zk-SNARK

What Is a zk-SNARK?

A zk-SNARK (Zero-Knowledge Succinct Non-Interactive Argument of Knowledge) is a cryptographic proof system that allows one party (the prover) to convince another party (the verifier) that a statement is true without revealing any information beyond the truth of the statement itself. The acronym captures the key properties: zero-knowledge (nothing leaked), succinct (small proof, fast verification), non-interactive (single message from prover to verifier), and argument of knowledge (the prover must actually possess the secret data, not merely know it exists).

zk-SNARKs were first described in a 2012 paper by Bitansky, Canetti, Chiesa, and Tromer, and became practical with the Pinocchio protocol in 2013. Since then, they have become foundational infrastructure for blockchain privacy and scalability. Zcash deployed the first production zk-SNARK system in 2016, and today zk-SNARKs underpin billions of dollars in layer-2 scaling solutions across multiple blockchains.

How It Works

At a high level, a zk-SNARK converts any computation into a mathematical puzzle that can be checked far more quickly than re-executing the computation. The process involves several transformation steps:

1. The computation is expressed as an arithmetic circuit: a series of addition and multiplication gates over a finite field
2. The circuit is converted into a Rank-1 Constraint System (R1CS): a set of equations that the correct inputs must satisfy
3. The R1CS is transformed into a Quadratic Arithmetic Program (QAP): polynomials encoding all constraints into a single identity that holds if and only if the computation is valid
4. The prover evaluates these polynomials at a secret point using elliptic curve cryptography, producing a short proof that the polynomial identity holds
5. The verifier checks the proof using elliptic curve pairings: a bilinear map that confirms the polynomial relationship without learning the secret inputs

The result is a proof that is constant in size and verification time. Whether the original computation involves ten operations or ten billion, the proof remains the same few hundred bytes and verifies in a few milliseconds.

Groth16

Groth16, published in 2016 by Jens Groth, produces the smallest known proofs among pairing-based SNARKs: exactly 192 bytes (three elliptic curve group elements on the BLS12-381 curve). Verification requires only three pairing operations and completes in roughly 3 milliseconds.

The tradeoff is that Groth16 requires a circuit-specific trusted setup: a new ceremony must be conducted for every distinct circuit. Despite this limitation, Groth16 remains the most widely deployed SNARK in production, powering Zcash's Sapling protocol and numerous DeFi privacy systems.

PLONK

PLONK (Permutations over Lagrange-bases for Oecumenical Noninteractive arguments of Knowledge), introduced in 2019, uses a universal and updatable trusted setup. A single ceremony produces parameters that work for any circuit up to a given size, eliminating the need for repeated ceremonies when deploying new applications.

PLONK proofs are larger than Groth16 (roughly 400 to 900 bytes depending on implementation) and verification takes 5 to 20 milliseconds. In exchange, PLONK offers greater flexibility through custom gates and lookup tables, and its universal setup can be continuously strengthened as new participants contribute randomness.

Halo 2

Halo 2, developed by the Electric Coin Company, eliminates the trusted setup entirely. Instead of pairing-based polynomial commitments, Halo 2 uses an Inner Product Argument (IPA) built on Pedersen commitments, which requires no toxic waste.

Individual Halo 2 proofs are larger than Groth16 or PLONK proofs, but the system supports recursive proof composition: multiple proofs can be aggregated into a single proof, amortizing verification costs. Zcash adopted Halo 2 for its Orchard shielded protocol, and it has been adopted by projects including Scroll and the Ethereum Foundation's Privacy and Scaling Explorations team.

The Trusted Setup

Many zk-SNARK constructions require a one-time setup ceremony that generates a Common Reference String (CRS): a set of public parameters used by both provers and verifiers. This ceremony also produces "toxic waste": secret randomness that, if retained by any participant, would allow forging fake proofs that pass verification.

The security model is "1-of-N honest": as long as at least one participant in the ceremony properly destroys their secret contribution, the system remains secure. Historical ceremonies have grown dramatically in scale to minimize trust assumptions:

How Newer Schemes Mitigate the Problem

The trusted setup has been a persistent concern, and newer constructions address it in different ways. PLONK uses a universal setup that works across all circuits, so the ceremony only needs to happen once. That setup is also updatable: anyone can contribute additional randomness at any time, continuously strengthening security. Halo 2 eliminates the requirement entirely by using transparent polynomial commitments that need no secret parameters. This evolution from circuit-specific to universal to fully transparent setups represents one of the most significant advances in practical zero-knowledge cryptography.

Use Cases

Privacy Currencies

Zcash pioneered the use of zk-SNARKs for financial privacy. When a user makes a shielded transaction, a zk-SNARK proves that the transaction is valid (inputs exist, amounts balance, the sender owns the funds) without revealing the sender, receiver, or amount. The blockchain records only the proof, which anyone can verify. Zcash has evolved through three proving systems: BCTV14 in Sprout (2016), Groth16 in Sapling (2018), and Halo 2 in Orchard (2022).

ZK Rollups

ZK rollups use zk-SNARKs to scale blockchains by executing transactions off-chain and posting only a compact validity proof on-chain. The base layer verifies a single SNARK proof covering thousands of transactions rather than re-executing each one. This approach delivers Ethereum scaling while inheriting the base layer's security guarantees.

