ZK Rollups — the power of information and its security
Scalability and privacy guaranteed via mathematical models
Scalability on the Ethereum (ETH) network has been a point of contention within the cryptocurrency ecosystem for years, primarily due to high fees and network congestion during periods of peak demand.
During periods of high demand for the Ethereum network — such as the Crypto Kitties craze in 2017, DeFi summer in 2020, and the bull market at the beginning of 2021 — it results in extremely high gas fees, making it incredibly expensive for everyday users to pay for their transactions
The latest solution to emerge as the final fix to Ethereum’s scalability woes is zero-knowledge rollups (zk-Rollups), a form of scaling that runs computations off-chain and submits them on-chain via a validity proof.
Let’s see what we mean by that.
Scaling Ethereum
In general, there are 3 ways to scale Ethereum (and most other blockchains broadly speaking):
- LAYER 1 scaling aka scaling the Blockchain itself;
- LAYER 2 scaling aka building on top of layer 1;
- SIDECHAINS scaling or building on the side of layer 1.
When it comes to Layer 1, ETH2.0 is the chosen solution to scale the Ethereum blockchain.
ETH2.0 refers to a set of interconnected changes such as the migration from Proof-of-Work (PoW) to Proof-of-Stake (PoS) and sharding.
Sharding, in particular, can dramatically increase the throughput of the Ethereum network, especially when combined with ZK rollups.
Different settings have been tried so far with mixed solutions; on one hand, we have Layer 2 solutions — such as channels that are fully secure by Ethereum but work well only for a specific set of applications. On the other hand, we Sidechains, which can scale general-purpose applications but are less secure than layer 2 solutions by not relying on the security of Ethereum and instead of having their own consensus model.
Most rollups aim at achieving the best of these two worlds by creating a general-purpose scaling solution while still fully relying on the security of Ethereum.
This is the holy grail of scaling as it allows for deploying all the existing smart contracts on Ethereum to a rollup with little or no changes while not sacrificing security.
Zero Knowledge Proof (ZKP)
Researchers at MIT first started developing the concept of a zero-knowledge proof in the 1980s, and in 1985 the first zero-knowledge proofs were written about in a paper called “The Knowledge Complexity of Interactive Proof-Systems” by Shafi Goldwasser, Silvio Micali, and Charles Rackoff.
In cryptography, a zero-knowledge proof or zero-knowledge protocol is a method by which one party (the prover) can prove to another party (the verifier) that a given statement is true while the prover avoids conveying any additional information apart from the fact that the statement is indeed true.
Zero-knowledge techniques are, in sum, mathematical methods used to verify things without sharing or revealing underlying data. Think of a payment app checking whether you have enough money in your bank account to complete a transaction without finding out anything else about your balance. Or an app confirming a password’s validity without needing to directly process it. In this way, zero-knowledge proofs can help broker all sorts of sensitive agreements, transactions, and interactions in a more private and secure way.
Zero-knowledge proofs are indirect proofs allowing you to prove you know a secret without ever revealing the secret to anyone else. You prove only that you’re telling the truth.
Introducing the protagonists: provers and verifiers
In zero-knowledge proofs, the basic roles are the prover and verifier.:
- The PROVER must prove they know the secret and
- the VERIFIER must be able to verify the prover is telling the truth.
It works because the verifier asks the prover to do things that can only be done if the prover definitely knows the secret. If the prover is guessing, he or she will eventually be proven wrong by the verifier’s tests. If the secret is known, then the prover will pass the verifiers test every time without a problem. It’s like when a bank or institution asks you for letters of a known secret word to verify your identity. You’re not telling the bank what’s in your bank account, you’re merely telling them that you know the sequence of a given word.
How Rollups actually work?
The rollup scaling solution works by executing transactions outside of Layer 1 but posting transaction data back on Layer 1.
This allows the rollup to scale the network and still derive its security from the Ethereum consensus mechanism.
Moving computation off-chain allows for essentially processing more transactions in total as only some of the data of the transaction has to fit into the Ethereum blocks. To achieve this, rollup transactions are executed on a separate chain that can ever run a rollup-specific version of the EVM (or Ethereum Virtual Machine). The next step after executing transactions on a rollup is to “batch’ them together and post them to the main Ethereum chain;
the whole process in sum, execute transactions, takes the data, compresses it, and rolls it up to the main chain in a single batch, hence the name — a ROLLUP
Although this looks like a potentially good solution, there is a natural question that comes next:
“How does Ethereum know that the posted data is valid and wasn’t submitted by a bad actor trying to benefit themselves?”
The exact answer depends on a specific rollup implementation, but in general, each rollup deploys a set of smart contracts on Layer 1, that are responsible for processing deposits and withdrawals and verifying proofs.
Proofs are also where the main distinction between different types of rollups comes into play.
OPTIMISTIC Rollups
Optimistic rollups use fraud proofs while in contrast, ZK rollups use validity proofs.
Let’s explore these two types of rollups further:
Optimistic rollups post data to layer 1 and assume it’s correct hence the name “optimistic.”
