zkEVM: The Future of Ethereum Scaling
The core idea of zkEVM is to use zero-knowledge proofs to verify and execute smart contracts without requiring every node to perform all the computations.Author: Bl ockchain Academy, Geekcartel
Background and Significance of zkEVM
Ethereum is a decentralized computing platform that allows developers to build distributed applications and smart contracts. However, due to the limitations of the Ethereum network, including throughput limitations and high fees, the scalability and performance of these applications are constrained.
To address these issues, the Ethereum community has developed many layer two solutions, including zkEVM. zkEVM is a zero-knowledge proof-based Ethereum virtual machine that can increase the throughput of the Ethereum network and reduce transaction fees without sacrificing decentralization and security.
The core idea of zkEVM is to use zero-knowledge proofs to verify and execute smart contracts without requiring every node to perform all computations. Instead, only the proof verifier needs to perform the calculations and then broadcast the verification results to other nodes in the network. This significantly reduces network load and execution costs while improving the throughput and performance of the network.
Zero-knowledge proofs (ZKP) demonstrate significant application value in saving redundant computations, compressing on-chain space, and protecting user privacy. Several common implementations of zero-knowledge proofs include zk-SNARK, zk-STARK, PLONK, and Bulletproofs.
Among them, zk-SNARK is a succinct non-interactive zero-knowledge proof that achieves the goal of protecting user privacy while saving computational overhead and interaction rounds by compressing the amount of proof data generated to a level smaller than the actual proof data, allowing the prover to send a simple message to the verifier to complete the verification. On the other hand, zk-STARK is a scalable transparent zero-knowledge proof that, compared to zk-SNARK, allows developers to shift computation and storage off-chain to improve scalability, offering greater scalability in terms of computation speed and size, while also being resistant to quantum computer attacks.
zkEVM as a New Solution
zkEVM can protect transaction privacy and integrity without sacrificing performance and decentralization. It utilizes zero-knowledge proofs to verify and execute smart contracts, where only the proof verifier needs to perform calculations, significantly reducing network load and execution costs. Additionally, the implementation of zkEVM can fully leverage the existing infrastructure and ecosystem of the Ethereum network, making it easy to integrate into existing Ethereum applications.
Basic Principles and Design of zkEVM
zkEVM is part of zkRoll-up, which is a layer 2 scaling solution for Ethereum that improves throughput by shifting computation and state storage off-chain. ZK-rollup submits transaction data to Ethereum along with zero-knowledge proofs that validate the correctness of off-chain transaction batches.
Early ZK-rollups lacked the capability to execute smart contracts and were limited to simple token exchanges and payments. However, with the introduction of zero-knowledge virtual machines compatible with EVM, ZK-rollups began to support Ethereum dApps.
The basic principle of zkEVM is to use zero-knowledge proofs to verify the results of smart contract execution, ensuring transaction privacy and integrity. Unlike the traditional Ethereum network, the process of verifying and executing smart contracts in zkEVM is separated, meaning that verifiers only need to verify the zero-knowledge proofs without actually executing the smart contracts. The following are the basic designs of zkEVM:
1. Zero-Knowledge Proof Generator: Users of zkEVM need to use a zero-knowledge proof generator to produce zero-knowledge proofs. The purpose of this generator is to prove the correctness and legality of transactions, including transaction signatures, inputs, and outputs.
2. Zero-Knowledge Proof Verifier: Verifiers in zkEVM need to use a zero-knowledge proof verifier to validate the zero-knowledge proofs generated by users. The verifier needs to check the correctness of the proof, including the proof's format, data integrity, and logical correctness.
3. Smart Contract Executor: The smart contract executor in zkEVM is an offline computation process, meaning that calculations can be performed offline. The executor uses the input and the bytecode of the smart contract to compute the output and returns the output as the computation result to the zero-knowledge proof generator.
4. Privacy Protection: zkEVM uses zero-knowledge proofs to protect the privacy and integrity of transactions, where the proof only needs to demonstrate the correctness of the computation without exposing detailed information about the inputs and outputs.
