TaikozkRollups transitioned from research to production in 2023, with projects like Starknet, zkSync, Scroll, Polygon zkEVM, and Linea launching their solutions.
The zkRollup ecosystem is becoming more efficient and decentralized with the development of new concepts such as co-processors, prover marketplaces, shared provers, and zk aggregating layers.
The operation of zkRollup involves three main stages: execution, proof generation, and proof verification, with various projects focusing on optimizing each of these components in the zkRollup supply chain.
zkRollups like zkSync, Starknet, Merlin, and SNARKnado are developing their infrastructure, but they are still in the early stages of optimizing the supply chain.
In 2022, zkRollups were primarily in the research phase. However, 2023 marked the beginning of their future. Numerous projects, including Starknet, zkSync, Scroll, Polygon zkEVM, and Linea, launched their rollups into production. The benefits were clear, since compared to optimistic rollups, it had shorter finality times, the potential for safer interoperability, and lower operational costs. Despite these advancements, zkRollups, compared to optimistic rollups, remain experimental, and their technical roadmap frequently changed.
So, what's ahead for zkRollups? New terms such as Co-Processor, prover marketplace, shared prover, and zk aggregating layer frequently appear in many projects. zkRollup is being developed in diverse aspects and in the zkRollup ecosystem, many components are being built to make zkRollups more efficient and decentralized. If we consider how zkRollups operate, the process involves three stages: execution, proof generation of the execution, and proof verification. There are projects focusing on each of these stages. To summarize briefly:
Execution: zkVM, Co-Processor
Proof Generation: Proof Marketplace, Proof Aggregator
Proof Verification: Settlement Layer
Each of these categories is in the early stages, but as this supply chain becomes more developed, the zkRollup ecosystem will become more efficient. In this article, we'll first explore the basics of zk and then delve into the projects being built in the zkRollup supply chain, along with some of the major zkRollups in Ethereum and Bitcoin.
The zkRollup, mentioned in the title of this article, is a rollup method that uses Zero Knowledge Proof (ZKP). If you've come across the term Zero Knowledge Proof in the blockchain ecosystem, you probably have some understanding of it (if not, don't worry; it will be explained later). However, if asked why and how this technology is applied to rollups, you might struggle to answer immediately.
To find an answer to this question, in this chapter, we will explore what Zero Knowledge Proof and zkRollup are, how they operate, and why ZKP technology is well-suited for rollups.
1.1.1 ZKP in a Nutshell
Before delving into the details of ZKP, let's first understand the components involved in this process. There are two primary components:
Prover: The prover holds a statement that they want to prove to the verifier in the ZKP process.
Verifier: The verifier participates in the ZKP process to determine whether the prover's statement is true based on the provided evidence.
Now, let's explore ZKP in detail. ZKP is a cryptographic technique where the prover can prove a specific fact without revealing the fact itself or any related information. ZKP has three main characteristics: Completeness, Soundness, and Zero-Knowledge:
Completeness: If the prover's statement is true, the verifier will be convinced that the statement is true.
Soundness: If the prover's statement is false, the prover cannot deceive the verifier into believing it is true.
Zero-Knowledge: During the proof process, the verifier gains no additional information beyond the truth or falsehood of the statement.
1.1.2 Example of ZKP
The definition alone may not be easily understood, so let's explain with a well-known example, "Ali Baba's Cave," which illustrates Zero Knowledge Proof.
Consider the following scenario: In Ali Baba's cave, there are two paths, A and B, which converge deep in the cave but are blocked by a secret door. The prover (P) claims to have the key to pass through this secret door, and the verifier (V) wants to verify if P indeed has the key.
The verification process follows these steps: P enters the cave and chooses either path A or B. V does not know which path P took but can request P to come out through a specific path. If P has the key, P can come out through any path. After repeating this process several times, V can be confident that P has the key. However, V will not learn any information about the shape or nature of the key.
Applying this to the characteristics of Zero Knowledge Proof:
Completeness: If P follows V's instructions consistently over multiple repetitions, V can be convinced that P has the key.
Soundness: If P does not actually have the key but lies about it, there will inevitably be times when P cannot follow V's instructions, proving P's claim false.
Zero-Knowledge: V becomes convinced that P has the key through multiple iterations but learns nothing about the key's appearance or properties.
