How to explore and study ZKSwap

2025-04-11 Update From: SLTechnology News&Howtos (Shulou.com)

ZKSwap research: ZK Rollup and Optimistic Rollup, an important scaling direction for Ethereum

Scalability has troubled public chains for many years. Some scaling solutions are at the proof-of-concept stage and some are in development. Optimistic Rollup and ZK Rollup are also scaling solutions and have aroused great interest in the crypto community. So, what exactly are Optimistic Rollup and ZK Rollup? Which technical route will win the future of Ethereum scaling? However tortuous the road, and whether or not earlier efforts (technical solutions such as Plasma) prove useful, the scaling of Ethereum keeps moving forward, and serving mainstream use cases is not out of reach. This article was written by Alex Gluchowski and translated by "JOKO" of the Blue Fox Notes community.

Brief introduction

Optimistic Rollup is a promising technology for scaling general-purpose smart contracts on Ethereum in the near future. If built fast enough, it provides a way to easily migrate existing dApps and services with a reasonable tradeoff between security and scalability. This will enable ETH 1.0 to meet the growing demand.

ZK Rollup is a more complex technology. It can already be used for token transfers and specific applications. However, it will take somewhat longer to implement for general-purpose smart contracts, and more research is needed to efficiently wrap the EVM in ZKP. (Blue Fox Note: ZKP refers to zero-knowledge proof.)

However, once ZK Rollup is fully developed, all existing Ethereum dApps and services can be migrated smoothly and easily.

ZK Rollup will solve several basic problems of Optimistic Rollup:

Eliminate the unpleasant tail risk of funds being stolen through complex but feasible attack vectors

Reduce withdrawal time from 1-2 weeks to a few minutes

Support fast transaction confirmations and exits in unlimited numbers

Introduce privacy by default

Optimistic Rollup is good news for ZK Rollup. The transition to Layer 2 scaling requires major changes to wallets, oracles, dApps, and user habits. Optimistic Rollup helps prepare the ecosystem for this move, bringing scalability to those dApps that cannot yet be built on ZK Rollup. This gives ZK Rollup enough time to mature and achieve completely seamless adoption while maintaining the growth momentum of Ethereum.

Rollup 101

What is Rollup?

Rollup is a Layer 2 scaling solution similar to Plasma: a single mainchain contract holds all funds and keeps a succinct cryptographic commitment to the larger "sidechain" state (usually a Merkle tree of accounts, balances, and their state). The sidechain state is maintained off-chain by users and operators, and does not depend on Layer 1 storage (this is the source of the biggest scalability win).

What distinguishes Rollup from Plasma is that it solves Plasma's huge problem, data availability, by publishing some data for each transaction on the Layer 1 network (in Ethereum, transaction CALLDATA is used for this purpose).

So thousands of transactions can be bundled together in a single Rollup block. Although the cost of this method increases strictly linearly (O(n) in the number of transactions), it actually increases throughput by a factor of 100 because CALLDATA is cheaper than Layer 1 storage and computation.

Rollup has been repeatedly named by Vitalik Buterin as his favorite Layer 2 scaling solution. Depending on how the correctness of state transitions is ensured, there are two kinds of Rollup: ZK Rollup and Optimistic Rollup.

What is ZK Rollup?

In ZK Rollup, the operator must generate a SNARK (Blue Fox Note: Succinct Non-interactive ARgument of Knowledge) for each state transition, which is verified by the Rollup contract on the main chain. This SNARK proves that there exists a series of transactions, correctly signed by their owners, that update the account balances in the right way and move the Merkle root from the old one to the new one. Therefore, the operator cannot submit an invalid or manipulated state.

What is Optimistic Rollup?

In Optimistic Rollup, the new state root is published by the operator and is not checked by the Rollup smart contract every time. Instead, everyone hopes that the state transition is correct. However, if an incorrect state transition is published, other operators or users (who must watch the Rollup contract on Layer 1 and execute every single transaction) will be able to point out the wrong transaction, revert the wrong block, and slash the deposit of the malicious operator. The concept of Optimistic Rollup was originally put forward by John Adler.
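The watcher role described above can be made concrete. The following is an added example, not code from the original article or from any Rollup project: it re-executes a published batch against the committed account tree and reports what a fraud proof would have to cite. The state model, hash layout, batch fields and account names are assumptions made for illustration, and signature checks are omitted.

```python
import hashlib

def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

EMPTY = h(b"\x02")  # padding node for odd-sized tree levels (assumed layout)

def merkle_root(state: dict) -> bytes:
    """Commitment to {address: (balance, nonce)}, leaves ordered by address."""
    level = [h(b"\x00", a.encode(), b.to_bytes(16, "big"), n.to_bytes(8, "big"))
             for a, (b, n) in sorted(state.items())] or [EMPTY]
    while len(level) > 1:
        if len(level) % 2:
            level.append(EMPTY)
        level = [h(b"\x01", level[i], level[i + 1])
                 for i in range(0, len(level), 2)]
    return level[0]

def apply_tx(state: dict, tx: tuple) -> None:
    """Apply one transfer (sender, recipient, amount, nonce) in place."""
    sender, recipient, amount, nonce = tx
    bal, n = state.get(sender, (0, 0))
    if amount <= 0 or nonce != n or bal < amount:
        raise ValueError(f"invalid transfer from {sender}")
    state[sender] = (bal - amount, n + 1)
    rbal, rn = state.get(recipient, (0, 0))
    state[recipient] = (rbal + amount, rn)

def check_batch(state: dict, batch: dict):
    """Watcher logic: re-execute the published batch; return a fault or None."""
    if merkle_root(state) != batch["prev_root"]:
        return ("prev_root_mismatch", None)
    work = dict(state)
    for i, tx in enumerate(batch["txs"]):
        try:
            apply_tx(work, tx)
        except ValueError:
            return ("invalid_tx", i)      # index the fraud proof would cite
    if merkle_root(work) != batch["claimed_root"]:
        return ("root_mismatch", None)    # valid txs, forged commitment
    return None

# Constructed sample data: three accounts and two valid transfers.
GENESIS = {"alice": (100, 0), "bob": (20, 0), "carol": (0, 0)}
TXS = [("alice", "bob", 30, 0), ("bob", "carol", 10, 0)]
POST = dict(GENESIS)
for _tx in TXS:
    apply_tx(POST, _tx)

HONEST = {"prev_root": merkle_root(GENESIS), "txs": TXS,
          "claimed_root": merkle_root(POST)}
# The operator publishes valid transactions but a root that credits itself.
FORGED_ROOT = dict(HONEST,
                   claimed_root=merkle_root({**POST, "mallory": (50, 0)}))
# The operator includes a transfer the sender cannot fund.
OVERDRAFT = dict(HONEST, txs=TXS + [("carol", "mallory", 500, 0)],
                 claimed_root=merkle_root({**POST, "mallory": (500, 0)}))

if __name__ == "__main__":
    for name, b in [("honest", HONEST), ("forged root", FORGED_ROOT),
                    ("overdraft", OVERDRAFT)]:
        print(name, "->", check_batch(GENESIS, b))
```

The check only works because the batch transactions are published on Layer 1; without that data no watcher could re-execute the batch. In ZK Rollup the contract verifies a proof of the same statement before accepting the root, so no watcher is needed.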

Next, let's compare ZK Rollup and Optimistic Rollup.

Flexibility: general computing

Optimistic Rollup

Although Optimistic Rollup can be used for specific applications, the most important innovation of Plasma Group is the OVM (Optimistic Virtual Machine). The OVM supports the implementation of arbitrary smart contract logic.

Almost anything that can be done on Ethereum can also be implemented on the OVM, including the composability of smart contracts. It can be based on EVM, EWASM or any other virtual machine. The advantage of the OVM is that, if it is used with the EVM, it will support writing code in Solidity. As a result, most existing code bases can be easily ported to Optimistic Rollup.

It would be ideal if the OVM could directly reuse existing EVM bytecode, but it might not be that simple. A correct implementation will require changes to the transaction data (CALLDATA) format and the implementation of complex Truebit/Plasma Leap-style challenge/response protocols to provide fraud proofs.

This can lead to discrepancies with the EVM and improper handling of edge cases, which means that some work will still be needed to adapt current contracts to the OVM. Another implementation challenge is that fraud proofs for large blocks may require more gas than the Layer 1 block gas limit allows. These fraud proofs must then be broken down into multiple Ethereum transactions.

ZK Rollup

So far, all existing ZK Rollup implementations have focused on specific operations, such as token transfers or atomic swaps. There are several main reasons for this.

First of all, there is no efficient technique for succinct recursive composition of proofs for different ZKPs, which is needed to aggregate the execution of different smart contracts into one block. Our best approach is to use Groth16 over cycles of elliptic curves (used by Coda), which requires computation over longer fields and is completely inefficient for large computations.

Second, even if our fields were short, Groth16 requires a separate trusted setup ceremony for each smart contract and each new version. Obviously, this is absolutely unrealistic. The only efficient ZKP technology that does not require a trusted setup is FRI-based STARKs. However, the verifier is succinct for only a limited class of problems (those which can be expressed as succinct arithmetic circuits).

The STARK verifier must execute each constraint of the proven computation statement at least once, which means that we cannot iterate over a collection of heterogeneous smart contracts.

With the advent of SNORKs, everything changed. SNORKs are a new generation of ZKP based on a slightly different set of cryptographic primitives (the well-known polynomial commitment schemes). The approach was first developed by Sean Bowe in Sonic, followed by PLONK and Marlin in the summer of 2019. All of them have one thing in common: although a trusted setup is still needed, it is now universal and updatable. Once completed, it can be reused for any number of different programs at any time.

However, the Kate polynomial commitment scheme used in these proof systems still requires efficient cycles of elliptic curves for recursion, and these are not available yet. That's why we're excited about the latest proof systems that are fully succinct and transparent (no trusted setup), such as Halo, SuperSonic, Fractal, and the exciting things that the Matter Labs team has been working on lately.

To make a long story short: the barrier to building general-purpose smart contracts on ZKP has now been removed. ZK Rollup is fully capable of supporting the same programming model as the EVM, including seamless composability and interoperability. The initial contracts may require a dedicated DSL, although the learning curve for Solidity developers will not exceed one day. In the end, given the current pace of development of ZKP prover technology, we expect all existing Ethereum (and even EWASM) contracts to be effectively ported with minimal effort.

Scalability & transaction cost

Optimistic Rollup

According to John Adler, after EIP2028/Istanbul, the current estimate is about 4k gas per transfer tx. This is equivalent to about 100 tps. With BLS aggregate signatures, this number can rise to about 500 tps at most (the tx parameters may have to be retained for a long time in order not to break EVM compatibility). If EVM compatibility is given up, throughput may theoretically grow to the limit of ZKP.

Upper limit of actual throughput (token transfer): 500 tps

It's probably not bad so far.

ZK Rollup

The public data cost per transfer tx in the Matter testnet is currently 16 bytes, which costs 272 gas after EIP2028/Istanbul.

In addition, there is the amortized cost of proof verification, which is expected to be approximately 300000 gas.

Even if we assume a worst-case scenario in which proof verification costs 1 million gas, the estimated transfer ceiling will still exceed 2140 tps.

In some discussions, people can be heard arguing that ZKP generates a lot of computing overhead, which makes it expensive. In fact, computational costs are negligible compared with gas costs, which are the real bottleneck because of censorship-resistant decentralization. We also expect this factor to decline significantly over time.

Upper limit of actual throughput (token transfer): exceeds 2000 tps, a scale similar to Visa.

However, in many use cases ZK Rollup will save even more, because you can omit large chunks of public data (by moving them into the ZK circuit as witness) that are not needed to reconstruct the state transition deltas.

The core insight is that although Optimistic Rollup always requires users to publish the full transaction input, in ZK Rollup we have the flexibility to choose between the following two: 1) transaction input minus the witness data that does not affect the state transition; 2) transaction output only. This choice can be implemented very elegantly without too much complexity.

Notable examples:

In multi-signature wallets, wallets with Argent-style account abstraction, or decentralized exchanges, users need to submit signatures for the contract to validate. These signatures are not needed for incremental state updates and can be omitted from the public data. Contracts such as Gnosis's Dfusion Dutch DEX require large input datasets, which do not directly affect storage but are only used to validate the results of a computation.

After ETH 2.0

Since any Rollup will reside in a single shard, the cost of CALLDATA (and Rollup transaction costs) is unlikely to change much unless bandwidth becomes generally cheaper.

Meta-transactions

Both types of Rollup are well suited to supporting meta-transactions and account abstraction.

Security

Optimistic Rollup

Unlike payment channels, all funds in a Rollup are held by a single smart contract. Since Rollup is the most promising scaling direction, we should see a large number of users migrating, and a lot of value concentrated in such contracts. With assets worth tens of millions (or even billions) of dollars, Rollup contracts become an attractive honeypot for hackers, and if an attack has a chance of succeeding, someone may attempt it, no matter how complex it is.

Optimistic Rollup's security model is based on two assumptions:

At least one honest node among N nodes executes all Optimistic Rollup transactions and submits a fraud proof when an invalid state transition is published

The underlying Layer 1 network has strong censorship resistance

At least one honest participant among N nodes

For the first point, the realistic expectation is that only Rollup operators will actually monitor and execute transactions. The average user has neither the motivation nor the technical ability to process a high transaction load (if they could, where would the scalability come from?). Fortunately, operators naturally have an incentive to check the correctness of each other's blocks, because building on top of an invalid block will get them slashed.

It is a reasonable assumption that there are enough trusted participants and that one of the N node operators is honest. However, since the number of active participants is limited (hundreds?), some complex attacks may include targeting the infrastructure of all operators (very difficult but not impossible), bribing or blackmailing developers to secretly install malicious code, compromising the distribution channels for Rollup software updates, and, of course, a combination of these attacks.

These attacks are difficult to carry out, but they should still be actively defended against; they are more realistic than attacking Ethereum miners in the same way, especially since a successful attack on Optimistic Rollup is not noticed until it is complete.

Strong censorship resistance of Layer 1

The second assumption is a tricky one. The design of Ethereum provides an economic mechanism that is very effective against general censorship. However, when counter-mechanisms appear, these mechanisms stop working. Attackers can create fully automated bribery mechanisms to coordinate a 51% attack by miners, which prevents honest miners from including fraud proofs in their blocks.

Interestingly, for the miners involved, the direct cost of the attack is zero, not counting the social cost of an angry community's reaction if the attack can be explicitly attributed to censorship. This part is also tricky because the mechanism offers plausible deniability to the participants in the attack: "given the credible commitment of most of the attackers, if I do not participate, my block will be abandoned, so I have to do this, not for profit, but to avoid loss."

Unfortunately, under PoW, this kind of attack is very real. There is no effective way to punish the anonymous miners involved. After the move to PoS, the community will be able to punish them by slashing their stake, if a broad social consensus is reached.

After all, such censorship attacks can be seen as an attack on the entire network, although it can also be said that miners simply follow the protocol honestly and are not obliged to act against their best economic interests.

However, after the DAO fork, it will be a very controversial discussion, to say the least, and the outcome is unpredictable. In a recent community poll conducted by Vitalik, 63 per cent of voters opposed any manual intervention in immutable blockchains to help users, regardless of the scale of the attack. Needless to say, it is very difficult to slash the stake of even one validator (Blue Fox Note: in this case, the staked funds), let alone most validators.

Recently published research on collusion and new attacks on fraud proofs in the PoS setting suggests that the risk of censorship attacks under PoS is at least as high as under PoW.

A more realistic way to resist such attacks is the rapid mobilization of the community in a UASF (user-activated soft fork) to force miners to include certain transactions. From an engineering and social point of view, this scenario is complex and will certainly require a relatively long challenge window for submitting fraud proofs, at least one week, preferably two weeks.

At the same time, given that the major DeFi operators are in a good position to determine the outcome of such forks, it is in their best interest to avoid noisy interference. Therefore, their best option may be to quietly follow the attacker (this will keep Ethereum on the longest chain and generate less controversy than a successful soft fork).

Generally speaking, the risk of fraud proof censorship is relatively low, but it cannot be ignored.

With a 1- to 2-week fraud challenge window and not much money at stake, Optimistic Rollup may be fine: operator/miner collusion will not be worth the trouble and risk. But if the value in the rollup rises, the lurking black swan will become more and more worrying.

ZK Rollup

In ZK Rollup, each state transition is validated by the Rollup smart contract before it becomes valid. Strictly speaking, operators cannot steal funds or corrupt the Rollup state. ZK Rollup depends on the censorship resistance of Layer 1 only for liveness, not for safety. There is no need for anyone to monitor ZK Rollup: once a block is verified, user funds are always guaranteed to be eventually recoverable, even if the operator refuses to cooperate.

Therefore, ZK Rollup more fully embodies the basic ethos of the crypto world: replacing trusted parties with cryptography and game-theoretic incentive mechanisms in order to achieve resilience. However, for the sake of completeness, I must mention some potential risks that are unique to ZK Rollup.

Trusted setup

If the ZKP used in ZK Rollup requires a common trusted setup, then we make the assumption of "one of N" honest participants. Depending on the number and quality of participants, this may be an acceptable or unacceptable risk. But security is security, which is why I'm so excited about the latest developments in efficient SNARKs without a trusted setup, especially what is being built at Matter Labs.

Cryptography

The latest generation of SNARKs uses more battle-tested cryptographic primitives than Groth16. Matter Labs' work is based on FRI, so it can even be said to be post-quantum secure. However, for complete peace of mind, two mitigation strategies should be applied:

Similar to the RSA challenge, large bounties must be deployed with lower security parameters than the production version. If a practical attack is found, researchers will break the challenge years before the production code is broken.

All state transitions must be submitted only by the operator of ZKR, so that the operator of ZKR essentially acts as a two-factor authentication layer of protection.

Latency (time required to reach verifiable finality)

Optimistic Rollup

Due to the problems mentioned in the security section above, Optimistic Rollup can only be safe with a fraud proof challenge window of 1-2 weeks. Until that time has passed, no transaction can be considered final: neither internal Rollup txs nor exits.

Unfortunately, for the end user, there is no faster way to check whether a transaction is final than to execute all transactions across the entire preceding challenge window. It should be noted that users cannot rely solely on game theory to ensure the finality of a block, because a bug in (or a hack of) a single operator node may still lead to a revert.

Finality time (under PoW): 2 weeks

Finality time (under PoS): 1 week

ZK Rollup

At present, ZKP is computationally intensive. Currently, for blocks of 1000 tx, proof generation takes 20 minutes on ordinary server hardware. The ongoing GPU prover implementations (by Matter Labs and Coda) are expected to bring a speed-up of at least 10 times. In the near future, dedicated hardware may offer even more computing power. Eventually, we expect to see block finality within one minute.

Finality time (now): 20 minutes

Finality time (future): within 1 minute

Fast confirmation of transactions within Rollup

In both types of Rollup, operators can issue real-time transaction confirmations to users by depositing a certain security bond (which will be slashed if the transaction is not included in the promised block). This provides an economic guarantee of finality.

This method has its limitations. It works well for transfers of fungible tokens, but it is not suitable for NFTs and general contract calls. An NFT may have no market value, or the owner of the asset may not want to "sell" it under any circumstances. General contract calls are unsuitable because it is not easy to quantify the monetary value at stake if some earlier on-chain transactions are reverted. A simple example: how much should the operator stake in order for the final price broadcast of a stablecoin oracle to be accepted?

Fast withdrawals

Fast exits are similar to fast confirmations inside the Rollup. Operators can work with liquidity providers to pay out fungible tokens to users in real time without waiting for the exit transaction to become final in the Rollup. This requires a large amount of collateral, which is proportional to the time it takes to reach finality. Assuming that the real finality time in the near future is 1 week for Optimistic Rollup and 5 minutes for ZK Rollup, Optimistic Rollup will need 2000 times more collateral than ZK Rollup to support the same amount of withdrawals each week.

Privacy

Optimistic Rollup

Optimistic Rollup can support any privacy solution available on Layer 2 Ethereum (mixers, etc.). Since Optimistic Rollup itself is Layer 2, any privacy solution implemented on it will act as Layer 3. This may lead to more fragmented privacy services and smaller anonymity sets, which makes privacy much less practical (we can observe this even on Zcash, where transactions are not hidden by default).

ZK Rollup

In order to achieve true privacy, the system must support it by default. From a technical point of view, ZK Rollup can easily support private token transfers at the protocol level by default in some cases, and it can also distinguish between public and private smart contracts.

At the same time, building completely anonymous Zcash-style transactions (that is, hiding not only the amount but also the participants of the transaction) would require changing ZK Rollup's storage model from an account-based model to a UTXO-based model, which creates a lot of problems and is unlikely to happen.

Optimistic Rollup is currently in the PoC phase. We hope to see a production-grade implementation soon. If migrating existing code proves relatively easy, projects will gradually start adopting it and building new infrastructure: Layer 2 support will appear in wallets, oracles will start broadcasting to Optimistic Rollup, and so on.

ZK Rollup is more mature for specific applications (such as the transfer of ERC20 tokens), and will gradually move towards fully generic smart contracts. In the end, it will also be possible to migrate any EVM- and WASM-based smart contracts to ZK Rollup, which could take years to complete at the current rate of technological development.

For both types of Rollup, similar infrastructure changes are needed in wallets, oracles, and other smart contract components. This requires a lot of work, which will accelerate as more projects become interested in Layer 2 scaling technologies. Since Optimistic Rollup promises to support generic EVM-based smart contracts earlier than ZK Rollup, it will greatly motivate the community to adopt Layer 2.

For users and dApps, it will be easier to jump from one Rollup to another than to migrate from ETH to Layer 2 in the first place. Bridges will make the process smoother. Because of the ease of switching, this solution will gain a significant advantage in UX and is likely to be the only winner in the long run.