Through this design, zkEVM can effectively protect the privacy and integrity of transactions while maintaining efficiency and scalability. It can bring higher throughput, lower transaction fees, and faster confirmation times to the Ethereum network without compromising decentralization and performance.
Technical Implementation of zkEVM
The technical implementation of zkEVM in the Ethereum layer 2 network includes transaction verification and data verification.
Transaction Verification
Transaction verification refers to validating the correctness and legality of transactions, including verifying transaction signatures, inputs, and outputs. In zkEVM, transaction verification is implemented using zero-knowledge proof technology, with the specific implementation process as follows:
(1) Generating Proof: Users of zkEVM use the zk-SNARKs algorithm to generate zero-knowledge proofs for transactions, proving the correctness and legality of the transactions, which typically include transaction signatures, inputs, outputs, etc.
(2) Verifying Proof: Verifiers in zkEVM use verifiers to validate the zero-knowledge proofs generated by users, checking the correctness of the proof. During the verification process, verifiers only need to verify the correctness of the proof without exposing specific transaction information, thus protecting transaction privacy. Additionally, since zkEVM uses zero-knowledge proof technology, verifiers cannot access the input and output information of the transaction.
Data Verification
Data verification refers to validating the correctness and integrity of the data stored in the Ethereum layer 2 network, including verifying block headers, transaction state trees, storage state trees, etc. In zkEVM, data verification is implemented using a Merkle tree structure, with the specific implementation process as follows:
(1) Building the Merkle Tree: zkEVM adopts a data storage structure based on Merkle trees in the Ethereum layer 2 network, encoding transaction and state information as leaf nodes and generating and storing the Merkle tree in the tree, enabling fast querying and verification of transaction and state information.
(2) Verifying the Merkle Tree: During the verification of the Merkle tree, zkEVM needs to verify the correctness of the Merkle tree's root hash and leaf node hashes. Due to the efficient verification performance of Merkle trees, zkEVM can quickly verify the correctness and integrity of the data stored in the Ethereum layer 2 network.
Through transaction verification and data verification, zkEVM ensures the correctness, privacy, and integrity of transactions in the Ethereum layer 2 network, achieving an efficient, decentralized, and scalable Ethereum layer 2 network.
Equivalence of zkEVM
zkEVM can mimic the same transaction execution environment as the Ethereum mainnet, but its EVM equivalence level differs from that of the traditional EVM, mainly divided into language-level equivalence, bytecode-level equivalence, consensus-level equivalence, and full equivalence.
Language-level equivalence zkEVM can translate EVM-friendly programming languages (such as Solidity) into a custom language optimized for generating zero-knowledge proofs, thus achieving language-level compatibility with EVM. However, this type of zkEVM is the most limited in providing users and smart contract developers with the same experience of interacting with EVM.
Bytecode-level equivalence zkEVM requires ZK Rollups to interpret EVM bytecode compiled from higher-level languages (such as Solidity) and mimic the same high-level programming languages and low-level bytecode as EVM, achieving deeper compatibility. These types of zkEVM are more complex to build and require more advanced engineering design, but they are compatible with EVM-based applications and tools.
Consensus-level equivalence zkEVM can achieve the highest native compatibility with EVM, where the idea is that cryptographic proofs generated by zkEVM can be accepted by EVM without any verification.
Full equivalence zkEVM requires complete compatibility with EVM in all aspects, which often leads to the creation of inefficient and costly ZK systems. Therefore, trade-offs between cost and efficiency are usually necessary. Currently, there are two bytecode-compatible zkEVMs, namely Polygon zkEVM and Scroll zkEVM, which achieve bytecode-level equivalence to varying degrees, but over time, these implementations are striving towards full compatibility.
Structure of zkEVM
zkEVM is a scalability solution based on zero-knowledge proofs that migrates the execution and verification of smart contracts to the L2 chain, achieving higher transaction throughput and lower transaction costs. zkEVM consists of three parts: execution environment, proof circuit, and verifier contract.