We have explored the A to Z of Zero Knowledge Proofs so far. However, it is essential to remember that the main focus of this article is zkRollups. Now, let’s dive into what rollups and zkRollups are.
1.2.1 Quick Overview of Rollup
Rollup is a Layer 2 scaling solution that processes transactions on a Layer 2 blockchain and then post a summarized state to the Layer 1 blockchain for recording and management.
There have been numerous proposals to solve scalability issues in Ethereum before. The earliest was sharding, which involved dividing the Ethereum network into several smaller "shards" to significantly improve transaction throughput. Similar to how multiple computers handle tasks simultaneously, sharding allows the Ethereum network to process more transactions quickly and efficiently.
Despite the promising benefits, Ethereum's developers shifted away from direct sharding due to concerns about potential centralization and technical challenges, leading to delays. Instead, they adopted an indirect sharding approach through Layer 2 solutions. In this approach, the process of batching transaction data to Layer 1 is called rollup. Currently, optimistic rollups and zkRollups are the two main types leading this ecosystem.
For more information on optimistic rollups, refer to this article.
1.2.2 Why ZK Proof and Rollup is a Great Fit
zkRollups differ from Optimistic rollups by using validity proofs instead of fraud proofs. zkRollups employ zk-SNARKs or zk-STARKs to compress numerous transactions into a single, small proof that is recorded and verified on the Layer 1 blockchain. This approach significantly enhances processing speed and efficiency without requiring a dispute period for incorrect results, unlike Optimistic rollups.
The non-interactive nature of zero-knowledge proofs is crucial for zkRollups' efficiency and convenience. It allows rollups to manage the rollup process independently, maximizing efficiency by bundling and sending transaction data to Layer 1 according to its own schedule. This non-interactive approach prevents potential delays and inefficiencies that could arise from a more interactive process between Layer 1 and rollup.
Succinctness is another key factor in zkRollups' effectiveness. The ability of zk-SNARKs and zk-STARKs to compress large amounts of data into small proofs ensures economic efficiency when sending transaction data to the more expensive but more secure Layer 1. This compression capability allows zkRollups to handle multiple transactions as a single batch, greatly enhancing Layer 1's scalability while providing users with a more cost-effective blockchain infrastructure in the rollup environment.
1.2.3 Operation of zkRollup
Let’s further explore how zkRollup operates and which components are involved. There are primarily two components that operate zkRollup:
Sequencer: The sequencer collects and processes transactions occurring on Layer 2 and submits the processed results to Layer 1. While some rollup projects have independent entities for sequencing and generating validity proofs, for simplicity, we will consider them as a combined role here.
Rollup Contract: The rollup contract is a smart contract on Layer 1 that finlizes the state and transactions of the rollup. It receives, stores, and verifies data submitted by the sequencer, ensuring proper storage and management if the data is validated.
The operation process of zkRollup is as follows:
[Sequencer <> L2] Transaction Batching & State Change Calculation: Multiple transactions executed on Layer 2 are collected into a batch. Each transaction in the batch is executed, and the resulting state root, which records the new state changes, is produced.
[Sequencer <> L2] Validity Proof Generation: Using the new state root, a validity proof is generated to prove the correctness of the state root. This proof guarantees that all transactions within the batch were correctly executed without revealing the details of each transaction.
[Sequencer <> L2] Submission of State Root and Validity Proof: The generated validity proof, state root, and concealed transaction data are submitted to the Layer 1 rollup contract. The rollup contract verifies the submitted data.
[Sequencer <> Rollup Contract (L1)] Verification and Update: The Layer 1 rollup contract receives the validity proof, state root, and verification transaction data from the sequencer. It verifies the data, updates the state root, and stores the verification transaction data if there are no issues. If problems are detected, the verification and storage processes are not performed.
From a bird's-eye view, let's look into the overall supply chain of zkRollups through the process of their operation. zkRollups involve three main processes: execution, proof generation, and verification.
Execution: This occurs off-chain, where transactions are batched and executed on a separate rollup network, updating the rollup state.
Proof Generation: Inputs like transaction batches and state roots are compiled. A proving circuit processes the transactions, generating a succinct zk-proof that cryptographically proves the state transition's validity without revealing data.
