Understanding ZK Rollups

Blockchains like Ethereum are slow and expensive. To complete a transaction a user needs to pay hundreds of dollars worth of gas fees if the gas prices are high, this is not ideal and that's why scaling solutions have emerged. In this article, we will be focusing on Zero-knowledge rollups (ZK-rollups) which are layer 2 scaling solutions that increase transaction throughput (the rate of how fast a blockchain processes transactions) on Ethereum Mainnet by moving computation and state storage off-chain. For better understanding let's break this into 2 topics: ZK proofs and Rollups.

ZK Proofs

In zero-knowledge proof systems, the prover convinces the verifier that some statement is true without revealing any other underlying information, thus the name "Zero-Knowledge". A zero-knowledge protocol should satisfy these three properties:

• Completeness — if the statement is true then a prover can convince a verifier
• Soundness — a cheating prover can not convince a verifier of a false statement
• Zero-knowledge — the interaction only reveals if a statement is true and nothing else

Why are ZK Proofs Needed?

While transparency is essential for any public blockchain, it is still one of the major drawbacks because you don’t want the whole world to know your personal transactional data. Adding a privacy layer on the blockchain helps to keep your transactional data unknown. Zk-proofs can solve this problem by only publishing the validity proofs and keeping the underlying transactional data obscure. Zk Proof’s are not limited to blockchain only, it can also be used in Voting. The traditional paper based voting systems were full of flaws like time consuming, requiring a lot of people, security of ballot boxes and a lot more. To tackle this online E-Voting systems were introduced but they were still incapable of handling security attacks, but with the help of blockchain and Zk-Proofs we can create a completely secure and anonymous voting system where users can vote easily by sitting at home. This is particularly essential during pandemics like Covid-19.

Rollups

Roll Ups are layer-2 chains that process transactions on their network, batch them, and submit the data to the underlying blockchain thus still maintaining the security of the base-layer network. The layer-1 validates the validity proof generated by layer-2 which is a cryptographic assurance that the state change proposed by the rollup is really the result of executing the given batch of transactions. Rollups can reduce the transactional costs and increase the transaction throughput by computing the transactions and moving the state storage off-chain.

ZK-Rollup Architecture

The ZK-rollup's core architecture is made up of the following components:

• On-chain contracts: The ZK-rollup protocol is governed by the smart contracts deployed on Ethereum. The main contract stores rollup blocks, tracks deposits, and monitors state updates. Another contract - the verifier contract, verifies zero-knowledge proofs.

• Off-chain virtual machine (VM): The transaction execution and state storage happen on a separate virtual machine (VM) which serves as the layer-2 for the ZK-rollup protocol. Validity proofs verified on Ethereum mainnet guarantee the correctness of state transitions in the off-chain VM.

How do ZK Rollups work?

Let's break the flow step by step for better clarity:

• Users sign and submit transactions to the layer-2 operators for processing and batching of the transactions. These operators can be a centralized entity if only a single node or sequencer is allowed to produce blocks or decentralized if the network follows a consensus mechanism for choosing the operator node from the network.

• The Operator compresses the data and passes it to the rollup contract deployed on layer-1, this compressed data is passed as calldata to reduce gas costs. (calldata is used to pass arguments to a function in a smart contract and it behaves similarly to memory. It is not stored as part of Ethereum’s state but persists on-chain as part of the Ethereum chain's history logs, making it a cheap way to store data on-chain.)

• ZK-rollups maintain a Merkle tree to represent the state of layer-2 accounts and balances. After every transaction, the state of the rollup changes, and the operator node is responsible for computing and submitting the new state root (cryptographic hash of the Merkle tree’s root) based on the changes resulting from the executed transactions. The operator also creates a batch root which is the root of a Merkle tree consisting of all transactions in a batch. This batch root is also provided to the rollup contract as it verifies the correctness of batched transactions without the need to re-execute them on Ethereum.

• The operator also generates a validity proof which is a cryptographic commitment verifying the correctness of batched transactions without revealing the actual data of the transactions. These are also known as Zero-Knowledge Proofs. They are sent to the verifier contract to validate the off-chain state transitions without having to re-execute transactions on Ethereum. This proof can be a ZK-SNARK or ZK-STARK, depending on the implementation. Once the validity proof is accepted, the new state root which was generated by the operator is updated in the on-chain contract.

How to use ZK-Rollups on Ethereum?

To interact with rollups, you bridge your funds to the layer 2 network and complete the transactions you want to do on the rollup and once the transactions are done, you can port your funds back to Ethereum. Here’s a brief guide on how that works: Firstly, you should have some tokens in your Ethereum wallet. Then switch your wallet to the layer-2 network. After you’ve connected your wallet to layer-2, bridge your tokens back which will cost some transaction fees. Now you can transact on layer-2 and once you’re done, bridge your funds back to Ethereum. Now that we know how a Zk Rollup works, let's understand how a Zk proof works.

How does a Zk Proof (Validity Proof) Work?