The execution environment is similar to the Ethereum Virtual Machine (EVM) and is responsible for executing smart contracts in zkEVM, calculating the new final state based on the initial state and current transactions.
The proof circuit is used to generate zero-knowledge proofs that verify the validity of transactions computed in the execution environment. The proof generation process is completed using the previous state, transaction inputs, and post-state information as inputs. Subsequently, the prover obtains a succinct proof of the validity of that specific state transition.
The verifier contract is used to receive submitted validity proofs and confirm that the inputs and outputs are correctly computed. It is deployed on the L1 chain and integrated with zk-rollups to ensure the security and reliability of zkEVM.
zkEVM opcodes are low-level machine instructions used to execute programs in EVM-compatible zk-rollups. Like EVM, contracts written in high-level languages must be compiled into low-level languages (bytecode) that the virtual machine can interpret. When deploying programs in the virtual machine, this bytecode specifies the opcodes required for executing the program.
To make the opcodes more suitable for use in zero-knowledge proof circuits, there are two common approaches. The first method is to establish zero-knowledge circuits for native EVM opcodes, which requires implementing all EVM instruction sets in arithmetic circuits, a complex and time-consuming task. The second method is to create new languages and custom opcodes for zero-knowledge proof computations, allowing developers to write contracts directly in the new language or compile Solidity source code into custom zkEVM opcodes. Although the second method is generally easier to implement, it may prevent developers from accessing existing Ethereum infrastructure and resources.
Advantages of zkEVM
zkEVM is a privacy protection technology for Ethereum layer 2 networks based on zero-knowledge proof technology, with the following advantages:
1. High Privacy Protection: zkEVM adopts zero-knowledge proof technology to achieve high privacy protection. Specifically, zkEVM realizes the following two aspects of privacy protection through zero-knowledge proof technology:
2. Transaction Privacy Protection: zkEVM processes transaction information off-chain, storing only the verification results of transactions on-chain, thus protecting transaction privacy.
3. Data Privacy Protection: zkEVM encrypts all data and stores it in off-chain zkSNARKs, only storing the hash values of the data on-chain, thereby protecting data privacy.
4. High Security: zkEVM employs zero-knowledge proof technology to achieve high security. Specifically, zkEVM uses zkSNARKs to verify transactions and data, employing a custodial model to manage data and private keys, ensuring the security of transactions and data. Additionally, zkEVM utilizes multi-party secure computation technology and key isolation techniques to prevent attacks and data leaks.
5. Efficient Transaction Speed and Throughput: zkEVM moves transaction computation and data storage off-chain, thereby improving transaction speed and throughput. Specifically, zkEVM uses distributed computing and storage technologies, allowing transaction computation and data storage to occur across multiple nodes, and employs zkSNARK technology to achieve efficient verification and authentication, enabling efficient transaction processing.
6. High Compatibility and Scalability: According to protocol rules, all verification nodes must re-execute all computations in the Ethereum virtual machine to ensure that Ethereum nodes can independently verify the correctness of the program. However, this method limits the scalability of the Ethereum network, as it can only handle about 15-20 transactions.
ZK-rollups compatible with EVM can solve Ethereum's throughput issues without compromising network security. Like other scaling protocols, ZK-rollups are not burdened by Ethereum consensus protocol rules and can optimize execution speed. Some estimates suggest that ZK-rollups can process about 2000 transactions per second without incurring high Ethereum fees.
7. Faster Finality and Capital Efficiency: ZK-rollup has another advantage over op-rollup, which is faster finality. In blockchain, finality refers to the time required for a transaction to become irreversible, which can only be finalized when network participants have objective evidence proving the validity of the transaction.
With ZK-rollups, transactions executed in zkEVM are typically completed immediately after being published to Ethereum. Since each transaction batch comes with an instantly verifiable validity proof, the Ethereum main chain can quickly apply state updates.
