Detailed Explanation of Polygon's Full-Stack zk Scaling Solutions: Hermez, Nightfall, Miden, and Zero

Author: Pedro, Author of Polygon DAO

Organizer: Hailsman, Chain Catcher

For a long time, the focus of the Ethereum L2 debate has been dominated by ZK Rollup and Optimistic Rollup. Due to OP's EVM compatibility and more mature technology, it is easier for project developers to adopt, making OP more common and mainstream at present. According to L2BAET data, only three projects using OP solutions—Arbitrum, Optimism, and Metis—account for 70.8% of the L2 market share. In contrast, ZK Rollup has a lower adoption rate and market share due to higher development difficulty and slower technological progress.

As the Ethereum scaling solution with the highest total locked value, Polygon is firmly betting on zk technology for the future of scaling. Last year, Polygon made a significant acquisition of Hermez and Mir, committing $1 billion to zk scaling.

Now, Polygon has a "full suite" of zk scaling solutions, namely Hermez, Nightfall, Miden, and Zero. Although all four scaling solutions are built on zk technology, each has its own strengths and strategies. So, what are the specific technical characteristics and development progress of these four solutions? Which one is more likely to emerge first?

In this article, we will discuss these four zk solutions in detail, including their development history, operational mechanisms, and development progress. The following content is organized from a series of Medium articles on Polygon research by Pedro, a columnist for Polygon DAO, with appropriate simplifications and clarifications made by Chain Catcher.

1. Polygon Zero

Polygon Zero is a ZK L2 solution supported by the fastest and most efficient recursive proof system, Plonky2. Originally the Mir protocol, it was built by Predicate Labs, founded by Brendan Farmer and Daniel Lubarov, in 2019. The characteristic of the Mir protocol is that it generates recursive ZKP (zk-proof) verification during the execution of the program. In simple terms, recursive proof is like a proof of the proof generated. It is used to verify whether a set of transaction proofs is valid.

Recursive proof is a very young technology, first introduced theoretically in 2014. In 2019, Mir was able to generate recursive proofs in 2 minutes, which is obviously not short and lacks scalability.

In 2020, due to the exploration by the Aztec team, Mir achieved a significant breakthrough, generating recursive proofs in 60 seconds. Based on this, the Mir team developed Plonky, allowing the Mir protocol to generate recursive proofs in 15 seconds.

In December 2021, Polygon acquired Mir for $400 million, and the protocol was renamed Polygon Zero. The initial idea of Mir building an independent L1 chain using zk technology transformed into building a distributed zk-rollup on Polygon.

In January of this year, Polygon Zero released Plonky2, a technology that can generate recursive proofs on a MacBook Pro in less than 170 milliseconds. This is the fastest recursive proof ever. The breakthrough in recursive proof technology will also serve Polygon Zero—Plonky2 will support the most scalable zkEVM.

1. Plonky2

Plonky2 is an iteration of Plonky1, which, as mentioned earlier, is built on the verification system developed by Aztec in 2020.

A common point among these three is Plonk, so we need to understand what Plonk is first.

ZKP refers to generating a proof of the validity of a computation without revealing related information. Therefore, no information is leaked; only evidence is generated.

The two main ZKP types are SNARK and STARK (As these two proof systems will be repeatedly mentioned below, Chain Catcher has added a detailed comparison of the two here). The main differences between them include: SNARK relies on elliptic curves for security, while STARK relies on hash functions for security, using hash functions means quantum resistance.

Comparison of SNARK and STARK, Source: Consensys Official Website

SNARK has a smaller proof size, which means less on-chain data storage and lower gas fees for end users. Although SNARK is more developer-friendly, STARK offers some unique advantages, such as being more transparent, not requiring trusted setups, and being "quantum-safe," which has greater potential in the future. These advantages have led Vitalik to describe STARK as "a newer, shinier" technology.

However, since SNARK was proposed and put into use as early as 2012, while STARK was proposed in 2018, SNARK has a significant first-mover advantage in adoption. Currently, Z-Cash, Loopring Protocol, and JPMorgan have adopted SNARK technology, and due to its widespread adoption, SNARK has more published code, developer libraries, projects, and developers. But STARK, as a rising star, is also being adopted by more projects due to its unique advantages.

