When comparing proof systems like zk-SNARKs, zk-STARKs, and Bulletproofs, you must define clear performance goals. These systems are not universally "fast" or "cheap"; their efficiency depends on the specific computational task, known as the circuit. Key metrics to benchmark include proving time, verification time, proof size, and the trusted setup requirement. For instance, a decentralized application (dApp) requiring frequent, low-cost verification for many users will prioritize small proof size and fast verification, even if proving is slower.
LABS
Guides
How to Compare Proof System Performance Goals
A technical guide for developers and researchers on establishing performance benchmarks for ZK-SNARKs, STARKs, and other proof systems. Covers key metrics, measurement tools, and code for reproducible testing.
Chainscore © 2026
introduction
BENCHMARKING ZKPS
How to Compare Proof System Performance Goals
A guide to evaluating and comparing the performance characteristics of different zero-knowledge proof systems for blockchain applications.
The proving process is often the most computationally intensive. Performance here is measured in seconds or minutes and is heavily influenced by circuit complexity and the proving system's underlying cryptographic constructions. Groth16 zk-SNARKs offer extremely small proofs and fast verification but require a circuit-specific trusted setup and have slower proving times for large circuits. In contrast, PLONK and Halo2 use universal setups, trading slightly larger proof sizes for more flexible and sometimes faster proving across different circuits.
Verification cost is critical for on-chain applications, as it determines the gas fee for validating a proof on a blockchain like Ethereum. A zk-SNARK verifier might perform a few pairing operations, costing ~200k gas, while a zk-STARK verifier uses simpler hash functions but must verify a larger proof, leading to higher gas costs. You must test verification with your exact circuit on the target network. Tools like the snarkjs library and Circom compiler allow you to generate and benchmark proofs for custom circuits.
Memory and hardware requirements are practical constraints. Generating a proof for a complex circuit (e.g., one verifying an Ethereum block) can require 32+ GB of RAM. zk-STARKs, while post-quantum secure and transparent, generate proofs measured in hundreds of kilobytes, which impacts data availability and storage costs. Your comparison must account for the hardware available to your provers (servers) and the data constraints of your verifiers (smart contracts).
Ultimately, selecting a proof system is an optimization problem. Create a matrix for your project: list your primary constraints (e.g., verification_gas < 500k, proof_size < 5 KB, no_trusted_setup). Then, prototype your circuit with different backends. The zkEVM benchmark by Ethereum Foundation provides a model, comparing systems across these axes for standardized workloads. There is no single best system, only the best fit for your specific performance goals and trust assumptions.
prerequisites
PREREQUISITES AND SETUP
How to Compare Proof System Performance Goals
Before benchmarking, you must define clear, measurable performance goals. This guide outlines the key metrics and setup required for a meaningful comparison of zero-knowledge proof systems.
Effective performance comparison starts with defining your application's specific requirements. Are you optimizing for prover time in a high-frequency trading application, minimizing verifier time for on-chain gas costs, or reducing proof size for bandwidth-constrained environments? Each goal prioritizes different aspects of a proof system's architecture. For instance, a zkRollup sequencer cares deeply about prover speed to maintain low latency, while a privacy-preserving voting dApp might prioritize small proof sizes to keep transaction fees minimal. Clearly document these primary and secondary objectives before evaluating any system.
You will need a standardized benchmarking environment to ensure fair comparisons. This involves setting up identical hardware (e.g., AWS c6i.metal instance), using the same underlying cryptographic libraries (like arkworks or libsnark), and defining a canonical circuit representation for your benchmark. The circuit should be non-trivial—such as a Merkle tree inclusion proof or a signature verification—to stress-test the systems. Use version-pinned dependencies (e.g., circom 2.1.5, halo2 0.3.0) to ensure reproducibility. Tools like criterion.rs for Rust or custom scripts can automate the collection of key metrics: prover time, verifier time, memory footprint, and proof size in bytes.
