Proof system
A short primer on the Groth16 proofs zkHelios uses and how Solana verifies them.
Groth16
zkHelios uses Groth16 SNARKs over the BN254 (alt_bn128) pairing-friendly curve. Groth16 proofs are tiny — three group elements, about 256 bytes — and cheap to verify, which is exactly what you want for on-chain verification on Solana.
- A — a G1 point (2 × 32 bytes)
- B — a G2 point (4 × 32 bytes)
- C — a G1 point (2 × 32 bytes)
On-chain verification
The verifier computes vk_x = ic[0] + Σ publicInputs[i]·ic[i+1], then runs a single pairing check: e(A, B) == e(α, β) · e(vk_x, γ) · e(C, δ). On Solana this is one sol_alt_bn128_pairing syscall — the whole verification fits in ~200k CU, well under the 1.4M per-transaction cap.
Public vs private inputs
Public inputs are committed in the proof and visible to the verifier (and on-chain). Private inputs (the witness) are used only to generate the proof and are never transmitted. The circuit defines which is which.