Zero Knowledge – Proofs, Snarks, Starks, Rollups – a basic primer for the uninitiated

“(ZK SNARKS are) as important a technological breakthrough as blockchains themselves”
Vitalik Buterin – Sept 2022

If Vitalik is correct, shouldn’t you know a bit more about them, just in case? Spend 8-10 minutes here to get started.

TLDR: zk-proofs were the original mathematical innovation. zk-rollups can help batch transactions and scale blockchains. zk-Snarks and zk-Starks are both methods of implementing zk-rollups. ZK-Snarks were originally used as a means of facilitating private transactions on Zcash. Subsequently several projects are working with zk-Rollups in a race to scale blockchains, particularly Ethereum. zkEVM is the latest development in zk-rollups, allowing smart contracts to be included rather than just simple transactions. A future state can be imagined with 100s of thousands or even millions of transactions settling via multi-layered and connected zk-rollup blockchains.

If you are following progress in the blockchain world you will likely have heard the term “zk”. zk-SNARKs, zk-STARKs, zk-Rollups, zk-proofs, zkEVMs – these terms are popping up more and more often. If you don’t understand the first thing about them, fear not, we are about to break this down.

This is an introduction to all things “ZK”, without any maths deep dives or getting stuck in the weeds. It is an enormous topic with many rabbit holes; hopefully this is just enough to start you off. Read on!

So what is zk, aka Zero Knowledge? It is shorthand for zk-‘proofs’, which were a breakthrough mathematical approach to sharing information. zk-proofs are defined as

“a method by which one party (the prover) can prove to another party (the verifier) that a given statement is true while the prover avoids conveying any additional information apart from the fact that the statement is indeed true.”

A quick metaphor for this: imagine you are looking at a ‘Where’s Wally’ children’s puzzle and want to prove to a friend that you know where Wally is without revealing how to find him. Your friend looks away, you take a piece of card much larger than the puzzle, cut out a hole the size and shape of Wally and place that over the picture, revealing only Wally. The friend is invited to see Wally isolated from his surroundings, proving you knew where he was without revealing anything about his location.

So, enough about Wally. Why have zk-proofs become so important to blockchain tech?

Well, the first implementations of zk-proofs as a technology in blockchain were in projects such as ZCash $ZEC and later Monero $XMR. They meant that users could transact on privacy-enabled blockchains, using proofs to confirm their transactions are valid whilst revealing nothing more.

However, privacy itself isn’t the main reason for Vitalik’s excitement. Ethereum is not privacy enabled (at the base layer at least) and so far we have only mentioned zk-proofs as a mathematical way of showing that you know a secret without revealing that secret. The big goal for Ethereum is, of course, scalability.

Zk related tech is the prime candidate to deliver orders of magnitude of scalability to Ethereum (and other Layer 1 chains). But, so far, we have not mentioned ‘zk’ having anything to do with compression or aggregation of data, so how did we step from privacy tech to scalability?

To answer that, let’s go a little deeper. zk-proofs can be one of two types:
a) Interactive: secure, but takes away significant scalability potential. Thus these are not widely used in blockchain tech.
b) Non-interactive: a single exchange of info suffices for both parties. These give the speed of throughput that is exciting and transformational to blockchain projects.

With non-interactive proofs, there is a greater requirement to perform proving calculations to make it work. The ‘Prover’ (and decentralising it) is where most of the engineering challenges are focussed.

Two prominent types of non-interactive zk-proofs are zk-SNARKs and zk-STARKs:

SNARK – Succinct Non-Interactive ARguments of Knowledge (SNARK)
STARK – Scalable Transparent ARgument of Knowledge (STARK)

Note: there are also two less prominent types that may occasionally be mentioned:
VPD – Verifiable Polynomial Delegation (VPD)
SNARG – Succinct Non-interactive ARGuments (SNARG)

zk-SNARK: let’s break down what it stands for as an acronym:
ZK = Zero-knowledge – only a proof is provided, all other transaction info is withheld.
S = Succinct – proof size is compact, saving data space, quick to verify.
N = Non-interactive – proof generation and verification occurs in a single transaction.
ARK = Argument of Knowledge – ‘computational soundness’, impossible to cheat the system without having access to certain verifiable information.

Zcash $ZEC is one of the foremost privacy-preserving protocols and has used zk-SNARKs since 2016 to offer a shielded blockchain experience, also providing sufficient proof that every shielded transaction is valid.

