The definitive browser demo of Groth16 vs PLONK, trusted setup vs universal setup.
ZK Proof Lab introduces Schnorr and Fiat-Shamir. SNARK Arena goes deeper into the two systems that power production zero-knowledge systems.
Groth16 (Groth 2016) and PLONK (Gabizon, Williamson, Ciobotaru 2019) are shown side by side with setup assumptions, proof sizes, and verification behavior.
SNARK means Succinct Non-interactive ARgument of Knowledge.
Succinct: proof is small (often hundreds of bytes) regardless of computation size.
Non-interactive: prover sends one message; no back-and-forth transcript.
Argument of Knowledge: verifier is convinced prover knows a witness satisfying the circuit.
Completeness: honest prover with valid witness is accepted.
Soundness: cheating prover without witness is rejected except negligible probability.
Zero-knowledge: proof reveals nothing about the witness beyond validity.
A circuit is an arithmetic constraint system over a finite field. Example for x^3 + x + 5 = 35:
v1 = x * x, v2 = v1 * x, v2 + x + 5 = 35.
Groth16 is per-circuit setup with smallest proofs and fastest verification. PLONK is universal setup with more circuit flexibility.
For foundational Schnorr, Fiat-Shamir, and commitment mechanics, see ZK Proof Lab.
Groth16 is a pairing-based SNARK over curves like BN254 and BLS12-381 using QAP-style encodings (Groth, EUROCRYPT 2016).
Setup has Powers of Tau plus a circuit-specific phase 2 that emits proving key and verification key.
Proof has three group elements (A, B, C). On BN254 this is 128 bytes; on BLS12-381 this is 192 bytes.
Constraint count: 2
Proving key size: 42 KB (simulated educational profile)
Verification key size: 1.6 KB (simulated educational profile)
Proof size: 128 bytes (BN254)
Proof bytes (hex, truncated):
Verification time: 1.4 ms
Security holds if at least one participant destroys toxic waste.
Examples: Zcash Sapling (88 participants, 2018), Hermez (214 participants, 2021), Semaphore (open participation, thousands of contributors).
PLONK uses polynomial commitments and a permutation argument in Lagrange form (ePrint 2019/953).
One universal setup (Powers of Tau) can support many circuits up to a maximum size.
Proofs are larger than Groth16 (typically around 400-500 bytes) with still-fast verification.
Proof size: 448 bytes
Proof bytes (hex, truncated):
Verification time: 3.8 ms
SRS examples: 2^14 constraints ≈ 256 MB, 2^21 constraints ≈ 2 GB.
PLONK (original): KZG commitments.
TurboPlonk: custom gates (Aztec).
UltraPlonk: lookups and richer gate systems.
Halo2: no trusted setup via IPA commitments, used in Zcash Orchard and Scroll proving systems.
Proof bytes:
Proof size: 128 bytes (BN254)
Verification time: 1.5 ms
Setup type: per-circuit
Proof bytes:
Proof size: 448 bytes
Verification time: 3.9 ms
Setup type: universal
| Property | Groth16 | PLONK |
|---|---|---|
| Setup type | Per-circuit | Universal (once) |
| Proof size | 128 bytes (BN254) | ~400-500 bytes |
| Verification time | ~1-2ms | ~3-5ms |
| Proving time | Fast | Slightly slower |
| Circuit language | R1CS / circom | PLONKish / Halo2 |
| Trusted setup risk | Circuit-specific | Universal SRS |
| Recursive SNARKs | Complex | Native in Halo2 variants |
| Post-quantum safe | No (pairing-based) | No (pairing-based) |
| Used in | Zcash, Semaphore | Aztec, Polygon zkEVM |
I need smallest proof for fixed circuit -> Groth16.
I need circuit flexibility without new ceremonies -> PLONK.
I need recursive composition -> Halo2.
I cannot run trusted setup -> Halo2 or STARKs.
I need post-quantum security -> STARKs.
Toxic waste is setup randomness. If retained, forged proofs for false statements become possible and soundness collapses.
Verification keys cannot detect forgeries made by a party holding toxic waste. This is a catastrophic failure mode.
MPC ceremonies chain contributions from many participants; security holds if at least one honest participant deletes their randomness.
Groth16 compromise is circuit-scoped to the affected phase-2 setup, while universal setup compromise can affect all circuits using that SRS.
Press a simulation button.
Zcash Sprout (2016): 6 collocated participants.
Zcash Sapling (2018): 88 participants over 6 weeks.
Hermez 1.0 (2021): 214 participants.
Semaphore: open participation, thousands of contributors.
Ethereum KZG Ceremony for EIP-4844 (2023): approximately 141,000 contributors.
Every shielded transaction proves: "I know a spending key and note commitment that authorizes spending this amount" without revealing either.
Circuit: Sapling circuit, ~4 million constraints. Proof: 192 bytes (BLS12-381), generated in ~2–3 seconds on mobile. Verification: ~10 ms on a full node. Same circuit since 2018 Sapling upgrade.
Proves correct execution of Ethereum EVM bytecode. The proof allows Ethereum mainnet to verify L2 transactions without re-executing them — this is how zkRollups achieve scalability.
Circuit: millions of constraints for EVM opcode coverage. FFLONK (Fast PLONK variant): ~800 byte proofs, ~200 ms verification on-chain.
Proves: "I am a unique human who has not already voted in this poll" without revealing which human. Uses Groth16 with the Semaphore ceremony.
Enables anonymous, sybil-resistant voting and credential systems.
Proves: "I own this OAuth account (Google/Apple)" without revealing which account or its credentials. Enables blockchain accounts controlled by OAuth credentials.
Generates proofs client-side in ~2 seconds.