A zero-knowledge rollup is a Layer 2 blockchain solution that performs computations and storage off-chain while funds are held in a smart contract.
What Are Zero-Knowledge Rollups (ZK Rollups)?
Simply put, zero-knowledge rollups or zk-rollups is a layer-2 scalability solution that allows blockchains to validate transactions faster while also ensuring that gas fees remain minimal. Zk-rollups manage to perform better than traditional layer-1 blockchains because they combine on and off-chain processes.
While the Ethereum mainnet explicitly utilizes on-chain activities to process transactions and validate blocks, layer-2 zk-rollup solutions introduce off-chain functionalities as well.
How do zk-rollups scale Ethereum?
Transaction data compression
ZK-rollups extend the throughput on Ethereum’s base layer by taking computation off-chain, but the real boost for scaling comes from compressing transaction data. Ethereum’s block size limits the data each block can hold and, by extension, the number of transactions processed per block. By compressing transaction-related data, ZK-rollups significantly increase the number of transactions processed per block.
ZK-rollups can compress transaction data better than optimistic rollups since they don’t have to post all the data required to validate each transaction. They only have to post the minimal data required to rebuild the latest state of accounts and balances on the rollup.
Recursive proofs
An advantage of zero-knowledge proofs is that proofs can verify other proofs. For example, a single ZK-SNARK can verify other ZK-SNARKs. Such “proof-of-proofs” are called recursive proofs and dramatically increase throughput on ZK-rollups.
Currently, validity proofs are generated on a block-by-block basis and submitted to the L1 contract for verification. However, verifying single block proofs limits the throughput that ZK-rollups can achieve since only one block can be finalized when the operator submits a proof.
Recursive proofs, however, make it possible to finalize several blocks with one validity proof. This is because the proving circuit recursively aggregates multiple block proofs until one final proof is created. The L2 operator submits this recursive proof, and if the contract accepts it, all the relevant blocks will be finalized instantly. With recursive proofs, the number of ZK-rollup transactions that can be finalized on Ethereum at intervals increases.
Types of Zero-knoweldge Rollup (ZK Rollup)
Factors that differentiate various types of zero-knowledge rollups include:
Proof System: Refers to the type of zero-knowledge proof employed to verify on-chain transactions. Different proof systems possess distinct properties and trade-offs, such as proof size, verification time, prover time or trusted setup. Popular proof systems include zk-SNARKs, zk-STARKs, PLONK and Bulletproofs. Examples of zk-rollups using different proof systems are zkSync (PLONK), StarkWare (zk-STARKs), and Aztec (zk-SNARKs).
Circuit Design: Pertains to the encoding and execution of transactions on the layer-2 chain. Different circuit designs have implications for scalability, usability, and compatibility. Primary circuit designs include account-based, UTXO-based, and ZKVM-based.
Examples of zk-rollups using different circuit designs are zkSync (account-based), StarkWare (UTXO-based), and ZkPorter (ZKVM-based).
Data Availability Solution: Refers to the storage and access of full-block data off-chain. Different data availability solutions offer various pros and cons, such as decentralized storage networks (like IPFS), data availability committees (like Celestia), or data availability sampling (like Validium). Examples of zk-rollups using different data availability solutions are zkSync (IPFS), StarkWare (Validium) and ZkPorter (Celestia).
What Does “Zero Knowledge” Mean for ZK-Rollups?
In zk-rollups, the term “zero-knowledge” refers to the use of zero-knowledge proofs for on-chain transaction verification without requiring interaction or trust. Zero-knowledge proofs are cryptographic proofs that can demonstrate a statement’s truth without disclosing any information about the statement itself.
Benefits of ZK-Rollups
Lower Gas Fees: By generating zero-knowledge proofs for transaction batches and submitting minimal on-chain data, zk-rollups increase efficiency and decrease gas costs.
Higher Throughput: By circumventing base layer congestion and limitations, zk-rollups achieve faster transaction speeds and reduced confirmation times. Some estimates suggest zk-rollups can increase throughput by up to 100x.
Faster Confirmation Times: Users no longer need to wait for block confirmations on the base layer, which could take several minutes or hours depending on network conditions. Instead, they receive immediate feedback and finality on the layer-2 chain.
Privacy Features: Zk-rollups enhance transaction privacy by using zero-knowledge proofs to verify them on-chain without disclosing any information. This means minimal data is posted on-chain, and no information about the transactions is leaked. Zk-rollups also offer privacy features, such as concealing transaction amounts or recipients.
Security and Integrity: Zk-rollups inherit the robustness and trustlessness of Ethereum’s consensus mechanism and validator network. Users don’t need to trust third parties or intermediaries to process their transactions or store their data.
Challenges or Limitations of ZK-Rollups
Proof Generation Cost: The cost of generating a zero-knowledge proof for a transaction batch depends on the complexity of the transactions, the proof system and the circuit design. Proof generation costs can be high for some use cases, potentially affecting zk-rollups’ scalability and usability. Reducing proof generation costs involves using more efficient proof systems or circuit designs or subsidizing or incentivizing provers.
Circuit Complexity: This refers to the complexity of encoding and executing transactions on the layer-2 chain, depending on the circuit design and transaction functionality. High circuit complexity can affect zk-rollups’ scalability and usability for certain use cases. Reducing circuit complexity involves using more optimized or specialized circuit designs or simplifying or standardizing transactions.