Proof Verification: The zk-proof and related data are submitted to a verifier contract on the settlement layer (mostly on Ethereum) for verification. If valid, the rollup contract updates its state to reflect the new post-state, and after a short time buffer, the change is finalized.
There are projects dedicated to each process to make zkRollups operate more efficiently. In the next section, let’s dive into what each process is about and which projects are working on them.
The execution occurs separate from the settlement layer, where the computation is done in a separate machine, and the proof for the execution is generated in the zk circuit. This execution environment can be categorized into two sector: zkVM and Co-Processor.
2.1.1 zkVM
Source: Foresight Ventures: zk, zkVM, zkEVM and their Future | by Foresight Ventures | Medium
A zkVM (Zero-Knowledge Virtual Machine) is a specialized virtual machine designed to execute computations and generate zero-knowledge proofs that verify the correctness of those computations without revealing the underlying data. There are several types of zkVMs, each tailored to specific virtual machine and programming language. Below are some of the categorization of these projects:
zkEVM: It aims to replicate the EVM environment while incorporating zero-knowledge proof capabilities. This allows existing Ethereum smart contracts and dApps to be seamlessly ported to a zkEVM-based rollup. However, due to the complexity of developing the zk circuits for the EVM and its frequent upgrades, there have been compatibility issues with a pure EVM.
General zkVM based on RISC-V and MIPS: zkRISC is a specific implementation of a zkVM developed by RISC Zero. It is designed to be a general-purpose zkVM capable of executing arbitrary computations and generating zero-knowledge proofs. It allows programming languages like C, Python, and Rust to be deployed and generate proofs for their execution.
CairoVM: The Cairo VM is built to optimize the generation of validity proofs for program execution. Unlike zkEVM solutions that focus on making the EVM compatible with validity rollups, the Cairo VM is designed from the ground up to maximize the efficiency of STARK proofs. This approach allows for better performance and scalability without being constrained by the limitations of the EVM. However, since developers need to learn a new language, there is a barrier to building the dapp.
2.1.2 Co-Processor
Source: Phala's 2024 Path: Coprocessor for blockchains—AI, Hooks and DePin
Co-processors were developed as off-chain processors to assist with specific computations. Graphics processing units (GPUs), for instance, manage the vast parallel computations required for 3D rendering, enabling the central CPU to focus on general-purpose processing. Co-processors in this sense support blockchains for complex execution, which is costly on the blockchain. Each type of co-processor is designed to maximize efficiency in handling its specialized workload.
By leveraging ZKPs, co-processors enable trustless and verifiable off-chain computations, ensuring the correctness and integrity of the results without revealing sensitive data. Some of the known Projects include:
Axiom: Axiom is developing a "ZK co-processor" system that allows smart contracts to query historical blockchain data and perform complex computations off-chain while maintaining data privacy and integrity through ZKPs.
Phat Contracts (Phala Network): Phat Contracts are co-processors that enhance scalability, enable gasless experiences, support multi-chain functionality, and provide secure access to off-chain data for dApps.
To prove the validity of the state transition, the rollup operator (prover) generates a ZKP. This proof confirms that the new state root was correctly computed from the previous state. There are constraints in the proof generation process since generating ZKP requires significant computational resources, especially for large transaction batches or complex smart contracts. This can limit the throughput of zkRollups and the types of applications they can support efficiently.
Also, since the entities generating the zk proof require expertise in this field and need to keep the hardware up to date, the management cost can be high, not to mention the centralization risks. Therefore, there have been developments in this sector to make it more efficient. The approach has two parts: building a proof generation marketplace to outsource the generation process, and creating an aggregation layer to make it more cost-effective.
2.2.1 Proof Generation Marketplace
Source: Introducing Gevulot | Gevulot
The Proof Marketplace offers key features such as Decentralized Proof Generation, Auction Mechanism, and Hardware Utilization and Cost Efficiency. Applications submit proof requests to the network, and provers respond using the proof generation hardware, ensuring efficient handling of proof requests. An auction mechanism matches these requests with provers, enabling competitive pricing for proofs. Furthermore, provers utilize specialized hardware, reducing proving costs, and the decentralized marketplace allows for the aggregation of different applications' proof requests, improving hardware utilization and cost-effectiveness.
