In the evolving blockchain landscape, zero knowledge proofs have emerged as the most powerful cryptographic technology allowing more privacy and scalability. Also known as arguments of knowledge, they generate proof that some computation has a particular output while verifying that proof very quickly. The zero knowledge (ZK) part is an additional privacy bonus that keeps some inputs of the computation hidden.
ZK-SNARK is the first and most popular implementation of this cryptographic technology, but modern ZK-EVMs also employ zk-STARK for better efficiency. In this article, we’ll review and compare these two ZK-protocols – zk-SNARKs vs. zk-STARKs – shedding light on how they tackle blockchain’s scalability trilemma.
Zero-knowledge protocol, a method that uses ZK-proofs, allows one party to quickly prove that a computation has a particular output without revealing specific inputs to that computation. The secret information to be proved and validated is called a witness.
Sometimes, complex concepts are better understood with simpler, everyday analogies:
Imagine you’re a baker claiming you know a secret ingredient that produces a unique gold crust when added to a basic bread recipe and baked 100 times in a special oven. Instead of making someone bake it 100 times to verify, you provide a quick method to confirm the crust without revealing the secret ingredient. Like the baker’s method, the proof confirms the statement about the secret number without revealing it or undergoing a lengthy process.
In the realm of blockchain, consider the process akin to mining a block:
Imagine a miner claiming, “I have found a nonce that, when appended to a specific block’s header and hashed through SHA256, produces a hash value starting with a certain number of zeros.” Instead of having every participant in the network compute the hash to confirm its validity, which would be immensely time-consuming and energy-draining, the miner provides a succinct proof. This proof allows anyone to rapidly validate the claim without redoing the extensive hashing or discerning the exact nonce used.
Just like in the original scenario, the core idea is verifying a statement quickly without unveiling the specific secrets or redoing all the work.
ZK-proofs are powered by some really clever but very complex math, which we will only outline here. Consider a massive computation where we encode something with an input number and hash it one million times. A “succinct” proof aims to verify a certain output will come out of the computation without mirroring every step. Instead of checking each computation piece, a verifier, through random sampling, examines only a small share of the total parts. If these checks pass, it’s assumed that the entire computation is likely correct.
ZK-proofs bring two crucial benefits:
Owing to these powerful advantages, cryptographic tools like zk-SNARKs and zk-STARs are ideal for layer 2 scalability – reliably confirming off-chain transitions without re-execution on the main network.
Both zk-SNARKs and zk-STARKs refer to the same cryptographic technology of validating proofs in a really efficient and private way. However, these two tools are different in their implementation. SNARKs produce succinct and non-interactive proofs, while STARKs produce scalable and transparent ones. We’ll cover the difference next.
ZK-SNARKs, or “Zero Knowledge Succinct Non-Interactive Argument of Knowledge,” are cryptographic proofs that allow one to validate the claim without repeating lengthy computations and keeping some inputs private.
The Succinct part ensures that the verification process doesn’t take as much time as the computation. Otherwise, the verifiers would compute the output themselves. You can achieve this with random sampling, but the process will be fragile: a random check would never spot a deliberately inserted error. The answer to the problem is polynomial commitments, and the three main ways they’re implemented are FRI, bulletproofs, and Kate. We won’t go into details because it’s really heavy in the math department, but you can read Buterin’s article.
An important feature of SNARKs is the Non-Interactive part, where there’s no need for constant interaction between the prover and verifier. Interactive proving requires both parties, which limits its power. Any generated proof couldn’t be independently verified without initiating a new conversation between the prover and verifier, which is not cost-effective.
With a shared key (a.k.a public parameters) between the prover and verifier, these proofs allowed the prover to establish knowledge of certain data without actually revealing it. Non-interactive proofs streamlined the process, necessitating just one round of communication. The prover inputs the secret data into an algorithm to generate a zero-knowledge proof, which the verifier then checks using another algorithm. Once established, this proof can be verified by anyone with a shared key.
The shared key used for non-interactive proofing, known as the Common Reference String (CRS), is crucial for the protocol’s security. Any compromise in CRS can enable dishonest provers to fabricate false proofs. Multi-party computation (MPC) is utilized to counteract these threats, with multiple participants contributing random values during a trusted setup ceremony.
The zk-SNARK protocol’s integrity relies heavily on this trusted setup phase. Any missteps can threaten the security of all circuits of the ZK-EVM. Given its importance, we recommend undergoing a blockchain protocol audit to ensure the setup is executed correctly.
