"A myth," that's what one developer called it.
At a meeting of the team behind the monero cryptocurrency last week, suspicion was high about a new item on the roadmap – so-called "zk-starks." Described as a "trustless" solution to a problem that's long prevented anonymous blockchains, to some of the developers assembled it sounded like fantasy.
But while the blockchain industry is certainly no stranger to outlandish claims, the cryptographic technique is perhaps setting records in the levels of eyebrow-raising it has triggered. Heralded as a more secure version of zk-snarks, zk-starks are claimed by their creators to remove the need for the contentious "trusted setup" that the previous iteration of the idea requires.
Stepping back, zk-snarks are an evolution of a cryptographic technique first described in the 1980s. While seemingly complex, the idea is simple at heart – zero-knowledge proofs let one party convince another that a statement is true without revealing anything beyond the fact that it is true. In the blockchain world, the idea has become most often associated with zcash, the first large-scale blockchain that baked the cryptographic tool into its protocol layer.
But, while heralded at the time as a breakthrough, the platform's use of zk-snarks left room for improvement. For one, there's no way to tell with any real certainty that the elaborate procedure used to set up the cryptocurrency wasn't in some way compromised.
A year after the launch, the zcash team is still putting out audits on the matter. Yet as critics point out, their results, while helpful in mitigating doubts, can't ever be conclusive.
Should zk-starks be able to remove this roadblock, the impact could be felt far and wide. While there may be little that seems to unite the diverse developers working on private and public cryptocurrencies, privacy has emerged as perhaps a universal touchpoint.
And zk-starks could find a similarly broad reception – the new technology promises to be cheaper, faster, more scalable and more secure than zk-snarks.
But despite the possibilities, little information about zk-starks has been revealed to date.
First presented at an ethereum meetup back in January, the team behind the tech – Iddo Bentov, Ynon Horesh, Michael Riabzev and zcash's Eli Ben-Sasson – is still working to publish the code. To date, just one aspect, called the FRI algorithm, is available online.
The principal investigator behind the tech is Ben-Sasson, a professor at the Technion – Israel Institute of Technology, who helped pioneer zk-snarks back in 2015 and whose work draws on a long lineage of computer scientists dealing with zero-knowledge proofs.
Speaking to CoinDesk, Ben-Sasson said he was "a big believer in transparent proofs," and has been "passionately researching" the topic for 15 years. Still, he summarises the challenge he faces in building zero-knowledge designs as one that's core to cryptography.
As he explains:
"Hiding information is very easy using encryption. The hard part is proving and maintaining integrity under the veil of encryption."
Perhaps because of this, Ben-Sasson acknowledges the issues inherent in the zk-snarks used to establish the zcash blockchain, believing that performing the setup of a zk-snark system correctly is a highly challenging ordeal that requires advanced security capabilities.
With zk-starks, however, he sees room for big improvements.
One of the key problems zk-starks can solve relates to the need for zero-knowledge blockchains to create a "master key," according to Ben-Sasson.
In the case of zcash, it's believed the key was destroyed, but the implications if it were still out there are chilling. For one, this key would allow a bad actor to forge false payments and completely ruin the integrity of the blockchain. Further, destroying the key requires a coordinated effort known as the trusted setup.
But this setup is complicated to perform securely. For one, it's difficult to verify it really happened, because it can't have any witnesses (anyone observing the ceremony could reconstruct the key).
When zcash performed its ceremony, the team went to great lengths to ensure it wasn't compromised, but it's next to impossible to completely secure. And for a high-profile entity like a bank, there'd simply be too much interest in trying to sabotage it.
"There's going to be a huge incentive for governments and central organizations to try and put their hands on this key that will allow them to write a cheque for any amount … with increased value there is increased incentive to attack."
Zk-starks seek to remove this risk and, in the process, eliminate much of the heavy machinery associated with zk-snarks. Unlike zk-snarks, zk-starks don't rely on public key cryptography at all; instead, the only cryptographic assumption underlying the security of zk-starks is that hash functions (like SHA2) are unpredictable (the same assumption underlies the stability of Bitcoin mining).
The reliance on simpler cryptographic assumptions improves not only security, but also efficiency. In one "head-to-head" competition between zk-snarks and zk-starks, in which both systems had to set up and prove correctness of a single computation, the zk-snark required 28 minutes and 18.9 GB of communication (mostly due to the trusted setup computation and proving-key size), whereas zk-starks reduced calculation time to fractions of a second and communication complexity to 1.2 MB.
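To make the "hash functions only" point concrete, here is an added illustration (not code from the zk-starks team, and not the STARK or FRI protocol itself) of the hash-based building block such systems commit with: a Merkle tree over SHA-256. A prover publishes one 32-byte root, and anyone can later check that a given value sits at a given position using nothing but the root, a short authentication path and the hash function. There is no key, no ceremony and no secret parameter to destroy, which is exactly what the trusted setup of a zk-snark exists to produce. The sample rows are constructed for the demo.

```python
import hashlib


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def hash_leaf(value: bytes) -> bytes:
    # Domain-separate leaves from internal nodes so a leaf hash can never be
    # passed off as an internal node (a classic Merkle-tree pitfall).
    return sha256(b"\x00" + value)


def hash_node(left: bytes, right: bytes) -> bytes:
    return sha256(b"\x01" + left + right)


def build_tree(values):
    """Return the tree as a list of levels: level 0 is the leaf hashes,
    the last level holds only the root."""
    if not values:
        raise ValueError("cannot commit to an empty list")
    level = [hash_leaf(v) for v in values]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2 == 1:
            # Odd level: duplicate the last node. Production systems use a
            # distinct padding value instead; duplication keeps the demo short.
            level = level + [level[-1]]
        level = [hash_node(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def merkle_root(values) -> bytes:
    """The commitment: a single hash the prover publishes up front."""
    return build_tree(values)[-1][0]


def open_leaf(values, index):
    """Authentication path for values[index]: the sibling hash at each level,
    from the leaves up. The verifier derives left/right from the index bits."""
    levels = build_tree(values)
    path = []
    for level in levels[:-1]:
        if len(level) % 2 == 1:
            level = level + [level[-1]]
        path.append(level[index ^ 1])
        index //= 2
    return path


def verify_opening(root: bytes, value: bytes, index: int, path) -> bool:
    """Recompute the root from the claimed leaf and its path. The only
    ingredients are public data and SHA-256: nothing here was generated
    in a ceremony, so there is no master key for an attacker to recover."""
    h = hash_leaf(value)
    for sibling in path:
        h = hash_node(h, sibling) if index % 2 == 0 else hash_node(sibling, h)
        index //= 2
    return h == root


def demo():
    # Constructed sample: think of these as rows of a computation trace the
    # prover has committed to before the verifier asks to see any of them.
    rows = [b"row-%d" % i for i in range(5)]
    root = merkle_root(rows)
    path = open_leaf(rows, 3)
    honest = verify_opening(root, rows[3], 3, path)
    # Substituting a different value at the same position must fail unless the
    # attacker can find a SHA-256 collision, which is the whole assumption.
    forged = verify_opening(root, b"row-X", 3, path)
    return honest, forged


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The verifier's inputs are the root, the value, its index and a handful of sibling hashes, all of which are public. Contrast that with a zk-snark verifier, whose correctness depends on parameters produced during the setup ceremony the article describes.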
And monero's interest in the scheme, while early, is perhaps proof that there might be further development of the concept across blockchain communities.
One of the more innovative privacy-focused blockchains, monero uses entirely different cryptography from zcash, based on a combination of stealth addresses and ring signatures. Rather than use zero-knowledge systems, the cryptocurrency offers privacy by heavily distorting information.
Because its system is well-functioning today, it arguably hasn't had a need for zero-knowledge proofs, but the idea that the network could further toughen privacy measures is leading the developer team to consider it.
Currently, zk-snarks are being considered for sidechains, which would increase privacy by allowing payments to occur from separate blockchains – ones that would then self-destruct following the transaction.
But to implement the idea, monero would have to face the problem of the trusted setup – making the zk-starks concept an enticing one.
So enticing, in fact, that lead developer Riccardo Spagni, who has called zcash "a complete security farce," seems willing to look past the rivalry toward a common goal. He describes zk-starks as "preferable" and told CoinDesk that monero will be looking to integrate the tech if and when it's usable.
And they're not the only ones who have problems with the trusted setup. If ethereum is to implement zk-snarks as previously planned, it'll have to run an equivalent of the zcash security ceremony – but one that can scale to thousands of participants.
Such complications show that the concept is one that meets a compelling need – one likely to be further developed in a new white paper published in the next year.
Update: This article has been updated following comments from the zk-starks team.
Disclosure: CoinDesk is a subsidiary of Digital Currency Group, which has an ownership stake in Zcash Company, the for-profit entity that develops the Zcash protocol.
Boy with jetpack image via Shutterstock