proof systems, focusing on cryptographic assumptions, proof size, and performance characteristics.
| Feature / Metric | Groth16 | PLONK | STARKs |
|---|---|---|---|
Cryptographic Assumption | Pairing-Friendly Elliptic Curves | Universal Structured Reference String (SRS) | Collision-Resistant Hashes |
Trusted Setup Required | |||
Proof Size | ~200 bytes | ~400 bytes | ~45-200 KB |
Verification Time | < 10 ms | ~10-50 ms | ~10-100 ms |
Prover Memory | Moderate | High | Very High |
Recursive Proof Support | |||
Post-Quantum Security | |||
Primary Use Case | Succinct blockchain proofs | Universal circuits, rollups | High-throughput, scalable proofs |
ecosystem-usage
GROTH16
Ecosystem Usage
Groth16 is a highly efficient zk-SNARK proving system, renowned for its small proof sizes and fast verification, making it a foundational technology for privacy and scalability in blockchain applications.
02
Scalable Layer 2 Rollups
Several zk-Rollup solutions leverage Groth16's fast verification to batch thousands of transactions off-chain and post a single, small proof to Ethereum. This drastically reduces gas costs and increases throughput while inheriting Ethereum's security.
- Aztec Network: Uses Groth16 for its private rollup.
- Early zkSync (1.0): Initially utilized Groth16 before later versions adopted other proving systems.
03
Credential & Identity Verification
Beyond payments, Groth16 enables selective disclosure of credentials. A user can generate a proof that they are over 18 from an identity document, or that they have a specific accreditation, without revealing any other personal information. This is foundational for decentralized identity (DID) and privacy-preserving KYC.
04
Trusted Setup Ceremony
A critical operational aspect of Groth16 is its requirement for a one-time trusted setup (also called a Parameter Generation Ceremony or Powers of Tau). This process generates the public parameters (proving and verification keys) needed for the circuit. If the ceremony is compromised, proofs can be forged. Major projects like Zcash have conducted large, public multi-party ceremonies to maximize security and decentralization of this initial trust.
05
Circuit-Specific Optimization
Unlike some newer SNARKs, Groth16 requires a unique trusted setup for each specific arithmetic circuit (program logic). This makes it less flexible for general-purpose smart contract platforms that need to support arbitrary logic, but it delivers optimal performance (smallest proofs, fastest verification) for fixed, widely-used functions like private transfers.
06
Comparison to Later SNARKs
Groth16 is often compared to newer proving systems like PLONK and STARKs. Key differentiators include:
- Proof Size: Groth16 proofs are extremely small (~200 bytes).
- Verification Speed: Very fast, with constant-time verification.
- Trusted Setup: Requires a circuit-specific setup (a drawback).
- Recursion: Does not natively support proof recursion without wrapping, unlike PLONK. Its efficiency keeps it in use for applications where its circuit-specific nature is acceptable.
security-considerations
GROTH16
Security Considerations
Groth16 is a highly efficient zk-SNARK proving system. Its security relies on a trusted setup, making the generation and destruction of toxic waste a critical consideration.
02
Updatable & Universal Setups
To mitigate the risks of a single trusted setup, updatable or universal setups are used.
- Updatable: Multiple parties sequentially contribute to the ceremony, with each new contribution rendering previous toxic waste useless. The final contributor must be honest.
- Universal (e.g., Perpetual Powers of Tau): A single setup can be used for many circuits, allowing for large, public ceremonies that amortize trust across many applications.
03
Cryptographic Assumptions
Groth16's security is based on specific cryptographic assumptions that are believed to be hard to break. The primary assumptions are:
- Knowledge-of-Exponent (KEA)
- q-Strong Diffie-Hellman (q-SDH)
- Decision Linear (DLIN) A break in any of these underlying mathematical problems would compromise the soundness of all Groth16 proofs derived from affected parameters.
04
Circuit-Specific Trust
Unlike some newer proving systems, a Groth16 trusted setup is circuit-specific. The proving/verification keys generated are only valid for the exact arithmetic circuit they were created for. Any change to the circuit logic requires a new trusted setup ceremony, reintroducing the associated risks and coordination costs for each application update.
06
Post-Quantum Considerations
Groth16 is not post-quantum secure. Its security relies on the hardness of problems in bilinear groups (pairings), which are vulnerable to attacks by sufficiently powerful quantum computers. While such computers do not yet exist, this is a long-term consideration for systems requiring decades of security guarantees. Post-quantum zk-SNARKs are an active area of research.
ZK-SNARK PROTOCOL
Technical Details
Groth16 is a foundational zero-knowledge proof system used to generate succinct, non-interactive arguments of knowledge. It is a specific, highly efficient construction of a zk-SNARK, renowned for its small proof size and fast verification.
