In-depth analysis of zkEVM: how it works, build difficulty, importance, and development progress

2022-11-11 22:00

Read this article in 29 Minutes

Different zkEVM projects take different approaches to combining EVM execution with zero-knowledge proof-of-calculation, each with its own unique tradeoffs.

Original title: zkEVM Trivia --Alchemy

原文来源： Alchemy

The Zero-knowledge Ethereum Virtual Machine (zkEVM) is a virtual machine that generates zero-knowledge proofs to verify the correctness of a program. ZkEVM Designed to enforce smart contracts in a way that supports zero-knowledge technologies.

ZkEVM Is zero knowledge. (ZK) Part of the roundup, this is Ethereum. 2 Layer scaling solution that improves throughput by moving computation and state storage down the chain. ZK-rollup Submit transaction data to Ethereum and zero-knowledge proof to verify the validity of the down-chain transaction batch.

Early ZK-rollup It lacks the ability to enforce smart contracts and is limited to simple Token exchange and payment. However, as with EVM The introduction of compatible zero-knowledge virtual machines, ZK-rollups Support for Ethereum DApp.

In this article, we will explore. zkEVM How it works, why it's important, and what types of it exist. ZkEVM.

What is ZkEVM?

zkEVM Is with EVM Compatible virtual machines that support zero-knowledge proof computing. Unlike regular virtual machines, Demonstrate the correctness of program execution, including the validity of inputs and outputs used in the operation.

We'll break down this definition further to make it easier to understand:

EVM Compatibility

An EVM (Ethereum Virtual Machine) is a runtime environment that executes smart contracts deployed on the Ethereum network. EVM To act as a "world computer" for decentralized applications running on the Ethereum blockchain. (dApps) Provide motivation.

If the virtual machine can run as in EVM Run in the environment and create a program, it is "compatible with EVM nbsp;". Such a virtual machine can be executed using the Solidity Or smart contracts written in other high-level languages used in Ethereum development. ZkEVM With & have spent EVM Compatible, as they can execute Ethereum smart contracts without requiring significant changes to the underlying logic.

Support zero knowledge technology

EVM Never designed to support zero-knowledge proofs, this makes building with EVM Compatible, zero-knowledge friendly virtual machines become difficult. However, advances in research have made it possible, to some extent, to bring EVM Computational wrapping becomes possible in zero-knowledge proof.

Different zkEVM The project will take different approaches. EVM Execution is combined with zero knowledge proof computation. Each approach has unique trade-offs, which we will explore later in this guide.

zkEVM How does it work?

With & have spent EVM Neil: Same thing. Is a virtual machine that transitions between states through programmatic operations. But... zkEVM Further, the correctness of each part of the calculation is proved by generating proofs. Eg. In essence, Use a mechanism to demonstrate that the execution steps (as described earlier) follow the rules.

To understand zkEVM Let's review how it works (and why it's different). EVM Current working principle.

EVM How it works

An Ethereum virtual machine is a state machine that moves from an old state to a new state in response to some input. Every smart contract execution is triggered. EVM A change in state (called a "state transition"). Here's a high-level overview of what happens during smart contract trading:

1. Contract bytecode (compiled from source code) from EVM Stored and loaded by EVM The point-to-point node on. The nodes use the same transaction input, which guarantees that each node reaches the same result (otherwise they cannot reach a consensus).

2. EVM The opcode (contained in the bytecode) and EVM Different parts of the state (memory, storage, and stack) interact. Opcodes perform read-write operations -- read (get) values from the state store and write (send) new values to EVM The storage.

3. EVM The opcode performs an evaluation of the value obtained from the state store before returning a new value. This update causes The EVM transitions to a new state (hence, the transaction is called a "state transition"). This new state is copied by other nodes and held until another transaction is executed.

Shows how the program works in the Ethereum virtual machine. (EVM) The diagram executed in [source]

zkEVM The working principle of the

zkEVM Generate zero-knowledge proofs to verify the various elements in each calculation:

1. Bytecode access: Is the appropriate program code correctly loaded from the correct address?

2. Read and write operations: Did the program get the correct values from the stack/memory/storage before the calculation? Bay. Does the program write the correct output value to stack/memory/storage after completing execution?

3. Calculation: Are the opcodes executed correctly (i.e., one by one, without skipping steps)?

zkEVM Structure of the

zkEVM There are three parts: execution environment, proof circuit and validator contract. Each component helps. zkEVM Program execution, proof generation and proof verification.

1. Execution environment

As the name implies, the execution environment is in. zkEVM Where the program (smart contract) is running. zkEVM The execution environment function and EVM Very similar: it takes the initial state and the current transaction to output the new (final) state.

2. Verification circuit

Proof circuits produce zero-knowledge proofs to verify the validity of transactions calculated in the execution environment. The proof generation process is completed using pre-state, transaction input, and post-state information as inputs. The prover then obtains a succinct proof of the validity of that particular state transition.

