zkHelios Docs

Proof system

A short primer on the Groth16 proofs zkHelios uses and how Solana verifies them.

Groth16

zkHelios uses Groth16 SNARKs over the BN254 (alt_bn128) pairing-friendly curve. Groth16 proofs are tiny — three group elements, about 256 bytes — and cheap to verify, which is exactly what you want for on-chain verification on Solana.

  • A — a G1 point (2 × 32 bytes)
  • B — a G2 point (4 × 32 bytes)
  • C — a G1 point (2 × 32 bytes)

On-chain verification

The verifier computes vk_x = ic[0] + Σ publicInputs[i]·ic[i+1], then runs a single pairing check: e(A, B) == e(α, β) · e(vk_x, γ) · e(C, δ). On Solana this is one sol_alt_bn128_pairing syscall, and the whole verification fits in ~200k compute units (CU), well under the 1.4M CU per-transaction cap.
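The vk_x step above, written out as an added Python example (not zkHelios or Solana program code; the pairing check itself is left out). The helper names and the sample ic points are constructed for illustration. The example also rejects public inputs that are not reduced below the group order r: G1 points have order r, so s and s + r give the same vk_x and one proof would otherwise verify for two different 32-byte encodings of the same input.

```python
# BN254 (alt_bn128) constants: base-field prime P, G1 group order R, generator G1.
P = 21888242871839275222246405745257275088696311157297823662689037894645226208583
R = 21888242871839275222246405745257275088548364400416034343698204186575808495617
G1 = (1, 2)  # affine point on y^2 = x^3 + 3; None stands for the point at infinity

def on_curve(pt):
    """True if pt is an affine G1 point with canonical (< P) coordinates."""
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - x * x * x - 3) % P == 0

def add(p1, p2):
    """Affine point addition on G1 (handles infinity, doubling and inverses)."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication k * pt."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def compute_vk_x(ic, public_inputs):
    """vk_x = ic[0] + sum(public_inputs[i] * ic[i+1]), rejecting malformed input."""
    if len(ic) != len(public_inputs) + 1:
        raise ValueError("public input count does not match verifying key")
    if not all(pt is not None and on_curve(pt) for pt in ic):
        raise ValueError("verifying key point not on curve")
    acc = ic[0]
    for s, pt in zip(public_inputs, ic[1:]):
        if not 0 <= s < R:  # s and s + R would otherwise verify identically
            raise ValueError("public input is not a canonical scalar (>= r)")
        acc = add(acc, mul(s, pt))
    return acc

# Constructed sample key material (multiples of the generator), not a real verifying key.
SAMPLE_IC = [mul(k, G1) for k in (5, 7, 11)]
```

With the sample points, inputs [3, 4] give vk_x = (5 + 3·7 + 4·11)·G = 70·G, and the same inputs with 3 replaced by 3 + r are rejected even though the value still fits in 32 bytes.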

Each circuit ships with a verifying key produced by a trusted setup. Production circuits should use a multi-party ceremony (e.g. Powers of Tau) — see Circuits.

Public vs private inputs

Public inputs are committed in the proof and visible to the verifier (and on-chain). Private inputs (the witness) are used only to generate the proof and are never transmitted. The circuit defines which is which.