- Rollups are the core technology for Ethereum layer 2 protocols. Many rollup solutions use the zero-knowledge proof method. Such technologies are grouped under the name ZK-Rollups.
- The use of rollups allows for high transaction privacy and scaling of the core Ethereum network: multiple transactions are combined into a single packet that is validated in the first layer blockchain.
- There are several popular Layer 2 protocols in the Ethereum ecosystem based on ZK: StarkNet, zkSync, Loopring, Polygon Miden and others. There is also a separate technology, Optimistic Rollups, which is used in the L2 platforms Arbitrum One and Optimism.
How does a zero-knowledge proof work?
The zero-knowledge proof (ZKP) method was formulated by scientists Shafi Goldwasser and Silvio Micali in their 1985 article “The Knowledge Complexity of Interactive Proof Systems”. They proposed a way to prove the validity of a message without revealing its details.
To do this, a special “confirmation” (the proof) must be generated, with which the verifier can check the correctness of the input data. The prover performs a series of calculations, which will be correct if they have the necessary knowledge. The verifier knows the value of the correct answer, which allows them to confirm that the prover really possesses the information. Thus, both parties have only limited data about the content of the message.
To demonstrate the method, consider a situation in which a colorblind person is shown two balls. One is red and the other is green, but the person can’t see the difference.
You need to prove that the balls are different without naming their colors. To do this, you hand the balls to the other person, who hides them behind their back. They then take out one ball and show it to you, hide it again, and repeat the action. Each time, you must answer whether they switched the ball behind their back. Since you know the correct answer, after a series of experiments you will have proved you are right, without having to divulge any additional information.
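The ball experiment above can be simulated to show why repetition matters. This is an added example, not part of the original article; the function names and the trial counts are assumptions chosen for illustration. A prover who really sees the colors always answers correctly, while one who cannot tell the balls apart passes n rounds only with probability 1/2^n.

```python
import random

def run_protocol(prover_sees_color, rounds, rng):
    """Return True if the colorblind verifier accepts after `rounds` challenges."""
    balls = ["red", "green"]            # colors are visible only to a sighted prover
    for _ in range(rounds):
        shown = rng.randrange(2)        # verifier shows one of the two balls
        swapped = rng.random() < 0.5    # verifier secretly switches it (or not)
        shown_again = 1 - shown if swapped else shown
        if prover_sees_color:
            # Honest prover compares the color seen before and after.
            answer = balls[shown] != balls[shown_again]
        else:
            # A prover who cannot distinguish the balls can only guess.
            answer = rng.random() < 0.5
        if answer != swapped:
            return False                # a single wrong answer and the verifier rejects
    # The verifier only ever heard "switched" / "not switched", which it
    # already knew, so it learned nothing about the colors themselves.
    return True

def acceptance_rate(prover_sees_color, rounds, trials=2000, seed=1):
    """Fraction of independent protocol runs that the verifier accepts."""
    rng = random.Random(seed)
    accepted = sum(run_protocol(prover_sees_color, rounds, rng) for _ in range(trials))
    return accepted / trials

if __name__ == "__main__":
    for n in (1, 5, 10, 20):
        print(n, acceptance_rate(True, n), acceptance_rate(False, n))
```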
How are zero-knowledge proofs used in ZK-Rollups?
The ZKP method gave rise to a group of technologies collectively called ZK-Rollups, which are the basis of many key layer 2 protocols in the Ethereum ecosystem today. Vitalik Buterin called ZKP the most important technology for scaling the main blockchain platform.
Rollups form packets of multiple transactions in which the data of each transfer is compressed. Such “rollups” provide proof to the underlying first-level network (in this case, Ethereum), which allows the validation of all the transactions in the packet without reviewing each one of them. After verification, the packet is included in one of the blocks. A single rollup packet can contain thousands of transactions, but a minimum amount of data is placed in the layer 1 blockchain.
Three elements make ZK-Rollups work:
- An L2-protocol virtual machine that groups transactions;
- A verifier smart contract that verifies packets;
- A module that sends packets to the first-level blockchain and updates the state.
The Layer 2 network node performs basic verification of incoming transactions. After receiving a certain number of transfers, it combines them into a packet and generates a ZK proof. The packet is verified by the smart contract deployed in the first-layer network. The contract also provides input to and output from the L2 blockchain.
“Rollups” also include user balances in the L2 network, represented in the form of a Merkle tree. Its root is stored in the contract, which allows us to track changes in the state of the network. Values confirming each transaction are also sent to the first-level blockchain. The data includes the Merkle root, which is calculated in several steps. Intermediate values are written to the blockchain and confirm each transfer in the batch.
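The balance tree described above can be sketched as follows. This is an added example, not code from any rollup project: SHA-256, the leaf encoding, the duplicate-last-node rule and all function names are assumptions made for illustration. It computes the state root, the intermediate root after each transfer in a batch, and checks one account's balance against a root using only a Merkle path.

```python
import hashlib

def h(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def leaf(index, balance):
    # Leaf commits to the account index and its balance (constructed encoding).
    return h(b"\x00", index.to_bytes(4, "big"), balance.to_bytes(16, "big"))

def build_levels(balances):
    """All tree levels, leaves first; an odd level duplicates its last node."""
    levels = [[leaf(i, b) for i, b in enumerate(balances)]]
    while len(levels[-1]) > 1:
        cur = levels[-1] + ([levels[-1][-1]] if len(levels[-1]) % 2 else [])
        levels.append([h(b"\x01", cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def merkle_root(balances):
    return build_levels(balances)[-1][0]

def merkle_path(balances, index):
    """Sibling hashes from the leaf up to the root for one account."""
    path = []
    for level in build_levels(balances)[:-1]:
        sib = index ^ 1
        path.append(level[sib] if sib < len(level) else level[index])
        index //= 2
    return path

def verify_balance(root, index, balance, path):
    """The check available to a party that holds only the stored root."""
    node = leaf(index, balance)
    for sibling in path:
        node = h(b"\x01", node, sibling) if index % 2 == 0 else h(b"\x01", sibling, node)
        index //= 2
    return node == root

def apply_batch(balances, batch):
    """Apply (from_index, to_index, amount) transfers; return the new
    balances and the intermediate root after each transfer."""
    state, roots = list(balances), []
    for src, dst, amount in batch:
        if not (0 <= src < len(state) and 0 <= dst < len(state)) or src == dst:
            raise ValueError("unknown or identical account index")
        if amount <= 0 or state[src] < amount:
            raise ValueError("invalid amount or insufficient balance")
        state[src] -= amount
        state[dst] += amount
        roots.append(merkle_root(state))
    return state, roots
```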
What are the advantages of ZK-Rollups technology?
Initially, zero-knowledge proofs were used in anonymous cryptocurrency projects, but in recent years they have found wide application as Ethereum scaling solutions.
ZK-Rollups allow user data to be processed without revealing private information about them. In particular, the algorithm can check the availability of funds without showing the user’s balance. These features are important for companies that need to protect personal customer data.
Also, using solutions based on ZK-Rollups significantly reduces transaction fees. Multiple transfers are bundled into one package in which all data is compressed – for example, an index is used instead of an address. This allows less information to be stored in the first-level blockchain. Costs are shared among all senders, so each user pays less.
ZK-Rollups provide low latency for withdrawals to the main network because the smart contract verifies the validity of the data before the packet is included in the blockchain.
What kinds of ZK proofs are available?
There are many implementations of ZK rollups, the most popular being ZK-SNARKs (and its variant Plonky2), ZK-STARKs, zkSync and others. Each of the technologies differs in the size of the “proof” and the computational cost required for verification.
ZK-SNARK creates a proof that is small in size and easy to verify. The proof is produced using elliptic curves. Computing their values is less expensive than hashing, so the algorithm is less costly. The method requires destroying the proof immediately after it is sent. For the algorithm to work, the node generates a public and a private key, after which the latter is destroyed. The public key is used to generate another key pair. The private key is then used to generate the confirmation and the public key is used to verify it.
ZK-STARKs generate a proof that does not involve interaction between the prover and the verifier. Data validation takes less time, making the technology easier to scale. The algorithm uses hashing, making it resistant to a quantum computer attack.
zkSync is an L2 protocol based on the rollup algorithm of the same name. The platform allows the transfer of assets and supports smart contracts. The algorithm features a low gas limit per transaction, which does not exceed 500 Gwei. The main advantage of zkSync 2.0 is compatibility with the Ethereum Virtual Machine.
What projects use ZK-Rollups and Optimistic Rollups?
There are several popular solutions in the Ethereum ecosystem today that use ZKP:
- The StarkNet platform. The major DeFi protocols Rhino, Immutable X, dYdX and Sorare are based on its private version, called StarkEx.
- Mina Protocol is a lightweight blockchain that uses ZK-SNARK technology to create blocks of 22 Kb in size. The platform allows executing smart contracts and running decentralized applications.
- Loopring – a decentralized trading protocol that uses an order book. Implemented on the Ethereum network, it relies on ZK proofs to work.
- Polygon Miden – a “rollup” based on zk-STARKs, working with a special Miden VM.
In addition to ZKP-based rollups, there is also a group of solutions called Optimistic Rollups. The difference between them lies in the way transactions are validated: in Optimistic Rollups, transaction packets are considered valid, and transactions are validated only if someone has challenged them.
Zero-knowledge proofs retain data on the underlying network after each transfer is validated. This ensures that the technology maintains the current state of the network. At the same time, unlike ZK-Rollups, withdrawals from protocols based on Optimistic Rollups require a fraud check, which can take up to two weeks. This period determines the time needed to withdraw funds to the first-level blockchain. However, the need for data validation in ZK-Rollups increases resource consumption and financial costs.
Two popular L2 Ethereum protocols, Arbitrum and Optimism, are based on Optimistic Rollups.
What is a validium?
There are also combined solutions called validiums. A validium is a compromise technology that combines proofs stored at different levels. The proofs are sent to the underlying blockchain and the data is stored outside of it. The solution reduces fees, but involves reliance on external storage. If the latter fails, users will not lose money, but they will not be able to make transactions.