Groth16 is the most widely deployed SNARK construction -- elegant, fast to verify, and well-understood. But it requires a trusted setup ceremony that introduces institutional trust assumptions, and it relies on elliptic curve pairings that are broken by quantum computers. H33 ZK Lookup STARKs eliminate both limitations: no trusted setup, no toxic waste, no pairing-based assumptions, and post-quantum security that reduces to collision resistance of SHA3-256.
Groth16 asks you to trust that a ceremony was conducted honestly. H33 STARKs ask you to trust that hash functions are collision-resistant. The difference is foundational.
Groth16, introduced by Jens Groth in 2016, is the most widely deployed SNARK (Succinct Non-interactive Argument of Knowledge) construction in production cryptographic systems. It is used by Zcash for shielded transactions, by numerous Layer 2 scaling solutions for validity proofs, and by a broad ecosystem of privacy-preserving applications. Its appeal is clear: Groth16 produces constant-size proofs of approximately 128 bytes regardless of the computation being proved, and verification is fast -- typically around 200 milliseconds, dominated by a small number of bilinear pairing operations over elliptic curves.
The construction works over pairing-friendly elliptic curves, most commonly BN-254 or BLS12-381. The prover encodes a computation as an arithmetic circuit, converts it to a Rank-1 Constraint System (R1CS), and then uses the structured reference string (SRS) generated during setup to produce a proof consisting of three group elements. The verifier checks the proof by computing a pairing equation that relates the proof elements to the public inputs and the verification key. If the equation holds, the verifier accepts the proof as valid.
This construction is mathematically elegant. The proof is small, verification is fast, and the soundness guarantee is strong -- assuming the setup was honest and assuming the underlying hardness assumptions hold. Those two assumptions are where the architectural limitations live.
Groth16 requires a per-circuit trusted setup ceremony. This ceremony generates the structured reference string -- a set of encoded evaluation points that the prover needs to construct proofs and the verifier needs to check them. The ceremony is typically conducted in two phases: a universal "powers of tau" phase that generates generic toxic waste, and a circuit-specific phase that binds the SRS to the particular computation being proved.
The term "toxic waste" is not metaphorical. During the ceremony, each participant generates secret randomness that is combined into the SRS. If any participant retains their secret contribution, they can forge valid-looking proofs for false statements. A forged proof is cryptographically indistinguishable from a legitimate one -- there is no mathematical test that can separate them. The security guarantee of the ceremony is: "at least one of the N participants honestly destroyed their secret randomness." This is a 1-of-N honesty assumption.
Large-scale ceremonies have involved hundreds or thousands of participants to make this assumption more plausible. The Zcash Sapling ceremony, for example, involved over 100 participants. The argument is probabilistic and social: it is unlikely that every single participant was compromised or dishonest. But "unlikely" is not "impossible," and "trust that a ceremony was honest" is categorically different from "trust that a hash function is collision-resistant." The first is institutional trust. The second is mathematical trust.
There is a further operational cost: the ceremony must be repeated for every new circuit. If the computation being proved changes -- a new business rule, a new verification logic, a new constraint -- a new trusted setup ceremony must be conducted. This creates a deployment friction that does not exist in transparent proof systems. Every circuit update requires coordinating a multi-party ceremony, publishing the new SRS, and asking all verifiers to update their verification keys. In production environments where circuits evolve regularly, this overhead is substantial.
Groth16's security rests on the hardness of the discrete logarithm problem in elliptic curve groups and, more specifically, on computational assumptions related to bilinear pairings (the q-type assumptions, or the generic group model for BN-254 and BLS12-381). These assumptions hold against all known classical algorithms. They do not hold against quantum algorithms.
Shor's algorithm, running on a sufficiently large quantum computer, solves the discrete logarithm problem in polynomial time over any finite cyclic group, including the groups used by BN-254 and BLS12-381. When such a quantum computer exists, an adversary can recover the toxic waste from a published SRS, forge proofs for arbitrary false statements, and retroactively compromise every proof ever generated under that SRS. There is no "quantum-resistant mode" for Groth16. The construction is fundamentally tied to the hardness of discrete logarithms in pairing groups.
The timeline for quantum computers reaching the required scale is debated. NIST's post-quantum migration guidance assumes a planning horizon of 10-15 years. The National Security Agency's CNSA 2.0 suite requires post-quantum algorithms for all classified systems by 2030 for software and 2033 for firmware and hardware. Regardless of the exact timeline, the direction is clear: pairing-based constructions are on a deprecation path. Every Groth16 proof generated today carries an expiration date determined by the pace of quantum hardware development.
This is not a theoretical concern for compliance-sensitive applications. A financial attestation generated today using Groth16 may need to be verifiable in 10 years. A healthcare proof may need to hold for 20 years. A legal attestation may need to survive for the lifetime of the parties involved. If the proof system is broken before the attestation expires, the attestation becomes worthless -- and there is no way to retroactively distinguish forged proofs from legitimate ones.
