zk-SNARKs: Succinct Zero-Knowledge Proofs for Blockchain
zk-SNARKs (Zero-Knowledge Succinct Non-Interactive Arguments of Knowledge) are cryptographic proofs that allow one party to prove knowledge of a secret with a small proof size and fast verification, without revealing the secret.
zk-SNARKs: Succinct Zero-Knowledge Proofs for Blockchain
zk-SNARKs (Zero-Knowledge Succinct Non-Interactive Arguments of Knowledge) are cryptographic proofs that allow one party (the prover) to prove to another party (the verifier) that a statement is true without revealing any additional information beyond the statement's validity. The proof is small in size (succinct) and can be verified quickly, requiring only a single message from prover to verifier (non-interactive). zk-SNARKs are the foundation of private transactions in Zcash and scaling solutions like zk-rollups on Ethereum.
To understand zk-SNARKs properly, it helps to be familiar with zero-knowledge proofs, elliptic curve cryptography, and hash functions.
┌─────────────────────────────────────────────────────────────────────────┐
│ zk-SNARKs Pipeline │
├─────────────────────────────────────────────────────────────────────────┤
│ │
│ 1. Setup Phase (One-time, MPC Ceremony) │
│ ┌─────────────────────────────────────────────────────────────────────┐│
│ │ Circuit (Constraint System) ──→ Trusted Setup ──→ Proving Key (pk) ││
│ │ Verification Key (vk)│
│ └─────────────────────────────────────────────────────────────────────┘│
│ │ │
│ ▼ │
│ 2. Proving Phase (Offline, per statement) │
│ ┌─────────────────────────────────────────────────────────────────────┐│
│ │ Proving Key (pk) + Witness (private inputs) + Public Inputs ││
│ │ │ ││
│ │ ▼ ││
│ │ Generate Proof (π) ││
│ │ (~200-300 bytes) ││
│ └─────────────────────────────────────────────────────────────────────┘│
│ │ │
│ ▼ │
│ 3. Verification Phase (Online, per proof) │
│ ┌─────────────────────────────────────────────────────────────────────┐│
│ │ Verification Key (vk) + Proof (π) + Public Inputs ││
│ │ │ ││
│ │ ▼ ││
│ │ Accept / Reject (milliseconds) ││
│ └─────────────────────────────────────────────────────────────────────┘│
│ │
│ Properties: Succinct, Non-Interactive, Zero-Knowledge │
│ │
└─────────────────────────────────────────────────────────────────────────┘What Are zk-SNARKs?
zk-SNARKs are a type of zero-knowledge proof with three key properties: succinctness, non-interactivity, and argument of knowledge. Succinct proofs are small (hundreds of bytes) and verify quickly (milliseconds). Non-interactive requires only a single message from prover to verifier (no back-and-forth). Arguments of knowledge mean the prover convinces the verifier they possess a secret witness satisfying the statement.
- Zero-Knowledge: Verifier learns nothing about the witness except that it exists and satisfies the statement.
- Succinct: Proof size is small (hundreds of bytes) regardless of computation size.
- Non-Interactive: Single message from prover to verifier (no round trips).
- Argument of Knowledge: Prover convinces verifier they actually know a valid witness (not just existence of one).
- Soundness: Cannot convince verifier of false statement (assuming computational hardness).
Why zk-SNARKs Matter
zk-SNARKs enable private and scalable blockchains where traditional verification would reveal information or be too expensive.
- Privacy on Public Blockchains: Hide transaction amounts, sender, and recipient (Zcash). Confidential assets and private smart contracts.
- Blockchain Scaling (zk-Rollups): Batch thousands of transactions into a single succinct proof. Verifying proof costs ~200k gas (vs 21k gas per transaction). Massive throughput increase (2000+ TPS).
- Verifiable Computation: Prove computation was performed correctly without re-executing. Outsourced computation verification (cloud computing). Reduced trust in third parties.
