ton-org · delovoyhomie · Mar 16, 2026 · Mar 23, 2026 · Mar 23, 2026 · Mar 23, 2026
@@ -0,0 +1,193 @@
+---
+title: "How to verify Groth16 examples on TON"
+sidebarTitle: "Groth16 examples"
+description: "Run Groth16 verifier examples on TON with Circom, Noname, Gnark, and Arkworks."
+---
+
+import { Aside } from '/snippets/aside.jsx';
+
+Run one of the Groth16 verifier examples from [`zk-examples/zk-ton-examples`](https://github.com/zk-examples/zk-ton-examples) and confirm the proof both locally and on-chain in TON.
+For the underlying export flow, see [Zero-knowledge proofs on TON](/contract-dev/zero-knowledge).
+
+## Objective
+
+Run one of these upstream circuits on TON:
+
+- `Multiplier` from Circom
+- `Sudoku` from Noname
+- `cubic-gnark` from Gnark
+- `MulCircuit` from Arkworks
+
+## Prerequisites
+
+- [Node.js](https://nodejs.org/en/download/) 18 or later LTS
+- [Blueprint](/contract-dev/blueprint/overview)
+- One proving stack: [Circom](https://docs.circom.io/getting-started/installation/#installing-circom), [Noname](https://github.com/zksecurity/noname), [Go](https://go.dev/dl/), or [Rust](https://www.rust-lang.org/tools/install)
+
+## Clone the examples repository
+
+```bash
+git clone https://github.com/zk-examples/zk-ton-examples.git
+cd zk-ton-examples
+npm install
+```
+
+## Choose an example
+
+| Example       | Stack    | Circuit                                                                                                                 | What the proof exposes publicly | Tolk test                                     |
+| ------------- | -------- | ----------------------------------------------------------------------------------------------------------------------- | ------------------------------- | --------------------------------------------- |
+| `Multiplier`  | Circom   | [`circuits/Multiplier`](https://github.com/zk-examples/zk-ton-examples/tree/main/circuits/Multiplier)                   | `c = a * b`                     | `npx blueprint test Verifier_multiplier_tolk` |
+| `Sudoku`      | Noname   | [`circuits/Sudoku`](https://github.com/zk-examples/zk-ton-examples/tree/main/circuits/Sudoku)                           | A partially filled grid         | `npx blueprint test Verifier_sudoku_tolk`     |
+| `cubic-gnark` | Gnark    | [`circuits/cubic-gnark`](https://github.com/zk-examples/zk-ton-examples/tree/main/circuits/cubic-gnark)                 | `y = x^3 + x + 5`               | `npx blueprint test Verifier_cubic_tolk`      |
+| `MulCircuit`  | Arkworks | [`circuits/Arkworks/MulCircuit`](https://github.com/zk-examples/zk-ton-examples/tree/main/circuits/Arkworks/MulCircuit) | `z = x * y`                     | `npx blueprint test Verifier_ark_tolk`        |
+
+<Aside type="tip">
+  This page follows the upstream Tolk verifier tests and runs locally in the Blueprint sandbox, not on TON mainnet.
+</Aside>
-<Aside type="tip">
-  This page follows the upstream Tolk verifier tests and runs locally in the Blueprint sandbox, not on TON mainnet.
-</Aside>
+<Aside type="caution" title="Run in sandbox or testnet">
+  These examples follow the upstream Tolk verifier tests and run in the Blueprint sandbox by default. When adapting them to TON Testnet or TON Mainnet, start on TON Testnet with small amounts; transfers on mainnet are irreversible.
+</Aside>
-<Aside type="tip">
-  This page follows the upstream Tolk verifier tests and runs locally in the Blueprint sandbox, not on TON mainnet.
-</Aside>
+<Aside type="caution" title="Run in sandbox or testnet">
+  These examples follow the upstream Tolk verifier tests and run in the Blueprint sandbox by default. When adapting them to TON Testnet or TON Mainnet, start on TON Testnet with small amounts; transfers on mainnet are irreversible.
+</Aside>
+
+## Run the `Multiplier` example
+
+Select `Multiplier` for the smallest end-to-end Groth16 verifier flow in the repository.
+The proof is generated at test time from `Multiplier.wasm` and `Multiplier_final.zkey`.
-Select `Multiplier` for the smallest end-to-end Groth16 verifier flow in the repository.
-The proof is generated at test time from `Multiplier.wasm` and `Multiplier_final.zkey`.
+Select `Multiplier` for a minimal end-to-end Groth16 verifier flow with two private inputs and one public output.
+The proof is generated at test time from `Multiplier.wasm` and `Multiplier_final.zkey`.
