ZKP, SNARKs, STARKs & the Cryptography Powering $28B+ in ZK TVL
A zero-knowledge proof (ZKP) is a cryptographic primitive that allows one party (the prover) to prove to another party (the verifier) that a statement is true, without revealing any information beyond the validity of the statement itself. The prover convinces the verifier of knowledge without disclosing the underlying data—the zero-knowledge property.
Zero-knowledge proofs were conceptually invented by Shafi Goldwasser, Silvio Micali, and Charles Rackoff in 1985, one of cryptography's most impactful theoretical breakthroughs. However, for decades, ZKPs remained theoretical curiosities—too slow and complex for practical use. That changed with the invention of zk-SNARKs (2016) and their subsequent blockchain applications. Today, ZKPs power $28 billion+ in TVL across zk-rollups, privacy protocols, and identity systems.
Real-world examples: proving you own Bitcoin without revealing the private key; proving your account balance exceeds $1M without disclosing the exact amount; proving you're a US citizen (for compliance) without sharing your passport; proving you've processed 1000 transactions correctly without detailing each one. The prover has the secret (key, balance, identity, transaction log); the verifier gets cryptographic certainty without learning the secret.
ZK-Secured TVL: $28 billion+ across ZK rollups and systems
ZK Project Market Cap: $11.7 billion+ (Starknet, zkSync, Polygon, etc.)
Major ZK Rollups: Starknet, zkSync Era, Polygon zkEVM, Scroll, Linea
Proof Systems: Groth16, PLONK, STARK, Halo2, and emerging post-quantum variants
Key Innovation (2025-2026): Quantum-resistant STARKs, recursive proof composition, EVM-equivalent rollups
Conceptual Foundation: Goldwasser, Micali, Rackoff (1985)
ZKP systems have three key properties: completeness, soundness, and zero-knowledge. Completeness means a valid proof always convinces the verifier. Soundness means an invalid statement cannot be proven (a dishonest prover cannot fake evidence). Zero-knowledge means the proof reveals nothing except validity—the verifier learns no additional information beyond "the statement is true."
The prover holds a secret (the witness) and wants to prove knowledge of it. Example: the prover knows the SHA-256 preimage of a hash; the witness is the input string. The prover constructs a proof (a cryptographic object, usually a few hundred bytes) and sends it to the verifier. The verifier checks the proof using a public verification algorithm. If the proof is valid, the verifier concludes the statement is true; if invalid, the prover was lying.
Crucially, the verifier never sees the witness (the secret input). The prover could hash a billion-character string; the verifier only sees a small proof, never the string itself. This is zero-knowledge: the verifier gains certainty without gaining knowledge of the underlying secret.
Early ZKPs were interactive: the prover and verifier exchanged multiple rounds of messages. The verifier would challenge the prover ("prove you know x by computing x+5"), and the prover would respond. This process required back-and-forth communication, making it slow for blockchain use cases.
Modern ZKPs are non-interactive: the prover generates a single proof object that the verifier can check alone, without communication. This is achieved using the Fiat-Shamir heuristic, which replaces the verifier's challenges with a cryptographic hash function. Non-interactive proofs enabled ZK rollups: a sequencer generates proofs, and Ethereum validators verify them—all asynchronously, no back-and-forth needed.
Creating a ZKP first requires encoding the computational problem as an arithmetic circuit (a graph of addition and multiplication gates). To prove "I computed the correct SHA-256 hash," the prover encodes SHA-256 as a circuit with tens of thousands of gates. The proof system then converts the circuit into polynomial equations. Proving the computation is correct becomes proving the polynomials satisfy certain constraints—a problem in abstract algebra, solvable with elliptic curve operations.
The security of ZKPs relies on hard problems in elliptic curve math (for SNARKs) or cryptographic hash functions (for STARKs). If an attacker could efficiently solve the discrete logarithm problem, SNARK security collapses. If an attacker found hash collisions, STARK security collapses. So far, neither has happened, making modern ZKPs cryptographically sound.