H33 ZK Lookup STARKs eliminate both of Groth16's structural limitations. STARKs (Scalable Transparent Arguments of Knowledge) were introduced by Ben-Sasson, Bentov, Horesh, and Riabzev in 2018. The "transparent" in the name is load-bearing: there is no trusted setup. No ceremony. No toxic waste. No 1-of-N honesty assumption.
The prover and verifier share only public randomness, derived from the proof itself via the Fiat-Shamir heuristic. The prover commits to a computation trace using a Merkle tree (hashed with SHA3-256), and the verifier queries random positions in the trace to check consistency. The soundness of the proof reduces entirely to the collision resistance of the hash function. If SHA3-256 is collision-resistant, the proof system is sound. There is no additional assumption about ceremonies, participants, or secret destruction.
Post-quantum security follows directly. SHA3-256 is a sponge construction based on the Keccak permutation. The best known quantum attack against it is Grover's algorithm, which provides a quadratic speedup for preimage search -- reducing 256-bit security to 128-bit security. This is well within acceptable security margins. No known quantum algorithm breaks collision resistance of SHA3-256 more efficiently than classical birthday attacks. The security parameter does not degrade meaningfully in a quantum setting.
H33's STARK implementation uses an Algebraic Intermediate Representation (AIR) to encode computations as polynomial constraint systems over finite fields. The proof is constructed using FRI (Fast Reed-Solomon Interactive Oracle Proofs), which provides quasi-logarithmic proof size and logarithmic verification time relative to the computation size. The prover converts the computation trace into a polynomial, extends it via Reed-Solomon encoding, commits to it with a Merkle tree, and then uses FRI to prove that the committed function is close to a low-degree polynomial. The verifier checks a logarithmic number of queries against the Merkle commitments.
The primary trade-off in STARKs versus Groth16 is proof size. Groth16 proofs are constant-size: approximately 128 bytes (three group elements on BN-254). STARK proofs grow quasi-logarithmically with the computation size, typically ranging from 50KB to 200KB depending on the circuit complexity, the number of FRI rounds, and the security parameter.
H33 resolves this trade-off with the H33-74 attestation primitive. The STARK proof is generated, verified, and then the verified result is attested with three independent post-quantum signature families: ML-DSA-65 (lattice-based, NIST FIPS 204), FALCON-512 (NTRU lattice-based), and SLH-DSA-SHA2-128f (hash-based, NIST FIPS 205). The three signatures and the proof metadata are then compressed to 74 bytes total -- 32 bytes persisted on-chain and 42 bytes cached via the H33-74 distillation process.
What travels across the network is the 74-byte attestation, not the 50-200KB proof. The attestation is sufficient for any downstream system to trust the result: it is independently verifiable, post-quantum signed, and deterministically reproducible. The full proof remains available for independent re-verification via the H33 Verifier CLI, but the attestation alone provides the same trust guarantee in 74 bytes that Groth16 provides in 128 bytes -- with the critical addition of post-quantum security and no trusted setup dependency.
Groth16 requires a new trusted setup ceremony for every circuit change. In practice, this means that modifying the business logic of a ZK application -- adding a new verification rule, changing a threshold, updating a compliance check -- requires coordinating a new multi-party ceremony, generating a new SRS, and distributing new verification keys to all verifiers. This creates a tight coupling between circuit development and ceremony logistics.
H33 STARKs deploy new circuits instantly. Because there is no setup ceremony, a new AIR constraint system can be compiled, tested against the H33-Chaos adversarial validation suite (54 test vectors), and deployed to production without any ceremony coordination. The verification key is derived deterministically from the circuit definition. Verifiers update automatically. The development-to-deployment cycle for a new circuit is bounded by testing time, not by ceremony coordination time.
This architectural property becomes critical at scale. An organization that needs to prove 50 different computations -- different compliance checks, different business rules, different attestation types -- needs 50 separate trusted setup ceremonies under Groth16. Under H33 STARKs, the organization defines 50 AIR constraints and deploys them. The operational complexity is linear in the number of circuits, not quadratic (circuits multiplied by ceremony overhead).
Groth16 verification requires computing bilinear pairings over elliptic curves. This requires a pairing library -- a substantial cryptographic dependency that implements point multiplication, Miller's algorithm, and final exponentiation over extension fields. These libraries (such as arkworks, bellman, or gnark) carry significant code complexity, introduce supply-chain risk, and -- critically -- embed the same elliptic curve assumptions that make the proofs quantum-vulnerable.
H33 STARK verification requires SHA3-256 hashing and basic finite field arithmetic. The H33 Verifier CLI provides single-command verification: h33 verify receipt.json. No pairing library. No elliptic curve code. No trusted setup parameters to load. The verifier is independently implementable from the HATS specification -- any party can build a conformant verifier without using H33's code, H33's libraries, or H33's infrastructure. Verification depends on mathematics, not on H33.
H33's cached STARK verification completes in 1.75 milliseconds (cold: 495ms, cached: 1.75ms, 282x speedup). Independent verification of the 74-byte attestation completes in 71 microseconds. Both are faster than Groth16's typical 200ms pairing-based verification, and neither requires a pairing library.
