
Groth16

Overview

Groth16 is an algorithm proposed by Jens Groth in 2016. It is now a classic zk-SNARK algorithm, used in projects such as Zcash, Filecoin, and Coda.

Groth16 is currently the fastest zk-SNARK and has the smallest proof size, but each circuit requires a separate Trusted Setup.

Core Properties

Extremely Small Proof Size: A Groth16 proof is extremely small, consisting of only three group elements (approximately 200 bytes). This makes Groth16 ideal for blockchain applications, as on-chain storage and verification costs are very low.

Fast Verification: Verifying a Groth16 proof takes only constant time and is highly efficient.

Circuit-Specific Trusted Setup: Each circuit requires a separate Trusted Setup, which is its main limitation. Different circuits cannot share setup parameters.

Technical Implementation

Pairing-Based Cryptography: Groth16 uses bilinear pairing technology, typically implemented on elliptic curves such as BN254 or BLS12-381.

QAP (Quadratic Arithmetic Program): The computational circuit is converted to QAP, and then proofs are generated and verified through polynomial commitments and pairing checks.
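The circuit-to-QAP step described above, as an added example (not code from the Groth16 paper or from any project named on this page): a constructed circuit out = x^3 + x + 5 is written as three rank-1 constraints, each matrix column is interpolated into a polynomial, and a witness is accepted only if A(X)·B(X) − C(X) is divisible by Z(X). The field modulus, the circuit, and all function names are assumptions chosen for illustration; commitments and pairing checks are not shown.

```python
# Toy prime field (assumption); real Groth16 uses the pairing curve's scalar field.
P = 2**31 - 1

def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % P
    return out

def interpolate(ys):
    """Lagrange-interpolate (1, ys[0]), (2, ys[1]), ...; coefficients low to high."""
    n, result = len(ys), [0] * len(ys)
    for i in range(n):
        basis, denom = [1], 1
        for j in range(n):
            if j != i:
                basis = poly_mul(basis, [-(j + 1) % P, 1])  # times (X - x_j)
                denom = denom * (i - j) % P                 # times (x_i - x_j)
        scale = ys[i] * pow(denom, -1, P) % P
        result = [(r + scale * b) % P for r, b in zip(result, basis)]
    return result

def combine(matrix, w):
    """sum_j w[j] * M_j(X), where M_j(X) interpolates column j of an R1CS matrix."""
    cols = [interpolate(list(col)) for col in zip(*matrix)]
    return [sum(wj * c[k] for wj, c in zip(w, cols)) % P for k in range(len(matrix))]

def poly_divmod(num, den):
    num, quot = num[:], [0] * (len(num) - len(den) + 1)
    inv = pow(den[-1], -1, P)
    for k in range(len(quot) - 1, -1, -1):
        quot[k] = num[k + len(den) - 1] * inv % P
        for i, d in enumerate(den):
            num[k + i] = (num[k + i] - quot[k] * d) % P
    return quot, num[:len(den) - 1]

# Constructed R1CS, witness [1, x, out, v1, v2]: x*x=v1; v1*x=v2; (5+x+v2)*1=out
A = [[0, 1, 0, 0, 0], [0, 0, 0, 1, 0], [5, 1, 0, 0, 1]]
B = [[0, 1, 0, 0, 0], [0, 1, 0, 0, 0], [1, 0, 0, 0, 0]]
C = [[0, 0, 0, 1, 0], [0, 0, 0, 0, 1], [0, 0, 1, 0, 0]]

def qap_check(w):
    """Return (H, rem) with A(X)*B(X) - C(X) = H(X)*Z(X) + rem; rem is zero iff w is valid."""
    a, b, c = (combine(m, [v % P for v in w]) for m in (A, B, C))
    p = [(x - y) % P for x, y in zip(poly_mul(a, b), c + [0] * (len(c) - 1))]
    z = [1]
    for i in range(len(A)):
        z = poly_mul(z, [-(i + 1) % P, 1])                  # Z(X) = (X-1)(X-2)(X-3)
    return poly_divmod(p, z)
```

For x = 3 the honest witness is [1, 3, 35, 9, 27]; changing any entry leaves a non-zero remainder, which is the condition a Groth16 verifier ultimately enforces through its pairing equation.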

Application in Zcash

Sapling Upgrade: In the Zcash project, the libsnark library was initially used to implement zk-SNARK zero-knowledge proofs. When upgrading to the Sapling version (2018), Zcash switched to its in-house bellman library, a Rust-based zk-SNARK library supporting the Groth16 scheme.

Trusted Setup Ceremony: To prevent security issues, Zcash generates public parameters through carefully designed multi-party ceremonies. If the "toxic waste" from the setup process is not properly destroyed, it could lead to forged proofs.

Use Cases

  1. Privacy Protection: Zcash uses Groth16 to implement shielded transactions, hiding the sender, receiver, and amount
  2. Decentralized Exchanges: Loopring 3.0 uses the Groth16 algorithm to provide zero-knowledge proofs
  3. Storage Proofs: Filecoin uses Groth16 to prove the availability of stored data
  4. Layer 2 Scaling: Multiple zkRollup projects adopt Groth16

Advantages and Limitations

Advantages:

  • Extremely small proofs (~200 bytes)
  • Extremely fast verification (~5-10 ms)
  • Low Gas cost
  • Technologically mature, production-ready

Limitations:

  • Requires circuit-specific Trusted Setup
  • Complex setup process with potential risks
  • Does not natively support recursive proofs (requires special handling)
  • Circuit updates require re-running the setup

  • zkSNARK
  • Trusted Setup
  • ZCash
  • Filecoin
  • Bilinear Pairing
  • QAP