Photo selection: Filippo Armani
Compiled by: TechFlow
ZK Rollups, also known as Validity Rollups, are a revolutionary way to scale Ethereum that allows transactions to be processed off-chain and merged as a single compressed transaction on the main chain. This process increases transaction throughput and reduces fees while maintaining the security and decentralization of the main chain.
One of the standout features of ZK Rollups is that they leverage zero-knowledge proofs (ZKPs), a type of cryptographic proof that enables one party (the prover) to prove to another party (the verifier) that a statement is correct without revealing any additional information. In the context of ZK Rollups, ZKPs ensure the integrity of off-chain transactions, enabling the prover to demonstrate the validity of a batch of transactions without revealing the specific details of the transactions or requiring the verifier to check all transactions before accepting a new state.
Compared to Optimistic Rollups, ZK Rollups provide a higher level of security because they do not introduce additional trust assumptions on top of Ethereum and rely on Ethereum and mathematics for security. Optimistic Rollups rely on game theory and the 1/n honest node assumption, which means that for each batch of transactions, there will always be at least one honest node that can challenge malicious transactions.
On the other hand, the operators of ZK Rollups, also known as sequencers and provers, do not have any chance to endanger the users' funds, because their role is "only" to collect transaction batches and generate ZK proofs, while the users' funds remain on Ethereum L1, which is ultimately responsible for verifying the ZK proofs submitted by L2 and completing the underlying transactions. The validity proof is generated by performing complex polynomial calculations on the state data. If the state data is invalid, the validity proof cannot be generated. The validator on L1 will input the state data to verify the validity proof, so if the prover changes the state data, the validator will not accept the proof.
ZK Rollups have two more advantages over Optimistic Rollups. First, they make finality faster because transactions are confirmed on Ethereum as soon as proof of validity is provided, while Optimistic Rollups need to wait a week to ensure that there are no challenges, so the transaction is considered legitimate and final. Second, related to data availability, ZK Rollups are more efficient because only state differences need to be published, because there is no need to rebuild all transactions for verification, in contrast, Optimistic Rollups need to publish complete data so that anyone can reconstruct transactions and eventually challenge them.
As a result, ZK Rollups use much less data bandwidth on Ethereum (a scarce resource that all Rollups need to share, no matter which system they use to execute transactions, including ZK circuits), allowing users to get even cheaper fees (or even zero fees).
Zk-rollups are considered the ultimate solution for Ethereum scalability, but implementing them is difficult because the Ethereum Virtual Machine (EVM) is not designed to support ZK circuits. To solve this problem, many organizations and researchers have tried to create a Rollup-supporting virtual machine called zkEVM, which can run smart contracts in a way that is compatible with zero-knowledge proof computations.
The most comprehensive analysis of these different attempts can be found in Vitalik’s blog post, where he outlines four types of zkEVM based on compatibility with Ethereum. It is important to note that the closer the zkEVM is to Ethereum’s functionality, the slower and more expensive it will be to generate Zk proofs. On the other hand, if a blockchain or Rollup is more compliant with Ethereum’s specifications and standards, it will be easier for developers to build applications on it and integrate into the Ethereum ecosystem. In short, blockchains that are highly compatible with Ethereum may have a competitive advantage.
First category: zk rollups that are completely equivalent to Ethereum, replicating Ethereum exactly in all parts (including hashes, state tries, transaction tries, precompiles, or any other consensus logic). So far, no zkEVM has been able to achieve equivalence with Ethereum.
The second category: Zk rollups that are fully equivalent to the EVM strive to be equivalent to the EVM, but are not fully equivalent to Ethereum. They are fully compatible with existing applications, but make some minor modifications to Ethereum to make development easier and proofs faster to generate. Scroll and zkEVM Polygon belong to this category in theory; in practice, they currently belong to the third group.
Category 3: Almost EVM-like, sacrificing more elements and equivalence to make proof generation faster. Polygon zkEVM and Scroll currently fall into this category. This category is often a stepping stone to category 2.
Category 4: High-level language equivalent, meaning they all accept smart contracts written in Solidity and convert them into another custom, zk-friendly language. zkSync and StarkNet fall into this category, although zkSync may add compatibility for EVM bytecode over time and eventually move to higher types.
While Vitalik’s classification is currently the most popular and fair, there are other classification methods. Immutable, a StarkWare-based L2 specifically targeting NFTs, provides the following useful classification in one of its blog posts:
These categories are more clearly based than Vitalik’s on the extent to which the existing zkEVM achieves compatibility or equivalence with Ethereum at a specific level of the stack (high-level language, bytecode, or runtime environment).
Solidity compatible. Compatibility with Ethereum is achieved at the high-level language level Solidity, which means that developers can continue to write smart contracts in the language they are accustomed to using on Ethereum. However, these Rollups immediately convert Solidity to their intermediate representation, which is then compiled in their bytecode and executed in their custom environment. Specifically, these L2s use a transpiler to convert Solidity code into readable code for a custom VM (Cairo for StarkWare, LLVM-IR for zkSync). These transpilers do not support certain Solidity features, so developers may need to adjust their smart contracts. For example: zkSync and StarkNet.