In contrast, optimistic rollups only publish VM transactions without proofs, thus requiring a challenge period for transactions to achieve finality. The challenge period generally lasts 1-2 weeks, during which anyone can challenge the transaction after it has been submitted to Ethereum. Slower finality can negatively impact user experience. For example, users cannot withdraw assets from the rollup until the delay period expires. While liquidity providers may address this issue, it could be invalid if the withdrawal involves high-value assets or even NFTs.
In comparison, zkEVM does not have the above issues. Faster finality is particularly suitable for advanced users, such as NFT traders, DeFi investors, or arbitrage traders who need to move assets seamlessly (especially between L1 and L2).
Challenges of zkEVM
The main difficulties in building zkEVM arise from the fact that the original design of the EVM virtual machine did not consider zero-knowledge computation. Some characteristics resulting from this are not very friendly for the design of proof circuits, mainly including the following four aspects:
- Special Opcodes
- The EVM uses special opcodes in operations such as program execution and error handling, such as CALL, DELEGATECALL, REVERT, and INVALID, which complicate the design of proof circuits.
- Stack-Based Architecture
- The stack-based structure used by EVM, while simpler than a register-based structure, increases the difficulty of proof computation. To address this, some well-known zkVMs, such as ZkSync and StarkWare's StarkNet, choose to use a register-based model to implement zkEVM.
- Storage Overhead
- The storage layout of EVM relies on the Keccak function and Merkle Patricia Trie, both of which have high proof overhead. To avoid this issue, some zkVMs, such as ZkSync, attempt to solve it by replacing the Keccak 256 function, but this may compromise compatibility with existing Ethereum tools and infrastructure.
- Proof Cost
- Even if the above issues are resolved, building zkEVM still requires addressing the proof generation process, which necessitates specialized hardware and incurs significant time, money, and energy costs.
These challenging factors hinder the establishment of zkEVM compatible with EVM. However, with continuous breakthroughs in zero-knowledge technology, the impact of these issues can be alleviated to some extent, rekindling interest in zkEVM solutions.
zkEVM Track Projects
The following is a comparison of different types of zkEVM protocols and their working principles.
Polygon zkEVM
Polygon Hermez is a zero-knowledge virtual machine based on Polygon ZK-rollup, designed to support EVM compatibility. It compiles EVM bytecode into micro-operations and executes them in uVM, using SNARK and STARK proofs to verify the correctness of program execution. Polygon Hermez zkEVM uses STARK proof circuits to generate validity proofs for state transitions, which are then submitted to Ethereum for verification. The combination of STARK and SNARK proofs allows for faster generation of STARK proofs while reducing the verification cost of SNARK proofs.
zkSync zkEVM
zkSync is an EVM-compatible ZK-rollup developed and supported by Matter Labs. It compiles contracts written in Solidity into an intermediate language called Yul and then recompiles it into a custom, circuit-compatible bytecode set designed for zkSync's zkEVM. Similar to Polygon Hermez, zkSync zkEVM achieves EVM compatibility at the language level rather than the bytecode level. For example, zkSync's zkEVM does not support traditional addition opcodes (ADDMOD, SMOD, MULMOD).
Scroll zkEVM
Scroll is a new zero-knowledge EVM implementation currently under development. The Scroll team plans to design zero-knowledge circuits for each EVM opcode. This will allow developers to deploy Ethereum-native smart contracts on Scroll without modifying the underlying EVM bytecode. Additionally, Scroll zkEVM will use cryptographic accumulators to verify the correctness of stored data and provide a circuit that links bytecode with execution traces to verify that computations are consistent with the original bytecode.
ZK Hardware Acceleration
Although the production speed of ZKP is slow and costly, its efficiency will be significantly improved with the proliferation of specialized hardware such as FPGAs and ASICs. As the demand for privacy computing continues to grow, the complexity of ZKP statements will further increase, necessitating the use of specialized hardware to enhance proof generation speed. This will lead to the emergence of a complete ZK mining and proof industry, where enthusiasts can generate proofs on their CPUs or use GPUs and FPGAs.
