ZK-Rollups, ZK-SNARKs, ZK-STARKs and Validity Proofs: Everything you need to know

Zero-Knowledge Rollups (ZK-Rollups) are L2 scalability solutions designed to increase the performance of distributed technologies (DLT), particularly in the context of blockchains, by moving state computation and storage off-chain. They can process thousands of transactions in batches, sending only minimal summary data and cryptographic proofs to the main chain (L1) to ensure the correct execution of those transactions.

What are ZK-rollups?

ZK-rollups are L2 solutions that aggregate and process off-chain transactions to minimize the amount of data published on the main chain. They use cryptographic validity proofs, known as zero-knowledge proofs (ZK-proofs), to confirm that state changes are correct without revealing sensitive information.

By performing computation off-chain, ZK-rollups significantly improve efficiency while maintaining security. Instead of sending each transaction individually, operators or sequencers send a cryptographic proof that summarizes all state changes. A smart contract on L1 manages the rollup state and updates it based on these validity proofs.

ZK-rollups are different from optimistic rollups in that they provide immediate verification of transaction validity, eliminating the delays in withdrawals common to optimistic rollups. In addition, ZK-rollups use data compression techniques to minimize the amount of information stored on-chain, providing a scalable and cost-effective solution ideal for decentralized exchanges and other complex decentralized applications.

The blockchain trilemma

As mentioned in the previous article, one of the biggest challenges in distributed networks is the blockchain trilemma, which states that improving one aspect – scalability, decentralization, or security – often means compromising one of the others. In this context, ZK-rollups present themselves as a promising solution to address this trilemma.

Decentralization: Although ZK-rollups are typically managed by a centralized operator, they allow participants to independently verify the validity of transactions by submitting validity proofs on-chain. This reduces the concentration of control and encourages greater participation in the validation process.

Security: Unlike optimistic rollups, which can cause delays in validation, ZK-rollups guarantee the correctness of transactions through zero-knowledge proofs. These proofs provide strong assurance that state changes are valid and cannot be altered without invalidating the proof.

Scalability: By moving the main state computation and storage off-chain, ZK-rollups can process thousands of transactions in batches, submitting only the minimal data and cryptographic proofs needed on the main chain. This not only improves processing capacity, but also reduces the costs associated with submitting data to the main chain.

How do ZK-rollups work?

ZK-rollups work by processing off-chain transactions while ensuring security and validity through cryptographic proofs published on-chain (L1). The following is a detailed breakdown of how ZK-rollups work:

Off-chain transaction processing

In ZK-rollups, transactions are executed outside of L1, specifically on L2. Users send their transactions to L2, where an operator batches them. These transactions are processed off-chain, but their integrity is guaranteed by cryptographic proofs so that they can be verified on L1 without having to be processed there. This method allows ZK rollups to handle a large volume of transactions while avoiding overhead L1, significantly improving scalability.

On-chain compressed data submission

After batch processing, ZK-rollups publish the compressed transaction data to L1 via the calldata, a special feature of smart contracts. This minimizes storage costs on-chain as only essential data is published in compressed format. Even though the data is compressed, any participant in the network can reconstruct the rollup state to independently verify the transactions, ensuring transparency and security of the system.

State commitments and cryptographic verification

The state of the ZK-rollup is efficiently stored in a structure known as a Merkle tree. After processing a batch, the operator generates a new “state root”, a hash summarizing the updated rollup state. This root, along with a cryptographic validity proof, is published on L1. Merkle’s proof allows any user to verify that a particular transaction was included in the batch without having to download the entire rollup history. This ensures that transactions are verifiable, maintaining the integrity of the system without overloading the L1.

Zero-knowledge proofs (ZK-SNARKs and ZK-STARKs)

To ensure that transactions processed off-chain are valid, ZK-rollups rely on validity proofs that cryptographically ensure that the state transition presented is correct. These validity proofs prevent malicious actors from altering the state (e.g., by transferring funds to their own accounts). ZK-rollups use two main types of zero-knowledge proofs: ZK-SNARKs and ZK-STARKs.