If the posted data is valid, we are on the happy path, and nothing else has to be done. The optimistic rollup benefits from not having to do any additional work in the optimistic scenario.
In case of an invalid transaction, the system has to be able to identify it, recover the correct state, and penalize the party that submits such a transaction. To achieve this, optimistic rollups implement a dispute resolution system that is able to verify fraud proofs, detect fraudulent transactions, and disincentive bad actors from submitting other invalid transactions or incorrect fraud proofs. In most of the optimistic rollup implementations, the party that is able to submit batches of transactions to layer 1 has to provide a bond, usually in the form of ETH.
Any other network participant can submit a fraud proof if they spot an incorrect transaction. After a fraud-proof is submitted, the system enters the dispute resolution mode. In this mode, the suspicious transaction is executed again this time on the main Ethereum chain. If the execution proves that the transaction was indeed fraudulent, the party that submitted this transaction is punished, usually by having their bonded ETH slashed.
To prevent the bad actors from spamming the network with incorrect fraud proofs, the parties wishing to submit fraud proofs usually also have to provide a bond that can be subject to slashing.
In order to be able to execute a rollup transaction on layer 1, optimistic rollups have to implement a system that is able to replay a transaction with the exact state that was present when the transaction was originally executed on the rollup.
This is one of the complicated parts of optimistic rollups and is usually achieved by creating a separate manager contract that replaces certain function calls with a state from the rollup. It’s worth noting that the system can work as expected and detect fraud even if there is only 1 honest party that monitors the state of the rollup and submits fraud proofs if needed.
It’s also worth mentioning that because of the correct incentives within the rollup system, entering the dispute resolution process should be an exceptional situation and not something that happens all the time. When it comes to ZK rollups, there is no dispute resolution at all. This is possible by leveraging a clever piece of cryptography called Zero-Knowledge proofs hence the name ZK rollups. In this model, every batch posted to layer 1 includes a cryptographic proof called a ZK-SNARK. The proof can be quickly verified by the layer 1 contract when the transaction batch is submitted and invalid batches can be rejected straight away.
Sounds simple, right?
Maybe on the surface. In practice to make it work, multiple researchers spent countless hours iterating on these clever pieces of cryptography and math.
There are a few other differences between optimistic and ZK rollups, so let’s go through them one by one. Due to the nature of the dispute resolution process, optimistic rollups have to give enough time to all the network participants to submit the fraud proofs before finalizing a transaction on
layer 1.
This period is usually quite long to make sure that even in the worst-case scenario, fraudulent transactions can still be disputed. This obviously causes the withdrawals from optimistic rollups to be quite long as the users have to wait even as much as a week or two to be able to withdraw their funds back to layer 1.
Fortunately, there are a few projects that are working to improve this situation by providing fast “liquidity exists.” These projects offer almost instant withdrawals back to layer 1, another layer 2, or even a sidechain and charge a small fee for convenience. ZK rollups don’t have the problem of long withdrawals as the funds are available for withdrawals as soon as the rollup batch, together with validity proof, is submitted to layer 1.
So far, it looks like ZK rollups are just a better version of optimistic rollups, but they also come with a few drawbacks. Due to the complexity of the technology, it’s much harder to create an EVM-compatible ZK rollup which makes it more difficult to scale general-purpose applications without having to rewrite the application logic.
Saying this, ZKSync is making significant progress in this area and they might be able to launch an EVM-compatible ZK rollup quite soon. Optimistic rollups have a little bit of an easier time with the EVM compatibility. They still have to run their own version of the EVM with a few modifications, but 99% of contracts can be ported without making any changes.
ZK rollups are also way more computation-heavy than optimistic rollups.
This means that nodes that compute ZK proofs have to be high-spec machines, making it hard for other users to run them. When it comes to scaling improvements, both types of rollups should be able to scale Ethereum from around 15 to 45 transactions per second (depending on the transaction type) up to as many as 1000–4000 transactions per second.
It’s worth noting that it is possible to process even more transactions per second by offering more space for the rollup batches on layer 1. This is also why Eth2 can create a massive synergy with rollups as it increases the possible data availability space by creating multiple shards - each one of them able to store a significant amount of data. The combination of Eth2 and rollups could bring Ethereum transaction speed up to as many as 100k transactions per second.
ARBITRUM
Now, let’s talk about all the different projects working on both optimistic and ZK rollups.
Optimism and Arbitrum are currently the most popular options when it comes to optimistic rollups.
Optimism has been partially rolled out to the Ethereum mainnet with a limited set of partners such as Synthetix or Uniswap to ensure that the technology works as expected before the full launch.
Arbitrum already deployed its version to the mainnet and started onboarding different projects into its ecosystem. Instead of allowing only limited partners to be able to deploy their protocols first, they decided to give a window of time for all protocols that want to launch on their rollups. When this period of time is finished, they will open the flood gates to all the users in one go.
Some of the most notable projects launching on Arbitrum are Uniswap, Sushi, Bancor, Augur, Chainlink, Aave and many more.
Arbitrum has also recent partnership with Reddit. They’ll be focusing on launching a separate rollup chain that will allow Reddit to scale their reward system. Optimism is partnering with MakerDAO to create the Optimism Dai Bridge and enable fast withdrawals of DAI and other tokens back to layer 1.
