PLONK Benchmarks I — 2.5x faster than Groth16 on MiMC

Benchmarks on TurboPLONK from AZTEC

We’re excited to present some early benchmarks for TurboPLONK, the supercharged version of the PLONK ZK-SNARK. At last a Universal SNARK that can compete with, and in certain instances outperform, the single-circuit Groth16.

This is a huge step towards AZTEC’s ambition for scalable privacy on Ethereum.

What is PLONK?

PLONK is a new type of SNARK — a highly efficient Universal SNARK, created in a collaboration between Zac Williamson and Ariel Gabizon. PLONK uses a new circuit description which consists of gates, of two kinds: multiplications (×) and additions (+).

R1CS uses ‘constraints’, whilst PLONK uses ‘gates’. Gates are just particular types of constraints. But more importantly, R1CS and PLONK’s Circuit describe exactly the same universe of computations — Arithmetic Circuits.

And TurboPLONK?

TurboPLONK is Zac Williamson’s idea to supercharge the PLONK circuit —by introducing certain ‘custom gates’ that appear many times in a circuit, you can hugely reduce the number of gates whilst maintaining efficiency.

The Benchmarks

The PLONK Benchmarks

AZTEC is aiming for something very ambitious — to make Universal SNARKs as fast as single-circuit Groth16

Hashes dominate the computation requirements in SNARKs — we discuss in our Primer why Merkle Trees are so important for private assets. So we are testing PLONK against the toughest benchmark out there (Groth16), and we’re doing it over the most important type of computation — the hash.

For any given circuit, Groth16 sets the pace. It’s:

Fast to Prove Cheap to Verify Succinct

Unfortunately, Groth16 is not universal — i.e. if you change the circuit (modify your private smart contract), you need to do a new trusted setup. AZTEC Protocol took over 6 weeks to run its secure MPC Ceremony — you can’t run this process every time you want to update your Solidity code.