Anonymity has long been regarded as one of the most valuable characteristics of the cryptocurrency ecosystem. It is a precondition for fungibility, a property that any widely used form of money needs. Most crypto asset holders also do not want their balances and transaction histories fully exposed. Of the various cryptographic techniques being developed to bring privacy to blockchains, zk-SNARKs and zk-STARKs are two noteworthy examples.

zk-SNARK stands for Zero-Knowledge Succinct Non-interactive ARgument of Knowledge, and zk-STARK for Zero-Knowledge Scalable Transparent ARgument of Knowledge. zk-SNARKs are already used in blockchain-based payment systems such as Zcash and in JP Morgan Chase projects, and as a way for a client to prove a statement to a server without disclosing the underlying data. While zk-SNARKs are established and widely deployed, zk-STARKs are being put forward as a newer design that aims to address several of the shortcomings of zk-SNARKs.

  

Ali Baba's Cave Fable

In 1990, cryptographer Jean-Jacques Quisquater and his co-authors published a paper titled "How to Explain Zero-Knowledge Protocols to Your Children." It introduces the concept of zero-knowledge proofs through the parable of Ali Baba's cave. The parable has been retold many times since, and several versions now circulate, but the idea they express is the same.

Imagine a cave with a single entrance. Just inside, the passage forks into two paths, 1 and 2, which loop around and meet at the far end at a magic door. The door opens only for someone who whispers the right secret word. Alice wants to prove to Bob that she knows the word without telling him what it is. Bob agrees to wait outside while Alice enters and picks one of the two paths to walk to the door; in this case, she takes path 1.


After a while, Bob walks in to the fork and calls out which path he wants Alice to come out of; in this case, path 2.


If Alice really knows the word, she can always come out on the path Bob asks for: if she is already on that path she simply walks back, and if she is on the other one she whispers the word, passes through the door and returns on the requested side.


The process is repeated many times to rule out luck. A prover who does not know the word can only come back the way she went in, so she satisfies Bob in a given round only if he happens to call the path she picked, which has probability 1/2; after n rounds a cheater survives with probability only 1/2^n, while Alice never fails.

The Ali Baba cave parable illustrates the concept of zero-knowledge proofs, which are the foundation of both zk-SNARKs and zk-STARKs. A zero-knowledge proof lets someone prove possession of certain knowledge without revealing anything about the knowledge itself. Note also that Bob cannot use the episode to convince a third party: a recording of Alice emerging where asked looks exactly like a staged one in which the "prover" was told the challenges in advance.
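The cave protocol as a small executable model. This is an added example, not code from the original article or from the Quisquater paper; the secret word, the names and the provers' strategies are constructed for illustration. It enumerates every sequence of challenges Bob could issue, so the counts are exact rather than sampled, and it shows why a transcript of the rounds proves nothing to anyone who was not there to choose the challenges.

```python
import itertools

# Added example (not from the original article): a model of the cave protocol.
# A "prover" is a function (path_entered, path_asked_for) -> path_exited.
# Paths are 1 and 2 as in the text; the secret word and names are constructed.

SECRET_WORD = "open sesame"            # constructed for the example

def make_prover(knows_word):
    """Build a prover. Only someone who knows the word can cross the magic door."""
    def emerge(path_entered, path_asked_for):
        if path_entered == path_asked_for:
            return path_asked_for          # already on that path: just walk back
        if knows_word == SECRET_WORD:
            return path_asked_for          # whisper the word, cross the door
        return path_entered                # stuck: can only come back the same way
    return emerge

alice = make_prover(SECRET_WORD)           # honest prover, knows the word
mallory = make_prover(None)                # cheating prover, does not

def bob_accepts(prover, paths_entered, challenges):
    """Bob accepts only if every round's exit matches the path he called out."""
    return all(prover(p, c) == c for p, c in zip(paths_entered, challenges))

def acceptance_counts(prover, n_rounds):
    """Run every one of Bob's 2**n possible challenge sequences against a prover
    who walks into path 1 each round. Returns (sequences accepted, total)."""
    entered = [1] * n_rounds
    accepted = sum(bob_accepts(prover, entered, ch)
                   for ch in itertools.product((1, 2), repeat=n_rounds))
    return accepted, 2 ** n_rounds

def transcript(prover, paths_entered, challenges):
    """What Bob, or a camera at the entrance, actually records: the path asked
    for and the path the prover came out of. The path entered is never seen."""
    return [(c, prover(p, c)) for p, c in zip(paths_entered, challenges)]

def simulated_transcript(challenges):
    """Zero-knowledge in miniature: a cheater who learns the challenges ahead of
    time enters whichever path will be asked for and produces a transcript that
    is identical to Alice's, so the transcript itself convinces nobody."""
    return transcript(mallory, list(challenges), challenges)
```

`acceptance_counts(mallory, n)` always returns exactly one accepted sequence out of 2^n (the one where Bob happens to call path 1 every time), which is the 1/2^n soundness error described above; `acceptance_counts(alice, n)` accepts all of them. The challenge space here is one bit per round, which is why so many rounds are needed; the cryptographic protocols below use challenges of hundreds of bits and get the same effect in a single round.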


zk-SNARKs

Zcash was the first widespread application of zk-SNARKs. Privacy coins such as Monero use ring signatures and related techniques that create a smokescreen around the sender; zk-SNARKs instead change what data has to be shared at all. Zcash's privacy comes from the fact that shielded transactions are encrypted on-chain yet can still be checked for validity with a zero-knowledge proof, so the nodes enforcing the consensus rules never need to see the sender, recipient or amount. Note that Zcash's privacy features are optional: transactions are transparent by default and are shielded only when the user explicitly chooses to do so.

A zero-knowledge proof lets one party convince another that a statement is true without revealing anything beyond the fact that it is true. The two parties are called the prover and the verifier, and the secret the prover holds is called the witness. The point is that the verifier learns nothing it could not have worked out on its own: the prover demonstrates knowledge of something without revealing any information about the thing itself.

In the acronym, "succinct" means the proofs are small and can be verified in far less time than it would take to redo the computation they vouch for. "Non-interactive" means the prover sends a single message, the proof, and the verifier checks it without any further exchange. Earlier zero-knowledge protocols required several rounds of challenges and responses between prover and verifier, exactly like Bob repeatedly calling out a path in the cave, and are therefore called interactive. Non-interactive proofs typically obtain their challenges by hashing the prover's own messages instead of asking the verifier for them.
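A concrete prover/verifier/witness exchange, first interactive and then non-interactive, makes the acronym tangible. The following is an added example, not code from the article, from Zcash or from any zk-SNARK library: it is a Schnorr proof of knowledge of a discrete logarithm, the textbook zero-knowledge protocol, made non-interactive with the Fiat-Shamir transform (the "hash plays the verifier" idea mentioned above). The group is a deliberately tiny toy chosen so the arithmetic can be followed by hand: P = 2039 is a safe prime, Q = 1019 is the order of the subgroup used, and G = 4 generates it. A real deployment would use a 256-bit elliptic-curve group; with Q this small a guesser succeeds about once in a thousand tries, which the last function makes visible.

```python
import hashlib
import secrets

# Added example, not the article's or Zcash's code: Schnorr proof of knowledge
# of x such that y = G^x (mod P), interactive and then via Fiat-Shamir.
# Toy group: P safe prime, Q = (P-1)/2 prime, G of order Q. Real systems use
# ~256-bit groups; everything below is parameterised only by these constants.
P, Q, G = 2039, 1019, 4

def keygen():
    """Witness x (prover's secret) and the public statement y = G^x mod P."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

# ---- interactive form: commit, challenge, respond ------------------------
def prover_commit():
    k = secrets.randbelow(Q - 1) + 1
    return k, pow(G, k, P)                    # keep k secret, send t = G^k

def prover_respond(x, k, c):
    return (k + c * x) % Q                    # s = k + c*x (mod Q)

def verify(y, t, c, s):
    """Accept iff G^s == t * y^c (mod P)."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P

def interactive_proof(x, y):
    k, t = prover_commit()                    # 1. prover -> verifier: t
    c = secrets.randbelow(Q)                  # 2. verifier -> prover: random c
    s = prover_respond(x, k, c)               # 3. prover -> verifier: s
    return verify(y, t, c, s)

# ---- non-interactive form: a hash of the transcript replaces the verifier ----
def fiat_shamir_challenge(y, t, context=b""):
    data = f"{P}|{G}|{y}|{t}|".encode() + context
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def ni_prove(x, y, context=b""):
    """The prover alone produces (t, s); that pair is the entire proof."""
    k, t = prover_commit()
    return t, prover_respond(x, k, fiat_shamir_challenge(y, t, context))

def ni_verify(y, proof, context=b""):
    t, s = proof
    return verify(y, t, fiat_shamir_challenge(y, t, context), s)

# ---- why it is "zero-knowledge" and "of knowledge" ------------------------
def simulate_transcript(y):
    """Anyone can forge an accepting (t, c, s) if c is fixed BEFORE t: pick c and
    s, then solve t = G^s * y^(-c). Transcripts therefore leak nothing about x,
    and Fiat-Shamir must derive c from t, never the other way round."""
    c, s = secrets.randbelow(Q), secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(y, Q - c, P)) % P     # y^(Q-c) == y^(-c), ord(y) = Q
    return t, c, s

def extract_witness(c1, s1, c2, s2):
    """Two accepting answers for the same t and different challenges reveal x,
    since s1 - s2 = (c1 - c2) * x (mod Q). A prover who can answer two
    challenges must know x; it is also why k must never be reused."""
    inv = pow((c1 - c2) % Q, Q - 2, Q)        # inverse mod prime Q (Fermat)
    return ((s1 - s2) * inv) % Q

def guess_without_witness(y, trials):
    """Soundness error made visible: with no x, answering a fresh random
    challenge with a random s succeeds about once per Q attempts."""
    hits = 0
    for _ in range(trials):
        _, t = prover_commit()
        hits += verify(y, t, secrets.randbelow(Q), secrets.randbelow(Q))
    return hits
```

With a one-bit challenge this protocol would be exactly the cave, repeated; the large challenge space is what lets one round reach a negligible cheating probability. The `context` argument of `ni_prove` binds the proof to a message (a transaction, say), so a proof lifted from one transaction does not verify for another.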

Current zk-SNARK constructions rely on a one-time trusted setup that produces a set of public parameters (the proving and verification keys) which every prover and verifier then uses to build and check proofs, and therefore to make private transactions. The parameters are, in effect, the rules of the game: they are baked into the protocol, and a proof is only meaningful relative to them. The concern is that they are typically generated in a ceremony by a small group of participants, which creates a centralisation and trust problem.

Although a trusted setup underlies today's zk-SNARK implementations, researchers are working on alternatives that reduce the trust required. The setup matters because the parameters are derived from secret randomness that must be destroyed afterwards; anyone who retained it (often called the toxic waste) could forge proofs that the verifier accepts, and in a currency that means counterfeiting coins without detection. The practical mitigation is a multi-party ceremony in which each participant contributes their own randomness, so the secret stays unknown as long as at least one participant honestly destroys their share. In Zcash this phase is called the parameter generation ceremony.
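The failure mode above is easiest to see on a much smaller object than a SNARK. The following is an added example, not the article's or Zcash's code and not Zcash's actual parameter structure: a Pedersen commitment whose public parameter h is published as h = g^t, with t the secret randomness of the "ceremony". It uses the same toy group as the Schnorr example (P = 2039, Q = 1019, G = 4; a toy size, labelled as such). Binding holds only if t is destroyed; whoever keeps t can open any commitment to any value they like, and a verifier cannot tell the difference. That is the structural problem of toxic waste in miniature.

```python
import secrets

# Added example (not Zcash's construction): a trusted-setup trapdoor in miniature.
# Toy group as before: P safe prime, Q = (P-1)/2 the subgroup order, G of order Q.
P, Q, G = 2039, 1019, 4

def setup_ceremony():
    """The ceremony samples t, publishes h = G^t and is supposed to erase t.
    Both are returned here only so the example can show the dishonest path."""
    t = secrets.randbelow(Q - 1) + 1
    params = {"g": G, "h": pow(G, t, P)}
    return params, t                          # t is the 'toxic waste'

def commit(params, value, blinding):
    """C = g^value * h^blinding (mod P): hides value, and binds only while log_g(h) is unknown."""
    return (pow(params["g"], value, P) * pow(params["h"], blinding, P)) % P

def opens_to(params, commitment, value, blinding):
    """What a verifier checks when the committer later reveals (value, blinding)."""
    return commit(params, value, blinding) == commitment

def equivocate(toxic_t, value, blinding, new_value):
    """With t known, C = g^(value + t*blinding). Choose new_blinding such that
    new_value + t*new_blinding == value + t*blinding (mod Q): the very same C
    now opens to a different value and the honest check above still passes."""
    t_inv = pow(toxic_t, Q - 2, Q)            # inverse mod prime Q (Fermat)
    return ((value - new_value) * t_inv + blinding) % Q

def demo():
    """Honest opening, an honest failed re-opening, and the toxic-waste forgery."""
    params, toxic = setup_ceremony()
    r = secrets.randbelow(Q)
    c = commit(params, 5, r)                  # honestly commit to the value 5
    honest = opens_to(params, c, 5, r)        # True
    wrong = opens_to(params, c, 500, r)       # False: binding works without t
    forged = opens_to(params, c, 500, equivocate(toxic, 5, r, 500))   # True: with t
    return honest, wrong, forged
```

At this toy size anyone can recover t by trying all 1019 exponents, so the group is for reading only; at real sizes t is unrecoverable, which is exactly why its destruction is the whole security argument. Zcash's parameters are pairing-based rather than a single exponent, but the shape of the risk is the same: public values with a secret relationship that must never be known to anyone after the ceremony.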

Now the "ARgument" part. zk-SNARKs are arguments rather than proofs in the strict sense: they are computationally sound, meaning the probability that a dishonest prover convinces the verifier of a false statement is negligible, but only under the assumption that the prover's computing power is bounded. A prover with enough computational power could, in principle, forge proofs, which is one reason a large quantum computer is considered by many to be a potential threat to zk-SNARKs and to blockchain systems generally.

The final letters, "of Knowledge", mean that a prover cannot construct a valid proof without actually holding the witness behind the statement.

zk-SNARK proofs can be verified quickly and are far smaller than a standard Bitcoin transaction. That opens a second use for the technology beyond privacy: compressing the verification of large computations, which makes it a candidate scalability solution as well.

 

zk-STARKs

zk-STARKs were created as an alternative to zk-SNARKs and are presented as a faster and more scalable way to build the same kind of proof. More importantly, a zk-STARK needs no trusted setup; that is what the "T", for transparent, refers to.

Technically, zk-STARKs can do without a trusted setup because they rely only on collision-resistant hash functions, both to commit to the prover's data and to derive the verifier's challenges, rather than on a structured set of public parameters. This also removes the number-theoretic assumptions behind zk-SNARKs, such as the hardness of the discrete logarithm problem, which are comparatively expensive to compute with and would be broken by a large quantum computer; hash-based constructions are believed to resist quantum attacks.
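What "rely only on a hash function" looks like in practice: the prover commits to a large table of data with a Merkle tree and later opens individual positions with short authentication paths, and the only public "parameter" is the hash function itself. The following is an added example, not StarkWare's or any STARK prover's code, written to show that commitment mechanism in isolation; the leaves are constructed sample data.

```python
import hashlib

# Added example (not StarkWare's code): a Merkle-tree commitment built from
# nothing but a collision-resistant hash. No secret is generated, so there is
# nothing to destroy: this is what "transparent" means in practice.

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

# Domain-separate leaves from inner nodes so a leaf can never be passed off as a node.
def leaf_hash(value: bytes) -> bytes:
    return H(b"\x00" + value)

def node_hash(left: bytes, right: bytes) -> bytes:
    return H(b"\x01" + left + right)

def merkle_levels(leaves):
    """All tree levels, bottom to top. Odd-length levels repeat their last node."""
    level = [leaf_hash(v) for v in leaves]
    levels = []
    while True:
        if len(level) > 1 and len(level) % 2 == 1:
            level = level + [level[-1]]
        levels.append(level)
        if len(level) == 1:
            return levels
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]

def commit(leaves) -> bytes:
    """The whole data set collapses to one 32-byte root: the commitment."""
    return merkle_levels(leaves)[-1][0]

def open_leaf(leaves, index):
    """Authentication path for one position: the sibling at each level, leaf to root."""
    path = []
    for level in merkle_levels(leaves)[:-1]:
        path.append((level[index ^ 1], index % 2 == 1))   # (sibling, am I the right child?)
        index //= 2
    return path

def verify_opening(root: bytes, value: bytes, path) -> bool:
    """The verifier recomputes the root from the claimed value and log2(n) siblings;
    it never sees the rest of the data and needs no parameters beyond the hash."""
    node = leaf_hash(value)
    for sibling, is_right in path:
        node = node_hash(sibling, node) if is_right else node_hash(node, sibling)
    return node == root

# Constructed sample data: five rows of a prover's table, deliberately not a power of two.
SAMPLE_LEAVES = [f"row {i}".encode() for i in range(5)]
```

Two practitioner caveats. Repeating the last node to pad an odd level means `[a, b, c]` and `[a, b, c, c]` commit to the same root; real systems also commit to the leaf count or pad with a fixed sentinel. And the domain-separation prefixes on `leaf_hash` and `node_hash` are not decoration: without them an attacker can present an inner node as a leaf, which is a known class of Merkle-tree bug.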

The "S" in zk-STARK stands for scalable: the prover's running time grows only quasi-linearly with the size of the computation being proved, and the verifier's running time grows polylogarithmically, so checking a large computation stays cheap even as the computation grows. In a zk-SNARK the proof and the verification cost are constant regardless of the computation, but proving becomes slow for large circuits and, in the constructions Zcash uses, the trusted setup is specific to each circuit. The trade-off is proof size: because they are built from hashes rather than from the compact algebraic objects zk-SNARKs use, zk-STARK proofs are typically tens of kilobytes, versus a few hundred bytes for a zk-SNARK. zk-STARKs therefore favour settings where prover speed and transparency matter more than on-chain bytes.

Both zk-SNARKs and zk-STARKs are attracting growing interest as privacy tools. In the cryptocurrency world these protocols have enormous potential to become a groundbreaking and widely used approach.