- Identity and Credentials: Prove age, citizenship, or qualifications without revealing underlying data.
Aspect zk-SNARKs Value
─────────────────────────────────────────────────────────────────────────────
Proof Size 200-500 bytes (fits in single block)
Verification Time Milliseconds (20-50ms)
Verification Cost ~150k-300k gas on Ethereum
Proving Time Seconds to minutes (depending on computation)
Non-Interactive Yes (one message)
Zero-Knowledge Yes (hides witness)
Trusted Setup Required Yes (for most schemes)How zk-SNARKs Work (Simplified)
1. Convert statement to arithmetic circuit
Example: "I know x such that SHA256(x) = hash"
↓
Circuit: gates (addition, multiplication) over finite field
2. Convert circuit to Quadratic Arithmetic Program (QAP)
↓
Polynomial constraints
3. Prover evaluates polynomials using witness (secret x)
↓
Encodes evaluation as pair of elliptic curve points
4. Verification checks polynomial equality
↓
using pairings (bilinear maps) precomputed from trusted setup
Key insight: Polynomial identity is easier to verify than re-doing computation
Pairings enable one-step verification of polynomial relationsElliptic Curve Pairings
zk-SNARKs rely on bilinear pairings on elliptic curves (e.g., BLS12-381, BN254). A pairing maps two group elements to a third group: e(G^a, G^b) = e(G, G)^(ab). This enables checking polynomial identities in one step without revealing the actual values.
Bilinear pairing e: G1 × G2 → GT
Property: e(g^a, g^b) = e(g, g)^(ab)
Allows checking a × b = c without revealing a, b, c:
Given g^a, g^b, g^c, can check e(g^a, g^b) ?= e(g, g^c)
Used in zk-SNARKs to verify that polynomial evaluation matches constraint:
e(P, g^α) ?= e(π, g) (pairing checks)zk-SNARK Constraint Systems (Circuits)
To prove a computation, you encode it as an arithmetic circuit with addition and multiplication gates over a finite field. The circuit is then converted to a rank-1 constraint system (R1CS).
Circuit gates:
sym1 = x * x (multiplication)
sym2 = sym1 * x (multiplication)
sym3 = sym2 + x (addition)
out = sym3 + 5 (addition)
Constraints (R1CS):
(x) * (x) = sym1
(sym1) * (x) = sym2
(sym2 + x) * (1) = sym3
(sym3 + 5) * (1) = out
Witness = [1, x, sym1, sym2, sym3, out]
Number of constraints = number of multiplication gatesPopular zk-SNARK Protocols
| Protocol | Proof Size | Prover Time | Verifier Time | Trusted Setup | Use Cases |
|---|---|---|---|---|---|
| Groth16 | ~200 bytes | Fast | Very fast | Per-circuit | Zcash Sapling, initial rollups |
| PLONK | ~400-600 bytes | Slower | Fast | Universal (once) | zkSync, Polygon zkEVM |
| Marlin | ~400 bytes | Moderate | Fast | Universal | General purpose |
| Halo 2 | Moderate | Slow | Moderate | None (recursive) | Zcash (future), recursive proofs |
Protocol Trusted Setup Proof Size Verification Speed
─────────────────────────────────────────────────────────────────────────────
Groth16 Per-circuit Smallest Fastest
PLONK Universal Medium Fast
Marlin Universal Medium Fast
Halo 2 None Medium Moderate
Groth16 Advantages:
Smallest proofs, fastest verification
Per-circuit setup overhead
PLONK Advantages:
Universal setup (one ceremony for all circuits)
Flexible (custom gates, lookup tables)
Halo 2 Advantages:
No trusted setup (using recursive proofs)
Recursive composition (proof of proofs)Trusted Setup (Toxic Waste Problem)
zk-SNARKs require a one-time trusted setup (except Halo 2). If the randomness used during setup is leaked or compromised, anyone can forge false proofs. Mitigations involve multi-party computation (MPC) ceremonies where many participants contribute randomness, and only one needs to be honest to protect the setup.
