ZK-Rollups: A layer 2 scaling solution based on zero-knowledge proofs
Unlike fraud proofs [1], Zk-Rollup uses validity proofs, which use zero-knowledge proofs to ensure the validity of transactions. The data is verified through zero-knowledge proofs before being uploaded to the chain to prove that there are no problems with the transaction. The updated status, proof of the transaction, and compressed transaction data are then uploaded to the main chain to ensure the validity of the corresponding data on the chain and the security of funds.
The security of Zk-Rollup relies on cryptographic principles, and one of its main advantages is that it does not require a challenge period [2].
Currently, the general computing power of Zk-Rollup is relatively poor, and most of the versions that have been launched can only realize transfers and specific application scenarios, which is not friendly to developers. Now some of the latest Zk-Rollup solutions are studying L2 expansion solutions that are compatible with general EVM, which will be of great significance if successful.
Zk-Rollup is more in line with the style of the crypto world, using cryptographic principles to prove the correctness of transactions instead of waiting for others to report incorrect transactions.
Zero-knowledge proof
Zero-knowledge proof is a cryptographic concept, also known as zero-leakage proof, consisting of a prover and a verifier.
The prover needs to run on specialized hardware and is trustless, which means that the security of the system does not require the assumption that the prover is trustworthy, or that the hardware on which they run is trustworthy, because there is no mathematical way to forge a false zero-knowledge proof.
The verifier does not require special hardware and can be run on any node. In laymans terms, the prover creates a proof from the systems input, and the verifier checks to confirm that the calculation result uploaded by the prover is real without the need to recalculate it.
To put it philosophically, if I want to prove that a Bitcoin account is mine, I want to prove that I know the private key of this account, but I cannot tell the private key to others. (Private key signature, public key verification)
zk-SNARK
The most commonly used one in blockchain is zk-SNARK, which is a special zero-knowledge proof that requires non-interactivity (the previous example of zero-knowledge proof verifying Bitcoin was not non-interactive. To change it to non-interactivity, I just need to issue a transfer transaction to transfer the coins in the account to another account. In this way, all nodes can verify that this Bitcoin account is mine. For the blockchain scenario, the prover only needs to publish the message to the blockchain, and all nodes can verify it without interacting with the prover. This type of verifier is called a Public Verifier) and simplicity (only a few hundred bytes are needed, so even if the original input is large, the generated proof is very small).
The disadvantage is that the workload of the prover to generate the proof is very large. It takes several seconds to initiate an anonymous transfer transaction, while it only takes a few milliseconds to verify the legitimacy of the transaction.
zk-SNARK requires trust setup, which requires that a set of public parameters shared by all members be randomly generated during initialization. The random source used during initialization must be destroyed. If leaked, the security system will collapse and malicious attackers can create false proofs. To avoid this risk, the initialization process of zk-SNARK involves multiple parties. As long as any party destroys the random source used during initialization, the system is secure.
Application of zk-SNARK in blockchain
One of the representative applications is Zcash and the other is Filecoin. These two projects are not L2. They are used here just to illustrate the application scenarios of zk-SNARK.
Zcash uses zk-SNARK to hide transaction information, the identities of both parties and the transaction amount. Zcash can verify the legitimacy of transactions without knowing sender.address, receiver.address, iuput.value, and out.value. This is very different from Bitcoin, where each Bitcoin transaction must state the source of the coin and which previous transaction the coin came from, so as to prove that the coin we spend is legal and not fabricated out of thin air. For Zcash, it only needs to use mathematical methods to prove that the coin you spend is a legal coin in the current system, without specifying which one it is, so that the source of the coin cannot be tracked.
Filecoin is the largest zk-SNARK network deployed to date, generating millions of zero-knowledge proofs every day. Filecoin miners earn block rewards by storing data and need to regularly prove that they are storing the data they promised. These miners are the provers in the zk-SNARK protocol and need to provide two types of proofs: proof of replication[3] and proof of spacetime[4].
Proof of replication is only given once. When the user and the storage provider initially reach a storage deal, the storage provider needs to prove that they do store the users data. Proof of space and time needs to be provided periodically to prove that the storage provider continues to store the original data over time. When the storage provider first agrees to store data for a customer, it needs to stake the corresponding File token. If the provider fails to provide proof of space and time during the agreement, it will be penalized and may lose the staked File token.
The advantage of zk-SNARK technology is that the generated proof is very short, which saves network bandwidth and has a fast verification speed. Filecoin has not achieved true privacy computing. zk-SNARK is only used for Filecoins consensus mechanism and is not used for user data. So far, almost all zk-SNARK circuits are special-purpose integrated circuits, that is, zero-knowledge proof technology specially customized for different applications. Ethereums smart contracts are Turing complete, and zk-SNARK technology cannot currently realize general smart contracts.
ZK-Rollup Representative Projects
ZK Rollup has two representative projects, zkSync and STARKWARE.
zkSync
zkSync uses the zero-knowledge algorithm of zk-SNARK, and its security relies on the initialization of the trust setup (a random number is formulated by some participants including Ethereum founder Vitalik Buterin, and at least one participant is required to be honest, so that the system can be proven to be secure).
In terms of EVM compatibility, zkSync has a compiler that can convert smart contracts into opcodes supported by zkEVM to achieve Solidity compatibility.
