Zero-Knowledge’s Current State of Play
This article is the third in the series of articles exploring Zero-Knowledge Proofs (ZKPs) (first and second here) we’re publishing here at the Occam DAO. In this third article, we’re going to discuss all of the many different ZKP protocols that were outlined in the previous articles.
In the case of the protocols outlined below, the Zero-Knowledge technology sees its application in the realms of privacy and scalability. The privacy application context is rather evident, and to quote Vitalik: “You can prove that you have the right to transfer some asset (you received it, and you didn’t already transfer it) without revealing the link to which asset you received”. This mechanism guarantees security without the need to unnecessarily release information concerning the transacting parties, especially to the public or institutions. In the second context, scalability takes the form of a delegated verification process of sorts; depending on the contents of a block it can take a long time to verify, so one person can verify a block, produce a (zero-knowledge) proof and then the rest of the validators can instead quickly verify that and move on.
We’ll kick off today’s discussion on ZKP protocols with arguably the one that started it all, ZCash!
As a refresher, let’s remind ourselves of ZCash’s affiliation with the world of Zero-Knowledge (which heavily focuses on the privacy context of ZKPs). Back in early 2021, ZIP-224 was introduced, which set out the path forward for the transition to the Electrico Coin Company’s (foundation behind $ZEC) HALO-2. HALO-2 is a significant capabilities increase for ZCash as it does away with “trusted setups,” thereby reducing protocol attack vectors and adding greater assurance of $ZEC supply integrity.
This effort began back in 2021 and has since been completed during Network Upgrade 5 in May of 2022. NU5 introduced the Orchard Shielded Payment Protocol, which utilizes HALO-2. ZCash’s privacy guarantee is built on the notion that shielded transactions in ZCash can be fully encrypted on its blockchain while maintaining verifiability under the ZCash consensus rules via the ZK-Snark proofs.
Within the past few months ZCash has become more in vogue, the Tornado Cash controversy which saw the US Treasury Department imposing sanctions on the currency mixer has spiked up conversations around “privacy coins” (exchanges such as Houbi going so far as to delist assets like $ZEC). While fighting the FUD surrounding Tornado Cash, the Electric Coin Company continues to highlight its work with “our partner network in these endeavors includes think tanks, academic research centers, and nonprofits that provide thought leadership and advocacy for issues that affect Zcash users”. So they’re definitely taking a more proactive approach to halt the US government’s advance on this stringent regulation of cryptos.
Continuing to build on the innovation of their Network Upgrade 5, the Electric Coin Company has announced the “ZCash Posterity Fund” and their research efforts towards potentially transitioning ZCash from a Proof-of-Work system to a Proof-of-Stake system, much like Ethereum has recently accomplished. The ZPF concerns the modification of the $ZEC issuance schedule in an effort to improve the long-term financial sustainability of the network, while also maintaining the 21M $ZEC supply cap and current issuance rate. ZCash hasn’t explicitly committed to going forward with a PoS transition, merely, it has been investing a fair share of manpower and other resources into investigating what a PoS ZCash would look like.
While certainly there isn’t anything too flashy going on with ZCash, their team is definitely continuing to put in the hard work to ensure ZCash continues to have a place within the cryptocurrency ecosystem, and depending on their findings on PoS, we may see a ZCash Merge sometime soon!
Moving onto our friends at $MINA, we’ll begin with a quick refresher! The Mina Protocol bills itself as: “[The] world’s lightest blockchain, powered by participants. Using zero-knowledge technology, Mina is creating the infrastructure for the secure, democratic future we all deserve”. The protocol features a very small total blockchain size, ~22kB specifically, that makes it accessible for mobile and desktop users. Bringing the focus back to ZKPs: “Mina dramatically reduces the amount of data each user needs to download. Instead of verifying the entire chain from the beginning of time, participants fully verify the network and transactions using recursive zero-knowledge proofs (or zk-SNARKs).” Mina’s application of ZKPs is clearly within the realm of scalability more so than privacy.
On Mina, zkApps execute off-chain, privately in a user’s web browser, and generate said zero-knowledge proof. When a user sends a zkApp transaction containing this proof to the Mina network, the zkApp account on Mina will only accept the transaction if the proof is valid, indicating the user ran the computation expected for this smart contract. If it is valid, then the transaction is accepted and any state that the developer has chosen to store on-chain is updated.