ZK-SNARKs (Zero-Knowledge Succinct Non-Interactive Arguments of Knowledge)

ZK-SNARKs allow for quick verification of complex calculations in the chain. A set of public parameters known as the Common Reference String (CRS) is used to generate and verify these proofs. The CRS is essential to ensure that transactions are securely validated, but its creation requires a trusted setup where participants contribute randomness that must be destroyed after use to avoid vulnerabilities. If the CRS generation process were compromised, it could result in the generation of false validity proofs. To mitigate this risk, some ZK-rollups perform a multi-party computation ceremony MPC in which multiple participants collaborate on CRS generation. As long as at least one of them destroys its randomness, the process is considered secure. ZK-SNARKs are particularly valued for their efficiency, as they produce small proof sizes and low verification costs, making them a popular choice for rollups that require high scalability.

ZK-STARKs (Zero-Knowledge Scalable Transparent Arguments of Knowledge)

ZK-STARKs, on the other hand, eliminate the need for a trusted setup by relying on publicly verifiable randomness to generate their parameters. This improves both the transparency and security of the system by eliminating the risks associated with the trust configuration required by ZK-STARKs. In addition, ZK-STARKs are scalable, and the time required to validate and verify computations grows almost linearly with the complexity of the underlying computation, making them ideal for cases involving large data sets or more complex operations.

A key aspect of ZK-STARKs is their quantum-resistant computation, which makes them more secure against future attacks by quantum computers than ZK-SNARKs, which rely on Elliptic Curve Cryptography (ECC) and could be vulnerable to such attacks. However, ZK-STARKs also have a disadvantage: they generate bigger proofs, resulting in higher verification costs on the main chain. However, both types of proofs ensure that state transitions in the rollup are valid, thus keeping the computational burden off the main chain.

On-chain verification

Once a batch of transactions is processed on L2, the operator sends the corresponding validity proof to the smart contract on L1. This contract verifies the proof and, if valid, accepts the new state root, thereby confirming that the rollup state has changed correctly. This process ensures that any malicious activity is detected and invalid lots are rejected, ensuring the security of the rollup.

Deposits and Withdrawals

Deposits: Users can access the ZK-rollup by depositing funds into the rollup’s smart contract on L1. Once a user makes a deposit, it is placed in a queue to be processed by the rollup operator. Once the transaction is processed, the user’s account in the ZK-rollup is updated to reflect the deposit, allowing the user to begin executing transactions within the rollup.

Withdrawals: To withdraw funds from the ZK rollup, the user must initiate a transaction within the rollup that sends their funds to a designated burn account. This transaction will be included in the next batch of transactions to be processed. To complete the withdrawal in L1, the user must submit a withdrawal request to the rollup contract in L1 that includes the following elements:

• A Merkle proof that verifies the user’s withdrawal transaction within the rollup.
• The transaction details and the batch root.
• The address where the user wants to receive their funds.

The rollup contract on L1 hashes the transaction data and compares it to the batch root using the Merkle proof. If everything is valid, the contract releases the funds to the address specified by the user on L1. This process ensures that the ZK-rollup securely and efficiently handles a large volume of off-chain transactions while maintaining scalability and trustless settlement.

Key components of ZK-rollups

ZK-rollups operate under smart contracts on-chain that manage their state and verify validity proofs generated off-chain. Key components include:

On-chain contracts

These smart contracts are the core of the ZK-rollup management. Their features include:

• Rollup block storage: Contracts store compressed transaction data and update the rollup status on L1.
• Deposit and withdrawal management: Monitor the inflow and outflow of funds between L1 and L2.
• Verifier contracts: These contracts are responsible for validating the validity proofs generated outside the main chain by the rollup operators, ensuring that changes to the rollup status are correct.

