With Tornado Cash sanctioned, it's a great time to learn about future of privacy tech: ZK-ZK-rollups.
A ZK-ZK-rollup not only provides private transactions, but does so at low gas fees by performing all the heavy computations on a layer 2.
Let's dive into how it works 🧵
A ZK-ZK-rollup not only provides private transactions, but does so at low gas fees by performing all the heavy computations on a layer 2.
Let's dive into how it works 🧵
First, a quick primer on regular ZK-rollups.
ZK-rollups achieve scale by doing two things:
1) They move your balances from Layer 1 to Layer 2, while still allowing you a cryptographic guarantee that you can exit back to L1 anytime
2) They batch transactions within the rollup
ZK-rollups achieve scale by doing two things:
1) They move your balances from Layer 1 to Layer 2, while still allowing you a cryptographic guarantee that you can exit back to L1 anytime
2) They batch transactions within the rollup
To move the balances to the L2, the same gas is required as any L1 transaction because it requires updating the same amount of L1 states.
But to transact within the L2, only the L2 Merkle tree (residing within the smart contract) needs to be updated.
But to transact within the L2, only the L2 Merkle tree (residing within the smart contract) needs to be updated.
When updating L2 balances, computations for the batched transactions are performed off-chain.
All that's submitted to the L1 is the updated Merkle tree and a proof that the computation was performed correctly.
This is why transactions within the rollup are so cheap.
All that's submitted to the L1 is the updated Merkle tree and a proof that the computation was performed correctly.
This is why transactions within the rollup are so cheap.
This is also how ZK-rollups inherit the security guarantees of the L1.
The rollup smart contract requires a correct proof to update the Merkle tree, making it impossible to cheat.
And if a sequencer goes down, the smart contract allows anyone to exit the rollup back to L1.
The rollup smart contract requires a correct proof to update the Merkle tree, making it impossible to cheat.
And if a sequencer goes down, the smart contract allows anyone to exit the rollup back to L1.
But just like Ethereum L1 transactions, the balance updates to the Merkle tree are fully transparent to the world.
This is where @aztecnetwork comes in with the ZK-ZK-Rollup, which creates a privacy shield for transactions within the rollup.
This is where @aztecnetwork comes in with the ZK-ZK-Rollup, which creates a privacy shield for transactions within the rollup.
When you move balances to Aztec, the smart contract issues you an equivalent token beginning with 'zk'. For example, if you move 100 ETH to Aztec, it will consume the 100 ETH and issue you 100 zkETH in return.
zkETH is redeemable for ETH 1 for 1.
zkETH is redeemable for ETH 1 for 1.
The smart contract then stores the zkETH differently than the L1.
Instead of tracking accounts with balances, zkETH is tracked as notes with owners (akin to Bitcoin's UTXO architecture). Think of it like a bank note.
So your 100 zkETH would be stored as a note that you own.
Instead of tracking accounts with balances, zkETH is tracked as notes with owners (akin to Bitcoin's UTXO architecture). Think of it like a bank note.
So your 100 zkETH would be stored as a note that you own.
However, the notes are encrypted.
No one can see how much each note contains, or who the owner is.
You as the note owner hold the private key to decrypt the note to reveal the amount and that you are the rightful owner. You can use this anytime to redeem your ETH.
No one can see how much each note contains, or who the owner is.
You as the note owner hold the private key to decrypt the note to reveal the amount and that you are the rightful owner. You can use this anytime to redeem your ETH.
Now, let's say you want to privately send 20 zkETH to Bob.
First, you generate a zk proof to:
a) Destroy the note for 100 zkETH
b) Create two new notes for 80 and 20 zkETH
This proof would validate that (b) sums to the same zkETH as (a), and that you own both of the new notes.
First, you generate a zk proof to:
a) Destroy the note for 100 zkETH
b) Create two new notes for 80 and 20 zkETH
This proof would validate that (b) sums to the same zkETH as (a), and that you own both of the new notes.
Next, you would reassign ownership of the 20 zkETH note to Bob by changing the encryption of that note so that Bob can decrypt it with his private key.
The note remains shielded to the rest of the world - no one besides you and Bob can tell the amount nor the new owner.
The note remains shielded to the rest of the world - no one besides you and Bob can tell the amount nor the new owner.
Every time these transactions happen, the Aztec Merkle trees on the L1 are updated, but all the new notes remain encrypted, thus preserving privacy.
Technically, Aztec uses two Merkle trees to track the notes, but the effect is the same.
Technically, Aztec uses two Merkle trees to track the notes, but the effect is the same.
The only transactions which are transparent are when moving funds to or from the L1.
This is why Aztec's frontend guides users toward common deposit and withdrawal amounts (0.01 ETH, 0.1 ETH, 1 ETH, etc).
For example, the 0.1 ETH privacy set has about 24,000 ins and outs.
This is why Aztec's frontend guides users toward common deposit and withdrawal amounts (0.01 ETH, 0.1 ETH, 1 ETH, etc).
For example, the 0.1 ETH privacy set has about 24,000 ins and outs.
In addition, Aztec Connect allows you to interact with other L1 smart contracts, including DeFi, from within the rollup.
By doing so, you can greatly increase the time lag before withdrawing from the L2, making it much more difficult to match ins and outs.
By doing so, you can greatly increase the time lag before withdrawing from the L2, making it much more difficult to match ins and outs.
Aztec Connect not only increases the privacy of the rollup, but also allows you to have private DeFi transactions. And the fees are kept lower DeFi on Layer 1 by batching many transactions.
https://twitter.com/jonwu_/status/1545173135367888896
To summarize, ZK-rollups enable scaling by maintaining balances in a Merkle tree instead of updating L1 balances.
Aztec's ZK-ZK-rollup stores those balances as encrypted notes, keeping the amounts and owners private.
And with Aztec Connect, you can even do cheap, private DeFi!
Aztec's ZK-ZK-rollup stores those balances as encrypted notes, keeping the amounts and owners private.
And with Aztec Connect, you can even do cheap, private DeFi!
Congrats! You now (hopefully) have a better understanding of Aztec's ZK-ZK-rollup.
Privacy is a human right, and it's exciting to see how this tech is providing increased privacy, and at greatly reduced costs.
If you enjoy these threads, follow me for more deep dives.
End 🧵
Privacy is a human right, and it's exciting to see how this tech is providing increased privacy, and at greatly reduced costs.
If you enjoy these threads, follow me for more deep dives.
End 🧵
• • •
Missing some Tweet in this thread? You can try to
force a refresh
