Privacy solution ZK² Rollup: how to achieve high-speed, cheap privacy transactions on Ethereum

According to Ethereum co-founder Vitalik Buterin, the privacy protocol team Aztec is developing a ZK-ZK rollup scheme to achieve hundreds of private transactions per second on the Ethereum mainnet while lowering the cost of each private transaction.


Some readers may already know about the ZK rollup scheme. What, then, is a ZK-ZK rollup? Let's look at Aztec's official explanation:

What is ZK² Rollup

The Aztec team is carrying out R&D on a ZK-ZK Rollup for PLONK proofs, in order to reduce the gas cost of conducting private transactions on the Ethereum mainnet.

A traditional ZK Rollup uses the "succinctness" property of SNARKs to scale a public blockchain. The technique allows a large number of transactions to be "rolled up" into one aggregate transaction, so Ethereum can process 100 or 1000 transactions at once for roughly the gas cost of a single Ethereum transaction.

So ZK-SNARKs can be a core tool for scaling. In addition, we have come to realize that users can use ZK-SNARKs to protect their privacy. Can we have both?

The answer is: "yes".

Aztec is currently building ZK-ZK Rollup, or ZK² for short, so called because it contains two or more layers of SNARKs:

  1. The "lower-layer" ZK-SNARKs, each of which represents one private transaction;
  2. The "upper-layer" ZK-SNARK (i.e. the Rollup SNARK), which simply proves the correctness of the lower-layer SNARKs.

Note: the term is a little loose, because the "upper layer" does not actually need to be ZK (zero-knowledge): once the "lower-layer" SNARKs (the private transactions) have been created, the privacy of those transactions is already guaranteed. In fact, the rollup relies only on the "S" in the abbreviation "SNARK", which stands for "succinct". Verifying the private transactions individually is costly, so we replace them with one succinct rollup proof whose cost is then shared across all of the transactions.


100 transactions "aggregated" into a single SNARK proof

Aztec will soon allow you to send private transactions at 100 tps on the Ethereum mainnet, with both balance privacy and user privacy.

In the ideal case, rollup can theoretically reach 2,000 tps.

So why are private rollup transactions so difficult?

What makes ZK² Rollup so difficult?

1. Recursion: proofs of proofs

In a standard ZK rollup, the rollup SNARK fits the mathematics of SNARKs very well: the logic around transferring public tokens can be readily expressed as an "arithmetic circuit".

But for a ZK² Rollup, you need to verify one SNARK proof (the lower-layer privacy SNARK) inside another SNARK circuit (the upper-layer Rollup SNARK).

This is called recursion (meaning proving the behavior of SNARKs within SNARKs).

Recursion is difficult because you either need very special mathematical conditions, or you face a mountain of computation.

Specifically, you need one of the following:

  1. Finding so-called "pairing-friendly" curve cycles. These are very rare, and where they exist their security is low, so you must choose a very large and computationally expensive field to describe them (for example, the MNT4 and MNT6 curves); or
  2. Simulating binary arithmetic inside the circuit and using that binary arithmetic to emulate prime-field operations. This requires extensive use of range proofs, and range proofs are costly.

2. State updates

Besides the computational disadvantage, managing state updates carries more overhead than in a public ZK Rollup. ZK² Rollups need more state updates and must send more data:

  1. In a standard (public) ZK Rollup, users can use an account-based model, which requires 2 state updates per transaction. However, to prevent statistical attacks, a privacy-preserving ZK² Rollup requires twice as much data: two state variables are added to the state tree and another two are added to the nullifier tree.
  2. Perhaps a bigger bottleneck is the data transmission requirement. Traditional rollups carry a payload of 4–8 bytes per transaction, while privacy rollups carry 32–64 bytes per transaction, and data on Ethereum is still expensive.
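The 2-versus-4 update count above, as an added toy model (constructed for this article, not Aztec's code): every private transfer has a fixed two-input, two-output shape padded with dummy notes, publishing two nullifiers and two commitments, while an account transfer touches two balances. The hash, note encoding and class names are illustrative assumptions.

```python
import hashlib
import secrets
from typing import List, Optional, Set

# Constructed toy model, not Aztec's code: why a privacy rollup pays four
# tree updates per transaction where an account-based public rollup pays two.

def h(*parts: bytes) -> bytes:
    """32-byte hash; SHA-256 stands in for whatever hash the circuit uses."""
    return hashlib.sha256(b"".join(parts)).digest()

class Note:
    """A private 'UTXO': a value plus a random blinding factor known only to the owner."""
    def __init__(self, value: int, blinding: Optional[bytes] = None):
        self.value = value
        self.blinding = blinding if blinding is not None else secrets.token_bytes(32)

    def commitment(self) -> bytes:      # leaf added to the state (note) tree
        return h(self.value.to_bytes(16, "big"), self.blinding)

    def nullifier(self) -> bytes:       # leaf added to the nullifier tree when spent
        return h(b"nullifier", self.commitment())

class PrivateRollupState:
    def __init__(self) -> None:
        self.state_tree: List[bytes] = []        # append-only note commitments
        self.nullifier_tree: Set[bytes] = set()  # markers of spent notes

    def apply_private_tx(self, inputs: List[Note], outputs: List[Note]) -> int:
        """Apply one fixed-shape (2-in, 2-out) private transfer; return tree updates made.

        Unused slots are padded with zero-value dummy notes, so every transaction
        looks identical regardless of how many real notes it moves. Membership of
        the inputs in the state tree is what the lower-layer SNARK would prove; this
        toy only enforces the shape, value conservation and the double-spend check.
        """
        if len(inputs) != 2 or len(outputs) != 2:
            raise ValueError("private tx must have exactly 2 inputs and 2 outputs")
        if sum(n.value for n in inputs) != sum(n.value for n in outputs):
            raise ValueError("value not conserved")
        nullifiers = [n.nullifier() for n in inputs]
        if len(set(nullifiers)) != 2 or any(nf in self.nullifier_tree for nf in nullifiers):
            raise ValueError("double spend: nullifier already published")
        self.nullifier_tree.update(nullifiers)                   # 2 nullifier-tree updates
        self.state_tree.extend(n.commitment() for n in outputs)  # 2 state-tree updates
        return 4

def public_account_tx_updates() -> int:
    """Account model: debit the sender, credit the receiver."""
    return 2
```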

3. Provable randomness

Aztec also needs to verify the source of randomness (the magic that turns an "interactive proof" into a "non-interactive proof", so you don't have to endure a painful interaction with Ethereum every time you spend money).

This randomness means hashing, and hashing inside SNARKs is a real problem:

  1. SNARK-friendly hash algorithms (such as the Pedersen hash) lack the pseudo-randomness of traditional hash functions: change part of the input to a Pedersen hash and you know what happens to the output. Without this property we cannot easily generate numbers that the prover is unable to manipulate;
  2. We could move to the less widely accepted SNARK-friendly hash functions (such as Poseidon or Rescue), but "well-established" and "widely adopted" are the two properties on which our confidence in cryptographic primitives rests, and it may be too early to deploy these unproven hash functions in a cryptosystem that protects value;
  3. Therefore we have no choice but to fall back on SNARK-"unfriendly" hash algorithms (such as Blake2 or SHA256), which make heavy use of binary logic and range proofs.
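Point 1 above, as an added illustration (constructed for this article, not Aztec's code): a Pedersen-style hash is a linear function of its inputs, so shifting one input moves the output by a factor that anyone can compute without knowing the inputs, whereas the same shift moves a SHA-256 output in an unrelated way each time. The prime, the group elements G1 and G2 and the function names are toy assumptions, not secure parameters.

```python
import hashlib
import secrets

# Constructed toy, not Aztec's code: a Pedersen-style hash over the multiplicative
# group mod a prime, beside SHA-256, showing why the former's output moves in a
# predictable way when an input changes (and so cannot serve as a challenge that
# the prover is unable to steer). Toy-sized parameters, not secure ones.

P = 2**127 - 1        # Mersenne prime defining the group Z_P^*
ORDER = P - 1         # group order
G1, G2 = 3, 7         # two fixed group elements (discrete-log relation assumed unknown)

def pedersen(x1: int, x2: int) -> int:
    """Toy Pedersen hash: H(x1, x2) = G1^x1 * G2^x2 mod P."""
    return (pow(G1, x1, P) * pow(G2, x2, P)) % P

def sha256_mod_p(x1: int, x2: int) -> int:
    """SHA-256 of the same two inputs, reduced mod P so both hashes share one range."""
    data = x1.to_bytes(16, "big") + x2.to_bytes(16, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % P

def predict_shift(old_hash: int, d: int) -> int:
    """Pedersen is homomorphic: H(x1 + d, x2) = H(x1, x2) * G1^d.

    Anyone holding the old hash predicts the new one without knowing x1 or x2.
    """
    return (old_hash * pow(G1, d, P)) % P

def shift_ratio(hash_fn, x1: int, x2: int, d: int) -> int:
    """H(x1 + d, x2) / H(x1, x2) mod P; a constant iff the hash is linear in x1."""
    return (hash_fn(x1 + d, x2) * pow(hash_fn(x1, x2), -1, P)) % P

def ratio_is_input_independent(hash_fn, d: int = 1, trials: int = 4) -> bool:
    """True when changing x1 by d moves the output the same way for random inputs."""
    ratios = {
        shift_ratio(hash_fn, secrets.randbelow(ORDER), secrets.randbelow(ORDER), d)
        for _ in range(trials)
    }
    return len(ratios) == 1
```

A challenge derived from the SHA-256 side gives the prover nothing but blind re-trials, which is exactly the "unfriendly" cost the article accepts.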

However, Aztec made several key R&D breakthroughs in 2020, including its most recently published research paper, PLOOKUP, which enables practitioners to perform non-SNARK-friendly operations efficiently inside SNARKs.

Combined with other innovations, this has broken open the door to recursion.

PLONK: a new ZK standard

It is reported that Aztec's SNARK proofs are constructed using a recent mathematical result called PLONK, created by the company's CTO Zac Williamson and its current chief scientist Ariel Gabizon.

Over the past few months, a number of leading scalability and privacy projects have opted to join the PLONK ecosystem, including:

  1. Dusk Network recently announced that they are switching to PLONK;
  2. Matter Labs is implementing PLONK in a transparent-setup setting.

Aztec's universal SNARK system describes a new way of wiring circuits (R1CS is the existing standard), and switching standards always comes at a cost, since it requires rewriting industry-standard code bases. With the launch of TurboPLONK, an accepted standard for choosing "custom gates" is still only in the early stages of taking shape.