The ZK ecosystem splits into two main proof families: zk-SNARKs and zk-STARKs. SNARKs are practical and widely deployed but have trust assumptions. STARKs are transparent and quantum-resistant but less efficient. Understanding this distinction is critical to understanding 2026 ZK landscape.
zk-SNARK = Succinct Non-Interactive Argument of Knowledge. SNARKs produce very small proofs (200-300 bytes) that verify in milliseconds. They're the go-to for resource-constrained environments. Used by zkSync Era, Polygon zkEVM, and many Layer 2s.
The catch: SNARKs require a trusted setup ceremony. Before the system launches, a group of participants runs a multi-party computation (MPC) ceremony to generate public parameters. If ceremony participants collude secretly, they can forge fake proofs—a critical security break. Most SNARK systems mitigate this by using 100+ ceremony participants across geographies; the assumption is that at least one participant is honest and deletes their secret share. However, this still requires trust.
SNARKs are also vulnerable to quantum computers. Their security relies on elliptic curve cryptography; Shor's algorithm could break them. As quantum computing advances, SNARKs face long-term obsolescence. However, quantum threats remain years away.
zk-STARK = Scalable Transparent Argument of Knowledge. STARKs use hash functions (SHA-256) instead of elliptic curves. They require no trusted setup—the system is transparent, meaning all parameters are public and derived from public randomness. This eliminates the trust assumptions of SNARKs.
STARKs are quantum-resistant: hash functions are believed safe against quantum computers (they'd face only square-root speedups from Grover's algorithm, not exponential breaks like elliptic curves). This makes STARKs the long-term future as quantum computing matures.
The tradeoff: STARK proofs are larger (several kilobytes) and slower to generate, compared to SNARKs (hundreds of bytes, faster generation). For L2 rollups, this translates to higher costs posting proofs to Ethereum—though still far cheaper than posting all transactions. Starknet uses STARKs exclusively, accepting the proof overhead for quantum safety and transparency.
PLONK is a SNARK variant that enables "universal" trusted setup. Instead of each circuit requiring its own setup ceremony, PLONK uses one ceremony for all circuits. This reduces the ceremony burden: protocols run setup once, then support unlimited circuit variations. Modern systems like Aztec use PLONK, balancing SNARK efficiency with reduced trust overhead.
Halo2, developed by Zcash, eliminates trusted setup through recursive proof composition. Proofs can verify other proofs without additional setup ceremonies. This enables SNARK-like efficiency without SNARK trust assumptions. Halo2 is used by some L2s and privacy protocols. It represents a middle ground: SNARK efficiency with less trust overhead than traditional SNARKs.
| Property | zk-SNARK | zk-STARK |
|---|---|---|
| Proof Size | ~300 bytes | ~100 KB |
| Verification Time | ~1-5 ms | ~10-50 ms |
| Trusted Setup | Required (Groth16, older PLONK) | Not required (transparent) |
| Quantum Resistant | No (elliptic curve) | Yes (hash-based) |
| Cryptographic Assumption | Discrete logarithm | Hash function collision resistance |
| Used By | zkSync, Polygon zkEVM, Scroll | Starknet, StarkWare systems |
| Practical Applications | Most 2024-2026 L2 rollups | Long-term quantum-safe systems |
ZK rollups are the primary blockchain application of ZKPs. They batch thousands of transactions into a single cryptographic proof and post that proof to Ethereum. Ethereum validates the proof (fast, cheap), confirming that all batched transactions are valid. This scales Ethereum 100-1000x: from ~15 TPS to 1,000-30,000+ TPS, with fees dropping from $5-50 to $0.01-1.
A ZK rollup sequencer collects transactions from users into a batch: 1,000 transfers, 500 swaps, 200 contract calls. The sequencer executes all transactions in a local environment, updating the rollup state. Then, the sequencer constructs a ZKP proving "all 1,700 transactions are valid, starting state S1, ending state S2." The proof is ~300-500 bytes.
The sequencer posts the proof to Ethereum in a single transaction. Ethereum's validators verify the proof (takes milliseconds, costs ~100,000 gas—a fraction of posting all 1,700 transactions, which would cost millions of gas). Upon verification, Ethereum updates the rollup's canonical state to S2. Users can withdraw funds backed by Ethereum's settlement, with Ethereum as final arbiter.
