Zero Knowledge Rollups

Great Intro to the Zero Knowledge Proof System
tldr: What is a Zero Knowledge Proof?
  • Put simply, a zero-knowledge proof is a situation in which each of two parties in a transaction is able to verify to each other that they have a particular set of information, while at the same time not revealing what that information is.
  • A zero-knowledge proof example would involve the user demonstrating to the network (via mathematical proof) that they have the correct password without actually revealing the password itself.
    • The privacy and security advantages in this situation are clear: If the network does not have the password stored somewhere for verification purposes, the password cannot be stolen.
Overview of ZK-Rollups
Intro to ZK-Rollups
  • A "zero knowledge proof" approach is used to present and publicly record the validity of the block on the Ethereum blockchain
  • ZK-Rollups are one of the options being developed for layer 2 construction that increases scalability through mass transfer processing rolled into a single transaction
  • ZK-Rollups bundle hundreds of transfers into a single transaction
  • The smart contract will deconstruct and verify all of the transfers held in a single transaction.
  • ZK reduces computing and storage resources for validating the block by reducing the amount of data held in a transaction; zero knowledge of the entire data is needed
Simple Overview of ZK-Rollups
The ZK-Rollup scheme consists of two types of users: transactors and relayers
Transactors:
  • They create their transfer and broadcast the transfer to the network
  • The transfer data consists of an indexed "to" and "from" address, a value to transact, the network fee, and nonce
    • A shortened 3 byte indexed version of the addresses reduces processing resource needs.
    • The value of the transaction being greater than or less than zero creates a deposit or withdrawal respectively.
  • The smart contract records the data in two Merkle Trees; addresses in one Merkle Tree and transfer amounts in another.
Relayers:
  • They collect a large amount of transfers to create a rollup. It is the relayers job to generate the SNARK proof
  • The SNARK proof is a hash that represents the delta of the blockchain state
    • State refers to "state of being."
    • SNARK proof compares a snapshot of the blockchain before the transfers to a snapshot of the blockchain after the transfers (i.e. wallet values)
    • It then reports only the changes in a verifiable hash to the mainnet
  • It is worth noting that anyone can become a relayer so long as they have staked the required bond in the smart contract. This incentivizes the relayer not to tamper with or withhold a rollup.
User Experience using ZK-Rollups
  • Users on a dApp running the ZK-Rollup scheme will pay less in transaction fees
  • Creating zero knowledge proofs requires a large amount of computing power
  • The implementation is proposed to be a "commit-verify" approach
  • The latency to block confirmation will increase because the SNARK proof will be delayed by a number of blocks
  • How this will affect users will not be known until implementation.
Pros and Cons of ZK-Rollups
Pros:
  • Reduced fees per user transfer
  • Faster than Optimistic Rollup and Plasma
  • Blocks will be computed in a parallel computing model which encourages decentralization
  • Less data contained in each transaction increases throughput and scalability of layer 2
  • Does not require a fraud game verification like Optimistic Rollup, which can delay withdrawals by up to two weeks
Cons:
  • The difficulty in computing zero knowledge proof will require data optimization to get maximum throughput
  • The initial set up of ZK-Rollups promotes a centralized scheme (see Security Considerations)
  • The security scheme assumes a level of unverifiable trust
  • Quantum computing poses a threat to hacking the blockchain
Example of ZK-Rollups Used
  • zkSync is a ZK-Rollup live on Ethereum mainnet.
Summary of ZK-Rollups (And how they differ from Optimistic Roll-ups)
  • Zero knowledge roll-ups (ZK roll-ups) are different than optimistic roll-ups in the sense that there’s no long onboarding/off-ramp timing.
  • Instead, these proofs cryptographically ensure from the onset that a transaction is valid by using a zero-knowledge proof — thus, eliminating the need for a challenge period to detect fraud.
  • Moreover, ZK roll-ups are much faster and more efficient than optimistic roll-ups — where zkSync’s zkPorter promising to process 20K+ TPS, faster than even centralized networks like Visa.
  • ZK roll-ups were long thought to be a tradeoff with optimistic roll-ups because the former doesn’t support EVM compatibility — thus trading off speed with smart contract deployment ease. However, zkSync 2.0 is EVM compatible now.

ZK-SNARKs

Intro to ZK-SNARKs
  • Zk-SNARK is an acronym that stands for “Zero-Knowledge Succinct Non-Interactive Argument of Knowledge.”
  • A zk-SNARK is a cryptographic proof that allows one party to prove it possesses certain information without revealing that information.
    • This proof is made possible using a secret key created before the transaction takes place. It is used as part of the protocol for the cryptocurrency, Zcash.
Cons of ZK-SNARKs
For instance, if someone was able to access the private key that was used to create the parameters of the proof protocol, they could create false proofs that nonetheless looked valid to verifiers.
  • This would allow that person to create new tokens of Zcash through a counterfeiting process. In order to prevent this from happening, Zcash was designed in such a way as to make the proving protocols elaborate and spread out over multiple parties.
ZK-SNARKs require a trusted set up.
  • A trusted setup refers to the initial creation event of the keys that are used to create the proofs required for private transactions and the verification of those proofs.
  • Initially, when those keys are created, there is a hidden parameter linked between the verification key and the keys sending private transactions.
  • If the secrets used to create these keys in the trusted set up event are not destroyed, the secrets could be utilized to forge transactions by false verifications, giving the holder the ability to perform actions such as creating new tokens out of thin air and using them for transactions.
  • Because of the privacy features of zk-SNARKs, there would be no way to verify the tokens created out of thin air were actually created out of thin air. That being said, the trusted set up is only needed initially, not continuously.
They are not quantum resistant
  • Once quantum computing is largely available, the privacy technology behind SNARKs would be broken. Of course, supporters of SNARKs correctly point to the fact that we will have far more problems on our hands, such as the breaking of RSA and most wallet infrastructure, when quantum computers are utilized.
Examples
Key Takeaways
  • Zk-SNARK is a zero-knowledge proof protocol used in encryption, and is an acronym that stands for "Zero-Knowledge Succinct Non-Interactive Argument of Knowledge."
  • This proof was first developed and introduced in the late 1980s, and is now employed by the cryptocurrency Zcash to solve a perceived anonymity problem with Bitcoin-type blockchains.
  • Zk-SNARK proofs rely on an initial "trust system" setup that has been critiqued as an inherent security flaw.

