Are There SDKs That Abstract Multiple Proof Systems (Groth16, Plonk, zkVM) and Output a Single Verifier Friendly to Ethereum Calldata Limits?

Absolutely! The quick answer is yes, but it’s not going to be as simple as having one “universal Solidity verifier” that works for every proof system. Looking ahead to 2026, it seems like we’re really moving towards finding ways to verify and combine various proofs, whether that's off-chain or through a zkVM recursion circuit. It's going to be interesting to see how this all shapes up! After that, they'll whip up an EVM-friendly SNARK--usually something like Groth16 or Plonk on BN254. This setup is great because it jives nicely with Ethereum's calldata and keeps things within the gas limits. If you want to dive deeper into the details, just head over to this link: eips.ethereum.org. Happy exploring!

---

Executive summary (description)

Hey, guess what? There’s a really cool bunch of SDKs available that lets teams mix and match different proof systems--like those STARK-based zkVMs, Groth16, and Plonk--into one neat little proof. And the best part? It’s super easy to verify on Ethereum! How awesome is that? At the moment, the most dependable approaches involve using recursive proofs or wrapping things up with Groth16 or Plonk on the BN254 curve. With this setup, you can expect proofs to be around 260 to 900 bytes, and the verification process will cost you roughly 270 to 300k gas. That’s well within the limits for calldata and gas, so you’re all good! If you want to dive deeper into the details, just click here. Happy exploring!

---

The short answer for decision‑makers

• So, here's the deal: there's no universal Solidity contract that can smoothly handle all types of proofs--like Groth16, Plonk, STARK, and the like--through a single interface. The way verification works with the math can differ quite a bit between these systems. What we really notice from the top SDKs looks more like this: They’ve got this cool multi-prover layer, or you could call it a recursion layer, that’s capable of managing various types of proofs. And then... They create just one "final" proof--either Groth16 or Plonk on BN254--that's then checked on-chain using a lightweight and trustworthy verifier contract or gateway. Feel free to dive deeper into it over at docs.succinct.xyz. There's a lot of useful info waiting for you!

This setup is pretty clever! It helps save on calldata and gas fees, all thanks to the BN254 precompiles (EIP-196/197) and those tiny final proofs. Just a quick heads up--blobs coming from EIP-4844 can’t be read by the EVM, which means they’re not able to carry the proof to the verifier. If you're looking to explore this topic further, check out more details over at eips.ethereum.org. Happy reading!

---

Why a “single verifier for everything” isn’t how Ethereum works

Ethereum has some really useful precompiles for BN254 addition, multiplication, and pairings, all thanks to EIP-196 and EIP-197. These definitely power the smooth on-chain SNARK verification we’re experiencing right now. So, about BLS12-381--there's no mainnet precompile available yet. EIP-2537 is still hanging out as an EIP, and hasn’t made its way into the mainnet just yet. What this really means is that trying to use universal verifiers across different curves and schemes on Layer 1 isn't super practical. Unless you're ready to dive into a bunch of custom coding and tackle those sky-high gas fees, it's probably not the way to go. (eips.ethereum.org).

So, if you're dealing with EVM calldata, just a heads-up: it's still charged by the byte. That means you’ll be paying 4 gas for a zero byte and 16 gas for anything that's non-zero, all thanks to EIP-2028. So, EIP-4844 did bring in some cost-effective blob data, which is pretty cool. But there’s a little twist--smart contracts can’t actually tap into that blob data directly. What you really get is just the promise. Alright, so what you need to do is send the proof over to the verifier using calldata. (eips.ethereum.org).

Here's the game plan: Start by building something that the EVM can easily verify, maybe something like the BN254 Groth16 or Plonk--these are pretty cost-effective options. Then, for your multi-proof setup, you can either tackle that off-chain or manage it within a zkVM. It’s all about keeping things efficient while still getting the job done!

