Research on zkswap

slagga 2021-04-16 20:47:40 阅读数:789

research zkswap

ZKSwap Exploration and research

ZK Rollup and Optimistic Rollup - The important expansion direction of Ethereum

Preface : these years , Scalability has been bothering the public chain . Some of the solutions for extensibility are in the proof of concept , Some are in research and development .Optimistic Rollup and Zk Rollup It's also a scalable solution , And has aroused a strong interest in the encryption community . that , What on earth Optimistic Rollup and ZK Rollup? Which technology route will win the future of Ethereum expansion ? No matter how tortuous the road is , Whether the previous efforts were useful ( Such as plasma And so on ), But the expansion of Ethereum has been moving forward , Meeting the mainstream scene is not out of reach . The author of this article Alex Gluchowski, By blue fox notes community “JOKO” translate .

brief introduction

Optimistic Rollup It is a promising technology to expand the general smart contract on Ethereum in the near future . If the build is fast enough , It provides the ability to easily migrate existing dApp And service methods , And can reasonably balance security and scalability . This will make ETH1.0 Be able to meet growing demand .

ZK Rollup It's a more complex technology . It can now be used for token transfers and specific applications . However , It's going to take a little longer to implement on the general smart contract , And if you want to make it more efficient EVM Wrapped in ZKP Even more research work is needed in the future .( Blue fox notes :ZKP Zero knowledge proof )

however , once ZK Rollup Fully developed , All existing Ethereum dApp And services can migrate smoothly and easily .

ZK Rollup Will solve Optimistic Rollup A few basic questions on the subject :

 Eliminate the risk of a nasty tail : Stealing money through complex but viable attack vectors ;
Time the withdrawal of funds from 1-2 Weeks reduced to a few minutes ;
Support fast trade confirmation and exit in unlimited quantity ;
Privacy is introduced by default .

Optimistic Rollup Yes ZK Rollup That's good news . towards Layer 2 Extended transition requirements for wallets 、 Predicting machine 、dApp、 A major change in user habits .Optimistic Rollup Help prepare the ecosystem for this action , Bringing extensibility into this is not yet based on ZK Rollup Built dApp. This gives ZK Rollup Enough time to mature , And make it completely seamless adoption , At the same time, maintain the growth momentum of Ethereum .

Rollup 101

  • What is? Rollup?

Rollup Is similar to the Plasma Of Layer-2 Scalable solutions : A single main chain contract holds all funds , And for the larger “ Side chain ” state ( It's usually an account 、 The balance and its status Merkle Trees ) Make a simple encryption commitment . The state of side chain is maintained by users and operators under the chain , And it doesn't depend on Layer 1 The storage ( This is the source of the biggest scalability victory ).

take Rollup and Plasma The difference is that it solves Plasms It's a huge problem : Data availability , The way is through Layer 1 The Internet publishes some data for each transaction ( In Ethereum , Used exclusively for this purpose tx CALLDATA).

So it can be done in a single Rollup The block bundles thousands of transactions together . Although the cost of this method increases strictly linearly ( The number of transactions O(n) ), But it can actually improve throughput 100 times , because CALLDATA Than Layer 1 Storage and computing are cheaper .

Rollup Has been Vitalik Buterin Repeatedly recognized as his favorite Layer 2 Scalability solutions . According to how to ensure the correctness of the state transition , There are two kinds of Rollup The way :ZK Rollup and Optimistic Rollup.

  • What is? ZK Rollup?

stay ZK-Rollup in , The operator must generate one for each state transition SNARK( Blue fox notes : Simple, non interactive proof of knowledge ,Succinct Non-interactive ARgument of Knowledge), And by the Rollup Contract verification . this SNARK Prove that there is a series of transactions correctly signed by the owner , These transactions update the account balance in the right way , And make Merkle root From old to new . therefore , It is impossible for operators to submit invalid or manipulated status .

  • What is? Optimistic Rollup?

stay Optimistic Rollup in , The new status is released by operators , And it doesn't have to be done every time Rollup Smart contract check . contrary , Everyone wants the state transition to be right . however , If an incorrect state transition is released , Other operators or users ( It must be observed that Layer 1 Rollup The situation in the contract , Execute every single transaction ) Will be able to point out the wrong deal , And restore the wrong block , Reduce the deposit of malicious operators .Optimistic Rollup The concept of the original by John Adler Proposed .