All other private inputs from the user are never sent to or seen by the network. A developer must explicitly indicate which data they want to be public in order for it to be stored on-chain. In this way, the user’s privacy can be maintained, the network remains highly scalable due to off-chain computation, and developers have powerful smart contracts with unlimited off-chain computation that support both private data inputs and optional public state!
The Mina Protocol has been making quite good use of the ongoing bear market, making important new hires: a former PM for IOHK, a Performance and Optimization PhD., the new Head of People, and a new COO from the famous Facebook DIEM project, among many others. Mina has been going on a people and staffing hunt and based on these recent accounts, it’s doing a fairly good job!
The protocol was also able to secure a series of private and strategic sales to the tune of $92M led by FTX Ventures and others. Moreover, “Mina’s raise represents FTX Ventures’ first major backing of zero knowledge smart contract technology, reflecting the crypto industry’s increased focus on bringing zero knowledge-based apps to Web3 to ensure user privacy and end-to-end security”. This extra funding cushion should also help ensure Mina is going to be capable of competing with the many other ZKP projects building their own ecosystems and will likely be deployed in a much more active way as we eventually progress into the next bull cycle.
Mina partnered with AMD and other leading ZKP ecosystems in sponsoring a $7M challenge centered around cultivating more projects and applications utilizing ZKPs. This is in line with their focus on zkApps, “Mina’s zero knowledge smart contracts,” and increasing interoperability with Ethereum. They’re working to include token standards like Ethereum’s ERC20, develop their zkApp ease of programmability, and eventually zkOracles. All of these efforts will surely increase Mina’s attractiveness within the industry as a go-to destination for an ecosystem centered around native ZKPs.
Starting with the Ethereum side of the house let’s take a look at Loopring! Loopring is a zkRollup, “a layer 2 scalability solution,” that “provides a low-fee, high-speed platform for trading, swapping, liquidity providing, and payments — without sacrificing Ethereum security at all”. The rollup’s goal is to build and deploy the best zkRollup exchange and payment solution for Ethereum; the DEX aspect of $LRC currently features “as high as 2,025 trades per second, with the cost per transaction reduced to as little as 1/100th the cost on Ethereum,” and while Loopring inherits the privacy aspects of ZKPs, their focus is much more on the scalability improvements, hence their emphasis on speed and trades per second.
Loopring’s zkRollup architecture is built upon zkSNARKs. Quoting Vitalik Buterin: “[Within Loopring’s architecture] there are two classes of user: (i) transactor, and (ii) relayer. A relayer takes a set of operations from transactors, combines them all into a transaction and makes a ZK-SNARK to prove the validity, and publishes the ZK-SNARK and the transaction data in a highly compressed form to the blockchain. A relayer gets rewarded for this by transaction fees from transactors.”
With all of this in mind, Loopring has developed a battle-tested, efficient DEX over the past few years and they are now looking to expand their mission set. Having deployed functionality for NFTs on their L2, around this time last year, Loopring made other headline news with the announcement of their partnership with GameStop; specifically, Loopring’s L2 will be the foundation upon which GameStop’s NFT marketplace is to be deployed. The GameStop beta went live back in April of ’22 but, since July, has gone live and is fully operational in a live production environment.
Very recently in the middle of August, Loopring announced the start of their DAO voting; their voting will support Ethereum L1 and Loopring L2 venues for $LRC holders. This voting marks a continued advance towards further decentralization within the $LRC protocol and the voting, taking place quarterly, will decide which liquidity providers will be incentivized by Loopring protocol fees. Voters will decide which major pools will be allocated with the extra rewards generated by the various fees on Loopring. Then, at the end of August, Loopring introduced $ETH staking in conjunction with LIDO, allowing users to supply $ETH via Loopring in return for $wstETH and allowing Loopring-ers to easily interface with this major $ETH staking protocol.
Finally, Loopring released a look-ahead of sorts; they reiterated their dedication to financial freedom and self-sovereignty and more importantly outlined three areas of focus. The first is their efforts to release and optimize the Loopring Mobile wallet, which would drastically increase the accessibility of Ethereum’s zkRollup realm to the vast population of mobile users. Secondly, the team will be releasing and open-sourcing the code of the upcoming Loopring NFT marketplace to help builders develop their own projects and NFT toolings. Third, Loopring intends to “integrate more DeFi products onto L2, enabling greater access to investment opportunities from across the Ethereum ecosystem.”
Loopring’s mandate is obvious; they’ve made a high-functioning and quality DEX product, netted major partnerships with well-known successful companies, and are now looking to improve their suite of products and introduce more people to the world of Ethereum zkRollups!
