Polygon refutes Offchain Labs: ZK Rollup is the future of Ethereum scaling
ZK VS Optimistic, the Ethereum scaling debate.Original Author: Brendan Farmer, Polygon Engineer
Original Title: 《ZK and the Future of Ethereum Scaling》
Compilation: Hailsman, Chain Catcher
Last month, Offchain Labs published an article titled 《Why Optimistic Rollup Represents the Future of Ethereum Scaling More Than ZK Rollup?》, comparing the two scaling technologies: ZK Rollups and Optimistic Rollup. On January 19, Polygon's zero-knowledge proof engineer Brendan Farmer responded to the OR community's article, stating a desire for a "friendly debate." Through these two articles, we can more objectively and dialectically compare the advantages and disadvantages of both.
Arbitrum recently published a great article arguing that Optimistic Rollups (OR) represent the future of Ethereum because they offer inherent scalability and cost advantages compared to ZK Rollups (ZKR). The article is well-written and worth a read.
In the spirit of friendly debate, we would like to present a different viewpoint. Polygon has invested $1 billion in ZK, which is enough to show that we firmly believe it is the most promising path for Ethereum scaling solutions.
While Optimistic Rollups have the advantage of being "ready," ZK scaling solutions also have two structural advantages:
- ZK Rollups support scaling using both on-chain and off-chain data models, the latter providing higher throughput and lower fees than any Rollup;
- Users can interact without delays during the bridging process with Ethereum and do not rely on liquidity providers.
One thing was clear in 2021: different users prefer to make different trade-offs between security and transaction costs, partly due to Polygon's rapid growth. Optimistic Rollups provide security, but transaction fees are much higher than sidechains or alt-L1s.
ZK does not require users to make specific trade-offs between security and cost. When users choose the rollup model, ZK offers equivalent security and higher capital efficiency compared to Optimistic rollup. When data is off-chain, ZK provides higher scalability and security than sidechains and alt-L1s, with the same fees.
We believe that ZK's scalability, low cost, and capital efficiency will be the best choice for scaling Ethereum to a billion users.
Overview of Rollups
Rollups are a method of scaling Ethereum by executing transactions off-chain while having Ethereum guarantee the validity of each transaction. In practice, we can deposit funds into a smart contract and interact with those funds at a low cost during aggregation, ensuring our funds are as secure as trading on Ethereum.
This is feasible because rollups use Ethereum for data availability and transaction validation. All the data required to restore the latest state of the rollup and add new transactions is published to Ethereum, and transactions are verified through fraud or validity proofs.
The anti-fraud mechanism used in OR requires funds to be locked during a dispute period (currently, Arbitrum and Optimism lock for one week). If an invalid transaction is included in the rollup, anyone can submit a fraud proof during the dispute period to revert it. In contrast, ZK rollups include a validity proof that cryptographically guarantees all transactions are valid, eliminating the need for any delays.
State of ZK
First, it should be acknowledged that ZK rollups have not yet reached a level of widespread adoption. We are still waiting for ZK rollups that support general smart contracts to go into production, and the proof systems currently in use are still relatively inefficient.
However, looking to the future, ZK cryptography is developing at an incredible pace. Recursive proofs are an important primitive for scalable and decentralized ZK rollups, which were only theoretical a decade ago. Two years ago, generating a recursive proof took two minutes. But today, thanks to plonky2, a groundbreaking proof system created by the Polygon Zero team, we can measure proof times in milliseconds. Generating a recursive proof on a laptop takes only 170ms, and we expect proof times and costs to continue to decrease.
Arbitrum's article argues that proof generation incurs significant costs, which will be borne by users due to the thousands of expensive elliptic curve operations involved, necessitating massive parallel recognition or expensive hardware. However, plonky2 does not use elliptic curves at all, and our benchmarks are performed on laptops.
In fact, the cost of rollups is primarily determined by the cost of CALLDATA. We can see this from Arbitrum's current transaction fees, where the cost of token swaps is about $4. By comparison, even assuming it takes 10 minutes (a relatively high estimate for Polygon Zero) to prove a swap on a c6g.8xlarge instance with 32 cores and 64GB of RAM, the added cost is only $0.18.
Compared to CALLDATA, this is not a particularly large cost, and as we will see, it is offset by other advantages of ZK. Zero-knowledge technology is also rapidly developing, and underestimating zero-knowledge scaling solutions is short-sighted.
Validium
Different users make different trade-offs between cost and security on the blockchain. Millions of people use the Polygon PoS chain for low fees and high throughput, even if transaction validity cannot be guaranteed like in rollups.
We believe that when faced with scaling solutions, millions of users will often choose to keep data off-chain rather than use rollups. Validium (a term invented by Starkware) is similar to ZK-rollup in that it publishes validity proofs to Ethereum to ensure transaction validity, but keeps data off-chain to save on CALLDATA costs. Validium has many benefits:
- No longer limited by CALLDATA block size, allowing for over 100 times the throughput of rollups
- Much lower fees
- Fee volatility should be lower, as Validium consumes much less gas, preventing users from getting caught in bidding wars for rollup block space
ZK scaling opens up the design space for L2 that includes Validium, providing higher throughput than Optimism and ZK rollups, along with cryptographic guarantees that funds will not be stolen.