OPTIMISM and ARBITRUM comparison
Although both Arbitrum and Optimism try to achieve the same goal — building an EVM-compatible optimistic rollups solution — there are a few differences in their design.
Arbitrum has a different dispute resolution model. Instead of rerunning a whole transaction on layer 1 to verify if the fraud proof is valid, they have come up with an interactive multi-round model which allows narrowing down the scope of the dispute and potentially executes only a few instructions on layer 1 to check if a suspicious transaction is valid. This also resulted in a nice side effect where smart contracts deployed on Arbitrum can be larger than the maximum allowed contract size on Ethereum.
Arbitrum will be initially running a sequencer that is responsible for ordering transactions, but they want to decentralize it in the long run. Optimism prefers another approach where the ordering of transactions and can be auctioned off to other parties for a certain period of time. It’s also worth mentioning a few other projects working on optimistic rollups. Fuel, the OMG team with OMGX and Cartesi to name a few.
Most of them try to also work on an EVM-compatible version of their rollups.
Although it looks like the Ethereum community is mostly focusing on optimistic rollups, at least in the short run, let’s not forget that the projects working on ZK rollups are also progressing extremely quickly. With ZK rollups, we have a few options available. Loopring uses ZK rollup technology to scale its exchange and payment protocol. Hermez and ZKTube are working on scaling payments using ZK rollups, with Hermez also building an EMV-compatible ZK rollup. Aztec is focusing on bringing privacy features to their ZK rollup technology, while StarkWare-based rollups are already extensively used by projects such as DeversiFi, Immutable X, and dYdX.
Rollups should also have a big impact on DeFi. Users who were previously not able to transact on Ethereum due to high transaction fees will be able to stay in the ecosystem the next time the network activity is high. They will also enable a new breed of applications that require cheaper transactions and faster confirmation time. All of this while being fully secured by the Ethereum consensus. It looks like rollups may trigger another high growth period for DeFi.
There are however a few challenges when it comes to rollups.
Composability is one of them. In order to compose a transaction that uses multiple protocols, all of them would have to be deployed on the same rollup.
Another challenge is fractured liquidity. For example, without the new money coming into the Ethereum ecosystem as a whole, the existing liquidity present on layer 1 in protocols such as Uniswap or Aave will be shared between layer 1 and multiple rollup implementations. Lower liquidity usually means higher slippage and worse trade execution.
This also means that naturally there will be winners and losers.
At the moment, the existing Ethereum ecosystem is not big enough to make use of all scaling solutions.
This may and probably will change in the long run, but in the short run, we may see some of the rollups, and other scaling solutions, becoming ghost towns.
In the future, we may also see users living entirely within one rollup ecosystem and not interacting with the main Ethereum chain and other scaling solutions for long periods of time. This could be particularly visible if we’re going to see more centralized exchanges enabling direct deposits and withdrawals to and from rollups. Nevertheless, rollups seem like the ultimate strategy for scaling Ethereum, and the challenges will be most likely mitigated in one way or another.
A threat to sidechains?
One question that comes up very often when discussing rollups is if they are a threat to sidechains.
Personally, I think that sidechains will still have their place in the Ethereum ecosystem. This is because, although the cost of transactions on Layer 2 will be much lower than on Layer 1, it will most likely still be high enough to price out certain types of applications such as games and other high-volume apps.
This may change when Ethereum introduces sharding, but by then, sidechains may create enough network effect to survive long term. It will be interesting to see how this plays out in the future, and also, the fees on rollups are higher than on sidechains because each rollup batch still has to pay for the Ethereum block space.
It’s worth remembering that the Ethereum community puts a huge focus on rollups in the Ethereum scaling strategy — at least in the short to mid-term and potentially even longer.
Further interesting reading about rollups on Vitalik Buterin’s post on a rollup-centric Ethereum
Decentralization and Security are the keys
On centralized platforms like Facebook, Amazon, and Google, our data is sold for profit in an effort to manipulate our behavior through advertising. On completely open blockchain networks, all our activities are recorded and public hence why ZK-Rollups are so important: they are about to change the way the crypto community uses Ethereum.
As high-speed, low-cost networks like zkSync and StarkNet materialize, transactions on Ethereum mainnet will increasingly be outsourced to Layer 2. This should allow Ethereum to move closer to its vision of becoming a scalable, secure, and decentralized blockchain network, offering a public and transparent network that protects people from the snoopers, peepers, and creepers of our digital age.
For updates & the latest news and analysis — follow me on Twitter @FilandroMi
Extra Resources:
- Uncovering Ethereum:
https://medium.com/the-capital/beyond-the-skies-of-ether-54a4a9976c44 - WEB 3 — the next evolution of the Internet:
https://medium.com/the-capital/web-3-0-the-next-evolutionary-step-of-the-internet-fc6146202a90 - The Blockchain-powered Tokenized Economy:
https://medium.com/the-capital/the-token-economy-771cce54955e
Check out our new platform 👉 https://thecapital.io/