Plonk is the name of a proof system, which belongs to a type of SNARK proof system.

Next, I will analyze several different types of solutions that combine with Plonk:

Aztec uses Plonk + KZG with a recursive proof time of 60 seconds;

Plonky1 uses Plonk + Halo, with a recursive proof time of 15 seconds. Halo was first introduced by Zcash in 2019 and is the first recursive proof scheme that does not require a trusted setup. However, the drawback of Halo is that it is incompatible with Ethereum, which is why Mir initially wanted to build an independent L1 chain;

Plonky2 uses Plonk + FRI, with a recursive proof time of 170 milliseconds. In 2021, Daniel Lubarov, head of Polygon Zero, proposed combining FRI with Plonk.

FRI is a scheme used for STARK, which means that by using FRI, Plonk becomes STARK (Plonk was originally a type of SNARK), also meaning increased transparency of the system. At that time, only one project (Fractal) had implemented recursive FRI proof, and the proof time of that protocol was about 10 minutes and not scalable.

To ensure speed, Polygon Zero adopted the first version of Plonky and replaced Halo with FRI. As shown in the chart above, the proof speed of FRI is "variable"; the less data submitted, the faster the proof obtained. However, the less data, the lower the security.

2. What is Plonky2 building?

As mentioned earlier, Polygon Zero ultimately aims to build the most scalable zkEVM supported by Plonky2.

That is, each zk-rollup needs a zkEVM to truly handle computations. The zkEVM for the zk-rollup used by Polygon Zero will be supported by Plonky2, which is currently the most efficient and fastest zk proof system.

Developers will be able to deploy smart contracts on Polygon Zero, leveraging both Polygon's high performance and Ethereum's security. According to one of the founders, this L2 will allow the construction of applications with more operations and functionalities.

3. Differences between Polygon Zero and Starkware

Most rollups, including Starkware, will package transactions and generate a proof that each transaction in that package is valid.

Polygon Zero uses recursive proofs, so each transaction simultaneously generates a set of very fast proofs. These individual transaction proofs are then bundled together to create a larger proof, which verifies the validity of other proofs.

This means that Polygon Zero can achieve horizontal scaling. Therefore, if there are a bunch of machines generating these transaction proofs in parallel, adding more machines (e.g., MacBooks) can prove more transactions. By using recursive proofs, it can scale to more transactions without incurring time delays.

Polygon Zero Related Data

2. Polygon Hermez

Five years ago, three MBA colleagues—Jordi Baylina, David Schwartz, and Antoni Martin—founded a company called Iden3, where their first project was a self-sovereign identity solution, which at that time was referred to as "Self Sovereign ID" (SSI), a concept similar to the currently popular decentralized identity (DID).

However, during the development of the SSI project, the three gradually realized that to make SSI mainstream, existing blockchains must first achieve sufficient scalability. After that, they decided to pivot to the new project, Hermez.

Hermez is a decentralized L2 rollup solution based on zk technology. Hermez 1.0 is the currently operational payment platform that allows users to transfer any registered ERC-20 token from one Hermez account to another through a simple web or mobile interface. Last July, the team announced the development of zkEVM, Hermez 2.0, which will bring a fully compatible zkEVM to Ethereum upon completion.

Last August, Polygon announced the acquisition of Hermez for $250 million. The new project will be named Polygon Hermez, merging the tokens MATIC and HEZ of the two projects, and the 26 employees of Hermez will join Polygon's 80-person team.

1. Hermez 1.0

Hermez initially started as a zk-rollup focused on scaling payments and token transfers on Ethereum.

Rollup refers to packaging a batch of transactions (thousands) and executing them off-chain at once. When these thousands of transactions are executed off-chain, in the case of Hermez, a zk-SNARK is generated. The SNARK proves the validity of each transaction in the batch, which is then verified by Ethereum (SNARK), rather than individual transactions.

Compared to Optimistic rollups, zk rollups can take effect immediately, allowing for instant withdrawals, while Optimistic rollups must wait 7 days. This ability to efficiently verify proofs in constant time is at the core of all zk rollups.