Groth16 is a specific, highly efficient construction of a zk-SNARK (Zero-Knowledge Succinct Non-Interactive Argument of Knowledge) that allows a prover to convince a verifier they know a secret witness for a public statement without revealing the witness itself. It works by first compiling a computational problem into an arithmetic circuit and then a Quadratic Arithmetic Program (QAP). During a trusted setup ceremony, public parameters (a Common Reference String or CRS) are generated. The prover uses the CRS and the secret witness to generate a small, constant-sized proof. The verifier then uses the CRS, the public statement, and the proof to perform a few pairing operations on elliptic curves to check validity, which is extremely fast.
Key Steps:
- Problem Formulation: The statement to be proven is expressed as a Rank-1 Constraint System (R1CS).
- Trusted Setup: A one-time ceremony generates the prover and verifier keys (the CRS).
- Proof Generation: The prover uses the prover key and the private witness to create the proof.
- Proof Verification: The verifier uses the verifier key and the proof to execute a quick check.
ZK-SNARKS
Common Misconceptions
Groth16 is a foundational zero-knowledge proof system, but its specific properties and limitations are often misunderstood. This section clarifies key technical points.
No, Groth16 is a non-universal or circuit-specific SNARK. This is a critical distinction. A trusted setup (specifically, a structured reference string or SRS) is generated for a single, fixed arithmetic circuit. This circuit defines the exact computation to be proven (e.g., "I know a private key for this public address"). You cannot use the same trusted setup to prove different statements. This contrasts with universal or updatable SNARKs like PLONK or Marlin, where a single, reusable SRS can be used for many different circuits.
GROTH16
Frequently Asked Questions
Groth16 is a foundational zero-knowledge proof system. These questions address its core mechanics, applications, and how it compares to other ZK-SNARK constructions.
Groth16 is a highly efficient, non-interactive zero-knowledge proof system, specifically a zk-SNARK (Succinct Non-interactive Argument of Knowledge). It allows a prover to convince a verifier they know a secret witness satisfying a public statement without revealing the witness itself. The protocol works in three phases: a trusted setup ceremony generates public proving and verification keys for a specific circuit; the prover uses the proving key to create a short proof from their secret witness; and the verifier uses the verification key to check the proof's validity in constant time, independent of the circuit's complexity. Its defining features are extremely small proof sizes (only three elliptic curve points) and fast verification, making it ideal for blockchain applications.
further-reading
GROTH16
Further Reading
Dive deeper into the technical foundations, applications, and ecosystem of the Groth16 zero-knowledge proof system.
02
Trusted Setup & Ceremonies
Groth16 requires a one-time trusted setup to generate a Common Reference String (CRS). If the setup's toxic waste is compromised, false proofs can be created. This has led to large-scale trusted setup ceremonies (e.g., Zcash's Powers of Tau) where multiple participants contribute randomness to decentralize trust, making it computationally infeasible for any single party to subvert the system.
03
zk-SNARKs vs. zk-STARKs
Groth16 is a leading zk-SNARK (Zero-Knowledge Succinct Non-interactive Argument of Knowledge). Compare its properties to zk-STARKs:
- Proof Size: Groth16 (~200 bytes) is much smaller than STARKs (~100 kB).
- Setup: Groth16 requires a trusted setup; STARKs are transparent (no trusted setup).
- Scalability: STARKs have faster prover times for large computations.
- Post-Quantum: STARKs are believed to be quantum-resistant; SNARKs are not.
05
Real-World Applications
Groth16's efficiency has made it the proof system of choice for several major blockchain projects:
- Zcash (ZEC): The first major cryptocurrency to implement zk-SNARKs for shielded transactions.
- Tornado Cash: Used Groth16 to enable private Ethereum transactions (now deprecated).
- Various L2 Rollups: Early iterations of zk-Rollups utilized Groth16 for succinct validity proofs, though newer systems often use different SNARK constructions.
06
Performance & Constraints
Groth16 is renowned for its verification speed and minimal proof size, but has notable constraints:
- Prover Time: Can be computationally intensive, scaling with circuit complexity.
- Circuit Specificity: A new trusted setup is required for each distinct circuit.
- Elliptic Curve Dependency: Relies on pairing-friendly elliptic curves (e.g., BN254, BLS12-381), which influences security assumptions and implementation efficiency.
ENQUIRY
Get In Touch
today.
Our experts will offer a free quote and a 30min call to discuss your project.
NDA Protected
Confidentiality24h Response
Time to ValueDirectly to Engineering Team
No Sales Fluff10+
Protocols Shipped
$20M+
TVL Overall