STARK vs SNARK

In the world of cryptography and blockchain technology, zero-knowledge proofs have emerged as a powerful tool for ensuring privacy and security. Among the various zero-knowledge proof systems, STARK and SNARK have gained significant attention due to their unique properties and potential applications. This article aims to provide a comprehensive comparison of these two technologies, delving into their differences, advantages, and disadvantages. We will also explore the underlying mathematical concepts and commitment schemes that make these technologies possible.

Understanding STARK and SNARK

STARK (Scalable Transparent ARguments of Knowledge) and SNARK (Succinct Non-interactive ARguments of Knowledge) are both cryptographic proof systems that enable a prover to convince a verifier that a certain statement is true without revealing any information about the statement itself. The primary difference between the two lies in their acronyms: STARK is scalable and transparent, while SNARK is succinct and non-interactive.

Scalable and Transparent in STARK

The word "scalable" refers to the fact that STARKs can handle large circuits and the ability of the proof system to handle large-scale computations efficiently. This is achieved through the use of Algebraic Intermediate Representations (AIR), which allow for efficient representation and verification of complex computations. Transparency, on the other hand, means that STARK does not require a trusted setup, which is a significant advantage in terms of security and trust and basically means that anyone can verify the proof without relying on a trusted party. This makes STARKs more transparent and secure.

R1CS and AIR: SNARK vs. STARK

Before we dive into the differences between STARK and SNARK, it is important to understand the arithmetisation process. Arithmetization, and it is the translation (often referred to as ‘reduction’) of the problem of verifying a computation to the problem of checking that a certain polynomial, which can be evaluated efficiently on the verifier’s side (this is the ‘succinctly’ part), is of low degree. Simply put, it's a process of changing a program, written in a high-level language, to a list of polynomials with constants, variables, and constraints.

The two main mathematical structures used in the arithmetisation process are R1CS and AIR. Rank-1 Constraint Systems (R1CS) and Algebraic Intermediate Representations (AIR) are two mathematical frameworks used to represent and verify computations in zero-knowledge proof systems. R1CS is a way of representing computations using linear equations and inequalities. It is a popular choice for implementing SNARKs as it has a simple structure and is efficient in handling circuits with a small number of variables. It allows for efficient representation of arbitrary computations using a set of quadratic equations.

AIR, on the other hand, stands for "Algebraic Intermediate Representation." It is a more expressive way of representing computations than R1CS, as it allows for more complex and efficient handling of large circuits. It is a more suitable choice for implementing STARKs, where the goal is to handle large circuits with thousands of variables and it enables the efficient representation of large-scale computations using polynomials. Advantages and Disadvantages of STARK and SNARK Now that we understand the difference between R1CS and AIR, let's move on to the differences between STARK and SNARK. STARK and SNARK each have their own set of advantages and disadvantages with respect to loops, building a virtual machine, and arbitrary computations.

STARKs are more scalable and transparent, but they require more computational resources and generate larger proofs. SNARKs are more efficient in terms of computation and storage, but they require a trusted setup and are less transparent.

In terms of handling loops, STARKs are more suitable as they can handle loops more efficiently, whereas SNARKs require all the loops to be explicitly unrolled, which increases the number of circuits significantly.

R1CS, as mentioned earlier, represents computations using linear equations and inequalities. It has a simple structure and is efficient in handling circuits with a small number of variables. As such, R1CS and R1CS-based SNARKs are particularly well-suited for applications that involve simpler computations and have a relatively small number of constraints. It can be used to build efficient virtual machines for specific tasks that do not require complex calculations or a large number of variables. On the other hand, AIR provides a more expressive and efficient representation of computations compared to R1CS. It is designed to capture the algebraic structure of computations, which enables more efficient execution of arbitrary computations. This makes AIR and AIR-based STARKs more suitable for building virtual machines that need to handle a wide range of arbitrary computations. The advantage of using AIR for building a general-purpose virtual machine lies in its ability to handle more complex calculations and larger circuits. It provides a higher degree of flexibility and expressive power, making it suitable for a broader range of computations.

Polynomial Commitment Schemes

Polynomial commitment schemes are cryptographic primitives used in the construction of zero-knowledge proof systems like STARK and SNARK. Some common polynomial commitment schemes include Kate-Zaverucha-Goldberg (KZG), Inner Product Argument (IPA), and Fast Reed-Solomon Interactive Oracle Proofs of Proximity (FRI).

