Detailed explanation of Polygon's full-stack zk expansion scheme
Polygon has made a heavy commitment of $1 billion for zk expansion. Although the four expansion plans are all based on zk technology, each has its own advantages and different strategies. So, what are the specific technical characteristics and development progress of these four schemes?
For a long time, the Ethereum L2 battle has centered on ZK rollups and Optimistic rollups. Because of OP's EVM compatibility and mature technology, it is easier for project developers to adopt, so OP is currently the more general and mainstream approach. According to L2BEAT data, just three projects using the OP solution, Arbitrum, Optimism and Metis, account for 70.8% of the L2 market share. ZK rollups, by contrast, have a relatively low adoption rate and market share due to their high development difficulty and slow technological progress.
As the Ethereum expansion plan with the highest total lock-up volume at present, Polygon firmly bets the future of expansion on zk technology. Last year, Polygon acquired Hermez and Mir generously, and made a heavy commitment of $1 billion for the expansion of zk.
Now, Polygon has a "full set" of zk expansion plans, namely Hermez, Nightfall, Miden and Zero. Although the four expansion schemes are all based on zk technology, each has its own merits and strategies. So, what are the specific technical characteristics and development progress of these four schemes? Which one is more likely to be killed first?
In this article, we will discuss these four zk solutions in detail, including their development history, operation mechanism, and development progress. The following content is compiled from the Medium series of articles on Polygon research by Polygon DAO columnist Pedro. The chain catcher has made appropriate simplifications and additions to facilitate understanding on the basis of the original text.
Polygon Zero is a ZK L2 solution powered by Plonky2, the fastest and most efficient recursive proof system. Formerly known as the Mir protocol, it was built in 2019 by Predicate Labs, founded by Brendan Farmer and Daniel Lubarov. The distinguishing feature of the Mir protocol is that recursive ZKP (zk-proof) verification is generated during the execution of the program. In short, recursive proofs are like generative proofs, used to verify that a set of transaction proofs is valid.
Recursive proofs are a very young technique, first introduced theoretically in 2014. In 2019, Mir was able to generate a recursive proof in 2 minutes, which is obviously not a short time and lacks scalability.
In 2020, thanks to the exploration of the Aztec team, Mir made a huge breakthrough, achieving the generation of recursive proofs in 60 seconds. Building on this, the Mir team developed Plonky, which allows the Mir protocol to generate recursive proofs in 15 seconds.
In December 2021, Polygon acquired Mir for $400 million, and the protocol was renamed Polygon Zero. The original idea of a zk-enabled independent L1 chain that Mir was building became a distributed zk-rollup on top of Polygon.
In January, Polygon Zero released Plonky2, a technique that generates recursive proofs in less than 170 milliseconds on a MacBook Pro. This is the fastest recursive proof ever. This breakthrough in recursive proofs will also serve Polygon Zero: Plonky2 will support the most scalable zkEVM.
Plonky2 is an iteration of Plonky1, which, as mentioned earlier, builds on the verification system built by Aztec in 2020.
One thing in common between these three is Plonk, so we need to figure out what Plonk is first.
ZKP refers to generating a proof of the validity of a computation without revealing the relevant information. No information is leaked; only the proof is generated.
The two main ZKPs are SNARKs and STARKs (since these two proof systems will be mentioned repeatedly below, the chain catcher has added a detailed comparison of the two here). The main differences between the two include: SNARKs rely on elliptic curves for security, while STARKs rely on hash functions for security, and the use of hash functions means quantum resistance.
SNARK proofs are smaller, which means less data storage on-chain and less gas paid by end users. While SNARKs are more developer-friendly, STARKs offer some unique advantages, such as being more transparent, not requiring a trusted setup, and being "quantum safe" with greater potential in the future. These advantages have also led Vitalik to say that STARK is actually a "newer and more dazzling" technology.
Because SNARKs were proposed and put into use as early as 2012, while STARKs were only proposed in 2018, SNARKs have a great first-mover advantage in adoption. Currently Zcash, Loopring and JPMorgan Chase all adopt SNARK technology, and because of this widespread adoption, SNARKs have more released code, developer libraries, projects and developers. But STARKs, as a rising star, are also being adopted by more projects because of their unique advantages.
Plonk is the name of the proof system, which is a type of SNARK proof system.
Next, I will analyze several different types of scenarios combined with Plonk:
Aztec's recursive proof time using Plonk + KZG is 60 seconds;
Plonky1 uses Plonk + Halo, and the recursive proof time is 15 seconds. Halo, first introduced by Zcash in 2019, is the first recursive proof scheme that does not require a trusted setup. But the disadvantage of Halo is that it is not compatible with Ethereum, which is why Mir initially wanted to build an independent L1 chain;
Plonky2 uses Plonk + FRI with a recursive proof time of 170ms. In 2021, Polygon Zero head Daniel Lubarov proposed combining FRI with Plonk.
FRI is a scheme for STARK, which means that by using FRI, Plonk becomes a STARK (Plonk was originally a type of SNARK), which also means increasing the transparency of the system. At the time, there was only one project (Fractal) that had implemented recursive FRI proofs, which had a proof time of about 10 minutes and was not scalable.
To keep things fast, Polygon Zero took the first version of Plonky and replaced Halo with FRI. As can be seen from the above chart, the proof speed of FRI is "variable", the less data submitted, the faster the proof will be obtained. But less data means less security.
As mentioned earlier, Polygon Zero is ultimately building the most scalable zkEVM powered by Plonky2.
That is, each zk-rollup requires a zkEVM to actually handle the computation. The zkEVM for Polygon Zero's zk-rollup will be powered by Plonky2, the most efficient and fastest zk proof system available.
Developers will be able to deploy smart contracts on top of Polygon Zero, leveraging not only the high performance of Polygon, but also the security of Ethereum. According to one of the founders, this L2 will allow building applications with more operations and features.
Most rollups, including Starkware, package transactions and generate a proof that every transaction in that package is valid.
Polygon Zero uses recursive proofs, so each transaction produces a bunch of very fast proofs at the same time. These individual transaction proofs are then bundled together to create larger proofs, ones that verify the validity of other proofs.
This means that Polygon Zero can scale horizontally. So if you have a bunch of machines generating these transaction proofs in parallel, adding more machines (e.g. Macbooks) can prove more transactions. By using recursive proofs, it is possible to scale to more transactions without the cost of time delay.
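The horizontal-scaling claim above can be checked with a small timing model. This is an added example, not Plonky2 or Polygon Zero code: it uses the 170 ms recursive proof time quoted in the article for each merge, while the per-transaction proof time, the pairwise tree shape and the level-by-level scheduling are assumptions.

```python
# Added illustration: a timing model, not Plonky2 or Polygon Zero code.
MERGE_MS = 170  # recursive proof time the article quotes for Plonky2


def aggregation_schedule(n_tx, machines, leaf_ms, merge_ms=MERGE_MS):
    """Model proving n_tx transactions on `machines` identical provers.

    Returns (total_ms, rounds); each round is (kind, jobs, waves, elapsed_ms).
    Assumption: a tree level starts only after the level below has finished.
    """
    if n_tx < 1 or machines < 1:
        raise ValueError("need at least one transaction and one machine")
    # Leaf level: one independent proof per transaction, run in waves.
    waves = -(-n_tx // machines)  # ceiling division
    rounds = [("leaf", n_tx, waves, waves * leaf_ms)]
    proofs = n_tx
    while proofs > 1:
        merges = proofs // 2  # each merge job verifies two child proofs
        waves = -(-merges // machines)
        rounds.append(("merge", merges, waves, waves * merge_ms))
        proofs = merges + proofs % 2  # an unpaired proof moves up unchanged
    total = sum(elapsed for _, _, _, elapsed in rounds)
    return total, rounds


def latency_floor_ms(n_tx, leaf_ms, merge_ms=MERGE_MS):
    """Latency with unlimited machines: one leaf wave plus one wave per level."""
    depth = (n_tx - 1).bit_length()  # ceil(log2(n_tx)) without floating point
    return leaf_ms + depth * merge_ms


if __name__ == "__main__":
    N_TX, LEAF_MS = 1024, 500  # constructed sample values, not measurements
    for m in (1, 32, 1024, 4096):
        total, _ = aggregation_schedule(N_TX, m, LEAF_MS)
        print(f"{m:>5} machines: {total / 1000:8.1f} s")
    print("floor:", latency_floor_ms(N_TX, LEAF_MS) / 1000, "s")
```

In this model, adding machines cuts latency almost linearly until every level fits in one wave; beyond that point the tree depth sets the floor, and extra machines only raise throughput.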
Five years ago, three MBA colleagues, Jordi Baylina, David Schwartz and Antoni Martin, started a company called Iden3. Their first project was a self-sovereign identity solution, at the time called "Self-Sovereign Identity" (Self Sovereign ID, SSI for short), which is actually the same concept as today's popular decentralized identity (DID).
But in the process of developing the SSI project, the three people gradually realized that in order to further make SSI mainstream, the existing blockchain must first be fully scalable. After this, the trio decided to turn to a new project, Hermez.
Hermez is a decentralized L2 rollup solution based on zk technology. Hermez 1.0 is a currently working payment platform that allows users to transfer any registered ERC-20 token from one Hermez account to another through a simple-to-use web or mobile interface. Last July, the team announced the development of zkEVM, Hermez 2.0, which when completed will bring a fully compatible zkEVM to Ethereum.
Last August, Polygon announced the acquisition of Hermez for $250 million. The new project will be named Polygon Hermez, and the tokens of the two projects, MATIC and HEZ, will be merged, and Hermez's 26 employees will also join Polygon's 80-person team.
Hermez started out as a zk-rollup focused on scaling payments and token transfers on Ethereum.
A rollup refers to packing a large number of transactions (thousands) and executing them off-chain at one time. When these thousands of transactions are executed off-chain, in the case of Hermez, a zk-SNARK is generated. The SNARK proves the validity of each transaction in the batch, and Ethereum subsequently verifies the SNARK rather than the individual transactions.
Compared with Optimistic rollup, zk rollup can take effect immediately, enabling instant withdrawal, while Optimistic rollup has to wait 7 days. This ability to efficiently verify proofs in constant time is at the heart of all zk rollups.
Hermez has a processing speed of 2000 TPS. According to the Hermez team, the processing speed will be greatly improved in the future.
Three different transactions are available on Hermez:
Deposit: Send any registered ERC-20 token from L1 Ethereum to L2 Hermez. Deposits require an Ethereum gas fee.
Transfers: Send any registered ERC-20 token from one Hermez account to another Hermez account in a very cheap and instant transaction.
Withdrawal: Send ERC-20 tokens from L2 Hermez back to L1 Ethereum. Withdrawals are subject to Ethereum gas fees.
One thing to be aware of when making withdrawals is that Hermez provides a protection mechanism, a “forced withdrawal” that allows users to transfer funds from L2 Hermez back to L1 Ethereum at any time, even if the coordinator is trying to do evil.
Coordinator and proof of donation
The coordinator is the Hermez version of the block producer. These people prove the validity of off-chain transactions by generating zk-proofs.
The coordinator is the party that bundles the transactions, aggregating all transaction requests into one unit. Each rollup batch executes thousands of transactions and then generates a zk-proof, which is then verified by the smart contract on Ethereum.
Hermez is decentralized because anyone can become a coordinator and earn rewards for serving. There can be any number of coordinators on the network at the same time, but only one can actually process transactions and receive rewards for any given period of time (10 minutes long).
The Hermez network selects the next coordinator through an auction process. Basically anyone can bid using MATIC tokens, and the highest bidder wins the right to process as many transactions as possible in 10 minutes until the next coordinator is selected. This is a very efficient process, as it requires the coordinator to process as many transactions as possible within those 10 minutes in order to earn more than the bid.
If a coordinator's bid fails, the MATIC tokens are returned to the original wallet. The funds from the successful bid are used for the following three purposes:
30% permanent destruction
40% for donation accounts managed by the Ethereum Foundation
30% goes to network incentives to help drive further adoption of the Hermez network.
It is worth mentioning that Hermez supports atomic transactions. An atomic transaction is a series of indivisible transactions: either all of them take place or none do. For example, Alice wants to send 1000 DAI to Bob in exchange for 1 ETH. In an atomic transaction, both must send tokens to each other before the transaction can succeed. If either step is missing, the transaction fails. This transaction method can therefore effectively prevent fraud.
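The Alice and Bob swap above, as an added example that is not Hermez code: a toy ledger that applies a group of transfers either atomically or leg by leg, so the loss that atomicity prevents becomes visible. The `Ledger` class, its method names and the balances are constructed for illustration.

```python
# Added illustration of all-or-nothing settlement; not Hermez's implementation.
class InsufficientFunds(Exception):
    pass


class Ledger:
    def __init__(self, balances):
        # balances: {account: {token: amount}}
        self.balances = {acct: dict(toks) for acct, toks in balances.items()}

    @staticmethod
    def _apply(state, sender, receiver, token, amount):
        if amount <= 0:
            raise ValueError("amount must be positive")
        have = state.get(sender, {}).get(token, 0)
        if have < amount:
            raise InsufficientFunds(f"{sender} has {have} {token}, needs {amount}")
        state[sender][token] = have - amount
        dest = state.setdefault(receiver, {})
        dest[token] = dest.get(token, 0) + amount

    def apply_atomic(self, transfers):
        """Apply every transfer or none of them; returns True on commit."""
        staged = {acct: dict(toks) for acct, toks in self.balances.items()}
        try:
            for sender, receiver, token, amount in transfers:
                self._apply(staged, sender, receiver, token, amount)
        except (InsufficientFunds, ValueError):
            return False  # staged copy is discarded, live balances untouched
        self.balances = staged  # all legs become visible together
        return True

    def apply_independent(self, transfers):
        """Non-atomic baseline: each leg settles alone; returns per-leg results."""
        results = []
        for sender, receiver, token, amount in transfers:
            try:
                self._apply(self.balances, sender, receiver, token, amount)
                results.append(True)
            except (InsufficientFunds, ValueError):
                results.append(False)
        return results


# Constructed scenario: Bob promises 1 ETH but holds none.
SWAP = [("alice", "bob", "DAI", 1000), ("bob", "alice", "ETH", 1)]
START = {"alice": {"DAI": 1000}, "bob": {"ETH": 0}}

if __name__ == "__main__":
    naive = Ledger(START)
    print("independent:", naive.apply_independent(SWAP), naive.balances)
    safe = Ledger(START)
    print("atomic:     ", safe.apply_atomic(SWAP), safe.balances)
```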
Last July, during the EthCC 4 conference, the Hermez team announced that it was developing zkEVM or Hermez 2.0.
We all know that the key reason Optimism is currently used on L2 while ZK has not really taken off is that ZK is not yet compatible with the EVM. zkEVM exists to solve this problem and run smart contracts on a zk-rollup.
At present, many projects are also developing zkEVM. In the Polygon ecosystem alone, there are two solutions, Polygon Zero and Polygon Hermez. However, each project is addressing this problem in a different way, and each project has its own tradeoffs.
Hermez is characterized by being compatible with Ethereum in terms of tools, ecosystem and security. This means that, ideally, smart contracts running on Ethereum can run on L2 Hermez, providing a frictionless experience for developers. As soon as Optimism and Arbitrum were launched, they attracted a number of projects and users to migrate. It’s not hard to imagine that when zk-rollup matures, there will be even stronger network effects.
Antoni Martin, founder of Hermez, describes zkEVM: "If you take advantage of the best parts of each solution, you can make the best car...". Therefore, Hermez used both SNARKS and STARKS ZKP solutions when developing zkEVM, striving for the best of both worlds.
Specifically, when Hermez processes transactions and produces new blocks off-chain, a STARK proof is generated, proving that these transactions are all valid. The problem with STARK proofs is that it is expensive to verify on-chain (Ethereum), and SNARKs come into play at this point. All it needs to do is to verify the validity of STARK proofs on Ethereum.
The diagram above shows the different capabilities provided by the Hermez zkEVM. Of course, 2.0 is still in the development process. According to the 2.0 roadmap released on the main network, Hermez 2.0 is planned to be launched on the public beta network in the first quarter of this year, and the main network is expected to be launched in the second quarter. Another important point is that Hermez 2.0 is developing a permissionless cross-chain bridge that allows users to transfer assets from Hermez L2 to other L2s.
Polygon launched Polygon Nightfall last September after a partnership with the global professional services and technology firm Ernst & Young (EY).
Ernst & Young announced the initial version of Nightfall in 2019, and unlike other zk solutions, Nightfall is a privacy-focused rollup, which Ernst & Young positions as “one of the most prominent privacy solutions on Ethereum.” Specifically, every transaction on Nightfall includes privacy, meaning that if Alice sends Bob an asset, others won't be able to see what the asset is, how much value it contains, or where it went.
The reason for the greater emphasis on transaction privacy is that Ernst & Young is targeting businesses. At first, Nightfall tried to build the first enterprise-grade blockchain directly on Ethereum, but finally found that it was too expensive to have privacy on the Ethereum mainnet, so it switched to L2 and finally chose to cooperate with Polygon.
The Polygon Nightfall jointly released by the two is Nightfall 3.0, a version reached after multiple iterations. Its most prominent feature is that it effectively combines the backbone concept of Optimistic Rollup with the zero-knowledge (ZK) cryptography commonly used in ZK-Rollups to achieve a fusion of scalability and privacy.
Polygon Nightfall is currently in the testnet phase and the mainnet is expected to go live this year.
Polygon Nightfall is essentially an Optimistic Rollup that utilizes zk encryption to protect privacy. The collaboration between Polygon and Ernst & Young focuses on building an industry chain using Nightfall technology, enabling companies to link to L1 at predictable low fees and under regulatory guidance.
The following picture shows the specific operation mechanism of Nightfall:
We can currently boil down the scalability bottleneck to "state" because of the high cost of storing data on-chain. Therefore, the goal of scaling solutions is to continuously reduce the amount of data stored on-chain. Nightfall employs a lower cost Optimistic rollup in reducing storage.
Usually, there is a 7-day challenge period when using the Optimistic rollup scheme, which means that it takes 7 days to withdraw from L2 to the Ethereum main network. Nightfall improves on this by giving users the option of an "instant withdrawal". It works as follows: a liquidity provider swaps positions with the user for the transaction, first advancing the user the funds required for the instant withdrawal and then holding the user's position during the 7-day waiting period.
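The position swap described above can be modelled as a small state machine. This is an added example, not Nightfall code: the `Bridge` class, the liquidity provider's fee and the rule that a successful challenge cancels the pending claim are modelling assumptions, chosen to show who carries the risk during the 7-day window.

```python
# Added illustration of an optimistic-rollup withdrawal with an LP advance.
from dataclasses import dataclass

DAY = 24 * 3600
CHALLENGE_PERIOD = 7 * DAY  # the 7-day window from the article, in seconds


@dataclass
class Withdrawal:
    amount: int
    payee: str  # who is paid when the withdrawal finalizes
    requested_at: int
    status: str = "pending"  # pending -> finalized | cancelled


class Bridge:
    def __init__(self, l1_balances):
        self.l1 = dict(l1_balances)
        self.withdrawals = {}

    def request(self, user, amount, now):
        wid = len(self.withdrawals)
        self.withdrawals[wid] = Withdrawal(amount, user, now)
        return wid

    def advance(self, wid, lp, fee):
        """LP pays the user amount - fee immediately and takes over the claim."""
        w = self.withdrawals[wid]
        if w.status != "pending":
            raise ValueError("withdrawal is no longer pending")
        if not 0 <= fee < w.amount:
            raise ValueError("fee must be smaller than the amount")
        payout = w.amount - fee
        if self.l1.get(lp, 0) < payout:
            raise ValueError("liquidity provider cannot cover the payout")
        self.l1[lp] -= payout
        self.l1[w.payee] = self.l1.get(w.payee, 0) + payout
        w.payee = lp  # the position now belongs to the LP

    def challenge(self, wid, now):
        """Assumption: a successful challenge inside the window cancels the claim."""
        w = self.withdrawals[wid]
        if w.status != "pending" or now >= w.requested_at + CHALLENGE_PERIOD:
            return False
        w.status = "cancelled"
        return True

    def finalize(self, wid, now):
        w = self.withdrawals[wid]
        if w.status != "pending" or now < w.requested_at + CHALLENGE_PERIOD:
            return False
        self.l1[w.payee] = self.l1.get(w.payee, 0) + w.amount
        w.status = "finalized"
        return True


if __name__ == "__main__":
    bridge = Bridge({"lp": 1000})  # constructed balances
    wid = bridge.request("alice", 100, now=0)
    bridge.advance(wid, "lp", fee=2)
    print("after advance:", bridge.l1)  # Alice is paid on day 0
    print("finalize on day 7:", bridge.finalize(wid, now=7 * DAY), bridge.l1)
```

Under these assumptions the user is paid at once and the liquidity provider is repaid only if the window passes without a successful challenge, which is why a provider would want to validate the block before advancing funds.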
Nightfall wants transactions to be private at the same time. So, on Optimistic Rollup, Nightfall adds an additional zk privacy layer to keep transactions private.
Nightfall VS Aztec
The image above shows two different methods of enabling privacy. Polygon Nightfall on the left uses an Optimistic rollup with zk cryptography, and Aztec on the right uses a zk rollup with zk cryptography. I believe that the ideal solution would be something like Aztec's zk/zk approach, but at the moment, this solution is too expensive. So, to a certain extent, Nightfall is more of a compromise that can be used right away. Once the zk fee is resolved, the Nightfall team will eventually switch to the zk/zk scheme.
The following figure shows the architecture of Nightfall:
Financial Corporations and Institutional Investors: Nightfall's unique privacy creates a great opportunity for portfolio managers who wish to keep their transactions and swaps private.
Supply chain traceability for businesses: Businesses can process supplies, execute sales orders, pay privately, and more through Nightfall. One brewery is already using EY's Nightfall supply chain for traceability transactions, allowing businesses to easily track how much beer is in, where it is, how much is shipped, and more. In addition, a pharmaceutical company uses Nightfall to mint every product on the production line into NFTs, generating about 60,000 NFTs per day.
ESG: An ESG rating evaluates enterprises on environmental, social and corporate governance criteria and judges whether the enterprise has sustainable development value from a long-term perspective. There are already platforms that use Nightfall technology to allow users to donate to a charity without revealing the exact charity.
Last November, Polygon announced Miden, a scaling solution based on zk-STARKs. This project is led by a former core zero-knowledge proof technology researcher at Facebook who once led the development of Winterfell technology.
Polygon Miden is a STARK based zk rollup. The specialty of Polygon Miden is that it was designed to solve the challenge of rollup being difficult to support arbitrary logic and transactions. Rollup reduces on-chain data storage by packaging transactions, which can reduce congestion and transaction fees, but it is difficult to support the verification of an arbitrary transaction in the transaction package, affecting its ability to verify all off-chain transactions. Polygon Miden solves one of the biggest challenges of this zk rollup today by using Miden VMs (virtual machines).
There are two core components of the Polygon Miden framework: Distaff VM and Winterfell.
Distaff VM is a zk-EVM. Whenever a program is executed in zk-VM, a zk-proof of execution is generated to verify that the program ran correctly without actually running the program. Distaff is a STARK-based virtual machine.
A STARK-based proof of execution is automatically generated for any program executed on the Distaff VM. Anyone can then use this proof to verify that the program executed correctly without re-executing the program or even knowing what the program was.
Miden VM takes Distaff VM and adds a more efficient proof system, Winterfell. Winterfell is a full-featured multi-threaded STARK prover and verifier for arbitrary computations; it is essentially the latest version of STARK proofs, with higher performance.
Once developed, any project can deploy smart contracts on top of this zk-rollup.
Unlike other projects, Miden generates STARK proofs. Although using STARK proofs is more expensive, it is relatively more secure. The Miden founders also plan to further research recursive STARK proofs to lower their price.
The transaction will first be distributed to Miden's execution node;
These execution nodes bundle 5000 transactions into a block at a time and generate a STARK proof;
One STARK proof is then generated for every 200 of these bundled-transaction blocks to prove the validity of the transactions;
Finally, the final STARK proof result is uploaded to L1 Ethereum to achieve consensus and finality.
Developer friendly: Miden's goal is to allow developers to run smart contracts on top of this zkVM without even having to learn anything about cryptography or zk proofs.
Support for multiple programming languages: The team is working on adding support for multiple programming languages while keeping Solidity first.
Security-centric: Make Miden VM more secure than EVM itself through zk technology.
Privacy-focused: While this is not the focus right now, the Miden team has development plans in place on the roadmap.
According to the information released on the official website, Miden is expected to be launched in the first quarter of 2023.
Summary:
Finally, let’s briefly and quickly compare Polygon’s four zk expansion schemes:
Polygon Zero has developed a SNARK-based recursive proof system, Plonky2, which can generate recursive proofs in less than 170 milliseconds on a MacBook Pro. On such an efficient and fast Plonky2 proof system, Polygon Zero will finally develop the most scalable zkEVM.
The feature of the zk rollup developed by Hermez is that the coordinator is selected through auction during the transaction process. The coordinator who successfully bids will trade as much as possible within the unit time in order to make a profit, so this competition mechanism will bring about the efficiency of the transaction. In addition, Hermez is also developing zkEVM, and uses two ZKP solutions, SNARK and STARK, to achieve the best of both worlds.
Nightfall is a little more special. What most sets it apart from other zk solutions is that Nightfall is a privacy-focused rollup whose target customers are enterprises. Additionally, Nightfall effectively combines the backbone concept of Optimistic Rollups with the zero-knowledge (ZK) cryptography commonly used in ZK-Rollups, enabling a fusion of scalability and privacy.
The core product of Miden is Miden VM. Unlike other rollups, it uses the less popular STARK proof system to build a virtual machine. It aims to solve the challenge that rollup is difficult to support arbitrary logic and transactions, and to improve the ability to verify all off-chain transactions.
At present, most of the four programs are in the development and testing stage, and all of them will be officially launched this year or next year. With the launch of these new zk solutions, they will largely resolve earlier doubts about lagging technology and take a place among mainstream Layer 2 solutions, bringing more choices to crypto users.
If you want to learn more about the architecture of this zkEVM, see the Hermez 2.0 development documentation.