As the most active development platform in the blockchain world, the Ethereum network, daily congestion and higher and higher handling fees, make the applications and users in the ecosystem miserable. Recently, the average cost of a single transfer has been as high as US$24.7. If this bad experience is not improved, it will have a negative impact on the development of Ethereum.

Therefore, in recent years, more and more blockchain researchers and developers have devoted themselves to the research of the underlying technology, trying various technical means to improve the state of the entire network. There are technical solutions for Layer-1, such as the sharding technology of ETH 2.0, which improves the block generation efficiency of the network by modifying or optimizing the consensus network of the block chain, thereby speeding up the block confirmation time and achieving the purpose of fast transaction on the chain ; There are also technical solutions for Layer-2. On the premise that the functions of Layer-1 are sufficiently simple and powerful and stable, some calculations and operations originally on Layer-1 are put on the chain to do, and then through cryptography Technology to ensure the accuracy of these off-chain operations.

But from a long-term perspective, the expansion technology solution based on Layer-2 will be more suitable for the healthy development of blockchain

Because the blockchain infrastructure is relatively clear, stable, and easy to maintain, imposing complex logic based on this may make Layer-1 more and more vulnerable. Therefore, the development direction of the blockchain structure should be Layer-1 as much as possible to remain unchanged, unless there is a major change, such as a breakthrough in cryptography, which leads to the modification of the cryptographic primitives used at the bottom. Other complex logic and innovative applications are placed in Layer-2, and Layer-1 and Layer-2 complement each other.

Researchers have gradually discovered this, and therefore, the expansion technology solutions based on Layer-2 are emerging one after another. However, the ideal is full, the reality is very skinny. When the theory needs to be practiced, the developers discovered that there are too many places to weigh the pros and cons in order to achieve expectations. For different application scenarios, they may have to make different compromises.

So far, among the Layer-2 expansion plans, the most discussed are zkRollup, Optimistic Rollup, Validium and Plasma. Here is a picture of Avihu Levy in StarkWare to distinguish them:

**(Comparison of 4 expansion plans for Ethereum)**

The features of these four programs are as follows:

zkRollup: Proposed by a researcher of Ethereum , the feature is that all calculation processes are calculated off-chain and stored on-chain, and the plaintext data involved in the calculation is sent to the on-chain contract in the form of calldata, reducing storage costs, and at the same time, the correctness of off-chain calculations It is guaranteed by the zero-knowledge proof algorithm; it can also be seen that this scheme can indeed greatly increase the TPS and reduce the cost of a single transaction.

Optimistic Rollup: As can be seen from the figure, Optimistic Rollup and zkRollup are located in the same row, which means that their common point is: plaintext data is sent to the chain contract in the form of calldata; the difference is that Optimistic Rollup uses interactive error proof To ensure the accuracy of off-chain calculations, if deliberate evil is recognized, it will be punished; compared to zkRollup, Optimistic Rollup’s security assumptions are weaker.

Validium: This scheme was proposed by StarkWare and was approved by God V, so it was named. The characteristic is that the calculation process is completed off-chain, the correctness of the calculation is guaranteed by the zero-knowledge proof algorithm, the verification is completed on the chain and the final world state is stored; one more thing to note is that in order to obtain better scalability, this solution The transaction data is also stored off-chain, and the credible “data availability” committee provides proof of data availability. Compared with the previous two solutions, this solution loses a certain amount of data availability, but it does provide better data availability. Scalability; therefore, in actual application scenarios, this solution may be more favored.

Plasma: Proposed by V God, compared to the other three proposals, this proposal was proposed the earliest. The features of the scheme are more significant. It is calculated off-chain, stored on-chain, and transaction data is also stored off-chain. It is simple and rude. Users can initiate error-type proofs to prove the executor’s malicious behavior, thereby obtaining rewards and punishing the executors.

Although the above schemes are now available, since there is no real application that runs on Layer-2, it is difficult to make a conclusion about which is better. Currently, the most active application concept on Ethereum is Defi. Among them, DEX occupies the most network resources. The proposal of Layer-2 will obviously bring more room for DEX development. Below we can see the landing of Layer-2 from a specific case.

ZKSwap, which is currently very hot in the market, is one of the explorers. The Layer-2 expansion solution proposed by ZKSwap is called ZKSpeed (A Pratical and Scalable Zk-rollup Solution, a practical and scalable zk-rollup protocol).

Here is a picture to show the relationship between the ZKSwap design scheme and the above scheme:

As can be seen from the picture, the ZKSpeed infrastructure of ZKSwap’s first version of the expansion solution combines the features of ZK-rollup and Validium and Plasma solutions. On this basis, it has been greatly improved through three solutions: aggregation proof, GPU optimization, and proof circuit optimization. Improve the throughput of the entire network.

Before doing a detailed introduction, it is necessary to explain why the storage scheme under the transaction data chain is adopted. In fact, the original intention of ZKSwap is to completely follow the zkRollup solution, so it can not only reduce transaction costs, but also ensure the availability of data on the chain. With this, users can provide proof of the validity of the Merkel tree at any time. Withdraw your own money from the chain. Unfortunately, after a real test, the cost of the chain is still very expensive under this scheme. The Gas Limit of each layer2 transaction is about 6000. As a comparison, the Gas Limit of Ethereum on Layer1 is 21000 and that of ordinary ERC20. The Gas Limit for transfer transactions is around 50,000. This is far from the high throughput and low gas expansion goals of Layer-2; it has a fast chain speed, but the transaction cost is high, which is believed to reduce the willingness of users to actively make transactions; therefore, if the average value of Layer 2 is The transaction cost is too high, and the high TPS of Layer 2 is also difficult to achieve. Therefore, if you want to use Layer-2’s expansion plan in real scenarios, you first need the absolute security of Layer2 funds; second, you need Layer2’s TPS fast enough (ZKSwap Layer2’s TPS is above 100 and can continue to be improved). The gas cost of each transaction of Layer 2 is only 5%, or 2%, of the transaction cost of the main network.

