Zk-STARKs Arrive: But Is The Privacy Coin Tech Even Needed?
Zero-knowledge without the trusted setup, what else could you need?
Zk-STARKs have been long hyped up as a replacement for Zcash’s Zk-SNARK system, for one simple reason: they don’t require the trusted setup, which (if compromised) could allow an attacker to mint unlimited coins.
The Monero team has been especially vocal about that possibility, speculating in 2017 on including Zk-STARKs in the roadmap. Fluffypony even ‘promised’ a STARK-based sidechain on Twitter.
Now as soon as we can get zk-STARKs down from their 133gb memory requirement then we'll build a zk-STARKs sidechain mixer for XMR:)
— Riccardo Spagni (@fluffypony) September 30, 2017
Zk-STARKs were considered “a myth” at the time, a cutting-edge technology still too far away in the future. Recently, 0x made it a reality through OpenZKP, which should have been a wish come true, but a lot has changed in two years.
And that could mean that the major privacy coins will pass on STARKs altogether.
Why is 0x developing STARKs?
0x is building an Ethereum-based decentralized exchange protocol, which forms the backbone of DEXes such as Radar Relay. In late 2018 it teamed up with Starkware, the chief developer of Zk-STARKs to propose StarkDex, a proof of concept for a scalable decentralized exchange.
Both SNARK and STARK are touted as possible scaling tools for blockchain computations, thanks to the S for ‘Succinct’ part. Succinct proofs scale very well with the size of the secret they’re meant to be proving, enhancing performance.
This feature was exploited for Starkdex by offloading the majority of the computation for exchange trades off-chain, using a zero-knowledge STARK proof to verify that they were computed correctly.
The sudden release of OpenZKP seems to indicate that 0x has ‘taken over’ the STARK industries – but their applications could go beyond just scaling DEXes.
Is STARK the bane of existing privacy coins?
Despite all the previous hype, STARKs found a lukewarm reception by leading privacy coin teams.
“STARKs are not a direct or obvious progression from SNARKs, but rather they occupy a different point in the design space,” explains George Tankersley, Director of Engineering at Zcash Foundation.
Technology has moved on in the past two years, as several usability improvements were made to Zcash’s algorithm. “We’re actually happy with the proof system we currently use, which is a SNARK called Groth16,” continued Tankersley. “STARK proofs are much larger and slower than Groth16 proofs, so the question is: are we willing to make that tradeoff for transparency and post-quantum security?”
But while STARKs appear to have much to be desired in terms of optimization, even their trustlessness is not unique.
“On that point [transparency], it’s just too soon to choose. There’s been an explosion of research targeting these features this year: Sonic and Marlin both greatly improve on the trusted setup problem while Halo and Fractal are addressing transparency AND recursion, which is important for scaling,” Tankersley added.
“By the time we can make a solid judgement, there will probably be something other than STARKs we’d want to use,” he concluded.
Members of the Monero Research Lab have also been cautious in discussing Zk-STARKs. While a general consensus on the specific OpenZKP implementation is yet to be formed, they highlighted several issues with STARKs in general.
“Certainly the idea of efficient generalized zero-knowledge proving systems whose soundness doesn’t depend on third-party trust is great,” prefaced a Monero Research Lab member. “But all the formalizations I’ve seen in preprints/papers have all [sic] suffered from proof size problems.”
“Right now you can’t really get it all: trust-free, fast proving, fast verifying, small proofs,” the member emphasized.
Proving systems currently used by Monero and Zcash each fulfill only half of those qualities; and STARKs are not an exception. Large proof sizes result in heavy blockchains, an issue afflicting pre-Bulletproofs Monero.
MRL also considers all three systems to be weak in terms of prover complexity, but improvements can make some of them acceptable.
It thus becomes a matter of preference, and the initial reaction suggests that the STARKs boat has sailed for existing privacy coins, though a hypothetical StarkCash project could still compete, in theory.
The MRL representative was still optimistic about the general trend. “Advances in proving systems are great because they provide flexibility in the frameworks available for building transaction protocols,” he concluded.