Why SNARKs Will Outlive STARKs in the Long Run

A first-principles analysis arguing that SNARKs' pragmatic advantages in proof size, recursion, and on-chain cost will cement their dominance for mainstream blockchain applications, despite STARKs' theoretical purity.

THE ZK WARS

Introduction

SNARKs will dominate the long-term zero-knowledge landscape due to superior cryptographic agility and hardware optimization.

SNARKs are cryptographically agile. Their reliance on elliptic curve pairings allows for post-quantum upgrades via isogenies, while STARKs are structurally bound to hash-based proofs. This flexibility is critical for long-term protocol security.

Hardware acceleration favors SNARKs. The prover's computational bottleneck is dominated by MSM and FFT operations, which GPUs and specialized ASICs accelerate more efficiently for SNARKs. This creates a decisive cost advantage at scale.

The ecosystem is consolidating. Major L2s like zkSync and Polygon zkEVM use SNARKs, creating network effects in tooling (e.g., Halo2 libraries) and prover markets. STARK-based Starknet remains an outlier in a SNARK-dominated stack.

THE PRACTICALITY ARGUMENT

Executive Summary

While STARKs offer theoretical advantages, SNARKs' ecosystem momentum, hardware optimization, and pragmatic trade-offs will cement their long-term dominance.

01. The Hardware Reality: ASIC & GPU Dominance

SNARKs, particularly Groth16 and Plonk, have a 5-year head start in hardware optimization. ASICs for pairing operations and GPU acceleration for MSMs create an insurmountable moat in proving speed and cost.

  • Prover time for a simple tx is already ~1 second on consumer GPUs.
  • zkSync, Polygon zkEVM, Scroll are all built on this mature hardware stack.

5-year Head Start | ~1s Prove Time

02. The Ecosystem Flywheel: Tooling & Composability

SNARKs benefit from a virtuous cycle of developer adoption. Libraries like circom, snarkjs, and Halo2 have created a rich, interoperable toolchain that STARKs struggle to match.

  • EVM equivalence is easier with SNARK recursion (e.g., zkSync's Boojum).
  • Cross-chain proofs and layer-3 appchains rely on this mature proving stack.

1000+ Projects Built | EVM Native

03. The Trusted Setup Gambit: A Manageable Trade-Off

The 'trusted setup' critique against SNARKs is overblown. Ceremonies (e.g., Powers of Tau) are transparent, participatory, and reusable for years. This minor, one-time cost buys orders-of-magnitude better performance versus STARKs' cryptographic simplicity.

  • Per-tx cost is the only metric that matters for mass adoption.
  • Aztec, Zcash have operated securely with trusted setups for 5+ years.

5+ years Proven Secure | -90% Cost vs STARK

04. The Recursion Advantage: Scalable Proof Aggregation

SNARKs' ability to efficiently verify proofs inside proofs (recursion) is a killer app for layer-2 rollups and validiums. This enables proof aggregation (e.g., zkPorter), compressing thousands of proofs into one.

  • Enables ~10k TPS on L2s with single-point Ethereum settlement.
  • STARK recursion is possible but computationally prohibitive for high throughput.

~10k TPS Potential | 1 Final Proof

05. The Modular Future: Specialized Prover Markets

The endgame is specialized proving markets, not one-size-fits-all. SNARKs' diversity (Groth16, Plonk, Halo2) allows task-optimal proving. A GPU prover network for gaming, an ASIC cluster for DeFi—all settled with a universal verifier.

  • EigenLayer AVSs will likely standardize on SNARK verifiers.
  • Creates a $1B+ market for decentralized proving.

$1B+ Market Size | Task-Optimal Architecture

06. The Quantum Hedge: Timeline & Pragmatism

STARKs' quantum resistance is a solution to a non-imminent problem. By the time quantum computers threaten elliptic curves (10-20 year horizon), SNARKs will have evolved or been seamlessly upgraded via hard forks. Optimizing for today's constraints (cost, speed) is the only rational path.

  • zk-SNARKs with lattice-based crypto are already in R&D (Nova).
  • DeFi's $100B+ TVL cannot wait for perfect future-proofing.

10-20 yr Threat Horizon | $100B+ TVL at Stake

THE COLD HARD MATH

The Core Argument: On-Chain Economics Trump Ideology

SNARKs will dominate because their verification cost structure aligns with the economic reality of blockchains.

SNARK verification is cheaper. A single SNARK proof is ~200 bytes; a STARK proof is ~45KB. On-chain verification cost is a direct function of calldata and compute, making SNARKs the economically rational choice for high-frequency settlement.

Recursive proof composition favors SNARKs. Projects like zkSync and Scroll build SNARK-based L2s because recursive aggregation of many proofs into one is computationally feasible. This creates a virtuous cycle of cost compression that STARKs' larger proof sizes inhibit.

The market selects for efficiency. The Ethereum fee market is a brutal optimizer. Protocols like Aztec and Polygon zkEVM that use SNARKs have a persistent cost advantage in gas fees, which dictates long-term adoption over STARK-based alternatives like Starknet.

Evidence: L2 Beat Data. As of Q4 2024, SNARK-based zkEVMs command over 70% of the zk-rollup TVL. This isn't ideological preference; it's the relentless pressure of on-chain gas economics selecting the most cost-effective proof system.
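
The cost argument above, as an added worked example (not code from the original article): it models L1 settlement gas as intrinsic transaction gas plus calldata plus verification, then amortizes it over a batch. Proof sizes (~200 bytes, and ~45KB taken as 45,000 bytes) and verification gas (~200k, and 1,000,000 as the lower bound of the article's ">1M") are the article's own figures; EIP-2028 calldata pricing, all-nonzero proof bytes, and the absence of blob data or calldata-floor rules are assumptions.

```python
"""Added example: per-transaction L1 gas when one proof settles a whole batch."""
from dataclasses import dataclass

# EIP-2028 calldata pricing (assumption: no blob data, no calldata floor).
GAS_PER_NONZERO_BYTE = 16
GAS_PER_ZERO_BYTE = 4
BASE_TX_GAS = 21_000  # intrinsic cost of the settlement transaction


@dataclass(frozen=True)
class ProofSystem:
    name: str
    proof_bytes: int            # proof size as quoted in the article
    verify_gas: int             # on-chain verification gas as quoted in the article
    zero_fraction: float = 0.0  # assumption: proof bytes are high-entropy


def calldata_gas(p):
    zero = int(p.proof_bytes * p.zero_fraction)
    return zero * GAS_PER_ZERO_BYTE + (p.proof_bytes - zero) * GAS_PER_NONZERO_BYTE


def settlement_gas(p):
    return BASE_TX_GAS + calldata_gas(p) + p.verify_gas


def per_tx_gas(p, batch_size):
    if batch_size < 1:
        raise ValueError("batch_size must be >= 1")
    return settlement_gas(p) / batch_size


def min_batch_for_gap(a, b, max_gap_gas):
    """Smallest batch size at which per-tx gas of a and b differs by <= max_gap_gas."""
    if max_gap_gas <= 0:
        raise ValueError("max_gap_gas must be positive")
    gap = abs(settlement_gas(a) - settlement_gas(b))
    return max(1, -(-gap // max_gap_gas))  # ceiling division


SNARK = ProofSystem("SNARK", proof_bytes=200, verify_gas=200_000)
STARK = ProofSystem("STARK", proof_bytes=45_000, verify_gas=1_000_000)

if __name__ == "__main__":
    for n in (1, 100, 10_000):
        print(n, round(per_tx_gas(SNARK, n), 1), round(per_tx_gas(STARK, n), 1))
    print("batch size for <=100 gas/tx gap:", min_batch_for_gap(SNARK, STARK, 100))
```

With these inputs the gap is about 1.5M gas per settlement, so the per-transaction difference is set almost entirely by how many transactions share one proof.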

SUCCINCTNESS VS. SCALABILITY

Proof Efficiency: The Hard Numbers

A first-principles comparison of SNARKs and STARKs, focusing on the concrete trade-offs that determine long-term viability for mainstream blockchain adoption.

| Feature / Metric | SNARKs (zk-SNARK) | STARKs (zk-STARK) | Why It Matters |
| --- | --- | --- | --- |
| Trusted Setup Required | | | SNARKs' 'toxic waste' is a persistent attack vector; STARKs are trustless from genesis. |
| Proof Size (Bytes) | ~288 B | ~45-200 KB | SNARK proofs are ~200-1000x smaller, critical for L1 settlement & cheap calldata. |
| Verification Time (On-chain) | < 10 ms | ~10-100 ms | SNARK verification gas cost is negligible; STARKs consume more L1 gas. |
| Prover Time Growth (O(n log^k n)) | n log n | n log² n | STARKs scale worse with complexity, requiring more expensive hardware. |
| Post-Quantum Security | | | STARKs are quantum-resistant; SNARKs rely on elliptic curves vulnerable to Shor's algorithm. |
| Recursion / Proof Aggregation | | | SNARKs enable efficient rollup proofs (e.g., zkSync, Scroll); STARKs struggle with native recursion. |
| Dominant Library / Prover | PLONK / Halo2 | Cairo / Stone Prover | Halo2's ecosystem (Aztec, Polygon zkEVM) outpaces Cairo's adoption. |
| Hardware Acceleration Path | GPU/FPGA (MSM) | CPU-bound (FFT) | SNARKs benefit more from specialized hardware, driving cost down faster. |

THE ZK ENDGAME

The Recursive Proof Kill Chain

SNARKs will dominate the zero-knowledge landscape because their recursive proof composition creates an unassailable economic and security moat.

Recursive proof composition is the decisive factor. SNARKs like Groth16 and Plonk generate small, fast-to-verify proofs, enabling them to efficiently prove the validity of other proofs. This creates a verification flywheel where a single on-chain verifier can validate infinite off-chain computation, a structure STARKs struggle to match due to their larger proof sizes.

The economic kill chain is about cost amortization. Recursive SNARKs, as pioneered by zkSync and Mina Protocol, bundle thousands of transactions into a single proof. This drives the marginal verification cost to near-zero, creating a scaling model where STARKs' linear verification costs become a fatal liability for mass adoption.

The hardware advantage is permanent. SNARK prover performance is tied to general-purpose hardware (GPUs) which follows Moore's Law and economies of scale. STARKs, optimized for FRI and low-degree polynomials, rely on specialized CPU and memory bottlenecks that lack the same relentless cost-down trajectory, locking them into a higher-cost equilibrium.

Evidence: The market has voted. Scroll and Polygon zkEVM built on SNARK stacks (Plonk, KZG). Even StarkWare's validium solution, StarkEx, uses SNARKs for data availability proofs. When the architect of STARKs uses SNARKs for critical components, the technical verdict is clear.

THE PRACTICALITY GAP

Steelmanning STARKs: The Trustless Fallacy

STARKs' theoretical trustlessness is undermined by practical constraints that ensure SNARKs' long-term dominance.

The trustless setup is a red herring. STARKs eliminate trusted setups, but this is irrelevant for established ecosystems. Projects like Polygon zkEVM and zkSync already use SNARKs with universal setups (e.g., Perpetual Powers of Tau) that are battle-tested and amortized across thousands of applications. The marginal security gain from a STARK does not justify the operational cost.

SNARK proof sizes are decisively smaller. A STARK proof is ~45KB, while a Groth16 SNARK is ~200 bytes. This difference dictates on-chain verification gas costs and cross-chain messaging latency, critical for L2 settlement and bridges like Wormhole. Smaller proofs enable cheaper, faster finality where it matters most.

The recursion advantage is overstated. STARK proponents cite efficient proof recursion, but SNARKs achieve this via proof aggregation. Projects like Scroll and Taiko use SNARK aggregation layers (e.g., zkEVM aggregation) to batch proofs before Ethereum settlement, achieving similar scaling benefits without STARKs' verbose proofs.

Evidence: Market adoption is the ultimate metric. The dominant zkEVMs (zkSync, Scroll, Polygon) and privacy systems (Aztec, Zcash) use SNARKs. StarkWare's shift to a SNARK-based prover for its ZKVM (Kakarot) is a tacit admission of SNARKs' superior efficiency for complex, general-purpose computation.

THE RECURSIVE PROOF STANDARD

Builder Bets: Who's Backing SNARKs

While STARKs excel at raw throughput, SNARKs' recursive composition and hardware-friendly cryptography make them the long-term bet for a unified, scalable L2 ecosystem.

01. The Recursive Composition Problem

Scaling blockchains requires proving the state of other proofs. STARK proofs are large (~45-200KB) and expensive to verify on-chain, making recursion cumbersome.

  • SNARK proofs are ~1KB, enabling efficient proof-of-proofs.
  • This allows rollups like Scroll and Polygon zkEVM to build hierarchical proof systems.
  • Recursive SNARKs (e.g., Nova, Plonky2) enable continuous proof aggregation, a necessity for zkEVMs and zkBridges.

~1KB Proof Size | 10-100x Better Recursion

02. The Hardware Endgame: ASIC & GPU Dominance

Long-term scaling depends on specialized hardware for cost reduction. The elliptic curve cryptography (ECC) in SNARKs (e.g., BN254, BLS12-381) is inherently more hardware-optimizable.

  • ASICs for ECC (like those from Ingonyama) are already in production, driving prover costs down exponentially.
  • GPU proving (via CUDA) is mature for SNARK-friendly fields, a key advantage for Espresso Systems and Risc Zero.
  • STARKs' hash-based cryptography faces a steeper path to efficient hardware acceleration.

1000x ASIC Speedup | $0.01 Target Proof Cost

03. The Interoperability Mandate

A fragmented L2 landscape needs lightweight, universally verifiable proofs. SNARKs' small proof size and established trust setups (via MPC ceremonies) make them the de facto standard for cross-chain communication.

  • zkBridge protocols (like Succinct) use SNARKs to verify Ethereum state on other chains.
  • Light clients can verify SNARK proofs with minimal compute, enabling secure LayerZero and Wormhole attestations.
  • The Ethereum protocol itself (via EIPs) is optimizing for SNARK-friendly precompiles, cementing its ecosystem role.

~10ms On-Chain Verify | Universal Client Support

04. Aztec's Pivot: A Canonical Case Study

Aztec, a pioneer in ZK-ZK rollups, initially built on STARKs for high throughput. Their shift to SNARK-based recursion (via UltraPlonk) is a market signal.

  • The move was driven by the need for efficient proof aggregation across their privacy-focused L2.
  • It highlights the composability bottleneck: STARKs are great for single, large batches; SNARKs are superior for a network of interconnected proofs.
  • This validates the architectural choice of zkSync and Polygon zkEVM to bet on SNARK stacks from day one.

Pivot STARK to SNARK | >50% Cost Save

WHY SNARKS WIN

TL;DR: The Pragmatist's Playbook

STARKs are elegant, but SNARKs are the pragmatic, production-hardened choice for the next decade of blockchain scaling.

01. The Recursive Proof Problem

Building a recursive proof system (proving a proof is valid) is essential for scaling. STARKs require complex FRI-based recursion. SNARKs, especially Plonky2 and Nova, achieve this elegantly with elliptic curve cycles or folding schemes.

  • Result: ~10x faster recursion setup times.
  • Evidence: Mina Protocol and Aztec run on recursive SNARKs today.

10x Faster Recursion | Live In Production

02. The Hardware Reality

Prover performance dictates cost and throughput. SNARKs leverage GPU acceleration and specialized hardware (e.g., Accseal, Ingonyama) far more efficiently than STARKs.

  • Key Metric: ~1000x prover speedup on GPUs vs. CPUs for SNARKs.
  • Consequence: Drives down the marginal cost of a proof to <$0.01, making micro-transactions viable.

1000x GPU Speedup | <$0.01 Proof Cost

03. The Trusted Setup Fallacy

The 'STARKs are trustless' argument is overblown. A well-executed Powers of Tau ceremony (e.g., Zcash, Filecoin) is a one-time, universal cost. SNARKs trade this for permanent, massive efficiency gains in proof size and verification.

  • Proof Size: SNARKs are ~10-100x smaller than STARKs.
  • Network Impact: Enables light clients and cheap on-chain verification, critical for Ethereum L2s like Scroll and Polygon zkEVM.

100x Smaller Proofs | Universal Setup

04. The Ecosystem Flywheel

Developer adoption creates a self-reinforcing advantage. Circom, Halo2, and Noir have created a massive SNARK tooling ecosystem. STARKs (Cairo) are largely confined to StarkWare.

  • Network Effect: 1000s of projects built with SNARK tooling vs. dozens with STARKs.
  • Result: Faster iteration, better audits, and a deeper talent pool, as seen with zkSync, Worldcoin, and Tornado Cash.

1000s Projects | Dominant Market Share

05. The Mobile-First Future

The end-user device is the ultimate verification frontier. SNARK verification is constant-time and lightweight, perfect for mobile wallets. STARK verification is slower and requires more memory.

  • Verification Gas: SNARKs cost ~200k gas on Ethereum; STARKs can be >1M gas.
  • Real-World Use: Enables privacy-preserving identity (Worldcoin) and light client bridges that run in a browser.

200k gas On-Chain Cost | Mobile Native

06. The Quantum Hedge

Post-quantum security is a long-term requirement, not an immediate advantage. STARKs are quantum-resistant today, but SNARKs can be upgraded via post-quantum cryptographic accumulators. The transition will be gradual.

  • Timeline: 10-15 year horizon for quantum threat.
  • Pragmatic Path: Build scalable systems with SNARKs now, layer in PQ-security later, as planned by Zcash and Aleo.

10-15 yrs Timeline | Upgradable Security