On November 9, Ethereum creator Vitalik Buterin published a blog post exploring the class of technology known as zero-knowledge Succinct Transparent ARguments of Knowledge (zk-STARKs) and how they differ from the related and better-known mechanisms that fit under the gloss of zero-knowledge Succinct Non-interactive ARguments of Knowledge (zk-SNARKs).
The concept for zk-SNARKs (which predates Ethereum, but in the Ethereum context could be used to verify transactions) caught the attention of several of that blockchain’s developers as a result of its anonymity-enabling properties.
While currently the sending address, receiving address, and the amount of Ether involved in every Ethereum transaction is a matter of public record, zk-SNARKs would effectively mask these three data points, potentially making the platform more attractive to privacy-focused users.
Among the features that enable greater anonymity is the use of a non-zero “random secret number.” The prover of a transaction multiplies this number by the product of two mathematical functions, then sends the verifier the resulting value as well as the value of the random secret number. With this information, the recipient node can verify a transaction while knowing almost nothing about it.
As the ability to verify transactions faster has become a more central concern for Ethereum, several of the blockchain’s developers have started looking at zk-SNARKs as a means to boost scalability. In addition to their potential to enhance privacy, zk-SNARKs offer the benefit of reducing transaction verification time relative to the capacity of the current protocol.
Zk-STARKs share this feature with their more famous SNARK “cousins,” but according to Buterin, also address several shortcomings, including their “reliance on a ‘trusted setup.’” Additionally, he claims that the technology is theoretically “secure even against attackers with quantum computers.”
While he estimates zk-STARKs’ proof sizes to be “a few hundred kilobytes” relative to zk-SNARKs’ 288 bytes, he argues that the tradeoff may be worthwhile “in the context of public blockchain applications where the need for trust minimization is high,” and most certainly will be “if elliptic curves break or quantum computers do come around.”
According to a PowerPoint document by computer science professor Eli Ben-Sasson, who Buterin thanks by name in his zk-STARKs blog post, a “[computational integrity and privacy] system is transparent if setup and all verifier queries are public random coins.” Unlike this technology, zk-SNARKS require a “non-transparent setup phase.”
For further details, be sure to visit Buterin’s blog post, here.