Over the past year, the excitement around zero-knowledge tech has blossomed, fueled mostly by what can only be described as an explosion in zero-knowledge ecosystem building. Zero knowledge proofs, also known as ZKPs, are increasingly becoming part of the Web3 scaling and data-privacy conversation with several systems arising from the movement. Privacy has always been viewed as a valuable feature within the cryptocurrency community. It is the precursor to fungibility, which is necessary for a widely used form of money. Similarly, most crypto-asset holders don’t want their holdings and transaction history to be completely public. Among the various cryptographic techniques aiming to provide privacy to blockchains, the zk-SNARK and zk-STARK proofs are two noteworthy examples.
But firstly, you should understand What zero-knowledge proof is. This article only breaks down some key distinction between two popular types of zero-knowledge protocols: SNARKs, and STARKs.
I. A Basic Understanding
Just a quick refresher, zero-knowledge proof technologies enable one party to prove to another party that they know something without the prover having to convey the information itself in order to prove their knowledge. The main objective of these proofs is to reveal as little data as possible between the two parties. In other terms, one can use zero-knowledge proofs to prove that they have certain knowledge without revealing any information about the knowledge itself.
They are both a privacy enhancing technology, as they reduce the amount of information that needs to be provided between users, and a scaling technology, since they can allow proofs to be verified at a faster rate because they don’t contain the full amount of information for non-private systems.
Furthermore, both of these zero-knowledge technologies are non-interactive by nature, meaning the code can be deployed and act autonomously.
Zk-SNARK proofs are already being used on Zcash, on JP Morgan Chase’s blockchain-based payment system, and as a way to securely authenticate clients to servers. But while zk-SNARKs have made significant headway to being well-established and adopted, zk-STARK proofs are now being touted as the new and improved version of the protocol, addressing many of the previous drawbacks of zk-SNARKs.
II. What is zk-SNARK?
zk-SNARK is an acronym which stands for Zero Knowledge Succinct Non-Interactive Argument of Knowledge.
- S- Succinct means that the proofs are small and easy to verify even if the concept being proven is complicated.
- N- Non-interactive means that we don’t need a back-and-forth communication between a prover and verifier.
Currently, zk-SNARK proofs are dependent on an initial trusted setup between a prover and verifier, meaning that a set of public parameters is required to construct zero-knowledge proofs and, thus, private transactions. These parameters are almost like the rules of the game, they are encoded into the protocol and are one of the necessary factors in proving a transaction was valid. However, this creates a potential centralization issue because the parameters are often formulated by a very small group.
While an initial trusted setup is fundamental to today’s zk-SNARK implementations, researchers are working to find other alternatives as a way to reduce the amount of trust required in the process. The initial setup phase is important in preventing counterfeit spending because if someone had access to the randomness that generated the parameters, they could create false proofs that seemed valid to the verifier.
- AR- Argument is a formalism for talking about these proofs because there is some fancy cryptography and non-determinism that doesn’t quite make these “formal proofs” in the traditional sense (though we can still think of them as such).
- K – Knowledge refers to the fact that the prover actually has the evidence themselves.
Moving onto the “Arguments of Knowledge” piece of the acronym. zk-SNARKs are considered computationally sound, meaning that a dishonest prover has a very low chance of successfully cheating the system without actually having the knowledge (or witness) to support their statement. This property is known as soundness and assumes that the prover has limited computing power.
Theoretically, a prover with enough computational power could create fake proofs, and this is one of the reasons quantum computers are considered by many as a threat to zk-SNARKs (and blockchain systems).
A fact that SNARKs are estimated to require only 24% of that gas that STARKs would require, meaning that transacting with SNARKs would be far cheaper for the end-user. Finally, the proof size for SNARKs is much much smaller than STARKs, meaning it would take less on-chain storage.
III. What is zk-STARK?
On the other hand, zk-STARKs stands for Zero Knowledge Scalable Transparent Argument of Knowledge. A zk-STARK is one of the more renowned types of proofs. This proof was invented by the team at StarkWare, who are one of the leading builders on top of the zk-STARK, with their two products StarkEx & StarkNet.