KZG is more suitable for SNARKs as it requires a trusted setup. KZG relies on elliptic curve pairings, which allows for efficient and secure commitments to polynomials. Essentially it uses a bilinear map that lets us use linearity and compress a lot of information to just a few points on an elliptic curve. As such, it enables very small proof sizes of just a few hundred bytes and efficient verification.

Inner Product Argument (IPA) is a commitment scheme that relies on the inner product of two vectors on an elliptic curve to represent a polynomial. This scheme is more suited for STARK, as it does not require a trusted setup. The generated proof is larger than that of KZG, but still rather small of just a few kilobytes.

Fast Reed-Solomon Interactive Oracle Proofs of Proximity (FRI) is a commitment scheme specifically designed for STARK, which allows for efficient and secure commitments to polynomials using a combination of Reed-Solomon codes and interactive oracle proofs. The commitment only relies on hash functions with no need to rely on any other cryptography. Despite FRI having the largest proofs of dozens of kilobytes, it has the fastest verification time as both elliptic curve and elliptic curve pairings are expensive to compute, and there are a lot of existing hardware optimisations to support hash functions computations.

Conclusion

In conclusion, STARK and SNARK are two powerful zero-knowledge proof systems with distinct advantages and disadvantages. While STARK offers better scalability, transparency, and post-quantum security, SNARK provides smaller proof sizes and more mature technology. The choice between the two depends on the specific requirements and constraints of the application in question.

I hope you found this article informative and insightful. Please feel free to leave a comment with your thoughts or suggestions for improvement. Stay tuned for our next article, which will explore the languages used to write zero-knowledge applications and further delve into the fascinating world of cryptography.

Comments

Post a Comment

Popular posts from this blog

Rust Static Analysis and Blockchain Licensing

Image
What is static analysis? Static analysis is an analysis of software artifacts. For example requirements or code, carried out without execution of these software development artifacts. Static analysis is usually carried out using supporting tools. In other words, we can say that static analysis is an examination of requirements, design, and code that differ from more traditional dynamic testing in several important ways. The main goal behind this analysis is to find the bugs, whether or not they may cause failures. As with reviews, static analysis finds bugs rather than failures. The general name for static analysis is linting. lint, or a linter, is a tool that analyzes source code to flag programming errors, bugs, stylistic errors, and suspicious constructs. Simply put, a linter is a tool that programmatically scans your code with the goal of finding issues that can lead to bugs or inconsistencies with code health and style. Some can even help fix them for you! How to analyse
Read more

Length extension attack

Image
What is length extension? When a Merkle–Damgård based hash is misused as a message authentication code with construction H(secret ‖ message), and message and the length of secret is known, a length extension attack allows anyone to include extra information at the end of the message and produce a valid hash without knowing the secret. Quick sidebar, before you freak out: Since HMAC does not use this construction, HMAC hashes are not prone to length extension attacks. So, a length extension attack is a type of attack where an attacker can use Hash(message1) and the length of message1 to calculate Hash(message1 ‖ message2) for an attacker-controlled message2, without needing to know the content of message1. Algorithms like MD5, SHA-1 and most of SHA-2 that are based on the Merkle–Damgård construction are susceptible to this kind of attack. Truncated versions of SHA-2, including SHA-384 and SHA-512/256 are not susceptible, nor is the SHA-3 algorithm. A bit more details
Read more

CAP Theorem and blockchain

Image
In theoretical computer science, the CAP theorem states that it is impossible for a distributed data store (such as a blockchain network) to simultaneously provide more than two out of the three guarantees: Consistency, Availability & Partition tolerance. CAP Theorem – the parts C: Consistency – At any given time, all nodes in the network have exactly the same (most recent) value. A: Availability – Every request to the network receives a response, though without any guarantee that returned data is the most recent. P: Partition tolerance – The network continues to operate, even if an arbitrary number of nodes are failing. Due to the nature of distributed data stores (such as blockchain), Partition tolerance is a given fact; there will always be failing/unreachable nodes in the network (not least because of the unstable nature of the internet). CAP Theorem states that one has to choose between C (Consistency) or A (Availability) when in the presence of P (Partition): Av
Read more