An article to understand zkEVM, the key to Ethereum scaling
On the early morning of September 1, Arbitrum, the Ethereum Layer 2 (L2) scaling network, announced that the public beta version of its mainnet was officially launched. Meanwhile, Optimism had already been open for some time to selected whitelist applications. This marked the official launch of the Optimistic Rollup, one of the Ethereum L2 scaling solutions. Indeed, this is the season of L2s.
While Optimistic Rollups such as Arbitrum and Optimism take the limelight, let’s shine a light on another of the L2 scaling solutions, zk Rollup:
The past month or so has seen some key developments. First, zkSync announced that it was delaying the launch of its version 2.0 on August 31. Based on zkEVM, zkSync 2.0 is expected to become the first zk Rollup compatible with EVM;
Then, on August 13, Polygon announced the acquisition of Hermez, an Ethereum Layer 2 scaling solution for $250 million, whose core technology is its zkEVM solution;
Also on August 13, the Ethereum Foundation stated in a regular update announcement on research and development progress that it had been funding a team to work on zkEVM in the past few months.
As we know, when comparing the two scaling solutions of Optimistic and ZK Rollups, Vitalik Buterin has opined that Optimistic Rollups will probably win in the short term for general purpose EVM calculations. But in the long term, ZK rollups will win in all scenarios with the improvement of ZK-SNARK technology. The so-called ‘Improvements in ZK-SNARK technology’ mainly refers to the success of zkEVM.
Increasingly, we are seeing that zkEVM has become the key to scaling Ethereum. We hope that this article will help you understand the basic principles and development status of zkEVM.
The role of zkEVM
To figure out the role of zkEVM, we need some background knowledge.
Let’s start with Ethereum which is, in essence, a transaction-based state machine. In computer science, a state machine is a machine that transitions from an old state to a new state by reading a series of inputs.
Starting from the genesis state, Ethereum transitioned through block after block of transactions to the current state of Ethereum. The state contained all account addresses and their mapped account states.
Among them, the EVM, or The Ethereum Virtual Machine, is responsible for processing transactions. The EVM operates as a stack machine, where the programmer writes code in a high-level language such as Solidity, which is then compiled into EVM bytecode that the EVM understands. The EVM performs standard stack operations as various EVM opcodes which eventually produces a new state.
And now comes the problem. We know that the zk Rollup solution needs to generate zero-knowledge proofs for transactions on L2 and pass them back to L1 for verification. To generate zero-knowledge proofs, the processing of the transactions needs to conform to the zk circuit proof specification. And at the beginning of the EVM design, the designers did not consider supporting zero-knowledge proofs (it was 6 or 7 years ago and zero-knowledge proofs were not on the minds of most people). Thus we need zkEVMS. Technically, the meaning of zkEVM is:
A virtual machine that runs on the zk Rollup network, is EVM-compatible and zero-knowledge proof friendly.
Two implementation strategies
For zkEVM, there are currently two main implementation strategies.
- Direct support for the existing set of EVM opcodes, which is fully compatible with the set of Solidity opcodes. Those using this solution include Hermez and the Ethereum Foundation zkEVM.
- Maintaining Solidity compatibility by designing a new virtual machine that is zero-knowledge proof-friendly and adapting EVM development tools. This solution is mainly used by zkSync;
For the first strategy, since it fully supports the existing set of EVM opcodes and uses the same compiler as EVM, it is naturally fully compatible with the existing ecosystem and development tools, and also inherits the security model of Ethereum better.
For the second strategy, it is not bound by the original set of EVM opcodes, so it is more flexible to compile the code into a more zero-knowledge proof-friendly set of opcodes. It is also free from the hard and heavy work required to be compatible with all of the original set of EVM opcodes.
Overall, the first strategy is more compatible and safer, but with more work; the second strategy is more flexible and less work, but extra effort in adaptation is required.
Comparison of the main solutions
Hermez uses the first strategy, which translates the entire set of EVM opcodes into micro opcodes.
It is well known that there are some variable EVM opcodes, such as CALL, EXP, CREATE, etc., which are inherently unfriendly to zk circuit proofs, and the logic of these opcodes can be expressed in a more friendly way using micro opcodes. The micro opcodes are executed in uVM, which uses a large number of cryptographic tools to achieve zk completion, and uses the Plookup algorithm to improve proof and verification efficiency.
Another highlight of the implementation of Hermez zkEVM is that it uses two proof systems at the same time, specifically generating a STARK proof and then using PLONK or Groth16 to generate a proof of the STARK proof and verify it on L1, which is like a proof of the proof. The reason for this is that while STARK is excellent, the proof size is large and the cost of verification on the chain is high, while Groth16 or PLONK has a smaller proof size and faster verification speed. This combination of the two, each with its strengths, is easy to think of as a scenario where asymmetric and symmetric encryption algorithms are used in combination.
Like Hermez, AppliedZKP zkEVM uses the first strategy.
AppliedZKP uses the Bus Mapping idea to separate storage and computation. Based on the correct storage data extracted by Bus Mapping, the State proof proves the consistency of the data, and the EVM proof proves the correctness of the calculation logic.
The specific process is as follows.
1. The EVM reads the required relevant state via Bus Mapping. The state consists of Storage, Memory, and Stack.
2. The EVM executes the opcode.
3. The EVM writes back the new state via Bus Mapping.
4. State proof is responsible for the consistency and correctness of the Bus Mapping read and write data, and the EVM proof is responsible for the correctness of the execution of EVM opcodes.
Unlike Hermez and AppliedZKP, zkSync chose the second strategy. zkSync’s zkEVM is not a replica of EVM but is newly designed to run 99% of Solidity contracts and ensure that it works properly under a variety of conditions (including rollbacks and exceptions). At the same time, zkEVM can be used to efficiently generate zero-knowledge proofs in the circuit.
zkSync EVM uses TinyRAM to implement the common set of opcodes, while opcodes that consume a lot of gas, such as SHA256 and keccak, will implement its circuit especially, and finally uses recursive aggregation technology to aggregate all proofs into one for improved efficiency.
zkSync has also developed two compiler front-ends for zkEVM: Yul and Zinc. Yul is a micro Solidity representation that can be compiled into bytecode for different back-ends; Zinc is a language based on Rust for smart contracts and general purpose zero-knowledge proof circuits. This gives developers greater choice.
Also, when building its compiler, zkSync chose LLVM, the most advanced compiler framework for producing industrial-grade products, to ensure that the compiler is sufficiently complete and has all the classic optimizations.
Outlook for the future
We see that zkEVM technology is maturing with the continued efforts of several outstanding teams, and will be implemented in about six months when the EVM-compatible zk Rollup scaling solutions blossom.
Today, blockchain technology is entering an unprecedented era of great controversy. From the battle of public chains to the battle of Ethereum scaling solutions, even to a specific scaling solution, different projects are competing, catching up, and surpassing one another, with huge real world impact not too far away. We are very fortunate to be in the most vibrant era of blockchain technology.
1. How does Ethereum work, anyway?
2. zkSync 2.0: Hello Ethereum!
3. Episode 175: zkEVM & zkPorter with Matter Labs
4. Episode 194: zkEVM with Jordi & David from Hermez
5. Exploring Popular zkEVM Solutions: AppliedZKP, Matter Labs, Hermez, and Sin7Y