Beyond raw speed, you must measure trusted setup requirements and security assumptions. Some systems like Groth16 require a per-circuit trusted setup, adding operational complexity, while others like STARKs and Halo2 are transparent (setup-free). Document the concrete security level (e.g., 128 bits) each system achieves and any underlying hardness assumptions (e.g., discrete log). Furthermore, assess developer ergonomics: circuit writing complexity, quality of documentation, and audit history. A system with a 20% slower prover but a battle-tested, well-documented codebase like the one powering zkSync Era may be preferable for production over a faster but novel, unaudited construction.
Finally, structure your comparison with a clear scoring rubric. Assign weights to each metric (Prover Time: 40%, Proof Size: 30%, Verifier Time: 20%, Setup Complexity: 10%) based on your initial goals. Run benchmarks multiple times to account for variance and plot the results. This quantitative approach, combined with qualitative assessment of the codebase and community, will yield a holistic view. Remember, the "fastest" system in a paper may not be the most practical for your specific use case when integration overhead and security are factored in.
defining-metrics
PROOF SYSTEM COMPARISON
Defi Performance Metrics
A framework for evaluating zero-knowledge and validity proof systems based on their core computational trade-offs.
When comparing proof systems like zk-SNARKs, zk-STARKs, and Bulletproofs, you must define your performance goals across four key dimensions. These are prover time, verifier time, proof size, and trusted setup requirements. No single system optimizes for all four; each makes distinct trade-offs. For instance, Groth16 zk-SNARKs produce tiny proofs verified in milliseconds but require a circuit-specific trusted setup and have slower proving times. Understanding which metric is your primary constraint is the first step in selecting a system.
Prover time measures how long it takes to generate a proof, directly impacting user experience and operational cost. Systems like Halo2 (used by zkEVM rollups) and Plonky2 prioritize faster proving through recursive composition and efficient field arithmetic. Prover time is often the bottleneck for applications like private transactions or rollup sequencing, where proofs must be generated in near real-time. It's influenced by circuit complexity, the underlying cryptographic primitives, and hardware acceleration potential.
Verifier time and proof size are critical for on-chain verification and data availability. A verifier smart contract pays gas for every computational step, so verification must be cheap. zk-SNARKs excel here, with constant-time verification (e.g., ~200k gas for a Groth16 verification on Ethereum). Proof size affects calldata costs for rollups; a 200-byte SNARK proof is far cheaper to post than a 45KB STARK proof. However, newer STARK constructions with recursive proofs can achieve smaller final sizes for complex computations.
The trusted setup is a security and operational consideration. A trusted setup ceremony (like Powers of Tau for SNARKs) generates public parameters that must be securely discarded. If compromised, false proofs can be created. Transparent systems like zk-STARKs and Bulletproofs eliminate this need, enhancing decentralization and auditability. When evaluating, ask if your application can manage the ceremony logistics or if transparency is a non-negotiable security requirement.
To compare systems quantitatively, benchmark them against your specific circuit (e.g., a Merkle tree inclusion proof, a signature verification). Use frameworks like the zk-benchmarking suite from Ethereum Foundation or arkworks to measure prover/verifier time on target hardware and proof size. Always contextualize numbers: a "slow" 2-second prover time may be fine for a rollup batch but unacceptable for a wallet transaction. The optimal system balances your constraints for scalability, cost, and security.
benchmarking-tools
PERFORMANCE ANALYSIS
Benchmarking Tools and Libraries
Accurately measuring proof system performance requires specialized tools. This guide covers the essential libraries and frameworks for benchmarking proving time, verification speed, and memory usage across different protocols.
06
Defining Performance Goals & Metrics
Before benchmarking, define what you're measuring. Key metrics for proof systems include:
- Proving Time: The time to generate a proof, often the critical bottleneck.
- Verification Time: Must be sub-second for user-facing applications.
- Proof Size: Impacts on-chain gas costs and bandwidth.
- Memory Footprint: Determines hardware requirements for provers.