The security model is elegant: ZK rollups inherit Ethereum's security. Ethereum validates every state transition through ZKP verification. Invalid transactions cannot be rolled up because the proof would fail Ethereum's verification. This means ZK rollups achieve Ethereum-level security without trusting the sequencer.
Optimistic rollups (Arbitrum, Optimism) assume transactions are valid unless proven otherwise. If someone disputes a transaction, the rollup goes through a fraud-proof process (can take weeks). ZK rollups validate immediately: the proof guarantees all transactions are correct. No fraud-proof delays, no dispute windows, faster finality.
However, ZK rollups are more complex: constructing proofs is computationally expensive (requires specialized provers), and proof systems are newer (less audited than OP stack). Optimistic rollups are simpler and thus have more blockchain infrastructure support. The 2026 trend favors ZK rollups for their superior finality guarantees.
A major challenge: ZK rollups must encode EVM bytecode into arithmetic circuits. This is hard. Many rollups target "EVM equivalence" (byte-for-byte compatible with Ethereum) rather than "EVM compatibility" (functionally equivalent). Full EVM equivalence enables seamless Ethereum smart contract deployment; compatibility requires minor changes.
As of 2026, Polygon zkEVM has achieved bytecode-level EVM equivalence. zkSync Era and Scroll provide near-equivalence with minor modifications. Starknet uses Cairo (a different language) requiring smart contract rewrites. This tradeoff shapes developer adoption: stronger compatibility attracts more developers but requires more complex proving systems.
Five ZK rollups dominate the 2026 landscape. Each has distinct technical approaches, proving systems, and trade-offs. Here's how they compare:
| Feature | zkSync Era | Starknet | Polygon zkEVM | Scroll | Linea |
|---|---|---|---|---|---|
| Proof System | SNARK (Boojum) | STARK (STWO) | SNARK (Groth16) | SNARK (Halo2) | SNARK (PLONK variant) |
| Trusted Setup | Yes (multi-party) | No (transparent) | Yes (Groth16) | No (Halo2) | Yes (PLONK) |
| EVM Compatibility | High (custom VM) | Kakarot EVM (limited) | Bytecode equivalent | Bytecode equivalent | High (ConsenSys) |
| Market Cap | ~$370M | ~$940M | Polygon ecosystem | ~$500M+ (pre-airdrop) | ~$200M (ConsenSys) |
| TVL | ~$370M | $150M+ | 10M txns/month | ~$1B+ | ~$1B (peak) | ~$200M |
| TPS | 30,000+ (Atlas) | 1,000-3,000 | ~2,000 | ~1,500 | ~1,000 |
| Quantum Resistant | No (elliptic curve) | Yes (STARK) | No (elliptic curve) | No (elliptic curve) | No (elliptic curve) |
| Key Innovation | 30K TPS post-Atlas | STWO next-gen prover | Bytecode equivalence | Halo2 no-setup ZKP | Enterprise focus |
| Launched | 2023 (Era mainnet) | 2021 (Alpha mainnet) | 2023 (mainnet) | 2023 (mainnet) | 2024 (mainnet) |
Matter Labs' zkSync Era is the throughput leader. The Atlas upgrade (2025) increased TPS from 1,000 to 30,000+, rivaling traditional payment networks. Uses Boojum (custom SNARK), not fully EVM-equivalent but highly efficient. Market cap ~$370M. zkSync\'s Airbender cross-chain solution and native account abstraction attract developers building high-frequency applications.
StarkWare\'s Starknet uses STARKs (quantum-resistant) and Cairo language. Processes 10M+ transactions monthly with $150M+ TVL. Slower proof generation but transparent system (no trusted setup). Kakarot EVM compatibility layer enables limited Ethereum smart contracts. Strong research team; positioning as the long-term quantum-safe solution.
Polygon\'s zkEVM achieved bytecode-level EVM equivalence (full compatibility without modifications). This enables instant migration of Ethereum smart contracts. TVL exceeds $1B. Uses Groth16 proofs. Part of Polygon ecosystem with $1B+ committed to ZK development. Leader in institutional adoption.