In the ZKSpeed solution, the off-chain data processing is divided into two parts. All data related to Layer 1 transactions will be uploaded to the chain in real time to ensure the safety of funds, and generate zero-knowledge proofs and verification proofs in real time, but for those only related to Layer 2 The transaction adopts a distributed storage solution, reveals the original transaction data in real time, and puts the data summary on the chain in real time. Currently, the data summary is released by the Layer 2 operator itself, and anyone can verify the accuracy of the summary in real time. In the long run, the data summary The calculation and release of the can be carried out in a distributed manner, and the introduction of community verification. The ZKSpeed solution categorizes off-chain data and greatly improves the scalability of data. Regarding data availability, the scalability of the ZKSpeed solution is better than the Optimistic Rollup solution where all transactions are on the chain in the long run. , Subject to the limitations of each Block Gas Limit of Ethereum’s layer1, if all data is stored on the chain, there is a clear ceiling in the scalability of the Layer2 system. Considering the huge cost of gas on the chain, such a Layer2 In the actual application of the system, its TPS is difficult to exceed 20, and its practicality will be greatly reduced.

The ZKSpeed expansion protocol realizes the trade-off between data availability and data scalability by classifying off-chain data. The problem of data availability is solved, then the next goal is to improve the availability and processing speed of the zero-knowledge proof system. The ZKSpeed solution is based on a zero-knowledge proof algorithm to ensure that the changes in the world state caused by all transactions in a block are correct. Multiple transactions are processed at one time to achieve the first improvement in system performance and bring a higher TPS. However, the improvement effect brought by this solution can only be said to be barely acceptable. The ZKSwap team is dissatisfied with this, and insists on looking for new technical solutions to achieve higher system capacity and lower transaction costs; after disdainful efforts, finally A new solution was found, namely Aggregative Proof.

Aggregative Proof

The logic of aggregate proof is actually very simple. As you all know, in the basic Layer-2 expansion plan, a block corresponds to a proof of validity, and the contract on the chain verifies the validity of the proof. At present, the average block generation speed of Ethereum is 15s per block. If the validity of multiple blocks can be verified on the chain at one time, the cost amortized on each transaction will be greatly reduced. Based on this thinking, ZKSwap adopted an aggregate certification scheme. The so-called aggregation proof scheme is that it is now a proof for each block, and multiple proofs generated within a period of time or a fixed number of blocks are used to prove that the proofs of these blocks are valid. (Think of the verification process as a kind of circuit). In this way, only one verification is needed on the chain, and the validity verification of multiple block proofs can be realized.

After actual testing, after ZKSwap adopts the aggregation proof scheme, the cost of a single transaction is reduced to 1000 (Gas Limit), which is 1/50 of the ERC20 transfer cost of the Ethereum mainnet (the Gas Limit for Ethereum mainnet transfer is about 50,000) Around), this result is surprising enough. Imagine that if more zero-knowledge proofs can be generated within the block generation interval of the main network, then the TPS of the entire system will be greatly improved. For this reason, ZKSwap has also made a lot of efforts to achieve GPU Compared with the CPU version of the PLONK algorithm, the calculation speed of the PLONK algorithm is more than 3 times faster. At the same time, ZKSwap uses large-scale high-performance machines to generate zero-knowledge proofs. For large circuits, it takes less than 2 minutes to generate a proof. But at the same time, limited by the elliptic curve parameters used by the algorithm, there is an upper limit on the maximum number of transactions and the number of proofs that can be proved in each block, which limits the upper limit of the system’s performance. Despite this constraint, the final measured TPS of ZKSwap still far exceeds that of other existing products. At present, in the latest stress test, the TPS of the ZKSwap project using the ZKSpeed solution can reach more than 100.

ZKSpeed has set its sights on recursive SNARKs that do not require trusted settings. Compared with aggregated proofs, recursive SNARKs will not require trusted settings, and the number of blocks that can be verified at one time will not be limited, only depending on the output The speed of the block and the speed of generating the certificate.

System measured results

The following lists the fees corresponding to several commonly used transaction types, see the table for details:

Because the Deposit and Withdraw operations involve interaction with Layer-1, the transaction cost is more than that of Layer2 transfer and Swap transaction operations. However, regardless of the type of transaction, the cost of each transaction is already ahead of other products in the industry. ZKSwap based on the ZKSpeed solution has achieved a comprehensive trade-off between fund security and high TPS and low gas cost, and has a very Great practical value, in the practical application of Layer2, has great technical advantages.

Outlook

The ZKSpeed Layer2 expansion solution is a zk-rollup solution that combines practicality and engineering optimization. Through the aggregation proof of zero-knowledge proof, the parallel processing of the Plonk algorithm, and the classification of off-chain data, it greatly improves the TPS of the Layer2 system, and Significantly reduces the gas cost of Layer 2 transactions. Compared with other Layer 2 solutions (zk-Sync, optimistic rollup and Plasma), the ZKSpeed solution has made greater breakthroughs in practicality, and will be the first to support the large-scale deployment of DeFi applications in Layer 2. Regarding the details of the ZKSpeed solution, please Please pay attention to the upcoming technical white paper and system examples (zkspeed.org)