The Proof Marketplace also ensures Censorship Resistance and Fast-Finality, as well as implementing a Staking Mechanism. The marketplace guarantees short-term censorship resistance so that bids from provers cannot be unfairly blocked or ignored. Provers are required to stake with the network, preventing malicious activities and ensuring network reliability and integrity.
Lastly, the marketplace capitalizes on Economies of Scale. Coordinating ZKP generation at scale decreases costs for end-users. Aggregated proof order flow enables provers to invest in and operate more efficient infrastructure. Applications also benefit from reduced on-chain verification costs, as proofs can be aggregated for optimization. Some of the projects inculde:
Succinct Network: Succinct Labs is developing a decentralized prover marketplace as part of their Succinct Network, which aims to create a unified protocol for ZKP. This marketplace will allow applications to outsource their proof generation to a network of specialized provers, providing a more efficient and cost-effective solution for ZKP-based systems. The prover marketplace will operate through an auction mechanism that matches proof requests from applications with a diverse set of provers.
=nil; Foundation: The =nil; Foundation has developed a Proof Market, which is a decentralized and distributed system designed as a spot market for ZKP. This marketplace allows proof requesters, such as applications to outsource the generation of zkProofs to specialized proof producers. The Proof Market operates on top of =nil; Foundation's Database Management System, functioning more like a "Proof DEX" rather than a centralized service.
Gevulot: Gevulot is not a traditional prover marketplace, but rather a decentralized proving layer for the modular stack. It is a permissionless and programmable Layer 1 blockchain specifically designed to deploy proof systems as on-chain programs. Unlike typical prover marketplaces, Gevulot allows users to deploy prover and verifier programs directly on the blockchain, similar to deploying smart contracts on Ethereum. This approach enables applications to benefit from decentralized proving without needing to bootstrap their prover networks or rely on centralized solutions.
2.2.2 Proof Aggregation
Source: Prove It: Shared Provers, Proof Aggregation & Prover Marketplaces - Delphi Digital
ZKP aggregation is a technique that combines multiple ZKPs into a single proof, reducing the overall cost of verifying these proofs on-chain. This is particularly beneficial for rollups that rely heavily on ZKPs. Some of the notable projects include:
Polygon AggLayer: It aims to enable smooth interoperability between L2 solutions within the Polygon ecosystem by leveraging aggregated ZKPs and a unified bridge contract (LxLy Bridge.) The aggregated proof ensures that dependent chain states and bundles are consistent, preventing an invalid rollup state from being settled on Ethereum if it relies on an invalid state from another chain.
Nebra: Its product, Universal Proof Aggregation (UPA), is the protocol for aggregating ZKPs. Nebra's UPA can aggregate proofs generated from different circuits, proof systems, and parties, offering over 10x reduction in gas costs for on-chain verification. Nebra has partnered with projects like AltLayer to integrate UPA into their rollup solutions, enabling AltLayer's users and dApps to benefit from substantial cost reductions.
Electron Labs: Electron Labs has developed Quantum, an aggregation layer that leverages zk-recursion to aggregate proofs from different protocols and across various proving schemes into a single "Superproof". This Superproof is then verified on Ethereum, amortizing the verification cost across multiple protocols and enabling cheaper verification for individual protocols.
The proof generation process in zkRollups is computationally intensive. However, verifying these proofs on the Ethereum mainnet is relatively lightweight, enabling scalability while maintaining the security guarantees of the underlying blockchain.
The zk verification smart contract in Ethereum uses efficient cryptographic algorithms to verify the validity proof. If the proof is valid, the proposed state transition is correct, and the new state root is accepted, updating the rollup's state on the mainnet. Some projects like Aligned Layer provides faster and cheaper verification by leveraging the validators in Ethereum.
2.3.1 Aligned Layer
Source: whitepaper.alignedlayer.com
Aligned Layer is a decentralized ZKP verification and aggregation layer designed for Ethereum. As an EigenLayer Actively Validated Service (AVS), it leverages Ethereum's economic security through a process called restaking, ensuring that ZKPs are accurately verified and settled on the Ethereum blockchain.
