Groth16 is a pairing-based zk-SNARK with the smallest proofs and the fastest verification in production today: three elliptic-curve elements (~192 bytes) and a verification that costs roughly 1.5 million compute units on Solana. SolMask's withdraw circuit is compiled to Groth16 over BN254, the same curve EVM rollups use, so the on-chain verifier is well-trodden code.
Every SolMask withdraw carries one Groth16 proof. The proof attests to four statements at once: the prover knows a nullifier_secret whose Poseidon hash equals the revealed nullifier; the corresponding commitment is a leaf of the Merkle tree whose root matches a recently-published root; the current Solana slot is past the commitment's unlock_slot; and the recipient, amount, and relayer fee in the transaction match what the prover authorised.
Groth16 requires a per-circuit trusted setup. SolMask's setup was a multi-party ceremony with a public transcript so that no single participant can forge proofs.