zk-SNARKs vs zk-STARKs: Comparing Zero-knowledge Proofs
To understand the concept of zk-SNARKs vs zk-STARKs and how these cutting-edge zero-knowledge technologies measure against each other, it’s imperative to first outlay the problem they solve.
Lack of privacy and scalability are the two biggest obstacles hampering the mass adoption of blockchain technology. As beautiful as the idea of a public and permissionless blockchain is, without data privacy, a Web3-heavy future could look like a dystopia in which every single transaction leaves a clear trail open to the public to learn everything about you.
Publicly accessible transaction records are great as verifiable activity proofs. However, anyone who cared could go digging, linking payment to payment, and tying your real-world identity to your on-chain trail with the intent of using it against you.
Similarly, a lack of scalability can gravely inhibit the prospects of blockchain adoption. The scalability problem has been at the core of most of the blockchain innovations we’ve seen in the past couple of years. Without sacrificing decentralization, the current state of blockchain technology simply cannot support applications that reach mass adoption.
Then came zero-knowledge proofs – a single solution to both problems.
ZKPs – a solution to the blockchain privacy/scalability riddle
A ZKP (Which stands for zero-knowledge proof) allows one party to verify (among other things) a claim that a transaction is valid or correct without the need to carry additional information about the transaction. Through them, cryptography found a way to prove that a statement is true without revealing sensitive information, thus being able to verify the authenticity of a transaction.
The emergence of ZK-proofs signaled a new dawn for the crypto space. Not only could they enable truly private transactions, but they could also help networks like Ethereum scale.
For a zero-knowledge proof to work, it needs to fulfill three conditions – completeness, soundness, and zero-knowledge. ZKPs can be of one of two types – interactive and non-interactive. Interactive zero-knowledge proofs required constant, back-and-forth interactions between the prover and the verifier until the verifier confirmed the truth in the prover's claims. As such, non-interactive ZKPs came about to offer a more efficient solution.
Non-interactive ZKPs require no back and forth interactions, with a single exchange of information sufficing to satisfy both parties.
The most prominent non-interactive ZKPs are zk-SNARKs and zk-STARKs. In this article, we’ll look at what they are, their differences, applications, and use cases.
What are zk-SNARKs?
zk-SNARK stands for Zero-knowledge Succinct Non-interactive Argument of Knowledge, a type of non-interactive zero-knowledge proof widely used today to build zero-knowledge protocols. Privacy coins like Zcash use them to offer a shielded blockchain experience while providing sufficient proof that every shielded transaction is valid.
To understand their inner workings, we must consider each letter of the acronym:
- ZK: This pair represents “zero-knowledge”, signifying that the proof provides no additional information other than the validity of its submitter claims. Any information that describes the nature of the transaction(s), its participants, and the exchanged value is withheld from the verifier.
- S: This letter stands for “succinct”, meaning that the proof size is small (occupying little space) paving the way for quick and easy verifications.
- N: Stands for non-interactive, meaning that little or no interaction is required between prover and verifier. Everything from proof generation to submission and verification occurs within a single transaction.
- ARK: Represents “Argument of Knowledge”.This part adds the quality of computational soundness. Simply put, a bad actor can hardly cheat zk-SNARK based systems without the knowledge to support their claim (i.e. by holding the underlying information they’re trying to forge). This is based on the theory that the bad actor has limited computational power, meaning that anyone with unlimited computational power could create fake proofs. Some zk-SNARK protocols have a way to prevent this kind of attack.
This type of zero-knowledge proof has an important piece of their makeup: they require a trusted setup between prover and verifier. To construct zero-knowledge proofs with them, a set of public parameters is needed, along with the creation of cryptographic keys. You can liken these parameters to the “rules” of a protocol, and they are usually encoded. Meanwhile, the keys make privacy possible.
Zcash is one of the foremost privacy-preserving protocols that use zero-knowledge SNARKs. Some popular ZK-rollups and Layer-2 blockchains also use zk-SNARK-powered ZK technology to provide scalability to traditional blockchain networks like Ethereum.
What are zk-STARKs?
The first papers detailing STARKs were published in 2018 by Eli Ben-Sasson, Iddo Bentov, Yinon Horeshy, and Michael Riabzev. As another type of non-interactive zero-knowledge proof, zk-STARKs are less popular than their counterparts, mostly because they are a newer model. The term stands for zero-knowledge scalable transparent arguments of knowledge, and they are faithful to the fundamentals of zero-knowledge proofs, allowing users to share validated data or perform computations with third parties without disclosing any actual information to the third party. Like we did before, we will evaluate each letter of the acronym to learn how zk-STARK proofs work.
- ZK: Like in “zk-SNARKs”, this also means “zero-knowledge”, implying that they prove transactions or interactions without disclosing any underlying information except that they are correct and authentic.
- S: This means “scalable”, highlighting how these zero-knowledge proofs focus on enhancing blockchain scalability. zk-STARKs enable developers to execute computation and store data off-chain, increasing scalability exponentially. The zero-knowledge proofs verify these off-chain activities, which are then submitted online for interested parties to verify them.
