Alice Liu: We have a very special guest with us today, Eli Ben-Sasson, co-founder and CEO of StarkWare. Eli has been in the cryptography space for over 20 years, a true veteran, and has co-invented major protocols such as STARKs, FRIs, and Zcash. Eli, it's an honor to have you here today. We're looking forward to hearing about your vision and philosophies for the ZK space, Circle STARKs, and some of the projects StarkWare is currently focusing on. Thank you so much for joining us today.
Eli Ben-Sasson: Thank you, Alice, for having me. It's great to be here and I look forward to our conversation.
Alice: I'd love to start by asking about your motivation for being in this space. What first got you interested in cryptography, and what's kept you here all these years?
Eli: Initially, it was curiosity. But I had an "aha" moment about 11 and a half years ago at a Bitcoin conference. I realized that a lot of the deep math I'd been researching - specifically around cryptographic proofs - had major relevance not just to privacy, but also to blockchain scalability. It was a moment where everything clicked for me. It felt like destiny, almost. I was doing research on this particular class of technologies, which ended up being STARKs, and that realization helped me see their broader potential, especially in the blockchain world.
Alice: I love how you mention that ZK technology is about more than privacy - it's also about scaling. Can you elaborate on Starknet and its role in advancing what you call "integrity webs"? You often describe Starknet as the next step in this evolution, building on ecosystems like Bitcoin and Ethereum. Could you tell us more about that progression?
Eli: Sure. So, what is an integrity web? At a conceptual level, think of it as a layer that sits on top of the World Wide Web. The World Wide Web gives us information and the ability to communicate globally. But on top of that, imagine a new layer that assures a very high level of integrity - something that ensures that the right thing is being done even when you're not watching.
Imagine a system where your reputation cannot be tarnished out of nowhere, your funds cannot be taken without your consent, and information cannot simply disappear or be manipulated. Integrity webs are peer-to-peer networks that ensure such properties, giving people control over their data and their interactions.
We've already seen some initial building blocks for this in Bitcoin and Ethereum. They adhere to three key principles: openness and broad participation, incentivized integrity, and public verifiability. The challenge for Ethereum and Bitcoin is their scalability - they can't handle the sheer volume of interactions the future demands while keeping those principles intact. This is where Starknet and STARKs come in. They allow us to exponentially boost the capacity of these integrity webs while ensuring everything remains verifiable by users with commonly available technology.
Alice: That's a fantastic overview. Integrity webs like StarkNet are trying to build a version of the web where integrity is guaranteed, where users regain control, and where value distribution is ensured. And I love how you broke that into the three principles: openness, incentivized integrity, and public verifiability.
You've been in the ZK space for quite some time now. How have you seen it evolve? What were some of the challenges you faced early on, and what are the current challenges that you think we need to address?
Eli: First of all, on a personal note, it's been great to see the growth. I’ve been talking about the power of cryptographic proofs for over a decade now, and it's incredible to see how much it’s being adopted. Concepts that we’ve been pushing, like hash-based cryptography and post-quantum secure STARKs, have gone from being laughed at and considered impractical to being widely recognized as the gold standard.
However, there are still big challenges - especially in UX and privacy. Everyone talks about ZK, but many of the systems labeled "ZK" are not really providing zero-knowledge privacy. They focus on scalability, which is great, but we’re still far from offering easy-to-use privacy solutions to end users. Another challenge is that current virtual machines weren’t designed with proof generation in mind. We need VMs that can natively support proof systems, and that’s where new developments like the Cairo VM and others are really making a difference.
Alice: Absolutely, I think privacy and UX are definitely among the most pressing issues, and a lot of teams are working hard on those. Let's shift gears a bit and talk about some of the design considerations and motivations behind the protocols you've developed, such as STARKs and FRIs. What were some of the main factors you prioritized during their development?
