1. Introduction

2. Related Work

3. Methodology

4. Protocol Comparison

5. Proposed Solution

6. Results

6.2. Analysis

Now that we have detailed all the obtained benchmark results, we start with our analysis of those results.

First, we analysed the differences between the Bulletproof, zk-SNARK, and zk-STARK protocols. To this end, we created some additional graphs that show the obtained metrics as a plot for each protocol, which also shows the change in this metric for different numbers of MiMC rounds. Figure 3 shows the size of the proof generated by each protocol implementation and the difference that an increasing number of MiMC rounds makes for this metric. Figure 4 and Figure 5 show a similar plot for the proof generation time and proof verification time metrics, respectively.

As one can see from the metrics in Table 4 and the plot in Figure 3, there is a clear distinction between the proof sizes in the four implementations. The SNARK protocol implementations had the smallest proofs, with a size of 192 bytes for the Rust implementation and 484 bytes for the Go implementation. The proof size was also constant for both, meaning that the size of the proof remained the same, independent of the number of MiMC rounds. This was different for the Bulletproof and zk-STARK implementations, which both displayed a proof size that increased with the number of MiMC rounds. The proof size of the STARK protocol was larger than that of the Bulletproof protocol and additionally grew more rapidly in size with the number of MiMC rounds than the Bulletproof proof. This observation, however, fails to capture the broader perspective of data that needs to be transferred. The two SNARK protocol implementations may have had the lowest proof sizes, they additionally required the verifier to obtain the verification key. This key was a constant additional 528 bytes for the Rust implementation, or an increasing size starting at 1448 bytes for the Go implementation. For us to obtain the total data size as required by the verifier, we summed these figures. This resulted in the data size from the Rust SNARK implementation, a total of 720 bytes, suddenly being just shy of the Bulletproof implementation data size. Having said that, the size of the Rust SNARK implementation was nonetheless still constant, whereas the data size for the Bulletproof implementation grew with the number of hash rounds. At the same time, the combined data size of the Go SNARK implementation grew even faster in the number of MiMC rounds. Besides, the combined amount of data was already larger than for the Bulletproof, even without the public witness the verifier required to verify a proof in this implementation. By 1023 MiMC rounds, the amount of data from the combined verification key and proof size in the Go SNARK implementation was higher than for the STARK implementation. This showed a clear contrast between the two zk-SNARK implementations, an aspect which we will deliberate on in Section 7.

After the proof size, we now examine the proof generation times, as detailed in Table 5 and plotted in Figure 4. As one can see, the Bulletproof protocol implementation demonstrated the slowest proof-generating time, followed from a distance by the two SNARK implementations. Additionally, even though all protocol implementations showed the proof generation times to be increasing with the number of MiMC rounds, the Bulletproof implementation proving time increased faster than the other three implementations. The two SNARK implementations performed similarly in this metric, and performance between the two converged at higher numbers of MiMC rounds. Especially at lower round numbers, however, the Go implementation performed better than the Rust implementation. Having said that, the Go SNARK implementation required a separate compile time, which the Rust implementation did not need. For lower numbers of MiMC rounds, this compile time was negligible, yet towards higher round numbers this compile time grew and became significant. So significant, in fact, that when added to the proof generating time, the Go implementation converged with the Rust implementation at 1023 rounds. For any larger number of rounds, the combined compile and proving time in the Go library demonstrated a higher combined compile and proving time than the Rust library. The zk-STARK implementation’s proof time metrics showed some intriguing fluctuations. These fluctuations made it beat the Go SNARK implementation for some numbers of MiMC rounds while losing out to it in others. Especially the 63 MiMC rounds benchmark metric is perplexing since the proof generating time was much faster than at 15 MiMC rounds. At first, we suspected this result to be a fluke in our benchmark. Re-running the same benchmark multiple times, however, provided us with consistent results throughout each attempt. This indicated that the performance fluctuation was caused by something other than a problem in our benchmark. We therefore attribute the performance fluctuation to some number internal to the protocol, related to the number of MiMC rounds, being optimal for the FRI process at 63 MiMC rounds, especially compared to the same number for the 15 rounds benchmark. We elaborate on this topic in our discussion in Section 7. In general, the data and graphs displayed that the zk-STARK and two zk-SNARK implementations had a proof time in the same order of magnitude, while the Bulletproof protocol was slower in generating proofs. Next to that, the proof time increased more rapidly with the number of rounds for the Bulletproof implementation than in other implementations.