Display zkEVM How to generate a proof of validity diagram for a program. [source]

3. Verifier Contract

ZK-rollups Submit proof of validity to deployment in L1 The smart contract on the chain (Ethereum) is verified. Inputs (pre-status and transaction information) and outputs (final status) are also submitted to the validator contract. The verifier then runs the calculation on the provided proof and verifies that the submitted output is calculated correctly against the input.

What is zkEVM The operation code?

ZkEVM Opcodes are used in the EVM Compatible ZK-rollup A low-level machine instruction to execute a program. With & have spent EVM Again, contracts written in high-level languages must be compiled to VM Interpretable low-level language (bytecode). The bytecode is specified in the VM The opcode used to execute the program when it is deployed in

We need to. zkEVM Opcodes, because the regular EVM The use efficiency of opcodes in zero-knowledge proof circuits is very low. There are usually two ways to write zkEVM Create an opcode:

Is native EVM Opcode construction ZK circuit

For & have spent ZK Proof computing creates a new language

Is native EVM Opcodes build zero-knowledge circuits

This method requires the implementation of all EVM in the arithmetic circuit; Instruction set - This is a complex and time-consuming task. The benefit is that developers can use existing blockchain development tools to create smart contracts, or port existing Ethereum contracts to them. ZK-rollups without much modification.

For & have spent ZK Proof computing creates a new language

This approach requires building a new language -- designed to support proof of validity -- and developing custom opcodes. Developers need to either write the contract directly in the new language, or write the contract in the new language. Solidity Source code compiled to custom zkEVM The operation code.

While this approach is generally easier to implement than the first, it does have drawbacks. For example, developers may not have access to existing Ethereum infrastructure and resources.

According to EVM Zero-knowledge VMS classified by compatibility. [source]

What makes build zkEVM Becoming difficult?

Due to EVM Not considered at build time. zk-proof Calculation, so it has the property of being unfriendly to the proof circuit. The following is a brief overview of making the build zkEVM Four things that have become difficult:

Special opcodes

Stack-based architecture

Storage overhead

Cost of proof

1. Special opcodes

With conventional VM Different, EVM Special opcodes are used to execute programs (CALL, DELEGATECALL) and error handling (REVERT, INVALID), among other operations. This increases for EVM The complexity of the process of operating design validation circuits.

2. Stack-based Architecture

EVM Using stack-based architectures, while simpler than register-based architectures, increases the difficulty of computational proof. That's why the famous zero knowledge. VM, for example ZkSync The & have spent zkEVM And & have spent StarkWare The & have spent StarkNet Use a register-based model.

3. Storage overhead

EVM The storage layout depends on the Keccak Hash function and Merkle Patricia Trie, both have high certification overhead. Some of them. zkVM, such as ZkSync, attempting to replace KECCAK256 Function to get around the problem -- but this could break compatibility with existing Ethereum tools and infrastructure.

4. Cost of proof

Even if the above problems are solved, the proof generation process still needs to be dealt with. Generating zero-knowledge proofs requires specialized hardware and a significant investment of time, money, and effort.

Although by no means exhaustive, this list suggests some obstacles to building with. EVM Compatible zkEVM ". Despite this, several breakthroughs in zero-knowledge technology have made it possible to alleviate these problems -- leading to a growing concern about zkEVM Renewed interest in solutions.

Why? zkEVM Very important?

Build fully functional zkEVM Will be encouraged with EVM Compatible with ZK-rollup Project development. This has several advantages:

Secure scalability

Lower cost

Faster final certainty and capital efficiency

Network effect

1. Secure scalability

According to protocol rules, all validation nodes must re-perform all calculations performed in the Ethereum virtual machine. This approach ensures security because the Ethereum node can independently verify the correctness of the program, but it limits the Ethereum network to manage only about. 15-20 Scalability of a transaction).

With & have spent EVM Compatible ZK-rollup Can solve Ethereum throughput issues without breaking network security. Like other extension protocols, ZK-rollups Not burdened by Ethereum consensus protocol rules, and can optimize execution speed. Eg. Some estimates suggest that rollups can process about per second; 2000 Transaction, without incurring Ethereum's high fees.

Eg. However, it is true that Compared with other expansion projects, it has higher security guarantee; They used proof of validity to verify the correctness of the down-chain calculation. That means smart contracts are in the air. L2 Transactions executed on the Reliable validation on L1 (Ethereum) without requiring the node to re-perform the operation. This can significantly improve Ethereum's processing speed without compromising security.

2. Lower cost

Rollups By using transaction data as CALLDATA Write to Ethereum to get security from the Ethereum mainnet. However, the difference between optimistic aggregates and zero-knowledge aggregates is how much data they must publish on Ethereum.

Because optimistic aggregations do not provide proof of the validity of off-chain transactions, they need to publish all transaction-related data (including signatures and transaction parameters) on the chain. Without putting all the data on the chain, challengers cannot build proof of fraud that can be used to dispute invalid summary transactions.

On the contrary, ZK-rollups Minimal data can be published to Ethereum because the proof of validity already guarantees the reliability of the state transition. zkEVM You can even reduce this further by omitting the transaction input and publishing only the final state changes. CALLDATA Requirements.

