
I am not aware of modern cryptographic protocols, hence my next questions may be too stupid for experts. If so, I am sorry in advance. Instead, I am an academic researcher in (fast secure implementation of) elliptic curve cryptography, so I want to better understand the state of the art in my area.

I am wondering if there is real-world usage of zk-SNARKs (Zero-Knowledge Succinct Non-Interactive Argument of Knowledge) not based on elliptic curve cryptography. For example, the popular blockchains Zcash and Mina both use the so-called Pasta curves as far as I know, i.e., a $2$-cycle of two non-pairing-friendly curves. And curves appropriate for zk-SNARKs are called SNARK-friendly.

It is not a secret that there exists another type of zk-proof, namely zk-STARKs (Zero-Knowledge Scalable Transparent Argument of Knowledge). I heard that (STARK-friendly) hash functions underlie them. For instance, StarkWare Industries is probably the main company developing in this direction. Is it possible to create a quite efficient zk-STARK protocol on (pairing-friendly) elliptic curves?

I encountered two curves whose names contain the word "STARK": the first and the second. What is the definition of STARK-friendly curves? My first thought was that these are curves appropriate for implementing the DLP-based Pedersen hash function, which is known to be STARK-friendly. However, I am not sure about that.

Finally, are there real-world technologies employing any zk-proof system (possibly with properties distinct from SNARKs, STARKs) built on other mathematical objects, e.g., on lattices or codes rather than on elliptic curves or hash functions? I suppose that some scientific articles consider such post-quantum schemes, but I am interested in their practicality.

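As an added example that is not part of the original question: the post describes the Pasta curves as a 2-cycle of non-pairing-friendly curves, and the block below checks both properties in plain Python, using the published Pasta moduli and a textbook affine group law (the helper names and the embedding-degree bound of 1000 are this example's own choices, not anything from the Zcash or Mina code bases).

```python
# Added example, not from the original question: a plain-Python check of two claims
# behind "the Pasta curves are a 2-cycle of non-pairing-friendly curves".
# Moduli are the published Pasta parameters (hex); helper names are this example's own.
P_PALLAS = 0x40000000000000000000000000000000224698fc094cf91b992d30ed00000001
P_VESTA = 0x40000000000000000000000000000000224698fc0994a8dd8c46eb2100000001
B = 5  # both curves have the short Weierstrass form y^2 = x^3 + 5

def add(P, Q, p):
    """Affine addition on y^2 = x^3 + B over F_p; None is the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2:
        if (y1 + y2) % p == 0:
            return None  # P == -Q
        lam = 3 * x1 * x1 * pow(2 * y1, -1, p) % p  # tangent slope (a = 0)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, P, p):
    """Double-and-add scalar multiplication (not constant-time; fine for a check)."""
    R = None
    while k:
        if k & 1:
            R = add(R, P, p)
        P = add(P, P, p)
        k >>= 1
    return R

def is_two_cycle():
    """#Pallas(F_p) == q and #Vesta(F_q) == p, witnessed by the point (-1, 2), which
    lies on both curves since 2^2 == (-1)^3 + 5. If r*G == O for G != O and prime r,
    the group order is a multiple of r; Hasse's bound [p+1-2*sqrt(p), p+1+2*sqrt(p)]
    cannot contain 2r, so the order is exactly r. Primality of p, q is assumed."""
    pallas_ok = mul(P_VESTA, (P_PALLAS - 1, 2), P_PALLAS) is None
    vesta_ok = mul(P_PALLAS, (P_VESTA - 1, 2), P_VESTA) is None
    return pallas_ok and vesta_ok

def embedding_degree_exceeds(p, r, bound):
    """True if no k <= bound satisfies r | p^k - 1: the embedding degree of a curve
    over F_p with an order-r subgroup exceeds `bound`, so no practical pairing exists."""
    return all(pow(p, k, r) != 1 for k in range(1, bound + 1))
```

A pairing-friendly curve (BN, BLS and the like) would fail the second check with a k in the single or low double digits, which is exactly what a pairing-based SNARK relies on.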