Scroll uses Halo2 (recursive ZKPs without trusted setup), balancing SNARK efficiency with transparent cryptography. Reached $1B TVL pre-airdrop. Bytecode-equivalent to Ethereum. Less institutional buzz than Polygon but strong technical credibility. Represents the future of transparent-yet-efficient ZK systems.
Linea (ConsenSys) targets enterprise adoption with strong regulatory compliance focus. ~$200M market cap, growing enterprise customer base. Uses proven SNARK technology with corporate backing. Less community-focused than zkSync/Starknet but strong B2B positioning.
ZKPs power far more than rollups. In 2026, ZK is reshaping identity, privacy, compliance, and cross-chain interoperability. These applications are less publicized but rapidly growing.
ZK-ID systems prove identity attributes without revealing the identity itself. Worldcoin pioneered this: proving you\'re human without ID exposure. World\'s AgentKit enables AI agents to carry proof of human backing via ZKPs—agents can act on behalf of verified humans without exposing personal data. Polygon ID offers credential verification for institutions: banks can verify KYC compliance without collecting personal information, using verifiable credentials proven through ZKPs.
This enables a privacy-preserving identity layer: prove "I\'m a US resident" (for compliance) without showing a passport; prove "my credit score exceeds 700" without revealing the score; prove "I own $100K+ in assets" without showing accounts. Essential for institutional DeFi adoption.
ZKPs enable private transactions within transparent blockchains. Prove you sent a transaction without revealing sender/recipient/amount; prove your collateral exceeds liquidation thresholds without exposing balances; trade without front-running by hiding order details until settlement. This is critical for institutional trading: fund managers won\'t trade on public blockchains if every transaction is visible. ZKPs enable selective disclosure: prove compliance (no sanctions violations, legal counterparties) without exposing position details.
Projects like Aztec build private smart contracts using ZKPs. Users deposit tokens into a private pool, trade with hidden state, withdraw. Zero-knowledge proofs ensure the pool operator can\'t steal funds (proofs validate all trades), and other users can\'t see individual trade details. This privacy is essential for DeFi to compete with traditional finance.
ZKPs enable compliance without surveillance. A bank needs to screen counterparties for sanctions—but doesn\'t want to share customer transaction history with regulators. Using ZKPs: prove "I\'ve screened my users for sanctions and passed the check" without revealing which users or transactions were screened. This is critical for institutional DeFi: regulators require compliance checks, but users demand privacy. ZKPs split the difference.
ZK bridges enable trustless transfers between blockchains. Instead of trusting a bridge operator or multisig committee, use ZKPs to prove "Ethereum validators have confirmed this deposit; here\'s cryptographic proof." Rollups can become fully modular: one rollup settles to Ethereum, another to Bitcoin, another to Solana—all connected through ZK bridges without custodians.
ZKPs enable hidden game state and instant settlement. In chess, you prove you\'ve made a valid move without revealing your strategy until settlement. In games requiring quick settlement but privacy, ZKPs enable faster gameplay. NFT marketplaces can use ZKPs to prove ownership without revealing collections. Enables gaming on transparent blockchains with privacy comparable to centralized servers.
ZKPs are transformative but not without risks. Understanding limitations is essential for informed decision-making.
All proof systems rest on cryptographic assumptions. If elliptic curve cryptography is broken (unlikely but possible), all SNARK-based rollups collapse immediately. Quantum computers could pose this threat in 10+ years. STARK systems are more resilient but rely on hash function integrity. While current cryptography is robust, novel mathematical breakthroughs could undermine them. Migration to post-quantum cryptography is ongoing but not urgent yet.
Generating ZKPs is computationally expensive and requires specialized hardware (high-end GPUs/FPGAs). Only well-capitalized teams can build provers. This creates prover centralization: if one company\'s prover has bugs, the entire rollup fails. 2026 focus: open-source, decentralized provers (zkEVM provers, Risc0, etc.) reducing prover risk. However, current production rollups have centralized provers—a significant trust assumption often overlooked.
