Rob Behnke
March 11th, 2024
Zero-knowledge proofs (ZKPs) are cryptographic protocols with a range of applications in blockchain technology. A ZKP lets a prover convince a verifier that a statement is true without revealing anything beyond the fact that it is true, in particular without revealing the secret (the witness) that makes it true. This is useful for data privacy, and because many ZKPs are small and quick to verify, they are also widely used to improve blockchain scalability.
When building ZKPs, developers have several proof systems to choose from. Two of the most widely used in blockchain systems are zk-SNARKs and zk-STARKs.
Both can prove the same kinds of statements, but the two families differ significantly in their assumptions, proof sizes and performance characteristics.
Both ZKP systems are named using an acronym that describes some of their key features.
In the case of zk-SNARKs, this breaks down into:
Zero-Knowledge: zk-SNARKs can be used to build ZKPs, which prove a statement without revealing the secret witness behind it.
Succinct: Proofs are small and fast to verify regardless of how large the computation being proved is, which makes them cheap to store and check on-chain.
Non-Interactive: No interaction between the prover and verifier is needed to verify a proof. This is essential for blockchain applications, where a ZKP may be posted on-chain and verified by nodes and users who have no way of contacting the prover directly. zk-STARKs are also non-interactive, even though the letter N does not appear in their acronym.
Arguments of Knowledge: The proof is an argument (sound against computationally bounded provers, rather than unconditionally) that the prover actually knows a witness for the statement, not merely that one exists. The witness itself is never revealed.
For zk-STARKs, the acronym comes from the following:
Zero-Knowledge: Like zk-SNARKs, zk-STARKs are used to build ZKPs.
Scalable: The prover's work grows quasi-linearly and the verifier's work only polylogarithmically with the size of the computation being proved, so STARKs scale to very large statements.
Transparent: zk-STARKs use only public randomness (derived from hash functions), so they need no trusted setup in which secret parameters are created and then discarded. Removing that setup removes an entire class of risk, which can make zk-STARKs a safer choice than proof systems that rely on one.
Arguments of Knowledge: As with zk-SNARKs, the proof establishes that the prover knows a witness for the statement without revealing it.
In a nutshell, both zk-STARKs and zk-SNARKs are toolsets for building ZKPs. Both of them can be used to achieve many of the same purposes, but they have differences between them that can make them better or worse for a specific application.
SNARKs and STARKs both allow the development of ZKPs with similar functions. However, the two technologies have significant differences, including the following:
Trusted Setup: Many SNARK constructions require a trusted setup in which secret randomness (the "toxic waste") is used to generate the public proving and verifying parameters. The public parameters are kept, but the secret randomness must be destroyed: anyone who retains it can forge proofs of false statements that verify correctly. Multi-party setup ceremonies reduce this risk, because every participant would have to collude or be compromised, but they do not remove it. STARKs need no such setup.
Quantum Resistance: STARKs rely only on collision-resistant hash functions, against which known quantum algorithms give at most a quadratic speedup, so they are considered plausibly post-quantum. Most SNARKs rely on elliptic-curve pairings and the hardness of the discrete logarithm problem, which Shor's algorithm breaks on a sufficiently large quantum computer.
Proof Size: SNARKs produce much smaller proofs than STARKs: a few hundred bytes for a pairing-based SNARK versus tens to hundreds of kilobytes for a STARK. This matters for blockchains, where Layer 1 chains have limited block capacity and charge for every byte posted.
Verification Time: A STARK verifier's work grows only polylogarithmically with the size of the computation being proved, so for very large statements STARKs can be verified more quickly than SNARKs. For small statements a pairing-based SNARK, whose verifier does a constant amount of work, is usually cheaper to verify on-chain. The STARK prover's quasi-linear cost is what gives STARKs their scalability advantage, a vital feature as ZKPs become a core component of many blockchain systems.
Implementation Complexity: STARKs are a newer technology than SNARKs, so the libraries that support them are less mature. STARK-based systems also typically need their own arithmetization and prover tooling, rather than the more established circuit compilers available for SNARKs.
ZKPs built using SNARKs or STARKs are used in various blockchain applications. Some of the biggest use cases for ZKPs in the blockchain include:
Privacy: ZKPs enable someone to prove that something is correct without revealing the secret. Privacy coins can use ZKPs to demonstrate that a transaction is valid without revealing the source, destination, or value of the transaction.
ZK-Rollups: Zero-knowledge rollups such as zkSync are used to scale Layer-1 blockchains. A rollup executes transactions off-chain and records a single compressed state update on-chain, together with a ZKP that proves the update is the correct result of applying those transactions. The Layer-1 contract only has to verify the proof rather than re-execute the transactions, so the volume of on-chain data and computation drops and throughput rises.
Cross-Chain Verification: As blockchains become more interconnected, one chain may need to verify cross-chain transactions or data recorded on another chain. ZKPs make this possible by allowing proofs to be generated that demonstrate that a particular transaction has been recorded on another chain’s digital ledger.
From a security perspective, both SNARKs and STARKs have pros and cons. The trusted setup that many SNARK constructions require is a standing concern: if the secret randomness used in the setup is retained by anyone, proofs can be forged. The reliance of most SNARKs on elliptic-curve pairings also has long-term implications, since a sufficiently large quantum computer would break them.
On the other hand, the relative youth of STARK constructions carries its own risks. If there are overlooked flaws in their design or in the cryptographic libraries that implement them, then ZKPs built on a particular system may be vulnerable to exploitation.
SNARKs and STARKs also share the risks of poor ZKP design and implementation. A circuit that is under-constrained accepts witnesses it should reject, so a valid proof can exist for a false statement; and a verifier that skips a check, or fails to bind the proof to the public inputs it is supposed to cover, provides no security at all, however sound the proof system beneath it. A ZKP protects only what its verifier actually checks.
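The verifier point above, and the non-interactive and argument-of-knowledge properties from the acronym section, can all be shown with the smallest argument of knowledge there is. The following is an added example, not code from the original article or from any SNARK or STARK library: a Schnorr proof of knowledge of a discrete logarithm, made non-interactive with the Fiat-Shamir transform. It is not a SNARK, but it has the same shape: a prover holding a witness x, a public statement y = g^x, and a verifier that must recompute the challenge and check every equation itself. The group is generated at run time (a 128-bit safe prime, chosen for speed, not security); all function names and the dictionary layout of the proof are this example's own. Alongside the correct verifier is a deliberately broken one that trusts the prover's challenge, and a forger that needs no witness to satisfy it.

```python
import hashlib
import secrets


def is_probable_prime(n, rounds=24):
    """Miller-Rabin primality test with random bases (probabilistic)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_schnorr_group(bits=128):
    """Return (p, q, g): p = 2q + 1 is a safe prime and g generates the
    order-q subgroup. 128 bits keeps the demo fast; real deployments use
    2048+ bits or an elliptic-curve group."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4  # 4 = 2^2 is a square, so its order is q


P, Q, G = gen_schnorr_group()


def keygen():
    """Witness x and public statement y = g^x; the proof shows knowledge of x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def challenge(y, t):
    """Fiat-Shamir: the verifier's random challenge is replaced by a hash of
    the group, the statement and the commitment, so no interaction is needed."""
    h = hashlib.sha256(f"{P}|{Q}|{G}|{y}|{t}".encode()).digest()
    return int.from_bytes(h, "big") % Q


def prove(x, y):
    k = secrets.randbelow(Q - 1) + 1
    t = pow(G, k, P)                 # commitment to fresh randomness
    c = challenge(y, t)
    s = (k + c * x) % Q              # response; x stays hidden behind k
    # A real proof is just (t, s); c is included only so that verify_broken
    # below can illustrate a verifier that trusts it.
    return {"t": t, "c": c, "s": s}


def verify(y, proof):
    """Correct verifier: checks group membership and recomputes the challenge."""
    t, s = proof["t"], proof["s"]
    if not (1 < t < P and pow(t, Q, P) == 1):   # t must lie in the order-q subgroup
        return False
    if not 0 <= s < Q:
        return False
    c = challenge(y, t)
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def verify_broken(y, proof):
    """Flawed verifier: uses the challenge the prover supplied instead of
    recomputing it, so the challenge no longer binds anything."""
    t, c, s = proof["t"], proof["c"], proof["s"]
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def forge(y):
    """Without knowing x: pick c and s freely and solve the check equation for t."""
    c = secrets.randbelow(Q)
    s = secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(pow(y, c, P), -1, P)) % P
    return {"t": t, "c": c, "s": s}


if __name__ == "__main__":
    x, y = keygen()
    print("honest proof, correct verifier:", verify(y, prove(x, y)))
    fake = forge(y)
    print("forged proof, broken verifier: ", verify_broken(y, fake))
    print("forged proof, correct verifier:", verify(y, fake))
```

The forged proof satisfies the verification equation exactly, so the broken verifier accepts it; the correct verifier rejects it because the challenge it recomputes from (y, t) does not match the one the forger chose. The same lesson applies to a SNARK or STARK verifier contract: every value that should come from hashing or from the public inputs must be recomputed by the verifier, never read from the proof.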
zk-SNARKs and zk-STARKs — and the ZKPs built using them — have significant potential in the blockchain space. Many blockchain privacy and security solutions are based on these technologies, and many teams are actively researching and developing solutions built on the technology.
However, while SNARKs and STARKs can provide significant security and privacy benefits, like any technology, there are security risks if they are used incorrectly. For this reason, any blockchain solution built using ZKPs should undergo a comprehensive security audit before deployment. For more information about securely deploying your ZKP-based project, get in touch with Halborn.