Hermez has a processing speed of 2000 TPS. According to the Hermez team, the processing speed will be significantly improved in the future.

Three different types of transactions can be conducted on Hermez:

Deposits: Sending any registered ERC-20 token from L1 Ethereum to L2 Hermez. Deposits require paying Ethereum gas fees.

Transfers: Sending any registered ERC-20 token from one Hermez account to another Hermez account. Such transfer transactions are very cheap and instant.

Withdrawals: Sending ERC-20 tokens from L2 Hermez back to L1 Ethereum. Withdrawals require paying Ethereum gas fees.

One point to note during withdrawals is that Hermez provides a protection mechanism called "forced withdrawal," allowing users to transfer funds from L2 Hermez back to L1 Ethereum at any time, even if the coordinator attempts to act maliciously.

Coordinators and Donation Proofs

Coordinators are the block producers in the Hermez version. These individuals prove the validity of off-chain transactions by generating zk-proofs.

Coordinators are the ones who bundle transactions; they aggregate all transaction requests into a unit, executing thousands of transactions per rollup, then generating zk-proofs, which are verified by smart contracts on Ethereum.

Hermez is decentralized because anyone can become a coordinator and earn rewards through their services. There can be any number of coordinators on the network simultaneously, but only one can actually process transactions and earn rewards within any given time period (10 minutes long).

The Hermez network selects the next coordinator through an auction process. Essentially, anyone can bid using MATIC tokens, and the highest bidder wins the right to process as many transactions as possible within 10 minutes until the next coordinator is chosen. This is a very efficient process because it requires coordinators to conduct as many transactions as possible within this 10 minutes to ensure that the rewards exceed their bids.

If a coordinator fails to win the bid, the MATIC tokens will be returned to the original wallet, while the funds from successful bids will have the following three uses:

• 30% permanently destroyed
• 40% allocated to a donation account managed by the Ethereum Foundation
• 30% used for network incentives to help promote further adoption of the Hermez network.

It is worth mentioning that Hermez supports atomic transactions. Atomic transactions are a series of indivisible transactions that either all occur or none occur. For example, if Alice wants to send Bob 1000 DAI in exchange for 1 ETH, in an atomic transaction, both parties must send tokens to each other for the transaction to succeed; if one step is missing, the transaction will fail. Therefore, this transaction method effectively prevents fraud.

2. Hermez 2.0

Last July, during the EthCC 4 conference, the Hermez team announced that they were developing zkEVM, i.e., Hermez 2.0.

We all know that the key point for the current L2 to adopt Optimism while ZK has not truly taken off is that zk cannot yet achieve EVM compatibility. Therefore, zkEVM aims to solve this problem by running smart contracts on zk-rollups.

Currently, many projects are also developing zkEVMs, and within the Polygon ecosystem, there are two solutions: Polygon Zero and Polygon Hermez. However, each project is addressing this issue in different ways, and each has its own trade-offs.

Hermez's feature is that it can be compatible with Ethereum in terms of tools, ecosystem, and security. This means that ideally, smart contracts running on Ethereum can run on L2 Hermez, providing developers with a frictionless experience. Optimism and Arbitrum attracted a batch of projects and users to migrate as soon as they launched. It is not hard to imagine that when zk-rollups mature, they will generate even stronger network effects.

Hermez founder Antoni Martin describes zkEVM: "If you leverage the best parts of each solution, you can create the best car…" Therefore, Hermez is developing zkEVM by simultaneously adopting both SNARKS and STARKS ZKP solutions, striving for the best of both worlds.

Specifically, when Hermez processes transactions and generates new blocks off-chain, it will generate a STARK proof to prove that these transactions are valid. The problem with STARK proofs is that the cost of verifying them on-chain (Ethereum) is very high, while SNARK comes into play at this point, as it only needs to verify the validity of the STARK proof on Ethereum.

If you want to delve deeper into the architecture of this zkEVM, you can click here to view the Hermez 2.0 development documentation.