The first real use case of zk-SNARK in Web3 is Z.cash – a cryptocurrency that utilizes ZK-proofs for enhanced transaction privacy. Before its launch in 2016, zk-SNARK was just academic research.
Z.cash has contributed to the widespread use of this concept in ZK-rollups to enhance scalability. ZK-SNARKs have been applied in layer 2 protocols known as ZK-rollups to enhance scalability. Popular ZK-rollups include Loopring, zkSync, ZKSpace, Aztec, etc.
ZK-STARKs, or “Zero Knowledge Scalable Transparent Argument of Knowledge,” are a specific type of zk-SNARKs. STARK protocols are ideal when working with witnesses of large size. They also provide higher transparency.
ZK-STARKs have higher verification overhead than zk-SNARK, but they are way more cost-effective when working with big witnesses. In other words, STARK is a great solution when you need scale.
Another important feature of the STARK protocol is no need for a trusted setup because it uses publicly verifiable randomness to generate public parameters. Hence, it’s considered more transparent for situations where the credibility of the CRS process is unknown.
Like zkSNARKs, zkSTARKs are used for generating validity proofs to confirm the integrity of all the computations and transactions for ZK-Rollups. The pioneer project in zk-STARKs is Starkware. The company has developed its ZK-friendly language Cairo and the Starknet layer 2.
ZK-SNARK | ZK-STARK | |
Proof Size | Low. Allow for EVM data availability | High. Driving the costs up |
Trust Setup | Requires a trusted setup | Does not require a trusted setup |
Verification Time | Fast verification times | Faster times only with large datasets |
Quantum Security | Not quantum-resistant | Quantum-resistant |
Transparency | Less transparent due to trusted setup | More transparent using public verifiable randomness |
Scalability | Less scalable, linear increase | Highly scalable |
Use Cases | Best for systems where proof size and speed are key | Best where transparency and quantum-resistance are priorities |
A critical and emerging transition in the block validation process is the rise of ZK-EVMs.
ZK-EVM enables EVM (Ethereum Virtual Machine) execution for layer 2 protocols known as ZK-rollups. Some of these rollups are already in progress: ZK-EVM Community Solution, Polygon zkEVM, ZKSync Era, Scroll’s ZK-EVM, and others.
There are generally four types of ZK-EVM depending on the level of compatibility and equivalency with EVM. For example, Ty[e 1 ZK-EVM permits a 1:1 EVM compatibility: smart contracts written for Ethereum can be deployed as it is on ZK-EVM-based layer 2. So, Solidity can be used instead of dedicated languages for ZK-proofs like Circom and Cairo.
Here, it’s important to mention that modern ZK-EVMs employ both SNARK and STARK for higher efficiency. Another caveat is that “zero knowledge” is not used in existing ZK-Rollups, only succinctness (computation compression).
ZK-SNARKs and ZK-STARKs are groundbreaking cryptographic tools that can revolutionize how we view scalability and privacy in blockchain systems. Many believe that ZK-STARKs is an improvement from zk-SNARKs because of its quantum-resistance, scalability, and transparency. Yet, the current downside with STARKs is larger proof sizes and higher costs. Hence, SNARKs won’t go anywhere anytime soon.
As research progresses, it’s clear that both will continue to play pivotal roles in shaping the future of decentralized systems and ensuring cheap, swift, and private transactions.
Ben-Sasson, E., Bentov, I., Horesh, Y., & Riabzev, M. (2018). “Scalable, transparent, and post-quantum secure computational integrity.” https://eprint.iacr.org/2018/046
Buterin, V. (2022). “Some ways to use ZK-SNARKs for privacy.” https://vitalik.ca/general/2022/06/15/using_snarks.html
Buterin, V. (2021). “An approximate introduction to how ZK-SNARKs are possible.” https://vitalik.ca/general/2021/01/26/snarks.html
Chen, T., Hui Lu, H., Kunpittaya, T., & Luo, A. (2022). “A Review of ZK-SNARKs.” https://arxiv.org/abs/2202.06877
Ethereum.org (2023). “Zero Knowledge Rollups.” https://ethereum.org/en/developers/docs/scaling/zk-rollups/
Be the first to receive our latest company updates, Web3 security insights, and exclusive content curated for the blockchain enthusiasts.
Table of contents
Tell us about your project
14 min read
Discover
28 min read
Discover