Zooming into Starkware, we remember that the most developed product within their product suite is StarkEx. StarkEx supported DyDx (past tense as the exchange has since moved to Cosmos), Sorare, Immutable X, and the Celer Bridge, among others. StarkEx is Starkware’s all-in-one STARK operational kit which is the forerunner to the main offering, which just entered its alpha testing — StarkNet. StarkNet is the decentralized ZK-rollup built as an Ethereum L2 and written in Cairo. Cairo is StarkWare’s specific language for creating “STARK-provable programs” but it is still a general purpose turing complete language. Moreover, Cairo currently powers their StarkEx engines and is now the native language of StarkNet. Starkware’s robust suite of products all place heavy emphasis on the scalability enhancements enabled by STARKs; this speed and finality is all present in their partners utilizing Starkware tech.
Before we continue any further, another refresher is in order! The cool property of STARKs, compared to the predominantly used SNARKs, is that they can run generalized proofs because they do not need an application-specific trusted setup. This allows batching proofs for various applications together. The disadvantage is that the verification of each individual proof is computationally more expensive because it scales with a run time of O(poly-log(N)).
With the major pieces of the ecosystem out of the way, StarkWare announced, literally last week, the next major release of their Cairo lang, Version 1.0, which is built on a specific feature: Sierra: Safe Intermediate Representation. Sierra adds further “Future-proof[ability]” and stability as the contracts won’t need recompiling due to underlying physical hardware/software improvements. Sierra then ensures that a “Cairo run will never fail,” only ever resulting in a True or False.
This release of Sierra then coincides with StarkNet’s regenesis event: “The existing StarkNet Alpha will run for as long as necessary. In parallel, we will deploy a new leaner version of StarkNet Alpha that will start afresh, with a new state. This means that in the new instance all the contracts and accounts will need to be redeployed and assets will need to be migrated from the old StarkNet Alpha to the new one.”
While there is a focus on the regenesis event, continued development of the underlying technology, StarkNet, is ongoing. With the most recent release of version 0.10.0, continued work is underway on StarkNet in preparation for their eventual full release. This also ties into the release of Recursive STARKs on both StarkEx and StarkNet. These STARKs enhance the scaling of both offerings, all with a “single proof”. More importantly, “the development of the Recursive Verifier statement in Cairo also opens up the possibility of submitting proofs to StarkNet, as that statement can be baked into a StarkNet smart contract. This allows building L3 deployments on top of the public StarkNet (an L2 network).”
The StarkWare team certainly has their work cut out for them! Their ecosystem is continuing to expand on StarkNet as more and more DeFi and NFT offerings continue to make their way onto the L2. The team is pushing the boundaries of innovation with improvements to their smart-contract language, both their scaling solutions and even looking to L3 and beyond!
Moving on to another Ethereum ZK-rollup, the Aztec team released zk.money in 2021. Sidenote: Aztec are one of the great pioneers of SNARKS as they developed the original PLONK paper that made SNARKs viable! The app is an L2 privacy app deployed on top of the Aztec network where users are able to shield their transactions via Aztec’s zkSNARK tech. Batching transactions through zk.money saves users multiple magnitudes in overall transaction fees while also ensuring their privacy is preserved (though the protocol could potentially be targeted in the future similar to how Tornado Cash was taken down) in the process. Zk.money has been continually improved since its launch and now supports interactions with major Ethereum DeFi players: AAVE, Uniswap, Compound, and Ribbon, among others. Zk.money’s mission statement was also recently expanded, in tandem with the release of Aztec Connect, to become a private DeFi aggregator, more than its original payments platform mission. Aztec and zk.money fall into the privacy camp of ZKP applications; their projects, while still being rather fast, are more so geared to audiences intent on protecting their privacy while navigating Web3.
Then in early July, Aztec Connect was announced and billed as “Aztec’s private DeFi ZK-rollup.” Aztec Connect is an “SDK [designed for] any Ethereum protocol to be integrated into Aztec’s private rollup with a simple Solidity interface and front-end SDK.” Aztec Connect is a decentralized zero-knowledge network, built with the UTXO accounting model — similar to Bitcoin’s architecture. “Aztec Connect enables anyone to add privacy to Ethereum applications with two easy-to-use tools: Bridge Contracts: interfaces connecting Ethereum smart contracts to Aztec’s rollup. SDK: a front-end toolkit enabling beautiful, seamless web interfaces to access Aztec Connect.”
