Groth16: The workhorse of zk-SNARKs
Groth16 is the pairing-based zk-SNARK that set the bar for on-chain verification. It compresses any NP statement into just three group elements, making the verifier cheap enough to run inside an Ethereum transaction.
The construction takes an R1CS instance, turns it into a Quadratic Arithmetic Program, and commits to the QAP polynomials inside a structured reference string. The trade-off is a per-circuit trusted setup ceremony: the toxic waste must be destroyed, or a malicious party can forge proofs.
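The R1CS-to-QAP step described above, as an added example that is not taken from the page or the series: it interpolates each R1CS column into a polynomial over the BN254 scalar field and checks that A(x)·B(x) − C(x) is divisible by the vanishing polynomial Z(x). The circuit, witness layout and helper names are constructed for illustration; the structured reference string and pairings are out of scope.

```python
# BN254 scalar field order: the field that circuits on this curve are defined over.
P = 21888242871839275222246405745257275088548364400416034343698204186575808495617

def pmul(a, b):  # polynomial product, coefficient lists lowest degree first
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % P
    return out

def padd(a, b):  # polynomial sum, padding the shorter operand with zeros
    n = max(len(a), len(b))
    return [(x + y) % P for x, y in zip(a + [0] * (n - len(a)), b + [0] * (n - len(b)))]

def interpolate(ys):  # Lagrange polynomial through (1, ys[0]), (2, ys[1]), ...
    poly = [0]
    for i, y in enumerate(ys, start=1):
        term = [y % P]
        for k in range(1, len(ys) + 1):
            if k != i:
                inv = pow((i - k) % P, -1, P)
                term = pmul(term, [-k * inv % P, inv])  # times (x - k) / (i - k)
        poly = padd(poly, term)
    return poly

def pdivmod(num, den):  # long division mod P, returns (quotient, remainder)
    num, q = num[:], [0] * (len(num) - len(den) + 1)
    inv = pow(den[-1], -1, P)
    for i in range(len(q) - 1, -1, -1):
        q[i] = num[i + len(den) - 1] * inv % P
        for j, d in enumerate(den):
            num[i + j] = (num[i + j] - q[i] * d) % P
    return q, num[:len(den) - 1]

def qap_check(A, B, C, w):  # returns (H, remainder) of (A(x)B(x) - C(x)) / Z(x)
    def combine(M):  # witness-weighted sum of the per-column polynomials
        poly = [0]
        for j, wj in enumerate(w):
            poly = padd(poly, pmul([wj % P], interpolate([r[j] for r in M])))
        return poly
    Z = [1]
    for k in range(1, len(A) + 1):  # Z(x) vanishes at every constraint index
        Z = pmul(Z, [-k % P, 1])
    t = padd(pmul(combine(A), combine(B)), pmul([P - 1], combine(C)))
    return pdivmod(t, Z)

# Constructed R1CS for x**3 + x + 5 == out; w = [1, x, out, x*x, x**3, x**3 + x]
A = [[0, 1, 0, 0, 0, 0], [0, 0, 0, 1, 0, 0], [0, 1, 0, 0, 1, 0], [5, 0, 0, 0, 0, 1]]
B = [[0, 1, 0, 0, 0, 0], [0, 1, 0, 0, 0, 0], [1, 0, 0, 0, 0, 0], [1, 0, 0, 0, 0, 0]]
C = [[0, 0, 0, 1, 0, 0], [0, 0, 0, 0, 1, 0], [0, 0, 0, 0, 0, 1], [0, 0, 1, 0, 0, 0]]
```

Calling `qap_check(A, B, C, [1, 3, 35, 9, 27, 30])` returns an all-zero remainder and a degree-2 quotient H(x); changing any witness entry leaves a non-zero remainder, which is the condition the prover cannot satisfy without a valid witness.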
Despite newer schemes, Groth16 is still the fallback when proof size and gas cost dominate. Most privacy protocols shipped in production today still run a Groth16 verifier on Layer 1.
- pairing-based cryptography
- R1CS constraint systems
- trusted setup ceremony
- constant-size proofs
- BN254 / BLS12-381
EP 001 | CH-01 | 2026-02-02
Groth16, from R1CS to three group elements
Anchor-chan opens the series with the proof system that shipped zk to production. We walk the pipeline from R1CS to QAP to the three-element proof, and cover what actually happens inside the trusted setup ceremony.