Now that we know what validity proof does, let's dive into how it works. Here's a step-by-step explanation of the proof generation and verification process in ZK-rollups:

Proof Generation

Transaction Collection and Initial Checks:

The operator node gathers transactions and before executing and batching them certain checks are performed to ensure:

• Both sender and receiver accounts are present in the state tree of the rollup.
• The sender possesses sufficient funds.
• The transaction matches the sender’s public key.
• The nonce (number used once) of the sender is correct.

Aggregation into a Batch:

Once enough transactions are collected, they are aggregated into a batch. This is a crucial step for efficiency, as processing transactions in batches significantly reduces the computational load and transaction costs on the blockchain.

Compilation of Inputs for the Proving Circuit:

Inputs include

• Merkle Tree Root: A single root hash of all transactions in the batch.
• Merkle Proofs for Transactions: To demonstrate each transaction's inclusion in the batch.
• Account Pair Proofs: Merkle proofs showing that each sender-receiver pair is part of the rollup's state tree.
• Intermediate State Roots: A set of intermediate state roots that are generated after applying transactions to the state tree, updating account balances accordingly.

Proving Circuit Operations:

The proving circuit then iteratively processes each transaction in the batch by:

• Verifying sender account inclusion using its Merkle proof.
• Adjusting the sender’s balance and nonce.
• Hashing the updated account data and combining it with the Merkle proof to generate a new Merkle root
• All of the above processes are repeated on the receiver's account and the state tree is updated accordingly.

Proof Verification

Submission to Layer-1

After generating the ZK-proof, the operator node submits this proof to a verifier contract on the Layer-1 blockchain which consists of:

• Pre-state Root: The state of the rollup before the batch transactions.
• Post-state Root: The state after batch processing.
• Batch Root: The Merkle root of all transactions in the batch.
• Transaction Inputs: Specific data related to the transactions in the batch.

Proof Validation

The Layer-1 verifier contract checks if the sequence of transactions represented by the proof validly transitions the rollup from its pre-state to its post-state. If the proof is valid, the rollup contract updates its state to reflect the new post-state root. This ensures the integrity and finality of transactions within the ZK-rollup.

Now that we know how Zk Rollups works, let's talk about the problem while interacting with EVM. Zk Rollups face challenges in proving general-purpose EVM computation. This involves recreating the EVM's operations (opcodes) in a way that they can be proven and verified within zero-knowledge circuits. This process is resource intensive and complex as it requires proving the correctness of every step in a computation without revealing the details of the computation itself. That's why ZkEVMs are being developed which can execute smart contracts, maintain the EVM's logic and state transition mechanisms, and also add a layer of creating zero-knowledge proofs for each step. This ensures that the execution of programs is not only correct but also verifiable without revealing any sensitive information. On the other hand, Optimistic Rollups don't face this issue as it executes transactions in a similar environment to Ethereum itself.

Pros of Zk Rollups

• Lower Gas Fees: By submitting minimal verifiable data to layer-1, they increase efficiency and decrease gas costs. Users benefit from greater capital efficiency and can withdraw funds from L2 without delays.

• Higher Throughput: Executing and batching transactions off-chain helps to achieve faster transaction throughput and reduced block confirmation times.

• Better security: It Relies on cryptographic mechanisms for security and not the honesty of incentivized validators as with optimistic rollups, so users don't have to validate the chain to protect their funds.

• Privacy Features: With the help of Zk-rollups you can transact on-chain without revealing any information on-chain, thus creating a trustful environment.

ZK-rollups are "hybrid scaling solutions" that operate independently but depend on Ethereum for security, scalability, and data availability. Users need not trust any intermediaries to process their transactions or store their data, creating a safer environment.

Cons of Zk Rollups

• Sequencers (Centralized Operators) can influence the ordering of transactions.

• Hardware requirements act as a significant barrier to running operator nodes, increasing the risk of malicious sequencers.

• Building EVM-compatible zk-rollups is difficult due to the complexity of zero-knowledge technology.

• The cost of generating a zk proof depends on the complexity of the transactions, the proof system, and the circuit design. Proof generation costs can be high for some use cases, potentially affecting zk-rollups' scalability and usability.

Some proving systems (ZK-SNARK) require trustworthy nodes which, if misbehaved, could potentially compromise a ZK-rollup's security model.

About Bitquery

Bitquery is a set of software tools that parse, index, access, search, and use information across blockchain networks in a unified way. Our products are:

• Coinpath® APIs provide blockchain money flow analysis for more than 24 blockchains. With Coinpath’s APIs, you can monitor blockchain transactions, investigate crypto crimes such as bitcoin money laundering, and create crypto forensics tools. Read this to get started with Coinpath®.
• Digital Assets API provides index information related to all major cryptocurrencies, coins, and tokens.
• DEX API provides real-time deposits and transactions, trades, and other related data on different DEX protocols like Uniswap, Kyber Network, Airswap, Matching Network, etc.

If you have any questions about our products, ask them on our Telegram channel or email us at sales@bitquery.io. Also, subscribe to our newsletter below, we will keep you updated with the latest in the cryptocurrency world.