However, the zk-breakthrough that has Vitalik stirred is not privacy but scalability, in the form of ‘zk-rollups’.

zk-Rollups are zk-based approaches that can increase scalability by bundling thousands of transactions in a batch and then posting only some minimal summary data to the base layer.

The term ‘ZK rollup’ is somewhat ambiguous as it covers any approach using SNARKs or STARKs (and conceivably also VPD or SNARGs) to bundle up transactions before providing proof to a base layer of a summary of changes it needs to apply to the blockchain state.

So, let’s look at ZK-STARKs:
ZK – again, only a proof is provided, all other tx info is withheld.
S – in this case means ‘Scalable’ (in SNARKs it was ‘Succinct’). STARKs enable developers to execute computation and store data ‘off-chain’, increasing scalability exponentially.
T – Transparent, one of the most significant differences between zk-STARKs and zk-SNARKs. They use publicly-available randomness to generate parameters, eliminating the need for a trusted setup. More on that in a bit.
ARK – “Argument of Knowledge”, same as in zk-SNARKs, but using a different computation approach. They use hash functions resistant to collisions, again effectively eliminating the need for trusted setups.

Trusted Setups. SNARKs depend on an initial trusted setup between prover/verifier. This creates a centralisation issue as they are set up by a small group. Dishonest actors could create false proofs. STARKs don’t require a trusted setup, relying instead on special hash functions.

zk-STARK technology is more recent (2018) than zk-SNARKs, but so far at least it has been less prominent than zk-SNARK. It was pioneered by StarkWare with its rollup solutions. zk-STARKs, like SNARKs, can compute several thousands of transactions in batches off-chain and submit a sole zk-STARK proof to confirm the transactions’ validity on-chain.

Both approaches allow for fast verification and less block space which means more scalability for networks like Ethereum. Scalability rather than privacy is the primary driver for the increasing excitement and adoption in the Ethereum ecosystem.

A really fantastic overview of the similarities and differences by Panther Protocol team can be found here https://blog.pantherprotocol.io/zk-snarks-vs-zk-starks-differences-in-zero-knowledge-technologies/amp/

zkEVM – so far we have discussed ZK proofs, snarks, starks and rollups. So what is zkEVM?

ZK-rollups are not readily compatible with the Ethereum Virtual Machine (EVM). Proving general-purpose EVM computation in circuits is more difficult and resource-intensive than proving simple computations like token transfers.

However, advances have been made in wrapping EVM computation in zero-knowledge proofs. These efforts are geared towards creating a zero-knowledge EVM (zkEVM) implementation that can efficiently verify the correctness of program execution.

zkEVM recreates existing EVM opcodes for proving/verification in circuits, allowing them to execute smart contracts.

Like the EVM, a zkEVM transitions between states after computation is performed on some inputs. The difference is that the zkEVM also creates zero-knowledge proofs to verify the correctness of every step in the program’s execution.

Validity proofs could verify the correctness of operations that touch the VM’s state (memory, stack, storage) and the computation itself (i.e., did the operation call the right opcodes and execute them correctly?).

There are several reasons for the excitement around zkEVM. Other non-zk implementations of rollups such as optimistic (see Arbitrum/Optimism/Boba) and state channels/plasma (OMG/Polygon) are successfully processing the full capabilities of Ethereum’s virtual machine.

Despite some perceived disadvantages of both these approaches, these solutions have dominated the Layer 2 scaling approach to date.

  • It was believed that full EVM compatibility with zk rollups may take many years to solve, however this timeframe has shortened quite drastically.
  • Zk rollups without EVM functionality (i.e. just for non-smart contract transactions) lacked support or demand from users.

zkEVM represents the best of both worlds, and if it can be delivered successfully the possibilities for scaling and interoperability are hotly anticipated. There are those who see this as the foundation for mainstream adoption of blockchain and integration with internet technology.

So who are the key players currently using these zkEVM technologies and how far along are they?

This is a wildly competitive field and the answers will change depending on who you talk to, but as far as scaling Ethereum is concerned these are the main contenders:

1. StarkNet – starkware.co/starknet/

StarkNet Alpha launched in Nov 2021, an experimental early version.
On July 13, 2022, StarkWare released its plans to decentralize StarkNet further as a Layer 2 to Ethereum.

Targeting up to 100,000 transactions per second.

Token: Yes
ERC-20 StarkNet Token, slated for release in Q4 2022. The initial supply will be 10 billion, with the potential for the protocol to mint more as decided by the community in the future.