Aligned Layer offers two distinct modes of operation to cater to different needs. The fast mode is optimized for minimal verification costs and low latency, making it ideal for applications requiring quick and cost-effective proof verification. On the other hand, the slow mode utilizes proof aggregation to provide comprehensive security by fully leveraging Ethereum's security guarantees. This dual-mode approach allows Aligned Layer to offer flexible solutions that can balance between speed and security based on the specific requirements of different use cases.
As explained in section 2, various projects are optimizing the zkRollup supply chain. Let's take a closer look at the most notable zkRollup projects in production, particularly the EVM-compatible projects zkSync and Starknet, as well as the Bitcoin-compatible projects Merlin Chain and SNARKnado.
Source: zkSync Twitter
zkSync is a zkRollup solution developed by Matter Labs, designed to address the scalability challenges faced by the Ethereum network. While zkSync's initial focus was on scaling Ethereum, its ambitions extend far beyond being just an L2 solution. Matter Labs envisions zkSync as the foundation for a comprehensive cross-chain ecosystem, aiming to bridge various zkSync based rollups seamlessly. To achieve this goal, zkSync is developing a sophisticated yet user-friendly cross-chain environment that incorporates zkRollup technology, ZK Chain, and Hyperbridge. Let’s look into each of this concepts.
3.1.1 zkRollup - Optimized for Economic Efficiency
zkSync uses zkRollup technology based on zk-SNARK. The proof generation and verification method of zk-SNARK results in small proof sizes and fast verification. However, as zk-STARK's advantages, such as quantum resistance and large-scale processing, become more prominent, zkSync is also attempting to partially adopt zk-STARK. This effort is seen in the proof generation system called "Boojum," which uses the zk-STARK method for proof generation.
3.1.2 Structural Components
Sequencer: The sequencer in zkSync arranges and processes transactions according to specific rules. The sequencer includes the prover, which generates proofs and transaction data that cannot be viewed in detail and sends them to Layer 1.
Prover: The prover in zkSync generates proofs using zk-SNARK, and the data used in the proof generation process includes transaction data that cannot be viewed in detail and the before-and-after state change data representing L2 chain state changes. The generated proofs are verified by the rollup contract on Layer 1.
Settlement: zkSync uses the data generated on Layer 2 for verification and updates in the Layer 1 smart contract. If verification issues arise, the transactions in the affected batch are not updated. This process is modular, with one or more smart contracts connected to each ZK Chain described below.
3.1.3 ZK Chain
ZK Chain is a blockchain beyond Layer 2 that includes the infrastructure provided by zkSync. It is referred to as beyond Layer 2 because zkSync has adopted an unrestricted layered structure, including fractal structures like L3.
The most well-known ZK Chain currently is zkSync Era, built by zkSync. It is EVM-compatible and allows for the deployment of simple dapps. However, for zkSync's ultimate cross-chain ecosystem goal, the relationship between different ZK Chains is crucial. zkSync is focusing on how to connect with other future ZK Chains.
An example leveraging the ZK Chain environment is Hyperbridge. With Hyperbridge, users can conveniently send all assets from connected chains in their chain-specific wallet. When users need to use assets on their chain, the relayer facilitates asset bridging, burning, and issuance.
For instance, if using cross-chain Uniswap, and a user on era.zksync chain wants to swap 1 ETH for 10,000 DAI, the process would be:
Generate a "1 ETH → 10,000 DAI" transaction from the era.zksync chain wallet.
The relayer transfers 1 ETH to the uni.chain, swaps it for 10,000 DAI.
The relayer then transfers the swapped 10,000 DAI back to the era.zksync chain.
This way, users can easily perform cross-chain transactions using zkSync's environment without needing to know details about the other chains.
3.1.4 EVM Compatibility
zkSync currently claims 99% compatibility with Solidity and Vyper. Initially, zkSync supported Zinc, a language similar to Rust, for a more suitable and efficient zkEVM. However, they shifted their focus to Solidity compatibility, halting Zinc development since September 2021, to ensure full optimization.
Source: Starknet Twitter
While it is similar to zkSync in that it is a zkRollup-based Layer 2 solution, Starknet differs in its technical stack and internal technologies. Notably, it uses zk-STARK instead of zk-SNARK and employs its own smart contract language called Cairo.