SNARK ceremonies remain security-critical weak points. Most ceremonies involved 100+ participants, but are they truly geographically distributed? Could state actors pressure participants to collude? This is hard to verify. STARKs and transparent schemes (Halo2) eliminate this risk but at efficiency cost. PLONK\'s universal setup reduces ceremony burden, but risk remains. 2026 trend: migration toward transparent systems where possible.
Encoding a complex system (like the EVM) into an arithmetic circuit is error-prone. Off-by-one errors, incorrect constraint formulation, or edge cases can introduce bugs that proofs won\'t catch. These bugs allow invalid transactions to be proven valid. Multiple audits help but don\'t guarantee safety. This risk is inherent to ZKPs: the proof is only as good as the circuit it proves.
Ethereum validates ZKP proofs through smart contracts (e.g., Groth16 verifier contract). Bugs in the verifier contract could allow invalid proofs to pass. Several rollups have had verifier bugs caught pre-deployment. Risk mitigation: multiple audits, formal verification (proving the verifier is correct), careful deployment. As systems mature, implementation risk decreases.
Privacy ZKPs may face regulatory backlash. Regulators worry about money laundering via private transactions. Identity ZKPs may violate Know-Your-Customer regulations in some jurisdictions. Governments may restrict certain ZKP applications. This regulatory tail risk could reshape the ZK landscape: some ZK applications may be banned while others thrive.
A zero-knowledge proof lets you prove you know a secret without revealing the secret itself. Imagine proving you know the password to a vault without saying the password: you enter the password, the vault opens, proving you know it. The person watching learns the vault opened (you know it), but doesn\'t learn the password. ZKPs work similarly using cryptography. Applied to crypto: prove you own Bitcoin without revealing the private key; prove your balance without revealing the exact amount; prove you\'re a US citizen without sharing your passport.
zk-SNARKs produce small, fast-to-verify proofs but require a trusted setup ceremony. They\'re used by zkSync and Polygon zkEVM. However, SNARKs are vulnerable to quantum computers. zk-STARKs produce larger proofs but don\'t require trusted setup (transparent) and are quantum-resistant. Starknet uses STARKs. The tradeoff: SNARKs are practical today but rely on trust assumptions; STARKs are safer long-term but less efficient. Think SNARKs = trusted-but-efficient, STARKs = transparent-but-bulky.
zk-STARKs are quantum-resistant because they use hash functions (SHA-256), which are believed secure against quantum computers. zk-SNARKs are NOT quantum-resistant—they use elliptic curve cryptography vulnerable to Shor\'s algorithm on quantum computers. As quantum computing advances, the ecosystem will shift toward STARKs and post-quantum cryptography. However, quantum threats remain many years away; current SNARKs are safe for near-term use. Starknet is positioning itself as the quantum-safe ZK leader.
A ZK rollup batches 1,000+ transactions into one ZKP (proof) and posts it to Ethereum. Ethereum verifies the proof (cheap, fast), confirming all batched transactions are valid. Instead of paying for 1,000 transactions on Ethereum (~millions of gas), you pay for one proof (~100K gas). This reduces costs 100-1000x. zkSync Era\'s Atlas upgrade enables 30,000 TPS with fees under $0.01. The security guarantee: Ethereum validates every state transition through ZKP verification, inheriting Ethereum\'s security.
A trusted setup is a cryptographic ceremony where participants generate public parameters used to create SNARK proofs. If ceremony participants collude, they could forge false proofs (critical security issue). zk-SNARKs require trusted setup; zk-STARKs do not. Most SNARK systems use 100+ ceremony participants—the assumption is at least one is honest and deletes their secret. This introduces trust assumptions SNARK systems must manage carefully. Transparent systems (STARKs, Halo2) eliminate this risk but may be less efficient.
As of April 2026, Polygon zkEVM leads with ~$1B+ TVL due to EVM equivalence and institutional adoption. Scroll follows with ~$1B peak TVL. zkSync Era has ~$370M TVL but highest TPS (30,000+) post-Atlas. Starknet has $150M+ TVL with quantum-resistant STARKs. Rankings fluctuate with market conditions and airdrops. Starknet\'s quantum-safe positioning and growing ecosystem make it a long-term growth leader. zkSync\'s throughput leadership makes it attractive for high-volume applications.