Zero-Knowledge (ZK) technology has swiftly risen to prominence as a major solution for enhancing blockchain scalability, maintaining its allure for investors even amid recent bearish market trends.
Major players like Polygon have dedicated a staggering $1B to ZK development, while both Aztec and Starkware each secured $100 million in funding in 2022. Numerous other organizations are also allocating substantial resources to advance this groundbreaking technology.
However, the intricacies of ZK technology have led to sparse coverage, leaving many in the dark about its potential impact. This article aims to shed light on the aforementioned projects and more, emphasizing the significance and progress in the ZK landscape, so that readers can gain a deeper understanding and appreciation for this transformative innovation.
In particular, I will cover:
- ZK Rollups vs. Optimistic Rollups
- Zero Knowledge Proofs
- What are zkEVMs?
- Which are the leading ZK rollup projects?
- Which are EVM-compatible, and how do they differentiate?
ZK Rollups vs. Optimistic Rollups
Both optimistic rollups and ZK rollups are Layer 2 (L2) scaling solutions for Ethereum that aim to increase transaction throughput and reduce fees. Both execute batches of transactions off-chain and then post a compressed record of each batch to the Ethereum main chain in a single L1 transaction, together with a new state root that updates the rollup's "state" as recorded on Ethereum. State here refers to the collective information that represents the current status of the network, such as account balances, smart contract code, and contract storage.
However, both rollup approaches differ in various regards and come alongside tradeoffs.
Optimistic rollups bundle transactions off-chain and post the result to Ethereum as a single transaction, optimistically assuming that the new state root is valid. During a challenge period, anyone may dispute a state root they believe to be invalid, so a core security assumption is that at least one honest, online party is watching. If a challenge is raised, a dispute process begins: both the party that proposed the state root and the challenger post bonds, and the loser of the dispute forfeits its bond.
If no challenge is raised during the challenge period, the batch is considered finalized, and the rollup's state on Ethereum is updated accordingly.
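To make the mechanics of the challenge period concrete, here is an added toy model of the bonded challenge game described above. It is illustration code written for this article, not the contracts of Optimism, Arbitrum or any other rollup: "time" is a block counter, bonds are plain integers, and the on-chain fraud proof is replaced by the contract re-executing the disputed batch (a real system bisects down to one instruction and proves only that step). The third scenario shows what the "at least one honest party" assumption means in practice: an unchallenged fraudulent root finalizes.

```python
"""Toy model of an optimistic rollup's bonded challenge game.

Constructed illustration, not any production rollup's code. Handles one
pending proposal at a time; the fraud proof is stood in for by re-execution.
"""
from dataclasses import dataclass, field
from hashlib import sha256
from typing import Optional

CHALLENGE_WINDOW = 7  # blocks; stands in for the roughly 7-day window used in practice
BOND = 10             # stake posted by the proposer and by any challenger


def apply_batch(state: dict, batch: list) -> dict:
    """Deterministic state transition; batch items are (sender, recipient, amount)."""
    new = dict(state)
    for sender, recipient, amount in batch:
        if amount <= 0 or new.get(sender, 0) < amount:
            raise ValueError(f"invalid transfer from {sender}")
        new[sender] -= amount
        new[recipient] = new.get(recipient, 0) + amount
    return new


def state_root(state: dict) -> str:
    """Commitment to a state; a real rollup uses a Merkle root, a hash suffices here."""
    return sha256(repr(sorted(state.items())).encode()).hexdigest()


@dataclass
class Proposal:
    batch: list
    claimed_root: str
    proposer: str
    submitted_at: int
    status: str = "pending"  # pending | finalized | rejected
    challenger: Optional[str] = None


@dataclass
class RollupContract:
    accepted_root: str              # the only rollup state that lives on L1
    balances: dict                  # L1 bond balances per party
    block: int = 0
    proposals: list = field(default_factory=list)

    def propose(self, proposer: str, batch: list, claimed_root: str) -> Proposal:
        """Proposer posts the batch data plus the root it claims results, and locks a bond."""
        self.balances[proposer] -= BOND
        p = Proposal(batch, claimed_root, proposer, self.block)
        self.proposals.append(p)
        return p

    def challenge(self, challenger: str, p: Proposal, pre_state: dict) -> str:
        """Dispute a pending proposal inside its window. `pre_state` is the challenger's
        own copy of the state; it must hash to accepted_root, then the contract
        re-executes the batch (stand-in for an interactive fraud proof).
        The loser forfeits BOND to the winner."""
        if p.status != "pending" or self.block >= p.submitted_at + CHALLENGE_WINDOW:
            raise ValueError("proposal is not open to challenge")
        if state_root(pre_state) != self.accepted_root:
            raise ValueError("pre-state does not match the accepted root")
        self.balances[challenger] -= BOND
        p.challenger = challenger
        try:
            correct_root = state_root(apply_batch(pre_state, p.batch))
        except ValueError:
            correct_root = None  # the batch itself is invalid: no correct root exists
        if correct_root != p.claimed_root:
            p.status = "rejected"                  # fraud proven: challenger takes both bonds
            self.balances[challenger] += 2 * BOND
            return "challenger wins"
        p.status = "finalized"                     # false alarm: proposer takes both bonds
        self.accepted_root = p.claimed_root
        self.balances[p.proposer] += 2 * BOND
        return "proposer wins"

    def advance(self, blocks: int) -> None:
        """Move time forward; unchallenged proposals finalize once their window closes."""
        self.block += blocks
        for p in self.proposals:
            if p.status == "pending" and self.block >= p.submitted_at + CHALLENGE_WINDOW:
                p.status = "finalized"
                self.accepted_root = p.claimed_root  # accepted unverified: nobody objected
                self.balances[p.proposer] += BOND


def demo() -> dict:
    """Three scenarios; returns the observations worth checking."""
    genesis = {"alice": 100, "bob": 0}
    c = RollupContract(state_root(genesis), {"proposer": 50, "watcher": 50})

    # 1. Honest proposal, nobody challenges: finalizes when the window closes.
    batch = [("alice", "bob", 30)]
    honest = apply_batch(genesis, batch)
    p1 = c.propose("proposer", batch, state_root(honest))
    c.advance(CHALLENGE_WINDOW)

    # 2. Fraudulent proposal (empty batch, but claims bob now holds 1000),
    #    caught by a single honest watcher holding the real state.
    fraud = dict(honest, bob=1000)
    p2 = c.propose("proposer", [], state_root(fraud))
    outcome = c.challenge("watcher", p2, honest)

    # 3. The same fraud with nobody watching: the bogus root finalizes.
    p3 = c.propose("proposer", [], state_root(fraud))
    c.advance(CHALLENGE_WINDOW)

    return {
        "p1": p1.status, "p2": p2.status, "p3": p3.status,
        "challenge": outcome,
        "accepted_root": c.accepted_root,
        "fraud_root": state_root(fraud),
        "honest_root": state_root(honest),
        "balances": dict(c.balances),
    }
```

Running `demo()` shows the proposer losing one bond to the watcher in scenario 2 and the contract's `accepted_root` ending up equal to the fraudulent root in scenario 3; nothing in the contract itself distinguishes the two proposals, only whether someone challenged in time.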
In contrast, ZK rollups use zero-knowledge proofs (covered below) to prove cryptographically that the off-chain transactions were executed correctly. A succinct validity proof is submitted on-chain and verified by a smart contract, which is far cheaper than re-executing every individual transaction. Once the proof is accepted, the rollup's state on Ethereum is updated. As with optimistic rollups, transactions are batched off-chain, but with ZK rollups only the validity proof must be checked, so there is no challenge period to wait out. Advances in proof compression and recursion continue to reduce proving time and cost. Note that the "zero-knowledge" property is a potential privacy benefit rather than an automatic one: most ZK rollups still publish their transaction data on-chain so that anyone can reconstruct the rollup's state, and only a few projects (discussed below) use the proofs to hide transaction details.
Which approach is better? Both come with tradeoffs.
Optimistic rollups are easier both to implement and to integrate with the Ethereum Virtual Machine (EVM). Their on-chain cost grows linearly with the number of transactions, because every transaction, signature included, must be published so that a challenger can re-execute it. A ZK rollup also publishes data, but it can omit signatures and other data that the proof already vouches for, and it pays a roughly fixed cost to verify one proof per batch regardless of batch size, so its per-transaction cost falls as batches grow. On the other hand, optimistic rollups have no privacy built in, have slower withdrawals because of the challenge period, and rest on a weaker assumption: they are only secure if at least one honest party watches and challenges invalid state roots in time, whereas a ZK rollup's correctness is enforced by the proof itself.
Below is a general comparison, but it’s worth noting specific implementations of each may have different characteristics. For example, certain ZK rollups may in fact cost less than certain optimistic rollups (e.g. Loopring vs. Optimism).
Scalability in particular has conflicting answers online. In talking to the Metis team, I was informed that ZK rollups have the potential to be more scalable once they have a sufficient number of ZK verifiers, which is not currently the case.
For those interested, L2Beat is a great site for comparing rollup solutions. Arbitrum and Optimism are leaders in the space and both use optimistic rollups, which is in line with optimistic rollups being more mature than ZK rollups. However, more and more ZK rollup solutions are being introduced, which I'll cover later on.
Zero Knowledge Proofs
Zero-knowledge proofs (ZKPs) are core to ZK rollups. A ZKP is a cryptographic protocol that lets one party (the prover) convince another (the verifier) that a statement is true without revealing anything beyond the fact that it is true: the verifier learns that the prover holds a valid witness (a secret key, or a set of transactions that leads from one state to another) but learns nothing about the witness itself. In other words, ZKPs allow a claim to be verified without disclosing the underlying details. In practice, however, most rollup projects today (Aztec aside) use the proofs only for succinct verification and do not implement privacy.
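The definition above is easiest to see in the smallest real zero-knowledge protocol there is. The following is an added teaching example, not code from any project on this page: a Schnorr proof of knowledge of a discrete logarithm on secp256k1 (the curve behind Ethereum's signatures), made non-interactive with the Fiat-Shamir transform. It is a sigma protocol rather than a SNARK or STARK, but it exhibits the same three properties: completeness (an honest proof verifies), soundness (no valid proof without the secret), and zero knowledge (the verifier checks `s*G == R + c*X` without ever learning `x`). The last function shows the classic failure mode: reusing the nonce `r` across two proofs lets anyone recover the secret, which is why `prove` draws a fresh one by default. The context string passed as `statement` is this example's own addition, used to bind a proof to a purpose.

```python
"""Schnorr proof of knowledge of a discrete log on secp256k1 (Fiat-Shamir).

Constructed teaching example; the `statement` context string and the
`nonce` override exist only so the test can exercise the failure mode.
"""
import hashlib
import secrets

# secp256k1 domain parameters (the curve behind Ethereum and Bitcoin signatures)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity (group identity)


def ec_add(a, b):
    """Affine point addition on y^2 = x^3 + 7 over GF(P)."""
    if a is INF:
        return b
    if b is INF:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return INF                                        # a == -b
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P   # tangent slope
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)


def ec_mul(k: int, point):
    """Double-and-add scalar multiplication (not constant-time; fine for a demo)."""
    result, addend = INF, point
    while k > 0:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def on_curve(pt) -> bool:
    return pt is not INF and (pt[1] ** 2 - pt[0] ** 3 - 7) % P == 0


def challenge_hash(public, commitment, statement: bytes) -> int:
    """Fiat-Shamir: the verifier's random challenge becomes a hash of the transcript,
    bound to the generator, the public key, the commitment and a context string."""
    h = hashlib.sha256()
    for pt in (G, public, commitment):
        h.update(pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big"))
    h.update(statement)
    return int.from_bytes(h.digest(), "big") % N


def prove(secret: int, statement: bytes, nonce: int = None):
    """Prover holds x with public key X = x*G. Returns (X, (R, s))."""
    public = ec_mul(secret, G)
    r = nonce if nonce is not None else secrets.randbelow(N - 1) + 1
    commitment = ec_mul(r, G)                         # R = r*G
    c = challenge_hash(public, commitment, statement)
    s = (r + c * secret) % N                          # response; the random r masks x
    return public, (commitment, s)


def verify(public, proof, statement: bytes) -> bool:
    """Verifier checks s*G == R + c*X; it never sees x, only that it exists."""
    commitment, s = proof
    if not on_curve(public) or not on_curve(commitment) or not 0 < s < N:
        return False
    c = challenge_hash(public, commitment, statement)
    return ec_mul(s, G) == ec_add(commitment, ec_mul(c, public))


def recover_from_nonce_reuse(public, proof_a, stmt_a, proof_b, stmt_b) -> int:
    """Why r must be fresh: two proofs sharing r give s_a - s_b = (c_a - c_b) * x,
    so x falls out with one modular inverse. The same flaw exists in ECDSA."""
    (r_pt_a, s_a), (r_pt_b, s_b) = proof_a, proof_b
    if r_pt_a != r_pt_b:
        raise ValueError("nonces differ; nothing to recover")
    c_a = challenge_hash(public, r_pt_a, stmt_a)
    c_b = challenge_hash(public, r_pt_b, stmt_b)
    return (s_a - s_b) * pow(c_a - c_b, -1, N) % N
```

A SNARK or STARK generalizes this from "I know the discrete log of X" to "I know inputs that make an arbitrary program accept", but the shape is identical: commit, derive a challenge from the transcript, respond, and let the verifier check one algebraic relation.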
I expect that real-world deployments of ZK technology will arrive slowly but surely over the coming years, most likely in ways we cannot yet imagine. Some potential use cases include:
- Identity Verification: proving one is over 21 without providing personal details such as a date of birth or an ID card.
- Secure Voting: voters can prove eligibility without revealing their identity or vote.
- Financial Services: details such as creditworthiness can be shared without revealing sensitive information such as account balances or transaction history.
- Digital Rights: ownership of digital content may be verified without revealing a buyer’s identity or other purchase details.
Already, we’re seeing novel methods of implementation. For example, Space and Time, a Web3 data warehouse, uses ZKPs to guarantee that query results are accurate and tamperproof while the underlying data remains private.
The two primary systems of computing ZKPs are known as ZK-SNARKs and ZK-STARKs.
ZK-SNARKs (Zero-Knowledge Succinct Non-Interactive Argument of Knowledge)
SNARKs produce small proofs that are cheap to verify, and therefore cost little gas on-chain. A downside is that most SNARK constructions require an initial trusted setup that generates public parameters; anyone who learned the secret randomness used in that setup (the "toxic waste") could forge proofs of false statements, so the system's soundness depends on that randomness having been destroyed, which is why setups are usually run as multi-party ceremonies in which only one honest participant is needed. Another downside is that the common SNARK constructions rely on elliptic-curve pairings, which are not considered resistant to quantum computers.
Projects that rely upon ZK-SNARKs include Polygon zkEVM, zkSync, Aztec, and Loopring. I’ll cover these projects below.
ZK-STARKs (Zero-Knowledge Scalable Transparent Arguments of Knowledge)
STARKs are "transparent": they require no trusted setup, because their security rests on hash functions and publicly verifiable randomness rather than on secret parameters. An off-chain STARK prover performs the computation and generates the proof, and an on-chain STARK verifier checks it. Their hash-based assumptions are also believed to be quantum-resistant, but the proofs are larger, so on-chain verification costs more gas.
Starkware is the main ZK-STARK project, with many others reliant upon their StarkEx technology. Examples include dYdX, Immutable X, and DeversiFi.
A thorough comparison is complex and best left for another time, but the general takeaway is that the two approaches make different tradeoffs: SNARKs give smaller proofs and cheaper on-chain verification but usually require a trusted setup and rest on assumptions that are not quantum-resistant, while STARKs avoid the setup and are believed to be quantum-resistant at the cost of larger proofs.
What is a zkEVM?
A zkEVM (Zero-Knowledge Ethereum Virtual Machine) is a virtual machine that executes EVM bytecode and produces a zero-knowledge validity proof of that execution. The EVM was not designed with ZK proving in mind: its 256-bit words, its Keccak hashing and its stack-based opcodes are expensive to express as arithmetic circuits, which has made the development of zkEVM networks difficult.
This graphic shows the top ZK rollup projects categorized as either EVM-compatible or not, and I will cover each project in turn later.
For those unfamiliar with the EVM, it is the runtime environment for smart contracts on the Ethereum blockchain, responsible for executing contract code and updating the state of the chain. Many of the leading blockchain networks are EVM-compatible, including Binance Smart Chain, Avalanche, Fantom, Tron, and most Layer 2 networks. Therefore, a readily compatible ZK rollup is a significant milestone.
A zkEVM lets a rollup prove to Ethereum that a batch of ordinary EVM smart-contract executions was carried out correctly, so existing Solidity contracts and dApps can be deployed on the rollup largely unchanged while inheriting Ethereum's security through the verified proof. Privacy is a separate matter: as noted above, most zkEVM rollups publish their transaction data and do not hide amounts or identities; hiding that information requires additional design of the kind Aztec pursues.
Vitalik’s blog post from August 2022 details four different “types” of zkEVM, which trade Ethereum compatibility against prover performance. The types are:
- Type 1: fully Ethereum-equivalent, able to prove Ethereum blocks as they are, but with slow proof generation times.
- Type 2: EVM-equivalent, but not Ethereum-equivalent. There are differences in data structures such as the block structure and state tree. Still highly compatible, but proof generation remains slow.
- Type 3: almost EVM-equivalent; compatible with most Ethereum apps but not all, since some hard-to-prove features (such as certain precompiles) are dropped, with faster proof generation.
- Type 4: compiles high-level code (e.g. Solidity) into a ZK-SNARK or STARK friendly format. Less compatible with Ethereum applications, but very fast proof generation.
Polygon is a longstanding sidechain and Layer 2 scaling solution for Ethereum that announced the mainnet beta of its ZK rollup, Polygon zkEVM, on March 27, 2023. Historically its Plasma Bridge and PoS Bridge have moved assets between the Polygon PoS chain and Ethereum, with neither relying on ZK technology, and both have suffered from certain drawbacks, such as the 7-day withdrawal period of the Plasma Bridge.
Polygon zkEVM first generates STARK proofs of batch execution, which optimizes for proving speed. It then aggregates them with recursive proofs and wraps the result in a SNARK, which optimizes for proof size and cheap on-chain verification. A recursive proof is a single validity proof that attests to the correctness of other validity proofs, so many batches can be settled with one on-chain verification. By combining STARK and SNARK technology in this way, they improve the cost, speed, and throughput of transactions. For further reading, I recommend this blog post.
This is the next big focus for the Polygon community and their treasury pledged to invest a whopping $1B+ into the field.
Beyond this, they have a few other ZK products, including:
- Polygon Zero: a ZK rollup that relies upon recursive proofs and is expected to reach 3,000 TPS once live.
- Polygon Nightfall: this product combines optimistic rollups and ZK rollups, and is focused on enterprise clients.
- Polygon Miden: while most ZK products are SNARK-based, Miden is STARK-based and relies upon the Miden Virtual Machine. It is still in prototype phase but it will be EVM-compatible and will manage over 1,000 TPS.
The pages discussing Polygon Zero, Polygon Nightfall, and their former STARK-based Polygon Hermez all appear to direct the reader to their Polygon zkEVM page now. In speaking with the Polygon team, I was informed they are no longer working on Nightfall, while Zero is powering other products. I was also informed that Polygon Hermez is now their zkEVM, so I expect that this was part of a rebranding effort.
Overall, the Polygon team has an impressive number of partnerships with established firms, and seems to be working on many different projects. I like that they’ve invested a large sum into their ZK efforts, but at the time of writing they have only $26M in TVL. This may be more so a reflection of their nascent zkEVM product.
Scroll is an open-source zkEVM that launched the first version of its testnet in August 2022, and more recently the second version in February 2023. Like other zkEVMs, they promote themselves as scalable, EVM-equivalent, and secure.
Not many project details have been released thus far, but it appears that the team is based out of Mountain View, California. They’ve had over 100,000 users, 15M transactions, and 1.8M blocks as of February 2023.
Several top DeFi projects appear to be building on Scroll, such as Aave, Sushi, Synapse, Ankr, Stargate, and more. Their mainnet launch is the next phase of their rollout but details remain unknown.
zkSync is run by Matter Labs, whose first product, zkSync Lite, was released in June 2020 as a non-zkEVM Layer 2 that did not support smart contracts. Their zkEVM product, zkSync Era, launched publicly in March 2023 and is the first zkEVM officially deployed on Ethereum mainnet.
They use a ZK-SNARK architecture, with operators who carry out the essential ZK rollup functions, such as producing blocks, packaging transactions, conducting computations, and submitting data to the main Ethereum chain. They’ve also put a lot of effort into their security measures, with 7 independent code audits, 3 internal audits, 2 public security contests, and an open-ended bug bounty program.
An important feature of zkSync is native account abstraction. For context, blockchain users normally transact from externally owned accounts (EOAs), each controlled by a single private key, as opposed to smart contract accounts (CAs). If I send my friend $50, funds move from one EOA to another; if I interact with a DeFi application, funds move from an EOA to a CA. Account abstraction lets a user's own account be a smart contract, which greatly improves the user experience through features such as paying gas fees in any token, recovering an account after keys are lost, defining flexible security rules, and more.
zkSync Era has already received widespread attention and has surpassed $240M in TVL. While speculation over an impending airdrop has helped this, they undoubtedly have a great product with many top protocols preparing to launch on the network, including Uniswap, Curve, and MakerDAO. Their full ecosystem can be viewed here.
ZK Solutions, non-EVM
Loopring protocol is an open-source, application-specific ZK rollup protocol that provides smart contracts and “ZK circuits”. A ZK circuit is an arithmetic circuit: a fixed set of addition and multiplication constraints over a finite field that encodes the computation being proven (for a rollup, “these transactions applied to this state yield this new state root”). The prover produces a proof that it knows inputs satisfying every constraint, and any verifier can check that proof with minimal computational effort; this is how ZK-SNARKs work.
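The following added example, written for this article rather than taken from Loopring's circuits, shows what such a circuit is at the smallest scale: a rank-1 constraint system (R1CS), the form most SNARK front-ends compile to. Every constraint is `(A_i · w) * (B_i · w) = (C_i · w)` over a prime field, where `w` is the witness vector of `[1, public inputs, private inputs, intermediate wires]`. The circuit encodes `out = x^3 + x + 5` with `x` private and `out` public (the same toy used in Vitalik's QAP write-up); the field constant is BN254's scalar field, which is what Ethereum's SNARK verifier precompiles operate over. Names such as `R1CS`, `build_cubic` and `cubic_witness` are this example's own.

```python
"""A "ZK circuit" in miniature: a rank-1 constraint system (R1CS).

Constructed example; the verifier of a SNARK over this circuit learns only
the public wire values and that some satisfying witness exists.
"""
# Scalar field of BN254, the curve behind Ethereum's SNARK verifier precompiles
FIELD = 21888242871839275222246405745257275088548364400416034343698204186575808495617


def dot(row: dict, w: list) -> int:
    """Sparse dot product: row maps variable index -> coefficient."""
    return sum(coeff * w[i] for i, coeff in row.items()) % FIELD


class R1CS:
    def __init__(self):
        self.names = ["one"]      # w[0] is the constant 1
        self.public = []          # indices the verifier gets to see
        self.constraints = []     # (A_row, B_row, C_row) triples

    def var(self, name: str, public: bool = False) -> int:
        self.names.append(name)
        idx = len(self.names) - 1
        if public:
            self.public.append(idx)
        return idx

    def constrain(self, a: dict, b: dict, c: dict) -> None:
        self.constraints.append((a, b, c))

    def failing(self, w: list) -> list:
        """Indices of constraints that w violates (empty list means satisfied)."""
        if len(w) != len(self.names):
            raise ValueError("witness length mismatch")
        return [i for i, (a, b, c) in enumerate(self.constraints)
                if dot(a, w) * dot(b, w) % FIELD != dot(c, w)]

    def is_satisfied(self, w: list, public_values: dict) -> bool:
        """What a verifier needs: all constraints hold AND the public wires equal the
        values it was given (keyed by name here). Private wires are never inspected."""
        ok_public = all(w[i] % FIELD == public_values[self.names[i]] % FIELD
                        for i in self.public)
        return ok_public and not self.failing(w)


def build_cubic() -> R1CS:
    """Circuit for out = x^3 + x + 5 with x private and out public."""
    cs = R1CS()
    x = cs.var("x")
    out = cs.var("out", public=True)
    xx = cs.var("x*x")
    xxx = cs.var("x^3")
    s = cs.var("x^3 + x")
    ONE = 0
    cs.constrain({x: 1}, {x: 1}, {xx: 1})             # x  * x  = xx
    cs.constrain({xx: 1}, {x: 1}, {xxx: 1})           # xx * x  = xxx
    cs.constrain({xxx: 1, x: 1}, {ONE: 1}, {s: 1})    # (xxx + x) * 1 = s
    cs.constrain({s: 1, ONE: 5}, {ONE: 1}, {out: 1})  # (s + 5) * 1 = out
    return cs


def cubic_witness(x: int) -> list:
    """The prover fills in every wire from its private input; order matches build_cubic."""
    x %= FIELD
    xx = x * x % FIELD
    xxx = xx * x % FIELD
    s = (xxx + x) % FIELD
    return [1, x, (s + 5) % FIELD, xx, xxx, s]
```

Two things worth noticing: only multiplication gates cost a constraint (additions are folded into the linear combinations), which is why circuit designers count multiplications; and arithmetic is modular, so `x = FIELD - 1` is a perfectly valid witness for `out = 3`, a reminder that "the circuit accepts" means accepts over the field, not over the integers the developer had in mind.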
Their Layer 2 application is focused on both trading (AMMs and order book-based DEXs) and payment applications, and is built upon the Loopring protocol. It is gas-free, high-speed (2,200+ TPS), and inherits Ethereum’s security, which is why it is well suited for high-throughput activities such as trades.
Their relayer helps the protocol run by creating rollup blocks, generating proofs, publishing data to Ethereum, and so on. While anyone may use their open-source data to create their own relayer, Loopring has its own unique relayer that comes with an API, through which anyone may use the network.
ZKSpace originally launched V1 of its product in February 2021 as the first Layer 2 AMM built on ZK rollups. It uses ZK-SNARK technology with the PLONK proving system to generate validity proofs (not fraud proofs, which belong to optimistic rollups). The project states that because only a proof is posted, transaction privacy is preserved. Proving uses a distributed architecture: a prover server issues tasks that require proofs, and multiple “Provers” then generate them.
In fact, Vitalik himself even wrote about PLONK (it gets very complex, very fast).
One key benefit of ZKSpace is that it only requires a one-time setup. In many ZK-SNARK systems the trusted setup, in which the cryptographic parameters that make the system secure are generated, is tied to a specific circuit, so every time a new application is introduced a new trusted setup must be performed, and each setup is a potential point of compromise. In contrast, PLONK
The ZKSpace platform contains three main components:
- ZKSwap v3: a Layer 2 AMM DEX
- ZKSquare: a payment service
- ZKSea: NFT marketplace
They primarily promote ZKSwap which appears to be their main product. They enable trades with zero gas fees, a theoretical limit of 6,000 TPS, and real-time execution of trades.
Their goal is to bridge various L2 applications as well as Layer 3’s. This makes sense, as I hadn’t quite followed the large emphasis on this swap technology given that swaps on either affordable L1s or other L2s are already extremely cost-efficient.
It appears that they plan to partner with exchanges and crypto wallet service providers in order to facilitate inexpensive transactions and private transactions, likely receiving small commissions in return.
StarkWare was co-founded by the inventors of ZK-STARK technology and is a leader in the space, having pioneered on multiple fronts, such as its programming language Cairo.
They have developed two solutions:
- StarkEx: a permissioned toolbox and network that helps applications scale by computing transactions off-chain.
- StarkNet: a permissionless Layer 2.
Much of their innovation comes from their new programming language Cairo, specially designed to enable more intuitive ZK-STARK proof creation on behalf of developers.
StarkEx launched in June 2020 and is a toolbox/framework for creating permissioned, application-specific scaling solutions. It enables applications to perform inexpensive off-chain computation, with a STARK proof of each batch being checked by a verifier contract on-chain. StarkEx therefore reduces costs for protocols with a high number of transactions, such as dYdX (perpetual swaps), DeversiFi (a DEX), and Immutable (NFT minting and trading). In the case of dYdX, user trades are computed off-chain to reduce Ethereum gas fees and then settled on-chain through the StarkEx verifier. Notably, last June the dYdX team announced their imminent move to Cosmos, which may impact daily StarkEx volume.
More recently, StarkNet launched in November 2022 and is an L2 where developers may deploy smart contracts written in the Cairo language. A few differences between StarkNet and StarkEx: a) it is permissionless rather than permissioned, b) it runs its own sequencer that orders and batches transactions, whereas with StarkEx batching is done by the application's backend (with the StarkEx service operated by StarkWare), and c) it is more comparable to a traditional general-purpose L2 than to a toolbox.
While StarkNet itself is not a zkEVM, some zkEVM projects are being built on top of it at the moment, such as the Kakarot zkEVM.
Despite blockchains being pseudonymous, identities can often be correlated with on-chain activity, so there is a need for built-in privacy. For example, as businesses increasingly accept cryptocurrency payments, they do not want every customer who pays them to be able to see their entire financial history.
Aztec is an open-source, privacy-preserving extension to Ethereum that raised a $100M funding round in late 2022. It provides both public and private state, as well as public and private functions. Private state refers to data that is encrypted and kept confidential, while public state is visible to the network, as on a traditional blockchain. Similarly, private functions are executed client-side by authorized parties with only a proof published, enabling use cases such as voting, confidential transactions, access control, and sensitive data storage.
There are three pillars to their focus on privacy:
- User privacy: transactions may hide information about the sender, recipient, transaction amount, and/or asset type.
- Data privacy: smart contracts may have private state as well as private functions, as described above.
- Code privacy: developers have the ability to implement private functions.
As is usual with ZK projects, the details get very complex very quickly, but one building block is worth spelling out. Aztec stores private state as encrypted “notes” whose commitments (hashes) are published on-chain. To spend a note, the owner publishes a nullifier, a hash derived from the note and the owner's secret key, together with a proof that it was derived correctly. The nullifier reveals nothing about which note was spent, but it is deterministic, so a second attempt to spend the same note produces the same nullifier and is rejected. This is how double-spending is prevented without revealing balances or linking transactions.
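To show the commitment/nullifier mechanism end to end, here is an added toy implementation; it is illustration code for this article and not Aztec's code, hash functions or note format. The on-chain part is nothing more than two append-only sets. In the real system the spender submits a zero-knowledge proof that the commitment exists, that the nullifier was derived from it with the owner's secret, and that amounts balance; here the ledger re-derives those facts from the plaintext note (which a real contract never receives) so the logic can be read in one place.

```python
"""Toy note/nullifier scheme of the kind private rollups use.

Constructed illustration. Only commitments and nullifiers ever reach the
ledger; the note itself stays with its owner.
"""
import hashlib
import secrets
from dataclasses import dataclass


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


@dataclass(frozen=True)
class Note:
    owner_secret: bytes   # known only to the owner
    amount: int
    randomness: bytes     # blinds the commitment so equal amounts look different

    @staticmethod
    def fresh(owner_secret: bytes, amount: int) -> "Note":
        return Note(owner_secret, amount, secrets.token_bytes(32))

    def commitment(self) -> bytes:
        owner_pub = H(b"pk", self.owner_secret)       # what a sender needs to address a note
        return H(b"note", owner_pub, self.amount.to_bytes(8, "big"), self.randomness)

    def nullifier(self) -> bytes:
        # Domain-separated so it can never collide with a commitment, and keyed by
        # the owner secret so only the owner can compute (or predict) it.
        return H(b"nf", self.commitment(), self.owner_secret)


class PrivateLedger:
    """The on-chain part: two append-only sets and no plaintext notes."""

    def __init__(self):
        self.commitments = set()
        self.nullifiers = set()

    def mint(self, note: Note) -> bytes:
        cm = note.commitment()
        self.commitments.add(cm)
        return cm

    def spend(self, note: Note, outputs: list) -> bytes:
        """Stand-in for verifying a ZK proof: membership, correct nullifier derivation
        and value conservation are checked directly on the plaintext note."""
        if note.commitment() not in self.commitments:
            raise ValueError("unknown note")
        nf = note.nullifier()
        if nf in self.nullifiers:
            raise ValueError("double spend: nullifier already published")
        if sum(o.amount for o in outputs) != note.amount:
            raise ValueError("inputs and outputs do not balance")
        self.nullifiers.add(nf)                       # the only trace the spend leaves
        for o in outputs:
            self.commitments.add(o.commitment())
        return nf


def demo() -> dict:
    """Mint, spend, then replay the same note; returns what is worth checking."""
    alice, bob = b"alice-secret", b"bob-secret"
    ledger = PrivateLedger()
    note = Note.fresh(alice, 100)
    ledger.mint(note)
    payment = Note.fresh(bob, 60)
    change = Note.fresh(alice, 40)
    nf = ledger.spend(note, [payment, change])
    try:
        ledger.spend(note, [Note.fresh(bob, 100)])    # same note again
        double_spend_rejected = False
    except ValueError:
        double_spend_rejected = True
    return {
        "nullifier": nf,
        "double_spend_rejected": double_spend_rejected,
        "commitments": len(ledger.commitments),
        "nullifiers": len(ledger.nullifiers),
        "nullifier_equals_commitment": nf == note.commitment(),
    }
```

After `demo()` the ledger holds three commitments and one nullifier, and nothing in those five hashes says which commitment the nullifier cancelled or what amounts were involved; the owner-secret input is what stops a third party from computing a nullifier and front-running a spend.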
Their former products, zk.money and Aztec Connect, have been shut down by the team in order to solely focus on Aztec 3. Aztec 3 is their most up-to-date product with encrypted zkRollups and relies upon the Noir programming language.
ZK rollups are challenging enough to create, let alone an end-to-end encrypted version with public functionality. Therefore, our team at Multichain Media is quite impressed by Aztec and considers it a project worth following.
The above piece covered the ZK space which is a very challenging domain. While I tried to be as accurate as possible, much of this is cutting-edge and it’s possible that I missed something. If so, please let me know.
Overall, a lot of innovation is happening in this space, but it remains a large challenge for ZK rollups to become EVM-compatible. Various projects are working hard on this but in my opinion, it will be another year or two before we see significant progress, such as users relying upon zkEVM Layer 2’s over the more commonly used optimistic rollups.
That being said, ZK rollups, especially those compatible with Ethereum, have significant implications for the space as a whole and will help the industry to scale in a privacy-focused manner.