3.2.1 zk Rollup - Focused on High-Volume Rollup Processing
Starknet uses zk-STARK for proof generation and verification related to rollups. Similar to zkSync, it uses only the before-and-after state changes to manage rollup data more efficiently on Layer 1.
Additionally, since Starknet employs zk-STARK, it benefits from a trustless environment and the ability to handle a large number of transactions simultaneously. This makes Starknet favorable for DeFi dApps or gaming dApps that experience high transaction volumes.
3.2.2 Structural Characteristics
Structurally, Starknet adopts a similar architecture to other zkRollups. However, it differentiates itself by actively utilizing the zk-STARK Zero Knowledge Proof model and maintaining EVM compatibility through its proprietary programming language, Cairo.
Source: Starknet architecture: Overview
Sequencer: The sequencer in Starknet plays a crucial role in managing the verification and execution of transactions and proposing blocks. Its primary function is to batch and process transactions. Transactions that do not pass verification are restricted by the sequencer, and only verified transactions are included in the block. The sequencer also includes a prover and is responsible for sending the completed rollup data to Layer 1.
Prover: The prover in Starknet generates proofs using zk-STARK. During the proof generation process, the prover saves each transaction execution step to create an Execution Trace and tracks state changes in the L2 chain, recording the State Diff. The proof generation process requires substantial computational resources and is designed to support parallel processing, allowing multiple provers to divide and perform tasks simultaneously.
Settlement: Data generated on Layer 2 is transmitted to Layer 1 (such as Ethereum), where components accept transactions and manage proofs and state differences. These components are processed by two smart contracts: the verifier contract and the Starknet core contract. The verifier contract analyzes the proofs received from Layer 2 and exercises veto power on transactions if any issues are found. If the proof's validity is confirmed, it is transferred to the Starknet core contract, which updates the Layer 1 chain with the provided state changes. This updated state is added to the Layer 1 chain block, and once the block passes through Layer 1's processes, it falls under Layer 1's influence.
3.2.3 EVM Compatibility
Starknet is developing its own unique path to EVM compatibility through the Cairo language. To deploy smart contracts on Starknet, one must use Cairo. While many Solidity features are not yet supported by Cairo, and although the number of Cairo developers is increasing, it still lags behind Solidity in terms of community size and adoption rate.
Cairo, Starknet's smart contract language, inherits features from Rust. It is optimized for zk-STARK proof generation, enabling efficient execution and proof generation of smart contracts. Overcoming the barrier to using Cairo could allow for the deployment and execution of smart contracts in a better environment, with secure data rollup to Layer 1.
The key differences between Cairo and Solidity are outlined in the table below.
Source: Merlin Chain Twitter
Merlin Chain is a Bitcoin-based Layer 2 zkRollup solution developed by Bitmap Tech, which has been predominantly focused on Ethereum. Merlin Chain, based on Polygon's Zero Knowledge Proof technology, offers the advantage of being EVM-compatible while securely storing rollup data to the Bitcoin L1. Through this, Merlin Chain aims to increase liquidity and expand the ecosystem within the Bitcoin network, including BTC, under the slogan "Make Bitcoin Fun Again."
3.3.1 zkRollup - Hybrid Approach Tailored to Bitcoin's Characteristics
Merlin Chain uses zkRollup technology incorporating both zk-SNARK and zk-STARK. Originally, due to Bitcoin network's structural characteristic of being Turing incomplete, direct verification of ZKPs on the Bitcoin network was not possible. However, after the Taproot upgrade, partial verification became feasible. Merlin Chain leverages Taproot to record off-chain generated rollup data and proof data onto the Bitcoin network.
In Merlin Chain, the zkProver is responsible for verifying the validity of transaction data and generating proofs based on verified data. The stages of this process are as follows:
The sequencer node of Merlin Chain stores the current state information in the database.
The sequencer node sends transactions to the zkProver.
The zkProver accesses the database to retrieve data necessary for transaction verification.
Once the zkProver completes the transaction verification, it generates a proof and sends it to the sequencer node.
This process involves several steps. Initially, transactions are verified and processed using zkEVM based on zk Assembly Language (zkASM) developed by the Polygon zkEVM team. The resulting data is then aggregated using zk-STARK's high-capacity processing capabilities and compressed to optimize rollup economic efficiency. Finally, zk-SNARK is used to generate proofs that produce a consistent proof size. The generated data and proofs are then verified within the decentralized Merlin Chain oracle network environment and uploaded to the Bitcoin network via Taproot.