StarkWare have also delivered StarkEx which works much like StarkNet, but is centralized and tailored for apps that wish to make use of ZK-STARK technology to provide a smoother and cheaper experience for their users.

dYdX and Immutable X use StarkEx, which means transactions sent using these platforms are processed and batched off-chain by StarkEx and then validated on-chain, exactly like StarkNet.

2. ZKSync – zkSync.io

A trustless protocol for scalable low-cost payments on Ethereum. The ZK-rollup technology was launched in 2020 by Matter Labs, and it aims to achieve a VISA-like scale of throughput of thousands of transactions per second.

zkSync is also the only zk-rollup protocol that claims to support full EVM compatibility. With zkSync, you’re able to take existing live smart contracts from Ethereum and seamlessly redeploy them. This makes it attractive to developers who prefer to have the same code across Layer 1 and Layer 2.

zkSync is launching mainnet on Oct 28th 2022. This will be the first production zkEVM zkRollup.

Token: Yes – details still tbc but likely some sort of airdrop to testnet users and early adopters

3. Polygon Zero (formerly Mir Protocol)
Polygon Zero is a ZK-rollup solution specifically designed to reduce the computational cost of generating validity proofs through recursive proofs.

Not only is Polygon Zero the fastest proving technology, but it also requires significantly less computational power than other ZK-rollups. In fact, a regular Macbook Air can complete a proof in 0.3 seconds! This is important for decentralization as Polygon Zero can use recursive proofs to scale horizontally without sacrificing latency.
This is in testnet.

There is also another approach being taken: Polygon zkEVM. In fact, Polygon seems to be running several concurrent approaches to rollups, which can be explored here https://polygon.technology/solutions/polygon-zkevm/

Token: $MATIC is the current token, it is not yet clear if tokenomics or new tokens would be issued to support new implementations

4. Scroll – Scroll.io

An EVM-equivalent zkRollup, used to prove the correctness of EVM execution in Layer 2. Scroll have been building ‘in the open’ with the Privacy and Scaling Explorations group at the Ethereum Foundation for over a year. Currently launching TestNet zkEVM whilst continuing to build a complete L2 architecture around it.
Token: not yet

Competition: All 4 of the above mentioned competing solutions are racing to become the standard for Layer 2. Much of the race is focussed on a component called the ‘Prover’ which is the key facilitator of speed and robustness of ZK tech. There are challenges around decentralising this aspect.

Beyond zkEVM as a Layer 2 enabler there is the promise of ‘Layer 3’: a layer where anyone can operate an independent blockchain tailored to their specific need, even incorporating existing Layer 1s and Layer 2s. This layer of ‘fractal hyperchains’ is where the promise of massive growth and real world adoption is inspiring lofty ambitions in many zk-believers.

ZK-EVM – the future:
Hopefully this post has provided a basic grasp of zk-terminology and the ‘why?’, but what could the future hold? Why did Vitalik say “(ZK SNARKS are) as important a technological breakthrough as blockchains themselves”?
This is what we need to explore in another thread. For now I’ll close with this:

Steve Newcomb of ZKSync speaking recently on Bankless put forward a vision of the future

“I always liken it to when nobody trusted their credit cards on the browser and (then) we finally agreed on SSL everywhere, we got that ‘lock’ icon up in the browser window and suddenly people started trusting using their credit cards online.

It created e-commerce it didn’t change it, it created the use case of e-commerce and I think that this is going to be the same thing with this (zkEVM rollup tech) hyperlinking native bridging (which is like actually the elimination of bridges).

Where you have much stronger cryptographic assurances about where your assets are in the blockchain ecosystem.

If it is all on the same ‘circuit’ (underlying blockchain) .. instead of a little lock icon there’ll be a little new icon that says ‘secured by Ethereum’ or .. ‘secured by ZK sync’. That’s kind of the metaphor here..

TCP/IP is a protocol we all agree on… HTTPS is a protocol we all agree on.. when we get to a point (with zk-Rollups) where there are hundreds of thousands of transactions per second, gas fees are minimal and it’s as easy to create a blockchain as it is to create a Squarespace site.. as featureful as we want it to be … we have the features of like Shopify right at our fingertips to create anything .. or Unreal Engine is on the blockchain and we trust that it’s secure …

that’s when we see that lock icon change into the Ethereum icon and everything we do in the world is on Ethereum”

fractal hyperchains as envisaged by zkEVM rollup contender zksync