Hermez 2.0 (zkEVM) Features

The above image shows the different features offered by Hermez zkEVM. Of course, 2.0 is still in development, and according to the roadmap for the mainnet release of 2.0, Hermez 2.0 is planned to launch a public test network in the first quarter of this year, with the mainnet expected to go live in the second quarter. Another key point is that Hermez 2.0 is developing a permissionless cross-chain bridge that allows users to transfer assets from Hermez L2 to other L2s.

3. Polygon Nightfall

Last September, Polygon partnered with global professional services and technology company Ernst & Young (EY) and subsequently released Polygon Nightfall.

EY announced the initial version of Nightfall in 2019, and what sets it apart from other zk solutions is that Nightfall is a privacy-focused rollup, which EY positions as "one of the most prominent privacy solutions on Ethereum." Specifically, every transaction on Nightfall includes privacy, meaning that if Alice sends an asset to Bob, others will not be able to see what the asset is, how much value it contains, or where it went.

The emphasis on transaction privacy is because EY's target customers are enterprises. Initially, Nightfall attempted to build the first enterprise-grade blockchain directly on Ethereum, but later found that having privacy on the Ethereum mainnet was too costly, so it pivoted to L2 and ultimately chose to collaborate with Polygon.

The collaboration between the two resulted in Polygon Nightfall, which is the 3.0 version of Nightfall after multiple iterations. Its most prominent feature is effectively combining the core concept of Optimistic Rollup with the commonly used zero-knowledge (ZK) cryptography in ZK-Rollups, thus achieving a fusion of scalability and privacy.

Polygon Nightfall is currently in the testnet phase, with the mainnet expected to launch this year.

1. How does Nightfall work?

Polygon Nightfall is essentially an Optimistic Rollup that uses zk cryptography to protect privacy. The focus of the collaboration between Polygon and EY is to use Nightfall technology to build an industrial chain, enabling enterprises to connect to L1 with predictable low fees and under regulatory guidance.

The following diagram illustrates the specific operational mechanism of Nightfall:

We can currently attribute the bottleneck of scalability to "state," as the cost of storing data on-chain is high. Therefore, the goal of scaling solutions is to continuously reduce the amount of data stored on-chain. Nightfall adopts the lower-cost Optimistic rollup to reduce storage.

Typically, using Optimistic rollup solutions involves a 7-day challenge period, meaning that withdrawing from L2 to the Ethereum mainnet requires a 7-day wait. However, Nightfall improves this by providing users with an "instant exit" option. The way it works is that liquidity providers swap positions with users for that transaction, advancing the funds needed for the user’s instant withdrawal and occupying that position during the 7-day waiting period.

Nightfall aims for transactions to have privacy. Therefore, on Optimistic Rollup, Nightfall adds an additional zk privacy layer to ensure the confidentiality of transactions.

Nightfall vs. Aztec

The above image shows two different approaches to enabling privacy. On the left, Polygon Nightfall uses zk cryptography with Optimistic rollup, while on the right, Aztec uses zk rollup and zk cryptography. I believe the ideal solution is a zk/zk approach similar to Aztec, but currently, this solution is too costly. Therefore, to some extent, Nightfall is more like a compromise solution that can be put into use immediately. Once zk costs are resolved, the Nightfall team will ultimately switch to a zk/zk solution.

The following diagram illustrates the architecture of Nightfall:

2. Specific Use Cases

• Financial enterprises and institutional investors: Nightfall's unique privacy creates a huge opportunity for portfolio management companies that wish to keep transactions and swaps confidential.
• Providing supply chain traceability for enterprises: Enterprises can use Nightfall to process supplies, execute sales orders, make private payments, etc. Currently, a brewery is using EY's Nightfall supply chain for traceable transactions, allowing enterprises to easily track how much beer there is, where it is, and the quantity transported. Additionally, a pharmaceutical company is using Nightfall to mint each product on its production line as an NFT, generating about 60,000 NFTs daily.
• ESG: ESG ratings assess companies in terms of Environmental, Social, and Governance factors, judging whether a company has sustainable value from a long-term perspective. Currently, some platforms are using Nightfall technology to allow users to donate to a charity without revealing the exact charity, ensuring the confidentiality of fund usage. Moreover, by adding the charity's supply chain on-chain, the public can monitor the charity's progress and where the funds go.