Next , Let's compare ZK Rollup and Optimsitc Rollup.

flexibility : General purpose computing

  • Optimistic Rollup

Even though Optimistic Rollup Can be used for specific applications , however Plasma Group The most important innovation is OVM(Optimistic Vitual Machine).OVM Support the implementation of arbitrary smart contract logic .

Almost anything that can be realized in Ethereum can also be realized in OVM Implemented on , This includes the composability of smart contracts . It's based on EVM,EWASM Or any other virtual machine . About OVM Are the benefits of , If it's with EVM Use it together , It will support the use of Solidity Write code . therefore , Most of the existing code bases can be easily ported to Optimistic Rollup On .

If OVM You can reuse existing EVM Bytecode , That would be the ideal choice , But it may not be that simple . The right way to do it will require changes to the transaction data (CALLDATA) Format , And it requires complex Truebit/Plasma Leap The challenge of style / Implementation of response protocol , To provide proof of fraud .

This may lead to a conflict with EVM Divergence , As a result, the edge condition cannot be handled correctly , This means that there is still some work to be done to adapt to the current OVM contract . Another challenge of implementation is , Fraud proofs for large blocks may require more than Layer 1 block gas limit More is allowed gas. that , These fraud proofs have to be broken down into multiple ETH transaction .

  • ZK Rollup

so far , All existing ZK-Rollup Implementation focuses on specific operations , Such as token transfer or atom exchange . There are several main reasons for this .

First , There is no effective technology for different ZKP Simple recursive proof combination of , This requires aggregating the execution of different smart contracts into one block . Our best method is to use it on the loop of elliptic curve Groth16( from Coda Use ), This requires calculations on longer fields , And it's completely inefficient for large-scale computing .

secondly , Even if our fields are short ,Groth16 A separate trusted setup ritual will also be required for each smart contract and each new version . obviously , This is absolutely unrealistic . The only valid... That doesn't need to be trusted ZKP Technology is based on FRI Of STARKs. however , The verifier only works on a limited class of problems ( It can be expressed as a simple arithmetic circuit ) Is concise .

STARK The validator must execute at least once for each constraint of the proved computation statement , This means that we cannot iterate over the set of heterogeneous smart contracts .

With SNORKs Appearance , Everything has changed .SNORK Is based on a slightly different set of encryption primitives ( The famous polynomial commitment scheme ) A new generation of ZKP. from Sean Bowe stay Sonic China is the first to develop , stay 2019 Summer in summer PLONK and Marlin come after . All of these have one thing in common : Although trusted settings are still needed , But now it's universal and Renewable . After one time , It can reuse it for any number of different programs at any time .

However , Used in these proof systems Kate Polynomial commitment schemes still need efficient elliptic curve loops for recursion , Not yet available . That's why we're completely concise and transparent to the latest ( No trusted settings ) I'm excited about the proof system , for example Halo、SuperSonic、Fractal, as well as Matter Labs What's exciting about the team these days .

Cut a long story short : stay ZKP The barriers to building generic smart contracts on the Internet have now been removed .ZK Rollup Fully able to support and EVM Same programming model , Including seamless composability and interoperability . Even though Solidity The learning curve for developers won't take more than a day , But the initial contract may need to be dedicated DSL. Final , Whereas ZKP The current pace of development of demonstrator Technology , We expect all the existing ETH( even to the extent that EWASM) Contracts can be effectively transplanted with minimal effort .

Extensibility & Transaction costs

  • Optimistic Rollup
 according to John Adler That's what I'm saying , stay EIP2028/ After Istanbul , The current estimate is that every transfer tx about 4k Of gas.
It means , Equivalent to about 100tps.
Use BLS Aggregate signature , This number can go up to about 500tps( In order not to destroy EVM Compatibility ,tx Parameters will probably stay for a long time ).
If EVM Compatibility is compromised , In theory, the throughput may increase to ZKP The limits of .

The actual throughput limit ( Token transfer ):500tps

It's probably not bad at the moment .