ZK-STARKs

History and intro to ZK-STARKs
  • ZK-STARKs were created by Eli-Ben Sasson, a professor at the Technion-Israel Institute of Technology.
  • As an alternative version of ZK-SNARK proofs, ZK-STARKs are, generally, considered a more efficient variant of the technology - potentially faster and cheaper depending on the implementation.
  • But more importantly, zk-STARKs do not require an initial trusted setup (hence, the “T” for transparent).
What are ZK-STARKs?
  • ZK-STARKs (Zero-Knowledge Scalable Transparent Arguments of Knowledge) are a type of cryptographic proof technology that enables users to share validated data or perform computations with a third party without the data or computation being revealed to the third-party, also known as a zero-knowledge proof, in a way that is publicly verifiable.
  • In simpler terms, a zero-knowledge proof can prove something is true without having to reveal what exactly it is proving.
    • For example, ZK-STARKs would allow Alice to verify Bob's banking information using a zero-knowledge cryptographic proof instead of revealing the confidential information to Alice.
  • Prior to the creation of ZK-STARKs, ZK-SNARKs were used to create ZK proof systems, but required a trusted party or parties to initially setup the ZK proof system which introduced the vulnerability of those trusted parties compromising the privacy of the entire system.
    • ZK-STARKs improve upon this technology by removing the need for a trusted setup.
Why do ZK-STARKs not require an initial trusted setup?
  • Technically speaking, ZK-STARKs do no require an initial trusted setup because they rely on leaner cryptography through collision-resistant hash functions.
    • This approach also eliminates the number-theoretic assumptions of ZK-SNARKs that are computationally expensive and theoretically prone to attack by quantum computers.
  • In other terms, ZK-STARK proofs present a simpler structure in terms of cryptographic assumptions.
  • However, this novel technology comes with at least one major disadvantage: the size of the proofs is bigger when compared to ZK-SNARKs.
    • Such a difference in data size may present limitations depending on the context of use, but it is probably something that can be figured out as the technology is further tested and investigated.

ZK-SNARKs vs ZK-STARKs

tldr
  • A ZK-Snark (Zero-Knowledge Succinct Non-Interactive Argument of Knowledge) is a cryptographic proof used for various things like computation verification, anonymous cryptocurrencies (like Zcash), and authentication without passwords.
  • ZK-Starks (Zero-Knowledge Scalable Transparent Arguments of Knowledge) is a type of cryptographic proof that can prove something is true without revealing what exactly it is proving.
  • ZK-Snarks was created before ZK-Starks came along.
  • The main difference between ZK-SNARKs and ZK-STARKs is that a ZK-STARK uses collision resistant hash functions instead of elliptic curves.
  • ZK-STARKs are more scalable than ZK-SNARKs, and with Validiums, which store data off-chain, the gas ceiling that developers have had to deal with on L1s is effectively gone.
  • ZK-SNARKs require a trusted setup phase whereas ZK-STARKs use publicly verifiable randomness to create trustlessly verifiable computation systems.
  • ZK-STARKs are more scalable in terms of computational speed and size when compared to ZK-SNARKs.
  • ZK-SNARKs are vulnerable to attacks from quantum computers due to the cryptography they use. ZK-STARKs are currently quantum-resistant.
  • However, this novel technology comes with at least one major disadvantage: the size of the proofs in ZK-STARKs is bigger when compared to ZK-SNARKs.
    • Proof sizes are much larger in a ZK-STARK proof than a ZK-SNARK proof, and take longer to verify as well as cost more gas. This tradeoff is worth it, however, because the effective TPS and throughput ceiling is much higher than a ZK-SNARK.
  • A more in-depth comparison here
A simplified way of thinking this through
  • Zero Knowledge Proof is a system or concept
  • ZK-Rollups is an approach or technique to the Zero Knowledge Proof System
  • ZK-Rollups are often compared to Optimistic Rollups
  • ZK-Rollups use technology (a cryptographic proof) having integration using ZK-SNARKs or ZK-STARKs
Trusted Setups in ZK-SNARKs
Eliptic Curves
  • Elliptic Curve Cryptography (ECC) is a key-based technique for encrypting data. ECC focuses on pairs of public and private keys for decryption and encryption of web traffic.
  • ECC, an alternative technique to RSA, is a powerful cryptography approach. It generates security between key pairs for public key encryption by using the mathematics of elliptic curves.