3.3.3 Future Upgrades: On-Chain Fraud Proof
Although zkRollup seems well applied to the Ethereum ecosystem's L2 solutions as explained in section 3.2.1, it alone cannot perfectly guarantee the validity and accuracy of transactions within the rollup. To bridge the gap caused by differences in Bitcoin network structure, Merlin Chain uniquely plans to introduce an on-chain fraud proof mechanism similar to optimistic rollups.
The on-chain fraud proof mechanism operates in a relationship between rollup data proposers and challengers. If a challenger believes the rollup data is incorrect, they can challenge the transaction data, ZK state information, and ZK proof uploaded to the Bitcoin network. Most L2 transactions do not need to be re-verified on the Bitcoin network (L1), but if a challenge is raised against previously proposed rollup data, the data and transactions must be re-executed and verified. If a role is found to be at fault, they will incur a slashing penalty.
3.3.4 EVM Compatibility
Merlin Chain achieves EVM compatibility by using zkEVM based on zkASM in its zkProver. This allows smart contracts developed with existing Ethereum development tools and infrastructure to be executed on the Bitcoin network, providing the advantage of extending Ethereum's capabilities to Bitcoin.
Source: Alpen Labs Twitter
SNARKnado is a Bitcoin-based Layer 2 solution implemented by Alpen Labs using zk-SNARK. Alpen Labs aims to use SNARKnado to specialize blockchain more in verification rather than computation, thereby achieving higher scalability and efficiency within the Bitcoin ecosystem.
3.4.1 zkRollup - The Successor to BitVM
SNARKnado is a model that has been modified to be more optimized for zk-SNARK from the prover-challenger structure used in BitVM's optimism method. This has resulted in an approximately eightfold performance improvement compared to BitVM. However, it still falls short of BitVM2's advantage of allowing anyone to issue a challenge, as SNARKnado currently restricts challenge capabilities to permitted roles.
3.4.2 Structural Characteristics
Proof Verification Method - Bisecting Polynomials
Using zk-SNARK allows SNARKnado to manage rollup data and proof data on Bitcoin with small proof sizes, but Bitcoin's limitation on complex computations necessitates optimization for proof verification. SNARKnado addresses this by using bisecting polynomials to convert proof data. The verification process is carried out via on-chain computations enabled by the Taproot upgrade.
When a prover receives a challenge, they disclose some of the data needed for the challenge and proceed with the verification process alongside the challenger. The bisecting polynomial method is used for verification, determining which role, prover or challenger, is at fault.
3.4.3 SNARKnado vs. BitVM or BitVM2
SNARKnado shares many similarities with BitVM, particularly appearing as a midpoint between BitVM and BitVM2. So, what are the differences between them? (As BitVM2 is a more advanced model than BitVM, comparisons will primarily focus on BitVM2.)
First, consider the use of resources within Bitcoin. BitVM2 inherently shows a linear increase in on-chain resource usage, whereas SNARKnado reduces this increase to a square root level, optimizing on-chain resource usage. Another difference lies in the accessibility of roles capable of issuing challenges. While SNARKnado restricts challenges to permitted roles, BitVM2 allows anyone to issue a challenge without permission.
3.4.4 EVM Compatibility
Based on recent records from Alpen Labs, EVM compatibility is not officially supported, nor are there any future plans regarding EVM compatibility at this time.
Reflecting on the recent mainnet launch of zkRollups, we saw the introduction of zkSync Era in August 2023 and the launch of Polygon zkEVM in December 2023. It hasn’t been long since these projects were launched, so most of them, are still in active development. Also, the developments have expanded beyond just zkEVM. General zkVMs, zkWasm, and off-chain Co-processors are also being developed in the execution part, where custom zk-circuits are being used.
As basic execution and proof generation become more reliable, efforts are being made to increase supply chain efficiency. Strategies range from building a prover marketplace, aggregating multiple proofs, to creating a verification layer for cost-effective verification. This supply chain of zkRollups is anticipated to become more efficient and affordable in the future.
Initia
Cosmos
Arbitrum
Base