In terms of data availability, zkSync provides two data availability solutions. Users can choose to put data on the chain (that is, store it on the L1 chain or on Ethereum for higher security, and pay a higher gas fee than off-chain), or they can choose to store data off-chain (which can maximize capacity expansion and further save gas fees, but will sacrifice some decentralization and security). In other words, zkSync supports both on-chain and off-chain data storage modes. Some people believe that off-chain data is not L2 in the true sense, because L2 must ensure the same security as L1. If the data is stored off-chain, the availability is different from L1. If it is stored in a cloud service provider off-chain, it runs counter to the concept of decentralization. If it exists in a decentralized storage like IPFS, there is still no way to guarantee the availability of the data (it is different in IPFS and on Ethereum). Blockchains such as Ethereum and Bitcoin will not lose the data stored on them, but IPFS does not guarantee immutability.
StarkWare
The two most popular systems for generating zero-knowledge proofs on the market are zk-SNARK and zk-STARK.
zk-Sync uses zk-SNARK, and StarkWare is a cryptographic technology based on zk-STARK proof. The zk-STARK technology was invented by the StarkWare team and can be seen as an upgraded version of the zk-SNARK technology, which can make the blockchain more scalable. The underlying blockchain using this algorithm allows developers to transfer the transaction data on the chain and the storage of some data to the chain. The data processed in batches off the chain can be packaged to generate a STARK proof, which can be sent to the chain for any interested party to verify its authenticity. STARK has three main advantages over the SNARK used by zk-Sync. The first advantage is transparency, which means that the system does not require trust settings to run, while SNARK proofs require trust settings. The use of zk-SNARK must be subject to mandatory initial trust settings. If the participants in the initial settings are dishonest, false proofs can be created to forge transactions. zk-STARK does not require external trust settings. It can prevent any party from destroying or modifying parameters through random public verification. It is not clear how much practical value this advantage has. (Teacher Xiao thinks this advantage is not very significant)
The second advantage is scalability. StarkWare claims that zk-STARK reduces computational complexity and generates STARK proofs faster than SNARK, but this statement is somewhat controversial.
The third advantage is resistance to quantum attacks. Theoretically, zk-STARK uses collision-resistant hash functions to improve the ability to resist quantum attacks, but this advantage is not very meaningful.
The disadvantage of STARK is that its technology is far less mature than SNARK and its popularity is not good. The advantage of StarkWare is that its technical team is extremely small, including the inventors of both STARK and SNARK. The disadvantage is that the community ecology is still far from complete, which is also related to the low popularity of STARK.
Another issue is the compatibility of EVM. Ethereums EVM is Turing complete, and it is difficult for STARK to be compatible with EVM if it wants to achieve Turing completeness. It is very complicated to convert Ethereums smart contract language Solidity into a STARK-compatible format, so the StarkWare team created a specific programming language Cario to run programs supported by STARK. The learning cost of Cario is relatively high, and it is not compatible with EVM, which makes it difficult to migrate existing Dapps on Ethereum. This is one of the reasons why the StarkWare ecosystem is not easy to build. From another perspective, adopting a new language also has advantages. It has no historical baggage and can implement some functions that Ethereum cannot do.
In terms of data availability, StarkWare provides two data availability solutions. StarkWare has a Voluation system that allows users to choose whether each transaction uses the Rollup solution with available on-chain data or the Validium solution with available off-chain data.
The data availability committee of the validium scheme is composed of some reputable cryptographic entities. From the perspective of data security, data storage on the chain is the safest. The disadvantage is that the cost is relatively high, which is suitable for situations where the amount of funds is relatively large and the real-time requirements are not high. Storing data off the chain will sacrifice a certain degree of security. The advantage is that the cost is low, which is suitable for application scenarios with relatively small amounts of funds and high real-time requirements, such as: GameFi.
Noun interpretation
Fraud Proofs: In distributed systems, fraud proofs are used to detect and correct incorrect state updates, typically used in Optimistic Rollups, assuming that the majority of operations are correct but providing a mechanism to challenge and correct incorrect operations.
Challenge period: The challenge period is a specified time window that allows validators to check and confirm the correctness of state updates, which is critical in ensuring the security and fairness of the system.
Proof of Replication: Proof of Replication indicates that a certain data is indeed stored in a specified location at a certain point in time and has multiple copies.
Proof of Space and Time: Proof of Space and Time is a proof mechanism that combines space (storage) and time (continuous storage) to show that certain data is stored continuously over a period of time.
Conclusion
In January 2021, Ethereum founder Vitalik Buterin said: In the short term, Optimistic-Rollups will win because of EVM compatibility, and ZK-Rollups are more likely to win in some use cases such as simple transactions. In the medium and long term, as zk-SNARK technology improves, ZK-Rollups will eventually win all use cases.
Lianyuan Technology is a company focused on blockchain security. Our core work includes blockchain security research, on-chain data analysis, and asset and contract vulnerability rescue. We have successfully recovered many stolen digital assets for individuals and institutions. At the same time, we are committed to providing project security analysis reports, on-chain traceability, and technical consulting/support services to industry organizations.
Thank you for your reading. We will continue to focus on and share blockchain security content.
