Scroll: a Layer-2 ecosystem based on zk-Rollup

Scroll
10 min readMar 29, 2021

--

This article is out-of-date! We make huge and marked modifications to our roadmap and technology. See a new overview here.

Abstract

Scroll is a new Layer-2 solution aiming at providing unlimited scalability, lightning-fast confirmation latency, full decentralization, and trustless privacy. It does so by building upon zk-Rollup and high-performance off-chain distributed systems, with several key improvements:

  • First, Scroll adopts a new hierarchical zero-knowledge proof system. Compared to existing solutions, this new proving scheme enables easy deployment of most, if not all, popular DApps on Layer 2 and efficient verification through succinct proofs.
  • Second, inspired by novel cryptographic protocols, Scroll is able to establish efficient communication channels between DApps and their counterparts on other Layer 2 solutions. This allows us to build an open and complete ecosystem for Layer 2.
  • Third, Scroll introduces Layer 2 mining, robust and permissionless mining which incentivizes miners to generate zero-knowledge proofs for us. We can also relieve the problem of MEV by separating the transaction packing and mining process.

We hope to support existing leading DeFi projects on the Ethereum network by reducing their transaction fees and increasing the transaction speed. Integrate with us today by contacting bd@scroll.tech.

Introduction

Last year has witnessed the explosion of various DApps on blockchains. They allow full decentralization with programmability and are becoming more valuable with high market capitalization. For example, Decentralized Finance (DeFi), a blockchain-based financial system, is recently getting increasingly popular. The total value locked in DeFi has exceeded 25 billion USD and is still growing rapidly.

The largest and most decentralized platform for developing DApps is Etherum. However, Ethereum routinely experiences significant congestion during the time of high usage due to its current throughput limit of roughly 20 transactions per second (TPS). This has a severely negative impact on its user experience. For example, each transaction may cost 20 USD for the gas fee which is unaffordable to normal users.

Scroll is a new Layer-2 solution aiming at solving the problems in Ethereum and enabling more features such as more rigorous privacy. Scroll’s team members are from the world’s most esteemed universities with a strong background in computer systems, hardware, blockchain, and cryptography. Our mission is to solve this problem together, by creating a more efficient solution that leverages zk-Rollup. We propose a new hierarchical zero-knowledge proof system architecture, a new interaction model for DApps on Layer 2, and a new Layer 2 mining mechanism.

We believe our solution could provide the best user experience in the future, including both the lowest fees and the fastest transaction speed. Background

Background

zk-Rollup is the most popular and commonly adopted Layer-2 solution.

Hermez Network, zkSwap, and Loopring are targeting scalable payment use cases (token transfer, AMM, and DEX) using zk-Rollup with different underlying zero-knowledge proof systems. However, they rely on application-specific circuits and cannot support general DApps.

zkSync can support DApps with SyncVM and the Zinc compiler. However, their transaction throughput is limited by the on-chain storage, and the proof generation is costly due to their underlying proof system. StarkWare also supports DApps with the Cairo compiler, but their proof size is large and the on-chain verification cost is very high.

Our proposal mitigates the above problems by using a more efficient hierarchical (potentially recursive) zero-knowledge proof system and a novel Layer-2 mining mechanism. The scalability bottleneck is relieved; miners can also provide much stronger computing power for the proof generation.

Other Rollup solutions like Arbitrum and Optimistic VM use fraud proofs to support general VM. Users can migrate DApps more easily to their Layer 2. However, their security guarantee relies on a challenge model (Optimistic Rollup) and they need a longer confirmation time. We believe that zk-Rollup will be the best choice for Layer 2 with a stronger security guarantee and a shorter confirmation time.

Technical Overview

Scroll is a new Layer-2 solution based on Rollup and PoW. It is the fastest and cheapest Layer-2 solution supporting various DApps. From the high level, Scroll uses the most advanced zero-knowledge proof technology to support both zk-Rollup and Validium. Users can even make high-frequency tradings on Scroll and interact with all DeFi applications with the lowest gas fee.

Technically, Scroll follows the classical zk-Rollup diagram. The basic idea is to aggregate a huge number of state transactions into one rollup block and generate a succinct proof for the block off-chain. Then the smart contract on Layer 1 verifies the proof and directly applies the updated state resulting from those transactions. Different from all previous solutions, we use a new hierarchical zero-knowledge proof system and let miners generate proofs for us. For users, all deposited funds are locked in a smart contract on Layer 1 with the same security guarantees as the mainnet. However, they can now spend the lowest transaction fees, and enjoy plenty of other benefits from the batched transactions off-chain.

The high-level architecture of Scroll is shown in Figure 1. More specifically, Scroll’s architecture can be divided into five aspects.

1. Smart contract

2. Zero-knowledge proof system

3. Circuit deployment

4. Layer-2 mining mechanism

5. zk-Rollup and Validium

We provide more specific descriptions in the following subsections. Scroll’s high-level architecture.

Figure 1. Scroll’s high-level architecture

1. Smart Contract

The first aspect is the on-chain smart contract. Specifically, Scroll’s smart contracts can be classified into three different types:

(1) The first type is the fact register contracts. They are used for proof verification and fact recording. The off-chain prover needs to send the proof along with the state updates of different smart contracts to the fact register contract. The fact register contract then verifies the proof and records the updated states if the verification passes. Different DApp contracts can interact with the fact register contract to update their states directly.

(2) The second type is different DApp state contracts. They are used to store and update the states for different DApps. Each DApp in Scroll is divided into two parts. One is heavy business logic. It contains complicated computations and state transactions. It is moved off-chain (circuit form) and the integrity of the computations will be verified through succinct proof. The other is the simpler state update logic. It contains simple interaction and limited states. It will be updated after interacting with the fact register contract.

(3) The third type is staking pool contracts. It is used when users need to deposit into or withdraw from our Layer 2. All stake is safely stored with the same security level as Layer 1. The pool interacts with the fact register contract and executes corresponding operations for transferring tokens.

2. Zero-Knowledge Proof System

The second aspect is the off-chain zero-knowledge proof system. Different from all previous solutions, Scroll’s zero-knowledge proof system contains two separate layers, and each adopts a different zero-knowledge proof system. One can think of this as on-layer recursion or proof aggregation.

The first layer generates proofs for different DApp circuits directly. We use a universal and transparent zero-knowledge proof system as our first layer. The zero-knowledge proof system needs to satisfy three properties:

(1) Fast proving with short (or none) proving keys;

(2) Unlimited scalability, which requires low space complexity;

(3) One (or none) setup for all DApp applications.

The first requirement enables users to generate proofs efficiently even just by themselves. This enables privacy-preserving smart contracts in the future with a much smaller proving effort at the user’s side. Users can also outsource the proof generation to miners, in which case miners will generate proofs efficiently without having to store large proving keys for various DApps. The second and third requirements enable all smart contract logic to be supported without doing a trusted setup and regardless of how complicated the computation is. The choice of the zero-knowledge proof system in the first layer may sacrifice verification time and proof size to satisfy these required properties.

The second layer aggregates the proofs generated in the first layer and produces one succinct proof for them. This is a wrapping layer; one can think of it as a direct bridge between Layer 2 and Layer 1. The zero-knowledge proof system used here needs to satisfy two properties:

(1) Short proofs;

(2) EVM-friendly verification algorithm.

These two requirements make on-chain verification more efficient. The purpose of this wrapping layer is a universal on-chain verifier. With this wrapping, the on-chain verification smart contract could be universal for various DApps. Miners will generate proofs for this layer with a universal proving key. The choice of the zero-knowledge proof system here may sacrifice proving time to satisfy these required properties.

The considerations behind such a layered architecture are flexibility and efficiency. There is no perfect zero-knowledge proof system winning in all aspects; if you want a fast prover, you need to sacrifice the verifier’s efficiency or proof size. Our approach to combine two proof systems can achieve the best performance in both worlds. It is also easier to support more features (i.e., privacy) and clearly separate different parts (i.e., wrapping). We also have a universal efficient on-chain verifier with a lower gas fee.

3. Circuit Deployment

The third aspect is circuit deployment. For the actual deployment of DApp circuits in the first layer, we take the following mixed approaches.

(1) The first type is customized ASIC circuits. For the frequently used DApps like AMM and DEX, we design customized circuits to achieve high efficiency. We can also adopt other customized proof systems and cryptographic primitives inside. They can interact through cryptographic commitments and the proofs can be linked through randomized linear combinations. It can also serve as the prototype in our early stage.

The ASIC circuits and their internal interactions are illustrated in Figure 2. We use two account systems to model different DApps. If the user wants to make a transfer between the two account systems, she needs to generate a commitment as the middle medium. Those commitments can be thought of as a huge UTXO pool. One needs to transfer to this pool and then deposit to another account system. This comes along with two proofs. In this way, the interactions are modelled more clearly.

Figure 2. An example of token transfer between two ASIC circuits

(2) The second type is a generic CPU circuit. To support Turing-complete computations and convenient contract deployment, we use a universal CPU circuit with optimized IR inside. A smart contract can be compiled into the circuit IR and then be verified step-by-step inside the CPU circuit. We improve the efficiency by proof recursion. More specifically, the proof for the next step contains verification in the previous step. We can achieve this since the CPU circuit is fixed for different IR operations. We can embed the verification circuit inside and prove each CPU computation step sequentially with a recursive proof and a minimized space complexity.

This eventually leads to zkVM and makes DApps easier to migrate. The CPU circuit and its internal proof recursion are shown in Figure 3. Users can interact with solidity code and generate traces (state transformations). Then the traces are sent to the CPU circuit which verifies the state updates are correct recursively (or in parallel) along with one succinct proof.

Figure 3. The workflow of CPU circuit

We are also considering building a stronger compiler that can compile solidity-liked language directly to the ASIC circuits instead of the traced-based CPU circuit for universality.

There are many existing zero-knowledge proof systems that can satisfy all the above requirements (layered requirement and circuit deployment). Some promising candidates we are considering include Halo2, Plookup, and some other SNARK with non-FFT polynomial commitments.

4. Layer-2 Mining Mechanism

The fourth aspect is for miners. We let the miners do the proof wrapping in the second zero-knowledge proof system layer, as well as the outsourced proof generation in the first zero-knowledge proof system layer. We will also allow randomized proof outsourcing for privacy-preserving smart contracts.

Miners will be incentivized to provide enough computation power for the two zero-knowledge proof systems. We have designed a new reward model different from the standard PoW platform, in order to encourage miners to generate proofs as fast as possible in parallel with randomness. We can also avoid the problems of MEV by separating the transaction packing process and mining.

5. zk-Rollup and Validium

The last aspect is the concrete choice of Rollup. We provide two choices for the users, zk-Rollup and Validium, which offer a flexible tradeoff between security and cost.

In standard zk-Rollup, all transactions are uploaded on-chain as calldata and the security level is strictly equal to Layer 1. The disadvantage is the higher transaction fee, but it will still be just 1% of the transaction fee compared to Layer 1.

If users are willing to slightly sacrifice security for lower fees, they can instead use Validium. The proofs are uploaded on-chain but the transaction data will be recorded off-chain. We use a highly efficient distributed system, a class of famous committees, and decentralized storage (miners) to record the data in a secure way. This provides a slightly weaker security guarantee, but unleashes almost unlimited transaction throughput, and even enables more interesting usages like high-frequency trading.

A more detailed overview of Scroll’s architecture is shown in Figure 4. The DApp circuits and the CPU circuit in the first layer interact through a huge commitment pool. The proof generation is outsourced to the miners. Then, again, miners aggregate the proofs and generate one final proof instead. This realizes a universal and efficient on-chain verifier.

Figure 4. A detailed overview of Scroll’s architecture

--

--

No responses yet