  • ZK Rollup

stay Matter Testnet In every transfer tx The current cost of public data is 16bytes, This will be EIP2028/ After Istanbul, it costs 272gas cost .

Besides , There will be proven amortization , It is expected to be about 30 ten thousand gas.

Even if we assume the worst , need 100 ten thousand gas The cost of proof , But the estimated transfer ceiling will still exceed 2140tps.

In some discussions , People can be heard arguing that ZKP There's a lot of computing overhead , So it's expensive . actually , And gas Cost comparison , The calculation cost is negligible , This is the real bottleneck , Because of the decentralization of anti censorship . We also expect this factor to decline significantly over time .

The actual throughput limit ( Token transfer ): exceed 2000tps —— Be similar to Visa The scale of .

however , In many use cases ,ZK Rollup Will save more , Because you can omit large chunks from public data ( By moving them to ZK Circuit proof ), Instead of refactoring state transition increments .

The core idea is : Even though Optimistic Rollup Always ask users to publish full transaction input , And in the ZK Rollup in , We can flexibly choose between the following two :1) The transaction input minus the witness that does not affect the state transition 2) Only trade output . It can be done very gracefully , Without too much complexity .

A famous example :

 Sign more wallets , have Argent Style accounts Abstract wallets or decentralized exchanges , The user needs to submit the signature to get the verification of the contract . These signatures are not required for incremental state updates , It can be omitted from the public data .
image Gnosis Of Dfusion Dutch DEX Such a contract requires a large amount of data set input , These inputs do not directly affect storage , But it is only used to verify the calculation results .
  • ETH 2.0 after

Due to any Rollup Will be in a single slice , therefore ,CALLDATA Cost of ( as well as Rollup Transaction costs ) It's unlikely that much will change , Unless bandwidth is usually cheaper .

Yuan Trading

There are two types of Rollup Both are very suitable for supporting meta transaction and account abstraction .


  • Optimistic Rollup

Unlike payment channels ,Rollup All of the funds in are held by a single smart contract . since Rollup Is the most promising expansion direction , We should see a large number of users migrate among them , And a lot of the value is focused on this kind of contract . Holding tens of millions of ( Even billions ) Dollar value assets , For well-known hackers ,Rollup Contracts are becoming a very attractive honeypot , If the attack has a chance , that , No matter how complicated , It's possible to try .

Optimistic Rollup Our security model is based on two assumptions :

  1. At least in the n There are 1 An honest node performs all Optimistic Rollup transaction , And submit fraud proof when invalid state transition is released ;
  2. Bottom Layer 1 The network has a strong anti censorship
  • N There is at least one honest node participant

For the first point , The real expectation is , Only Rollup It's the operators that actually monitor and execute transactions . Ordinary users have neither the motivation nor the technical ability to handle high load transactions ( If they can , Where does the expansion come from ?) Fortunately, , Operators naturally have the incentive to check the correctness of each other's blocks , Because building blocks based on invalid blocks will reduce assets .

There are enough credible participants ,N There are 1 An honest node operator is a reasonable assumption . however , Since the number of active participants is limited ( Hundreds ?), Some complex attacks may include : Infrastructure for all operators ( Very difficult, but not impossible ), Bribe / Blackmail development engineers secretly install malicious code , in the light of Rollup Software update distribution channels, etc , Of course , It could also be a combination of these attacks .

These attacks are hard to achieve , But we should actively defend , But rather than attacking the Ethereum miners in the same way , These attacks need to be more realistic , Especially for Optimistic Rollup The successful attack will not be noticed until it is completed .

  • Powerful Layer 1 Resistance review

The second assumption is the tricky one . actually , Ethereum's design provides an economic mechanism , It's very effective against ordinary censorship . however , When there is a counter mechanism , These mechanisms will stop working . An attacker can create a fully automatic bribery mechanism to coordinate the miners 51% attack , This will prevent honest miners from including fraud proof in their block .

Interestingly , For the miners involved , The direct cost of this attack is zero , If it can be clearly attributed to censorship , The social cost of angry community reaction is not included . This part is also tricky , Because the mechanism provides reasonable deniability for the attack participants :“ Given the credible commitment of most attackers , If I'm not involved , My block will be abandoned , therefore , I have to do this , Not for profit , But to avoid loss .”

Unfortunately , stay PoW Next , This kind of attack is very realistic . There is no effective way to punish the anonymous miners who participate in it . Turning around PoS after , The community will be able to punish miners by reducing their pledge rights , If there is a broad social consensus .

After all , Such censorship attacks can be seen as an invasion of the entire network , Although it can also be said that , The miners simply follow the agreement honestly , And no obligation to act in a manner contrary to its best economic interests .

however , stay DAO After the fork , To say the least , It's going to be a very controversial discussion , The results are unpredictable . stay Vitalik In a recent community poll , No matter what level of attack ,63% The voters of the group are opposed to any manual intervention on the immutable blockchain to rescue users . Needless to say , To remove even a verifier's rights ( Blue fox notes : This refers to the pledged funds ) It's also very difficult , Not to mention eliminating the rights of most verifiers .

More research has recently been published on Collusion , And aiming at PoS New attacks on fraud proof in the environment , This shows that in PoS in Optimistic Rollup The risk of censorship attacks is at least as high as PoW As high as .

A more realistic way to resist such attacks is in UASF( User activated soft bifurcation ) The rapid mobilization of communities in China , To force miners to include certain deals . From an engineering and social point of view , This kind of scene is complex , And will definitely require a relatively long challenge window , To provide proof of fraud , At least a week , Two weeks, best .

meanwhile , In view of the main DeFi Operators are in a good position to determine the outcome of this bifurcation , And it's in their best interest to avoid noisy interference . therefore , Their best choice may be to quietly follow the attacker ( This will keep Ethereum in the longest chain , And generate less controversy than successful soft forks ).

in general , The risk of fraud proof review is relatively low , But don't ignore .

Due to the existence 1-2 Weeks of fraud proof challenge , And there's not much money at stake ,Optimistic Rollup Maybe there is no problem : Operator, / The collusion of miners will not be worth the trouble and the risk . however , If rollup The rise in value in , The lurking black swan will become more and more worrying .

  • ZK Rollup

stay ZK Rollup in , Before it becomes effective , Every state transition goes through Rollup Smart contract verification . Strictly speaking , Operators cannot steal money or destroy Rollup state .ZK Rollup Depend on Layer 1 Anti censorship of , Just for its activity , Not for security . There's no need for anyone to monitor ZK Rollup, After block validation , User funds are always guaranteed to be recovered in the end , Even if operators refuse to cooperate .

therefore ,ZK Rollup More fully embodies the basic concept of the encryption world : Through cryptography and game theory incentive mechanism to replace the trusted party , To achieve flexibility . however , For the sake of completeness , I have to mention ZK Rollup Some unique potential risks .

Trusted settings

If in ZK Rollup Used in ZKP General trusted settings are required , Then we will come to the conclusion that “N One of the points ” The assumption of honest participants . Depending on the number and quality of participants , It could be an acceptable risk , It could also be an unacceptable risk . But safety is safe , That's why I don't have to trust efficiency SNARKs Why are you so excited about the latest developments , In especial Matter Labs Building on .


And Groth16 comparison , The latest generation of SNARKs More practical encryption primitives are being used .Matter Lab My work is based on FRI, So it can even be said that it has post quantum security . however , Calm down completely , Two mitigation strategies should be applied :

  • And RSA The challenge is similar to , You have to deploy a lot of bonuses with lower security parameters than the actual product version . If an actual attack is found , Researchers will overcome the challenge years before the product code is destroyed .

  • All state transitions must be made only by ZKR The carrier of the , and ZKR In essence, the operators of the network act as the protective layer of double verification .

Delay ( Time required to achieve verifiable finality )

  • Optimistic Rollup

Due to the problems mentioned in the security section above , Only in 1-2 During the challenge window of weekly fraud proof Optimistic Rollup Talent is safe . Before this time passes , No deal can be considered final , Inside Rollup tx And exit is not final .

Unfortunately , For end users , Check whether the transaction is final , There's no faster way to execute all transactions than through the last challenge period . Here's the thing to watch out for , Users cannot rely solely on game theory to ensure the finality of the block , Because of the vulnerability or ( Hacker intrusion ) It can still cause a reduction .