---

What “EVM‑friendly” actually means in 2026

• Groth16 on BN254: These proofs are quite small, typically weighing in at just about 200 to 300 bytes. The awesome thing? Verification happens super quickly--in constant time (O(1))--and it hardly uses any calldata or gas at all! Usually, you can count on proofs to be about 260 bytes in size and use around 270k gas in today’s setups. (dple.github.io).
• Plonk on BN254: Plonk proofs are still pretty compact, usually hanging out in the range of 0. 8-1. 3KB. If you tweak the verifiers a bit, you can expect to see around 300k gas. (docs.succinct.xyz).
• STARK proofs: These tend to be a bit on the larger side, usually weighing in at a few hundred KB. They typically get bundled into a neat little SNARK for on-chain verification, which makes them way easier to deal with. (dev.risczero.com).

---

SDKs and stacks that already abstract multiple proof systems into one EVM‑friendly verifier

Check out these great production-focused options we've either tried ourselves or looked into for our clients.

1) Succinct SP1 zkVM: STARK recursion with Groth16/Plonk final proofs

• What it does So, you whip up these awesome Rust programs, right? Then, SP1 jumps in to give them a once-over, using STARK recursion to check everything. After that, it ties it all together with a final Groth16 or Plonk proof over BN254. It's like having a trusty sidekick making sure everything runs smoothly! Getting on-chain verification will set you back about 270,000 to 300,000 gas. Feel free to dive into the details right here. You’ll find all the info you need! SP1 gives you some solid options for proof types: there's "Groth16," which is pretty compact at around 260 bytes, and then there's "Plonk," coming in a bit larger at about 868 bytes. You can pick whichever one suits your deployment needs better! More info here. You can easily spot canonical SP1 verifier gateways on Ethereum and most of the big Layer 2 solutions out there. Just submit one proof along with the public inputs to a single contract, and you're all set! If you want to learn more about this, check it out here. Happy exploring!
• What makes it so friendly to all kinds of proof. What’s really cool about SP1 is that it can verify Groth16 and Plonk proofs created with different stacks, like gnark, all thanks to its BN254 verifier crate. Pretty neat, right? This means you can combine a bunch of different proofs into one single SP1 Groth16 or Plonk proof for the blockchain. Pretty handy, right? It's really all about bringing together a bunch of proofs into one neat package! If you're curious to dive deeper into this concept, check it out here.
• Practical numbers So, if you're diving into on-chain verification, you can expect Groth16 to use around 270k gas. On the other hand, Plonk will run you about 300k gas if you’re using the Solidity SDK or gateways. Just something to keep in mind! Get the specifics here.
• Implementation sketch If you want to check out external Groth16 or Plonk proofs in an SP1 program, you've got a couple of options. You can go with either the sp1-verifier or the bn254 verifier. Just pick whichever one suits your needs! Once that's done, you can go ahead and run your application logic. After that, just hit up client.prove( to wrap things up. ). If you want to submit everything to the SP1VerifierGateway on mainnet or Layer 2, just use the groth16() function. If you’re looking for more help, just click here. It's a great resource!

When to Choose

When you're on the hunt for a general-purpose zkVM, keep an eye out for these key things:

• Proven Recursion: It really comes down to having a strong history of dealing with recursive proofs.
• Keep On-Chain Costs Low: Let’s be real--nobody likes getting hit with crazy fees. So, it's best to choose options that won't drain your wallet.
• Flexibility: You need to have the ability to incorporate any random SNARKs and merge them into one proof that works smoothly with the EVM.

2) RISC Zero zkVM: STARK recursion with a Groth16 “receipt” for EVM

• What it does
  RISC Zero is focused on demonstrating how RISC-V runs using STARKs. It takes those proofs, compresses them in a neat, recursive way, and then runs a STARK-to-SNARK circuit. This whole process produces what's called a Groth16Receipt, which your Solidity verifier can easily check out. Pretty cool, right? If you want to explore more about it, check out this link: dev.risczero.com. You’ll find some pretty cool info there!
• So, what makes it so great for multi-proof situations? One really cool thing about RISC Zero is that you can actually combine different program segments using recursion! So, basically, you can bundle everything together into one Groth16 proof. This is super helpful because it really slashes the amount of calldata you need. Take a look at this link: dev.risczero.com. You'll find some cool stuff there!
• Developer tip
  Hey developers, here’s a cool tip for you! Check out the docs for Prover::prove_with_opts. It’s a great feature that gives you the flexibility to choose between composite, succinct, and groth16 receipts. Give it a look! If you're diving into EVM, then for sure check out groth16! Trust me, it's a solid choice. If you’re looking for more details, check out this link: dev.risczero.com. There's a bunch of info waiting for you there!