The performance bottlenecks of ZKPs mainly focus on vector multiplication of numbers (field elements or group elements) and FFT computations. To improve the performance of ZKPs, the following measures can be taken:
Optimize the multiplication of numerical vectors. More efficient algorithms and parallel computing can be used to accelerate the computation of vector products, thereby reducing the time required for proof generation. Additionally, using smaller fields can reduce the size of numerical vectors, further decreasing computation time.
Optimize FFT computations. More efficient FFT algorithms can be employed to speed up calculations, and distributed computing can be utilized to share the computational burden, thus reducing the time required for proof generation. Furthermore, smaller fields and shorter FFT periods can be used to decrease computation time.
Optimize the implementation of proof systems. More efficient compilers and optimizers can be used to generate more efficient code, thereby reducing the time required for proof generation.
Optimize hardware and software environments. Faster computers and optimized operating systems, compilers, and libraries can be used to enhance the performance of proof generation.
Before Ethereum's merge, approximately 27 million graphics cards were working on its network, with computing power peaking at 1.13P in May. Following Ethereum's merge, this computing power will switch to forked chains like ETC. In addition to the vast existing computing power devices like Filecoin (FIL) and AR, ZK proof computation may provide new opportunities for mining hardware.
The main dimensions affecting ZKP proof speed are proof systems, the scale of the circuit to be proven, and algorithmic hardware and software optimizations.
For proof systems, mainstream ZK-SNARK algorithms (Groth16, Galois2, PLONK) use elliptic curve (EC) algorithms to produce polynomial commitments, involving large scalar multiplication (MSM) operations, which are a time-consuming bottleneck in the proof process. In contrast, FRI-based algorithms, such as ZK-Stark, use hash functions to generate polynomial commitments without involving EC algorithms, thus eliminating the need for MSM operations.
The proof system is fundamental, and the scale of the circuit to be proven is also one of the core demands for hardware optimization. For example, zkEVM has different circuit complexities due to its compatibility with native Ethereum. For instance, Zksync and Starkware have built virtual machines different from native Ethereum, thus avoiding issues where some Ethereum-native code is unsuitable for zk processing, reducing circuit complexity; while projects like Scroll and Hermez aim for compatibility with the underlying zkEVM, making their circuit designs more complex. Hardware acceleration is more urgently needed for designing more complex circuits, but this is also a variable issue, which applies to ZK-EVM as well.
In summary, hardware acceleration is one of the keys to implementing ZKP scaling solutions. In the field of hardware acceleration, there are expectations to see the application of Moore's Law in zk hardware acceleration, which will greatly enhance proof speed and accelerate the development of scaling solutions. Additionally, the field of hardware zk acceleration presents opportunities and challenges for new hardware acceleration technologies and business models, which will become a focus area in the future.
Blockchain Academy is an educational platform under Talentre, dedicated to cultivating and developing the next generation of Web3.0 talent. Supported by renowned universities such as the Hong Kong University of Science and Technology, Hong Kong Polytechnic University, the University of Hong Kong, and Chinese University of Hong Kong, as well as leading industry participants like BNB, Fenbushi Capital, and Aptos, Blockchain Academy is the largest Web3.0 GenZ education platform and community in Asia. Students come from over 35 universities, and the academy has impacted over 110,000 GenZ individuals, aiming to leverage platform resources to share knowledge and skills related to Web3.0, bringing the next billion people into Web3.0. Join the Blockchain Academy community to build the Web3.0 world together.
Geekcartel is a venture capital firm focused on investing in early-stage Web3 projects. We are a group of passionate and knowledgeable geeks from diverse professional backgrounds in cryptocurrency. Our mission is to add value to startups by providing practical assistance in technology and operations, including technical solutions, security services, fundraising strategies, and global marketing.
