Bulletproofs, zkSNARKs, and zkSTARKs Walk into a Blockchain

thumbnail for this post
We dissect a trio of zero-knowledge cryptographic proofs and explain why Offshift selected Bulletproofs as the best fit for our PriFi solution.

Zero knowledge proofs (‘zk proofs’ or ‘zks’) are amongst the foundations of modern cryptography. At Offshift, zks are a bedrock of our PriFi technology. In conjunction with a decentralized oracle network, zk proofs enable our users to mint zkAssets, our proprietary line of fully private synthetics.

But what exactly is zero knowledge? The fundamental question at the heart of zero knowledge cryptography is whether “person A” (the prover) can prove to “person B” (the verifier) that they know a secret without exposing the secret itself. In general, zero-knowledge proofs help to verify confidential transactions. Historically, they have seen substantial use in blockchain applications, with three different types of zero-knowledge proofs owning the lion’s share of attention and utilization in cryptocurrency.

Below, we’ll outline the pros and cons of each implementation of zk proofs: zkSNARKs, zkSTARKs, and Bulletproofs, to dig deeper into which is best suited to support a new paradigm of protocols which are both decentralized and private.

zkSNARKs: An Early Private Cryptographic Proof

One of the earliest and most popular zero-knowledge proof implementations is zk-SNARK, which stands for zero-knowledge succinct non-interactive argument of knowledge. zk-SNARKS are a method of transaction verification first described in 2012 by UC Berkeley professor Alessandro Chiesa and others. In 2016, Zcash used zk-SNARKs to employ four basic transaction types: private transactions, deshielding transactions, shielding transactions, and public transactions, a feature that allowed users to decide how much data to make visible while sending transactions on the Zcash blockchain.

In order to launch a zkSNARK network, a trusted setup is required. In a trusted setup, multiple (ideally independent) parties each generate a partial key to launch the network and then destroy the key afterwards. In theory, a trusted setup could be exploited if the parties don’t destroy the key, and/or collude to reconstruct them. Subsequently, the holders of those keys could prove that false statements are true (for example: “my account has $1m”). Providing an extra layer of complexity, it is impossible to know if a trusted setup has been exploited, as all transactions are inherently private — even dishonest ones.

To protect against this sort of collusion and risk, zk-SNARK setups in networks such as Zcash, Aztec, and Plumo have designed elaborate key generation ceremonies that involve multiple parties and extraordinary randomness, reducing the possibility of exploitation to nearly 0.

zk-STARKs: A More Efficient Cousin to SNARKs

zk-STARK stands for zero-knowledge succinct transparent argument of knowledge. zk-STARKs were developed by Eli-Ben Sasson, a lecturer at the Technion-Israel Institute of Technology, as a more scalable evolution of the zk-SNARK, and are deployable in a broader set of use cases such as voting and ID verification.

Most people who see SNARKs and STARKs side-by-side notice that STARKs are the more efficient version of the two systems. STARKs don’t have to rely on a trusted setup, reducing the complexity of launching the network and eliminating any risk of collusion. They use a leaner cryptographic methodology that relies on collision-resistant hash functions as well, serving the additional benefit of making zk-STARKs quantum resistant. Such protection is possible because STARKs don’t assume an attacker won’t leverage infinite processing power.

While zk-STARKs are more efficient than zk-SNARKs, they have one major drawback: the proof size for a zk-STARK is thousands of times larger than that of a zk-SNARK, which benefits from tiny proof sizes. This is no small matter. When transactions aren’t burdened with the effort of proving the precise details of past transactions, and only effectively have to answer “true” or “false”, the computational requirements of a network are drastically reduced. Some networks like Filecoin are even leveraging zero knowledge *primarily* for its computation-conserving benefits, and only secondarily for its privacy component. The fact that zk-STARKs are thousands of times larger than zk-SNARKs eliminates one of the core benefits of the technology.

Bulletproofs: What are They, and How Do They Fit in?

Initially proposed by Stanford’s Applied Cryptography group in 2017, Bulletproofs get their name from a quote by Shashank Agrawal, who described them as: “short like a bullet, with bulletproof security assumptions.” Bulletproofs take some of the best features of SNARKs and STARKs to create an efficient middleground. On the one hand, they don’t require a trusted setup to run and function, similar to STARKs. On the other hand, like SNARKs, they don’t rely on massive proof sizes.

Bulletproofs implementations began receiving significant attention in the crypto space in 2018 when Monero, a privacy coin that relies on stealth addresses to ensure the anonymity of its users, began using Bulletproofs. In larger networks, proof and verification times might be longer than either SNARKs or STARKs, but these time differences are negligible. Bulletproofs are also massively scalable without added transaction costs, a factor which played a major role in bringing Monero to the crypto mainstream with its relatively small transaction fees, proof sizes, and trustless privacy.

Making a Choice

Offshift had to decide on a zk proof implementation that remained in line with our principles, worked for our developers, and prioritized our community’s security. The risk of security compromise, though small, made us wary of adopting a zk-SNARK solution. Additionally, our chosen proof had to be manageable and scalable, making zk-STARKs unwieldy. The apparent decision was a Bulletproof.

As mentioned earlier, Bulletproofs have demonstrated their value proposition on the Monero blockchain. Monero’s longevity speaks volumes about the robustness and security of Bulletproofs, and we are proud to be incorporating Bulletproofs into our own protocol on those grounds. Since Offshift’s solution will live on Ethereum, the negligible differences in processing and verification times stand as a reasonable sacrifice. Without the need for a trusted setup, Bulletproof zks present a valid tradeoff between the STARK and the SNARK.

Both SNARKs and STARKs have pioneered the zero knowledge ecosystem, but both struggle with drawbacks and minimal room for optimizations. Bulletproofs offer a performant compromise of the two: they require no trusted setup, and generate little to no network congestion. Finally, the size of a Bulletproof is a fraction of the size of a STARK proof. Thus, Bulletproofs are the best fit for Offshift, which is why after rigorous research and testing, they emerged as our preferred zk proof implementation.

About Offshift

Offshift is leading private decentralized finance (PriFi) with the world’s first Private Derivatives Platform. It leverages zero-knowledge (zk) proofs and sources reliable, real-time price feeds from Chainlink’s decentralized oracle network to enable users to mint zkAssets, an unprecedented line of fully private synthetics. Offshift’s mostly anonymous team has developed a trusted reputation for their thorough privacy research, development and execution.

To learn more and get involved, visit the links below:

Website | Telegram | Discord | Twitter | Instagram | YouTube | Buy XFT