Hypothetical Attacks on Validium (Complete)
ZK skeptics may note that theoretically, even if validators on Validium cannot directly steal user funds, they could attack users by withholding the latest state of the chain and refusing to process new transactions. Thus, validators could hijack user funds. However, we feel this issue is exaggerated.
First, a "data withholding attack" requires two-thirds of the validators to participate, meaning a large amount of staked assets would be at risk. The attack would cause token prices to crash, reducing the value of the staked tokens held by the attackers and offsetting future fee income. Since validators cannot directly steal user funds, they need to coordinate ransom payments from affected users, making payment uncertain. Additionally, whales may prefer to maintain the rollup model, so attackers would need to successfully extract ransoms from a large number of users to compensate for their stake losses. It is hard to see how such an attack could be profitable in practice.
Further Scalability Advantages
In addition to the significant scalability advantages provided by Validium, ZK rollups are also more scalable than OR because they offer developers options to reduce costs by minimizing CALLDATA usage without sacrificing security. All rollups need to publish the minimum data required to reconstruct the latest state, but OR must publish all the data needed to validate each individual transaction to Ethereum. In contrast, ZKR can publish the minimum state increments for each batch of transactions to Ethereum, only releasing the information necessary to restore the final state of accounts. This is crucial for compressing state updates for contracts like AMM pools.
One response from OR proponents is that this compression effectively hides important chain data, and rollups should provide trustless visibility into the history of each transaction. I believe this argument overlooks an important point: while developers on ZKR can choose to publish uncompressed CALLDATA for a few applications that need it, most applications and users would prefer lower fees, which is a compromise that only ZKR can offer.
Thus, ZK provides scalability advantages for both on-chain and off-chain data availability. If we are to bring Ethereum to a billion people, we must enable users to make trade-offs between cost and security.
Capital Efficiency
OR has a one-week dispute period, which causes withdrawal delays for users wanting to exit the rollup. There are many negative reviews regarding withdrawal delays, including hypothetical review attacks by Ethereum miners or validators lasting a week, which are of course highly implausible.
However, withdrawal delays do lead to capital inefficiency. Early withdrawals are feasible, but market makers cannot completely eliminate capital inefficiency, especially at scale. A week is a long time when facing crypto volatility, and if there is an imbalance between liquidity entering and exiting OR, liquidity providers will need to bear the risk of holding locked funds during the withdrawal period. While liquidity providers will compete to offer low fees for quick withdrawals, they will face significant opportunity costs that must be passed on to users for the locked funds.
In contrast, ZK scaling solutions allow users to withdraw funds while submitting proofs to Ethereum, eliminating the need for liquidity providers and improving capital efficiency. Arbitrum's article claims that ZK rollups only have advantages when bridging to Ethereum L1, but in fact, ZK rollups can also check validity proofs on other chains, ensuring transaction validity and quick withdrawals.
Disadvantages of ZK
ZK rollups do face several disadvantages. The Polygon Hermez team has made remarkable progress on a complete zkEVM rollup, where the execution of EVM bytecode can be directly verified through validity proofs. Other teams focused on compiling Solidity into ZK-friendly bytecode, such as those at Polygon Zero or Polygon Miden, StarkWare, and zkSync, may face challenges when using existing Ethereum developer tools.
But in practice, the behavior of the vast majority of Solidity code should remain the same, as the modifications we make when transitioning from EVM to ZK bytecode do not affect functionality, primarily involving replacing expensive primitives in arithmetic circuits, such as Keccak-256, with primitives that are friendly to arithmetic circuits.
Ultimately, the structural advantages provided by zero-knowledge scaling should provide sufficient incentives to improve and adjust developer tools, making it easier to deploy on ZK L2.
Conclusion
In summary, we believe that zero-knowledge scaling is the future of Ethereum. Optimistic rollups are an amazing technology that provides a direct solution to the high gas fees plaguing Ethereum. However, Optimistic rollups force users to face specific trade-offs, where security comes at the cost of higher fees and capital inefficiency.
In contrast, ZK accommodates more different types of users, whether they are trading in rollup mode, whales insensitive to fees, or users making low-cost transactions in validation mode. ZK provides the best path to bring Ethereum to a billion users.
Moreover, ZK has advantages beyond scalability and capital efficiency. OR is limited by the possibilities on L1, as fraud proofs must be executable on Ethereum. ZK does not have this limitation and can utilize different signature schemes (does anyone think of the P-256 curve used in Apple Secure Enclave?) and primitives not supported by L1. Users can conduct private batch transactions on L2 to obtain L1 liquidity at a lower cost, which is a method pioneered by Aztec.
