Rollups: ZK vs Optimistic

Intro

Technical advances in crypto include Polkadot and Solana, which can process thousands of TPS as opposed to Ethereum's 15 TPS. Many methods have been developed to ensure ETH's competitiveness and challenge its slowness and cost.

The most popular scalability solution is rollups, which offer tremendous throughput while preserving decentralization and security. Rollups carry out transactions on a secondary, faster blockchain (known as a layer 2) before sending the transaction data back to the main blockchain (layer 1 or mainnet) at a significantly lower cost. Users can benefit from both the affordability of the roll-speed-up and the security of the wider blockchain through this solution. Rollup sends the bare minimum amount of information to the mainchain to allow any participant to recreate the transaction states to spot inconsistencies or errors. Since the transactional information is kept on the Ethereum main chain, security is not compromised and allows for high scalability.

The two main types of rollups are zero-knowledge (ZK) and optimistic.

ZK Rollups

The main idea of ZK-rollups is that they process batches of transactions off-chain and update the L1 state by supplying the proposed changes and cryptographic proof that the changes are valid. The phrase "zero-knowledge" rollup describes the idea of validating a transaction with only a few key details required for its verification and without full access to private information. This technology is used by the roll-up to create the validity evidence that attests to the reliability of the transaction processing on an L2. The validity proof, which can be constructed using either STARKs (Scalable Transparent Arguments of Knowledge) or SNARKs (Succinct Non-Interactive Arguments of Knowledge), allows the offloading of transaction processing without sacrificing security.

Internal mechanisms of ZK-rollups

• The L2 operator receives the transaction data that transactors post. This operator manages the entire cycle—from transaction validation to data compression and on-chain publication—and is in charge of producing L2 blocks. The operators receive indexed addresses, value, network fees, and a nonce in addition to this data.
• ZK rollups utilize a Merkle tree structure to maintain the integrity and consistency of account information and transaction values. This structure allows for efficient processing of transactions and provides a high level of data integrity. The use of cryptographic proofs and zero-knowledge techniques enables transactions to be processed off-chain while still providing the same level of security and trustlessness as the underlying blockchain.?

• After processing each transaction, the operator updates the Merkle roots of the rollup to reflect the current state. The new Merkle root is submitted to the layer 1 blockchain.
• The operator must also submit a zero-knowledge validity proof that proves that the batched transactions are correct. Most ZK-rollups and ZK-rollup projects employ ZK-SNARK or ZK-STARK based proofs.?

Strengths of ZK-Rollups

• Operators are prevented from carrying out invalid state transitions by validity proofs, which guarantee the accuracy of off-chain transactions.?
• Provides a quicker transaction latency/finality because state modifications are approved once the validity of the proofs has been confirmed on L1.?
• Ensures security, censorship resistance, and decentralization by storing the data required to recover the off-chain state on L1.?

Weaknesses of ZK-Rollups

• Although rollup technology has the potential to significantly reduce transaction costs, users may face high costs due to data availability issues.
• The complexity of zero-knowledge technology makes it difficult to construct ZK-rollups that are EVM-compliant.

Popular projects:

Leading zero-knowledge rollup solutions include Polygon Hermez, Starkware, zkSync, and Loopring.

Optimistic Rollups

Another L2 method that scales Ethereum using off-chain computing and state storage is optimistic rollups. They are regarded as "optimistic" since they don't provide proof of validity for transaction batches submitted on-chain and assume that off-chain transactions are valid. This distinguishes optimistic rollups from zero-knowledge rollups that broadcast cryptographic proofs of validity for off-chain transactions. Optimistic rollups instead look for instances of inaccurate calculation of transactions using a fraud-proving technique. Any user on Ethereum has a limited amount of time (known as a challenge period) to create a fraud-proof and contest the results of a rollup transaction. If the fraud-proof is successful, the roll-up protocol re-runs the transaction(s) and makes any necessary modifications to the rollup's state.

Internal mechanisms of optimistic rollup

The roll-up smart contract, the subchain-sequencer, and a fraud-proof contract in case of challenging any faulty transactions make up the framework for optimistic roll-ups.

