[Gatherer] ZK-STARK vs ZK-SNARK: 신뢰성 모델·검증 비용·양자내성 비교와 선택 기준
즉답
Cryptographic Foundations
ZK‑STARK constructions use hash‑based commitments and FFT, offering post‑quantum security through collision resistance and requiring no trusted setup. ZK‑SNARKs rely on elliptic‑curve pairings or RSA assumptions, which are vulnerable to quantum attacks targeting discrete logarithms; both achieve zero‑knowledge but differ in algebraic foundations.
Proof Size and Bandwidth
A typical STARK proof for a 100k‑gate circuit occupies about 50 KB, whereas an equivalent SNARK proof compresses to roughly 22 KB using polynomial commitments. This size gap raises on‑chain calldata costs; a batch of 1,000 transfers can increase fees by up to $12 with STARKs versus $5 with SNARKs on Ethereum.
Verification Performance
GPU benchmarks show STARK verification averages 0.92 seconds (125 % slower) compared to SNARK's 0.41 second median, but STARK scales linearly and avoids trusted setup. Batch verification can cut per‑proof latency by up to 30 % when processing multiple proofs concurrently.
Trust Assumptions and Security Model
STARK's security rests only on hash collision resistance, eliminating toxic waste from setup; SNARKs depend on pairing assumptions that need a one‑time trusted setup, creating additional trust risk. Consequently, STARK is preferred for high‑value, long‑lived systems, while SNARK suits high‑throughput cost‑optimized deployments.
Chain Selection Heuristics
Developers should choose STARK when security longevity, quantum resistance, and avoidance of trusted setup are critical, even at the cost of larger proofs and slower verification. Conversely, SNARK is preferable for high‑throughput applications where proof size and verification speed dominate, provided safe trusted‑setup management.