“A myth,” that’s what one developer called it.
At a meeting of the team behind the monero cryptocurrency last week, suspicion was high about a new item on the roadmap – so-called “zk-starks.” Described as a “trustless” solution to a problem that’s long prevented anonymous blockchains, to some of the developers assembled it sounded like fantasy.
But while the blockchain industry is certainly no stranger to outlandish claims, the cryptographic technique is perhaps setting records in the levels of eyebrow-raising it has triggered. Heralded as a more secure version of zk-snarks, the creators of zk-starks claim their cryptography can remove the need for the contentious “trusted setup” necessary with the previous iteration of the idea.
Stepping back, zk-snarks are an evolution of a cryptographic technique first described in the 1980s. While seemingly complex, the idea is simple at heart – zero-knowledge proofs enable parties to verify if a statement is correct without receiving anything more than a true-or-false statement. In the blockchain world, the idea has become most often associated with zcash, the first large-scale blockchain that baked the cryptographic tool into its protocol layer.
But, while heralded at the time as a breakthrough, the platform’s use of zk-snarks left room for improvement. For one, there’s the fact that there’s no way to tell with any real certainty that the elaborate procedure used to set up the cryptocurrency wasn’t in some way compromised.
A year after the launch, the zcash team is still putting out audits on the matter. Yet as critics point out, their results, while helpful in mitigating doubts, can’t ever be conclusive.
Should zk-starks be able to remove this roadblock – the impact could be felt far and wide. While there may be little that seems to unite the diverse developers working on private and public cryptocurrencies, privacy has emerged as perhaps a universal touchpoint.
Groups as diverse as banking consortium R3 and ethereum have had zk-snarks on their list for exploration, despite their different needs and technologies.
And zk-starks could find a similarly broad reception – the new technology promises to be cheaper, faster, more scalable and more secure than zk-snarks.
Slowing emerging
But despite the possibilities, little information about zk-starks has been published to date.
First presented at an ethereum meetup back in January, the team behind the tech – comprised of researchers associated with zcash – are still working to complete the code. To date, just one aspect, called the FSA algorithm, is available online.
One of the team’s more public figures is Eli Ben-Sasson, a professor at the Technion Institute of Technology in Israel, who helped pioneer zk-snarks back in 2015 and whose work draws on a long lineage of computer scientists dealing with zero-knowledge proofs.
Speaking to CoinDesk, Ben-Sasson said he was “a big believer in transparent proofs,” and has been “passionately researching” the topic for 15 years. Still, he summarises the challenge he faces in building zero-knowledge designs as one that’s core to cryptography.
As he explains:
“Hiding information is very easy using encryption. The hard part is proving and maintaining integrity under the veil of encryption.”
Perhaps because of this, Ben-Sasson admits the issues inherent in the zk-snarks used to establish the zcash blockchain, believing the technology is too risky for valuable or business-sensitive information.
With zk-starks, however, he sees room for big improvements.
The stakes
One of the key problems zk-starks can solve relates to the need for zero-knowledge blockchains to create a “master key,” according to Ben-Sasson.
In the case of zcash, it’s believed the key was destroyed, but the implications that it could be out there are chilling. For one, this key would allow a bad actor to forge false payments and completely ruin the integrity of the blockchain. Further, in order to destroy the key, a coordinated effort is required in what is known as the trusted setup.
But this setup is complicated to perform securely. For one, it’s difficult to verify it really happened, because it can’t have any witnesses (anyone viewing the ceremony could reversibly generate the key).
When zcash performed its ceremony, the team went to great lengths to ensure it wasn’t compromised, but it’s next to impossible to completely secure. And for a high-profile entity like a bank, there’d simply be too much interest in trying to sabotage it.
Ben-Sasson said:
“There’s going to be a huge incentive for governments and central organizations to try a put their hands on this key that will allow them to write a cheque for any amount … with increased value there is increased incentive to attack.”
Zk-starks seek to remove this risk, and in the process, take a lot of the heavy machinery associated with zk-snarks with it. Unlike zk-snarks, zk-starks don’t rely on public key cryptography at all.
Actually, all zk-starks need to function is one algorithm similar to that performed by computers when mining the bitcoin blockchain.
However, while mining involves the same encryption pattern repeatedly, zk-starks use random numbers so the steps involved cannot be predicted.
The use of a single algorithm is minimal compared to zk-snarks, which by contrast relies on a cluster of the tools. The impact of is that while a zk-snark takes about 28 minutes and 18.9GB to compute, a zk-stark promises to reduce calculation time down to a fraction of a second, and storage down to 1.2MB.
Monero’s motives
And monero’s interest in the scheme, while early, is perhaps proof that there might be further development of the concept across blockchain communities.
One of the more innovative privacy-focused blockchains, monero uses entirely different cryptography than zcash based on a combination of stealth addresses and ring signatures. Rather than use zero-knowledge systems, the cryptocurrency offers privacy by heavily distorting information.
Because its system is well-functioning today, it arguably hasn’t had a need for zero-knowledge proofs, but the idea that the network could further toughen privacy measures is leading the developer team to consider it.
Currently, zk-snarks are being considered for sidechains which would increase privacy by allowing payments to occur from separate blockchains –and which would then self-destruct following the transaction.
But to implement the idea, monero would have to face the problem of the trusted set up – making the zk-starks concept an enticing one.
So enticing, in fact, that lead developer Riccardo Spagni, who has called zcash “a complete security farce” – seems willing to look past the rivalry toward a common goal. He describes zk-starks as “preferable” and told CoinDesk that monero will be looking to integrate the tech if and when it’s usable.
And they’re not the only ones who have problems will the trusted setup. If ethereum is to implement zk-snarks as formerly planned, it’ll have to run an equivalent of the zcash security ceremony – but one that can scale to thousands of participants.
Such complications show that the concept is one that meets a compelling need – one likely to be further developed in a new white paper published in the next year.