1. Single party (trusted third party)
┌─────────────────────────────────────────────────────────────────────┐
│ Risk: Single point of trust or compromise │
│ Not used in production │
└─────────────────────────────────────────────────────────────────────┘
2. MPC ceremony (many participants)
┌─────────────────────────────────────────────────────────────────────┐
│ Participant 1 Participant 2 ... Participant N │
│ │ │ │ │
│ ▼ ▼ ▼ │
│ Randomness ──┬─────┼─────────────────────┘ │
│ │ │
│ ▼ │
│ Final Parameters │
│ │
│ Security: Any ONE honest participant prevents compromise │
│ Example: Zcash Sapling (88 participants) │
└─────────────────────────────────────────────────────────────────────┘
3. Universal setup (PLONK, Marlin)
┌─────────────────────────────────────────────────────────────────────┐
│ One setup supports all circuits of bounded size │
│ New circuits do not require new ceremony │
│ Still requires initial trusted setup (one time) │
└─────────────────────────────────────────────────────────────────────┘zk-SNARKs Applications
Zcash (Private Transactions)
Zcash uses zk-SNARKs to hide sender, recipient, and amount. Transaction is valid if inputs sum to outputs + fee. Proof demonstrates this without revealing data. Sapling upgrade (2018) reduced proving time from minutes to seconds. Halo 2 (no trusted setup) eliminates previous setup requirement for future upgrades.
zk-Rollups (Ethereum Scaling)
zkSync, StarkNet, Polygon zkEVM use zk-SNARKs (or STARKs) to batch transactions. Sequencer executes transactions off-chain, generates proof, submits to Ethereum. Contract verifies proof (low gas) and updates state root. Benefits: no 7-day withdrawal delay (vs optimistic rollups), higher capital efficiency, and up to 2000+ transactions per second.
Ethereum L1 transaction: 21,000 gas per tx
zk-Rollup: ~200,000 gas per batch
Batch size: 500 transactions
Gas per transaction: 400 gas
Cost reduction: 50x
Throughput comparison:
- Ethereum L1: 15 TPS
- zk-Rollup: 2000+ TPS
- Future zk-Rollup: 10,000+ TPSVerifiable Computation
Prove correctness of outsourced computation (cloud, edge). Verify result without re-executing: trust reduces for cloud provider; blockchain acts as public verifier.
Project Application Proof System
─────────────────────────────────────────────────────────────────────────────
Zcash Privacy cryptocurrency Groth16, Halo 2
zkSync Ethereum zk-rollup PLONK
Polygon zkEVM Ethereum zk-rollup PLONK
Scroll Ethereum zk-rollup zkEVM (custom)
Aleo Private smart contracts zk-SNARKs (custom)
Filecoin Proof of storage Groth16
Mina Protocol Lightweight blockchain Pickles (recursive)zk-SNARKs Anti-Patterns
- Insecure Trusted Setup: Single party setup with undisclosed toxic waste. Use MPC ceremonies with many participants. Document trust assumptions for users.
- Rolling Custom SNARKs: Extremely difficult to implement elliptic curve pairings securely. Use established libraries (arkworks, libsnark, circom + snarkjs). Off-the-shelf protocols (Groth16, PLONK) are already optimized and audited.
- Incomplete Circuit Constraints: Missing constraints allow forged proofs. Always test circuits with known-witness and false statements. Use formal verification for critical circuits.
- Witness Extraction Vulnerabilities: Secret intermediate values exposed in logs or error messages. Use constant-time operations. Avoid printing witnesses during development.
- No Proof Expiration or Nonces: Replay attacks on same proof (same transaction). Bind proofs to transaction IDs or timestamps.
