Cryptography

ZK-SNARKs and ZK-STARKs

Zcash allows transferring a Bitcoin-equivalent completely anonymously - sender, receiver, and amount are all hidden. Under the hood: 192 bytes of mathematical proof and 2 ms of verification.

  • **Zcash Sapling**: Groth16 makes every shielded transaction a proof of knowledge of the spending key - 192 bytes, 2 ms to verify.
  • **zkSync Era and Polygon zkEVM**: PLONK-based rollups batch thousands of Ethereum transactions into a single proof on L1.
  • **StarkNet**: Cairo VM + STARKs with no trusted setup - L2 with mathematically verifiable correctness for every block.
  • **Ethereum KZG Ceremony 2023**: 140,000+ participants created the SRS for EIP-4844 blob transactions, enabling data availability for L2s.

Trusted Setup and the Structured Reference String (SRS)

A SNARK (Succinct Non-interactive ARgument of Knowledge) requires a preliminary setup procedure that generates public parameters (the Common Reference String, CRS). The setup publishes powers of a secret value tau hidden in an elliptic-curve group: [tau^0]G, [tau^1]G, ..., [tau^n]G. If tau is known to an adversary, that adversary can produce fake proofs for false statements. The secret tau is called 'toxic waste' - it must be destroyed after the setup.

Circuit-specific vs universal setup: Groth16 requires a separate trusted setup for each circuit. PLONK and Marlin use a universal SRS - a single setup works for any circuit up to a maximum size. Transparent setup (no trusted setup required): STARKs and Bulletproofs use only publicly verifiable randomness (hashes). Ethereum uses KZG polynomial commitments with the Ethereum KZG ceremony 2023 - the largest in history.

Why is the 'toxic waste' in a trusted setup critical for SNARK security?

Groth16: The Most Compact SNARK

Groth16 (Jens Groth, 2016) produces the smallest SNARK proofs: just 3 group elements (192 bytes on BN254). Verification requires 3 pairing operations - constant time regardless of circuit complexity. It is used in Zcash Sapling, Filecoin, and Celo. The main limitation: circuit-specific setup - every new circuit requires a new ceremony.

Circom is the language for writing arithmetic circuits. A circuit describes a computation as a system of constraints over a finite field. snarkjs is the JavaScript library for Groth16 and PLONK. A Zcash Sapling shielded transaction proves that the sender knows the spending key and that input amounts equal output amounts (balance preserved), without revealing addresses or amounts. Proof size: 192 bytes; verification: ~2 ms.
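As an added example (not circom or snarkjs code, and not from the original page), the block below spells out what "a system of constraints over a finite field" means by hand-building the R1CS that a circom circuit for x^3 + x + 5 == 35 would compile to. The witness layout, the three constraint rows and the sample values are constructed for illustration; the modulus is the BN254 scalar field that circom and snarkjs use by default.

```python
# Toy R1CS constraint system, the form circom compiles circuits to (added example,
# not circom or snarkjs code).  The circuit proves knowledge of a private x such
# that x^3 + x + 5 == out, with `out` public.  Each constraint has the shape
# <A_i, w> * <B_i, w> == <C_i, w> over a prime field.

# Scalar field order r of BN254 (alt_bn128), the field circom circuits live in.
R = 21888242871839275222246405745257275088548364400416034343698204186575808495617

# Witness layout (constructed): w = [1, x, out, v1 = x*x, v2 = v1*x]
# Constraint 1: x  * x = v1
# Constraint 2: v1 * x = v2
# Constraint 3: (v2 + x + 5) * 1 = out   (linear terms ride on the constant wire)
A = [[0, 1, 0, 0, 0], [0, 0, 0, 1, 0], [5, 1, 0, 0, 1]]
B = [[0, 1, 0, 0, 0], [0, 1, 0, 0, 0], [1, 0, 0, 0, 0]]
C = [[0, 0, 0, 1, 0], [0, 0, 0, 0, 1], [0, 0, 1, 0, 0]]


def dot(row, w):
    """Inner product of one constraint row with the witness vector, mod R."""
    return sum(a * b for a, b in zip(row, w)) % R


def compute_witness(x):
    """What the prover does locally: run the computation and record every wire."""
    v1 = x * x % R
    v2 = v1 * x % R
    out = (v2 + x + 5) % R
    return [1, x % R, out, v1, v2]


def r1cs_satisfied(w):
    """Check every constraint; a Groth16/PLONK proof ultimately attests to this."""
    return all(dot(a, w) * dot(b, w) % R == dot(c, w) for a, b, c in zip(A, B, C))


def public_inputs(w):
    """The statement: only `out` is revealed; x and the intermediate wires stay private."""
    return {"out": w[2]}


if __name__ == "__main__":
    w = compute_witness(3)
    print(public_inputs(w), r1cs_satisfied(w))   # {'out': 35} True
    # A witness that claims out == 35 with the wrong x fails constraint 3
    print(r1cs_satisfied([1, 4, 35, 16, 64]))    # False
```

Groth16's circuit-specific setup is a setup for exactly these A, B, C matrices: change the circuit (add a constraint, widen the witness) and the proving and verifying keys must be regenerated, which is the ceremony cost the text describes.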

Why is Groth16 preferred when a single circuit is used millions of times (as in Zcash transactions)?

PLONK and Universal SNARKs

PLONK (Permutations over Lagrange-bases for Oecumenical Non-interactive arguments of Knowledge, 2019) is a universal SNARK: a single trusted setup (SRS) works for any circuit up to a maximum size. When the circuit changes, only the verifying key needs to be recomputed - no new ceremony is required. PLONK uses a polynomial IOP (Interactive Oracle Proof) combined with KZG polynomial commitments. Ethereum rollups such as zkSync and Polygon zkEVM use PLONK variants.

KZG (Kate-Zaverucha-Goldberg) polynomial commitments form the foundation of PLONK and Ethereum blob transactions (EIP-4844). They allow committing to a polynomial and later opening its value at a point with a compact proof. A KZG proof is 1 group element (48 bytes). The Ethereum KZG ceremony 2023 involved 140,000+ participants creating an SRS for 4096 evaluation points, used for blob storage to support L2 data availability.
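The following added example (not Zcash, Ethereum or any library's code) walks through the trusted-setup and KZG mechanics described in the two sections above: powers of tau, a multi-party update of the SRS, commit, open, verify, and what an adversary who holds tau can do. It assumes a toy in which the elliptic-curve group is replaced by a prime field, so "[x]" is just x mod P; real KZG hides tau in the exponent and replaces the final field equation with a pairing check. The modulus, the participants' secrets and the polynomial are constructed values.

```python
# Toy KZG commitment over a plain prime field (added educational example).
# Real KZG publishes [tau^i]G in an elliptic-curve group so the SRS reveals
# nothing about tau, and checks openings with a pairing; here the group is the
# field itself, so the verifier's [tau] is tau in the clear.  The algebra of
# setup, commit, open and verify is otherwise identical.

P = 2**31 - 1  # constructed choice: a Mersenne prime as the toy field modulus


def inv(a):
    """Multiplicative inverse mod P via Fermat's little theorem (P is prime)."""
    return pow(a % P, P - 2, P)


def poly_eval(coeffs, x):
    """Evaluate p(x); coefficients are listed lowest degree first (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def poly_div_linear(coeffs, z):
    """Synthetic division of p(X) by (X - z) -> (quotient, remainder).
    The remainder is p(z), so the quotient is (p(X) - p(z)) / (X - z),
    exactly the polynomial a KZG prover commits to as the opening proof."""
    n = len(coeffs)
    q = [0] * (n - 1)
    q[n - 2] = coeffs[n - 1] % P
    for i in range(n - 2, 0, -1):
        q[i - 1] = (coeffs[i] + z * q[i]) % P
    return q, (coeffs[0] + z * q[0]) % P


def trusted_setup(tau, max_degree):
    """Powers of tau: [tau^0], ..., [tau^n].  tau itself is the toxic waste."""
    return [pow(tau, i, P) for i in range(max_degree + 1)]


def mpc_update(srs, my_secret):
    """One ceremony participant multiplies the hidden tau by my_secret:
    [tau^i] * my_secret^i == [(tau * my_secret)^i].  Nobody needs the previous
    tau, and the combined secret stays unknown if at least one participant
    discards their contribution."""
    return [(s * pow(my_secret, i, P)) % P for i, s in enumerate(srs)]


def commit(srs, coeffs):
    """C = sum_i c_i * [tau^i]: a linear combination of SRS elements, no tau needed."""
    if len(coeffs) > len(srs):
        raise ValueError("polynomial degree exceeds the SRS size")
    return sum(c * s for c, s in zip(coeffs, srs)) % P


def open_at(srs, coeffs, z):
    """Prover: claim y = p(z) and commit to q(X) = (p(X) - y) / (X - z)."""
    q, y = poly_div_linear(coeffs, z)
    return y, commit(srs, q)


def verify(srs, commitment, z, y, proof):
    """Verifier: C - [y] == proof * ([tau] - [z]), using only srs[1] = [tau].
    In real KZG this is a pairing equation; in the toy it is field arithmetic."""
    return (commitment - y) % P == (proof * (srs[1] - z)) % P


def forge_with_tau(tau, commitment, z, fake_y):
    """Why tau must be destroyed: knowing tau as a field element lets anyone
    solve the verification equation for a 'proof' of an arbitrary fake_y."""
    return ((commitment - fake_y) * inv(tau - z)) % P


def demo():
    """Three-party ceremony, an honest opening, a wrong claim, and a forgery."""
    srs = trusted_setup(1, 8)                 # identity start: [1, 1, ..., 1]
    secrets = [12345, 67890, 424242]          # constructed participant secrets
    for s in secrets:
        srs = mpc_update(srs, s)
    tau = 12345 * 67890 * 424242 % P          # recoverable only if all collude

    coeffs = [3, 1, 4, 1, 5, 9]               # constructed p(X), degree 5
    c = commit(srs, coeffs)
    y, proof = open_at(srs, coeffs, 7)
    honest = verify(srs, c, 7, y, proof)
    wrong_claim = verify(srs, c, 7, y + 1, proof)
    forged = verify(srs, c, 7, y + 1, forge_with_tau(tau, c, 7, y + 1))
    return honest, wrong_claim, forged


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The last tuple is the whole security argument in one line: an honest opening verifies, a wrong claim with an honest proof does not, and a party holding tau can make the wrong claim verify. In a real ceremony the group hides tau, so the only way to reach the third outcome is for every participant's contribution to be retained, which is why a single honest participant who deletes their secret is enough.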

What is the main advantage of PLONK over Groth16 for application developers?

STARKs and Bulletproofs: No Trusted Setup

STARKs (Scalable Transparent ARguments of Knowledge, Eli Ben-Sasson, 2018) require no trusted setup - they use only hash functions (publicly verifiable randomness). They are resistant to quantum computers (no pairings or ECC). Downside: large proof sizes (10-100 kB vs 192 bytes for Groth16). StarkNet and StarkWare use STARKs. Ethereum 2 attestation proofs are verified via STARKs.

Cairo VM is the programming language for StarkWare STARK circuits. It allows compiling arbitrary programs into STARKs. StarkNet is an Ethereum L2 built on STARKs: theoretically 100,000+ TPS. Proving a batch of 1000 Ethereum transactions takes ~2 minutes to generate a STARK; verification on Ethereum L1 takes ~10 ms via a single STARK verifier contract. Recursive STARKs (proofs about proofs) enable scaling without linear proof size growth.
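To make "publicly verifiable randomness" concrete, here is an added example (not StarkWare, Cairo or Ethereum code, and not from the page) of the commitment layer a STARK is built on: the prover commits to a table of polynomial evaluations with a Merkle tree, the query positions are derived by hashing that commitment (Fiat-Shamir), and the verifier checks the opened values against the root. The field, evaluation domain and query count are constructed toy choices, and the low-degree (FRI) test that a real STARK layers on top is not shown.

```python
# Transparent, hash-only commitment in the STARK style (added example).
# There is no secret anywhere: the verifier's challenges are recomputed from
# public data, so there is nothing to destroy after setup and nothing that a
# future quantum computer could recover from an SRS.
import hashlib

P = 97  # constructed toy field for the evaluation table


def h(*parts: bytes) -> bytes:
    """SHA-256 over the concatenation of the parts."""
    return hashlib.sha256(b"".join(parts)).digest()


def evaluations(coeffs, domain_size):
    """p(x) for x = 0..domain_size-1 (a real STARK evaluates over a subgroup)."""
    return [sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P
            for x in range(domain_size)]


def merkle_tree(leaves):
    """Levels bottom-up for a power-of-two leaf count; leaves and inner nodes
    use distinct prefixes so a leaf can never be confused with a node."""
    level = [h(b"\x00", leaf) for leaf in leaves]
    tree = [level]
    while len(level) > 1:
        level = [h(b"\x01", level[i], level[i + 1]) for i in range(0, len(level), 2)]
        tree.append(level)
    return tree


def merkle_root(tree):
    return tree[-1][0]


def merkle_path(tree, index):
    """Sibling hashes from the leaf at `index` up to the root."""
    path = []
    for level in tree[:-1]:
        path.append(level[index ^ 1])
        index //= 2
    return path


def merkle_verify(root, leaf, index, path):
    """Recompute the root from an opened leaf and its sibling path."""
    node = h(b"\x00", leaf)
    for sibling in path:
        node = h(b"\x01", sibling, node) if index & 1 else h(b"\x01", node, sibling)
        index //= 2
    return node == root


def fiat_shamir_queries(transcript: bytes, domain_size: int, count: int):
    """Query positions = hash(transcript || counter) mod domain_size.  The prover
    cannot steer them: the transcript already contains its own commitment."""
    return [int.from_bytes(h(transcript, i.to_bytes(4, "big"))[:8], "big") % domain_size
            for i in range(count)]


def prove_and_verify(coeffs, domain_size=16, num_queries=4, tamper=False):
    """The exchange: prover commits, both sides derive queries, prover opens,
    verifier checks.  tamper=True models a prover changing a value after
    committing, which the Merkle check must reject."""
    evals = evaluations(coeffs, domain_size)
    leaves = [e.to_bytes(4, "big") for e in evals]
    tree = merkle_tree(leaves)
    root = merkle_root(tree)                                        # prover -> verifier
    queries = fiat_shamir_queries(root, domain_size, num_queries)   # computed by both
    if tamper:
        evals[queries[0]] = (evals[queries[0]] + 1) % P
    for idx in queries:
        opened = evals[idx].to_bytes(4, "big")                      # prover -> verifier
        if not merkle_verify(root, opened, idx, merkle_path(tree, idx)):
            return False
    return True


if __name__ == "__main__":
    print(prove_and_verify([1, 2, 3]), prove_and_verify([1, 2, 3], tamper=True))  # True False
```

The proof here is a list of field values plus Merkle paths, which is why STARK proofs grow to tens of kilobytes: each query costs log2(domain) hashes, and soundness comes from the number of queries rather than from a single algebraic identity checked by a pairing.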

Why are STARKs attractive for long-lived systems despite their larger proof size?

The ZK Proof Landscape

  • **Groth16**: smallest proof (192 bytes), fast verification, circuit-specific setup - ideal for fixed circuits used millions of times.
  • **PLONK**: universal setup, developer-friendly, proof ~500 bytes - the Ethereum L2 ecosystem.
  • **STARKs**: no trusted setup, post-quantum, proof 10-100 kB - long-term security, StarkNet.
  • **Bulletproofs**: no trusted setup, range proofs in Monero - compact proofs for specific tasks.

Related Topics

ZK-SNARKs combine advanced mathematics: bilinear pairings, polynomial commitments, and interactive proof systems.

  • ZKP Basics — The Schnorr protocol and Fiat-Shamir heuristic are the theoretical foundation of all SNARK and STARK systems.
  • Advanced ECC — Bilinear pairings from the BLS topic are used in Groth16 and PLONK verification.
  • Blockchain Cryptography — ZK rollups use SNARKs and STARKs to scale Ethereum - the primary production use case.

Questions for Reflection

  • If STARKs require no trusted setup and are quantum-resistant, why is Groth16 still widely used in production (Zcash, Filecoin) instead of a full migration to STARKs?
  • The Ethereum KZG ceremony had 140,000 participants. What is the minimum number of honest participants needed for the ceremony to remain secure?
  • Recursive STARKs can prove the correctness of another STARK proof. What practical scaling properties does this enable for L2 blockchains?

Related Lessons

  • aa-09-polynomials