-Select `Multiplier` for the smallest end-to-end Groth16 verifier flow in the repository.
-The proof is generated at test time from `Multiplier.wasm` and `Multiplier_final.zkey`.
+Select `Multiplier` for a minimal end-to-end Groth16 verifier flow with two private inputs and one public output.
+The proof is generated at test time from `Multiplier.wasm` and `Multiplier_final.zkey`.
+
+```bash
+cd circuits/Multiplier
+circom Multiplier.circom --r1cs --wasm --sym --prime bls12381
+snarkjs powersoftau new bls12-381 10 pot10_0000.ptau -v
+snarkjs powersoftau contribute pot10_0000.ptau pot10_0001.ptau --name="First contribution" -v -e="some random text"
+snarkjs powersoftau prepare phase2 pot10_0001.ptau pot10_final.ptau -v
+snarkjs groth16 setup Multiplier.r1cs pot10_final.ptau Multiplier_0000.zkey
+snarkjs zkey contribute Multiplier_0000.zkey Multiplier_final.zkey --name="1st Contributor" -v -e="some random text"
+snarkjs zkey export verificationkey Multiplier_final.zkey verification_key.json
+cd ../..
+npx export-ton-verifier ./circuits/Multiplier/Multiplier_final.zkey ./contracts/verifier_multiplier.tolk --tolk
+npx export-ton-verifier import-wrapper ./wrappers/Verifier.ts --force --groth16
+npx blueprint test Verifier_multiplier_tolk
+```
+
+Expected output
+
+```text
+PASS tests/Verifier_multiplier_tolk.spec.ts
+```
+
+The checked-in upstream Tolk snapshot records `Verify = 88768` gas and code size `4353 bits / 11 cells`.
+
+## Run the `Sudoku` example
+
+Select `Sudoku` for a larger verification key and many public inputs.
+The current `Sudoku` source checks rows, columns, and diagonals. It does not check 3x3 boxes (subgrids).
+
+```bash
+cd circuits/Sudoku
+noname check
+noname run --backend r1cs-bls12-381 --private-inputs '<SOLUTION_JSON>' --public-inputs '<GRID_JSON>'
+snarkjs powersoftau new bls12-381 14 pot14_0000.ptau -v
+snarkjs powersoftau contribute pot14_0000.ptau pot14_0001.ptau --name="First contribution" -v -e="some random text"
+snarkjs powersoftau prepare phase2 pot14_0001.ptau pot14_final.ptau -v
+snarkjs groth16 setup Sudoku.r1cs pot14_final.ptau Sudoku_0000.zkey
+snarkjs zkey contribute Sudoku_0000.zkey Sudoku_final.zkey --name="1st Contributor" -v -e="some random text"
+snarkjs zkey export verificationkey Sudoku_final.zkey verification_key.json
+snarkjs groth16 prove Sudoku_final.zkey Sudoku.wtns proof.json public.json
+cd ../..
+npx export-ton-verifier ./circuits/Sudoku/Sudoku_final.zkey ./contracts/verifier_sudoku.tolk --tolk
+npx export-ton-verifier import-wrapper ./wrappers/Verifier.ts --force --groth16
+npx blueprint test Verifier_sudoku_tolk
+```
+
+Define placeholders
+
+- `<SOLUTION_JSON>` — JSON object with the private solved grid in the format expected by `circuits/Sudoku/src/main.no`
+- `<GRID_JSON>` — JSON object with the public partially filled grid in the format expected by `circuits/Sudoku/src/main.no`
+
+Expected output
+
+```text
+PASS tests/Verifier_sudoku_tolk.spec.ts
+```
+
+The checked-in upstream Tolk snapshot records `Verify = 850815` gas and code size `44471 bits / 75 cells`.
+
+## Run the `cubic-gnark` example
+
+Select `cubic-gnark` when the proving stack is Go.
+The upstream `main.go` proves the public relation `y = x^3 + x + 5` and exports `proof.json` plus `verification_key.json` in `snarkjs` format.
+
+```bash
+cd circuits/cubic-gnark
+go run main.go
+cd ../..
+npx export-ton-verifier ./circuits/cubic-gnark/verification_key.json ./contracts/verifier_cubic.tolk --tolk
+npx export-ton-verifier import-wrapper ./wrappers/Verifier.ts --force --groth16
+npx blueprint test Verifier_cubic_tolk
+```
+
+Expected output
+
+```text
+PASS tests/Verifier_cubic_tolk.spec.ts
+```
+
+The checked-in upstream Tolk snapshot records `Verify = 88768` gas and code size `4353 bits / 11 cells`.
+
+## Run the `MulCircuit` example
+
+Select `MulCircuit` when the proving stack is Rust.