Aztec Connect can be understood as a VPN; developers can utilize Aztec’s rollup contract as a proxy for interacting with native Ethereum services from within the Aztec Network. The encrypted instructions are passed to Aztec’s rollup contract on Layer 1, which then executes said commands. Additionally, Aztec is able to batch transactions and reduce user fees to sizes on the order of 1/16 to 1/100 of the traditional transaction cost, depending on batch size (similar to how zk.money batches transactions). The batching mechanism comes as a double-edged sword; users need to wait until the batch is processed (when the batch is full of transactions and at least every four hours) or pay a premium to process the whole batch immediately to see transactions finalized.
Looking ahead, Aztec Network is preparing to deploy Noir into late ’22 and beyond. Noir will be Aztec’s “programmable private smart contract platform secured by zkSNARKs,” all of it coded in Aztec’s Rust-based programming language. Noir will be Aztec’s own solution to zkSNARK natively supported smart contracts and will allow for seamless construction of privacy-preserving zero-knowledge circuits.
Reminding ourselves of zkSync’s work, they released their version 1.0 in 2020 on Ethereum mainnet, which supported up to ~300 TPS. The initial 1.0 and 1.1 versions are trustless L2 ZK-rollups on Ethereum. Version 1.1, which came at the behest of the Great Reddit Scaling Bakeoff, saw the addition of several major pieces: implementation of recursive ZK proofs, added support for automatic recurring payments (subscriptions), enabled transactions for batching and paying fees in a separate token, and made burning and minting tokens possible inside zkSync. zkSync is another Layer 2 which will support a whole ecosystem dApps, DeFi, guilds, and other typical Web3 entities. zkSync straddles the line a bit more than some of their peers, while marketing and focusing development on the scalability of the protocol first and foremost, they’ve built on the ZKP technology; they’ve certainly left room in the future for the eventual inclusion of the privacy features enabled by ZKP technology.
zkSync rolls up all transactions that occur on the network into a single block via SNARKs that is then verified by the network’s validators. SNARK verification is much cheaper than verifying every transaction individually, and storing the state off-chain is significantly cheaper than storing it on EVM. Hence enabling a huge boost of scalability (~100–200x mainnet capacity) and tx cost savings.
Coming off the back of several successful funding rounds and raises in late ’21, most notably by Andreessen Horowitz, the Matter Labs team has been working at full steam ahead preparing to deploy the zkSync 2.0 mainnet. With less than 50 days to go (at the time of writing), zkSync 2.0 is nearly bringing a host of features. The ZK-rollup will be EVM (though currently, it isn’t) and Web3 compatible, native support for Solidity and Vyper, inheritance of full Ethereum security, and higher TPS at lower overall gas costs.
As the project heads into October and November of this year, they’ll begin project onboarding, working with their ecosystem partners to onboard them from Ethereum and zkSync 1.0 to 2.0. Then they’ll launch the mainnet, without any live projects, putting the rollup through a series of “real-money stress tests” to ensure security and operational capabilities. Following the mainnet testing, they’ll begin onboarding all projects from the registration phase with a focus on ensuring that all projects have a solid onboarding experience. Finally, at the end of ’22, the mainnet will be completely open to the public with all users and developers having access to use, interact with and build on the rollup.
The Matter Labs team is in the final stages of launching zkSync 2.0 and with a plethora of projects looking to migrate to their rollup, things are definitely heating up for them, and they’re even managing to hint (at the bottom of the article) about the coming zkSync 3.0!
Polygon has quite the selection of potential ZK candidates and we commend their substantial efforts at pressing forward all of the research efforts around ZK — we’ll begin with Polygon Zero! Polygon Zero is built with Plonky2, a recursive SNARK that is 100x faster than existing alternatives and natively compatible with Ethereum. Polygon Zero is designed as a high-throughput “fully compatible EVM” which is among the fastest offerings in the realm of ZK-rollups on the market. As you’ll come to see, Polygon’s suite of ZK offerings runs the gamut in terms of privacy and scalability. Both Hermez and Zero focus on scalability primarily, while Miden and Nightfall focus on more privacy based applications.
Polygon’s Miden is the next ZK construct borne out of the Polygon team and is designed as a general-purpose ZK-rollup based on ZK-STARKs. Miden features the Miden-VM, a Turing-complete STARK-based virtual machine that provides a level of safety and supports advanced features currently not available on Ethereum. Miden is a fully-open source community-driven development platform. Most importantly, Miden supports arbitrary smart contracts written in Solidity and other languages.