Off-chain Virtual Machine (VM)

The real execution of transactions in ZK-rollups takes place in an off-chain virtual machine acting as L2. The following tasks are performed in this environment:

• Transaction submission: User transactions are executed off-chain, allowing for high scalability.
• Generation of validity proofs: This machine generates zero-knowledge cryptographic proofs (ZK-SNARKs or ZK-STARKs) that are sent to L1 for verification, proving the correctness of transactions without having to execute them directly on the main chain.

How ZK-Rollups ensure security

ZK-rollups rely on the main chain (L1) for several important functions:

Data availability

Each off-chain transaction in a ZK-rollup generates essential data that is published to L1, allowing the rollup state to be reconstructed and independently verified. This process is performed using calldata, which minimizes the amount of data that needs to be stored on-chain. Although validity proofs validate transactions, the availability of some data on L1 remains critical to ensure transparency and prevent operators from censoring or blocking users.

Transaction finality

The main chain acts as the settlement layer for ZK rollups. Transactions are not considered final until the corresponding validity proof is accepted by the contract on L1. This approach ensures that all off-chain transactions are verified and, once accepted on L1, become irreversible, guaranteeing the security of the system.

Censorship resistance

Although ZK-rollups rely on a trader to aggregate and process transactions, these systems are designed to resist censorship attempts. In the event that a trader attempts to block a user’s transactions, the user can interact directly with the smart contract on L1 to withdraw their funds or complete other transactions, protecting their ability to interact with the network.

ZK-rollups workflow summary

• Transaction submission: Users submit their signed transactions to a ZK-Rollup operator.
• Batching and aggregation: The operator groups multiple transactions into a batch for efficient processing.
• Proof generation: A validity proof (ZK-SNARK or ZK-STARK) is generated to ensure the validity of the batch.
• On-chain commitment: The batch and proof are sent to L1 as calldata. The main chain verifies the proof without having to process each transaction individually.
• State root update: If the proof is valid, the rollup state root is updated on L1, ensuring state transitions and validating transactions processed off-chain.

How do validity proofs work in ZK-Rollups?

Validity proofs are the core of security in ZK-rollups. These cryptographic proofs allow the correctness of transactions processed off-chain to be verified without having to execute each transaction on L1. The process is described in detail below:

Proof generation

Before processing a batch of transactions, the ZK-rollup operator performs a series of basic proofs to validate each transaction:

• Account verification: both the sender and receiver of the transaction are verified to exist in the rollup status tree.
• Balance check: The operator ensures that the sender has sufficient funds to complete the transaction.
• Transaction validity: The transaction is confirmed to match system rules, including matching the sender’s public key.
• Nonce validation: The nonce is verified to match the expected nonce, preventing replay attacks.

Once enough transactions are collected, a cryptographic proof (based on ZK-SNARK or ZK-STARK) is created that compresses all relevant batch information into a compact proof. This proof includes:

• Merkle tree root: Represents all accounts and transactions within the batch.
• Merkle proofs: Confirm that each transaction is correctly included in the state tree.
• Intermediate state roots: Reflect changes in the rollup state as each transaction is processed.

Validation process

The validation process performs a series of checks on each transaction, emulating the work of the operator, but in a cryptographically secure manner. For each transaction, the process follows the steps below:

• Sender verification: The circuit verifies the existence of the sender in the current rollup state tree using a Merkle test.
• Update Sender’s State: The sender’s funds are deducted and its nonce is updated, generating a new version of the account data, which is re-hashed to generate a new state root.
• Receiver update: Similarly, the circuit checks the receiver’s account and adjusts its balance, generating another new state root.
• State root update: This process is repeated for each transaction, continuously updating the rollup state root to ensure that all changes are correctly reflected.

At the end of the processing of all transactions, the last calculated status root becomes the new official or canonical status root of the ZK-rollup.

Proof verification

Once the validity proof is generated, the operator sends it to the verifier contract on the main chain (L1). The verifier contract checks the following elements:

• Pre-state root: The status of the rollup before the transaction batch is processed.
• Post-state root: The updated state of the rollup after all transactions have been processed.
• Batch root: The Merkle tree that represents the entire transaction batch.
• Transaction inputs: The specific details of each transaction in the batch.