+The upstream `main.rs` proves a multiplication circuit over `Bls12_381` and exports `json/proof.json` plus `json/verification_key.json`.
+
+```bash
+cd circuits/Arkworks/MulCircuit
+cargo run
+cd ../../..
+npx export-ton-verifier ./circuits/Arkworks/MulCircuit/json/verification_key.json ./contracts/verifier_ark.tolk --tolk
+npx export-ton-verifier import-wrapper ./wrappers/Verifier.ts --force --groth16
+npx blueprint test Verifier_ark_tolk
+```
+
+Expected output
+
+```text
+PASS tests/Verifier_ark_tolk.spec.ts
+```
+
+The checked-in upstream Tolk snapshot records `Verify = 88768` gas and code size `4353 bits / 11 cells`.
+
+## Verify
+
+Run-time verification succeeds when all of the following are true:
+
+- `snarkjs.groth16.verify(...)` returns `true`
+- The contract `getVerify` method returns `true`
+- `npx blueprint test ...` exits with code `0`
+
+Not runnable. Partial snippet from the upstream Tolk tests:
+
+```ts
+const okLocal = await snarkjs.groth16.verify(verificationKey, publicSignals, proof);
+expect(okLocal).toBe(true);
+
+const { pi_a, pi_b, pi_c, pubInputs } = await groth16CompressProof(proof, publicSignals);
+
+expect(await verifier.getVerify({ pi_a, pi_b, pi_c, pubInputs })).toBe(true);
+
+const verifyResult = await verifier.sendVerify(deployer.getSender(), {
+  pi_a,
+  pi_b,
+  pi_c,
+  pubInputs,
+  value: toNano('0.15'),
+});
+```
+
+## Troubleshoot
+
+- If `npx blueprint test ...` fails because `../wrappers/Verifier` is missing, rerun `npx export-ton-verifier import-wrapper ./wrappers/Verifier.ts --force --groth16`.
+- If `npx blueprint test ...` fails because the Tolk contract is missing, rerun the matching `npx export-ton-verifier ... --tolk` command for that example.
+- If `snarkjs.groth16.verify(...)` returns `false`, confirm that the proof, public signals, and verification key come from the same circuit build.
+- If `export-ton-verifier` rejects the input file, confirm that the example uses Groth16 over `bls12-381`.
+
+## See also
+
+- [Zero-knowledge proofs on TON](/contract-dev/zero-knowledge)
+- [`zk-examples/zk-ton-examples`](https://github.com/zk-examples/zk-ton-examples)
+- [`mysteryon88/export-ton-verifier`](https://github.com/mysteryon88/export-ton-verifier)
@@ -10,7 +10,8 @@ This guide shows how to create, compile, and test a simple [Circom](https://docs
 <Aside>
   This guide is also applicable to circuits written in the [Noname](https://github.com/zksecurity/noname) language, since the [`export-ton-verifier`](https://github.com/mysteryon88/export-ton-verifier) library integrates with `snarkjs`, which in turn integrates with the Noname language.
 
-  Other examples can be found [here](https://github.com/zk-examples/zk-ton-examples/).
+  For repo-backed examples covering Circom, Noname, Gnark, and Arkworks, see [Groth16 verification examples](/contract-dev/privacy-zk/groth16-examples).
+  The upstream source repository is [`zk-examples/zk-ton-examples`](https://github.com/zk-examples/zk-ton-examples/).
 </Aside>
 
 ## Prerequisites

@@ -459,13 +459,19 @@
           "contract-dev/signing",
           "contract-dev/contract-sharding",
           "contract-dev/security",
+          {
+            "group": "ZK proofs",
+            "pages": [
+              "contract-dev/zero-knowledge",
+              "contract-dev/privacy-zk/groth16-examples"
+            ]
+          },
           "contract-dev/gas",
           "contract-dev/on-chain-jetton-processing",
           "contract-dev/using-on-chain-libraries",
           "contract-dev/random",
           "contract-dev/upgrades",
-          "contract-dev/vanity",
-          "contract-dev/zero-knowledge"
+          "contract-dev/vanity"
         ]
       },
       {

@@ -303,6 +303,10 @@ Goldschlag
 Golev
 Grafana
 grammY
+Gnark
+gnark
+Groth
+Groth16
 GTon
 Gunicorn
 gusarich
@@ -468,6 +472,7 @@ multicast
 Multicasting
 multichain
 Multichain
+MulCircuit
 multiplatform
 Multiplatform
 multiset
@@ -683,6 +688,7 @@ subexpressions
 subfolder
 subfolders
 subgraph
+subgrids
 subinterval
 subnet
 subnets