zk-SNARKs vs zk-STARKs
Lesson by Uvin Vindula
Two dominant zero-knowledge proof systems have emerged in the blockchain world: zk-SNARKs and zk-STARKs. While both achieve the same goal — proving statements without revealing data — they differ significantly in their construction, trust assumptions, and performance characteristics.
zk-SNARKs: Succinct Non-Interactive Arguments of Knowledge
zk-SNARKs were the first practical ZKP system widely deployed in blockchain. The name reveals their properties:
- Succinct: The proofs are very small (typically a few hundred bytes), regardless of how complex the underlying computation is.
- Non-interactive: The prover sends a single proof; no back-and-forth with the verifier.
- Arguments of Knowledge: The prover demonstrates they "know" the secret witness, not just that it exists.
zk-SNARKs were first used in production by Zcash in 2016 to enable fully private cryptocurrency transactions. They rely on elliptic curve cryptography and require a one-time trusted setup ceremony — a process where initial parameters are generated and the randomness used must be destroyed. If the setup randomness is compromised, fake proofs could be created.
zk-STARKs: Scalable Transparent Arguments of Knowledge
zk-STARKs were developed by Eli Ben-Sasson and others at StarkWare, and address some of zk-SNARKs' limitations:
- Scalable: Proof generation scales quasi-linearly with computation size — they handle very large computations efficiently.
- Transparent: No trusted setup required. All parameters are derived from public randomness, eliminating the trust assumption.
- Post-quantum secure: STARKs rely on hash functions rather than elliptic curves, making them resistant to quantum computer attacks.
The trade-off? STARK proofs are significantly larger than SNARK proofs — typically tens to hundreds of kilobytes versus a few hundred bytes.
Head-to-Head Comparison
| Feature | zk-SNARKs | zk-STARKs |
|---|---|---|
| Proof size | ~200-300 bytes | ~50-200 KB |
| Verification time | Very fast (~ms) | Fast (slightly slower) |
| Trusted setup | Required | Not required (transparent) |
| Quantum resistance | No | Yes |
| Underlying math | Elliptic curves | Hash functions |
| Major users | Zcash, zkSync, Scroll | StarkNet, StarkEx |
Modern Developments: The Lines Are Blurring
The distinction between SNARKs and STARKs is becoming less clear-cut as the field evolves. New proof systems like PLONK, Halo 2, and Groth16 offer various trade-offs:
- PLONK: A universal SNARK that requires only a one-time trusted setup that can be reused for any circuit.
- Halo 2: Eliminates the trusted setup for SNARKs using recursive proof composition (used by Zcash since the Orchard upgrade).
- Groth16: Remains the most efficient SNARK for specific circuits, with the smallest proofs and fastest verification.
In practice, the choice between SNARK and STARK depends on the specific application — proof size constraints, trust assumptions, and future quantum-resistance needs all factor into the decision.
Key Takeaways
- •zk-SNARKs produce tiny proofs but require a trusted setup ceremony
- •zk-STARKs need no trusted setup and are quantum-resistant, but proofs are larger
- •SNARKs use elliptic curve cryptography; STARKs use hash functions
- •Modern systems like PLONK and Halo 2 are blurring the SNARK/STARK distinction
- •The best choice depends on the application: proof size, trust assumptions, and quantum resistance
Quick Quiz
Question 1 of 3
0 correct so far
What is the main disadvantage of zk-SNARKs compared to zk-STARKs?