Choosing the right ZK proving system significantly impacts your application. Groth16 and PLONK are the two most popular systems, each with distinct trade-offs. This guide helps you decide.
Overview
Groth16
A pairing-based SNARK from 2016, known for minimal proof size and verification time.
PLONK
A universal SNARK from 2019, known for flexibility and universal trusted setup.
Key Differences
At a Glance
Groth16: Smallest proofs (~200 bytes), fastest verification, circuit-specific setup
PLONK: Larger proofs (~400+ bytes), universal setup, more flexible
Trusted Setup
Groth16
- Requires per-circuit trusted setup ceremony
- Changing the circuit requires new setup
- Setup must be done securely—toxic waste must be destroyed
PLONK
- Universal setup: one ceremony for all circuits up to a size limit
- Update circuits without new setup
- More practical for evolving applications
Proof Size and Verification
Groth16
- Proof size: ~192 bytes (constant)
- Verification: 3 pairing operations
- Fastest verification of any practical SNARK
PLONK
- Proof size: ~400-800 bytes (varies by variant)
- Verification: More expensive than Groth16
- Still very efficient, just not as minimal
Proving Time
Both have similar proving complexity, though:
- Groth16 requires FFTs over the full circuit
- PLONK has slightly different proving structure
- Actual performance depends on implementation
Flexibility
Groth16
- Fixed circuit at setup time
- Any change requires new trusted setup
- Rigid but optimal for known, stable circuits
PLONK
- Universal setup supports any circuit within size bounds
- Custom gates can optimize specific operations
- Variants (TurboPLONK, UltraPLONK) add features
Ecosystem and Tooling
Groth16
- Mature ecosystem (snarkjs, bellman, gnark)
- Well-understood security properties
- Widely deployed in production
PLONK
- Growing ecosystem (halo2, plonky2, Noir)
- Active development and optimization
- Increasingly adopted
When to Choose Each
Choose Groth16 when:
- Proof size is critical (blockchain, on-chain verification)
- Circuit is stable and won't change
- You can coordinate trusted setup
- Verification cost is paramount
Choose PLONK when:
- Circuit may evolve over time
- Universal setup is more practical
- You want custom gate flexibility
- Slightly larger proofs are acceptable
H33's Approach
We use Groth16 for our production ZK proofs because:
- Our identity verification circuit is stable
- Minimal proof size matters for blockchain attestation
- Fastest verification for real-time authentication
Both systems are excellent choices. Your decision should be driven by your specific requirements around flexibility, proof size, and operational constraints.
Ready to Go Quantum-Secure?
Start protecting your users with post-quantum authentication today. 1,000 free auths, no credit card required.
Get Free API Key →