Zk-STARKs are, generally, considered a more efficient variant of the technology, potentially faster and cheaper depending on the implementation. But more importantly, zk-STARKs do not require an initial trusted setup (hence, the “T” for transparent).
STARKs are constructed using a different type of cryptography than SNARKs, which could be less susceptible to attack by theoretical quantum computers, essentially supercomputers that are powerful enough to run complex computations. They also do not require a trusted setup, but have some restrictions on the kinds of computations they can handle.
The main drawback of existing zk-STARKs is that they have a large proof size, between 10-100x larger than zk-SNARKs. This makes them more costly to send over the wire for cryptocurrencies and other applications, where bandwidth is often a constraint.
IV. SNARKs vs STARKs
When comparing these proofs, they obviously have similarities, but have different properties and use cases. Let’s dig into it!
Scalability
zk-STARKs are known to be significantly more scalable and faster, making them more efficient for large amounts of proofs. Ironically, SNARKs are much smaller in byte size, but they are unable to scale as effectively as STARKs. This ultimately can make transactions cheaper to process for STARKs when they are eventually pushed on-chain. Proofs are also able to be generated much faster with STARKs, but slower “to verify” compared to SNARKs.
This downside of a STARK means that if there isn’t a significant number of proofs created (low throughput), it will result in much longer wait times for the proof to be verified to amortize the large costs. Because of some of these reasons, many teams building products focused around DeFi, payments, and gaming applications are specifically using STARKs to compute data more effectively.
Privacy
One of the core use cases for a SNARK proof is around its ability for privacy preservation. A great example of a product using SNARKs is Dark Forest, which is a product built on Ethereum. The interesting thing about this is that all moves made by players in this universe are done publicly on-chain, but because they use zk-SNARKs, all of the movements are hidden from the other players! This allows for entirely new types of gaming applications to be created.
Other use cases for SNARKs are around identity, payments, DeFi, or even the ability to provide “proof of assets”. While STARKs can be used for privacy, most of the current development around privacy is focused around building on SNARKs.
Setup
In general, zk-SNARKs require a trusted setup, but it depends on the tradeoffs made with their implementation where you may not necessarily need them. STARKs don’t require this, and are also quantum secure (though the latter is not very useful for now). Although quantum security currently poses little concern, it could potentially be a significant issue in the future.
V. Who are Building on zk-SNARKs and zk-STARKs?
Over the last few years, the amount of development using these technologies has increased immensely. The first team to really build on zk-SNARKs was Z-Cash, a privacy-focused coin. Since then, other implementations have been built like Aztec Protocol, Mina Protocol, zkSync, Polygon Hermez, Loopring, Aleo, & Scroll.
The zkSTARK ecosystem is a bit smaller, but obviously much newer, as STARK proofs weren’t invented until 2018. StarkWare are currently the largest developers on the technology building StarkEx & StarkNet, however Polygon has begun building their own in-house product, known as Polygon Miden.
The Matter Labs team, the group building zkSync, has stated that although it’s not necessary for now to roll new cryptography, they plan to switch cryptographic primitives in the future based on the advancement of research, adoption, and peer review of novel proof systems.
VI. Closing Thoughts
Zero-knowledge proofs are quickly verifiable and usually take up much less data than a standard Bitcoin transaction. This opens up a pathway for zk-SNARK technology to be used as both a privacy and a scalability solution.
I expect ZK-SNARKs to be a significant revolution as they permeate the mainstream world over the next 10-20 years.
— vitalik.eth (@VitalikButerin) September 2, 2021
With some of these technologies in their infancy, we are most likely going to see a wave of innovation within zk-based applications built over the next couple years, especially zn-SNARKs. The research and development going into this field has increased significantly just over the last year, and the amount of capital deployed from an investment standpoint has grown similarly.
For the latest on zero-knowledge cryptography and other technologies, head over to the Chainslab Twitter to keep yourself always updated.