Groth16 trusts that a ceremony was conducted honestly. H33 STARKs trust that SHA3-256 is collision-resistant. The first is a social contract. The second is a mathematical property. When the question is "will this proof still be valid in 15 years," the distinction determines the answer.
Groth16 optimizes for proof size at the cost of trusted setup and quantum vulnerability. H33 STARKs optimize for transparency and longevity, with H33-74 closing the proof size gap.
A dimension-by-dimension comparison across the properties that determine whether a proof system provides mathematical trust or institutional trust.
| Dimension | Groth16 | H33 STARKs |
|---|---|---|
| Trust model | Trusted setup (1-of-N honesty assumption) | Transparent (public randomness only) |
| Quantum resistance | No -- pairing-based (BN-254 / BLS12-381) | Yes -- hash-based (SHA3-256) |
| Setup ceremony | Required per circuit | None |
| Toxic waste risk | Yes -- undetectable forgery if waste retained | No -- no toxic waste exists |
| Proof size | ~128 bytes (constant) | ~50-200KB (mitigated: H33-74 = 74 bytes) |
| Verification time | ~200ms (pairing computation) | ~71us attestation; 1.75ms cached STARK |
| New circuit deployment | Requires new trusted setup ceremony | Instant -- no ceremony needed |
| Post-quantum attestation | No -- signatures use ECDSA/EdDSA | Yes -- ML-DSA + FALCON + SLH-DSA |
| Deterministic replay | No -- no replay infrastructure | Yes -- independently reproducible |
| Independent verification | Requires pairing library + SRS | h33 verify receipt.json |
| Adversarial testing | Varies by implementation | 54 vectors (H33-Chaos) |
Every claim on this page links to a specification, a benchmark, a live demo, or a CLI command you can run yourself.
Answers to the questions that arise when organizations evaluate whether Groth16 or H33 STARKs is the correct proof system for their verification requirements.
SNARKs (Succinct Non-interactive Arguments of Knowledge) typically rely on elliptic curve pairings and require a trusted setup ceremony to generate proving and verification keys. Groth16 is the most widely deployed SNARK construction. STARKs (Scalable Transparent Arguments of Knowledge) rely only on hash functions and public randomness -- no trusted setup, no elliptic curves, no pairings. H33 ZK Lookup STARKs use SHA3-256 as the underlying hash function, making them post-quantum safe. The trade-off is proof size: Groth16 proofs are approximately 128 bytes, while STARK proofs range from 50-200KB. H33 mitigates this with H33-74 attestation, compressing the verified result to 74 bytes regardless of underlying proof size.
No. Groth16 relies on bilinear pairings over elliptic curves (typically BN-254 or BLS12-381). These pairings depend on the hardness of the discrete logarithm problem in elliptic curve groups, which is efficiently solvable by Shor's algorithm on a sufficiently large quantum computer. Every Groth16 proof generated today becomes forgeable when quantum computers reach the required scale. A forged proof is indistinguishable from a valid one -- there is no way to retroactively detect which proofs were legitimate and which were fabricated. H33 STARKs reduce security to collision resistance of SHA3-256, which is not efficiently broken by any known quantum algorithm. See H33 PQC Architecture for the full post-quantum design.
A trusted setup ceremony generates the structured reference string (SRS) required by Groth16. The ceremony involves multiple participants who each contribute randomness and must destroy their secret contribution (called "toxic waste") afterward. If even one participant retains their secret, they can forge valid-looking proofs for false statements. The security guarantee is: "at least one of N participants honestly destroyed their secret." This is institutional trust, not mathematical trust. The ceremony must be repeated for every new circuit. H33 STARKs require no setup ceremony -- the prover and verifier share only public randomness derived from the proof itself via the Fiat-Shamir heuristic. See ZK Lookups for the transparent proof architecture.
STARK proofs are larger than Groth16 proofs -- typically 50-200KB versus approximately 128 bytes. H33 addresses this with the H33-74 attestation primitive. The STARK proof is verified, and the verified result is attested with three independent post-quantum signature families (ML-DSA-65, FALCON-512, SLH-DSA-SHA2-128f). The attestation is then compressed to 74 bytes total (32 bytes on-chain, 42 bytes cached). What travels across the network and persists on-chain is the attestation, not the proof. The full proof remains available for independent re-verification via the Verifier CLI, but the 74-byte attestation is sufficient for downstream systems to trust the result.
Yes. Groth16 verification requires a bilinear pairing library implementing operations over BN-254 or BLS12-381 curves. These libraries are complex, carry significant dependency surface area, and introduce the same elliptic curve assumptions that make Groth16 quantum-vulnerable. H33 STARK verification requires only SHA3-256 hashing and basic field arithmetic. The H33 Verifier CLI provides one-command verification: h33 verify receipt.json. No pairing library, no elliptic curve code, no trusted setup parameters. The verifier is independently implementable from the HATS specification.
Run the STARK benchmarks. Try the ZK Lookups demo. Download the Verifier CLI and verify a receipt with one command. Every claim on this page is backed by a system you can test.