EVM compatible. These Rollups are compatible with EVM at a language level, but they have their own bytecode, which means Solidity can be compiled directly into EVM opcode/bytecode and then converted to custom bytecode before the custom VM runtime. In practice, these Rollups are compatible with most Ethereum programs, but some applications may need to be rewritten. In addition, some bytecode features (such as precompilation) are not supported. For example: Polygon zkEVM.
Equivalent to the EVM. These Rollups create a zk-verification circuit that can directly read EVM opcodes and bytecodes, although the VM itself is different from the EVM. These Rollups are fully compatible with existing applications, but can make some minor modifications to Ethereum to make development easier and make proof generation faster. For example: Scroll.
Equivalent to Ethereum. This would mean replicating Ethereum across all components, similar to how Polygon does it. So far, no zk Rollup falls into this category.
Combining this framework with the one proposed by Immutable, and adding some additional information, the following chart can be outlined, highlighting some of the design differences and similarities to consider when comparing different zkEVM implementations before any performance data is available:
zkSync 2.0 (renamed zkSync Era just before the mainnet launch) is a scaling solution for the Ethereum network that is fully compatible with the Solidity programming language. With zkSync, users can choose between two types of data availability: zkSync Rollup and zkSync Porter. The former publishes data directly on Ethereum, making it as secure as Ethereum L1, while the latter stores data off-chain, resulting in faster transactions and lower costs, but with a lower level of security.
zkSync is EVM-compatible in that it can convert smart contract code written in Solidity to Yul, and Yul to LLVM-IR, which is then recompiled into a custom circuit-compatible bytecode set specifically designed for the EVM for zkSync. While this requires intermediate steps, it also allows for the addition of other non-EVM features such as Account Abstraction. In addition, Matter Labs, the company behind zkSync, plans to gradually make it more compatible with Ethereum toolkits and is preparing to launch its first three-layer prototype, zkSync Opportunity, on a testnet as part of its ambitions in the areas of scalability and interoperability.
At the time of writing, zkSync Era has just been launched, so it is too early to comment on its performance. zkSync 1.0 (now called zkSync Lite), which only supports simple transactions, is one of the largest zk rollups, with over $83 million locked in TVL and over 19 million cumulative transactions, while StarkNet has a TVL of just over $19 million and 4 million cumulative transactions.
StarkNet is a type 4/Solidity-compatible zk-rollup that employs a different type of zero-knowledge proof, called STARKs (Scalable Transparent ARgument of Knowledge), to ensure the integrity of off-chain transactions. STARKs are considered more efficient and scalable than SNARKs, but may require a more complex technical setup.
While StarkNet also supports smart contracts, its capabilities are relatively limited due to the use of STARKs and the fact that StarkNet contracts and the StarkNet OS are written in the Cairo language. To make development easier, StarkWare recently upgraded to Cairo 1.0, which emulates Rust. Like zkSync Era, StarkNet can be classified as "Solidity compatible" because it does not execute programs within the EVM, but instead creates a completely new, specially designed VM with a custom bytecode. StarkWare uses the Warp transpiler to convert Solidity code to Cairo VM bytecode.
However, unlike zkSync Era and other zkEVM implementations, the StarkNet team is not aiming to be compatible with the EVM or other Ethereum components, but rather aims to make StarkNet's VM as efficient as possible by rolling its custom client API, JavaScript library, and wallet system, which will force Ethereum-compatible tools to manually add StarkNet support. Although Cairo 1.0 also introduces Sierra - Secure Intermediate Representation - as a new intermediate representation layer between Cairo 1.0 and Cairo bytecode, the Warp transpiler does not support certain Solidity features and is still a long way from matching zkSync Era's EVM compatibility.
Polygon zkEVM is a zk-rollup that uses a custom language zkASM to interpret zkEVM code and verify the execution of smart contracts in a non-EVM runtime environment. The project began in 2021 with the acquisition of Hermez Network for $250 million to develop an EVM-equivalent system that combines the security and efficiency of STARKs and SNARKs. While STARKs are used to generate validity proofs for transaction states, SNARKs are used to evaluate the correctness of STARK proofs. The combination of these solutions enables security, speed, and low transaction fees.
In July 2022, Polygon announced the rebranding of Polygon Hermez to Polygon zkEVM, which has just been launched at the time of writing. The latest testnet version of Polygon zkEVM introduces recursion, allowing one ZK validity proof to verify batches of other ZK proofs, each of which can verify multiple transactions. This feature is made possible by Plonky2, a recursive SNARK that is 100 times faster than existing alternatives and is natively compatible with Ethereum itself.
In addition to Polygon zkEVM, Polygon has also developed Polygon Avail, a blockchain that optimizes data availability only. The network will be permissionless, allowing anyone to join as a validator, and unlike existing DACs (Data Availability Committees), it will have hundreds of nodes collaborating to provide network security. Avail will work in pairs with Polygon Hermez (Rollup), uploading state data from Hermez instead of publishing it on Ethereum, providing a solution between Validium and Rollup.
