zk-STARKs Definition: zk-STARKs are cryptographic proofs that allow one party to prove a computation was performed correctly without revealing any of its inputs, designed to require no trusted setup and to remain secure even against attackers with quantum computers. The acronym stands for Zero-Knowledge Scalable Transparent Arguments of Knowledge — scalable because verification cost grows much more slowly than the computation proved, and transparent because no secret parameters need to be generated in advance.
What Are zk-STARKs?
zk-STARKs were introduced in a 2018 paper by Eli Ben-Sasson, Iddo Bentov, Yinon Horesh, and Michael Riabzev. The motivation was to address two specific weaknesses of zk-SNARKs that had limited their adoption. First, every zk-SNARK system requires a trusted setup ceremony — a process that generates cryptographic keys from random values that must be destroyed afterwards — and if any participant retains those values, they can forge proofs. Second, the cryptography underlying zk-SNARKs relies on the hardness of elliptic curve discrete logarithm problems, which are known to be broken by sufficiently powerful quantum computers.
zk-STARKs replace both of these foundations. They rely only on collision-resistant hash functions — the same primitives used in Bitcoin mining — for their security. There is no trusted setup ceremony at all; the public parameters are simply published, and there are no secret values to destroy. The proofs are quantum-resistant in the sense that no known quantum algorithm reduces their security to a level that matters in practice. These are meaningful improvements for systems that need to remain secure for decades into a future where the cryptographic landscape may change.
The cost of these gains is proof size. A zk-STARK proof is typically 40 to 200 kilobytes, compared to the 200 bytes of a zk-SNARK. For applications where verification happens on a blockchain and block space is precious, that is a significant difference. Whether the trade-off makes sense depends on the application — for large computations being proved infrequently, the larger proof is acceptable; for small computations being proved constantly, zk-SNARKs are still usually preferred.
How Do zk-STARKs Work?
The technical mechanism behind zk-STARKs is built around two layers. The first encodes the computation being proved as an algebraic relationship between polynomials, similar in spirit to zk-SNARKs but using different mathematical objects. The second uses a proximity test called FRI (Fast Reed-Solomon Interactive Oracle Proof of Proximity) to convince the verifier that those polynomials have the right structure. The verifier samples a small number of random points and checks consistency at those points; the probability of accepting an invalid proof is exponentially small in the number of samples.
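The spot-check idea behind FRI can be shown with one folding round; this is an added example, not code from the original page or from any STARK implementation. It tests a committed table of evaluations against its half-size "folded" successor at hash-derived positions. Assumptions: the prime 998244353, the 64-point domain, the polynomial coefficients and the `run` helper are constructed for illustration, and hashing the whole layer stands in for the Merkle root a real prover would publish.

```python
import hashlib

P = 998244353                  # constructed choice: prime with primitive root 3
N = 64                         # evaluation domain size (power of two)
HALF = N // 2
W = pow(3, (P - 1) // N, P)    # element of multiplicative order N
DOMAIN = [pow(W, i, P) for i in range(N)]   # DOMAIN[i + HALF] == -DOMAIN[i] mod P
INV2 = pow(2, P - 2, P)

def evaluate(coeffs, x):       # Horner evaluation, lowest coefficient first
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def challenge(layer):
    """Fiat-Shamir challenge: hash of the committed layer (stand-in for a Merkle root)."""
    digest = hashlib.sha256(repr(layer).encode()).digest()
    return int.from_bytes(digest, "big") % P

def fold_at(layer, beta, i):
    """Value the next layer must hold at index i: f_even(x^2) + beta * f_odd(x^2)."""
    a, b = layer[i], layer[i + HALF]                     # f(x) and f(-x)
    even = (a + b) * INV2 % P
    odd = (a - b) * INV2 % P * pow(DOMAIN[i], P - 2, P) % P
    return (even + beta * odd) % P

def fold(layer, beta):
    return [fold_at(layer, beta, i) for i in range(HALF)]

def reject_fraction(layer0, layer1, beta):
    """Fraction of positions at which the consistency check would fail."""
    return sum(layer1[i] != fold_at(layer0, beta, i) for i in range(HALF)) / HALF

def verify(layer0, layer1, beta, queries):
    """Spot-check `queries` hash-derived positions instead of reading every value."""
    seed = hashlib.sha256(repr((layer0, layer1)).encode()).digest()
    picks = [hashlib.sha256(seed + bytes([q])).digest()[0] % HALF for q in range(queries)]
    return all(layer1[i] == fold_at(layer0, beta, i) for i in picks)

COEFFS = [5, 1, 4, 2, 8, 3, 9, 7]            # constructed polynomial, degree < 8
HONEST = [evaluate(COEFFS, x) for x in DOMAIN]

def run(corrupted=0):
    """Commit to a word that is wrong at `corrupted` positions (0 = honest prover)
    while still sending the fold of the honest polynomial as the next layer."""
    word = [(v + 1) % P if i < corrupted else v for i, v in enumerate(HONEST)]
    beta = challenge(word)
    return word, fold(HONEST, beta), beta
```

With `run(16)` half of the 32 query positions are inconsistent, so a verifier making k queries accepts with probability about (1/2)^k. A full FRI run repeats the fold until the layer is small enough to check directly.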
Consider a concrete use case. Starknet, the largest zk-STARK-based Layer 2 network on Ethereum, processes thousands of user transactions off-chain and produces a single zk-STARK proof that all of them were valid. The proof is then verified on Ethereum mainnet by a smart contract that runs the STARK verification algorithm. The cost of verifying one proof is roughly fixed regardless of how many transactions it covers, which means the per-transaction cost on the underlying chain drops as the batch grows. A batch covering 10,000 transactions has roughly the same on-chain verification cost as one covering 100, but the gas cost spread across 10,000 transactions is far lower per user.
The transparency property — no trusted setup — has a practical security implication. zk-SNARK systems that rely on multi-party setups must convince users that at least one participant in the original ceremony was honest. zk-STARK systems make no such request. The public parameters are simply published, anyone can verify how they were derived, and there is no possibility of a forger having retained a hidden trapdoor. For protocols that need to remain credible over very long time horizons, this is a meaningful simplification.
zk-SNARKs vs zk-STARKs
| | zk-SNARKs | zk-STARKs |
|---|---|---|
| Proof size | Roughly 200 bytes | 40 to 200 kilobytes |
| Trusted setup | Required (some variants need it only once) | None |
| Cryptographic basis | Elliptic curve pairings | Hash functions only |
| Quantum resistance | Vulnerable to known quantum attacks | Considered post-quantum secure |
| Verification time | Milliseconds for small inputs | Logarithmic in computation size |
| Examples in production | Zcash, zkSync, Polygon zkEVM, Linea | Starknet, Polygon Miden, several others |
Why Are zk-STARKs Important for Traders?
For users of zk-rollups and other zero-knowledge systems, the choice between zk-SNARK and zk-STARK technology affects two practical properties: long-term security and cost structure. zk-STARKs are designed for systems that need to remain secure for decades, including against the possibility of quantum computers powerful enough to break elliptic-curve cryptography. zk-SNARKs offer smaller and cheaper proofs today but inherit a small theoretical risk from the trusted setup and a much larger long-term risk from advances in quantum computing. Both approaches anchor their security in a base chain — typically secured by proof-of-stake or proof-of-work — and inherit that chain’s settlement guarantees.
The structural limitation of zk-STARKs is proof size, which translates directly into higher costs on the chain where verification happens. A Starknet batch verification on Ethereum mainnet uses substantially more gas than the equivalent zk-SNARK-based zkSync verification, even though both prove similar amounts of off-chain computation. This pushes zk-STARK-based systems toward designs where verification happens less frequently — batching is more aggressive — or toward use cases where the off-chain computation is so large that proof size becomes a minor share of the cost.
The wider point is that both technologies are improving simultaneously. Recent zk-SNARK constructions have reduced or eliminated the trusted setup requirement, and recent zk-STARK constructions have reduced proof size. The dichotomy between “small proofs with trusted setup” and “large proofs without” is softening as the field matures. For practical purposes, the security and cost differences between major Layer 2 networks already matter less than they did even a year ago, and assuming today’s trade-offs will persist is a mistake when modelling longer-term outcomes — especially as more chains rely on validator-based settlement that interacts with zero-knowledge proof verification at multiple layers.
Key Takeaways
- zk-STARKs are zero-knowledge proofs designed to require no trusted setup and to remain secure against quantum computers — two properties that distinguish them from zk-SNARKs.
- The acronym stands for Zero-Knowledge Scalable Transparent Arguments of Knowledge — scalable because verification cost grows slowly with computation size, transparent because no secret parameters need to be generated.
- zk-STARKs rely only on hash functions for their security, the same primitives used in Bitcoin mining, rather than the elliptic-curve cryptography that zk-SNARKs depend on.
- The main trade-off is proof size: zk-STARK proofs are 40 to 200 kilobytes versus around 200 bytes for zk-SNARKs, which translates into higher on-chain verification costs for the same amount of off-chain work.
- The largest production deployment is Starknet, which uses zk-STARK proofs to batch thousands of off-chain transactions into a single proof verified on Ethereum mainnet.
Are zk-STARKs better than zk-SNARKs?
Neither is strictly better — they sit at different points in a trade-off space. zk-STARKs avoid the trusted setup and are quantum-resistant, but produce proofs that are hundreds of times larger. zk-SNARKs produce small proofs that are cheap to verify on-chain but require trusted setup ceremonies and rely on cryptography that quantum computers could eventually break.
Do zk-STARKs really protect against quantum computers?
They protect against the known quantum algorithms that break elliptic-curve cryptography, which is the foundation of zk-SNARKs. zk-STARKs rely only on hash functions, and the best known quantum algorithm for finding hash collisions provides only a quadratic speedup — easily defeated by doubling the hash output length. The protection is robust against the threats currently anticipated.
What does "transparent" mean in zk-STARK?
It means the public parameters used to generate and verify proofs are derived from publicly known random values — typically the output of a hash function applied to a fixed string — rather than from secret values generated in a setup ceremony. Anyone can verify how the parameters were created, and there are no hidden trapdoors that a dishonest setup participant could retain.