When to Choose:

If you're thinking about going with RISC-V VM semantics and looking to build a STARK stack, but you also want to keep those on-chain proofs super small, then this is definitely the way to go!

3) Noir (ACIR) + backends: language‑level abstraction, pick your final SNARK

• What it does
  So, Noir wraps everything up into ACIR, and then it’s up to you to choose your backend. You can go with something like Aztec’s Barretenberg or UltraPlonk, or you might want to check out some of the community backends, like gnark. The choice is yours! What’s really awesome is that Noir’s tools can create Solidity verifiers that are customized for each backend. You know, it's genuinely “proof system agnostic” when it comes to the language level. (noir-lang.org).
• Why it helps
  This method allows teams to make adjustments to their circuits and target different final proof systems. If you're looking to get just one verifier, you can actually bundle or combine it into Groth16/Plonk BN254 for the EVM. (noir-lang.org).

When to Choose Noir

Hey there! If your product teams are all about using Noir for safety and portability but still want to maintain some flexibility with the final verifier, you've come to the perfect place!

4) gnark (Go): one circuit, multiple backends, Solidity exports

• What it does Gnark is super versatile! It works with both Groth16 and Plonk on a bunch of different curves. Plus, it can even whip up a Solidity verifier for BN254 Groth16, which is pretty cool! Here's the fun part: You can choose to stick with a single circuit and easily swap between different backends whenever you want. Just a quick heads-up, though--you'll need to deploy a separate verifier for each backend on-chain. Take a look at it on GitHub! You'll find some interesting stuff there.
• Multi‑proof unification approach Hey there! So, if you’re diving into SNARK circuits, you can totally use gnark for your more “classic” setups. Plus, you can verify those proofs in SP1 or any other recursion system you like. It's pretty flexible! Once you’ve got everything set up, you can whip up a Groth16 proof that you can send over to Ethereum. Check out all the details over at docs.rs! It’s packed with great info that you won’t want to miss.

5) Off‑chain/mid‑chain verifiers for heterogeneous proofs (zkVerify)

• What it does
  So, zkVerify is this cool network that specializes in verifying different proof types, like RISC Zero, Groth16, and Fflonk, and it gives out attestations. It's super useful if you want to maintain a small L1 footprint but still get that verification across various ecosystems. (blog.zkverify.io).

When you're making your decision, think about whether you really need cross-chain proof validation or if you'd rather cut down on Ethereum interactions by using attestation bridges. It’s all about what fits your needs best!

---

Calldata constraints you must design around

• Calldata cost: So, here's the deal: it costs 4 gas for each zero byte and 16 gas for any non-zero byte. This is all detailed in EIP-2028, in case you're curious! Hey, just a quick heads up--those big proofs can seriously hike up gas costs! On the bright side, SNARK proofs really help to lighten the load. (eips.ethereum.org).
• Blobs (EIP-4844): So, these blobs are pretty awesome because they make data availability way cheaper. But, just a heads up--you won’t be able to read them directly in the EVM. Basically, you can't send proofs through a blob to a Solidity verifier. Right now, all you can see are the commitments. (eips.ethereum.org).
• Pro tip: If it suits your needs, definitely stick with BN254 Groth16! It has a reliable setup tradeoff, but it manages to keep the calldata pretty lightweight. Another option you’ve got is to go with BN254 Plonk if you’re looking for a universal setup. No matter what, you’ll end up with really tiny calldata and verification costs will be around 270-300k gas. (docs.succinct.xyz).

---

Goal:

You want your product to really take off and start making an impact.