Figure 5. Verification time benchmark plot

Figure 5. Verification time benchmark plot

We now change our focus from the proof generation times to the proof verification times, which we plotted in Figure 5 from the data in Table 5. Our first observation is that the rankings between the protocols were like those for the proof generation times. The Bulletproof protocols showed the slowest proof generation times, whereas the two zk-SNARK implementations demonstrated a comparable proof verification time. The zk-STARK implementation demonstrated the fastest proof verification times throughout. Upon closer inspection, though, there are several more differences. First, the Bulletproof implementation temporarily had a faster proof verification time than the two STARK implementations for the lowest number of benchmarked MiMC rounds. Second, unlike the Go SNARK implementation, which showed slightly increasing verification times for larger numbers of MiMC rounds, the Rust implementation verification times were constant within the margin of expected variability of a benchmark. As for the proof generation times, this means that the Rust implementation became faster than the Go implementation at higher numbers of MiMC rounds. Third, especially at low round numbers, the zk-STARK protocol was around an order of magnitude faster than the two zk-SNARK implementations. Given that the verification times for the STARK increased though, while those of the Rust STARK implementation remained constant, it is conceivable that the STARK implementation would have lost this advantage for even larger numbers of MiMC rounds. This observation involves us extrapolating the data though, it is not something we can conclude from our benchmark data.

The final analysis for the comparing benchmark is the security level of each protocol. As specified in Section 6.1.3 and reflected in Table 5, we could only obtain the conjured and proven security level in bits from a function in the zk-STARK implementation library. This made it hard to directly compare the security level for each implementation, which we will indicate as a limitation in Section 7.4. However, we could obtain an expected security level for the protocol implementations from referential works by others. In [41] authors surveyed several elliptic curves for proof systems, including the BLS12-381 curve. They specified the BLS12-381 curve, the curve used in both our SNARK implementations, to have a 127- or 126-bit security for the group and prime field, respectively. While they likewise discussed curve25519 as used in the Bulletproof implementation, they did not mention any security level. Because the only configuration option for the zk-SNARK implementation was the used elliptic curve, as discussed in Section 6.1.2, we assume that the curve alone decided most of the protocol security in the SNARK implementation. This would give the two SNARK implementations the same almost 128-bit level security as stated for the BLS12-381 curve, which we expect to be a conjured security level and not a proven one. Similarly, because the Bulletproofs paper [9] only mentioned the security of the protocol in the context of the used libsecp256k1 curve, we expect the curve to define the burden of the security level of the protocol. Since our Bulletproof protocol benchmark implementation used Curve25519, which provides an approximately 128-bit security level [42], we hypothesize this to be the conjured security level of the Bulletproof implementation as well. This is not the case for the zk-STARK, for which Ben-Sasson et al. Described the proven security bound in their work [43]. As they demonstrated, the conjured security level for zk-STARK is the minimum between a number calculated from the number of queries and grinding factor, the collision resistance of the used hash, and a number calculated from the field extension and trace length [44]. The lack of direct numbers for the security level of each protocol implementation in our benchmark resulted in uncertainty, though from the hypothesized numbers that we obtained from a spectrum of sources, the best we could infer was that the security level for the three protocols feature a comparable conjured security level. Yet, for this conclusion, we admittedly did not consider several practical factors in the SNARK and Bulletproof protocols. For this reason, we state that the conclusion does not provide a comprehensive view.

