Comprehensive interpretation of Polygon's zk expansion plan: Hermez, Nightfall, Miden and Zero
Chain Catcher
2022-03-24 08:30
What are the specific technical characteristics and development progress of these four solutions?

Author: Pedro, author of Polygon DAO

Compiled by: Hailsman, Chain Catcher

For a long time, the Ethereum L2 battle has centered on ZK Rollup and Optimistic rollup. Because of OP's EVM compatibility and mature technology, it is easier for project developers to adopt, so OP is currently the more general and mainstream choice. According to L2BEAT data, just three projects using the OP solution, Arbitrum, Optimism, and Metis, account for 70.8% of the L2 market share. ZK rollup, by contrast, currently has a relatively low adoption rate and market share because it is difficult to develop and its technology has progressed slowly.

As the Ethereum expansion solution with the highest total lock-up volume at present, Polygon firmly bets the future of expansion on zk technology. Last year, Polygon acquired Hermez and Mir in a big way, and made a $1 billion promise for zk expansion.

Now, Polygon has a "whole set" of zk expansion solutions, namely Hermez, Nightfall, Miden, and Zero. Although the four expansion schemes are all based on zk technology, each has its own strengths and strategies. So, what are the specific technical characteristics and development progress of these four solutions? Which one is more likely to break through first?

In this article, we will discuss these four zk solutions in detail, including their development history, operating mechanisms and development progress. The following content is compiled from Polygon DAO columnist Pedro.

1. Polygon Zero

Polygon Zero is a ZK L2 solution powered by Plonky2, the fastest and most efficient recursive proof system. Formerly known as the Mir Protocol, it was built in 2019 by Predicate Labs, founded by Brendan Farmer and Daniel Lubarov. The distinguishing feature of the Mir protocol is that recursive ZKPs (zk-proofs) are generated during the execution of the program. In short, a recursive proof is a proof about other proofs: it is used to verify that a set of transaction proofs is valid.

Recursive proofs are a very young technology, first introduced theoretically in 2014. In 2019, Mir was able to generate a recursive proof within 2 minutes. That is obviously not a short time, and the approach lacked scalability.

In 2020, due to the exploration of the Aztec team, Mir made a huge breakthrough, realizing the generation of recursive proofs within 60 seconds. Based on this, the Mir team developed Plonky, which allows the Mir protocol to generate recursive proofs within 15 seconds.

In December 2021, Polygon acquired Mir for $400 million, and the protocol was renamed Polygon Zero. Mir's original idea of building an independent, zk-enabled L1 chain turned into a distributed zk-rollup built on top of Polygon.

1. Plonky2

Plonky2 is an iteration of Plonky1, which, as mentioned earlier, builds on the verification system built by Aztec in 2020.


One common thread between all three is Plonk, so we need to figure out what Plonk is first.

ZKP refers to generating a proof of the validity of a computation without revealing the underlying information. No information is leaked; only the proof is generated.

The two main ZKPs are SNARKs and STARKs.

SNARK and STARK comparison, source: Consensys official website

SNARKs have smaller proofs, which means less on-chain data storage and less gas paid by end users. Although SNARKs are more developer-friendly, STARKs offer some unique advantages, such as being more transparent, not requiring a trusted setup, and being "quantum-safe", with greater potential in the future. These advantages have also led Vitalik to say that STARK is actually a "newer and more dazzling" technology.

However, SNARK was proposed and put into use as early as 2012, while STARK was only proposed in 2018, so SNARK has a great first-mover advantage in terms of adoption. At present, Zcash, Loopring Protocol, and JPMorgan Chase have all adopted SNARK technology, and because of this wide adoption, SNARK has more released code, developer libraries, projects and developers. As a rising star, though, STARK is also being adopted by more projects because of its unique advantages.

Plonk is the name of the proof system, which is a kind of SNARK proof system.

Next, I will analyze several different types of solutions combined with Plonk:


Aztec's recursive proof time using Plonk + KZG is 60 seconds;

Plonky1 uses Plonk + Halo, and the recursive proof time is 15 seconds. First launched by Zcash in 2019, Halo is the first recursive proof scheme that does not require a trusted setup. But the disadvantage of Halo is that it is not compatible with Ethereum, which is why Mir initially wanted to build an independent L1 chain;

Plonky2 uses Plonk + FRI with a recursive proof time of 170 milliseconds. In 2021, Daniel Lubarov, head of Polygon Zero, proposed to combine FRI with Plonk.

FRI is a solution for STARK, which means that by using FRI, Plonk becomes STARK (Plonk was originally a type of SNARK), which also means increasing the transparency of the system. At the time, only one project (Fractal) implemented recursive FRI proofs, and the protocol had a proof time of ~10 minutes and was not scalable.


2. What is Plonky2 building?

As mentioned earlier, Polygon Zero is ultimately building the most scalable zkEVM powered by Plonky2.

That is, each zk-rollup requires a zkEVM to actually handle the computation. The zkEVM for Polygon Zero's zk-rollup will be powered by Plonky2, the most efficient and fastest zk proof system currently available.


3. The difference between Polygon Zero and Starkware

Most rollups, including Starkware, bundle transactions and generate a proof that each transaction in that bundle is valid.

Polygon Zero uses recursive proofs, so a very fast proof is generated for every transaction simultaneously. These individual transaction proofs are then bundled together to create larger proofs, that is, proofs that verify the validity of other proofs.


2. Polygon Hermez

Five years ago, three colleagues from the same MBA program, Jordi Baylina, David Schwartz and Antoni Martin, started a company called Iden3. Their first project was an identity solution that at the time was called "Self-Sovereign Identity" (Self Sovereign ID, SSI for short), which is essentially the same concept as today's popular decentralized identity (DID).

But these three people gradually realized in the process of developing the SSI project that in order to further make SSI mainstream, it is necessary to make the existing blockchain fully scalable. After that, the trio decided to move on to a new project, Hermez.

Hermez is a decentralized L2 rollup solution based on zk technology. Hermez 1.0 is the currently live payment platform that allows users to transfer any registered ERC-20 token from one Hermez account to another through a simple to use web or mobile interface. Last July, the team announced the development of zkEVM, Hermez 2.0, which will bring a fully compatible zkEVM to Ethereum when completed.

1. Hermez 1.0

Hermez originally started as a zk-rollup focused on scaling payments and token transfers on Ethereum.

A rollup packs a batch of transactions (thousands of them) and executes them off-chain at once. When these thousands of transactions are executed off-chain, in Hermez's case, a zk-SNARK is generated. Rather than Ethereum verifying individual transactions, the SNARK proves the validity of every transaction in the batch, and Ethereum then verifies the SNARK.

Compared with Optimistic rollup, zk rollup can take effect immediately and realize instant withdrawal, while Optimistic rollup has to wait for 7 days. This ability to efficiently verify proofs in constant time is at the heart of all zk rollups.

Hermez has a processing speed of 2000 TPS. According to the Hermez team, the processing speed will be greatly improved in the future.

Three different transactions are available on Hermez:

Deposit: Send any registered ERC-20 token from L1 Ethereum to L2 Hermez. Deposits require an Ethereum gas fee.

Transfer: Send any registered ERC-20 token from one Hermez account to another, cheap and instant.

Withdrawal: Send ERC-20 tokens from L2 Hermez back to L1 Ethereum. Withdrawals are subject to Ethereum gas fees.

One thing to note when withdrawing is that Hermez provides a protection mechanism, "forced withdrawal", which allows users to transfer funds from L2 Hermez back to L1 Ethereum at any time, even if the coordinator is trying to do evil.

Coordinator and proof of donation

The coordinator is the Hermez version of the block producer. These people prove the validity of off-chain transactions by generating zk-proofs.

The coordinator is the one who bundles the transactions, aggregating all transaction requests into one unit. Each rollup batch executes thousands of transactions and then generates a zk-proof, which is verified by the smart contract on Ethereum.

Hermez is decentralized because anyone can become a coordinator and earn rewards for their services. There can be any number of coordinators on the network at the same time, but only one can actually process transactions and receive rewards at any given time period (10 minutes long).

The Hermez network selects the next coordinator through an auction process. Basically anyone can bid using MATIC tokens, and the highest bidder wins the right to process as many transactions as possible within 10 minutes until the next coordinator is selected. This is a very efficient process as it requires the coordinator to make as many trades as possible during those 10 minutes in order to get more rewards than bids.

If a coordinator's bid is unsuccessful, the MATIC tokens are returned to the original wallet, and the funds from the winning bid are used for the following three purposes:

  • 30% permanently destroyed

  • 40% goes to a donation account managed by the Ethereum Foundation

  • 30% goes to network incentives to help drive further adoption of the Hermez network.
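The slot auction and the 30/40/30 split described above can be worked through in code. The following is an added illustration, not Hermez's contract code: the names `Bid`, `Settlement`, `settle_slot`, `split_winning_bid` and `coordinator_profit`, the earliest-bid tie-break, and sending rounding dust to the burn are all assumptions made for the example, and the sample bids are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Split of the winning bid as described in the article, in percent.
SPLIT_PERCENT = {"burn": 30, "donation": 40, "incentives": 30}


@dataclass(frozen=True)
class Bid:
    bidder: str   # hypothetical coordinator label
    amount: int   # bid in the token's smallest unit (integers avoid float rounding)


@dataclass(frozen=True)
class Settlement:
    winner: Optional[str]
    winning_bid: int
    refunds: Dict[str, int]      # losing bids returned to their bidders
    allocation: Dict[str, int]   # how the winning bid is distributed


def split_winning_bid(amount: int) -> Dict[str, int]:
    """Apply the 30/40/30 split without creating or losing any units."""
    shares = {name: amount * pct // 100 for name, pct in SPLIT_PERCENT.items()}
    # Assumption: rounding dust left by integer division is added to the burn.
    shares["burn"] += amount - sum(shares.values())
    return shares


def settle_slot(bids: List[Bid]) -> Settlement:
    """Pick the coordinator for one 10-minute slot and settle every bid."""
    if any(bid.amount <= 0 for bid in bids):
        raise ValueError("bids must be positive")
    if not bids:
        return Settlement(None, 0, {}, split_winning_bid(0))
    # max() returns the first maximal item, so the earliest of equal bids wins
    # (assumed tie-break rule).
    winner = max(bids, key=lambda bid: bid.amount)
    refunds: Dict[str, int] = {}
    for bid in bids:
        if bid is not winner:
            refunds[bid.bidder] = refunds.get(bid.bidder, 0) + bid.amount
    return Settlement(winner.bidder, winner.amount, refunds,
                      split_winning_bid(winner.amount))


def coordinator_profit(settlement: Settlement, fees_collected: int) -> int:
    """Fees earned during the slot minus the bid paid to win it."""
    return fees_collected - settlement.winning_bid


# Constructed sample bids for one slot (not real network data).
SAMPLE_BIDS = [
    Bid("coordinator-a", 1_000),
    Bid("coordinator-b", 1_333),
    Bid("coordinator-c", 1_333),
]

if __name__ == "__main__":
    result = settle_slot(SAMPLE_BIDS)
    print(result)
    print("profit with 1500 in fees:", coordinator_profit(result, 1_500))
```

A negative result from `coordinator_profit` is the case the text alludes to: the winner has to process enough transactions in its slot for the fees to exceed the bid.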

2. Hermez 2.0

Last July, during the EthCC 4 conference, the Hermez team announced that it is developing zkEVM, Hermez 2.0.

We all know that the main reason most L2s have adopted the Optimistic approach, while ZK has not really taken off yet, is that ZK is not yet EVM compatible. zkEVM is meant to solve this problem and run smart contracts on zk-rollup.

At present, many projects are also developing zkEVM. In the Polygon ecosystem alone, there are two solutions, Polygon Zero and Polygon Hermez. However, each project is addressing this problem in a different way, and each has its own tradeoffs.

The distinguishing feature of Hermez is that it is compatible with Ethereum in terms of tools, ecosystem and security. This means that, ideally, smart contracts that run on Ethereum can run on L2 Hermez, providing a frictionless experience for developers. As soon as Optimism and Arbitrum were launched, they attracted a number of projects and users to migrate over. It is not difficult to imagine that when zk-rollup matures, it will have even stronger network effects.

Hermez founder Antoni Martin described zkEVM by saying: "If you take advantage of the best parts of each solution, you can make the best car...". Therefore, Hermez adopted both the SNARK and STARK ZKP schemes when developing zkEVM, striving for the best of both worlds.

Specifically, when Hermez processes transactions and generates new blocks off-chain, a STARK proof is generated proving that these transactions are all valid. The problem with the STARK proof is that verifying it on-chain (on Ethereum) is very expensive, and this is where the SNARK comes into play: all it needs to do is verify the validity of the STARK proof on Ethereum.


Hermez 2.0 (zkEVM) Features


3. Polygon Nightfall

In September last year, Polygon established a partnership with the global professional services and technology company Ernst & Young (EY), and then released Polygon Nightfall.

Ernst & Young announced the initial version of Nightfall in 2019. What sets it apart most from other zk solutions is that Nightfall is a privacy-focused rollup, which EY has positioned as “one of the most prominent privacy solutions on Ethereum.” Specifically, every transaction on Nightfall is private, meaning that if Alice sends an asset to Bob, no one else can see what that asset is, how much value it contains, or where it went.

The reason for this emphasis on transaction privacy is that Ernst & Young's target customers are enterprises. At the beginning, Nightfall tried to build the first enterprise-level blockchain directly on Ethereum, but finally found that having privacy on the Ethereum mainnet was too expensive, so they switched to L2 and finally chose to cooperate with Polygon.

The Polygon Nightfall jointly released by the two is the Nightfall 3.0 version, after many iterations. Its most prominent feature is that it effectively combines the backbone concept of Optimistic Rollup with the zero-knowledge (ZK) cryptography commonly used in ZK-Rollups, thus achieving the fusion of scalability and privacy.


1. How does Nightfall work?


Polygon Nightfall is essentially an Optimistic Rollup that uses zk cryptography to protect privacy. The cooperation between Polygon and Ernst & Young focuses on using Nightfall technology to build an industrial chain, enabling enterprises to link to L1 at a predictable low cost and under regulatory guidance.

The following figure shows the specific operation mechanism of Nightfall:

We can currently attribute the scalability bottleneck to "state", because of the high cost of storing data on-chain. Therefore, the goal of scaling solutions is to continuously reduce the amount of data stored on-chain. Nightfall uses the lower-cost Optimistic rollup approach to reduce storage.

Usually, there is a 7-day challenge period when using the Optimistic rollup scheme, which means that you need to wait 7 days to withdraw from L2 to the Ethereum mainnet. Nightfall improves on this by giving users the option to "withdraw instantly". It works by having a liquidity provider swap positions with the user in the transaction: the provider first advances the funds required for the instant withdrawal and then holds the user's position for the 7-day waiting period.

Nightfall wants transactions to be private at the same time. So, on top of the Optimistic Rollup, Nightfall adds an additional layer of zk privacy to keep transactions private.

Nightfall VS Aztec


The image above shows two different ways to enable privacy. Polygon Nightfall on the left uses an Optimistic rollup with zk cryptography, and Aztec on the right uses a zk rollup with zk cryptography. I believe that the ideal solution is a zk/zk approach like Aztec, but at the moment, this solution is too expensive. So, to a certain extent, Nightfall is more like a compromise solution that can be used immediately. The Nightfall team will eventually switch to the zk/zk scheme once the zk fee is resolved.


2. Specific use cases

  • Financial corporates and institutional investors: Nightfall's unique privacy creates a huge opportunity for portfolio managers looking to keep transactions and swaps private.

  • Provide supply chain traceability for enterprises: enterprises can process supplies, execute sales orders, private payments, etc. through Nightfall. At present, a brewery is already using Ernst & Young's Nightfall supply chain for traceability transactions, and enterprises can easily track how much beer is there, where it is, how much it is transported, etc. In addition, a pharmaceutical company uses Nightfall to mint every product on the production line into an NFT, generating approximately 60,000 NFTs per day.


4. Polygon Miden

In November last year, Polygon announced the launch of Miden, a zk-STARKs-based scaling solution. The project is led by a former core zero-knowledge proof technology researcher at Facebook who once led the development of Winterfell.

Polygon Miden is a zk rollup based on STARK. Its distinguishing feature is that it aims to solve the challenge that rollups have difficulty supporting arbitrary logic and transactions. A rollup reduces on-chain data storage by packaging transactions, which can reduce congestion and lower transaction costs, but it is difficult to support the verification of an arbitrary transaction in the transaction package, which affects its ability to verify all off-chain transactions. Polygon Miden addresses this, one of the biggest challenges of zk rollups today, by using the Miden VM (Virtual Machine).

There are two core components of the Polygon Miden framework: Distaff VM and Winterfell.

Distaff VM is a zk-EVM. Whenever a program is executed in zk-VM, a zk-proof of execution is generated to verify that the program runs correctly without actually running the program. Distaff is a STARK based virtual machine.

For any program executed on the Distaff VM, a STARK-based proof of execution is automatically generated. Anyone can then use this proof to verify that the program executed correctly without re-executing the program or even knowing what the program was.

Miden VM adopts Distaff VM and adds a more efficient proof system, Winterfell, to it. Winterfell is a full-featured, multi-threaded STARK prover and verifier for arbitrary computation; it is essentially the latest version of STARK proofs, with higher performance.

Once developed, any project can deploy smart contracts on top of this zk-rollup.


  • The transaction will first be distributed to the execution node of Miden;

  • These execution nodes bundle 5000 transactions into blocks at a time and generate a STARK proof;

  • A STARK proof is generated for every 200 blocks of bundled transactions to prove the validity of the transactions;

2. Highlights of Miden VM:

  • Developer friendly: The goal of Miden is to allow developers to run smart contracts on top of this zkVM without even having to learn anything about cryptography or zk proofs.

  • Multiple programming languages are supported: The team is working on adding support for multiple programming languages, but at the same time keeping Solidity a priority.

  • Focus on safety: Through zk technology, Miden VM is more secure than EVM itself.

  • Focus on privacy: Although this is not the current focus, the Miden team has deployed relevant development plans in the roadmap.

Summary:

Finally, let’s quickly compare Polygon’s four zk expansion solutions:

Polygon Zero has developed a SNARK-based recursive proof system, Plonky2, which can generate recursive proofs in less than 170 milliseconds on a MacBook Pro. On top of such an efficient and fast proof system, Polygon Zero will eventually develop the most scalable zkEVM.

The distinguishing feature of the zk rollup developed by Hermez is that the coordinator is selected through an auction. The winning coordinator will process as many transactions as possible within its time slot in order to make a profit, so this competition mechanism brings high transaction efficiency. In addition, Hermez is also developing zkEVM, and adopts two ZKP schemes, SNARK and STARK, to strive for the best of both worlds.

Nightfall is more special. The most different point from other zk solutions is that Nightfall is a privacy-focused rollup, and its customers are enterprises. In addition, Nightfall effectively combines the backbone concept of Optimistic Rollups with zero-knowledge (ZK) cryptography commonly used in ZK-Rollups, resulting in a fusion of scalability and privacy.

The core product of Miden is Miden VM. Unlike other rollups, it adopts the relatively unpopular STARK proof system to build a virtual machine, aiming to solve the challenge that rollup is difficult to support arbitrary logic and transactions, and improve the ability to verify all off-chain transactions.

At present, most of the four solutions are in the development and testing stage, and all will be officially launched this year or next year. Once these new zk solutions are put into use, they will largely resolve the doubts about the backwardness of previous technical solutions and occupy a place among mainstream Layer 2 solutions, bringing more choices for crypto users.