- Trusted Setup Requirements: Some SNARKs require a one-time ceremony, adding operational complexity. Establish baseline targets for your specific use case, whether it's a private payment or a verifiable ML inference.
KEY METRICS
Proof System Performance Comparison Framework
A quantitative framework for evaluating zero-knowledge proof systems across critical performance dimensions.
| Performance Metric | zk-SNARKs (Groth16) | zk-STARKs | Plonk / Halo2 |
|---|---|---|---|
Proving Time (1M constraints) | ~2 seconds | ~45 seconds | ~15 seconds |
Verification Time | < 10 ms | ~100 ms | ~50 ms |
Proof Size | ~200 bytes | ~45 KB | ~400 bytes |
Trusted Setup Required | |||
Post-Quantum Security | |||
Recursion Support | |||
Prover Memory Usage | ~4 GB | ~16 GB | ~8 GB |
Developer Tooling Maturity |
step-by-step-benchmarking
PERFORMANCE ANALYSIS
Step-by-Step Benchmarking Walkthrough
A practical guide to measuring and comparing the performance of zero-knowledge proof systems using real-world metrics and tools.
Effective benchmarking requires a structured approach to isolate and measure the key performance indicators (KPIs) of a proof system. The primary metrics to track are proving time, verification time, and proof size. Proving time is the computational cost for the prover to generate a proof, which is often the most resource-intensive step. Verification time is the cost for the verifier to check the proof's validity, which should be minimal for scalability. Proof size directly impacts the cost of on-chain verification and data availability. To begin, you must define a consistent computational workload, such as a specific zk-SNARK circuit for a Merkle tree inclusion proof or a signature verification, to ensure fair comparisons across different systems like Groth16, Plonk, or Halo2.
The next step is to establish a controlled testing environment. Use a dedicated machine with consistent hardware specifications (CPU, RAM, SSD) to eliminate external variables. For cloud-based testing, services like AWS or GCP offer repeatable instance types. Configure your benchmark to run the proving and verification routines multiple times, discarding the initial run to account for just-in-time compilation and caching. Calculate the mean and standard deviation for each metric over subsequent runs to ensure statistical significance. Tools like Criterion.rs for Rust-based systems or custom scripts with time commands are essential for precise measurement. Always document the exact software versions of the proving system, backend libraries (e.g., arkworks, bellman), and the curve being used (e.g., BN254, BLS12-381).
With raw data collected, analysis is key. Create visualizations like bar charts comparing proving times or scatter plots showing the trade-off between proof size and verification speed. Look for non-linear scaling: how do metrics change as the circuit constraint count doubles? This reveals the system's asymptotic complexity. Furthermore, measure memory usage during proving, as some memory-heavy systems may not be suitable for resource-constrained environments. It's critical to benchmark under different scenarios: a trusted setup (if required), a non-universal setup, and with and without recursive proof composition. Publishing your methodology and results, perhaps using a framework like the ZKP Benchmarking Framework initiative, contributes to ecosystem transparency and helps developers choose the right tool for their specific application in rollups or private transactions.
interpreting-results
HOW TO COMPARE PROOF SYSTEM PERFORMANCE GOALS
Interpreting Results and Trade-offs
Evaluating zero-knowledge proof systems requires analyzing a complex matrix of performance metrics. This guide explains how to interpret benchmark results and make informed trade-offs between prover time, proof size, and verification cost.
When comparing proof systems like zk-SNARKs (e.g., Groth16, Plonk) and zk-STARKs, you must first define your application's primary constraints. Is your goal low on-chain verification gas cost for an L2 rollup? Fast prover time for a privacy-preserving application? Or minimal proof size for bandwidth-constrained environments? Each system optimizes for different aspects of this performance triangle. For instance, Groth16 offers constant-size proofs and ultra-fast verification but requires a trusted setup and has slower proving. STARKs have faster proving and are transparent (no trusted setup) but generate larger proofs, increasing verification gas costs.