At last, we analysed the benchmark comparing the different configuration parameter values in the zk-STARK protocol implementation. First, we dissected the obtained metrics for changing each configuration parameter, starting with the number of queries. As can be seen in Section 6.1.2, the proof size and verification time increased with the number of queries. This makes sense since the more queries, i.e. checks in the protocol, the protocol had to perform, the more work had to be included in the proof and verified. This can be observed clearly in the results, in that the number of queries determined a large part of the security level. The one metric that behaved anomalously to the expectation in this regard was the proof time metric. Even when the prover did not have to perform any additional work for a larger number of queries, this does not explain why the benchmark results drastically differ between even small value changes. Furthermore, these metrics neither consistently go up or down, which is explicitly visible when looking at the sixfold increase in the proof time between 41 and 42 queries. We currently do not have an explanation for this phenomenon, yet the results for this metric were intriguing. Next up is the blowup factor. For this parameter, we could see a clear increase in the proof size and verification time. Besides some fluctuation, the proof time also seemed to increase with a larger blowup factor, especially towards higher values. This observation can be accounted for by an increasing blowup factor leading to a higher likelihood that a verifier detects a false proof. In turn, this can be observed in the security level increasing with the blowup factor and the additional work that this required. We now look at the grinding factor, which determined a specific number of leading zeros in hashes, resembling a proof-of-work like concept. This would require extra work from the prover for larger grinding factor values, which is indeed what we observed. In return for this extra work, the proof demonstrated a higher proven security level, though the conjured security level remained identical. The verification time, furthermore, did not significantly shift outside of the variation expected from a benchmark. The proof size, on the other hand, fluctuated in a manner that we cannot explain with benchmark variation. Instead, the small variation of a few thousand bytes indicated an expected proof size difference, initiated by fluctuations in parameters internal to the protocol that the proof had to include. The FRI folding factor did not show a clear increase or decrease in the proof size, proof time, and verification time metrics with the size of the parameter value. Instead, it seems that the optimum balance was somewhere in the middle. Whereas a folding factor set to 8 provided an optimal proof size, a value of 4 provided optimal proof generation and verification times. These optimum values were consistent with the impact that the FRI folding factor had, namely that it determined how much each iterative round reduced the degree of the polynomial. Large values would therefore mean that each iterative round had to reduce the polynomial degree by a large amount, requiring a lot of work. Small FRI folding factor values, on the contrary, would require a lot of iterations to reduce the polynomial to the desired degree. The FRI folding factor did not seem to influence the security level. Lastly, there was the FRI remainder maximum degree parameter, an increase that generally led to a smaller proof size and lower proof verification time. The proof time overall showed the same trend, though as it did for the number of queries and the blowup factor, it fluctuated significantly. The observation that the proof size and verification times went down with a higher maximum remainder degree makes sense given that this value allowed a polynomial to have a higher maximum remainder degree. This enabled the protocol to not reduce the degree of the polynomial as much, which removed the need for the proof to include these additional iterations. This furthermore reduced the work required for the verification. From our benchmark results, we observed that a reduced maximum FRI remainder degree did not impact the security level.

The final benchmark results, which collected the metrics for the STARK protocol when configured using a combination of the best-performing parameters, produced some disappointing results. The outcomes of this benchmark can be seen in Table 7. Each metric, except for the conjured security level, showed an improvement over the default configuration. While this is true, a closer examination reveals that the achieved metrics were worse than those achieved by just changing the FRI remainder maximum degree to 255. Only the proven security level improved when using this ’optimal’ configuration as opposed to choosing the default configuration and altering the FRI remainder maximum degree to 255. We further reflect on this finding in Section 7.

