Real World Crypto 2021 - Session 11: Invited Talk
zkp.science – a list of resources about zero-knowledge proofs.
His pitch: “Blockchains == Inclusive Accountability”, but they sacrifice privacy and scalability. ZK-STARKs solve both problems, because anyone can download the chain and verify.
SNARK = Succinct, Non-Interactive ARgument of Knowledge
STARK = Scalable, Transparent ARgument of Knowledge
Solving for scalability
- ZKPs go back to 1985. Explosion of implementations since.
- see blog post A Cambrian explosion of ZKPs
- STARKs vs SNARKs
ZK-STARKs: they can solve scale and privacy - in theory, and in practice!
- but how to make them accessible to all?
Why can’t blockchains meet the txns per sec that VISA et al can? He claims: VISA runs big iron that can do 10,000s txns/sec, but your laptop can’t.
ZK proof recap:
- privacy is from ZK: the prover’s private inputs are shielded
- scalability comes from the prover running in linear time and generating a proof that is exponentially smaller than the amount of data the prover had to process. The verifier has exponentially small (‘poly-log’) running time
On a blockchain: verifiers only need to see a Merkle root hash of all txns. They see the previous root, the proposed new root, and a proof, and checking this can be done very quickly. Only the prover has to see all the individual txns.
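An added example, not from the talk: it shows only the Merkle commitment side of the paragraph above (a 32-byte root standing in for all txns, and checks that cost log2(n) hashes), not the STARK proof that the root transition is valid. The function names, the domain-separation bytes and the sample transactions are assumptions made for illustration.

```python
import hashlib
import hmac

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

EMPTY = h(b"\x02")  # padding node; cannot collide with a leaf or inner node

def merkle_levels(txns):
    """All tree levels, leaves first; odd-length levels are padded with EMPTY."""
    if not txns:
        raise ValueError("empty batch")
    level, levels = [h(b"\x00" + t) for t in txns], []   # 0x00 prefix = leaf
    while True:
        if len(level) > 1 and len(level) % 2:
            level = level + [EMPTY]
        levels.append(level)
        if len(level) == 1:
            return levels
        level = [h(b"\x01" + level[i] + level[i + 1])    # 0x01 prefix = inner
                 for i in range(0, len(level), 2)]

def merkle_root(txns) -> bytes:
    return merkle_levels(txns)[-1][0]

def prove(txns, index):
    """Prover side: needs every txn, emits one sibling hash per level."""
    path = []
    for level in merkle_levels(txns)[:-1]:
        path.append(level[index ^ 1])
        index //= 2
    return path

def verify(root: bytes, txn: bytes, index: int, path) -> bool:
    """Verifier side: holds only the root, does len(path) hashes."""
    node = h(b"\x00" + txn)
    for sibling in path:
        pair = sibling + node if index & 1 else node + sibling
        node = h(b"\x01" + pair)
        index //= 2
    # index must be fully consumed, else out-of-range positions alias real ones
    return index == 0 and hmac.compare_digest(node, root)

def demo():
    # Constructed sample batch: 1000 txns, then one more appended.
    txns = [f"tx-{i}: constructed sample".encode() for i in range(1000)]
    prev_root = merkle_root(txns)
    txns.append(b"tx-1000: constructed sample")
    new_root = merkle_root(txns)
    path = prove(txns, 1000)
    return prev_root != new_root, len(path), verify(new_root, txns[1000], 1000, path)
```

For 1001 txns the path is 10 hashes (320 bytes), while the prover had to read the whole batch to produce it.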
Transparency is the T in ZK-STARK. [“Arthur–Merlin protocol”](https://en.wikipedia.org/wiki/Arthur%E2%80%93Merlin_protocol)
SNARK - S = succinct; N = Non-Interactive (set-up may require huge computation time and must be highly trusted; remember zcash genesis?). He calls the need for these properties ‘toxic’ and claims that ZK-STARK is ‘non-toxic’.
Cairo: MVL (minimal viable language) for production STARK systems
If you write your code in Cairo, then you get a ZKP verifier for free as part of Cairo.
This has been launched on the Ethereum test net.