Eli: We prioritized scalability, security, and efficiency. We wanted to deliver scalability at a level that hadn't been seen before - essentially removing the limitations on blockchain computation. Another priority was security, specifically removing the need for trusted setups, which is a major downside of many other proof systems.
One example is how we chose the parameters for our initial implementation. Our first commercial deployment used a prime field of size 252 bits. We made that choice partly because of Ethereum's pricing structure for arithmetic operations, which didn’t favor smaller fields. So we optimized to reduce on-chain costs, knowing that gas costs were a critical concern. We also focused on building something that could scale quickly - to bring STARKs from theory into production as efficiently as possible.
Alice: That makes sense - prioritizing scalability and cost, and avoiding trusted setups. How would you compare STARKs to other cryptographic proof systems, like PLONK or Groth16?
Eli: Great question. All of these proof systems share the concept of "arithmetization," which is converting computation into algebraic problems that can be verified. Where they differ is in the assumptions and trade-offs they make.
Many of these other systems, like Groth16 and PLONK, rely on number-theoretic assumptions, which make them susceptible to quantum attacks, and they often require trusted setups. Their advantage is that they have very short proofs - sometimes less than half a kilobyte. STARKs, on the other hand, are hash-based and post-quantum secure, don’t need trusted setups, and can scale more effectively. The trade-off is that STARK proofs are larger, typically in the range of dozens of kilobytes.
Alice: That really helps clarify the landscape. Now, I want to shift to one of the newer developments - Circle STARKs. Could you share more about the motivation behind Circle STARKs and how they differ from traditional STARKs?
Eli: Circle STARKs are a fascinating advancement, and I have to give full credit to their inventors, including folks from StarkWare and Polygon Labs. The motivation was to improve efficiency. The original STARK proof system uses a large prime field, which has limitations in terms of efficiency, especially in handling certain types of operations.
Circle STARKs tackle this by using what's called a "circle curve" to emulate some of the properties we need for efficient proving. Essentially, it lets us use a more computationally efficient prime field while still benefiting from the kinds of recursive structures that are valuable in proof generation. The goal is to get the best of both worlds: computational efficiency and proof robustness.
Alice: Where do you see Circle STARKs fitting into the future of the ecosystem? Do you think they could replace traditional STARKs, or do they have distinct roles?
Eli: Ideally, I'd like to see all STARK constructions coexist in a unified framework that forms the backbone of the integrity web. Different STARK variants - whether Circle STARKs or others - will serve different roles, depending on the specific needs. Circle STARKs, being more efficient, are likely to become the default for many applications, but the traditional STARKs will still be relevant, especially where they are already widely adopted and proven. Long-term, I think we’ll see a blend of these approaches, leveraging small fields for efficiency.
Alice: One last question from the audience: if you could see a dream project implemented using STARKs or Circle STARKs in the next decade, what would it be?
Eli: My dream is an all-encompassing integrity web that brings true ownership of assets, reputation, and actions to individuals in the digital space. It would be a world where people genuinely own their digital lives without relying on custodians or centralized authorities. I hope that this integrity web will be built on top of the World Wide Web, using validity proofs as a foundational layer - a layer that ensures integrity behind the scenes without people even needing to know about it.
Alice: That sounds like a truly transformative vision. Before we wrap up, do you have any final thoughts or advice for the readers, especially for those who are thinking of building in this space?
Eli: My advice is simple..think long-term. This technology is still in its early days, and we're not anywhere close to realizing its full potential. Pick the projects and platforms that can truly support openness, incentivized integrity, and public verifiability on a global scale. Be cautious of hype and stay focused on projects that genuinely make a difference. And most importantly, spend your time wisely - this is a space where, if you do it right, your time will be well spent.
Alice: Incredible advice. Thank you so much, Eli, for joining us today and sharing your insights on integrity webs, STARKs, Circle STARKs, and the importance of staying true to core values. It's been a pleasure having you.
Eli: Thank you, Alice.