Key Metrics to Benchmark
Always measure these core metrics under controlled conditions: Prover Time (seconds to generate a proof), Proof Size (bytes), and Verifier Time/Gas (milliseconds or gas units to verify). Use standardized circuits of varying sizes (e.g., 10k, 100k constraints) for comparison. For Ethereum, verification gas is often the critical bottleneck. A proof that costs 500k gas to verify (like some early SNARKs) is impractical for frequent use, whereas newer systems like Plonk or Halo2 can achieve verification under 200k gas, making them suitable for rollups. Tools like criterion for Rust or custom benchmarking scripts are essential.
Interpreting these numbers requires context. A 2-second prover time might be fine for a once-per-block rollup proof but unacceptable for a real-time gaming transaction. Similarly, a 45 KB proof might be trivial for an off-chain attestation but prohibitively expensive to post on-chain during high network congestion. You must also account for trust assumptions (trusted setup vs. transparency) and recursion support. Systems that support proof recursion (like Plonk with a custom gate setup or certain STARKs) allow proofs to verify other proofs, enabling scalable L2 architectures but often at a performance trade-off in a single layer.
Making the Trade-off Decision
Your choice often comes down to prioritizing one or two metrics. For a ZK-Rollup, the hierarchy is typically: 1) Low verification gas (to keep L1 costs down), 2) Acceptable prover time (to maintain block production), 3) Proof size (less critical if data is posted as calldata). For a client-side proof (like a privacy wallet), the priority flips: 1) Fast prover time (user experience), 2) Small proof size (for quick transmission), 3) Verification cost (less critical, done by a server). There is no 'best' system, only the best for your specific constraints and threat model.
Finally, consider ecosystem maturity and audit status. A theoretically faster system is a liability if its cryptographic libraries are unaudited or lack production battle-testing. Always cross-reference academic papers (e.g., from the ZKProof Community) with implementation audits from firms like Trail of Bits or Quantstamp. Performance is meaningless without security. Start with a well-audited system like circom with Groth16 or Halo2 in the zcash ecosystem, then experiment with newer alternatives once they have undergone rigorous peer review and security audits.
PROOF SYSTEM COMPARISON
Real-World Benchmark Examples
Performance and resource benchmarks for widely used proof systems in production.
| Benchmark Metric | zk-SNARKs (Groth16) | zk-STARKs | Plonk |
|---|---|---|---|
Prover Time (1M constraints) | ~45 seconds | ~120 seconds | ~90 seconds |
Proof Size | ~200 bytes | ~45 KB | ~400 bytes |
Verifier Gas Cost (EVM) | ~450k gas | ~2.1M gas | ~500k gas |
Trusted Setup Required | |||
Post-Quantum Security | |||
Recursive Proof Support | |||
Developer Tooling Maturity |
resource-links
PERFORMANCE EVALUATION
Resources and Further Reading
Use these resources and frameworks to compare proof system performance goals across ZK rollups, validity proofs, and privacy-preserving applications. Each card focuses on a concrete evaluation angle developers can apply when choosing or benchmarking a proof system.
01
Understand Core Proof System Metrics
Before comparing systems, standardize the performance metrics you are measuring. Many benchmarks talk past each other by optimizing different variables.
Key metrics to define explicitly:
- Prover time: Wall-clock time to generate a proof for a fixed circuit size.
- Verifier time: CPU time required on-chain or off-chain to verify a proof.
- Proof size: Bytes transmitted and stored, directly affecting calldata or DA costs.
- Trusted setup requirements: Whether setup is universal, circuit-specific, or transparent.
- Asymptotic complexity: How prover time scales with constraint count or witness size.
Example: Groth16 typically has very small proof sizes (~200–300 bytes) and fast verification but requires circuit-specific trusted setup, while STARKs trade larger proofs for transparency and post-quantum safety. Comparing without fixing these axes leads to misleading conclusions.
02
Circuit-Level Benchmarking Methodology
Proof systems should be compared using identical circuit logic, not abstract claims from documentation. Small design changes materially affect performance.
