The Best of Both Worlds: How to Transform ZK Proofs

Horizen Labs Tech
4 min readMay 22


Plonky2 is an efficient ZKP system for constructing succinct non-interactive arguments of knowledge. Groth16 is a widely used ZKP system based on bilinear pairings, known for its strong security and efficiency in generating zk-SNARKs. In this article, discover how Horizen Labs’ research aims to revolutionize both worlds to make them more decentralized and scalable.

Using “wraps” to transform a STARK (Plonky2) to a SNARK (Groth16), achieving a smaller and faster zero-knowledge proof.

At Horizen Labs, we have a strong cryptography team specializing in the usage of zero-knowledge proofs (ZKPs). Two types of ZKPs used in blockchain are STARKs and SNARKs. STARKs are transparent and fast, while SNARKs have smaller proofs. While these two types of ZKPs are often used separately, our team has recently discovered how to transform STARK (Plonky2) to a SNARK (Groth16) in order to reduce proof size and increase speed.

In this blog post, we will delve into the significance of this transformation and explain how Horizen users will benefit from it.

Introducing zero-knowledge technologies

Zero-knowledge technologies refer to a class of cryptographic protocols and systems that allow one party to prove to another that it knows certain information without revealing any additional details, thereby preserving privacy and confidentiality while still allowing verification. These technologies have applications in secure authentication, secure communication, and privacy-preserving computation.

Zero Knowledge Proof (ZKP) technology is used in the blockchain industry in several ways. Let’s see some examples:

  • Scalable and efficient verification: ZKPs improve blockchain scalability by providing concise proofs for complex computations, enabling faster verification and reducing computational overhead.
  • Identity and Authentication: ZKPs enhance secure identity systems on the blockchain, allowing users to prove their identity or attributes without revealing unnecessary personal information, enabling secure logins and selective data disclosure.

Now let’s dive into the Plonky2 and Groth16 zero-knowledge proofs.

Deeper Dive into Plonky2 and Groth16

Plonky2 and Groth16 are two types of zero-knowledge proofs (ZKPs) used in blockchain technology.

Plonky2 is a STARK that uses a technique called Plonk arithmetization to achieve incredibly fast proving times (only 170 milliseconds on an average laptop), making it highly recommended for use in our sidechains. However, Plonky2 has a drawback: its proof size can be quite large, ranging from 50 to 130 kilobytes depending on the configuration.

Groth16 is a SNARK that uses a different technique called R1CS relying on elliptic curve pairings. Groth16 has one of the smallest proof sizes of any ZKP, at only around 300 bytes. However, its proving time is slower than Plonky2, taking anywhere from 50 to 100 times longer.

While these technical details may seem complex, they are essential to understand the benefits and limitations of each ZKP type. In the next section, we will explore how we planned to transform Plonky2 to Groth16 with ‘look-up arguments’.

¹ Measured on a laptop with processor Intel Core i7–10870H, memory 16 GB RAM 3200 MHz. Circuit benched: 2000 Poseidon Hashes.


In the context of zero-knowledge proofs, a “wrap” is a way of transforming a proof for a particular statement from one proving system to another. Wraps can be useful in situations where one proving system has certain limitations or drawbacks, and it is necessary to switch to another system in order to achieve better performance or other benefits.

In this scenario, we used a “wrap” to transform a Plonky2 proof into a Groth16 proof. The main problem with using a “wrap” to transform a proof from one proving system to another is that the two systems may not be fully compatible with each other. This means that the wrapping process can require a lot of extra checks to make sure everything works correctly, which can be very time-consuming and expensive in terms of computer resources.

However, we have found a way to reduce the number of checks needed by using something called “look-up arguments”. This means that the wrapping process will be faster and more efficient, but it may result in slightly larger proof sizes.

How does it benefit the user?

The use cases of zero-knowledge technologies are the same depending on the protocols used. As mentioned in the introduction, it allows verifying information without revealing it.

Using “wrapping” to transform a Plonky2 proof into a Groth16 proof allows the end user to benefit from the best of both worlds of SNARKs and STARKs.

In fact, Groth16 proofs are cheaper to verify on an EVM chain because of their smaller size and the simplicity of the operations to perform on the verifier side.

Thus, the scalability of Plonky2 can be used to make off-chain recursions of proofs — where the requirements are simpler — and then use Groth16 to post a rollup on the L1.

That is scalability at reduced cost. Speed and low cost with the bonus of improved decentralization with the same security. This can translate into low transaction fees to perform cross-chain transactions while being very fast.

In other words, a SNARK/STARK protocol is even more suitable for enterprises, developers, and end users in the blockchain industry.

Daniele Di Tullio,



Horizen Labs Tech

Sharing learnings in blockchain security and industry-leading cryptography research