Why did H33 invest heavily in STARK proofs when SNARKs are more common? The answer is simple: quantum computers. STARKs (Scalable Transparent Arguments of Knowledge) are built on hash functions, not elliptic curves—making them immune to quantum attacks that will eventually break SNARKs.
The Quantum Threat to SNARKs
Most zero-knowledge systems today use SNARKs (Succinct Non-Interactive Arguments of Knowledge), typically based on elliptic curve pairings like BN254 or BLS12-381. These are elegant and efficient—but they share a fatal flaw with RSA and ECDSA: they rely on the hardness of the discrete logarithm problem.
Shor's algorithm, running on a sufficiently powerful quantum computer, can solve discrete logarithm in polynomial time. When that day comes—and cryptographers estimate it could be within 10-15 years—every SNARK-based system becomes vulnerable.
STARKs vs SNARKs: Key Differences
- Security basis: STARKs use hash functions (Blake3, SHA-3); SNARKs use elliptic curves
- Quantum resistance: STARKs are quantum-safe; SNARKs are not
- Trusted setup: STARKs need none; SNARKs require trusted setup ceremonies
- Proof size: STARKs are larger (~45KB vs ~200 bytes) but worth it for security
H33's STARK Implementation
We use the Winterfell library for our STARK implementation, with custom circuits optimized for identity and biometric verification. Here's what our January 2026 benchmarks show:
| Operation | Time | Target |
|---|---|---|
| ZKP Stark Lookup Prove (128-bit) | 0.067µs | <100ms |
| Identity Verify (128-bit) | 8.2ms | <15ms |
| Identity Prove (192-bit) | 68.4ms | <150ms |
| Identity Verify (192-bit) | 12.8ms | <25ms |
| Biometric Prove | 156ms | <250ms |
| Biometric Verify | 24.3ms | <50ms |
Security Levels
We offer three STARK security configurations to match your threat model:
| Level | FRI Queries | Blowup Factor | Proof Size |
|---|---|---|---|
| 128-bit (Standard) | 30 | 8x | ~45 KB |
| 192-bit (High) | 45 | 16x | ~68 KB |
| 256-bit (Maximum) | 60 | 32x | ~95 KB |
No Trusted Setup
One of STARK's biggest advantages is transparency. Unlike SNARKs, there's no "toxic waste" from a trusted setup ceremony. No coordinator who could be compromised. No multi-party computation that might have been subverted.
The security of STARKs depends only on the collision resistance of the hash function—a well-understood property that's been studied for decades.
When to Use STARKs vs Groth16
H33 offers both proof systems. Here's when to choose each:
- Use STARKs when: You need quantum resistance, long-term security guarantees, or regulatory requirements for post-quantum cryptography
- Use Groth16 when: Proof size is critical (on-chain verification), you need sub-5ms verification, or quantum computers aren't in your threat model
Our Groth16 implementation verifies in 3.83ms with ~200 byte proofs. STARKs verify in 8.2ms with ~45KB proofs. The 2x slowdown and larger proofs are the price of quantum resistance.
Try STARK Proofs Today
Generate your first quantum-resistant zero-knowledge proof in minutes.
Get API Key