• So, we’ve got a Groth16 proof for an older circuit, which is pretty cool.
• So, there’s this gnark Plonk proof that’s been created for a newer circuit.
• Here’s a zkVM proof for some pretty intense calculations.

All of this should be bundled together in a single EVM transaction, complete with one neat proof.

A Minimal Architecture:

Minimal architecture is all about keeping things simple and functional. It really pares down the design to the essentials, getting rid of anything that isn’t absolutely needed. It's really about crafting those clean, open spaces where you can move around easily and just feel free. So, if you're thinking about getting into minimal architecture, here are a few things to keep in mind:

Key Principles:

1. Focus on Purpose: Make sure that everything has a reason for being there. If it doesn't fit, then it probably wasn't meant to be there.

2. Open Spaces: Picture a light and spacious vibe. Keep it simple and free of clutter. Open floor plans that let in tons of natural light really make a place feel welcoming and cozy.

3. Natural Materials: Go for wood, stone, and other earthy materials. They not only have a great look but also develop a beautiful patina as they age.

4. Neutral Color Palette: Using soft, muted colors can really set a relaxing vibe in any space. They help to create a calm and soothing atmosphere that feels welcoming.

5. Subtle Decoration: Go for a straightforward and low-key vibe with your decor. Sometimes, just a couple of carefully chosen pieces can really stand out and make a statement without making the room feel cluttered.

Examples of Minimal Architecture:

• Residential Homes: A lot of today’s homes are going for that minimalist vibe. You’ll notice plenty of clean lines and uncomplicated shapes, creating a really fresh and stylish look.
• Office Spaces: You know, workspaces that stick to a simple, clean design can really boost productivity. They help cut down on distractions and keep you focused.
• Public Buildings: Museums and galleries are all about that minimal design vibe. They keep things simple so that their amazing collections can really shine without any distractions.

Why Choose Minimal Architecture?

• Clarity: Embracing a minimalist vibe helps you zero in on what really counts, whether it’s in your design choices or in everyday life.
• Sustainability: When you focus on quality instead of just cranking out more stuff, you end up creating spaces that are really stunning and good for the planet, too. It’s a win-win!
• Timeless Charm: You know, minimal architecture really has a way of sticking around. It avoids those fleeting trends that seem to come and go in the blink of an eye.

If you’re looking for some inspiration, you should totally check out this awesome resource on minimal architecture! You can find it right here: great resource. Happy exploring!

1. How about we create a recursion “aggregator” program in SP1? Sounds fun, right? Hey, don’t forget to add sp1-verifier so you can check out the SP1 Groth16/Plonk right in the VM! If you’re looking for more info, check it out over here: docs.rs. Hey, just a quick reminder: make sure to include a BN254 verifier for those gnark Groth16/Plonk proofs. It’s super important! They’ve made it super easy for you by laying out compatibility with gnark formats. Check it out: (github.com). Alright, so here’s the scoop on what your program needs to get done:

• Check the verification key and public inputs for the gnark Groth16 proof. First things first, go ahead and check the gnark Plonk proof's verification key and the public inputs.
• Take a look at any previous SP1 subproofs you might have.
• So, basically, you’ll want to merklize or hash all the public outputs into one neat digest. This way, those final public inputs on-chain stay nice and tidy!

Alright, let’s dive in and prove that aggregator program using SP1, and we’ll go with the Groth16 mode.

• Using client.prove(. ). When you use groth16()`, you’ll end up with a proof that’s roughly around 260 bytes in size. You can find all the details right here: docs.succinct.xyz. Just click the link!

1. So, the last step is to send this over to SP1’s VerifierGateway on Ethereum. So, it’s really just one call that happens here, and it uses about 270,000 gas. Plus, there’s this single verifier contract that’s all taken care of by Succinct. Pretty straightforward! For more details, check this out: docs.succinct.xyz. It’s got all the info you need!

This setup gives you a single verifier "surface" on L1, which helps keep your gas costs steady and reduces the amount of calldata you need. Pretty neat, right? On top of that, it lets you easily switch out your upstream proof systems, so you’re all set for whatever comes your way in the future.

