In December’s ZK call, we had a presentation on pairing-based SNARKs and their proof sizes, prompted by the recent paper ADY2025. Link to YouTube video will be added once posted.
For a passive observer of developments in ZK, the past year has seen several papers push the (concrete) proof size of pairing-based zk-SNARKs smaller and smaller. These papers use Groth16 as their baseline. Groth16 has been the state-of-the-art pairing-based proof system since it was released, and it is widely used, from Zcash to Risc0.
In this post, we will provide a high level explanation for:
- what is a pairing-based SNARK
- developments for a smaller concrete proof size
- practically, what does it mean?
What is a pairing-based SNARK?
Pairing-based SNARKs use a pairing as the primary structure of the proof system. A pairing is a bilinear map from two elliptic-curve groups into a multiplicative group of a field extension. For example, for g_1 \in \mathbb{G}_1, g_2 \in \mathbb{G}_2, and a,b \in \mathbb{Z}_p, we have e(a \cdot g_1, b \cdot g_2) = e(g_1,g_2)^{ab}.
That is very much in the weeds for a high-level overview, so what does it mean?
A zk-SNARK proof attests to the validity of a statement about a given arithmetic circuit. An arithmetic circuit consists of two operations: addition and multiplication.
The groups \mathbb{G}_1 and \mathbb{G}_2 only support addition (and hence scalar multiplication). However, with the pairing we get one multiplication of the scalars hidden inside the group elements. Observe: e(a \cdot g_1, b \cdot g_2) = e(g_1,g_2)^{ab} = e(ab \cdot g_1, g_2).
This is why pairings are so important.
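To make the algebra above concrete, here is a toy bilinear map added as an example (not code from the post or from any of the papers it cites): \mathbb{G}_1 = \mathbb{G}_2 = (\mathbb{Z}_n, +) written as plain integers, and e(a,b) = h^{ab} \bmod q with h of prime order n. It is genuinely bilinear but hides nothing (the "discrete log" of an element of \mathbb{Z}_n is the element itself), so it only illustrates how a verifier checks a multiplication of committed scalars with a single pairing equation; the parameters n = 1019, q = 2039 and the sample scalars are constructed.

```python
# Constructed toy parameters: n prime, q = 2n + 1 prime, h of order n in Z_q^*.
# This is an illustrative bilinear map, NOT a cryptographic pairing.
N = 1019
Q = 2 * N + 1           # 2039, prime
H = pow(2, 2, Q)        # a quadratic residue mod Q, hence of order N
G1 = 1                  # generator of the additive group Z_N, playing g_1
G2 = 1                  # generator of the additive group Z_N, playing g_2


def scalar_mul(k, g):
    """k * g in the additive group Z_N."""
    return (k * g) % N


def pairing(p, r):
    """e: Z_N x Z_N -> <H> subset of Z_Q^*, e(p, r) = H^(p*r)."""
    return pow(H, (p * r) % N, Q)


def bilinearity_holds(a, b):
    """Check e(a*g1, b*g2) == e(g1, g2)^(ab) == e(ab*g1, g2)."""
    lhs = pairing(scalar_mul(a, G1), scalar_mul(b, G2))
    mid = pow(pairing(G1, G2), (a * b) % N, Q)
    rhs = pairing(scalar_mul((a * b) % N, G1), G2)
    return lhs == mid == rhs


def commitments(a, b, c):
    """Prover side: A = a*g1 in G1, B = b*g2 in G2, C = c*g1 in G1."""
    return scalar_mul(a, G1), scalar_mul(b, G2), scalar_mul(c, G1)


def verify_product(A, B, C):
    """Verifier side: accept 'C commits to a*b' iff e(A, B) == e(C, g2).

    Bilinearity turns the single pairing equation into a check of one
    multiplication gate, c = a*b mod N, without the verifier computing
    with a and b directly (in a real pairing they would stay hidden).
    """
    return pairing(A, B) == pairing(C, G2)
```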
Why is Groth16 so important?
A Groth16 proof consists of three group elements (2 from \mathbb{G}_1 and 1 from \mathbb{G}_2). It is a very well-audited proof system.
Unfortunately, it has a lot of downsides:
- It is not transparent. The CRS/public parameters must be generated in a ceremony to ensure no entity possesses knowledge that can forge proofs.
- It is not universal. Each circuit requires its own CRS generation…
- It is not updatable. The public parameters cannot be extended to accommodate a larger circuit.
- It is not post-quantum secure.
Due to these limitations, Groth16 tends to be used to compress STARK proofs.
Other pairing-based SNARKs, most notably Plonk, have addressed these drawbacks, except for post-quantum security. However, due to post-quantum security concerns, non-Groth16 pairing-based SNARKs seem to be used less often.
Shrinking Groth16 proofs down?
Polymath, Pari and, recently, ADY2025 have pushed the concrete proof size smaller and smaller.
Polymath and Pari did this by changing the arithmetization (to a square arithmetic program) and including field elements in the proof. ADY2025 is the first to use only group elements.
Moreover, ADY2025 uses only group elements from one group!
This seemingly contradicts Groth16’s result: Groth16 showed that, using only the generic group model (GGM), a proof must have at least one group element from each group. ADY2025 uses the GGM together with the random oracle model (ROM) for its proof system. Further, ADY2025 shows that a SNARK (under GGM+ROM) cannot have a single-group-element proof.
Practical consequences?
All of the developments with respect to Polymath, Pari and ADY2025 are really cool from a theoretical standpoint.
But are we going to see wide adoption of ADY2025? No.
- ADY2025 does not have perfect completeness.
- ADY2025 has an annoying soundness bound.
- ADY2025 is not post-quantum secure.
Unfortunately, due to the worry about quantum computers, a new pairing-based SNARK is very unlikely to see adoption.
Cool theoretical result, but not a result that will likely have practical ramifications.
