Arbitrum recently released a great post arguing that Optimistic Rollups (OR) represent the future of Ethereum, since they offer inherent scalability and cost advantages over ZK Rollups (ZKR). Their piece is well-written and worth reading.
In the spirit of friendly debate, we’d like to present a different perspective. Polygon has committed $1 billion to ZK efforts, reflecting our conviction that it represents the most promising path to scaling Ethereum.
While optimistic rollups have the advantage of being ready now, we believe that ZK scaling solutions offer two structural advantages:
It became obvious in 2021, in part from Polygon’s rapid growth, that different users prefer different tradeoffs between security and transaction cost. Optimistic rollups offer security but transaction fees are much higher than on sidechains or alt-L1s.
ZK doesn’t require users to make a specific tradeoff between security and cost. When users opt for rollup mode, ZK offers equivalent security and improved capital efficiency relative to optimistic rollups. When data is off-chain, ZK offers greater scalability and security than sidechains and alt-L1s, with the same low fees.
We believe that ZK’s scalability, low cost, and capital efficiency make it the best option to scale Ethereum to a billion users.
Rollups are an approach to scaling Ethereum where transaction execution is moved off-chain, but Ethereum guarantees the validity of every transaction. In effect, we can deposit funds in a smart contract and cheaply interact with those funds on the rollup, with a guarantee that our funds are as safe as if we were transacting on Ethereum.
This is possible because rollups use Ethereum for data availability and transaction validation. All data required to recover the latest state of the rollup and add new transactions is posted to Ethereum, and transactions are validated with fraud or validity proofs.
The fraud proof mechanism used in OR requires that funds be locked for a dispute period (currently a week for Arbitrum and Optimism). If an invalid transaction is included in a rollup, anyone can submit a fraud proof during the dispute period and revert it. By contrast, ZK rollups include a validity proof that cryptographically guarantees that all transactions are valid, eliminating the need for any delays.
The State of ZK
First, we concede that ZK rollups haven’t quite measured up to the hype yet. We’re still waiting for ZK rollups that support general smart contracts to go live in production, and the proving systems currently in use are inefficient.
However, if we’re focused on the future, ZK cryptography is developing at an incredible rate. Recursive proofs, an important primitive for scalable and decentralized ZK rollups, were merely theoretical a decade ago. Two years ago, a recursive proof took two minutes to generate. But today, thanks to plonky2, a breakthrough proving system created by the Polygon Zero team, we measure proving times in milliseconds. A recursive proof takes 170ms to generate on a laptop, and we anticipate that proving time and cost will continue to decrease.
Read more: Introducing Plonky2
The Arbitrum post argues that proof generation incurs a huge cost that will be borne by users, as it involves thousands of expensive elliptic curve operations, and thus requires massive parallelization or expensive hardware. However, plonky2 doesn’t use elliptic curves at all, and our benchmarks are performed on a laptop.
In fact, rollup costs are dominated by the cost of CALLDATA. We can see this from current transaction fees on Arbitrum, where a token swap costs around $4 . For comparison, even assuming that it takes ten minutes (an extremely high estimate for Polygon Zero) to prove a swap on a c6g.8xlarge instance with 32 cores and 64gb of RAM, the added cost is just $0.18.
This isn’t a meaningful cost relative to CALLDATA and, as we’ll see, it’s outweighed by the other advantages of ZK. Given how quickly ZK tech is developing, we believe that it would be shortsighted to bet against ZK scaling.
Different users make different tradeoffs between cost and security on blockchains. Millions of people use the Polygon PoS chain for low fees and high throughput, even though transaction validity isn’t guaranteed in the same way as on a rollup.
We believe that millions of users will opt to use scaling solutions where data is kept off-chain instead of rollups. A ValidiumCredit to Starkware for inventing this term is similar to a ZK-rollup in that a validity proof is posted to Ethereum to guarantee transaction validity, but data is kept off-chain to save on CALLDATA costs. There are many benefits to the Validium approach:
ZK scaling opens the design space for L2 to include Validia, which offers massively higher throughput over both optimistic and ZK rollups, with a cryptographic guarantee that funds can’t be stolen.
A (Very) Hypothetical Attack on Validia
ZK skeptics will note that in theory, even though the validators on a Validium can’t directly steal user funds, they can launch an attack against users whereby they withhold the latest state of the chain and refuse to process new transactions. Validators could thus take user funds hostage. However, this problem strikes us as overstated.
First, a data withholding attack would require participation from two-thirds of validators, meaning a huge amount of staked value would be put at risk. The attack would crash the token price, decimating the value of the attackers’ own staked tokens and eliminating all future fee revenue. Since validators can’t steal user funds directly, they would need to coordinate ransom payouts from affected users, so the payout is uncertain. Moreover, whales are likely to stay in rollup mode, so attackers would need to successfully extract ransoms from a large number of users to cover the loss of stake. It’s difficult to see how this attack could possibly be profitable in practice.