---

RISC Zero variant: STARK to Groth16Receipt

You can whip up as many STARK receipts as you'd like using lift/join recursion in RISC Zero. So, all you need to do is call compress() and you’ll get a Groth16Receipt. Easy, right? Next up, you’ll want to deploy the Groth16 verifier from RISC Zero on Ethereum. Once you've got that set up, feel free to submit a receipt along with a few basic public inputs. Take a look at this: dev.risczero.com. It’s pretty cool!

---

Emerging techniques to watch

• Groth16 Aggregation (SnarkPack): There’s some pretty exciting research and projects popping up that reveal an interesting trick with Groth16 proofs. When you group a bunch of these proofs together, the verification process becomes really efficient, working on a logarithmic scale! How cool is that? If you're just diving into Groth16 proofs, this is super useful! When everything's said and done, you’ll have one solid SNARK that’s verified right on the chain. Feel free to take a look at it here. I think you'll find it interesting!
• Exciting new “final SNARK” candidates: There’s some really interesting research surfacing lately, especially from Polymath, hinting that we might be able to create even shorter arguments than Groth16 for the final wrapper. It's definitely something to keep an eye on! This is super exciting, but it's not quite up to the Ethereum standard just yet. Check out the details over here!
• Modular zkVMs (OpenVM): If you're into blockchain tech, you should definitely take a look at this framework! It gives you the flexibility to mix and match different proof system components and even lets you verify Halo2 proofs right on-chain. Pretty cool, right? It can operate with around ~330k gas, which is pretty great, all thanks to a super useful Solidity SDK! Just keep in mind that you'll still need to pick one last verifier contract before you’re all set. If you want to learn more, check out their blog. It’s packed with great info!

---

Best practices we recommend to clients

• We're aiming to finalize BN254 on Ethereum.
• This one takes advantage of the EIP-196/197 precompiles, which means that pairing checks are really inexpensive. Hey there! Just wanted to give you a quick heads up that as of January 7, 2026, the BLS12‑381 precompile (EIP‑2537) isn't up and running on the mainnet yet. (eips.ethereum.org).
• Keep public inputs short and sweet.
• To make things a bit more efficient, you can compress those bulky outputs into just one field element--something like Poseidon or Keccak will work great. Then, you only need to share the digest as the public input for the final verifier. This will help reduce the amount of calldata, which means you'll save some gas in the process.
• Look for an SDK that’s got a solid track record and has on-chain verifier contracts that are actively maintained. Hey, if you can, try to stick with SP1 contracts and gateways. They’re getting regular updates, which is pretty great! If you don't need anything super specific, it's usually a good idea to stick with these options instead of trying to build your own verifier from the ground up. (docs.succinct.xyz).
• If you're planning to support different proof systems over the long haul, make sure to focus on the recursion layer for abstraction instead of getting too caught up in the Solidity layer. Hey, have you thought about using SP1 or RISC Zero? They can help you verify Groth16, Plonk, or STARK proofs directly in the VM, which is pretty neat! This approach means that the Solidity layer will only have to handle a single call to the Groth16/Plonk verifier gateway. (docs.rs).
• Avoid relying on blobs to verify things. Hey, just a heads up: blobs are meant just for keeping data available, so contracts can’t actually grab or read the bytes from those blobs. Just a quick reminder: always send the final proof and any public inputs using calldata. It's super important! (eips.ethereum.org).

Hey, make sure to check the gas and calldata right from the start! It's a good idea to get that sorted out early on. So, usually, Groth16 delivers the smallest calldata size, coming in at around 260 bytes for the proof. When it comes to verification, it takes about 270k gas. Pretty efficient, right? Just a heads-up, Plonk is looking like it’ll be around 868 bytes and about 300k gas. So, when you're planning your budget, make sure to factor that in! (docs.succinct.xyz).

---

What to choose when

If you're looking to keep your on-chain footprint as small as possible but still want to explore different proof systems, then... Take a look at the SP1 zkVM featuring the Groth16 final proof! (docs.succinct.xyz).

Hey there! Are you on the hunt for a STARK-native stack that works smoothly with a clean EVM bridge?

