Our Newest Verifiers Explained - Groth16 & Risc0

Our New Verifiers

We are excited to announce our new verifiers for Groth16 and Risc0. The former is a widely used pairing-based protocol, while the latter is a zkVM that allows users to prove the execution of Rust code. Internally, Risc0 uses the FRI protocol together with our hash function Poseidon2 presented last year at zkSummit9.

[Source: https://www.risczero.com/blog/zkvm-performance-upgrades-roadmap-q1-q2-2024]

What Our Verifiers Unlock

Our verifiers are specifically built to verify various types of proofs, with the new additions enabling verifications of Groth16 and Risc0 proofs. This enables any user of these proofs to get an even more efficient verification of their proofs on zkVerify, together with an attestation on Ethereum. The Risc0 verifier is a STARK verifier. This is important because it reduces the amount of computation and cost for the proof generation compared to a Risc0 SNARK verifier.

Background: zkRollups and zkVMs

zkRollups and zkVMs use recursive proof technology and aggregation in order to accumulate many proofs into fewer ones. Many of these use FRI-based proofs, whose security is based on coding theory and on the hash function used internally. These proofs avoid expensive pairing operations and, not being based on ECC, can use many different finite field sizes internally. In particular, a trend towards smaller fields defined by primes like Goldilocks or M31 has led to very fast provers. However, since proof sizes are still large compared to pairing-based approaches, the final step of many zkRollups includes a conversion to a smaller proof which can more simply be verified on Ethereum.

In the future, the final conversion step of many rollups to an Ethereum-friendly proof may even be avoided thanks to zkVerify – the proof size plays a much smaller role in our system than it does when verifying directly on Ethereum.