1. The roll-up contract transmits the transaction to Layer 2 for computation off-chain from the Ethereum mainnet.
2. The Layer 2 transaction is received by the sequencer, who sends back a signed receipt that promises to execute and arrange the data accurately. In the future, the system's crypto-economic security is planned to be provided by the staking mechanism of sequencers, who will be rewarded for following the rules and carrying out planned transactions.
3. In order to spread transaction costs across many transactions and reduce transaction costs, the sequencer groups together several transactions into a batch and submits that batch back to Ethereum via a single transaction. The old state Merkle hash (before transaction execution), a bunch of transactions, and the new state Merkle hash (after transaction execution) are all contained in each bundle.??
4. Optimistic rollups are designed to be optimistic and to presume that the sequencer will act in good faith. No transaction is censored, all transactions are properly validated and processed, and the modified Merkle state of the child chain is then submitted.?
5. After submission, everyone has a chance to challenge or dispute a transaction for a predetermined amount of time. Suppose someone thinks they have evidence of fraud. In that case, they can alert an adjudication contract on the Ethereum mainnet, which can check the legitimacy (or lack thereof) of the outcomes generated by the Sequencer using the Optimistic Virtual Machine. If the challenge is successful, the guilty sequencer will be terminated, and the challenger will get a portion of the terminated funds. In order to store the right state, the fraudulent transactions are reversed.

Strengths of Optimistic Rollups

• Developers may leverage existing tooling to build new dApps or migrate Ethereum-native smart contracts to rollups due to compatibility with EVM and Solidity.
• Allow for faster and cheaper transactions compared to on-chain transactions.
• Fraud proving can provide a high degree of finality without the need for trust, and it can allow honest minorities to help secure the chain.?

Weaknesses of Optimistic Rollups

• Delays in transaction finality due to potential fraud challenges.
• A malicious operator can steal money by uploading invalid blocks and state commitments if there are no honest nodes.
• In order to contest improper state transitions, the security model depends on at least one honest node conducting roll-up transactions and reporting fraud proofs.
• The process may not be entirely trustless, as some level of trust may be required to validate the proofs.
• The storage requirements for detecting fraud may increase as the throughput of the L2 solution increases, potentially limiting scalability and cost-effectiveness.

Popular projects:

Leading optimistic rollup solutions include Arbitrum, Optimism, and Boba network.

Differences

The method used to validate the transaction bundling is the main distinction between the two systems. While each strategy has its advantages and disadvantages, they all have downstream impacts.

Validity Proofs

ZK-rollups rely on a party to deliver succinct cryptographic proof that proves they are aware that the chain is legitimate and know its current updated state. The proving party is required to carry out the transactions and create the proof by performing a number of complex cryptographic procedures. An on-chain L1 contract verifies the succinct and inexpensive proof.

Optimistic rollups can be thought of as an "honor system" where state transitions are not checked by the Layer-1 chain's smart contract until fraud-proof is submitted. A disputed claim regarding the correct outcome of a set of transactions can be published by any network participant. The same transactions are carried out by other nodes, and if they disagree with the initial node's claim, they may lodge a challenge. An efficient dispute resolution process is used to settle any disagreements and guarantee that the party who is correct will win the challenge. The parties have strong incentives to post only correct claims and to challenge incorrect claims and the whole procedure is controlled by an L1 contract.

Transaction finality/Latency (time-to-verifiable-finality)

Transaction finality can be measured by how quickly tokens processed in layer 2 transactions can be withdrawn or by how long it takes for a transaction to become irreversible. Optimistic rollups face a one-week delay in transaction finality due to the challenge period under the current implementation. ZK-Rollups, on the other hand, see no large latency in transaction finality from when the validity evidence is submitted on the chain. Because of this, optimistic rollups are significantly less advantageous than their ZK counterparts.

This has further consequences, such as the case of bridging. While ZK rollups provide bridging as soon as a ZK proof has been uploaded to the L1, optimistic systems suffer the weeklong delay to transfer funds out of a rollup. Since latency may be a crucial factor in cross-chain applications, ZK-based apps offer a significant benefit.

Transaction Costs

Transaction costs are a crucial factor when evaluating scalability technologies, as they are a fundamental consideration for users. Optimistic rollups and ZK rollups have different trade-offs when it comes to transaction costs. While optimistic rollups don't require additional off-chain computation, they may have higher costs due to the need to wait for dispute periods to ensure the validity of transactions. On the other hand, ZK rollups involve more off-chain computation to generate cryptographic proofs, which can be expensive in terms of computational resources. However, advancements in ZK rollup technology are being made to improve efficiency and reduce costs, such as using recursive proof composition or batching proofs to reduce the number of elliptic curve operations needed.