Best practices for circuit benchmarking:
- Implement the same computation in multiple DSLs (e.g., Circom vs Halo2).
- Fix input sizes, constraint counts, and public input structure.
- Measure prover performance on the same hardware and OS configuration.
- Separate compilation time from prover runtime.
Concrete example: Hash-heavy circuits using Poseidon may favor PLONKish systems with custom gates, while RSA or big-integer arithmetic performs better in R1CS-based systems. Publishing constraint counts alone is insufficient; measurement must include actual prover execution time and peak memory usage.
03
Throughput and Cost Models in Production
Raw prover speed does not determine real-world viability. Developers should model end-to-end throughput and cost under production constraints.
Factors to include in cost models:
- Batching: How proof aggregation affects latency and amortized costs.
- Parallelization: Whether the prover efficiently utilizes multi-core CPUs or GPUs.
- On-chain verification cost: Gas usage for pairing checks or hash verification.
- Data availability overhead: Proof size impact on calldata or blob usage.
Example: A rollup generating one proof per block may prefer slower proofs with minimal calldata, while an off-chain ZK application may prioritize raw prover throughput and parallelizability. Performance goals must align with execution environment, not just benchmark headlines.
04
Security and Performance Tradeoffs
Performance comparisons are incomplete without evaluating security assumptions and their costs. Faster proofs often rely on stronger or less standard assumptions.
Key tradeoffs to document:
- Cryptographic assumptions: Pairing-based vs hash-based security.
- Transcript model: Fiat–Shamir heuristic and random oracle usage.
- Soundness error: Bits of security per proof and amplification strategies.
- Upgrade risk: Difficulty of migrating circuits if assumptions weaken.
Example: STARKs incur larger proofs and higher verifier costs but rely only on hash functions, while SNARKs achieve smaller proofs at the expense of pairing assumptions. When comparing performance goals, explicitly state acceptable security margins and failure probabilities to avoid underspecified evaluations.
PROOF SYSTEM PERFORMANCE
Frequently Asked Questions
Common questions from developers and researchers about benchmarking and comparing zero-knowledge proof systems.
When comparing proof systems, you must evaluate a core set of metrics. Proving time is the duration to generate a proof, often measured in seconds. Verification time is how long it takes to check a proof's validity, critical for on-chain applications. Proof size directly impacts gas costs for on-chain verification, typically measured in bytes or kilobytes. Memory usage (RAM) and circuit compilation time are also important for developer workflow. For example, a Groth16 proof may be small and fast to verify but requires a trusted setup and has slower proving times for large circuits compared to newer systems like PlonK or Halo2.
conclusion
PERFORMANCE ANALYSIS
Conclusion and Next Steps
A practical framework for evaluating proof systems based on your specific application requirements.
Comparing proof system performance is not about finding a single 'best' solution, but about matching a system's strengths to your project's constraints. The key is to define your primary goal: is it ultra-low latency for a gaming application, minimal on-chain verification cost for a high-frequency DeFi protocol, or massive throughput for a data availability layer? Your goal dictates which metrics—proving time, proof size, verification gas cost, or setup requirements—become your critical benchmarks.
For developers, the next step is to prototype with real SDKs. For a ZK-rollup prioritizing speed, test frameworks like Starknet's Cairo or zkSync's zkEVM with their respective provers. For applications where Ethereum mainnet verification cost is paramount, benchmark circuits compiled with Circom and proven with SnarkJS (Groth16) or Plonky2. Use the specific libraries, such as arkworks for algebraic backends or bellman for BLS12-381, to gather concrete data on your target hardware.
Finally, stay informed on the rapidly evolving frontier. New systems like Nova (for incremental verification) and HyperPlonk are pushing the boundaries of recursion and scalability. Follow research from teams like Ethereum Foundation's PSE, zkSecurity, and a16z Crypto. The optimal choice today may change in 12 months. By grounding your evaluation in application-specific requirements and empirical testing, you can navigate this complex landscape and select the proof system that delivers performance where your project needs it most.