arrow-up
social social social

ZK and the Future of Ethereum Scaling

Polygon Team
Polygon Team
Jan 19, 2022
Polygon PoS

Arbitrum recently released a great post arguing that Optimistic Rollups (OR) represent the future of Ethereum, since they offer inherent scalability and cost advantages over ZK Rollups (ZKR). Their piece is well-written and worth reading.

In the spirit of friendly debate, we’d like to present a different perspective. Polygon has committed $1 billion to ZK efforts, reflecting our conviction that it represents the most promising path to scaling Ethereum.

While optimistic rollups have the advantage of being ready now, we believe that ZK scaling solutions offer two structural advantages:

  • They support scaling with on-chain and off-chain data modes, with the latter offering far higher throughput than any rollup and much lower fees. 
  • They allow users to bridge back and forth from Ethereum without delays or reliance on liquidity providers.

It became obvious in 2021, in part from Polygon’s rapid growth, that different users prefer different tradeoffs between security and transaction cost. Optimistic rollups offer security but transaction fees are much higher than on sidechains or alt-L1s.

ZK doesn’t require users to make a specific tradeoff between security and cost. When users opt for rollup mode, ZK offers equivalent security and improved capital efficiency relative to optimistic rollups. When data is off-chain, ZK offers greater scalability and security than sidechains and alt-L1s, with the same low fees. 

We believe that ZK’s scalability, low cost, and capital efficiency make it the best option to scale Ethereum to a billion users.

Rollup Recap

Rollups are an approach to scaling Ethereum where transaction execution is moved off-chain, but Ethereum guarantees the validity of every transaction. In effect, we can deposit funds in a smart contract and cheaply interact with those funds on the rollup, with a guarantee that our funds are as safe as if we were transacting on Ethereum. 

This is possible because rollups use Ethereum for data availability and transaction validation. All data required to recover the latest state of the rollup and add new transactions is posted to Ethereum, and transactions are validated with fraud or validity proofs.

The fraud proof mechanism used in OR requires that funds be locked for a dispute period (currently a week for Arbitrum and Optimism). If an invalid transaction is included in a rollup, anyone can submit a fraud proof during the dispute period and revert it. By contrast, ZK rollups include a validity proof that cryptographically guarantees that all transactions are valid, eliminating the need for any delays.

The State of ZK

First, we concede that ZK rollups haven’t quite measured up to the hype yet. We’re still waiting for ZK rollups that support general smart contracts to go live in production, and the proving systems currently in use are inefficient.

However, if we’re focused on the future, ZK cryptography is developing at an incredible rate. Recursive proofs, an important primitive for scalable and decentralized ZK rollups, were merely theoretical a decade ago. Two years ago, a recursive proof took two minutes to generate. But today, thanks to plonky2, a breakthrough proving system created by the Polygon Zero team, we measure proving times in milliseconds. A recursive proof takes 170ms to generate on a laptop, and we anticipate that proving time and cost will continue to decrease.

Read more: Introducing Plonky2

The Arbitrum post argues that proof generation incurs a huge cost that will be borne by users, as it involves thousands of expensive elliptic curve operations, and thus requires massive parallelization or expensive hardware. However, plonky2 doesn’t use elliptic curves at all, and our benchmarks are performed on a laptop.

In fact, rollup costs are dominated by the cost of CALLDATA. We can see this from current transaction fees on Arbitrum, where a token swap costs around $4 . For comparison, even assuming that it takes ten minutes (an extremely high estimate for Polygon Zero) to prove a swap on a c6g.8xlarge instance with 32 cores and 64gb of RAM, the added cost is just $0.18.

This isn’t a meaningful cost relative to CALLDATA and, as we’ll see, it’s outweighed by the other advantages of ZK. Given how quickly ZK tech is developing, we believe that it would be shortsighted to bet against ZK scaling.

Validia

Different users make different tradeoffs between cost and security on blockchains. Millions of people use the Polygon PoS chain for low fees and high throughput, even though transaction validity isn’t guaranteed in the same way as on a rollup.

We believe that millions of users will opt to use scaling solutions where data is kept off-chain instead of rollups. A Validium[1]Credit to Starkware for inventing this term is similar to a ZK-rollup in that a validity proof is posted to Ethereum to guarantee transaction validity, but data is kept off-chain to save on CALLDATA costs. There are many benefits to the Validium approach: 

  • We’re no longer limited by blocksize limits for CALLDATA, so we can scale to 100x+ higher throughput than on a rollup.
  • Fees are much lower
  • Fee volatility should be lower, as Validia consume far less gas, so users shouldn’t be caught in inter-rollup bidding wars over blockspace

ZK scaling opens the design space for L2 to include Validia, which offers massively higher throughput over both optimistic and ZK rollups, with a cryptographic guarantee that funds can’t be stolen. 

A (Very) Hypothetical Attack on Validia

ZK skeptics will note that in theory, even though the validators on a Validium can’t directly steal user funds, they can launch an attack against users whereby they withhold the latest state of the chain and refuse to process new transactions. Validators could thus take user funds hostage. However, this problem strikes us as overstated.