Polygon’s zkEVM is also known as Hermez. “Polygon zkEVM, henceforth zkEVM, is a decentralized Ethereum Layer 2 scalability solution utilizing cryptographic zero-knowledge technology in order to provide validation and fast finality of off-chain transaction computations. It has been designed and developed to emulate the Ethereum Virtual Machine (EVM) by recreating all existing EVM opcodes for the transparent deployment of existing Ethereum smart contracts.” Though something to keep in mind, the outstanding property of a zkEVM is going to be complete EVM opcode parity. This has not been achieved by other teams because some EVM opcodes are difficult to simulate efficiently in ZK proofs.
Lastly, Polygon is developing their Nightfall solution, which is an interesting hybrid ZK-Optimistic rollup and is specifically designed to lower the cost of privately transferring ERC20, ERC721, and ERC1155 tokens. Considering the rest of Polygon’s offerings, Nightfall differs dramatically as “a privacy-focused rollup designed for enterprise use cases by combining the concepts of optimistic rollups and Zero-Knowledge (ZK) cryptography to offer private and scalable transactions.”
Scroll is the final piece of the “zkEVM” puzzle for Ethereum and is currently preparing to head into its testnet phase, having moved through its first primary phase: Scroll’s Proof-of-Concept. Scroll has been working with the Privacy and Scaling Explorations group from the Ethereum foundation and has released the pre-alpha version of Scroll for public external testers. Important to note is that Scroll differs from other zkRollups in that they create zkCircuits for each EVM opcode in an effort to achieve this aforementioned EVM opcode parity. While Scroll is working with Etherum’s PSE group, their focus (based on the current available documentation) is on scaling at the moment, but I wouldn’t rule out the introduction of privacy aspects sometime in their future roadmap or developments.
zkCircuits refer to the “program representation used in zero-knowledge proofs. For example, if you want to prove hash(x) = y, you need to re-write the hash function using the circuit form. The circuit form only supports very limited expressions (i.e., R1CS only supports addition and multiplication). So, it’s very hard to write a program using the circuit language — you have to build all your program logic (including if, else, loop, and so on) using add and mul.”
ZK Virtual Machine Architecture
This pre-alpha testnet release marks an important milestone for the Scroll team as they move towards deploying a more open and permissionless alpha testnet (which will be deployed on a public Ethereum testnet). This next version of the Scroll testnet will support developers deploying their own smart contracts, anyone being capable of running a Scroll archival node and the generation and aggregation of more pieces of their zkEVM proof to be verified on-chain.
Scroll’s unique zkEVM setup places an outsized emphasis on its Rollers who function in the “Roller network, a permissionless and decentralized network of provers who generate proofs for Scroll Layer 2 blocks.” Scroll’s Roller Network has two major technical benefits; first, their proving infrastructure is highly parallelizable. This means that Scroll is able to massively scale proving compute simply by adding more proving nodes. Secondly, the community will be incentivized to build substantially better hardware solutions and run provers themselves instead of relying only on the Scroll team in a centralized way.
To bootstrap in the initial phase of the Scroll network, the team is building GPU prover solutions internally which will be open-sourced for public usage. As this matures, they are exploring ASIC and FPGA solutions with several hardware companies. In the long run, the team is looking forward to the vibrant competition in this domain and firmly believe that latency and cost for proof generation will decrease exponentially.
Scroll’s team is very hard at work behind the scenes building and is a welcome addition to Ethereum’s field of ZK-rollups. Their recent post on the architecture of Scroll adds much needed information to what Scroll brings to the world of ZK-rollups.
Through this multipart article series, we’ve explored the history of ZKPs, the major milestones leading up to their adoption within the cryptocurrency industry, and now the important players within the ZKP realm. As it stands right now, Ethereum and its many L2s hold the vast majority of building efforts that are currently utilizing ZKPs, but protocols like ZCash and Mina are certainly making important strides in advancing the tech outside of the realm of Ethereum and ZK-rollups.
The world of ZKPs and cryptocurrencies is experiencing a revival before our very eyes and its importance is only continuing to grow as more and more folks enter the space. This revival is very fast moving, which is saying something because Cryptocurrencies are already a high speed and high risk industry(!), and considering this trajectory, it will soon be efficient and capable enough to become the favorable roll-up solution, out-competing optimistic ones. ZKP technology will be a core, foundational, building block for many applications (on Ethereum and elsewhere) leveraging scalability, speed and privacy.