
Source | aztec-protocol
Author | Zac

Hello everyone 👋 I'm Zac, the CEO of Aztec. We invented Plonk, a general-purpose ZK-SNARK technology, and zk.money, the world's first private rollup project and one of the L2 protocols recently deployed to the Ethereum mainnet.

As more and more Layer-2 teams deploy their technology to the Ethereum mainnet and continue to turn the vision of scaling Ethereum into reality, the Layer-2 landscape becomes more and more fascinating. But a user who has not yet joined this ecosystem and does not understand the terminology around Layer-2 can easily walk into a trap.

Disappointingly, most people who explain Layer-2 solutions do so out of self-interest and tend to favor a specific technology (i.e. yes, the one their protocol uses!). So how am I different from them? Absolutely not! But at least I'm speaking plainly and not pretending to be impartial, right?

What is L2 and why is it so important?

Eth 1.0 has limited transaction throughput, resulting in extremely high transaction fees. ETH transaction fees mainly come from:
➤ Fees for state storage changes
➤ Fees for transaction data
➤ Fees for computation

Layer-2 solutions delegate one or more of the above tasks to a secondary network built on top of Ethereum. Generally speaking, there are two types of Layer-2, each with its own security requirements and trade-offs: optimistic rollups and zk rollups. Aztec defines a third category: privacy rollups.

Optimistic Rollups

An optimistic rollup is like a miniature version of Ethereum: it is itself a network that can host smart contracts and transactions. An optimistic rollup periodically broadcasts blocks of transactions to a smart contract on Layer-1. These "blocks" include the complete transaction data for every transaction in the block, and nothing else. The smart contract on Layer-1 performs no computation and makes no storage updates, which drastically reduces the cost of publishing a block.
It is called an optimistic rollup because the scheme assumes every transaction is valid by default: the smart contract on Layer-1 does not directly check validity. Instead, if a user believes a transaction is invalid (e.g. a double spend), they can submit a "fraud proof". The Layer-1 smart contract then uses the block data published by the rollup to verify the validity of the suspect transactions. This operation is very costly, but it only has to be done when wrongdoing is suspected. If the malicious behavior is confirmed, the entity that published the optimistic rollup block (often called a validator) loses some of the cryptocurrency they staked. Optimistic rollups rely on this economic consensus to ensure transactions are legitimate.

[Image: waiting for fraud proofs slows down withdrawal times drastically]

The main cost of executing a transaction in an optimistic rollup is the cost of publishing the transaction data to the chain. All rollups face this data availability problem, optimistic or otherwise. To prevent their funds from being frozen, users need to be able to access all of the rollup's transaction data. Either the data is published on Layer-1, or users are asked to accept additional trust assumptions (for example, trusting that some side chain will let them access the data). As of this writing, if the rollup you are using does not post its transaction data on-chain, you can only hope that the centralized service you rely on doesn't freeze your funds.

Advantages:
➤ Rich functionality. The architecture of Eth 1.0 can be copied, so smart contracts are supported.

Disadvantages:
➤ Long withdrawal times. It takes about a week from the time a transaction is executed until it is deemed "safe and valid" (i.e. no fraud proof has been presented).

ZK Rollups

Computation and storage are handled by the secondary network.
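The fraud-proof life cycle described above, as an added toy model (not Aztec code or any production rollup contract): the L1 contract stores only the posted transaction data and the validator's claimed state root, re-executes a block only when someone submits a fraud proof, slashes the bond of a validator who posted an invalid block, and releases withdrawals only after the challenge window. The balance map, the bond size and the hash-based stand-in for a Merkle root are constructed assumptions.

```python
import hashlib, json
CHALLENGE_WINDOW = 7 * 24 * 3600  # about a week, as the article states
BOND = 10                         # constructed: stake each validator has posted

def state_root(balances):
    # Stand-in for a Merkle root: a hash of the canonical balance map.
    return hashlib.sha256(json.dumps(balances, sort_keys=True).encode()).hexdigest()

def apply_txs(balances, txs):
    # The rollup's execution rule; returns None on an overdraft (double spend).
    out = dict(balances)
    for sender, receiver, amount in txs:
        if out.get(sender, 0) < amount:
            return None
        out[sender] -= amount
        out[receiver] = out.get(receiver, 0) + amount
    return out

class L1RollupContract:
    """L1 side: stores posted tx data and a claimed root; executes nothing unless challenged."""
    def __init__(self, genesis, validators):
        self.blocks = [{"txs": [], "root": state_root(genesis), "time": 0}]
        self.bonds = {v: BOND for v in validators}
    def post_block(self, validator, txs, claimed_root, now):
        assert self.bonds.get(validator, 0) >= BOND, "validator is not bonded"
        self.blocks.append({"txs": txs, "root": claimed_root, "time": now, "by": validator})
        return len(self.blocks) - 1
    def fraud_proof(self, index, pre_state):
        # Expensive path: re-execute the disputed block from its published data.
        blk = self.blocks[index]
        if state_root(pre_state) != self.blocks[index - 1]["root"]:
            return False  # challenger's pre-state does not match the chain
        post = apply_txs(pre_state, blk["txs"])
        if post is not None and state_root(post) == blk["root"]:
            return False  # block was valid; the challenge fails
        self.bonds[blk["by"]] = 0  # slash the validator's bond
        del self.blocks[index:]    # roll back this block and everything after it
        return True
    def can_withdraw(self, index, now):
        # "Safe and valid" only once the window elapses with no successful challenge.
        return index < len(self.blocks) and now >= self.blocks[index]["time"] + CHALLENGE_WINDOW

def demo():
    # Constructed scenario: the second transfer is a double spend hidden by a forged root.
    chain = L1RollupContract({"alice": 5, "bob": 0}, ["val"])
    idx = chain.post_block("val", [("alice", "bob", 5), ("alice", "bob", 5)],
                           state_root({"alice": 0, "bob": 10}), now=100)
    early = chain.can_withdraw(idx, now=100 + 3600)  # an hour later: still locked
    caught = chain.fraud_proof(idx, {"alice": 5, "bob": 0})
    return early, caught, chain.bonds["val"], len(chain.blocks)
```

Note that the challenger needs the full published block data to re-execute; if that data were not on Layer-1, the fraud proof could not be built, which is the data availability problem the text describes.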
The L2 broadcasts the transaction data to the mainnet together with a validity proof: a mathematical proof that the transactions are valid. In other words, a batch of L2 transactions is aggregated into one big transaction and sent to a smart contract on L1.

The prefix "zk" in zkRollups stands for "zero knowledge". However, zkRollups provide no privacy: all transactions are public by default, just like optimistic rollups. They are called "zk" because such validity proofs are typically generated by zero-knowledge proof systems (e.g. ZK-SNARKs or ZK-STARKs).

The advantage is that there is less overhead for storage updates and computation on the Ethereum mainnet. There is no need to optimistically assume that a transaction is valid: once the proof verifies, the transaction is known to be valid. This means zkRollups have much faster withdrawal times than optimistic rollups and require fewer trust assumptions.

The elephant in the room is that zero-knowledge proofs add a staggering amount of computational overhead to a transaction. Creating a zero-knowledge proof for a computation is about a million times slower than running the computation directly! This is a rough estimate that varies with the computation involved, but it is accurate for the kinds of computation found in Solidity smart contracts.

zkRollups handle this by delegating proof generation to third-party "rollup providers" with massive computational resources. Users rely on these third parties to create transactions for them. Rollup providers can censor or front-run transactions, just as Ethereum miners can. The more computing power required, the fewer parties can act as rollup providers, so the censorship problem must be fully solved at the level of the protocol architecture.

When it comes to porting smart contracts to L2, the high computational overhead poses some challenges. Our goal is to be fully compatible with the EVM.
To achieve this goal, we must solve the million-times slowdown problem. The EVM is extremely SNARK-unfriendly, since its word size is 256 bits and it natively supports SHA3 and other SNARK-unfriendly hash functions. Even delegating proof generation to a third party with vast computing resources may not be sufficient. One possible solution is to implement the zkSNARK prover algorithm directly in silicon via FPGAs or ASICs; rollup providers would then need this hardware to create proofs.

Creating a zk proof is much slower than running a normal program. Our Plonk and Plookup research improved SNARK speed by an order of magnitude, but zkRollups still have performance issues compared to optimistic rollups.

Typically, SNARK and STARK programming languages have had to adapt to the inefficiencies of their underlying proof systems. These languages generally have difficulty implementing variable-length loops and dynamic memory access (such as dynamic arrays and vectors). Some of these issues were mitigated by our latest Plookup work, but not all. This means a zkRollup may require developers to port their contracts into a custom language (such as Starkware's Cairo).

One benefit of zkRollups that do not aim for full EVM compatibility is that transactions are cheaper: the amount of data broadcast per basic transaction can be reduced without having to follow EVM semantics. The Hermez network does just that.

Advantages:
➤ Transaction costs may be cheaper than optimistic rollups

Disadvantages:
➤ Adding features is slower than for optimistic rollups
➤ Reliance on third parties with custom hardware to generate proofs

Privacy Rollups

Aztec launched a privacy rollup on mainnet in March 2021. Users can shield ETH and send private transactions through zk.money, our web-based privacy wallet. The technology of privacy rollups is very similar to that of zkRollups, but their purpose is completely different.
Privacy rollups are designed to provide strong privacy guarantees to L2 users. Users hold funds anonymously. When a transaction is executed, both the sender and the receiver are anonymous, and even the transfer amount is encrypted. For this we use Plonk, a state-of-the-art zero-knowledge proof system. We invented Plonk in 2019, and it quickly became the industry standard among teams developing zero-knowledge proofs for blockchains.

Achieving privacy by design requires a very different rollup architecture from that of a zkRollup. Our approach is "privacy first", because we know that retrofitting a public L2 with programmable privacy usually means sacrificing user experience or radically refactoring the entire protocol.

The current Ethereum-based privacy solution is the mixer. Mixers can anonymize a user's funds, but can do little else. The full version of our privacy L2 will include more features:
➤ Fully programmable privacy smart contracts. Private currencies will support more advanced transaction logic
➤ Private ownership of NFTs
➤ The attributes of an NFT can be completely hidden and visible only to its owner
➤ Anti-money-laundering and KYC checks can be programmed directly into private tokens/dApps (e.g. KYC tokens: users can transact with trusted counterparties without learning their real identities)
➤ Private DeFi! This is a broad topic that deserves a whole article (coming soon!)

Advantages:
➤ Truly private transactions. Users' financial activity cannot be analyzed by third parties
➤ Rollup providers cannot censor or front-run user transactions either. To those providers, every transaction looks like a string of random numbers
➤ No fraud proofs required, so withdrawal times are short

Disadvantages:
➤ More expensive than a public L2 (but cheaper than mainnet) until data availability / Eth 2.0 launches
➤ Users must build the zk proofs for their private transactions locally and cannot delegate this to a third party, so the zk proof system must be lightning fast
➤ Privacy rollups are slower to add features than zkRollups and optimistic rollups, because of the performance limits of building proofs client-side. Programmability is possible, but it will be a while before full EVM compatibility is achieved.

Looking for a signal in the noise

Competition in the L2 field is fierce, and teams are under great pressure to release solutions before their peers and win a large number of users. This can lead to corner-cutting and to additional trust assumptions that are left ambiguous to users. The biggest problem right now is data availability: if an L2 does not publish its transaction data to the chain, the L2's administrator can freeze users' funds.

Every L2 team is working hard to push the boundaries of current scaling technology. While this is admirable, there is a good chance they are using technical jargon to hide a protocol's flaws. Users considering an L2 should judge whether the solution adequately answers the following questions:
➤ How does this L2 achieve data availability? If its transaction fee is more than 20 times lower than a normal transfer fee on Ethereum, it may not be broadcasting all the data to the chain
➤ Can users unilaterally withdraw funds from the L2 based only on information posted to the Ethereum mainnet?
➤ Does the protocol have a public technical description that third parties can verify?

In addition, for zkRollups and privacy rollups, users also need to consider the following:
➤ Is the on-chain data provably valid? Is all of this data passed as a public input to the rollup's circuit?
➤ Does the L2 rely on a centralized compute cluster to create rollups? If so, what plans are there to prevent censorship and front-running? How many rollup providers could there be once fully decentralized?

Vision of the future

The coming year promises to be a very exciting time in the L2 space.
Numerous protocols will be officially deployed on mainnet, and years of R&D and engineering work across the industry will come to fruition. For Aztec's privacy rollup, our focus is on bringing programmable privacy smart contracts to everyone. Our Plonk proof system and Noir programming language are designed to compile high-level programs into highly optimized ZK-SNARK circuits that are fast enough to build proofs in the browser. This technology will be the cornerstone of the Aztec 3.0 rollup architecture, in which users will be able to deploy custom circuits written in Noir.

By combining programmable privacy with scaling, we have added the last missing link to making web3 technology mainstream. Ultimately, web3 will be able to compete on the same footing as traditional web2 technologies, with strong privacy guarantees as the standard. We hope to foster a thriving private cryptocurrency and NFT ecosystem that can interact with more DeFi protocols and more traditional financial services in a privacy-preserving manner.

We launched zk.money to show everyone that this isn't some crazy futuristic technology. We have developed the key technologies needed to build this ambitious project, and now we are going to start working hard to realize our vision.
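The first data-availability question in the "Looking for a signal in the noise" checklist above (a fee far below an L1 transfer suggests the data is not on-chain) can be made concrete, as an added example that is not part of the original article: compute the gas floor for posting a transaction's bytes as L1 calldata and compare it with a plain ETH transfer. The gas constants are Ethereum's at the time the article was written (EIP-2028 calldata pricing, 21000 gas for a simple transfer); the two sample transaction encodings and the per-batch overhead are constructed, and the example also shows that the article's 20x rule of thumb depends on how compactly the rollup encodes its transactions.

```python
# Gas constants from Ethereum (EIP-2028 calldata pricing; simple transfer base cost).
NONZERO_BYTE_GAS = 16
ZERO_BYTE_GAS = 4
SIMPLE_TRANSFER_GAS = 21_000

# Constructed rollup-native transfer: 4-byte sender index, 4-byte receiver index,
# 8-byte amount. No signature is posted (it is checked off-chain or inside a
# validity proof), and small numbers are mostly zero bytes, which are cheap.
COMPRESSED_TX = (1).to_bytes(4, "big") + (2).to_bytes(4, "big") + (10**9).to_bytes(8, "big")
# Constructed EVM-style transfer: 20-byte from, 20-byte to, 32-byte amount and a
# 65-byte signature, modelled as 137 non-zero bytes (the worst case for calldata).
UNCOMPRESSED_TX = bytes(range(1, 138))

def calldata_gas(data: bytes) -> int:
    """Gas charged just to put these bytes into L1 calldata (EIP-2028)."""
    return sum(ZERO_BYTE_GAS if b == 0 else NONZERO_BYTE_GAS for b in data)

def rollup_tx_gas(tx: bytes, batch_size: int, batch_overhead_gas: int) -> float:
    """Per-transaction L1 gas when every byte is posted on-chain: the tx's own
    calldata plus its share of the batch's fixed cost (root update, proof or
    signature verification). batch_overhead_gas is a constructed assumption."""
    return calldata_gas(tx) + batch_overhead_gas / batch_size

def max_honest_discount(tx: bytes, batch_size: int, batch_overhead_gas: int) -> float:
    """How many times cheaper than a plain L1 transfer a fee can be while the
    rollup still publishes full transaction data on Layer-1."""
    return SIMPLE_TRANSFER_GAS / rollup_tx_gas(tx, batch_size, batch_overhead_gas)

def suspicious(quoted_discount: float, tx: bytes, batch_size: int, batch_overhead_gas: int) -> bool:
    """The article's rule of thumb made concrete: a quoted fee reduction beyond
    what full calldata publication can deliver means the rollup is probably
    not posting all of its data to the chain."""
    return quoted_discount > max_honest_discount(tx, batch_size, batch_overhead_gas)

if __name__ == "__main__":
    for name, tx in (("compressed", COMPRESSED_TX), ("evm-style", UNCOMPRESSED_TX)):
        ceiling = max_honest_discount(tx, batch_size=1000, batch_overhead_gas=500_000)
        print(f"{name}: {calldata_gas(tx)} gas of calldata, at most "
              f"{ceiling:.1f}x cheaper than an L1 transfer with full data on-chain")
```

With these constructed numbers a 20x discount is achievable for the compact encoding (ceiling about 33x) but not for the EVM-style one (ceiling about 8x), so the check has to be made against the rollup's actual per-transaction byte count rather than a fixed ratio.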