What are Zero Knowledge Proofs?

To answer this question we can refer back to an old Delphi report from 2019. If you still don’t understand then this is a great video too (23m), explaining ZKPs to 5 different knowledge levels.

While the privacy benefits of ZKPs are clear, the scaling benefits may be less so. So what is their purpose in blockchains?

Fraud Proofs vs Validity Proofs

Rollups are the most popular way to try and solve blockchain scalability and there are two main categories: Optimistic Rollups (ORU) and ZK Rollups (ZKR). Both work by executing transactions off-chain and then posting them to the L1 in a consolidated batch. When discussing ORU v ZKR we should really be comparing how they are verified, and that is fraud proofs (ORU) vs validity proofs (ZKR). This is the fundamental difference between the two.

Fraud proofs, as used in Optimistic rollups, are only needed when disputing the transactions posted to the L1. This is where the term Optimistic comes in – all state changes are assumed valid until they are proven to be fraudulent. Validity proofs, on the other hand, do not make such an assumption. A ZKR posts a validity proof to the L1 to mathematically prove that the state changes are valid. The benefit here is that the L2 will always reflect an accurate state, the tradeoff in that proofs need to be posted for every state transition, not just when challenging one (like fraud proofs). Since prover costs are high and require specialized hardware this impacts their scalability.

The main issue with rollups is that they only offer a linear increase in scalability. This is due to what we call the “data availability problem”. All rollups need to post their data on-chain to the L1 and thus with more transactions comes more data comes more fees. But wait! You might ask. I thought ZKRs only posted proofs and did not need to reveal the data behind them? This is a great question and is a common misunderstanding. You see, while verifiers don’t need to know the data to verify, provers do need it to generate proofs and progress the chain. If data is not posted on-chain, the prover role would not be an open, permissionless role. This is important because if existing provers were gone one day, new participants would need to be able to pick up where they left off and continue to advance the chain. In fact, the term “ZK Rollup” is not really appropriate; instead, they should be called “Validity Rollups”.

Posting data on-chain for ORUs is important because we need to be able to independently validate the state and challenge/submit a fraud-proof if needed; without data behind transactions, it is impossible to reconstruct the state and prove that it is fraudulent. For ZKRs it is important because, while the state root is already verified as true, we need to be able to independently reconstruct it in case the sequencer goes offline. If ZKR sequencers did not post the data then there would be no way to independently reconstruct the state and we would be reliant on a permissioned party for liveness. Users would not be able to escape from the L2 if the sequencer went offline and funds could be frozen, potentially forever. So, ZKRs don’t solve the data availability problem and are still constrained by it. In order to maintain all fundamental properties of blockchains, both ORUs and ZKRs have to post the data behind state changes (transaction details) on-chain, but ZKRs do benefit in that they can consolidate all of the witnesses (i.e. signatures of consenting parties) into a single proof. ORUs, on the other hand, must post all the witnesses and thus scale linearly in this respect.

An important detail here is that to save on gas ZKRs tend to only post state diffs (changes in balances) and not all transaction details. For example, let’s dissect this tweet below from Eli (Co-Founder of StarkWare and inventor of zk-STARKS).

In this example, while we would be able to reconstruct the state with the state diffs, we would not actually know everything that happened in that batch (with an ORU you would, by necessity). This is a heated theoretical debate, something Off-Chain labs (Arbitrum team) expressed as a compromise they weren’t willing to make, and that this “compression” is really just hiding important data. ZK proponents will say that while this is true, only a few applications actually need the uncompressed data and that for others where users would prefer lower fees, the tradeoff is worth it (everything’s a tradeoff). We should also highlight that this is not even possible with ORUs, so the flexibility as to what to post compressed data for and what to post uncompressed for does give ZKRs an advantage here. With that being said, when comparing the costs between the two, it is most fair to assume “full accountability”, and that would mean ZKRs posting all details and not just the state diffs. If we assume full accountability, the cost breakdowns between the two are:

Of course, validity proofs have the added benefit of finalizing the L2 state faster on the base layer (stronger guarantees & faster exit times), but we’re comparing costs here.

We could debate ORUs vs ZKRs all day (exit times, EVM compatibility & equivalence, transaction finality, etc.) but that’s not the focus of this report. The main thing to get across here is how state transitions are verified between the two systems. On the topic of data availability, a near-term benefit to rollup scalability is EIP-4844 which will introduce a new transaction type called “blobs”, helping to lower rollup fees by 10-100x. Instead of posting batches of transactions as calldata (which is permanent and expensive), it will be posted as blobs which are cheaper and temporary (pruned after ~30 days