This article first appeared on Medium.
ZK-Rollup is considered the holy grail of Ethereum Layer 2 scaling solution.
In general, my opinion is that in the short term, optimistic rollups are likely to win for general purpose EVM calculation and ZK rollups are likely to win for simple payments, exchanges and other cases application specific use cases, but in the medium to long term ZK rollups will prevail in all use cases as ZK-SNARK technology improves. — Vitalik
We have implemented the very first ZK-Rollup (ZKR) directly on Bitcoin. Additionally, we show why ZKR performs better on Bitcoin than on Ethereum.
How ZKR works in Ethereum
At its core, ZKR leverages the conciseness of a ZK-SNARK proof: it is much more efficient to verify that a calculation is done correctly than to re-execute it. Instead of processing every transaction on the chain, multiple transactions in a contract are first sent to a coordinator (aka sequencer/relay), instead of miners. The coordinator”rolls”/ bundles them into a single transaction. The transaction contains a brief proof that all these bundled transactions are processed faithfully, changing the contract of state1 at state2and is sent to minors.
Since all the heavy lifting of transaction processing is outsourced off-chain, the blockchain can process more transactions in a given interval and therefore scale. The zkSNARK proof guarantees the correctness of the off-chain state transition, which prevents coordinators from committing an invalid state transition. This makes ZKR an attractive L2 scalability solution because it allows scaling without sacrificing L1 security, unlike many other L2 solutions such as Plasma and Optimistic Rollup.
We use tokens as an example to show how to use ZKR.
Aggregation on Ethereum
There is a Rollup contract on the main chain, which keeps track of a state root. The “state root” is the root of a Merkle tree. Each leaf in the tree is an account consisting of its owner’s public key or address and its properties, such as balance.
In the following example, two deposits are combined into a single transaction.
ZKR on Bitcoin
We have implemented the rollup contract on Bitcoin. It ensures that the current state root is updated to a new correct root after the transaction batch is processed.
The only state tracked is the root of the account tree at line 8. Proof of validity is checked at line 14, using our old zk-SNARK library. The root is updated at line 17. The verification key at line 5 is from the configuration phase of zk-SNARK.
Generate ZKR Proofs
We need to code our transaction processing logic in a zk-SNARK friendly way. A popular language is Circom. Due to lack of space, we do not cover Circom syntax here and instead refer readers to the official Circom website to learn more about it.
Processing a single transaction involves:
- Verify that the sender’s account is in the tree by merkle proof
- Check the sender’s signature
- Update sender balance and verify intermediate merkle root
- Update Receiver Balance
- Update merkle root
We may reuse existing cumulative Circom code such as this.
Here is a detailed explanation of the code above.
The benefit of stacking only appears when multiple transactions are batched together. We can simply add a loop above the above code. The receipt generated is only valid if all the transactions in the batch are valid.
Process multiple transactions
ZKR stores transaction data on-chain at Level 1 (L1) for data availability. The underlying storage cost of L1 puts a cap on ZKR’s scalability gain. Therefore, ZKR performs much better on Bitcoin than on Ethereum, since the storage cost of the former is orders of magnitude cheaper than the latter.
Additionally, because zk-SNARK is universal, once the rollup smart contract is deployed on Bitcoin, many existing ZKR tools designed on other blockchains (like Circom and ZoKrates) can be reused directly in Bitcoin. This means that ZKR can be used to scale applications on Bitcoin today.
Watch: Presentation of the BSV Global Blockchain Convention, Smart Contracts and Computation on BSV
New to Bitcoin? Discover CoinGeek bitcoin for beginners section, the ultimate resource guide to learn more about Bitcoin – as originally envisioned by Satoshi Nakamoto – and blockchain.