zk-STARKs vs zk-SNARKs: Differences in zero-knowledge technologies
In the previous article, we explored zero-knowledge proofs and their role in blockchains. Today, we will look at the two most popular types of non-interactive ZKPs, zk-STARKs and zk-SNARKs, and discuss the differences between them.
zk-STARKs vs. zk-SNARKs
A quick reminder: zero-knowledge technology is a cryptographic technique that lets a user demonstrate knowledge or possession of a piece of information without disclosing the underlying data. A “verifier,” who cannot see the data, checks that the proof supplied by the “prover” was computed correctly from the prover's knowledge of the system's inputs. In essence, zero-knowledge proofs allow one party to confirm the accuracy of a dataset while the data itself stays private.
zk-STARKs and zk-SNARKs are two of the most popular zero-knowledge technologies available today. zk-STARK stands for zero-knowledge scalable transparent argument of knowledge, while zk-SNARK stands for zero-knowledge succinct non-interactive argument of knowledge. As mentioned above, both are non-interactive zero-knowledge proofs: the prover produces the proof as a single message, and the verifier checks it without any further back-and-forth with the prover.
The table below shows the core differences between zk-STARKs and zk-SNARKs from both cultural and technical perspectives.
Source: Matter Labs
At its core, zk-SNARKs rely on elliptic curves for security. Elliptic curves are used in cryptography on the assumption that it is computationally infeasible to determine the discrete logarithm of a random elliptic-curve element with respect to a known base point.
Although there has been much discussion about whether elliptic-curve random number generators have a backdoor, the technique as a whole is still largely considered secure. Side-channel attacks on elliptic-curve implementations include a few well-known vulnerabilities, but these flaws can readily be fixed using a variety of established countermeasures. Elliptic-curve cryptography is also vulnerable to quantum attacks, but the scale of quantum computing needed to undermine its security model is not yet generally available.
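As an added illustration of the discrete-logarithm assumption described above (example code written for this article's readers, not code from the original article or from any SNARK library), the following Python builds a toy elliptic curve over a tiny prime field. The curve parameters, base point and scalars are constructed values chosen for readability; real curves use fields of roughly 256 bits, where the exhaustive search in `brute_force_dlog` is completely out of reach while `scalar_mult` remains fast.

```python
# Toy elliptic curve over a small prime field, illustrating the
# discrete-logarithm assumption that zk-SNARK security rests on.
# All parameters are constructed for illustration only and are far too
# small for any real use.

P = 97             # prime field modulus (constructed toy value)
A, B = 2, 3        # curve y^2 = x^3 + A*x + B over F_P (non-singular: 4A^3+27B^2 != 0 mod P)
G = (3, 6)         # base point; check: 6^2 = 36 and 3^3 + 2*3 + 3 = 36 (mod 97)

INF = None         # point at infinity (the group identity)


def is_on_curve(pt):
    """True if pt is INF or satisfies the curve equation."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0


def add(p1, p2):
    """Affine point addition on the curve, including doubling and inverses."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                                   # p1 == -p2
    if p1 == p2:                                     # tangent slope for doubling
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:                                            # chord slope for distinct points
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, pt):
    """Double-and-add: computes k*pt in about log2(k) group operations."""
    result = INF
    addend = pt
    while k > 0:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def group_order(base):
    """Order of the cyclic subgroup generated by base (only feasible at toy sizes)."""
    n = 1
    current = base
    while current is not INF:
        current = add(current, base)
        n += 1
    return n


def brute_force_dlog(target, base, max_steps=10_000):
    """Recover the smallest k with k*base == target by walking the subgroup.

    The cost grows linearly with the subgroup order, which is why real
    curves use subgroups of size ~2^256: there, this search is infeasible
    even though scalar_mult stays cheap. Returns None if not found."""
    current = INF
    for k in range(max_steps):
        if current == target:
            return k
        current = add(current, base)
    return None


if __name__ == "__main__":
    n = group_order(G)
    Q = scalar_mult(23, G)
    print("subgroup order:", n)
    print("23*G =", Q, "recovered k =", brute_force_dlog(Q, G))
```

Scalar multiplication needs only a handful of doublings and additions, whereas the brute-force search visits the subgroup one point at a time, so its cost is proportional to the group order; making that order around 2^256 is what turns "slow" into "infeasible".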
In addition to their elliptic-curve foundation, zk-SNARKs also need a trusted setup: the initial generation of the keys used to produce the proofs required for private transactions and to verify those proofs. When those keys are generated, a secret parameter links the verification key to the keys used to send private transactions. If the secrets used to construct these keys in the trusted-setup ceremony were not destroyed, whoever held them could, for example, create brand-new tokens out of thin air and spend them in transactions, and because of the privacy features of zk-SNARKs there would be no way to tell that those tokens had been created out of thin air. That said, the trusted setup is only required at the start.
Users of a SNARK-based network must trust that the setup was carried out properly, meaning that the secret material behind the setup key was destroyed and is not still in the possession of the people who ran the ceremony. This reliance on a trusted setup has been one of the main points of contention for SNARKs' detractors. Nevertheless, developers only need to run the trusted setup once, not repeatedly.
The fact that SNARKs are not quantum resistant is another significant concern. A SNARK-based privacy solution would be rendered useless once quantum computing became widely accessible, and the damage would not stop there: quantum computers would also break RSA and the majority of today's wallet infrastructure.
Nonetheless, despite the issues with the trusted setup, SNARKs have been adopted faster than STARKs for several reasons. SNARKs were developed many years before STARKs, which gave the technology a head start in adoption. Zcash, one of the more established digital-asset projects, helped spread the use of SNARKs among blockchain developers. Thanks to Zcash and other SNARK adopters, SNARKs have the most developer libraries, published code, projects, and developers actively working on the technology; the emerging DEX Loopring also uses SNARKs. A developer starting out with zero-knowledge technology would find far more support for SNARKs than for STARKs.
Additionally, SNARKs are predicted to need only 24% of the gas that STARKs would, making SNARK transactions far more affordable for the end user. Last but not least, SNARK proofs are substantially smaller than STARK proofs, so they require less on-chain storage.
While STARKs have some drawbacks compared to SNARKs, such as weaker documentation and developer support, they do offer some unique features. Unlike SNARKs, STARKs' underlying technology is based on hash functions. Relying on hash functions provides several advantages right away, notably quantum resistance. Additionally, no trusted setup is needed to start using STARKs in a network.
On the other hand, STARKs have far larger proof sizes than SNARKs, which makes STARK verification more time-consuming and increases the gas required.
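The hash-based foundation mentioned above and the larger proof size are two sides of the same design: a STARK prover commits to large tables of polynomial evaluations with a Merkle tree built from a collision-resistant hash, and every query the verifier makes is answered by opening one leaf together with its path of sibling hashes, so the proof carries log2(n) hashes per query instead of a few constant-size curve elements. The following Python (an added example for this article, not code from the original article or from StarkWare) shows that commit/open/verify cycle with SHA-256; the eight evaluation values are constructed inputs.

```python
import hashlib


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _leaf(value: bytes) -> bytes:
    # Domain-separate leaf hashes from internal-node hashes so an internal
    # node can never be passed off as a leaf (second-preimage hardening).
    return _h(b"\x00" + value)


def _node(left: bytes, right: bytes) -> bytes:
    return _h(b"\x01" + left + right)


def build_tree(leaves):
    """Commit to a list of values. Returns all tree levels:
    levels[0] holds the leaf hashes, levels[-1] holds the single root.
    The number of leaves must be a power of two (a tiny toy restriction)."""
    count = len(leaves)
    assert count > 0 and count & (count - 1) == 0, "leaf count must be a power of two"
    level = [_leaf(v) for v in leaves]
    levels = [level]
    while len(level) > 1:
        level = [_node(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def root(levels) -> bytes:
    """The commitment: one 32-byte hash regardless of how many leaves."""
    return levels[-1][0]


def open_path(levels, index):
    """Opening for one position: the sibling hash at each level, leaf to root.
    Its length is log2(number of leaves), which is the per-query proof cost."""
    path = []
    for level in levels[:-1]:
        path.append(level[index ^ 1])       # sibling sits at the neighbouring index
        index >>= 1
    return path


def verify(root_hash: bytes, index: int, value: bytes, path) -> bool:
    """Recompute the root from the claimed value and its path; True only if
    the value really sits at this index in the committed table."""
    node = _leaf(value)
    for sibling in path:
        if index & 1:                        # we are the right child
            node = _node(sibling, node)
        else:                                # we are the left child
            node = _node(node, sibling)
        index >>= 1
    return node == root_hash


if __name__ == "__main__":
    # Constructed sample: eight "evaluations" a prover wants to commit to.
    evaluations = [f"eval{i}".encode() for i in range(8)]
    levels = build_tree(evaluations)
    commitment = root(levels)
    proof = open_path(levels, 5)
    print("root:", commitment.hex())
    print("path length:", len(proof), "hashes")
    print("valid opening:", verify(commitment, 5, evaluations[5], proof))
    print("tampered value:", verify(commitment, 5, b"tampered", proof))
```

Nothing here depends on a secret parameter: anyone can recompute the root from public data, which is the "transparent" in STARK, and the only assumption is that SHA-256 is collision resistant, a property not known to be broken by quantum algorithms beyond a square-root speedup.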
The lack of developer documentation and of a development community makes it considerably harder for developers to use STARKs. Although some projects, like StarkWare, are developing STARK-based scaling solutions, the SNARK community is still significantly larger.
While the developer communities for both SNARKs and STARKs are outspoken in their support, the Ethereum Foundation specifically backs StarkWare, which uses STARKs. The Ethereum Foundation has awarded StarkWare a $12 million grant, demonstrating its commitment to developing the technology.
Furthermore, even though the documentation for STARKs is still inferior to that for SNARKs, the technical community has recently created a wider range of resources for those wishing to adopt this cutting-edge technology.
About Orochi Network
Orochi Network provides the missing building blocks for decentralized gaming and the metaverse: the first infrastructure to offer verifiable computation.
We allow computation to be processed off-chain at zero cost without sacrificing decentralization. Using zero-knowledge proofs to prove and verify the computation, projects can have the results verified on-chain efficiently through smart contracts.