EVM Compatibility

EVM compatibility means that all Defi protocols running on the Ethereum network, such as Uniswap, can easily transition to the desired roll-up type. This is one of the primary problems preventing the adoption of ZK Rollup. Because the EVM was not created with ZK technology in mind, generating practical zero-knowledge proofs via EVM operations is very difficult. Although there has been significant effort toward the creation of ZK-EVMs, none of them have yet achieved a main net launch.

On the other hand, optimistic rollups can operate the Ethereum Virtual Machine (EVM). The Arbitrum solution is entirely EVM compatible since it uses the same RPC interface and bytecode as the EVM. Any protocol created for Ethereum runs automatically on Arbitrum.

Privacy?

One of the benefits of ZK rollups is that they offer a degree of privacy by design. This is due to the fact that transaction data is not individually posted on the base layer, which can provide some privacy benefits compared to optimistic rollups. However, it's worth noting that this may not always be the case for all ZK rollups. For example, in public ZK rollup solutions like Starknet or ZKSync, anyone who operates a Layer 2 node can see all transactions. Nonetheless, ZK rollups may still be a more suitable option for private instances that prioritize privacy without sacrificing security.

Security

ZK rollups have an advantage over their competitors in security because ZK proofs serve as the foundation of their consensus method. Optimistic rollups merely require that the majority of validators agree that a transaction is valid, while ZK rollups are driven by ZK-SNARKs and STARKs that assure that all transactions are cryptographically valid. As a result, it is possible for a malicious transaction to generate invalid transactions that could be added to an optimistic roll-up, which is not feasible in a ZK configuration. Optimistic rollups submit transactions based solely on the presumption that they are true, but ZK-rollups give cryptographic proofs to authenticate transactions on-chain.

Trust

Some ZK-rollups, such as SNARKs, depend on trusted setup in the underlying system which could significantly reduce the rollup's security if compromised, There are trustless setups known as STARKs that can help with this, but they have their own challenges. Optimistic rollups also require users to trust that the validators will not collude to invalidate transactions, resulting in the 1-of-N honest participant's assumption.

Leading Solutions

Abritrum (Optimistic Rollups)

Arbitrum, a Pantera portfolio company, is a comprehensive technology suite that offers a solution to the limitations of Ethereum, a widely used blockchain platform. With Ethereum's transaction throughput capped at a mere 20-40 transactions per second (TPS) and high transaction fees due to its design, where every transaction must be processed by every node in the network, Arbitrum steps in with its layer 2 solution called Arbitrum Rollup, which is an optimistic rollup protocol that inherits Ethereum-level security.

Arbitrum operates by processing transactions on a separate chain that functions as a sub-module within Ethereum, distinguishing it from regular Ethereum transactions that require processing by every Ethereum node. In contrast, Arbitrum transactions follow an "innocent until proven guilty" approach, assuming that activity on Arbitrum complies with the established rules. In the event of a violation, such as a fraudulent claim, it can be disputed back on Ethereum's layer 1 (L1), and the fraudulent party will face penalties.

A key feature of Arbitrum is its ability to prove fraud on Ethereum transparently and openly. The data fed into Arbitrum is directly posted on Ethereum, making it visible to anyone interested. Validators, who are responsible for advancing the Arbitrum chain state on Ethereum's layer 1, play a critical role in detecting and proving fraud. Becoming an Arbitrum validator requires no special permission, and as long as there is at least one honest validator, the chain remains secure, rendering the system "trustless" as users are not reliant on any designated party for fund security.

The team at Offchain Labs, the company behind Arbitrum, is composed of experienced blockchain experts and entrepreneurs. Co-founders Ed Felten, Steven Goldfeder, and Harry Kalodner lead the team, bringing a wealth of knowledge and experience in computer science, cryptography, and blockchain technology. Other key team members include renowned researchers and developers with expertise in Ethereum scaling solutions.?

Arbitrum aims to provide Ethereum users with a scalable and cost-effective solution that enables them to continue utilizing Web3 applications, deploying smart contracts, and conducting transactions with reduced fees and faster speeds. By leveraging Ethereum's security and introducing an innovative approach to transaction processing, Arbitrum aims to address Ethereum's limitations and create a more efficient and user-friendly blockchain ecosystem.