- T: Stands for “transparent”, and this quality marks one of the most significant differences between zk-STARKs and zk-SNARKs. They use publicly-available randomness to generate parameters, eliminating the need for a trusted setup.
- ARK: “Argument of Knowledge” implies the same as before, but uses a different computation approach. It uses hash functions resistant to collisions, effectively eliminating the need for trusted setups.
zkSTARK technology is more recent, and it was pioneered by Starkware with rollup solutions. Using zk-STARKs, one can compute several thousands of transactions in batches off-chain and submit a sole zkSTARK proof to confirm the transactions’ validity on-chain.
zk-SNARKs vs. zk-STARKs: similarities and differences
These two share a few similarities. Firstly, they are cutting-edge non-interactive zero-knowledge proof protocols, requiring little interaction between prover and verifier. Proof generation, submission, and verification are usually completed within one transaction.
Also, they enhance blockchain scalability. Zero-knowledge proofs are much smaller than the average Bitcoin transaction and get verified much quicker. Swift verification and less block space mean more scalability for networks like Ethereum.
Differences
zk-SNARKs and zk-STARKs differ on four major points, at least:
Transparency
When comparing zk-SNARKs vs zk-STARKs, one key difference lies in their approach to transparency. zk-SNARKs need an initial trusted setup phase to generate the randomness required to generate zero-knowledge proofs. These parameters are usually held in the custody of a small group to protect them. If the parameters fall into the wrong hands, dishonest actors could use them to create false proofs.
zk-STARKs follow a different approach, utilizing collision-resistant cryptography to eliminate the need for private parameter generation ceremonies. Without trusted setups, the parameters for generating randomness are public, limiting centralization and empowering transparency.
Security
Another distinction between zk-SNARKs vs zk-STARKs is their approach to security. Zero-knowledge SNARKS use an initial setup to generate parameters and, according to their setup, are computationally sound. Their soundness, however, assumes that provers have limited computing power. However, when a prover uses an unlimited amount of computing power, they will be able to, for instance, make use of a certain algorithm that can execute extremely quick parallel integer factorization computations that can be used to extract a private key from a public key. In other words, they will be able to breach proof systems. Thus, they are in theory vulnerable to quantum computing attacks, therefore, not quantum resistant.
zk-STARKs do not need an initial trusted setup, choosing a collision-resistant approach instead. Thus, unlike their counterpart, they do not require high computation costs, eliminating the threat of being compromised by the unlimited computation power of quantum computing. They are, therefore, higher in the quantum resistant scale.
Scalability
zk-STARKs have far larger proof sizes than zk-SNARKs, however, zk-SNARKs’ computational demand makes them slower to generate proofs compared to the other option. They also consume less gas than zk-STARKs, and they verify proofs faster because of the difference in byte size.
While it may seem like zk-SNARKs are more scalable due to their faster proof verification, zk-STARKs generate proofs quicker and scale faster, even though they have larger proof sizes. Additionally, zk-STARKs consume less gas when coming on-chain due to the adoption of off-chain computation and storage. However, during periods of low throughput (few proofs created), they will take much longer to verify.
Structure
zk-SNARKs are built on elliptic curves, which improve security and privacy under the assumption that it is infeasible to find the discrete logarithm of a random elliptic curve element in relation to a public base point.
zk-STARKs, on the other hand, uses lean cryptography – collision-resistant hash functions – to provide scalability and security.
zk-SNARKs vs. zk-STARKs: Applications and Use Cases
zk-SNARKs
zk-SNARKs are the more popular of the two main non-interactive zero-knowledge proofs. Several projects in the crypto space today have adopted them to further scalability and privacy, with the latter being more widely used.
They generate and verify zero-knowledge proofs quickly, and privacy-enhancing protocols have used them vastly. With them, privacy-enabled blockchains can shield transactions from the public eye, allowing users to provide zero-knowledge proofs in the place of average transaction records.
Some privacy protocols like Panther Protocol have integrated selective disclosure mechanisms that allow users to share the information shielded by the blockchain with trusted third parties.
Another application of zk-SNARKs is identity verification, allowing users to pass KYC and AML requirements without putting their sensitive information at risk. With them, these protocols can allow users to submit a zero-knowledge proof of their identity instead of documents, confirming that they have the required data to be verified without revealing any extra information. They have also been adopted to drive privacy in decentralized finance, gaming, ZK-rollups, and asset ownership.
zk-STARKs
zk-STARKs are known to scale better than zk-SNARKs. Hence they have been adopted by blockchain scalability solutions like ZK-rollups and Layer-2 blockchain solutions. With them, these protocols compute transactions and store data off-chain, then submit zero-knowledge proofs on-chain to update the network's state.
About Panther
Panther is a decentralized protocol that enables interoperable privacy in DeFi using zero-knowledge proofs.
Users can mint fully-collateralized, composable tokens called zAssets, which can be used to execute private, trusted DeFi transactions across multiple blockchains.
Panther helps investors protect their personal financial data and trading strategies, and provides financial institutions with a clear path to compliantly participate in DeFi.