• If you're looking for something reliable, RISC Zero with Groth16Receipt could be just the ticket! (dev.risczero.com).

So, your team is looking for a way to simplify things with a language-level abstraction while also keeping things flexible across various backends, huh?

• Jump into Noir (ACIR) alongside Barretenberg/gnark backends, and finish things off with a BN254 Groth16/Plonk verifier. (noir-lang.org).

Are you just looking to work with multiple Groth16 proofs? Hey, you should definitely give SnarkPack aggregation a try! It’s really awesome for bundling together multiple Groth16 proofs before you go ahead with the on-chain verification. Trust me, it makes things a whole lot easier! (research.protocol.ai).

---

Implementation notes and gotchas

• Trusted setup tradeoff: So, here’s the deal with Groth16. It gives you these super compact proofs, which is awesome, but it does come with a catch. You’ve got to have a specific setup for each circuit. If you don’t want to go through all that hassle, you might want to check out community events like Aztec’s Ignition. They’re pretty cool for getting involved with certain projects! If that feels like too much of a hassle, you might want to consider going with Plonk instead. It has a universal setup, but just a heads up, your proofs might be a bit larger. If you want to dive deeper into it, feel free to check it out here.

Alright, so here’s the deal: if you're diving into L1 verification, it's best to go with BN254 for your proofs. Trust me, it just works better that way! When it comes to generating BLS12-381 proofs, you’re really going to have to set up some custom heavy verifiers. And to be honest, that can be a real hassle and probably isn’t worth the extra effort. Sticking with BN254 is definitely a smart move when it comes to EVM. It just makes things a lot easier! If you’re looking for more details, you can check this out here.

• Tooling details:
• If you're getting into Circom or snarkJS, they can easily create Groth16 and Plonk verifiers for you! It's awesome for tackling specific problems, but don’t count on it to manage complex, multi-proof situations all by itself. Take a look at their documentation right here. It’s super helpful for getting started with proving circuits! On the flip side, hardhat-circom can whip up verifiers for every circuit automatically. Pretty handy, right? You can totally create a “multi-verifier” template, but just a heads up--you'll still have to wade through the specific steps for each protocol. Get the scoop here.

---

Bottom line

Hey there! If you’ve been curious about whether we can create a system that handles Groth16, Plonk, and zkVM proofs all at once and then just send out a single, lightweight proof to Ethereum--guess what? The answer is a big yes! You can totally make this happen by leveraging recursion for a bit of abstraction, and then you can just wrap things up by sending out a final Groth16 or Plonk proof on BN254. Pretty cool, right?

At this point, your best bets are definitely SP1 and RISC Zero. If you're diving into the circuit or back-end layer, Noir and Gnark are really solid choices. And hey, if attestations are more your thing, definitely check out zkVerify - it's got you sorted! This approach helps you maintain a low on-chain footprint, keeps your costs in check, and keeps your options flexible as ZK tech continues to develop. Hey! If you're looking for more info, you can find all the details here.

---

References and further reading

• So, there are these BN254 precompiles for the EVM, which are tied to EIP-196 and EIP-197. Check it out here. So, when it comes to layer 1 (L1) constraints, you definitely can't overlook the impact of calldata pricing (that’s EIP-2028) and blobs (thanks to EIP-4844). They're really making waves in this space! You can check out more info here. So, we've got these SP1 proof types, right? They're all about gas and SDK stuff. And on top of that, they’ve thrown in Solidity verifier gateways too. It's a pretty cool setup! If you want to dive deeper into this topic, check it out here. It's a great resource! Hey, have you checked out RISC Zero recursion and the Groth16Receipt path? They’re actually pretty fascinating! Dive deeper here. Take a look at Noir's ACIR backend-agnostic documentation and guides right here. You'll find some really helpful resources! Hey, you should definitely check out the gnark backends and the Solidity export--they’re pretty interesting! Find them here. I’ve gotta say, Groth16 aggregation, also known as SnarkPack, and the recent developments in “final SNARK” research from Polymath are super fascinating topics! Check it out here.

---