4. Polygon Miden

Last November, Polygon announced the launch of the Miden scaling solution based on zk-STARKs. This project is led by a former core zero-knowledge proof researcher at Facebook who previously led the development of Winterfell technology.

Polygon Miden is a zk rollup based on STARK. The feature of Polygon Miden is that it aims to solve the challenge of rollups having difficulty supporting arbitrary logic and transactions. Rollups reduce on-chain data storage by packaging transactions, which can reduce congestion and lower transaction fees, but they struggle to verify any arbitrary transaction within the transaction package, affecting their ability to verify all off-chain transactions. Polygon Miden addresses one of the biggest challenges facing today's zk rollups by using the Miden VM (virtual machine).

The core components of the Polygon Miden framework are two: Distaff VM and Winterfell.

Distaff VM is a zk-EVM. Whenever a program is executed in the zk-VM, a zk execution proof (zk-proof of execution) is generated to verify whether the program runs correctly without actually running the program. Distaff is a STARK-based virtual machine.

For any program executed on the Distaff VM, a STARK-based execution proof is automatically generated. Then, anyone can use this proof to verify whether the program executed correctly without re-executing the program or even knowing what the program is.

Miden VM adopts Distaff VM and adds a more efficient proof system—Winterfell. Winterfell is a fully functional multi-threaded STARK prover and verifier for arbitrary computations. Essentially, it is a higher-performance latest version of STARK proof.

Once developed, any project can deploy smart contracts on this zk-rollup.

What sets Miden apart from other projects is that it generates STARK proofs. Although using STARK proofs is more expensive, it is relatively more secure. The founder of Miden also plans to further research recursive STARK proofs to reduce their costs.

1. Miden's Architecture

• Transactions are first distributed to the execution nodes of Miden;
• These execution nodes bundle 5000 transactions into a block at a time and generate a STARK proof;
• Every 200 transactions bundled into a block generate a STARK proof to prove the validity of the transactions;
• Finally, the final STARK proof result is uploaded to L1 Ethereum for consensus and determinacy.

2. Highlights of Miden VM:

• Developer-friendly: Miden aims to allow developers to run smart contracts on this zkVM without needing to learn anything about cryptography or zk proofs.
• Supports multiple programming languages: The team is working to increase support for multiple programming languages while prioritizing Solidity.
• Security-focused: Miden VM is made more secure than EVM itself through zk technology.
• Privacy-focused: Although this is not the current focus, the Miden team has deployed relevant development plans in the roadmap.

According to information released on the official website, Miden is expected to launch in the first quarter of 2023.

Conclusion:

Finally, let's quickly compare the four zk scaling solutions from Polygon:

Polygon Zero has developed a SNARK-based recursive proof system, Plonky2, which can generate recursive proofs on a MacBook Pro in less than 170 milliseconds. On such an efficient and fast Plonky2 proof system, Polygon Zero will ultimately develop the most scalable zkEVM.

Hermez's zk rollup is characterized by selecting coordinators through auctions during the transaction process. The successful bidding coordinators will conduct as many transactions as possible within a unit of time to profit, so this competitive mechanism will bring efficiency to transactions. Additionally, Hermez is also developing zkEVM and is simultaneously adopting both SNARK and STARK ZKP solutions, striving for the best of both worlds.

Nightfall is more special; what sets it apart from other zk solutions is that Nightfall is a privacy-focused rollup targeting enterprises. Moreover, Nightfall effectively combines the core concept of Optimistic Rollup with the commonly used zero-knowledge (ZK) cryptography in ZK-Rollups, achieving a fusion of scalability and privacy.

Miden's core product is Miden VM, which differs from other rollups in that it uses the relatively obscure STARK proof system to build the virtual machine, aiming to solve the challenge of rollups having difficulty supporting arbitrary logic and transactions, thus improving the ability to verify all off-chain transactions.

Currently, all four solutions are in various stages of development and testing, and are expected to officially launch this year or next. With the deployment of these new zk solutions, Layer 2 will largely address previous criticisms of technological lag and secure a place among mainstream Layer 2 solutions, providing more options for crypto users.