Zk-STARKs have long been touted as a replacement for Zcash’s Zk-SNARK system, for a simple reason: they don’t require the trusted setup, which (if compromised) could allow an attacker to mint an unlimited number of coins.
The Monero team was particularly vocal about this possibility, speculating in 2017 about including Zk-STARKs in the roadmap. Fluffypony even ‘promised’ a STARK-based sidechain on Twitter.
Now, as soon as we can reduce the zk-STARKs from their 133 GB memory requirement, we will build a zk-STARKs sidechain mixer for XMR 🙂
– Riccardo Spagni (@fluffypony) September 30, 2017
Zcash has gone so far as to put money on the line, with Electric Coin Co. investing in Starkware, whose co-founder, Dr. Eli Ben-Sasson, was a founding scientist of the ECC.
Zk-STARKs were considered “a myth” at the time, a cutting-edge technology still too far in the future. Recently, 0x made them a reality with OpenZKP, which should have been a wish come true, but a lot has changed in two years.
And that could mean major privacy coins will pass on STARKs completely.
Why is 0x developing STARKs?
0x builds an Ethereum-based decentralized exchange protocol, which is the backbone of DEXs such as Radar Relay. At the end of 2018, it partnered with Starkware, the lead developer of Zk-STARKs, to offer StarkDex, a proof of concept for a scalable decentralized exchange.
SNARKs and STARKs are presented as possible scaling tools for blockchain computation, thanks to the S for ‘Succinct’. Short proofs scale very well with the size of the secret they are meant to prove, improving performance.
This feature was exploited for StarkDex by moving the majority of the computation for exchange transactions off-chain, using zero-knowledge STARK proofs to verify that they were computed correctly.
The sudden release of OpenZKP seems to indicate that 0x ‘supports’ STARKs, but their applications could go beyond simply scaling DEXs.
Is STARK the bane of existing privacy coins?
Despite all the previous hype, STARKs were met with a lukewarm reception from the top privacy coin teams.
“STARKs are not a direct or obvious progression from SNARKs, but rather occupy a different point in the design space,” explains George Tankersley, director of engineering at the Zcash Foundation.
The technology has evolved over the past couple of years, with several usability improvements being made to Zcash’s algorithm. “We are actually happy with the proof system we are using now, which is a SNARK called Groth16,” continued Tankersley. “STARK proofs are much larger and slower than Groth16 proofs, so the question is, are we ready to make this trade-off for transparency and post-quantum security?”
But while STARKs seem to leave a lot to be desired in terms of optimization, even their trustlessness is not unique.
“On this point [transparency], it is too early to choose. There has been an explosion of research targeting these features this year: Sonic and Marlin dramatically improve the trust configuration issue while Halo and Fractal address transparency AND recursion, which is important for scaling,” Tankersley added.
“By the time we can make a solid judgment there will probably be something other than STARKs that we want to use,” he concluded.
Members of the Monero Research Lab have also been cautious in their discussions of Zk-STARKs. While a general consensus on the specific implementation of OpenZKP is yet to be formed, they highlighted several issues with STARKs in general.
“Certainly, the idea of effective generalized zero-knowledge proof systems whose strength does not depend on third-party trust is excellent,” prefaced a member of the Monero Research Lab. “But all the formalizations that I have seen in the preprints / articles all have [sic] suffered from proof size issues.”
“Right now, you can’t really get everything: without trust, quick proof, quick verification, little evidence,” stressed the member.
The proof systems currently used by Monero and Zcash each meet only half of these qualities, and STARKs are no exception. Large proof sizes lead to heavy blockchains, an issue that plagued Monero before Bulletproofs.
MRL also considers all three systems to fall short in terms of prover complexity, but improvements may make some of them acceptable.
So it becomes a matter of preference, and the initial reaction suggests that the STARK ship has sailed for existing privacy coins, although a hypothetical StarkCash project could still compete, in theory.
The representative of MRL remains optimistic about the general trend. “Advances in the demonstration of systems are excellent because they provide flexibility in the frameworks available for the creation of transaction protocols,” he concluded.