3. Faster Certainty and Capital Efficiency

In addition to better security, ZK-rollups And Optimism rollups There is another advantage: faster final certainty. Certainty in a blockchain is the time it takes for a transaction to become irreversible; The transaction can only be finalized when the network participants have objective evidence of its effectiveness.

Use ZK-rollups, in zkEVM Transactions that are executed in Ethereum are usually completed immediately after being published to Ethereum. Because each transaction batch comes with an instantly verifiable proof of validity, the Ethereum backbone can quickly apply status updates.

Because optimistic summaries are only published without proof. VM Transaction, and therefore must undergo a challenge period in order for the transaction to reach final certainty. The challenge is. 1-2 Week, during which anyone can challenge a transaction after it has been submitted to Ethereum.

Slower final determinism has many implications for the user experience. For example, users cannot extract assets from the summary until the delay period expires. The liquidity provider may fix the problem, but if the withdrawal involves high-value assets or even more. NFT, may not be valid.

zkEVM There is no such problem. Faster final certainty is ideal for power users, such as those who need seamless mobile assets (especially in L1 And & have spent L2 Between) NFT A trader, a DeFi An investor or carry trader.

4. Network effects

Construction and EVM Compatible zkVM The most important reason is to take advantage of the network effects of Ethereum. As the world's largest smart contract platform, Ethereum has a huge ecosystem that provides value to developers and projects.

For example, developers have access to a battle-tested and audited code base, extensive tools, documentation, and more. Create a new one that is not compatible with the Ethereum infrastructure. zkVM Will prevent projects and development teams from taking advantage of Ethereum's network effects.

What types are available? ZkEVM?

Current zkEVM Projects fall into two main categories: Support Native EVM Opcode zkVM And use custom EVM Opcode ZkVM. Here we compare the different. zkEVM Protocols and explain how they work:

Polygon zkEVM

Polygon Hermez Is a Polygon ZK-rollup with a zero-knowledge virtual machine, designed to support EVM Compatibility. To this end, EVM Bytecodes are compiled into "microopcodes" and stored in uVM -- one using SNARK And & have spent STARK A virtual machine used to verify that a program executes correctly.

The decision to combine these two types of proof makes strategic sense. STARK (Extensible Transparent Knowledge Demonstration) proofs are faster to generate, but. SNARK (Concise non-interactive proof of Knowledge) proofs are smaller and less costly to verify on Ethereum.

Polygon Hermez zkEVM uses STARK Proof of the effectiveness of the circuit to generate state transitions. STARK Proof Verification STARK The correctness of the proof (think of it as generating the "proof of the proof") and submit it to Ethereum for verification.

zkSync zkEVM

zkSync It is an association with EVM Compatible ZK-rollup, by Matter Labs Developed and supported by its own zkEVM. ZkSync Use the following strategies to achieve compatibility with Ethereum:

1. Will & have spent Solidity Write contract code compiled into Yul, an intermediate language that can be compiled into bytecode for different virtual machines.

2. Will & have spent Yul Bytecode (using LLVM Framework) was recompiled specifically for zkSync The & have spent zkEVM Designed custom, circuit-compatible bytecode sets.

With & have spent Polygon Hermez Neil: Same thing. Implement at the language level, not the bytecode level. EVM Compatibility. For example, zkSync The & have spent zkEVM Traditional multiplication and addition opcodes (ADDMOD, SMOD, MULMOD) are not supported.

Scroll zkEVM

Scroll is a new zero knowledge being developed. EVM Implementation. Scroll Team plan for each EVM Opcode design zero-knowledge circuit. This will allow developers to create a new version of the Scroll Deploying Ethereum native smart contracts on EVM without modifying the underlying EVM Bytecode.

In addition to the Scroll, "cryptographic accumulator" will be used to verify the correctness of the storage. This is used to prove that the contract bytecode was loaded correctly from the given address.

It also provides a circuit to link the bytecode to the execution trace. An execution trace is a sequence that specifies what has been executed. VM Instructions and order of execution. The prover commits an execution trace during proof generation to verify that the calculation is consistent with the original bytecode.

Applied ZKP zkEVM

Applied ZKP is a project funded by the Ethereum Foundation, which aims to develop a network with EVM Compatible ZK-rollup And a mechanism for generating proof of validity for Ethereum blocks. This last part is critical because pairing the block with proof of validity eliminates the need for the node to re-execute the block.

Applied ZKP The innovation lies in the separation of computing and storage. It uses two types of proof of validity - state proof and EVM Proof:

Proof of state

Check that operations involving storage, memory, and stack occur correctly. The state proof essentially verifies the accuracy of read and write operations.

EVM prove

Check that the calculation calls the exact opcode at the right time. EVM The proof verifies the computation itself and confirms that the state proof performed the correct action for each opcode.

AppliedZKP zkEVM Use bus mapping to link state proofs and EVM Prove it. In addition, both proofs must be verified before an Ethereum block can be considered valid.

We are in the zkEVM Where are you in the development schedule?

In addition to zkSync, most zero knowledge. EVM Still under development. However, the continuous development of zero-knowledge technology means that fully functional. zkEVM Is better than ever before.