Zero-knowledge proofs (ZKPs) are cryptographic protocols that allow one party (the prover) to convince another party (the verifier) that a statement is true without revealing any information beyond the validity of the statement itself. ZKPs are a revolutionary technology for blockchain ecosystems, enabling blockchain scalability with layer 2 solutions and privacy-preserving applications to be built. Two of the most prominent types of ZKPs are zk-SNARKs and zk-STARKs, each with distinct characteristics and use cases.
In this article, we will discuss zk-SNARKs and zk-STARKs, their key features, and how they compare to each other.
Prerequisites
- Understanding of ZKPs: You know what circuits, constraints, the witness, the verifier, and the prover are.
What is a zk-SNARK (Succinct Non-Interactive Argument of Knowledge)
zk-SNARKs are a broad class of ZKP systems that are non-interactive, meaning there is no back-and-forth communication between the prover and the verifier once the proof has been generated. They are known for their efficiency: proof sizes are short and verification is fast, and both stay essentially constant regardless of the size of the computation being proven.
Key features of zk-SNARKs
- Trusted setup: SNARKs require a trusted setup phase, where an initial set of parameters, often called a Structured Reference String (SRS), is generated. This setup uses secret randomness that, if exposed, compromises the security of every proof created with that setup. This secret is often referred to as “toxic waste”. Trusted setups are often seen as a drawback because they introduce a trust assumption: users must trust that the setup was performed correctly and that the secret was destroyed afterward.
- Elliptic curve cryptography (ECC): Many SNARK constructions rely on elliptic curve cryptography, which depends on the hardness of the discrete logarithm problem (DLP). While this provides strong security against classical computers, it makes SNARKs potentially vulnerable to future quantum computers that could solve the DLP efficiently.
Popular zk-SNARK protocols
- Groth16: Groth16 is one of the most widely used SNARK protocols. It requires a circuit-specific trusted setup and is highly efficient, producing very small proofs and fast verification times. It is commonly used in blockchain projects, such as Zcash, due to its compact proof size.
- PLONK (Permutations over Lagrange-bases for Oecumenical Noninteractive arguments of Knowledge): PLONK is a more flexible SNARK protocol that uses a universal and updatable SRS: one setup can serve any circuit up to a size bound fixed by the ceremony, and further participants can add their own randomness to the SRS after it has been created. Unlike Groth16, PLONK’s setup is not tied to a particular circuit, so it can be reused across many circuits. This reduces the need for repeated trusted setups and makes it easier to add new programs or circuits without redoing the entire setup.
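The two setup models above (a secret that becomes toxic waste, and an updatable SRS that several participants contribute to) can be seen in a few lines of code. The following is an added example written for this article, not code from any SNARK library: a toy "powers of tau" ceremony over a deliberately tiny prime-order subgroup of Z_p^* (p = 1019, subgroup order 509, generator 4; all constructed here). Real ceremonies use pairing-friendly elliptic curves with roughly 256-bit group orders and verify each contribution with pairings, which this toy omits. The last function recovers the secret by exhaustive search, which works only because the group is tiny; it is there to make the point that the SRS hides tau exactly as well as the discrete logarithm problem is hard.

```python
# Toy "powers of tau" ceremony (constructed for this example; not a production setup).
# The group is a tiny prime-order subgroup of Z_p^*; real ceremonies use pairing-friendly
# elliptic curves with ~256-bit orders and check each contribution with pairings (omitted here).

P = 1019  # toy safe prime, P = 2*Q + 1
Q = 509   # prime order of the subgroup generated by G
G = 4     # a quadratic residue mod P, hence of order Q

def srs_from_secret(tau, degree):
    """What a single-party trusted setup outputs: [G^(tau^0), G^(tau^1), ..., G^(tau^degree)]."""
    return [pow(G, pow(tau, i, Q), P) for i in range(degree + 1)]

def contribute(srs, r):
    """A new participant folds secret r into an existing SRS: G^(tau^i) becomes G^((tau*r)^i).
    Only the updated SRS leaves this function; the participant must discard r (the toxic waste)."""
    return [pow(elem, pow(r, i, Q), P) for i, elem in enumerate(srs)]

def run_ceremony(degree, secrets):
    """Sequential contributions, starting from the trivial SRS with tau = 1."""
    srs = srs_from_secret(1, degree)
    for r in secrets:
        srs = contribute(srs, r)
    return srs

def combined_secret(secrets):
    """The effective tau after all contributions is the product of every participant's secret,
    so it stays hidden as long as at least one participant really destroyed their share."""
    tau = 1
    for r in secrets:
        tau = tau * r % Q
    return tau

def recover_tau_by_exhaustive_search(srs):
    """Discrete log of G^tau by trying every exponent: feasible only because Q is tiny.
    With a 256-bit group order this loop is the DLP the whole system relies on."""
    for tau in range(Q):
        if pow(G, tau, P) == srs[1]:
            return tau
    return None

if __name__ == "__main__":
    # Constructed secrets for two participants; in a real ceremony these never leave their machines.
    alice, bob = 123, 456
    srs = run_ceremony(degree=4, secrets=[alice, bob])
    print("SRS after two contributions:", srs)
    print("same as a one-shot setup with tau = alice*bob mod Q:",
          srs == srs_from_secret(combined_secret([alice, bob]), 4))
    print("toy group is too small: tau recovered =", recover_tau_by_exhaustive_search(srs))
```

The ceremony is updatable in exactly the sense the PLONK bullet describes: a later participant only needs the current SRS, not any earlier secret, and the result is identical to a one-shot setup whose secret is the product of all contributions.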
Characteristics of zk-SNARKs
- Proof size: Small, which makes SNARKs suitable for applications where bandwidth and storage are limited.
- Post-quantum security: Limited due to reliance on ECC. SNARKs are not quantum-resistant since a sufficiently powerful quantum computer could potentially solve the DLP.
- Trusted setup: This is required (in most SNARKs). The setup phase introduces a trust assumption that, if not managed correctly, can pose a potential security risk.
- Scalability: Efficient for applications requiring compact proofs and quick verification, though the need for trusted setups can be a limitation in highly dynamic environments.
What is a zk-STARK (Scalable Transparent Argument of Knowledge)
zk-STARKs are another class of ZKPs that seek to address the drawbacks of zk-SNARKs. They are designed to be scalable and "transparent," meaning they do not require a trusted setup phase. Instead, zk-STARKs use hash functions and publicly known randomness to construct proofs, which removes the setup trust assumption and improves scalability.
Key features of zk-STARKs
- Transparent setup: STARKs do not rely on secret parameters. Instead, their proofs are generated using public randomness, meaning that they do not have “toxic waste” that could compromise the system, and no trusted setup is required.
- Hash-based security: STARKs rely on hash functions, such as SHA-256, instead of elliptic curve cryptography. This makes them resistant to quantum attacks, as hash functions are currently considered secure in the presence of quantum computers.
Characteristics of STARKs
- Proof size: STARK proofs can be several times larger than SNARK proofs, which increases verification time and is a disadvantage in environments with limited bandwidth or storage. This is a consequence of their transparency: the hash-based polynomial commitments they use produce openings that grow with the size of the computation.
- Post-quantum security: Strong. Since STARKs use hash functions rather than elliptic curve cryptography, they are not known to be susceptible to quantum attacks under current cryptographic assumptions.
- Trusted setup: Not required. STARKs use a transparent setup, removing the need for trust in the setup phase and enhancing security.
- Scalability: Highly scalable, especially for large computations; their performance benefits become more apparent as complexity increases. The lack of a trusted setup also makes them more flexible, since no setup needs to be redone for each new application or use case.
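The transparent, hash-based design described in the two lists above (and the proof-size growth it causes) is easiest to see in a stripped-down prover and verifier. The following is an added example written for this article, not code from any STARK implementation: the prover commits to an execution trace of a toy computation (a_{i+1} = a_i^2 + c mod P, with P and the inputs constructed here) using a SHA-256 Merkle tree, the query positions are derived by hashing the commitment itself (Fiat-Shamir, so there is no secret and nothing to destroy), and the verifier checks Merkle paths plus the transition constraint at the queried rows. A real STARK additionally encodes the trace as a low-degree polynomial and runs the FRI protocol so that a handful of spot checks is sound; that part is omitted, so this toy only demonstrates the commitment, the public randomness, and why proof size grows logarithmically in the trace length.

```python
import hashlib

P = 2**31 - 1  # toy prime field for the trace values (constructed for this example)

def h(*parts: bytes) -> bytes:
    """SHA-256 over the concatenated parts: the only cryptographic primitive in use."""
    return hashlib.sha256(b"".join(parts)).digest()

def leaf_hash(value: int) -> bytes:
    return h(b"leaf", value.to_bytes(8, "big"))

def merkle_tree(values):
    """All levels of a Merkle tree over the values; level 0 holds leaf hashes, the last level the root."""
    assert len(values) > 0 and len(values) & (len(values) - 1) == 0, "power-of-two length expected"
    levels = [[leaf_hash(v) for v in values]]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([h(b"node", prev[i], prev[i + 1]) for i in range(0, len(prev), 2)])
    return levels

def merkle_open(levels, index):
    """Authentication path for one leaf: the sibling hash at every level below the root."""
    path = []
    for level in levels[:-1]:
        path.append(level[index ^ 1])
        index //= 2
    return path

def merkle_verify(root, index, value, path):
    node = leaf_hash(value)
    for sibling in path:
        node = h(b"node", sibling, node) if index & 1 else h(b"node", node, sibling)
        index //= 2
    return node == root

def trace(a0, c, n):
    """Execution trace of the toy computation a_{i+1} = a_i^2 + c (mod P) over n rows."""
    t = [a0 % P]
    for _ in range(n - 1):
        t.append((t[-1] * t[-1] + c) % P)
    return t

def challenge_indices(root, n, k):
    """Fiat-Shamir: the k query rows are derived by hashing the commitment, so no secret randomness exists."""
    return [int.from_bytes(h(b"query", root, i.to_bytes(4, "big")), "big") % (n - 1) for i in range(k)]

def prove(tr, k):
    levels = merkle_tree(tr)
    root = levels[-1][0]
    openings = [(i, tr[i], merkle_open(levels, i), tr[i + 1], merkle_open(levels, i + 1))
                for i in challenge_indices(root, len(tr), k)]
    return {"root": root, "n": len(tr), "boundary": (tr[0], merkle_open(levels, 0)), "openings": openings}

def verify(proof, a0, c, k):
    root, n = proof["root"], proof["n"]
    # The verifier recomputes the challenges from the root; the prover cannot choose convenient rows.
    if [o[0] for o in proof["openings"]] != challenge_indices(root, n, k):
        return False
    b_value, b_path = proof["boundary"]              # boundary constraint: row 0 holds the public input
    if b_value != a0 % P or not merkle_verify(root, 0, b_value, b_path):
        return False
    for i, a_i, path_i, a_next, path_next in proof["openings"]:
        if not (merkle_verify(root, i, a_i, path_i) and merkle_verify(root, i + 1, a_next, path_next)):
            return False
        if (a_i * a_i + c) % P != a_next:            # transition constraint at the queried row
            return False
    return True

def proof_size_bytes(proof):
    """Root + boundary opening + k row-pair openings; each path holds log2(n) 32-byte hashes."""
    size = 32 + 8 + 32 * len(proof["boundary"][1])
    for _, _, path_i, _, path_next in proof["openings"]:
        size += 2 * 8 + 32 * (len(path_i) + len(path_next))
    return size

if __name__ == "__main__":
    a0, c, k = 3, 7, 3                               # constructed public input, constant, query count
    honest = prove(trace(a0, c, 16), k)
    print("honest trace accepted:", verify(honest, a0, c, k))
    forged = prove([(a0 + i) % P for i in range(16)], k)   # well-formed commitment, wrong computation
    print("forged trace accepted:", verify(forged, a0, c, k))
    for n in (16, 32, 64):
        print(f"n={n:3d} rows -> proof {proof_size_bytes(prove(trace(a0, c, n), k))} bytes")
```

Doubling the trace length adds one hash to every authentication path, so the proof grows by 32 bytes per opening rather than staying constant as a Groth16 proof would; that logarithmic growth is the price of replacing a trusted SRS with a hash-based commitment.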
Comparing zk-SNARKs vs. zk-STARKs
| Feature | SNARKs | STARKs |
| --- | --- | --- |
| Trusted setup | Required (introduces trust assumptions, potential vulnerabilities, and scalability issues). | Not required (transparent and secure). |
| Proof size | Smaller. | Larger. |
| Scalability | Efficient for applications needing small proofs and fast verification. | More scalable for large computations (especially as complexity increases). |
| Post-quantum security | Vulnerable to quantum attacks due to reliance on ECC. | Resistant to quantum attacks due to hash-based security. |
Summary
zk-SNARKs are succinct zero-knowledge proof systems. They provide small proofs and fast verification times but require a trusted setup and rely on elliptic curve cryptography, which leaves them vulnerable to quantum attacks.
zk-STARKs, on the other hand, do not require a trusted setup. Instead, they rely on hash functions for security (making them quantum-resistant) and scale better for larger computations. However, they have larger proof sizes and slower verification for smaller computations.
These two main ZKPs are crucial for building ZK protocols in blockchain ecosystems, enabling blockchain scalability with layer 2 solutions and privacy-preserving applications to be built.
- To learn smart contract security and development, visit Cyfrin Updraft.
- Or to request a security review for your smart contract, contact us.