First, a data withholding attack would require participation from two-thirds of validators, meaning a huge amount of staked value would be put at risk. The attack would crash the token price, decimating the value of the attackers’ own staked tokens and eliminating all future fee revenue. Since validators can’t steal user funds directly, they would need to coordinate ransom payouts from affected users, so the payout is uncertain. Moreover, whales are likely to stay in rollup mode, so attackers would need to successfully extract ransoms from a large number of users to cover the loss of stake. It’s difficult to see how this attack could possibly be profitable in practice.

Further Scalability Advantages

Beyond the huge scalability benefits offered by Validia, ZK rollups are also more scalable than OR, as they offer developers the option to reduce CALLDATA usage for lower fees, without sacrificing security. All rollups are required to post the minimal data required to rebuild the latest state, but ORs are forced to post all data required to validate each individual transaction to Ethereum. By contrast, ZKR can post the minimal state delta for each batch of transactions to Ethereum, posting only the information needed to recover the final state of accounts. This is important for compressing state updates for contracts like AMM pools.

One response from OR partisans is that this compression is actually hiding important chain data, and that rollups should provide trustless visibility into the history of every transaction. I think that this argument misses an important point. While developers on ZKR can opt to post uncompressed CALLDATA for the few applications that require it, most apps and users will prefer lower fees instead, which is a tradeoff that only ZKR can provide. 

Therefore, ZK offers scaling benefits for both on-chain and off-chain data availability. We have to offer users the ability to make cost and security tradeoffs if we’re going to bring Ethereum to a billion people.

Capital Efficiency

OR require a dispute period, usually lasting a week, which imposes a withdrawal delay for users wishing to exit the rollup. There’s been some bad-faith criticism of the withdrawal delay, including hypothetical weeklong censorship attacks by Ethereum miners or validators, which seem extremely implausible.

However, the withdrawal delay does introduce capital inefficiency. Early withdrawals are possible, but market makers can’t completely eliminate capital inefficiency, especially at scale. A week is an extremely long time when faced with crypto volatility, and if there’s an imbalance between liquidity entering and exiting the OR, then liquidity providers will need to accept the risk of holding locked funds for the duration of the withdrawal period. While liquidity providers will compete to offer low fees for fast withdrawals, they’ll face significant opportunity cost for locked funds that must be passed on to users.

By contrast, ZK scaling solutions allow users to withdraw funds whenever a proof is posted to Ethereum, eliminating the need for liquidity providers and improving capital efficiency. The Arbitrum post claims that ZK rollups only have an advantage when bridging to Ethereum L1, but validity proofs can be checked on other chains as well, guaranteeing transaction validity and fast withdrawals.

ZK Drawbacks

It’s true that ZK rollups face several disadvantages. Our colleagues at Polygon Hermez are making impressive progress toward a full zkEVM rollup, where execution of EVM bytecode is directly verified with a validity proof. Other teams focused on compiling Solidity to a ZK-friendly bytecode, such as our team at Polygon Zero or Polygon Miden, StarkWare, and zkSync, may face challenges in using existing Ethereum developer tools.

But in practice, the vast majority of Solidity code should behave identically, as the modifications that we make to move from EVM to ZK bytecode don’t really affect functionality and mainly involve replacing primitives that are expensive to compute in an arithmetic circuit, like Keccak-256, with primitives that are arithmetic circuit-friendly.

Ultimately, the structural advantages that ZK scaling offers should provide a sufficient incentive to improve and adapt developer tooling to make it easier to deploy on ZK L2s.

Conclusion

In sum, we believe that ZK scaling is the future of Ethereum. Optimistic rollups are an amazing technology and they offer an immediate solution to the high gas fees plaguing Ethereum (go try them out!). But, they impose a particular tradeoff on users, whereby security comes at the expense of higher fees and capital inefficiency.

By contrast, ZK accommodates many different types of users, from fee-insensitive whales transacting in rollup mode, to users making lower-value transactions in validium mode. ZK offers the best route to bringing Ethereum to a billion users.

ZK also has benefits beyond scalability and capital efficiency. ORs are limited by what’s possible on L1, since fraud proofs must be able to be executed on Ethereum. ZK doesn’t face this limitation. We can use different signature schemes (did someone mention the P-256 curve used in the Apple Secure Enclave?) and primitives that aren’t supported by the L1[2]Arbitrum can support primitives that aren’t supported in the EVM on the AVM, via interactive fraud proofs, though other ORs cannot. Users can do things like batching transactions in private on L2 to access L1 liquidity at lower cost, an approach pioneered by Aztec. 

ZK has a bright future. Join us on Github or tune in to our blog to learn more about zero-knowledge proofs. Let’s bring the world to Ethereum!

Website | Twitter | Ecosystem Twitter | Developer Twitter | Studios Twitter | Telegram | LinkedIn | Reddit | Discord | Instagram | Facebook

References

References
1 Credit to Starkware for inventing this term
2 Arbitrum can support primitives that aren’t supported in the EVM on the AVM, via interactive fraud proofs, though other ORs cannot

Sign up for our Newsletter

More from Polygon blogs