In-depth understanding of the blockchain's second-tier expansion plan, Rollup: Why did Vitalik praise the plan?

Editor's Note: The original title was "In-depth Understanding of the Blockchain Two-Level Extension Rollup"

The author Zhu Guangyu is a blockchain enthusiast and a former Alibaba JVM expert. Now working at Westar Labs, he is engaged in the research and development of smart contract programming language and its execution engine.

background

Recently, Ethereum founder Vitalik Buterin praised the Rollup solution in an article titled "The Dawn of Hybrid Layer 2 Protocol" [1], and believed that it opened the door to the scalability of smart contracts. So what is Rollup? What mainstream solutions does it include? What are the advantages and disadvantages of each of these solutions? What are their future development prospects? In order to find the answers to these questions, the author did some research on related projects, and compiled the collected information into the following article.

The emergence of Rollup

In the past two years, Ethereum's Layer-2 capacity expansion technology has developed rapidly. The so-called second-tier technology is to store a part of the funds in the smart contract on the main chain as a guarantee. Under the premise of ensuring sufficient security and immutability, a part of the transactions are performed outside the main chain, as if there are more off-chain Second layer network. The two-tier schemes that perform better include state channels and Plasma sidechains. However, these two schemes are still a long way from being widely accepted. The reason behind them is the issue of data availability. What is data availability? Suppose you go to the casino to play poker, you need to go to the counter to exchange cash for chips. This can be understood as creating a status channel on the chain and depositing a deposit. Then you start playing poker, which is called off-chain trading. After winning a big hand, you want to cash out the chips and leave. Suddenly someone gives you a brain and then a sap. After waking up, the chips on the table are missing. You can't remember the details of the hand, so you can't recover the chips you have won. This is called "data unavailable". Regardless of the status channel or Plasma side chain, the complete transaction records and witness data are only stored off-chain. If a participant does not provide the correct transaction and witness data in a timely manner, the security of the transaction cannot be guaranteed. It's as if the player who played poker was slumped and forgot the details of the hand, it is difficult to recover his own chips. Even if the data is not lost, in the face of uncooperative opponents, a very complicated arbitration process is required.

When the second-tier capacity expansion technology was struggling, a developer proposed a new solution called Rollup. Unlike Plasma, it can "package" transactions, and post the "packaged" transaction data along with a SNARK zero-knowledge proof on the chain. The correctness of the packaging can be proven by SNARK, thus ensuring that it is impossible for operators to post malicious or invalid transactions. This is a two-tier capacity expansion plan that Zital Rollup later called Vitalik Buterin. ZK Rollup is not everything. The biggest problem it encounters is versatility. Unless the transaction to prove is very simple, the cost of creating a SNARK proof will be very high. Therefore, a compromise solution called Optimistic Rollup was proposed. Optimistic Rollup also puts transaction data on the chain, but instead of using SNARK for verification, it uses cryptoeconomics effectiveness games to achieve validity verification. We will introduce the principles of these two Rollup schemes in detail in the following sections.

working principle

The core idea of ​​Rollup is to publish the "packaged" transaction data blocks on the chain, thereby greatly reducing the difficulty of transaction validity verification. The on-chain and verification of transaction data are completed based on smart contracts. After the operator collects the off-chain transactions submitted by different participants, the script provided by the Rollup smart contract is executed on the chain, and the packaged transaction data blocks are submitted to the contract as parameters. The contract verification data is recorded for each participant. Account. This is equivalent to executing a batch of off-chain transactions, but only one transaction is executed on the chain.

The following figure is the packaging data submitted by ZK Rollup on the chain. It contains a set of compressed transaction data [Tx] (without any signature), a merkle tree root (Prev state root) that records the user's state before executing this batch of transactions, and a new merkle tree root (after New state root). In addition, it also contains a SNARK zero-knowledge proof, which the contract uses to verify that the batch of transactions [Tx] is applied on the Prev state and the result is the New state. If you are interested in how zero-knowledge proof works, you can refer to the article [2].

The cost of generating SNARK is very high, so Optimistic Rollup uses a different method-"proof of fraud" to verify transaction validity. The "proof of fraud" here is not witness data like SNARK, it actually refers to the Cryptoeconomic Validity Game. In other words, the operator does not need to accept the verification of the Rollup smart contract every time when publishing the new state tree root, everyone assumes that the state transition is correct. If someone issues an illegal state transition, other operators or participants can challenge the illegal transaction and roll back the incorrect block. In order to achieve "proof of fraud", it is not enough to have transaction data [Tx] like ZK Rollup. Tx data needs to include the signature of the transaction submitter. The contract verifies whether the transaction is legal by verifying the signature.

safety

Rollup's security comes from data availability and transaction effectiveness. With data availability and transaction validity, it is possible to guarantee that Rollup operators can never destroy the state or steal funds. Even if the operators do not cooperate, participants can easily recover assets on the Rollup network. Rollup publishes transaction data to the chain, just like the "anchor" anchors the Rollup network to the Ethereum main chain. It's like having a camera installed in the casino. Even if the poker player is beaten up, they can still prove through video records that they have indeed won.

