ZK-rollup is a rollup-based scaling technology that has taken off in the blockchain world. It helps a system keep its security while reducing costs and transaction time by executing and compressing transactions at layer 2.
What are ZK-Rollups?
About Zero-Knowledge proof: the method by which one party (the prover) can prove to another (the verifier) that a certain statement is true while avoiding conveying any additional information beyond the fact that the statement is true.
The essence of zero-knowledge proof is to prove that one possesses knowledge of some piece of information without disclosing it.
Two of the most prominent zero-knowledge technologies today are zk-STARK and zk-SNARK. Both are acronyms for the method by which the two parties prove their knowledge: zk-STARK stands for zero-knowledge scalable transparent argument of knowledge, and zk-SNARK stands for zero-knowledge succinct non-interactive argument of knowledge.
Both zero-knowledge technologies are non-interactive in nature, meaning that the code can be deployed and operated independently. However, there are core differences between these two zero-knowledge technologies from both cultural and technical perspectives.
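To make the prover/verifier roles and the word "non-interactive" concrete, here is an added example (not code from the original post) of the classic Schnorr proof of knowledge of a discrete logarithm. The prover convinces the verifier that it knows x with G^x = y without revealing x; the interactive three-move version is shown first, then the Fiat-Shamir transform turns it into a single message, which is the sense in which SNARKs and STARKs are non-interactive. The group parameters P, Q, G are toy values constructed for illustration and are far too small for real use; the simulator at the end shows why an accepting transcript leaks nothing about x.

```python
import hashlib
import secrets

# Toy group parameters, constructed for this illustration only (far too small for real use):
# P is a safe prime, Q = (P - 1) / 2 is prime, and G generates the subgroup of order Q.
P = 1019
Q = 509
G = 4
assert G != 1 and pow(G, Q, P) == 1


def keygen():
    """Prover picks a secret x; the public statement is 'I know x such that G^x = y mod P'."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


# --- Interactive sigma protocol (three moves: commit, challenge, respond) ---

def prover_commit():
    """Prover samples a fresh nonce r and sends the commitment t = G^r."""
    r = secrets.randbelow(Q - 1) + 1
    return r, pow(G, r, P)


def verifier_challenge():
    """Verifier replies with a random challenge c."""
    return secrets.randbelow(Q)


def prover_respond(x, r, c):
    """Prover answers s = r + c*x mod Q; x stays hidden behind the random r."""
    return (r + c * x) % Q


def verifier_check(y, t, c, s):
    """Accept iff G^s == t * y^c (mod P)."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def run_interactive(x, y):
    r, t = prover_commit()
    c = verifier_challenge()
    s = prover_respond(x, r, c)
    return verifier_check(y, t, c, s)


# --- Non-interactive version via the Fiat-Shamir transform ---

def fiat_shamir_challenge(y, t):
    """Derive the challenge by hashing the statement and commitment; no verifier message is needed."""
    digest = hashlib.sha256(f"{P}|{G}|{y}|{t}".encode()).digest()
    return int.from_bytes(digest, "big") % Q


def prove_ni(x, y):
    r, t = prover_commit()
    c = fiat_shamir_challenge(y, t)
    return t, prover_respond(x, r, c)


def verify_ni(y, proof):
    t, s = proof
    return verifier_check(y, t, fiat_shamir_challenge(y, t), s)


# --- Zero knowledge: a simulator that does not know x still produces accepting transcripts ---

def simulate_transcript(y):
    """Pick c and s first, then solve for t = G^s * y^(-c); the distribution matches a real run."""
    c = secrets.randbelow(Q)
    s = secrets.randbelow(Q)
    y_inv_c = pow(y, (Q - c) % Q, P)   # y^(-c), using the fact that y^Q = 1
    t = (pow(G, s, P) * y_inv_c) % P
    return t, c, s


if __name__ == "__main__":
    x, y = keygen()
    print("interactive accepted:", run_interactive(x, y))
    print("non-interactive accepted:", verify_ni(y, prove_ni(x, y)))
    t, c, s = simulate_transcript(y)
    print("simulated transcript accepted:", verifier_check(y, t, c, s))
```

The verifier only ever sees (t, c, s); because the simulator can produce such triples without x, the transcript carries no information about the secret, which is the "without disclosing it" property described above.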
ZK-SNARK (Zero-Knowledge Succinct Non-interactive Argument of Knowledge)
In January 2012, a professor named Alessandro Chiesa co-authored a paper that coined the term zk-SNARK for proofs of zero knowledge that they had first constructed. Zk-SNARKs at their base depend on elliptic curves for security. Elliptic curves in cryptography operate under the basic assumption that it is not feasible to find the discrete logarithm of a random elliptic curve element with respect to a publicly known base point.
Elliptic curves in cryptography:
Although there has been much debate about whether there is a backdoor in elliptic-curve random number generators, the algorithm itself is generally considered safe. Some implementations are exposed to side-channel attacks, but these are well understood and easily mitigated through a number of techniques. Quantum attacks on elliptic-curve cryptography exist in theory, but the quantum computers required to break its security model are not yet widely available.
In addition to being based on elliptic curves, zk-SNARK also requires a trusted setup. A trusted setup refers to the initial generation of the keys used to create the proofs for private transactions and to verify those proofs. When those keys are generated, a hidden parameter links the verification key and the proving key. If the secrets used to generate these keys in the trusted setup ceremony are not destroyed, they can be used to forge proofs that verify, giving their holder the ability to perform actions such as creating new tokens out of thin air and spending them. Because of the privacy properties of zk-SNARKs, there would be no way to tell that such tokens were created out of thin air.
Therefore, users of a SNARK-based network must rely on the trusted setup having been performed properly, which means that the secrets associated with the trusted setup keys were destroyed and not retained or compromised by the individuals overseeing the ceremony. This reliance on a trusted setup is one of the areas of greatest concern for critics of SNARKs.
Projects that build SNARK-based scaling solutions, such as zkSync, benefit from the SNARK community being very large.
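The "toxic waste" risk of a trusted setup can be shown with a much simpler primitive than a full SNARK. The following is an added example, not code from the original post, using a Pedersen commitment as a stand-in for the SNARK proving/verification keys: the ceremony samples a trapdoor tau and publishes h = G^tau. If tau is destroyed, a commitment binds its creator to one value; if tau is retained, the holder can reopen the same commitment to any value, which is the commitment-level analogue of forging proofs and minting tokens out of thin air. The group parameters are toy values constructed for illustration only.

```python
import secrets

# Toy safe-prime group, constructed for illustration only: P prime, Q = (P-1)/2 prime, G of order Q.
P, Q, G = 1019, 509, 4


def trusted_setup():
    """Ceremony: sample a secret trapdoor tau and publish h = G^tau.
    Honest participants destroy tau; returning it here models the case where it was kept."""
    tau = secrets.randbelow(Q - 1) + 1
    h = pow(G, tau, P)
    return h, tau


def commit(h, value, blinding):
    """Pedersen commitment C = G^value * h^blinding (mod P)."""
    return (pow(G, value, P) * pow(h, blinding, P)) % P


def opens_to(h, c, value, blinding):
    """Anyone can check that a claimed (value, blinding) pair matches commitment c."""
    return commit(h, value, blinding) == c


def equivocate(tau, value, blinding, new_value):
    """With the leaked trapdoor, compute a blinding that opens the same commitment to new_value.
    Since C = G^(value + tau*blinding), solve value + tau*b = new_value + tau*b' for b'."""
    tau_inv = pow(tau, Q - 2, Q)          # inverse of tau mod the prime Q
    return (blinding + (value - new_value) * tau_inv) % Q


def demo(balance=42, forged_balance=1000):
    """Commit to a balance, then show what a retained trapdoor allows.
    Returns (honest opening accepted, trapdoor-forged opening accepted, naive wrong opening accepted)."""
    h, tau = trusted_setup()
    r = secrets.randbelow(Q)
    c = commit(h, balance, r)
    r_forged = equivocate(tau, balance, r, forged_balance)
    honest_ok = opens_to(h, c, balance, r)
    forged_ok = opens_to(h, c, forged_balance, r_forged)
    naive_ok = opens_to(h, c, forged_balance, r)   # without tau, a wrong value does not open
    return honest_ok, forged_ok, naive_ok


if __name__ == "__main__":
    print("honest, forged-with-trapdoor, forged-without-trapdoor:", demo())
```

The verifier cannot distinguish the forged opening from the honest one; nothing in the public values reveals that tau was ever used. That is why the page's point about destroying the ceremony secrets matters: the only defence is that tau never existed in anyone's hands after setup.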
Pros:
+ Smaller proof size
+ Smaller verification time
+ Bigger developer community and libraries (longer in the game)
Cons:
- Require trusted setup (honest participants needed)
- Longer prover time
- Not secure against quantum computers
- Strong crypto assumptions
ZK-STARK (Zero-Knowledge Scalable Transparent Argument of Knowledge)
Eli Ben-Sasson, Iddo Bentov, Yinon Horesh, and Michael Riabzev wrote the first papers describing STARKs in 2018. Unlike SNARKs, the underlying technology of STARKs relies on hash functions. Right off the bat, relying on hash functions offers a number of benefits, such as quantum resistance. Furthermore, no trusted setup is required to start using STARKs in a network.
ZK-STARKs do not rely on public-private key pairs (such as ECDSA), but on collision-resistant hashing for the interactive version (which Grover's algorithm is not expected to break) and on the random oracle model (a commonly used idealized model of cryptographic hash functions, in which the oracle's output is assumed to be truly random) for non-interactive proofs (zk-nSTARK, n = non-interactive), so ZK-STARKs are considered resistant to quantum computer attacks.
Many flavors of proof systems:
STARK has a much larger proof size than SNARK, which means that STARK verification takes longer than SNARK and also results in STARK needing more gas.
In addition, STARKs are harder for developers to adopt because developer and community documentation is still scarce. Although several projects build STARK-based scaling solutions, such as StarkWare, the SNARK community is still much larger.
Pros:
+ Quantum resistant
+ Assumptions: Collision-resistant hashes (less likely to be attacked)
+ No trusted setup required
+ Vocal support from the Ethereum foundation
+ More scalable in terms of computational speed
Cons:
- Far larger proof size = more gas
- Small developer community because it is new
ZK-SNARK vs. ZK-STARKS
Transparency
ZK-STARKs do not require any external trusted setup phase. They use publicly verifiable randomness, so no party can obtain secret setup parameters. The public verifiability of the proofs themselves also prevents the creation of false proofs.
In the case of ZK-SNARKs, you have to go through a mandatory trusted setup phase. For example, one of the notable cryptocurrencies using ZK-SNARKs, Zcash, requires users to set up a genesis block and ensure its security.
While the initial setup phase may seem like a formality, it has many potential consequences. For example, users must place their trust in the initial setup phase along with the parties involved in setting up the system. In such cases, ZK-SNARK is not the best zero-knowledge protocol due to the fact that the initial setup phase may have been compromised or will be in the future.
Scalability
First of all, ZK-STARKs reduce the algebraic representations and the computational work involved in proof generation and verification. Optimizing the arithmetic and computational complexity provides the ideal foundation for improving scalability.
The reduced arithmetic complexity of ZK-STARKs makes them the winner of the zk-snarks vs. zk-starks debate. They are almost 8 to 10 times faster than ZK-SNARK in terms of the computational size required to generate proofs.
Safety against Quantum Attacks
ZK-SNARKs depend on public-key methods such as ECDSA and RSA to generate public-private key pairs. Advances in quantum computing have led to new algorithms that can break such schemes.
On the other hand, ZK-STARKs use collision-resistant hash functions and the random oracle model. They also use Merkle trees, which further improve resistance to quantum attacks. These cryptographic principles help improve ZK-STARKs' resilience to quantum computing attacks.
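The hash-based, setup-free commitment that STARKs build on (mentioned above and in the earlier paragraph on collision-resistant hashing) is a Merkle tree. The following is an added example, not code from the original post or from any STARK implementation, of a Merkle tree over a constructed batch of layer-2 transactions: the prover commits to the whole batch with one 32-byte root, and a verifier checks that any single transaction is in the batch from a logarithmic-size authentication path. The only assumption is SHA-256 collision resistance; there is no trapdoor and no ceremony, which is the "transparent" property the page attributes to STARKs. Names and sample transactions are this example's own.

```python
import hashlib

# Constructed sample batch of layer-2 transactions (illustration only)
SAMPLE_TXS = [b"alice->bob:5", b"bob->carol:2", b"carol->dave:7", b"dave->erin:1", b"erin->alice:3"]


def H(data):
    return hashlib.sha256(data).digest()


def leaf_hash(leaf):
    return H(b"\x00" + leaf)            # domain-separate leaves from internal nodes


def node_hash(left, right):
    return H(b"\x01" + left + right)


def _pad(level):
    # Duplicate the last node when a level has odd length
    return level + [level[-1]] if len(level) % 2 else level


def build_levels(leaves):
    """levels[0] is the leaf hashes; levels[-1] holds the single root."""
    level = [leaf_hash(x) for x in leaves]
    levels = [level]
    while len(level) > 1:
        padded = _pad(level)
        level = [node_hash(padded[i], padded[i + 1]) for i in range(0, len(padded), 2)]
        levels.append(level)
    return levels


def merkle_root(leaves):
    return build_levels(leaves)[-1][0]


def merkle_proof(leaves, index):
    """Authentication path for leaves[index]: list of (sibling_hash, sibling_is_on_right)."""
    proof = []
    for level in build_levels(leaves)[:-1]:
        padded = _pad(level)
        proof.append((padded[index ^ 1], index % 2 == 0))
        index //= 2
    return proof


def verify_proof(root, leaf, proof):
    """Verifier recomputes the root from the leaf and O(log n) sibling hashes; no secret, no setup."""
    h = leaf_hash(leaf)
    for sibling, sibling_on_right in proof:
        h = node_hash(h, sibling) if sibling_on_right else node_hash(sibling, h)
    return h == root


if __name__ == "__main__":
    root = merkle_root(SAMPLE_TXS)
    proof = merkle_proof(SAMPLE_TXS, 2)
    print("root:", root.hex())
    print("proof length:", len(proof), "valid:", verify_proof(root, SAMPLE_TXS[2], proof))
    print("tampered leaf accepted:", verify_proof(root, b"carol->dave:700", proof))
```

Forging a membership proof for a transaction that is not in the batch requires finding a SHA-256 collision, and Grover's algorithm only halves the effective bit-security of that search, which is the reason the page gives for STARKs' quantum resistance.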
General comparison between the two technologies: