At 21:00 on February 26, blockmania AMA 51 continued. The theme of this issue is “how to solve the problem of Ethereum performance with zero knowledge proof”. The sharing guest is anbi Laboratory Engineer p0n1. He explained the development status and future direction of zero knowledge proof in Ethereum expansion. The following is the text arrangement of this sharing.

About ambilab

Secbit laboratory focuses on the security issues of blockchain and smart contract, monitors the security loopholes of smart contract in an all-round way, provides professional contract security audit services, carries out all-round and in-depth research on smart contract security technology, and strives to participate in building a consensus, credible and orderly blockchain economy.

When we talk about blockchain performance, what do we talk about?

Many people like to use the “Impossible Triangle” model to discuss the design problems of a system. Blockchain is no exception. You must have heard the impossible triangle or ternary paradox about security, decentralization and efficiency.

In this popular saying, “efficiency” is actually what we often call “performance”, also called “scalability” or scalability. It can be considered that Ethereum and bitcoin are more focused on “security” and “decentralization” in design, so they are inevitably not very “efficient”.

In particular, Ethereum, as a blockchain platform with the largest number of developers and applications, more and more people are trying to develop interesting and useful applications on it. However, the performance support provided by the platform is extremely limited. Therefore, we have been shouting “Ethereum needs expansion” for a long time!!!

This is why after Ethereum, there are many “Ethereum killers” – many projects that want to surpass Ethereum in terms of performance.

How to surpass Ethereum?

In fact, it is not difficult to transcend. We only need to sacrifice the other two points in the Impossible Triangle.

But perhaps most people still feel that “security” and “decentralization” cannot be given up and choose to stay in Ethereum. As a result, the “Ethereum killers” are desolate and no one cares about them. There are no cars on the roads that can drive airplanes, and there is no room to show their performance “advantages”.

So when we talk about the performance of blockchain, we still hope that the two foundations of blockchain will not be shaken – “security” and “decentralization” will be affected as little as possible.

What can be used to solve Ethereum performance problems

How about the performance of Ethereum?

At present, Ethereum’s performance is very limited. For ordinary blockchain users, the service charge and transaction confirmation time largely determine the user experience. The current experience of Ethereum fluctuates greatly. For example, when the whole network is idle, it is like the expressway during the recent epidemic, while when it is congested, it is like the tourist attractions during the golden week of national day.

From the perspective of TPS, visa international credit card transaction processing speed is at least 2000 transactions / s, while Ethereum transaction processing speed is no more than 30 transactions / s, which is better than big brother bitcoin transaction processing speed of 7 transactions / s.

Moreover, the cost of causing congestion in Ethereum network is very low.

Most of the time, a popular app will make the whole network congested. To tell you the truth, the current TPS level makes it difficult for Ethereum to really apply it on a large scale. As more and more people use it, the transaction fee of Ethereum is bound to be higher and higher, and the confirmation time of ordinary transaction will be longer and longer.

What are the scalability efforts of the Ethereum community?

Ethereum’s embarrassing performance status makes its core development team and community explore various expansion solutions all the time. So you often hear a series of fancy terms: sharding, payment channel, status channel, plasma, truebit, ZK rollup, optimistic rollup and so on, as well as a concept layer-2.

Most of the schemes mentioned above are two-tier expansion schemes. ZK rollup and optimistic rollup are the most popular recently. Today we are going to focus on ZK rollup, and its core is zero knowledge proof technology.

Why is zero knowledge proof useful?

Zero knowledge proof is probably the most promising and imaginative cryptography black technology, which can prove the correctness of a proposition without disclosing any other information. The combination of the two key words – “no leakage” and “proof” can be said to be extremely powerful, which can realize many anti intuitive cool features.

In the expansion direction, we don’t need to pay much attention to the “non disclosure” feature of zero knowledge proof technology, which is often related to privacy protection. We focus on its “proof” ability.

In short, the resources or bandwidth on the chain is limited. We need to migrate a large amount of computing to the off chain, so we need technology to “prove” that these computing have actually happened under the blockchain.

More background knowledge and technical details about zero knowledge proof will not be introduced here. You are welcome to pay attention to the series of articles of anbi laboratory, such as “getting to know” zero knowledge “and” proof ” https://mp.weixin.qq.com/s/XQL_ taBhPkCHGZOBc24MyQ。 If you really want to understand zero knowledge proof, it may burn your brain, but it’s really interesting. If you’re interested, you might as well try it.

Well, back to today’s topic.

Why is the expansion scheme based on zero knowledge proof a better direction?

Let’s review the first question at the beginning. When we talk about the performance of blockchain, we still hope that the two foundations of blockchain – “security” and “decentralization” will be as little affected as possible. If there is a capacity expansion plan to achieve this, it is really very valuable.

ZK rollup, a two-tier expansion scheme based on zero knowledge proof, can really solve the problem of blockchain performance without sacrificing “security” and “decentralization”!

Unfamiliar students may ask: what is ZK rollup?

First of all, we’d better understand what rollup is.

Rollup, as the name suggests, means “roll up” and “roll up”. It can be regarded as a general term for a large class of layer-2 expansion schemes.

Rollup specifically refers to the complex calculation and state maintenance under the chain, and then the data related to the state change is called through the contract, and the cheaper calldata is used to save the data on the chain. A large number of transactions are “rolled up / summarized” and packaged into a transaction. Finally, the TPS is improved on the premise of ensuring the “data availability”.

The common point of rollup scheme is to emphasize the “data availability” on the chain, that is, anyone can recover the global state according to the data stored on the chain, so as to eliminate the security risk caused by the data availability problem.

This feature makes the design of rollup scheme (data on chain) simpler and easier to implement than that of data off chain such as plasma.

In fact, the concept of layer-2 is particularly good, because the design idea of this kind of scheme is that the bottom layer of Ethereum almost does not need any changes, and the bottom layer still yearns to process transactions as usual, so it will not affect the security of the bottom layer, and let all kinds of massive transactions be processed in the second layer, so as to reduce the pressure of the bottom chain.

Plasma is the most popular two-tier expansion concept of Ethereum in the past two years. The whole community has spent a lot of energy to discuss and implement it. In the process, a series of solutions have evolved, such as plasma MVP, plasma cash, plasma debit and plasma prime. ..。 .

There are many intermediate solutions for the plasma family, which are feasible in theory, but they can not be implemented. The core reason is that all kinds of plasma solutions do not guarantee the “data availability”, which makes the protocol more complex and difficult to implement.

ZK rollup scheme originated in the second half of 18 years, which was proposed by Barry WhiteHat and vitalik.

The key lies in ZK (zero knowledge). Every state transition needs to provide zero knowledge proof, which is verified by the contract on the main chain. Only when the verification is passed can the state be changed. That is to say, every state transition strictly depends on cryptography proof.

ZK rollup scheme uses the most popular zero knowledge proof technology, zksnark, to reduce the amount of computation on the chain and ensure the correctness of the data.

A Merkle tree is used to store the account status, and the contract only stores the Merkle root. The operator collects the user’s transactions, packages these transactions in batch, and generates zksnark proof, which specifically proves the legitimacy of the transaction (such as verifying the signature), as well as the Merkle root before and after the status.

The operator submits the Merkle root together with the transaction data and zksnark certificate to the contract, and the new status is written only after the contract is verified.

Since the calculation process of all transactions does not need to be executed in the contract, there is no need to write a large number of states into the contract storage, and zksnark proves that the size (very small) and verification time (very fast) are constant and do not follow the growth of the number of transactions, so ZK rollup can greatly improve the transaction efficiency.

ZK rollup’s on chain performance limitation only depends on the cost of calldata to store data. With the upgrade of Ethereum Istanbul, the use cost of calldata is reduced to 1 / 4 of the original, the performance of ZK rollup is improved by 4 times, and the TPS can reach nearly 2000!

The principle of TLDR, ZK rollup can be explained in one sentence: complex calculation and proof generation under the chain, proof verification and key state maintenance on the chain.

As mentioned above, some students may ask: what is the core difference between ZK rollup and other rollup schemes?