For transaction validity verification, ZK Rollup and Optimistic Rollup have adopted different methods [3]. ZK Rollup uses zero-knowledge proofs to ensure transactions are valid. Its security is based on cryptography, and smart contracts will only accept state transitions after transaction data is proven to be correct. Each state transition has a zero-knowledge proof, which ensures that the chain always corresponds to a correct second-level state. Optimistic Rollup uses error proofs based on the validity game of cryptoeconomics. It does not need to provide proof for each state transition, only when someone thinks that the state transition is wrong. So it requires that the transaction parties must be online because silence will be considered as consent. Therefore, compared to ZK Rollup, the security of Optimistic Rollup is reduced. It needs to take additional measures to prevent acquiescence caused by DDoS attacks.

Scalability

Rollup can execute a large number of packaged off-chain transactions through one on-chain transaction. The main chain does not need to verify the validity of each transaction by executing each transaction, and the transaction data is published as function parameters. Discard it so that it doesn't take up Ethereum storage space. Therefore, Rollup can greatly improve the scalability of Ethereum.

However, this increase is not unlimited. Although there is only one on-chain transaction, it will be restricted by the gas cost of the transaction data itself. The gas cost of Ethereum data before the Istanbul upgrade was 68 units per byte, and each address on Ethereum would occupy 20 bytes, so the Ethereum transaction data structure to represent the gas cost of off-chain transactions would be very high, so Rollup compresses transaction data.

ZK Rollup uses merkle trees to record addresses in smart contracts, so that addresses can be expressed as tree index values, and the size of address data is reduced from the original 20 bytes to only 3 bytes to 4 bytes. Each transaction is compressed into 10 bytes, plus a SNARK of about 100-300 bytes. In theory, the Ethereum throughput can be increased from 32 TPS to about 680 TPS. After Istanbul upgrade, it can reach 2000 TPS. . The following figure is the format of each transaction data of ZK Rollup after compression:

Optimistic Rollup's throughput is theoretically only 100 TPS, the main reason is mentioned above. In order to support fraud proof, every transaction data of Optimistic Rollup needs to include the signature of the transaction submitter. The size of each signature is 64 bytes, which greatly increases the number of bytes of transaction data submitted to the chain, thereby quickly reaching the gas limit. In order to reduce the number of bytes of transaction data, a BLS aggregation signature mechanism was proposed. As shown in the figure below, the BLS aggregation signature mechanism is that after the operator collects all transactions, the packaged transaction is sent to each transaction submitter for signature. Because each signature is for the same data, it can be aggregated by the operator. Into a BSL signature. The contract data sent to the chain will be the compressed transaction data plus the aggregated BLS signature, thereby greatly reducing the gas consumed by the transaction data. The BLS signature can increase the throughput of Optimistic Rollup from 100 TPS to 450 TPS, and it can also reach 2000 TPS after the Istanbul upgrade.

delay

Optimistic Rollup is based on the validity game of cryptoeconomics. Only after the challenge period of 1-2 weeks can the transaction be validated. The delay of ZK Rollup is relatively small. If there are 1000 transactions in a packaged block, it takes about 20 minutes on an ordinary server to construct a proof. Developers have proposed many ways to reduce latency, such as using GPU acceleration to reduce the construction time of zero-knowledge proofs to 1 minute. There is also a method called "instant tx receipts". Both Rollup schemes are applicable. It is mainly completed by economic games, that is, the operator responsible for packaging needs to mortgage a portion of the security deposit. If a transaction is not packaged into the block, the money will be confiscated. In theory, the "instant transaction receipt" can reduce the transaction confirmation time to less than 1 second, but the implementation is relatively complicated and the security is reduced.

Versatility

In terms of generality, Optimistic Rollup is significantly better than ZK Rollup. Of course, its design goal is to support arbitrary smart contracts. ZK Rollup is currently only applicable to specific transactions such as payments. For general smart contracts, the cost of creating a zero-knowledge proof is very high, making deployment difficult. To improve efficiency, developers are developing specialized zero-knowledge proof virtual machines, such as ZEXE. It can shorten the time to create a certificate to some extent, but the disadvantage is that contract developers need a lot of expertise. The Matter Labs team is based on ZK Sync [4], a new generation of blockchain expansion scheme developed by ZK Rollup. It has designed and developed a sandbox virtual machine that generates zero-knowledge proofs in a commissioned manner. The technical details of the field can write efficient and secure smart contracts.

Summary and outlook

This article briefly introduces the working principle of the blockchain capacity expansion scheme Rollup, and compares and analyzes the advantages and disadvantages of the two Rollup schemes ZK Rollup and Optimistic Rollup in terms of scalability, latency, versatility, and security.

(Scalability * 2000 TPS after Istanbul upgrade; delay ** up to 1 second after optimization using "Instant Transaction Receipt")

According to the above comparative analysis, in the short term, Optimistic Rollup will be favored by developers due to its good generality; but in the long run, with the evolution of zero-knowledge proof virtual machines, ZK Rollup will continue to improve in generality. Can it dominate the future of smart contract scalability? This question can only be left to answer.

Reference article

1. "The Dawn of Hybrid Layer 2 Protocol" 2. "Zero-Knowledge Proof-Introduction to zkSNARK" 3. "Validity Proof and Error Proof" 4. "Introduction to ZK Sync"