7. Discussion

8. Conclusion

References

1. Goldwasser, S.; Micali, S.; Rackoff, C. The Knowledge Complexity of Interactive Proof Systems. 18, 186–208. Publisher: Society for Industrial and Applied Mathematics. [CrossRef]
2. Blum, M.; Feldman, P.; Micali, S. Non-interactive zero-knowledge and its applications. Proceedings of the twentieth annual ACM symposium on Theory of computing. Association for Computing Machinery, STOC ’88, pp. 103–112. [CrossRef]
3. Biryukov, A.; Feher, D.; Vitto, G. Privacy aspects and subliminal channels in zcash. Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, 2019, pp. 1813–1830.
4. Kumar, E.S. Preserving privacy in ethereum blockchain. Annals of Data Science 2022, 9, 675–693. [Google Scholar] [CrossRef]
5. Oude Roelink, B.; El-Hajj, M.; Sarmah, D. Systematic review: Comparing zk-SNARK, zk-STARK, and bulletproof protocols for privacy-preserving authentication. n/a, e401.
6. Parno, B.; Gentry, C.; Howell, J.; Raykova, M. Pinocchio: Nearly Practical Verifiable Computation. Publication info: Published elsewhere. This is the full version of the IEEE Symposium on Security & Privacy 2013 paper.
7. Groth, J. On the Size of Pairing-based Non-interactive Arguments. Publication info: A minor revision of an IACR publication in EUROCRYPT 2016.
8. Ben-Sasson, E.; Bentov, I.; Horesh, Y.; Riabzev, M. Scalable, transparent, and post-quantum secure computational integrity. Publication info: Preprint. MINOR revision.
9. Bünz, B.; Bootle, J.; Boneh, D.; Poelstra, A.; Wuille, P.; Maxwell, G. Bulletproofs: Short Proofs for Confidential Transactions and More. Publication info: Published elsewhere. Minor revision. 39th IEEE Symposium on Security and Privacy 2018.
10. Post-Quantum Cryptography | CSRC | CSRC — csrc.nist.gov. https://csrc.nist.gov/Projects/post-quantum-cryptography. [Accessed 29-06-2024].
11. Meunier, T. Humanity wastes about 500 years per day on CAPTCHAs. It’s time to end this madness, 2021.
12. Whalen, T.; Meunier, T.; Kodali, M.; Davidson, A.; Fayed, M.; Faz-Hernández, A.; Sullivan, N.; Wolters, B.C.; Guerreiro, M.; Galloni, A. Let The Right One In: Attestation as a Usable CAPTCHA Alternative.
13. Faz-Hernández, A.; Ladd, W.; Maram, D. ZKAttest: Ring and Group Signatures for Existing ECDSA Keys. Publication info: Published elsewhere. Selected Areas in Cryptography – SAC 2021.
14. STARK — starkware.co. https://starkware.co/stark/. [Accessed 29-06-2024].
15. Ernstberger, J.; Chaliasos, S.; Kadianakis, G.; Steinhorst, S.; Jovanovic, P.; Gervais, A.; Livshits, B.; Orrù, M. zk-Bench: A Toolset for Comparative Evaluation and Performance Benchmarking of SNARKs. Cryptology ePrint Archive 2023. [Google Scholar]
16. GitHub - dalek-cryptography/bulletproofs: A pure-Rust implementation of Bulletproofs using Ristretto. — github.com. https://github.com/dalek-cryptography/bulletproofs. [Accessed 7-03-2024].
17. bulletproof-js — npmjs.com. https://www.npmjs.com/package/bulletproof-js. [Accessed 25-03-2024].
18. GitHub - elibensasson/libSTARK: A library for zero knowledge (ZK) scalable transparent argument of knowledge (STARK) — github.com. https://github.com/elibensasson/libSTARK. [Accessed 14-03-2024].
19. GitHub - facebook/winterfell: A STARK prover and verifier for arbitrary computations — github.com. https://github.com/facebook/winterfell. [Accessed 15-03-2024].
20. GitHub - zkcrypto/bellman: zk-SNARK library. — github.com. https://github.com/zkcrypto/bellman. [Accessed 15-03-2024].
21. EdDSA | gnark — docs.gnark.consensys.io. https://docs.gnark.consensys.io/Tutorials/eddsa. [Accessed 2-03-2024].
22. bjornouderoelink. NIZKP-Benchmark. https://github.com/bjornouderoelink/NIZKP-Benchmark. [Accessed 22-04-2024].
23. Albrecht, M.; Grassi, L.; Rechberger, C.; Roy, A.; Tiessen, T. MiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity. Publication info: A minor revision of an IACR publication in ASIACRYPT 2016.
24. Grassi, L.; Khovratovich, D.; Rechberger, C.; Roy, A.; Schofnegger, M. Poseidon: A New Hash Function for Zero-Knowledge Proof Systems. Publication info: Published elsewhere. USENIX Security ’21.
25. Szepieniec, A.; Ashur, T.; Dhooghe, S. Rescue-Prime: a Standard Specification (SoK). Publication info: Preprint. MINOR revision.
