zk-SNARKs and zk-STARKs Explained
Privacy has always been viewed as a valuable feature within the cryptocurrency community. It is the precursor to fungibility, which is necessary for a widely used form of money. Similarly, most crypto-asset holders don’t want their holdings and transaction history to be completely public. Among the various cryptographic techniques aiming to provide privacy to blockchains, the zk-SNARK and zk-STARK proofs are two noteworthy examples.
zk-SNARK stands for zero-knowledge succinct non-interactive argument of knowledge, and zk-STARK represents zero-knowledge succinct transparent argument of knowledge. Zk-SNARK proofs are already being used on Zcash, on JP Morgan Chase’s blockchain-based payment system, and as a way to securely authenticate clients to servers. But while zk-SNARKs have made significant headway to being well-established and adopted, zk-STARK proofs are now being touted as the new and improved version of the protocol, addressing many of the previous drawbacks of zk-SNARKs.
The Ali Baba's Cave Parable
In 1990, a paper entitled "How to Explain Zero-Knowledge Protocols to Your Children" was published by cryptographer Jean-Jacques Quisquater (along with other collaborators). The paper introduces the concept of ZK proofs with a parable involving Ali Baba's Cave. Since its creation, the parable has been adapted several times and we now have multiple variations. Still, the underlying information is essentially the same.
Let’s imagine a ring-shaped cave with a single entry and a magic doorway that separates the two side paths apart. In order to go through the magic doorway, one needs to whisper the correct secret words. So consider that Alice (yellow) wants to prove to Bob (blue) that she knows what the secret words are - while still keeping them in secret. To do so, Bob agrees to wait outside, while she enters the cave and walks until the end of one of the two possible paths. In this example, she decides to go through Path 1.
After a while, Bob walks by the entrance and shout which side he wants Alice to appear from (Path 2 in this case).
If Alice truly knows the secret, she will reliably show up from the path Bob names.
The whole process may be repeated several times as a way to confirm that Alice is not choosing the right path by luck.
Ali Baba’s Cave parable illustrates the concept of zero-knowledge proofs, which are part of the zk-SNARK and zk-STARK protocols. ZK proofs can be used to prove possession of certain knowledge without revealing any information about it.
Zcash is the first widely available application of zk-SNARKs. While other privacy projects like Monero employ ring signatures and other techniques - effectively creating a smokescreen around who sent what - zk-SNARKs fundamentally changes the way data is shared. The privacy of Zcash is derived from the fact that transactions in the network can remain encrypted but still be verified as valid by using zero-knowledge proofs. So those that are enforcing consensus rules don’t need to know all of the data underlying each transaction. It’s worth mentioning that privacy features in Zcash are not active by default, but are rather optional and dependent on manual setup.
Zero-knowledge proofs allow one individual to prove to another that a statement is true, without disclosing any information beyond the validity of the statement. The parties involved are commonly referred to as a prover and a verifier, and the statement they hold in secret is called a witness. The main objective of these proofs is to reveal as little data as possible between the two parties. In other terms, one can use zero-knowledge proofs to prove that they have certain knowledge without revealing any information about the knowledge itself.
Within the SNARK acronym, “succinct” means that these proofs are smaller in size and can be quickly verified. “Non-interactive” means that there is little to no interaction between the prover and the verifier. Older versions of zero-knowledge protocols usually require the prover and verifier to communicate back and forth, and therefore, are considered “Interactive” zk proofs. But in “non-interactive” constructions, provers and verifiers only have to exchange one proof.
Currently, zk-SNARK proofs are dependent on an initial trusted setup between a prover and verifier, meaning that a set of public parameters is required to construct zero-knowledge proofs and, thus, private transactions. These parameters are almost like the rules of the game, they are encoded into the protocol and are one of the necessary factors in proving a transaction was valid. However, this creates a potential centralization issue because the parameters are often formulated by a very small group.
While an initial trusted setup is fundamental to today’s zk-SNARK implementations, researchers are working to find other alternatives as a way to reduce the amount of trust required in the process. The initial setup phase is important in preventing counterfeit spending because if someone had access to the randomness that generated the parameters, they could create false proofs that seemed valid to the verifier. In Zcash, the initial setup phase is known as the Parameter Generation Ceremony.
Moving onto the “Arguments of Knowledge” piece of the acronym. zk-SNARKs are considered computationally sound, meaning that a dishonest prover has a very low chance of successfully cheating the system without actually having the knowledge (or witness) to support their statement. This property is known as soundness and assumes that the prover has limited computing power.
Theoretically, a prover with enough computational power could create fake proofs, and this is one of the reasons quantum computers are considered by many as a threat to zk-SNARKs (and blockchain systems).
Zero-knowledge proofs are quickly verifiable and usually take up much less data than a standard Bitcoin transaction. This opens up a pathway for zk-SNARK technology to be used as both a privacy and a scalability solution.
zk-STARKs were created by Eli-Ben Sasson, a professor at the Technion-Israel Institute of Technology. As an alternative version of zk-SNARK proofs, zk-STARKs are, generally, considered a more efficient variant of the technology - potentially faster and cheaper depending on the implementation. But more importantly, zk-STARKs do not require an initial trusted setup (hence, the “T” for transparent).
Technically speaking, zk-STARKs do no require an initial trusted setup because they rely on leaner cryptography through collision-resistant hash functions. This approach also eliminates the number-theoretic assumptions of zk-SNARKs that are computationally expensive and theoretically prone to attack by quantum computers.
In other terms, zk-STARK proofs present a simpler structure in terms of cryptographic assumptions. However, this novel technology comes with at least one major disadvantage: the size of the proofs is bigger when compared to zk-SNARKs. Such a difference in data size may present limitations depending on the context of use, but it is probably something that can be figured out as the technology is further tested and investigated.
It is clear that both zk-SNARKS and zk-STARKs appeal to the growing concern in regards to privacy. Within the cryptocurrency world, these protocols have great potential and may be a groundbreaking avenue towards mainstream adoption.