Major ZK rollup implementations include zkSync Era (which processed over 700 million transactions by late 2025, using a hybrid STARK-then-SNARK architecture), Scroll (using Halo 2-based proofs for EVM equivalence), and Polygon zkEVM. Many of these systems use STARKs for heavy computation and then wrap the STARK proof in a SNARK for cheaper on-chain verification: a pattern that combines the transparency of STARKs with the compactness of SNARKs.

Privacy Protocols

Beyond dedicated privacy blockchains, zk-SNARKs enable private transactions on public chains. Protocols like RAILGUN use Groth16 circuits deployed on Ethereum, Polygon, and Arbitrum to let users interact with DeFi protocols privately. The proofs verify that transactions follow protocol rules without revealing user addresses or amounts.

zk-SNARKs vs zk-STARKs

zk-STARKs (Zero-Knowledge Scalable Transparent Arguments of Knowledge) are the primary alternative to zk-SNARKs. The two systems make fundamentally different cryptographic assumptions and offer distinct tradeoffs:

The critical practical difference is proof size. On blockchains where every byte of calldata costs gas, SNARKs' 100x smaller proofs translate directly to lower verification costs. This is why many ZK rollups use STARKs for off-chain proving (benefiting from transparency and scalability) and then compress the STARK proof into a SNARK for on-chain verification. For a deeper comparison, see the research on Bitcoin layer-2 scaling approaches.

SNARK Verification on Bitcoin

Bitcoin's limited scripting language makes direct SNARK verification challenging. Unlike Ethereum, which has precompiled contracts for elliptic curve pairings, Bitcoin lacks native support for the cryptographic operations SNARKs require. Several approaches are being explored:

BitVM: Optimistic Verification

BitVM and its successors take an optimistic approach: computation happens off-chain, and on-chain verification occurs only if a party challenges the result. BitVM2 enables permissionless challenging, improving trust assumptions. SNARKnado (Alpen Labs, 2025) optimizes this further by replacing BitVM's general-purpose RISC-V abstraction with a PLONK-native bisection protocol, reducing challenge-response rounds to roughly four. BitVM3, proposed in mid-2025, uses garbled circuits to reduce on-chain dispute costs by approximately 1,000x compared to BitVM2.

OP_CAT: Native Script Verification

The OP_CAT opcode proposal would enable Bitcoin scripts to concatenate stack elements, potentially allowing direct SNARK proof verification within transactions. In 2024, a STARK proof was successfully verified on Bitcoin's Signet testnet using OP_CAT-based covenants across chained transactions. However, full SNARK verification exceeds Bitcoin's 4 MB block size limit without further protocol changes, and OP_CAT has not been activated on mainnet.

Multiple Bitcoin layer-2 projects are building toward SNARK-verified bridges and rollups. Citrea is developing Bitcoin's first ZK rollup architecture using BitVM2 verification, and the BOB (Build on Bitcoin) project uses a BitVM bridge with 1-of-N fraud-proof security. For more context on how these approaches compare, see the research on Bitcoin covenants and Bitcoin script programmability.

Why It Matters

zk-SNARKs represent a fundamental breakthrough in cryptography: the ability to prove computational integrity without revealing the underlying data. This has direct implications for blockchain scalability (verifying thousands of transactions with a single proof), privacy (transacting without exposing sensitive information), and interoperability (proving state across chains without re-executing computations).

As Bitcoin's layer-2 ecosystem evolves, SNARK verification is becoming increasingly relevant. Projects building on Bitcoin, including Spark and other layer-2 protocols, stand to benefit from advances in compact proof verification that could enable trustless bridges and more expressive off-chain computation anchored to Bitcoin's security.

Risks and Considerations

Quantum Vulnerability

Most zk-SNARK constructions rely on the hardness of the discrete logarithm problem on elliptic curves. A sufficiently powerful quantum computer running Shor's algorithm could break these assumptions, allowing an attacker to forge proofs. This is a concern shared with other elliptic-curve-based systems, including Schnorr signatures and secp256k1. Research into post-quantum cryptography is active: lattice-based SNARK constructions like Greyhound (2025) aim to provide quantum resistance while maintaining practical performance.

Trusted Setup Risk

For constructions that require a trusted setup, the security of every proof generated by the system depends on the integrity of the ceremony. If all participants collude or are compromised, fake proofs become possible. While modern ceremonies with thousands of participants make this extremely unlikely, the risk is non-zero and cannot be verified after the fact.

Implementation Complexity

Writing correct zk-SNARK circuits is notoriously difficult. Unlike traditional software where bugs cause incorrect outputs, circuit bugs can create soundness vulnerabilities: proofs that verify as valid for false statements. Circuit development requires specialized expertise, and the gap between research and production implementation remains significant. Formal verification of circuits is an active area of research but not yet standard practice.

Prover Costs

While verification is fast and cheap, proof generation is computationally expensive. Generating a Groth16 proof for a complex circuit can require significant memory and CPU time. ZK rollup operators must invest in specialized hardware (GPUs, FPGAs) to generate proofs at scale, creating economic barriers and potential centralization of the prover role.

This glossary entry is for informational purposes only and does not constitute financial or investment advice. Always do your own research before using any protocol or technology.