Starkware (ZK-rollups)

Starkware, a Pantera portfolio company, is at the forefront of developing layer-two blockchains for Ethereum using zk-STARKs (Zero-Knowledge Scalable Transparent Arguments of Knowledge) to ensure computational security. Invented by Starkware, zk-STARKs are transparent cryptographic proofs that use lightweight hash functions to verify computational integrity in a scalable manner. Starkware's proof system is claimed to be faster and more scalable than others, while relying on safer cryptographic assumptions.

Starkware has two main products: StarkNet and StarkEx. StarkNet is a permissionless decentralized layer-two blockchain based on zk-rollups, which executes transactions and relays transaction data back to the Ethereum mainnet in batches, secured by STARK proofs. This allows StarkNet to benefit from Ethereum's security and composability while scaling transactions through EVM-compatibility. StarkNet Alpha went live on the Ethereum mainnet on Nov. 29, 2021.

On the other hand, StarkEx is a layer-two scaling solution tailored for specific decentralized applications (DApps), particularly DeFi trading applications like dYdX, DeversiFi, and Immutable X, an NFT blockchain. StarkEx offers three data availability modes: zkRollup mode, Validium mode, and a hybrid mode called Volition, providing DApps flexibility in processing off-chain data. This is enabled by Cairo, the programming language used by Starkware products. Additionally, Shared Prover (SHARP) technology allows for sharing of gas costs between transactions in a batch, resulting in very low gas fees on Starkware.

Starkware is a prominent player in the zk-rollup space, competing with other scaling solutions such as optimistic rollups and zkSync. However, Starkware distinguishes itself by offering faster transaction verification without a dispute period and using STARK cryptographic proofs that are considered more complex but potentially more secure.?

The team behind Starkware includes co-founder Eli Ben-Sasson, who is also the co-inventor of STARK proofs and a computer science professor, as well as Alessandro Chiesa, and Uri Kolodny.?

Starkware is a pioneering company that is building layer-two blockchains for Ethereum using zk-STARKs for computational security. With its innovative products StarkNet and StarkEx, and its strong ecosystem and investor support, Starkware is well-positioned to contribute to the scalability and adoption of Ethereum in the future.

Conclusion

Rollups have quickly become important tools for addressing Ethereum's fundamental speed and cost inefficiencies. The two main solutions, optimistic and zero-knowledge rollups, offer creative solutions to the problem. Using cryptographic proofs, ZK rollups seem to offer a more secure solution. However, optimistic rollups offer high EVM compatibility, which could serve as a crucial buffer until a ZK-EVM is introduced. In any case, these scaling solutions are spurring innovation, making the future of Ethereum quite exciting.?

- Paul Veradittakit

DISCLAIMER

Pantera Capital Puerto Rico Management, LP and its affiliates (“Pantera”) makes investments in crypto assets and in blockchain-related companies.?Pantera and/or its affiliates or personnel may be an investor in, or have relationships or other business arrangements related to, certain instruments, companies and/or projects discussed herein.?This document does not contain any advertisement for Pantera’s investment advisory services, or any other services or products, whether provided by Pantera or otherwise.?The information and opinions presented in this document are solely those of Paul Veradittakit; they do not represent, and should not be interpreted as representative of, the views of Pantera or any other individual working for Pantera, and do not represent investment, legal, tax, financial, or any other form of, advice or recommendations.?Neither Pantera nor Mr. Veradittakit is acting, or purports to act, as an investment adviser or in a fiduciary capacity with respect to any recipient of this paper.?Information contained in?this document?is believed to be reliable, but no representation is made regarding such information’s fairness, correctness, accuracy, reasonableness or completeness.?There is no obligation to update this document or to otherwise notify a reader if any matter stated statement or information contained here changes or subsequently is shown to be inaccurate.?Nothing contained herein constitutes any representation or warranty as to future performance of any financial instrument or company.?Forward-looking statements should not be relied upon, and performance or outcomes may differ materially from what is contemplated herein.?Opinions included here incorporate subjective judgments or may be based on incomplete information.?This document does not constitute or contain an offer to sell or a solicitation to buy any securities or a recommendation to enter into any transaction, and no reliance should be placed on this document in making investment decisions.?