If the proof is valid, the verifier contract confirms that the rollup has passed correctly and securely between the upstream and downstream states. This ensures the integrity of the transaction batch. The state tree on L1 is then updated to reflect the new post-state root, which now represents the current and correct state of the ZK-rollup.

Advantages of ZK-rollups

• Scalability: ZK-rollups can handle thousands of off-chain transactions, offloading the L1.
• Trustless security: They use cryptographic mechanisms that guarantee security, eliminating reliance on the honesty of incentivized actors, a critical aspect of optimistic rollups.
• Truth assurance: Validity proofs provide strong assurance that off-chain transactions are correct, preventing operators from executing invalid state transitions.
• Data security: They store essential data to retrieve the off-chain state directly in the L1, providing greater security, censorship resistance, and decentralization.
• Cost efficiency: By processing off-chain transactions and submitting only the necessary data to the main chain, ZK rollups significantly reduce gas costs for users.
• Instant confirmation: Validity proofs provide immediate confirmation of transaction validation, eliminating long wait times.
• Interoperability: They can be easily integrated with different applications and smart contracts on L1, allowing for greater flexibility in the use of assets and services.
• Privacy: ZK-rollups can implement private transactions because zero-knowledge proofs allow transactions to be validated without revealing details about them. This is particularly useful for applications that require data confidentiality.
• Resilience to attacks: By relying on cryptographic proofs instead of operator honesty, ZK-rollups are less vulnerable to malicious attacks such as abuse of centralized power.
• Potential decentralization: Although they often have a centralized operator, the verification mechanisms allow participants to independently verify the validity of transactions, which can encourage further decentralization as more users become involved in validation.
• Ease of use: Users can more easily interact with the ZK-rollup because transactions can be processed quickly, improving the overall user experience compared to slower solutions.

Disadvantages of ZK-rollups

• High cost of validity proofs: The computational overhead associated with generating and verifying validity proofs can be significant, which could result in higher fees for rollup users.
• Complexity of EVM compatibility: Developing EVM-compliant ZK-rollups presents significant challenges due to the inherent complexity of zero-knowledge technology.
• Centralization risk: Producing validity proofs often requires specialized hardware, which can encourage centralization and leave the process under the control of a small number of parties.
• Transaction ordering influence: Centralized operators or sequencers have the ability to influence the order of transactions, which can lead to unfair practices or preferential treatment.
• Participant limitations: Hardware requirements associated with ZK-rollups can limit the number of participants able to advance the chain, increasing the risk of malicious actors freezing the rollup state and censoring users.
• Trusted setup vulnerabilities: Some proofs of systems, such as ZK-SNARKs, require trust setup that, if mishandled, could compromise the overall security model of the ZK-rollup.

These disadvantages are important to consider when evaluating the implementation of ZK-rollups in blockchain projects, as they may affect their long-term viability and effectiveness.

Conclusion

In summary, ZK-rollups are an innovative Layer 2 scaling solution that uses validity proofs to perform off-chain computations, minimizing the amount of transaction data stored on the main chain. While they offer significant scalability and security benefits, the high cost of SNARK test generation and data availability challenges pose significant operational headaches. These factors may make ZK-rollups less attractive for general purpose applications on the Ethereum Virtual Machine (EVM).

In the following article, we will compare optimistic rollups and ZK-rollups in detail to analyze their differences.

In addition, we invite you to watch an instructional video on YouTube that explains how ZK-rollups work in a visual and detailed way.

Resources:
[1] Ethereum.org – zk-rollups
[2] Hacken.io – zk-rollups explained
[3] Zkproof.org
[4] ieeexplore.ieee.org – Blockchain Scaling Using Rollups

FAQs

At Block&Capital, we strive to create an environment where growth and success are accessible to all. If you’re ready to take your career to the next level, we encourage you to join us.