26. Ben-Sasson, E.; Goldberg, L.; Levit, D. STARK Friendly Hash – Survey and Recommendation. Publication info: Preprint. MINOR revision.
27. bellman-examples/src/sharkmimc.rs at master · lovesh/bellman-examples — github.com. https://github.com/lovesh/bellman-examples/blob/master/src/sharkmimc.rs. [Accessed 15-02-2024].
28. bulletproofs-r1cs-gadgets/src/gadget_mimc.rs at master · lovesh/bulletproofs-r1cs-gadgets — github.com. https://github.com/lovesh/bulletproofs-r1cs-gadgets/blob/master/src/gadget_mimc.rs. [Accessed 27-03-2024].
29. bulletproofs - crates.io: Rust Package Registry. https://crates.io/crates/bulletproofs/4.0.0. [Accessed 29-06-2024].
30. bellman crates.io: Rust Package Registry. zk-SNARK library. https://crates.io/crates/bellman/0.14.0. [Accessed 15-03-2024].
31. gnark package - github.com/consensys/gnark - Go Packages — v0.9.1. https://pkg.go.dev/github.com/consensys/gnark@v0.9.1. [Accessed 15-03-2024].
32. GitHub - Consensys/gnark: gnark is a fast zk-SNARK library that offers a high-level API to design circuits. The library is open source and developed under the Apache 2.0 license — github.com. https://github.com/Consensys/gnark. [Accessed 15-03-2024].
33. prover, W.S. ; verifier. winterfell - crates.io: Rust Package Registry. https://crates.io/crates/winterfell/0.8.1. [Accessed 29-06-2024].
34. curve25519_dalek_ng - Rust — docs.rs. https://docs.rs/curve25519-dalek-ng/latest/curve25519_dalek_ng/. [Accessed 2-04-2024].
35. Ristretto - The Ristretto Group — ristretto.group. https://ristretto.group/ristretto.html. [Accessed 2-04-2024].
36. merlin - Rust — docs.rs. https://docs.rs/merlin/latest/merlin/. [Accessed 29-06-2024].
37. Fiat, A.; Shamir, A. How To Prove Yourself: Practical Solutions to Identification and Signature Problems. Advances in Cryptology — CRYPTO’ 86; Odlyzko, A.M., Ed. Springer, Lecture Notes in Computer Science, pp. 186–194. [CrossRef]
38. BLS12-381: New zk-SNARK Elliptic Curve Construction — electriccoin.co. https://electriccoin.co/blog/new-snark-curve/. [Accessed 3-04-2024].
39. GitHub - Consensys/gnark-crypto: gnark-crypto provides elliptic curve and pairing-based cryptography on BN, BLS12, BLS24 and BW6 curves. It also provides various algorithms (algebra, crypto) of particular interest to zero knowledge proof systems. — github.com. https://github.com/Consensys/gnark-crypto. [Accessed 29-06-2024].
40. bls12_381 - Rust — docs.rs. https://docs.rs/bls12_381/latest/bls12_381/. [Accessed 29-06-2024].
41. Aranha, D.F.; El Housni, Y.; Guillevic, A. A survey of elliptic curves for proof systems. Designs, Codes and Cryptography 2023, 91, 3333–3378. [Google Scholar] [CrossRef]
42. Nir, Y.; Josefsson, S. Curve25519 and curve448 for the internet key exchange protocol version 2 (ikev2) key agreement. Technical report, 2016.
43. Ben-Sasson, E.; Carmon, D.; Ishai, Y.; Kopparty, S.; Saraf, S. Proximity Gaps for Reed-Solomon Codes. Publication info: Published elsewhere. Minor revision. FOCS 2020.
44. GitHub - starkware-libs/ethSTARK — github.com. https://github.com/starkware-libs/ethSTARK?tab=readme-ov-file#7-Measuring-Security. [Accessed 29-06-2024].
45. Banerjee, A.; Clear, M.; Tewari, H. Demystifying the Role of zk-SNARKs in Zcash. 2020 IEEE conference on application, information and network security (AINS). IEEE, 2020, pp. 12–19.
46. Singh, R.K.; Puluckul, P.P.; Berkvens, R.; Weyn, M. Energy Consumption Analysis of LPWAN Technologies and Lifetime Estimation for IoT Application. 20, 4794. [CrossRef]
47. Bünz, B.; Fisch, B.; Szepieniec, A. Transparent SNARKs from DARK Compilers. Publication info: A major revision of an IACR publication in EUROCRYPT 2020.
48. Bowe, S.; Grigg, J.; Hopwood, D. Recursive Proof Composition without a Trusted Setup. Publication info: Preprint. MINOR revision.
49. Hwang, S.; Ozturk, E.; Tsudik, G. Balancing Security and Privacy in Genomic Range Queries. 26, 23:1–23:28. [CrossRef]
50. Ben-Sasson, E.; Bentov, I.; Horesh, Y.; Riabzev, M. Fast Reed-Solomon Interactive Oracle Proofs of Proximity. ISSN: 1433-8092.
51. Maller, M.; Bowe, S.; Kohlweiss, M.; Meiklejohn, S. Sonic: Zero-Knowledge SNARKs from Linear-Size Universal and Updateable Structured Reference Strings. Publication info: Preprint. MINOR revision.
52. Gailly, N.; Maller, M.; Nitulescu, A. SnarkPack: Practical SNARK Aggregation. Publication info: Preprint. MINOR revision.