Compatibility Issues: Zk-rollups aren’t fully compatible with existing smart contracts and tools running on Ethereum, necessitating changes or adaptations. Developers might need to use different languages, frameworks, libraries, or standards to write smart contracts for zk-rollups. Users might also need different wallets, browsers, or interfaces to interact with zk-rollups. Addressing compatibility issues involves using more interoperable or universal solutions or providing education and support for developers and users.
The ultimate ZK Rollup comparison: which is best?
In the Ethereum-compatible ZK rollup category, four major proponents are building promising solutions: Polygon, Scroll, zkSync, and StarkWare.
Polygon zkEVM
Polygon is one of the earliest projects to work on ZK tech and adopt them as L2 scaling solutions. Their $1 billion commitment towards zero knowledge tech-related efforts is a testament to their belief in ZK tech.
The ZK suite of Polygon currently has 4 products.
Polygon’s ZK ecosystem.
- Hermez: Hermez is Polygon’s decentralized ZK rollup protocol that employs ‘Proof of Efficiency’, allowing any user to become a sequencer (to batch transactions) or aggregator (to generate ZK proofs). This reduces centralization and its associated risks.
- Miden: Miden is Polygon’s EVM- compatible general-purpose ZK rollup that’s supercharged with local execution of smart contracts. Only proofs need to be submitted to the network, enabling parallel transactions (improves efficiency).
- Nightfall: Polygon Nightfall is the union of optimistic rollups and ZK technology to cater to enterprise-level scaling. Nightfall embraces the efficiency of optimistic rollups alongside the privacy elements of ZK technology. It thus opens avenues of enterprise use cases where sensitive data is in play.
- Zero: Polygon Zero is a fully EVM-compatible ZK rollup solution. It employs Plonky2 — a recursive proof system easing the time and resources needed for validity proof generation.
With these products, Polygon offers a wide array of ZK rollup solutions that are:
- Fast: Plonky2 generates a ZK proof in 0.17 seconds
- Efficient: Hermes 2.0 aims to minimize proof sizes.
- Economical: Gas costs to reduce from 5M to 350K
These rollups coupled with Polygon’s zkEVM are solutions to watch out for in the race to Ethereum scalability.
Scroll zkEVM
Scroll is a layer-2 scaling solution for Ethereum that uses zk-rollup technology. It is a general-purpose zk-rollup, which means that it can be used to support any type of Ethereum application.
Scroll has a three-part architecture:
- Scroll node: This is the bridge between layer 2 and layer 1. It constructs blocks from user transactions on layer 2 and submits them to Ethereum.
- Roller network: This network of nodes generates zero-knowledge (ZK) validity proofs to prove the correctness of the transactions in the blocks.
- Rollup and bridge contract: This contract bridges fund transfers between Ethereum and Scroll, verifies ZK validity proofs, and ensures data availability.
In addition to its architecture, Scroll has two unique features that help scale Ethereum:
- Decentralized proving: Anyone can become a roller by staking SCR, the native token of the Scroll network. The amount of SCR staked determines the probability of a roller being chosen to generate proofs. This ensures that proving is decentralized and not controlled by a small group of entities.
- Low cost of proving: Scroll uses a novel technique to reduce the cost of proving. This makes it possible for anyone to participate in the roller network, even if they do not have a lot of computing resources.
- Since its launch in February 2023, Scroll has attracted over 1 million unique addresses and 2+ million transactions.
zkSync Era
zkSync, developed by Matter Labs, is an EVM-compatible ZK rollup that has undergone significant upgrades. Initially launched as zkSync 1.0 (now known as zkSync Lite) with limited functionalities, it has recently evolved into zkSync Era, a full-scale zkEVM. This latest chain introduces new features like native account abstraction and an LLVM compiler.
Since its upgrade, zkSync Era has demonstrated impressive performance, processing over 16 million transactions using ZKPs in less than two months. It has also amassed a total value locked (TVL) of more than $100 million, showcasing its growing popularity and adoption.
The advantages of using zkSync Era are:\
- Data compression: zkSync prioritizes data availability (DA) and its cost, which ultimately determines transaction costs. By publishing only state differences on-chain, zkSync can improve DA and reduce the costs of transactions with large input data.
- Account abstraction: Account abstraction is native on zkSync to improve user and developer experience. The initial use case is limited to paying gas fees in any currency of choice. More use cases like social recovery, subsidizing gas, and batching complex transactions are possible with account abstraction on zkSync.
These features supercharge zkSync Era into a powerful engine for scaling Ethereum.
StarkNet
StarkNet is a general-purpose, EVM-compatible layer-2 scaling solution for Ethereum. It is being developed by StarkWare, a company founded by Eli Ben-Sasson — the co-inventor of ZK STARK proofs and the founding scientist at the privacy-focused crypto payment network Zcash.
By using StarkWare’s ZK technology, StarkNet can scale to millions of transactions per day while still maintaining the security of Ethereum.
StarkNet is still under development, but it has the potential to be a major scaling solution for Ethereum. It has already attracted a number of developers and projects, including dYdX, Immutable, and DeversiFi.
Unlike other ZK protocols, StarkNet uses STARK (Succinct Non-interactive ARgument of Knowledge) proofs instead of the commonly used SNARK (Scalable Transparent ARgument of Knowledge) proofs.
Here’s a brief overview of how STARKs and SNARKs fare against each other:
STARKs
- Rely less on centralization.
- Are more quantum resistant.
SNARK
- Consume less gas to generate proofs.
- Verify proofs quicker.
However, on the EVM-compatibility spectrum, StarkWare’s StarkNet is the least compatible ZK rollup. That’s because StarkWare is developing StarkNet to also function as a standalone chain and not be completely reliant on Ethereum.