While some experts have pointed out that the specifications provided by Polygon are better described as EVM-compatible, the team is working hard to create the first solution that is fully equivalent to the EVM.
Scroll is an EVM equivalent zk-rollup developed by the Scroll team in collaboration with the Ethereum Foundation's PSE (Privacy and Scaling Explorations) group. It is currently in the Pre-Alpha testnet stage and is designed to be fully compatible with the Ethereum Virtual Machine (EVM) at the bytecode level. This means that developers can create smart contracts in any EVM-compatible language and deploy them to Scroll. Although Scroll does not currently support EVM opcode, it plans to do so by building a 1:1 opcode mapping and directly accepting EVM opcode without the need for a compiler.
Scroll's architecture consists of a centralized serialization node and a decentralized proof network. The centralized serialization node is responsible for sorting transactions, creating blocks, and submitting transaction data as calldata to the Rollup contract on Ethereum for data availability. Scroll plans to gradually decentralize the serialization nodes. On the other hand, a decentralized proof generator called Roller will generate proofs and publish them on the L1 network, leveraging distributed computing power. Rollers are randomly selected, and multiple proofs for different blocks can be generated in parallel on different Rollers to increase speed.
*While only on-chain data availability is currently supported, Scroll’s original design also included a Validium mode.
Indeed, both Scroll and Polygon took a bytecode-level approach to building their zkEVMs. This approach eliminates the transpilation step entirely, meaning these zkEVMs do not convert Solidity code to some other language before compiling and interpreting it. However, while Scroll’s only difference from Ethereum is the runtime environment, Polygon creates a custom VM and optimizes it, then converts EVM bytecode to that VM’s bytecode. Unlike Scroll, Polygon’s runtime (“zkExecutor”) runs custom “zkASM” opcodes (micro-ops in the diagram) instead of EVM opcodes to optimize EVM interpretation (i.e. reduce the number of constraints instead of proving the EVM directly). The Polygon zkEVM will probably not be compatible with 100% of Solidity code, tools, and applications, though most will be.
While these are the most visible projects focused on rolling out a general-purpose zkEVM implementation, other application-specific projects also use zk technology in practice.
Looping is an application-specific zk-rollup for supporting decentralized exchange (DEX) protocols. Loopring is also a platform that uses zk proofs to let anyone build a dex. Immutable X is another application-specific zk-rollup built on StarkWare for NFT trading and gaming. Aztec is a privacy-focused zk-rollup on Ethereum that encrypts data to keep it transparent and available to the protocol while protecting the privacy of users. In addition, Aztec invented the PLONK proof system, which is also used by zkSync and other projects.
Multiple protocols such as Immutable X, Sorare, rhino.fi, ApeX, dYdX, etc. are built on StarkEx. In projects using StarkEx ZK-Rollup, data is sent to Ethereum as calldata and published on the chain. In Validium mode, data is stored off-chain and only hashes are stored on-chain. While the Rollup mode ensures higher security (users only need to interact with the Ethereum blockchain to recreate the ledger state), the Validium mode ensures lower costs and higher privacy.
Overall, while zkSync Lite is the largest zk rollup, StarkWare has the largest ecosystem, including projects built on StarkEx, and has the largest TVL and market share.
Summarize
In summary, zk-rollup is a promising solution for scaling blockchain networks, with various implementations available to meet different needs and requirements. While some classifications exist, it’s worth noting that they are approximate interpretations, lacking consensus on definitions and technical differences. As Scroll co-founder Sandy Peng admits: “There is no definition that has clear consensus. The entire research team at Scroll “favors a certain narrative or a certain view, but it’s not a clear-cut thing. Our research team doesn’t even agree on what everything means.”
Nonetheless, some common trends emerge among zk rollup implementations. First, they all seem to take a hybrid approach to data availability, providing a rollup version for traditional on-chain data storage and a validium version for off-chain data storage. “In my opinion, you’ll find that every rollup will have a rollup version and a validium version,” Avail CEO Anurag Arjun told Blockworks.
Second, they mostly avoid using pure open source code until they are actually running, which is also related to the fierce competition from optimistic rollups like Arbitrum and Optimism. Zk-rollups promise to be more efficient but are technically more difficult to implement. In addition, as is clear from the table above, optimistic rollups, especially Arbitrum, are benefiting from first-mover advantage and are leading the market in terms of applications, transaction volume, and market share. If proven successful, optimistic rollups can combine the validity proof model with their already established user base (for example, Optimism's upgrade Bedrock may introduce validity proof).
Furthermore, while all implementations started with centralized sequencers for efficiency, they are all committed to gradually decentralizing to address concerns about centralization. Interestingly, decentralized sequencers may require an economic incentive in a native token, so all mentioned projects should take this step.
Finally, the amazing results achieved by these zkEVM implementations over the past year have led to a new round of attention for zk technology in general, with companies focusing on developments in various areas, including the development of new zk hardware to increase proof generation speeds.
While there are still some challenges to be addressed, the progress made in zkEVM design in just over a year is remarkable, and 2023 could be a decisive year for this technology.
Original link