Indeed, there are many other rollup schemes, such as optimistic rollup, which is the more popular one. The core difference between it and ZK rollup is how to ensure the correctness of state change.

The optimal rollup scheme was first proposed by John Adler in the second half of 19. Later, it was mainly improved and expanded by plasma group from plasma, ZK rollup, shadow chain and other schemes.

The biggest difference with ZK rollup is that each state transition does not need to be strictly verified, and it is optimistic to assume that each transition is correct, which is the origin of the word optimal. Then, a certain transition can be challenged within a certain time limit. If the challenge is successful, it will prove that there is a problem with the previous submission, punish the committer and roll back the state. It can be considered that optimal rollup ultimately relies on economic incentives and games to constrain the correct state transition.

The differences between the two schemes can also be compared from the perspective of proof model: ZK rollup is validity proof, and only the status that provides “proof of correctness” will be written into the main chain contract; while optimal rollup is fraud proof, and the user needs to provide “proof of fraud” for the exception during the challenge period to report the incorrect status.

The students who pay attention to Ethereum will be familiar with plasma.

Two researchers, Alex gluchowski and ryuya Nakamura, proposed attack models against optimal rollup or fraud proof based two-tier expansion protocols under the consensus of POW and POS respectively, And the cost of attack is not high: this kind of two-tier scheme must make complaints and reports during the challenge period. When a large number of assets are gathered in the contract, it is hoped to construct a scenario (cooperators share the proceeds of attack), so that the miners can cooperate in doing evil and refuse to submit fraud proof during the challenge period In the end, all the money can be stolen from the contract. This attack is invalid for ZK rollup, because the contract is always guaranteed by correctness check.

What is the development status of ZK rollup?

At present, many teams have developed a new generation of products based on ZK rollup scheme. There is no doubt that ZK rollup is the fastest and most promising two-tier expansion scheme at present, taking the lead in many expansion schemes.

For example, the loopring team has taken the lead in launching a decentralized exchange (DEX) based on ZK rollup, which does not require users to mortgage assets. However, its performance is comparable to that of the centralized exchange (CEX), which is no longer restricted by the performance of the underlying chain. The TPS of order trading has reached an amazing 2025!

In addition, matter labs has released a trusted expansion and privacy solution ZK sync.

The underlying layer of ZK sync also relies on ZK rollup, aiming at improving transaction performance while ensuring security. The product route is to focus on improving the performance and ease of use of simple transfer first, then realize the expansion of general smart contract, and finally add privacy protection. At present, the goal of capacity expansion is close to being achieved. As for privacy protection, it still relies on zero knowledge proof technology.

ZK sync also includes a new snark scheme redshift and zero knowledge proof contract programming framework zinc, which may be the key to its future implementation of general privacy smart contract.

It can be said that ZK rollup is developing vigorously in Ethereum.

What are the specific development trends of zero knowledge proof in the expansion direction of Ethereum?

Let’s review again. The biggest advantage of the zero knowledge proof two-tier expansion scheme is that it can achieve huge performance improvement without sacrificing “security” and “decentralization” and without any changes to the bottom layer of Ethereum.

All this comes from the rapid development of zero knowledge proof technology in recent years, and the Ethereum team has made technical preparations for all this at the bottom chain level about four or five years ago, providing the necessary cryptographic operation support.

Zero knowledge proof technology really makes the expansion of Ethereum from theory to practice. I believe there will be more new breakthroughs in this direction in the future.

The Ethereum community is likely to explore further expansion from the aspects of solving the universality of smart contracts, reducing the difficulty of zero knowledge proof application development, and trying more types of applications.

Under the concept of two-tier expansion, all kinds of ordinary or performance oriented transactions can run efficiently in the second tier, enjoying faster response speed and low cost. The first tier, that is, the main chain, is specially responsible for carrying higher value transactions and paying higher cost.

In addition, zero knowledge proof is the only solution to solve the problem of blockchain privacy. On the one hand, the Ethereum community has made great progress.

I think ZK rollup has more advantages in security.

So I think Ethereum can fight for several years even if it doesn’t upgrade to 2.0.

Editor in charge: CT

Leave a Reply

Your email address will not be published. Required fields are marked *