Open in app

Sign in

Write

Sign in

Layer2 Key Component- An Analysis of Recursive Zero-knowledge Proof

ZKBase
ZKBase
Published in
6 min readApr 12, 2021

Among all Layer 2 solutions, ZK-Rollup is highly recommended for its data availability and same-level security as Layer 1.

ZK-Rollup treats one block as a processing unit, using zero-knowledge proof to verify the validity of the world state changes caused by the block, hence reducing the per-transaction cost of going on-chain while increasing the throughput.

However, in actual implementation, researchers found that the scalability brought by a simple ZK-Rollup scheme could not meet the needs in real use cases. This is caused by many factors, such as the limitation of circuit parameters, and the efficiency of the zero-knowledge proof algorithm. Researchers have made a lot of efforts to improve, such as optimizing the zero-knowledge proof algorithm, using powerful computation servers, and optimizing circuit scale. Although those efforts have brought incremental improvements, there is still a long way to go.

Aggregation Proof and its Limitations

From the researcher's perspective, the more transactions can be processed on-chain at one time, the better. Towards this goal, researchers first discovered Aggregation Proof, which ZKSwap has adopted in its ZKSpeed ​​Protocol. We have introduced the design principle of Aggregation Proof in our previous articles. Simply put, it is to aggregate the proofs of multiple blocks into one proof so that the on-chain verification of multiple blocks can be completed at one time. The average cost of the transaction is greatly reduced, and the principle is shown in the figure below:

Although this scheme has brought substantial performance improvement, it has certain limitations:

  1. Limited by the circuit parameters, there is an upper limit of blocks to be aggregated at one time;
  2. The more blocks aggregated, the larger the circuit, up to the upper limit of the circuit’s scale; and the time to generate proof for such circuit will also be longer, the proof key and verification key will also take up more storage space;
  3. The maximum aggregation currently is 20 blocks, that is, the aggregation process will start only after there are 20 blocks. If generating the proof takes a relatively long time, this will lead to an even longer time for these blocks to be confirmed, especially for those blocks that are generated earliest in the batch;

Limited by the complexity of proof computation and common reference string (CRS) generation, the above zero-knowledge proof algorithm is not scalable. Therefore, researchers are also trying to find a scalable zero-knowledge-proof algorithm, also known as Scalable zk-SNARKs.

Scalable zk-SNARKs

In the paper Scalable Zero Knowledge via Cycles of Elliptic Curves, Eli Ben-Sasson et al. gave the definition of Scalable zk-SNARKs:

  1. Key generation is cheap: the time of Key generation has nothing to do with the computational complexity (if it is Scalable zk-STARKs, it may not be needed);
  2. Proof generation is carried out incrementally: the proof generation process includes both the correctness of the current step and the correctness of all previous calculations. Such zk-SNARKs are incrementally computable;

The above diagram means: the prover is proving in a recursive calculation process. The initial state is S0, and the result of iterative calculation of t times under function F is St, which is very similar to the process of block update in the blockchain.

The first calculation method, the Monolithic option: the prover P writes all t calculations into the circuit, and then proves it at one time. It has the same limitations as we explained above, the higher complexity, the longer time, and larger storage space;

The second calculation method, the Recursive option: the process is as follows:

  1. First, for the initial state S0=>S1, the prover P generates a proof π1 for the calculation process of S1 = F(S0);
  2. For the conversion of S1=>S2, it can be seen from the illustration above that the prover P proved two parts: {S2 = F(S1), V(S1, π1) = 1}. The first half guarantees the validity of the current calculation, and the second half guarantees the validity of the previous calculation process. In zk-SNARKs, the proof generation time is faster than the original calculation, so it is reasonable to prove the verification process;

It can be seen that the Recursive option meets the basic requirements of Scalable zk-SNARKs:

  1. The key generation has nothing to do with the number of cycles, it depends on the complexity of a single F. If it is general zk-SNARKs, it only depends on the security parameters;
  2. The proof is incrementally computable, and each proof contains the validity of all previous calculations;
  3. The size of the proof is fixed, and has nothing to do with the number of iterations t;

It can be seen from the above that Scalable zk-SNARKs adopts the Recursive idea. The current prove step includes the verification circuit of the previous step, as shown in the following diagram:

The P2 verification circuit contains the verification circuit of the previous step P1. Please note that V corresponding to P1 is on the domain Fq, and the proof process of P2 is on Fr. How to represent the arithmetic circuit of V on Fr is a process worth exploring; because Cv can be regarded as a sub-circuit of P, Therefore, q needs to satisfy q = #E(Fr) or q divisible by #E(Fr), that is, q divisible by rk-1, therefore:

  • Attempt 1. Ideally, if r = q, then in Fr, the arithmetic circuit that can perfectly represent V on Fq, but according to the above principle, r != q always holds;
  • Attempt 2. For q != r, because it is necessary to simulate the calculation of Fq in Fr, the calculation complexity will increase by log(r) times;
  • Attempt 3. Using the cycle of elliptic curves, the Recursive process can be perfectly realized;

Specifically, select two large prime numbers, r, and q. Make sure r = #E(Fq) and q = #E(Fr), that is, the domain of the current group is equal to the order of another group, and vice versa. Therefore, the prover P on the domain Fq can perfectly implement the verification circuit of Fr in Fq, and the prover P on the domain Fr can also implement the verification circuit of Fq in Fr; therefore, there will be no defects in Attempt 2.

The following table lists the commonly used cycle of elliptic curves (https://eprint.iacr.org/2014/595.pdf)

Scalable Zero Knowledge via Cycles of Elliptic Curves https://eprint.iacr.org/2014/595.pdf

Key Takeaways

By adopting Recursive Proof Composition, zk-SNARKS becomes Scalable zk-SNARKs, becoming a more efficient and concise zero-knowledge proof algorithm, and can be applied in real and complicated use cases.

Mina Protocol, which has recently launched its mainnet, uses this technology to implement a very light blockchain with a fixed size of around 22KB.

Other projects including Matter Labs, starkWare, etc. are also planning to adopt Scalable zk- SNARKs technology to achieve higher scalability of Layer2. The ZKSwap team continues to research and innovate on the Layer2 track and has also made breakthroughs in Scalable zk-SNARKs, which I believe will be applied to the new version soon.

ZKSwap is a layer2 DEX based on ZK-Rollups technology and using the AMM model.

And You can find us here🥰:

ZKSwap Official Website: https://zks.org/en

ZKSwap APP: https://zkswap.app

ZKSwap Twitter: https://twitter.com/ZKSwapOfficial

ZKSwap Official Telegram group: https://t.me/zkswapofficial

ZKSwap Discord: https://discord.gg/ZRxS8fYTDv

ZKSwap Medium: https://zkswapofficial.medium.com/

ZKSwap Github page: https://github.com/l2labs

ZKSwap Reddit: https://www.reddit.com/r/ZKSwap_Official

Zkswap
Zks
Zksnark
Zkrollup Dex
Zero Knowledge Proofs

--

--

ZKBase
ZKBase

Written by ZKBase

4.4K Followers
Editor for

ZKBase (https://zks.org) is an all-in-one layer2 platform, featuring ZKSwap-DEX, ZKSea-NFT, ZKSquare-payment and ZNS-DID.

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams