Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
Luozhu Profile picture
@LuozhuZhang
Jun 18, 2022 41 tweets 12 min read Read on X
#zkEVM has been the holy grail of layer2 and Ethereum scaling and is at the forefront of the blockchain && ethereum

There's a lot of zkp and engineering innovation here, bringing together all the most talented people in the Ethereum ecosystem
This is a very interesting and well-worth research topic, in this thread I will dive into zkEVM and explain the native zkEVM architecture of EF and @Scroll_ZKP
1/4 Three levels of zkEVM

1) First of all not all zkVM is equivalent to zkEVM, even for zkEVM itself it is divided into three levels (thanks to @drakefjustin for the research) Image
2) The first level is "language-level" (EVM-compatible), that is, transpile an EVM-friendly language (e.g. Solidity or Yul) into a zk-friendly language (e.g. @zksync' Zinc, and @StarkWareLtd's Cairo)
And then translate The later Zinc and Cairo code runs on their own VM, which may be completely different from Ethereum's EVM Image
The advantage of this solution is that we can design a zk-friendly VM from scratch without being limited by the past design of the EVM
@gavofyork never thought that zk-snark would be used in EVM one day, so if the zero-knowledge circuit is directly applied in many places of EVM, it will cause a huge overhead

Especially Keccak hash and MPT. For details, refer to @yezhang1998's article
hackmd.io/@yezhang/S1_KM…
The disadvantage is that it is difficult for developers to get the best development experience. These zkVMs use the instruction set of their own language at the bottom and do not support many important EVM opcodes
Therefore, if developers want to get the best development experience, they may need to learn these zkVM own languages (Cairo), which may cause zk-Rollup to be unable to directly inherit the Layer1 ecology, and Layer2 developers and languages are separated
3) The second level is "bytecode-level" (EVM-equivalent), which can not only achieve compatibility at the solidity language level but also achieve full compatibility at the EVM opcode level
Only when it reaches the bytecode level can it be called "zkEVM". On this zkEVM, solidity developers can get the best development experience, and L1 applications and development tools can basically be migrated to L2 without modification
The current stage of @Scroll_ZKP and EF’s native zkEVM (including the efforts of @ConsenSys and @0xPolygonHermez), both target bytecode-level zkEVM
4) The third level is "consensus-level", which is also the final zkEVM. It will not only achieve compatibility at the language and bytecode levels but also at the consensus level
After achieving consensus layer compatibility, each miner will generate a proof for each block when generating a block

When all nodes are synchronized, they only need to verify that the proof is valid, and there is no need to recalculate all transactions
And based on the recursive proof of Halo2, a proof can be used to prove that the history of the entire block is valid

At that time, the synchronization node does not even need to verify each proof, but only needs to verify the last proof to access the network Image
In the long run, when it only takes minutes or even seconds to synchronize an Ethereum node, anyone can easily join the Ethereum network, and Ethereum will become more decentralized and robust

I'm really looking forward to seeing it happen
5) So the ultimate goal of zkEVM is actually to apply it to L1, replacing our current EVM (Very ambitious!)

This is also the ultimate goal of EF(@PrivacyScaling), @Scroll_ZKP, and all of us working together
For details, see the last part of the ethereum roadmap sent by @VitalikButerin - "zk-snark everything"

I believe @VitalikButerin and @barrywhitehat will also explore stack solutions
2/4 zero-knowledge proof

1) What makes zkEVM around the corner

There are many cryptographic breakthroughs behind it that can make zkevm from imagination to reality, the most important of which is the Plonk and Halo2
For details, can see this thread by @Zac_Aztec, and he is also the founder of Plonk and @aztecnetwork
2) Plonk is an innovation based on Sonic and polynomial commitment

Based on sonic, Plonk has a "universal and updateable" trusted setup, that is, only one setup is required, and then it can be reused
And based on polynomial commitment (very beautiful math), we can use more expressive PLONKish Arithmetization, better than R1CS which is widely used by groth16 and other zk-snark proof schemes
3) zkEVM also uses two very important features of Plonkish, namely "custom gate" and "lookup table argument"
These two features of Plonk (halo2 inherited) allow us to write highly customized constraints, which are very helpful to reduce the overhead of the circuit (you will find that we frequently use these two features in the native zkEVM architecture later)
Thanks to @zeroknowledgefm for accumulating so many zkp resources for anyone to understand the amazing magic and wonderful math behind zkp
3/4 Architecture of native zkevm

1) As we mentioned earlier, the native zkEVM will not only be used in the zk-Rollup but also will replace our current L1 EVM and become the L1 zkEVM

So its design/code and architecture are very worth learning (the most cutting-edge innovation!)
2) The well-known EVM is essentially a state machine, which drives state1 to state2 through transactions

So it can be understood that the operation that drives the smallest state change is a transaction (actually trace) Image
If we can get transactions and constrain/prove them, in fact, it can constrain/prove the entire state machine
3) The basic idea of zkEVM is to create an evm circuit to constrain the EVM (the state machine) and prove that all the execution logic of the EVM is correct
This EVM circuit can get all transactions, and each specific opcode called by this transaction

Then prove that each transaction, as well as all opcodes called by each transaction, the operation logic of opcodes, and even the sequence of operations, are completely correct ImageImage
4) But in our practice, we found that if only one circuit (EVM circuit) is used to constrain the EVM, this circuit will become very huge, and finally it will increase unnecessary complexity and overhead
So we designed many different sub-circuits/tables according to different modules in EVM. When proving, we only need to query the corresponding table (a table probably looks like this, fill in different variables according to requirements) Image
5) For example, if it is the logic of memory/stack/stoarge read & write, the EVM circuit will query the state table

If it is some operation involving opcode, the EVM circuit will query the bytecode table. Similarly, tx and block will query tx table and block table respectively Image
Here, the state circuit needs to operate MPT when constraining storage-related operations (state table), so the corresponding MPT table is queried

The Tx circuit also needs to query the corresponding Keccak and Sig table when calculating the hash and transaction sig verification Image
6) This table is not fixed, but filled in with different values according to different operations (this is one of the reasons why zkEVM can become universal)

So prover has the ability to fill in false values to forge an invalid table
Therefore, in order to ensure the correctness of the table, we design a circuit for each table, and each circuit has some special polynomial constraints on the table to ensure that the table is completely correct Image
7) When a transaction/trace enters the EVM circuit, all operations (opcode, stack/storage, etc.) involved in it will be reordered and then assigned to different sub-circuits

These sub-circuits will prove the correctness of these operations and generate a proof
Finally, the proofs generated by these sub-circuits will be input into an aggregation circuit as public input, and the aggregation circuit will aggregate these single proofs into an aggregate proof Image
After that, the aggregate proof can be sent to the L1 contract to verify the validity of the proof, which is also the workflow of Scroll at the High-level Image
4/4 Ending and the beginning

zkEVM is a milestone of "zk everything" and innovation that can only appear after the practical zk-proving systems are mature
While researching zkEVM, I was deeply impressed by the mathematical mechanism behind it, I believe zk is a huge innovation and we are at the forefront of this innovation

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Luozhu

Luozhu Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @LuozhuZhang

Luozhu Profile picture
Nov 17, 2022
We are gradually achieving effective "Proof of Humanity"

PoH is actively used by many projects as a Sybil-Resistance mechanism (e.g. Gitcoin, Worldcoin, Proof of humanity, etc.). While they still have many unsolved issues, innovation is going
1) We want blockchain not only to be a toy for the rich and geeks but to go mainstream. This requires efforts from all sides

Rollup and L2s make Ethereum cheaper
Account abstraction makes Ethereum simpler
PoH makes Ethereum a neutral democratic platform
2) With PoH, we can build many human-centric applications

- Voting and Democracy dApps
- Quadratic funding (wtfisqf.com)
- UBI
- Human DAOs
- Better Airdrop System
Read 13 tweets
Luozhu Profile picture
Oct 15, 2022
I haven't looked into Hermez's zkevm solution in-depth (and parts of Hermez's code aren't fully open source yet)

But it's an interesting topic, comparing @Scroll_ZKP and @0xPolygonHermez's zkevm is a very good perspective to help everyone understand the zkVM and zkEVM
1) Basically, @Scroll_ZKP / @PrivacyScaling's zkEVM solution does EVM equivalence by "re-implementing" the entire EVM

All operations of EVM are defined in zkevm-circuits, which require a lot of steps (constraints) to prove
2) Hermez's zkEVM solution is different

Instead of re-implementing an EVM, they implement a specific zkVM and map the EVM operations to their own zkVM
Read 20 tweets
Luozhu Profile picture
Oct 11, 2022
As we all know, the consensus protocol of PoS Ethereum is “Gasper”, which is constructed by applying the Casper FFG (a finality gadget) on top of LMD-GHOST (fork-choice rule)
So if you want to figure out the full Ethereum consensus protocol, it’s necessary to understand these two Ingredients (Casper + Ghost). Besides, these designs are really fun
I plan to sort out the background and evolution of these two protocols, as well as their simple workflow (which is very interesting!), and I will introduce Gasper in another article in the future
Read 27 tweets
Luozhu Profile picture
Oct 6, 2022
In this thread, I want to clarify my misunderstanding of consensus mechanisms and clarify their definitions

- PoW, PoS, and PoA are not consensus protocols
- PoW, PoS, and PoA are essentially Sybil resistance mechanisms
- Consensus protocol and consensus mechanism are not equal
- For PoW-based Ethereum, Nakamoto is its consensus protocol
- And for PoS-based Ethereum, Gasper is its consensus protocol
1) Proof of work and Proof of stake are not consensus protocols in themselves, people calling them consensus protocols is a lazy way of saying

They are essentially Sybil resistance mechanisms, and understanding this requires first understanding "what is a Sybil attack"
Read 17 tweets
Luozhu Profile picture
Oct 2, 2022
When learning the blockchain consensus mechanism, there is an inescapable concept, which is the "Byzantine Generals Problem"

Around this problem, many solutions were born, some of which were abandoned, others were feasible (and inspired Nakamoto PoW and Ethereum PoS)
1) In the blockchain world, the consensus mechanism is to require all individual nodes (generally the number of nodes will be very large) to agree on a single fact (this single fact is the transaction history)

So in simple terms, the consensus is about reaching an agreement
2) Also, a situation makes it more difficult for nodes to reach a consensus, which Leslie Lamport proposed in his 1982 paper👇:
Read 12 tweets
Luozhu Profile picture
Sep 25, 2022
The next big goal of Ethereum after the merge is sharding (Danksharding)

And because merge and sharding (including other upgrades of Ethereum) work in parallel, sharding has made a lot of progress
1) Danksharding is a new sharding design proposed by @dankrad that focuses on data availability rather than code execution
This is a long-term upgrade goal of Ethereum, and its purpose is to further reduce the cost of Ethereum as a data settlement layer

Rollups as a mid/long-term scaling solution for Ethereum, the cost will be further reduced after Danksharding
Read 12 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

Send Email!

:(