The final time of sex (PoW Next ):2 Zhou

The final time of sex (PoS Next ):1 Zhou

  • ZK Rollup

At present ZKP It's computationally intensive . at present , about 1000tx Block of , We can have... On normal server hardware 20 Minutes prove generation time . Ongoing GPU Proof program implementation (Matter Labs and Coda The implementation of ) It is expected that tx Speed up at least 10 times . In the near future , Dedicated hardware may have higher computing power . Final , We expect to see the finalization of the block completed in one minute .

The final sex time ( Now? ):20 minute

The final sex time ( future ):1 Within minutes

Rollup Quick confirmation within the transaction

In both types of Rollup in , By depositing a certain security deposit ( If the transaction is not included in the committed block , The margin will be reduced ), Operators can issue instant transaction confirmations to users . This provides an economic guarantee for finality .

There are limitations to this approach . It works well for the transfer of interchangeable tokens , But not for NFT And general contract request . The NFT There may be no market value , Or when the owners of these assets don't want to immediately... In any case “ sell ” it . The general contract request does not apply because if some previous transactions on the chain are restored , It's not easy to accurately quantify the value of money . A simple example : To accept the final price of the stable currency Oracle price broadcast , How much capital should operators pledge ?

Quick withdrawal of funds

Fast exit is similar to fast internal Rollup confirm . Operators can work with liquidity providers , To extract the exchangeable token to the user in real time , There's no need to wait to exit the deal in Rollup To be the ultimate deal in the world . This requires a lot of collateral , It's in direct proportion to the time it takes to achieve finality . Suppose to be right Optimistic Rollup Come on , The ultimate time of reality in the near future is 1 Zhou , and ZK Rollup by 5 minute , that ,Optimistic Rollup Will need 2000 Twice as much as ZK Rollup To support the same amount of withdrawals per week .


  • Optimistic Rollup

Optimistic Rollup Can support Layer 2 The etheric fang ( Mixers, etc ) Any privacy solution available on . since Optimistic Rollup Itself is also Layer 2, Any privacy solution implemented on it will serve as Layer 3. This can lead to more decentralized privacy services , And leads to smaller anonymous sets , This makes the utility of privacy very low ( We can even be in zcash It was observed on , By default, transactions are not hidden )

  • ZK Rollup

For real privacy , The system must support it by default . From the perspective of Technology ,ZK Rollup In some cases, it can easily support the private transaction of token transfer at the protocol level by default , You can also distinguish between public and private smart contracts .

meanwhile , Build completely anonymous zcash Style trading ( That is, it's not just the amount that's hidden , Also hide the participants in the transaction ), It will require change ZK Rollup The storage model of , From account based model to UTXO Model , It's going to create a lot of problems , And it's unlikely to happen .


Optimistic Rollup Currently in PoC Stage .( Blue fox notes :PoC It refers to the proof of concept stage . From a long-term and landing point of view , Blue fox notes are better ZK Rollup) We hope to achieve product level implementation soon . If it turns out that it's relatively easy to migrate existing code , that , The project will gradually begin to adopt it and build a new infrastructure :Layer 2 Support will appear in the wallet , The Oracle will start broadcasting to Optimistic Rollup etc. .

ZK Rollup Has become more mature in specific applications ( for example ERC20 Token transfer ), But it will gradually develop towards a fully universal smart contract . Final , Porting anything based on EVM and WASM Smart contract to ZK Rollup It is also possible , At the current speed of Technological Development , This can take years to complete .

For both types of Rollup, Similar infrastructure changes will happen in wallets 、 Oracle and other smart contract components . It requires a lot of work , With more projects on Layer 2 I'm interested in extension technology , The work will accelerate . since Optimistic Rollup Commitment is better than ZK Rollup It's based on EVM Smart contract , It will greatly promote community adoption of Layer 2 The motive of .

For users and dApp, From a Rollup Jump to another Rollup, It will be better than from ETH Initially moved to Layer 2 More easily . Bridging will make the process smoother . Because of the simplicity of this switching , The solution is UX There will be significant advantages , In the long run , It's likely to be the only winner .

Whatever the outcome , It's going to be a very important and exciting development . in any case , The ultimate winners are the Ethereum community .