Circuit Design:
□ All constraints included (no missing gates)
□ Test with valid and invalid witnesses
□ Formal verification for critical circuits
□ Constant-time witness generation
□ No intermediate witness leaking
Setup Phase:
□ MPC ceremony (many participants)
□ Toxic waste destroyed (documented)
□ Universal setup preferred (PLONK)
□ Verification key publicly available
Proving Phase:
□ Non-deterministic randomness (RNG)
□ Rate limit proof generation
Verification Phase:
□ Reject malformed proofs early
□ Validate public inputs range
□ Prevent replay attacks (nonces, timestamps)zk-SNARKs Best Practices
- Use PLONK for New Projects: Universal setup (reusable for many circuits), larger community tooling; flexible with custom gates and lookup tables; only slightly larger proofs than Groth16. Future-proof more than per-circuit protocols.
- Participate in or Use Existing MPC Ceremonies: Perpetual Powers of Tau (many participants, reusable). Join or use existing ceremony (no need to run new one). Use parameters from known trustworthy ceremonies.
- Optimize Circuit Constraints: Reduce number of constraints (faster proving). Use high-level DSLs (Circom, Noir, Leo). Avoid unnecessary multiplications (expensive).
- Parallelize Proof Generation: Proving is CPU-intensive (use multiple threads). Split large circuits into smaller modules. GPUs (CUDA) can accelerate for some protocols.
- Verify Proofs On-Chain Efficiently: Pre-compiled pairings on Ethereum (alt_bn128). Use verification gas estimation (pre-test transactions). Batch verification for multiple proofs (aggregate).
Optimization Impact
─────────────────────────────────────────────────────────────────────────────
Reduce constraints Faster proving (linear factor)
Use lookup tables Reduce constraints (PLONK)
Avoid conditional branching Constraints per branch
Pre-compute constants Reduces circuit size
Shared subcircuits Modular reuse, smaller total constraints
Use high-level DSL More readable, easier optimizationzk-SNARKs vs zk-STARKs
Aspect zk-SNARKs zk-STARKs
─────────────────────────────────────────────────────────────────────────────
Proof Size Very small (~200B) Larger (~200KB)
Verification Speed Very fast Moderate (linear in size)
Trusted Setup Required Not required
Quantum Resistance None (elliptic curves) Yes (hash-based)
Prover Time Faster Slower (for large circuits)
Transparency Low (setup trust) High
Use Cases Blockchain proofs Transparency-sensitive
(Zcash, rollups) (regulated applications)Frequently Asked Questions
- What is the difference between zk-SNARKs and zero-knowledge proofs?
ZK-SNARKs are a specific type of zero-knowledge proof with succinctness (small proof size) and non-interactivity. Zero-knowledge proofs are broader category including interactive proofs, bulletproofs, and STARKs. SNARK = Succinct Non-Interactive Argument of Knowledge. - Are zk-SNARKs quantum-safe?
No. All current zk-SNARKs rely on elliptic curve cryptography (discrete log problem) and pairings, which are vulnerable to Shor's algorithm. zk-STARKs are quantum-resistant. For long-term privacy (data archives), use zk-STARKs or combine with post-quantum schemes. - How long does it take to generate a zk-SNARK proof?
Depends on circuit size. Simple Zcash transaction: ~2-5 seconds (zk-SNARK). Full zkEVM block: minutes to tens of minutes. Optimizations (GPU, specialized hardware) can reduce time. - What is the trusted setup problem?
zk-SNARKs require a one-time parameter generation. If randomness (toxic waste) is leaked, anyone can forge false proofs. MPC ceremonies distribute trust across participants. PLONK universal setup reduces risk (one ceremony for unlimited circuits). - Can zk-SNARKs prove any computation?
Theoretically yes, but practical size is limited by circuit size. Complex computations (AI model inference, database queries) produce millions of constraints (impractical). Research continues into more efficient representation. - What should I learn next after zk-SNARKs?
After mastering zk-SNARKs, explore zk-STARKs (transparent, quantum-safe), Circom for circuit development, zk-rollup implementation, PLONK protocol details, elliptic curve pairings, and recursive proofs (Halo 2).