Further Scalability Advantages
Beyond the huge scalability benefits offered by Validia, ZK rollups are also more scalable than OR, as they offer developers the option to reduce CALLDATA usage for lower fees, without sacrificing security. All rollups are required to post the minimal data required to rebuild the latest state, but ORs are forced to post all data required to validate each individual transaction to Ethereum. By contrast, ZKR can post the minimal state delta for each batch of transactions to Ethereum, posting only the information needed to recover the final state of accounts. This is important for compressing state updates for contracts like AMM pools.
One response from OR partisans is that this compression is actually hiding important chain data, and that rollups should provide trustless visibility into the history of every transaction. I think that this argument misses an important point. While developers on ZKR can opt to post uncompressed CALLDATA for the few applications that require it, most apps and users will prefer lower fees instead, which is a tradeoff that only ZKR can provide.
Therefore, ZK offers scaling benefits for both on-chain and off-chain data availability. We have to offer users the ability to make cost and security tradeoffs if we’re going to bring Ethereum to a billion people.
OR require a dispute period, usually lasting a week, which imposes a withdrawal delay for users wishing to exit the rollup. There’s been some bad-faith criticism of the withdrawal delay, including hypothetical weeklong censorship attacks by Ethereum miners or validators, which seem extremely implausible.
However, the withdrawal delay does introduce capital inefficiency. Early withdrawals are possible, but market makers can’t completely eliminate capital inefficiency, especially at scale. A week is an extremely long time when faced with crypto volatility, and if there’s an imbalance between liquidity entering and exiting the OR, then liquidity providers will need to accept the risk of holding locked funds for the duration of the withdrawal period. While liquidity providers will compete to offer low fees for fast withdrawals, they’ll face significant opportunity cost for locked funds that must be passed on to users.
By contrast, ZK scaling solutions allow users to withdraw funds whenever a proof is posted to Ethereum, eliminating the need for liquidity providers and improving capital efficiency. The Arbitrum post claims that ZK rollups only have an advantage when bridging to Ethereum L1, but validity proofs can be checked on other chains as well, guaranteeing transaction validity and fast withdrawals.
It’s true that ZK rollups face several disadvantages. Our colleagues at Polygon Hermez are making impressive progress toward a full zkEVM rollup, where execution of EVM bytecode is directly verified with a validity proof. Other teams focused on compiling Solidity to a ZK-friendly bytecode, such as our team at Polygon Zero or Polygon Miden, StarkWare, and zkSync, may face challenges in using existing Ethereum developer tools.
But in practice, the vast majority of Solidity code should behave identically, as the modifications that we make to move from EVM to ZK bytecode don’t really affect functionality and mainly involve replacing primitives that are expensive to compute in an arithmetic circuit, like Keccak-256, with primitives that are arithmetic circuit-friendly.
Ultimately, the structural advantages that ZK scaling offers should provide a sufficient incentive to improve and adapt developer tooling to make it easier to deploy on ZK L2s.
In sum, we believe that ZK scaling is the future of Ethereum. Optimistic rollups are an amazing technology and they offer an immediate solution to the high gas fees plaguing Ethereum (go try them out!). But, they impose a particular tradeoff on users, whereby security comes at the expense of higher fees and capital inefficiency.
By contrast, ZK accommodates many different types of users, from fee-insensitive whales transacting in rollup mode, to users making lower-value transactions in validium mode. ZK offers the best route to bringing Ethereum to a billion users.
ZK also has benefits beyond scalability and capital efficiency. ORs are limited by what’s possible on L1, since fraud proofs must be able to be executed on Ethereum. ZK doesn’t face this limitation. We can use different signature schemes (did someone mention the P-256 curve used in the Apple Secure Enclave?) and primitives that aren’t supported by the L1Arbitrum can support primitives that aren’t supported in the EVM on the AVM, via interactive fraud proofs, though other ORs cannot. Users can do things like batching transactions in private on L2 to access L1 liquidity at lower cost, an approach pioneered by Aztec.
There is no standardized measure of how many Zero Knowledge (ZK) rollup projects are in development. By one count, it's more than 300. By another it's closer to 20. But by either metric, the overwhelming majority of ZK rollups are still maturing. And as these rollups mature to testnet and mainnet, they will be faced...
The ZK Whiteboard Sessions recently published Module 13 of their dev-driven educational series for everything Zero Knowledge. The episode, titled “Fast Recursion with Plonky2,” features Polygon’s own Brendan Farmer and William Borgeaud, part of the team working on Plonky2. Unveiled by Polygon in January, Plonky2 represented a major step forward for ZK proving systems. That...
As part of our ongoing efforts to inform the Ethereum community about the efforts of Polygon’s zero-knowledge (ZK) teams, we will be posting a series of technical papers by our engineers and researchers. We hope that everyone who’s interested in the inner workings of Polygon’s ZK projects, Ethereum itself, and cryptographic engineering in general will...