https://blog.matter-labs.io/zksync-is-live-bringing-trustless-scalable-payments-to-ethereum-9c634b3e6823

Experience the magic of the first zkRollup with no application-specific trusted setup.

Six months ago we introduced our vision for zkSync: a trustless L2 scaling solution to enable mass adoption of public blockchains. Today, we invite you to celebrate with us the first big milestone on our roadmap — the launch of zkSync v1.0 on mainnet.

This release solves an acute problem in the Ethereum ecosystem: transactions have become expensive and unreliable due to soaring gas fees. Every month, ETH and ERC20 token transfers alone cost Ethereum users over $2M in gas fees (and rising). zkSync can massively reduce these costs while gradually enabling VISA-scale throughput of up to 2,000 TPS.

What is zkSync?

zkSync is built using Matter Labs’ zkRollup technology: a combination of cutting-edge research in zero-knowledge proofs with on-chain data availability. This approach boasts impressive security properties: if implemented correctly, funds placed in a zkRollup are as safe as in the underlying L1. More on this below.

While security is and always will be the topmost priority of the zkSync architecture, we’ve obsessively sought out the most elegant design ideas to enable unmatched UX and a smooth developer experience. Here are the main highlights:

The best way to understand the system is to try out zkSync yourself. To kickstart your journey into the world of zkRollups, we created a 1-click faucet that will award the first 500 users with a souvenir Matter Labs Trial Token ($MLTT). After you withdraw funds to the mainnet, it will record proof that you were in the early zkRollup gang.

Go ahead and give it a try, it should only take 2 minutes!


While zkSync v1.0 scales crypto payments on Ethereum today, it also lays the technological foundation for the next steps on our roadmap: enabling smart-contract functionality, privacy, and cryptographically secured censorship-resistance.

Our ultimate goal is scalable, privacy-preserving, fair, and fully permissionless crypto infrastructure for billions of people, while making it easy and useful to build on for developers.


Start building on zkSync today!

zkSync is fully permissionless: you can start using it right now. Integrating it into your project requires only a few lines of code. The zksync-js SDK follows the best practices of client libraries and is modeled after the state-of-the-art ethers-js.

Check out the getting started tutorial on our developer portal.

We are more than happy to offer help, discuss the specifics of your use-case, and provide any support you might require! Please get in touch.

If your use-case involves some complex logic, such as multisig, exchange, escrow, atomic swaps, minting/burning, or even more sophisticated smart contracts, we’d be particularly interested to assist.

While our future releases will enable powerful smart contracts on Zinc, a lot of things can already be achieved today with zkSync v1.0.

To learn more about how zkSync works, you’ll find exhaustive information in the FAQ and documentation area on zksync.io. In the remainder of this post, we focus on the two major properties of the protocol: security and extensibility.

Secure like mainnet

The core technology of zkSync — zkRollup — is the only L2 scaling approach that can provide the same passive security guarantees as L1. This means once you have confirmation that funds landed in your zkSync account, you can go offline for a year, come back, and be sure you will be able to recover your assets without any external help. Your zkSync deposit is completely immune to any manipulations or attacks on the zkSync operators.

This is absolutely unique among the existing L2 scaling solutions: all other approaches require active security efforts, which means their operators need to do some ongoing work to keep funds safe. This increases the attack surface and introduces threats of other kinds (for example, in some cases your account can be frozen or seized by the operators).


Security of zkSync users’ assets is of paramount importance to us. We are following very strict development and DevOps security practices, have conducted thousands of transactions in load tests, and covered our code extensively with unit and integration tests.

Further, the zkSync protocol, smart contracts, and zero-knowledge circuits have been audited by one of the most respected expert groups in the zero-knowledge space: ABDK Consulting (the team that co-authored the Poseidon, Equihash and Argon2 hash functions and conducted the cryptanalysis of the Jarvis cipher, the STARK-friendly hash function Friday, AES, ALE, Catena, RC4, IDEA, and many other cryptographic schemes and protocols).

Despite the thorough audit, as an extra precaution we’ve decided to release zkSync v1.0 as a public beta. Practically this means one thing: contracts can be updated by Matter Labs after a shorter notice period, which allows us to quickly respond to any unexpected situation. Users will be notified about a planned upgrade via smart contract events (an integration with the spells.fyi service will soon be available). If users disagree with the upcoming changes, they will have the notice period to submit an exit request on L1. By design, no upgrade will go through until all exit requests are processed. The upgrade authorization is secured by a multisig controlled with separate cold wallets. We will gradually increase the notice period until, eventually, a pure opt-in upgrade mechanism is implemented to remove any potential risks of a mass exit and enact 100% passive security for zkSync accounts.

While the zkSync UI will work with any Ethereum wallet, there is an important caveat. The SNARK-friendly signature scheme used in zkSync (a variant of Schnorr) is different from the ECDSA scheme used in Ethereum. We have a Metamask snap prototype with our signature scheme integrated (it will be published as soon as snaps are ready for mainnet), as well as a partnership program underway to provide native support for mobile, desktop, and hardware wallets. Until then, zkSync account control keys are handled by the zkSync UI in the browser, which is not ideal from a security perspective. To mitigate this attack vector, we implemented a 2-factor security mechanism: for every transaction, a plain-text authorization must be signed with the native Ethereum signature, which is checked by our servers before the transaction is included in the rollup block. This way, even if our UI website gets hacked, the attacker won’t be able to exploit it. At the same time, we expect native integrations to follow quickly, making this security precaution unnecessary.
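The server-side check described above can be modelled as follows. This is an added example, not Matter Labs code: Ed25519 stands in for the zkSync Schnorr-variant key, SHA-256 ECDSA on secp256k1 stands in for an Ethereum wallet signature, and the message format, field names and function names are assumptions.

```javascript
// Added model, not Matter Labs code. Stand-ins (assumptions): Ed25519 for the
// zkSync Schnorr-variant key; SHA-256 ECDSA on secp256k1 for the wallet key.
const crypto = require('crypto');

// Plain-text authorization shown to the user by the wallet (hypothetical format).
const authText = (tx) => `Transfer ${tx.amount} ${tx.token} to ${tx.to}, nonce ${tx.nonce}`;
const txBytes = (tx) => Buffer.from(JSON.stringify([tx.to, tx.token, tx.amount, tx.nonce]));

// Client: the browser UI signs with the L2 key; the wallet signs the plain text.
function signTx(tx, l2Key, walletKey) {
  const l2Sig = crypto.sign(null, txBytes(tx), l2Key);
  const ethSig = walletKey ? crypto.sign('sha256', Buffer.from(authText(tx)), walletKey) : null;
  return { tx, l2Sig, ethSig };
}

// Server: both factors must verify before the tx may enter a rollup block.
function acceptForBlock({ tx, l2Sig, ethSig }, account) {
  if (!crypto.verify(null, txBytes(tx), account.l2Pub, l2Sig)) return 'reject: bad L2 signature';
  if (!ethSig) return 'reject: missing wallet authorization';
  // The text is rebuilt from the submitted tx, so an authorization signed for
  // one transfer does not verify for another recipient, amount or nonce.
  const ok = crypto.verify('sha256', Buffer.from(authText(tx)), account.ethPub, ethSig);
  return ok ? 'accept' : 'reject: authorization does not match tx';
}

// Constructed sample account and transfers.
const l2 = crypto.generateKeyPairSync('ed25519');
const wallet = crypto.generateKeyPairSync('ec', { namedCurve: 'secp256k1' });
const account = { l2Pub: l2.publicKey, ethPub: wallet.publicKey };
const approved = { to: '0xRecipientA', token: 'ETH', amount: '0.5', nonce: 7 };
const altered = { ...approved, to: '0xRecipientB' };

function demo() {
  const good = signTx(approved, l2.privateKey, wallet.privateKey);
  // Case 2: only the browser-held L2 key signed; the wallet never approved it.
  const l2Only = signTx(altered, l2.privateKey, null);
  // Case 3: the wallet approval for `approved` is attached to `altered`.
  const mismatched = { ...l2Only, ethSig: good.ethSig };
  return [good, l2Only, mismatched].map((s) => acceptForBlock(s, account));
}

console.log(demo());
```

The property that matters is that the server derives the authorization text from the submitted transaction rather than accepting it from the client, which binds the wallet signature to the exact transfer.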

zkSync is the first zkRollup with no app-specific trusted setup — why this is a game-changer

TL;DR:

The previous generation of SNARK-based blockchain tech (Zcash, Tornado cash, Loopring) used a proof system called Groth16. While it was a state-of-the-art protocol at the time of its release in 2016, we’ve seen a Cambrian explosion in zero-knowledge proof protocols over the last year that have massively improved on Groth16 — especially in regard to the setup of the Common Reference String (CRS).

The CRS is better known as “the trusted setup”. Before SNARK proofs can be generated, the CRS must be created once, usually in the course of a Multi-Party-Computation (MPC) ceremony with a number of participants. If at least one of these participants was honest and has securely deleted the entropy (randomness) of their contribution, SNARKs produced by using this CRS are considered secure.

The trusted setup MPC is a huge logistical and operational security challenge. But Groth16 turns it into a logistical and security nightmare — by requiring an application-specific trusted setup. What this means is that a trusted setup needs to be done separately for each application and each update of the logic in this application (every change, every bugfix). Consider the following:

The ideal situation is to get rid of it entirely, or at the very least have to do it only once.

A few efficient proof systems have recently appeared that are transparent — i.e. do not require a trusted setup — such as STARKs, Halo, and SuperSonic. They looked very promising, especially STARKs, as other systems were too expensive to verify on Ethereum. So the Matter Labs team experimented a lot in this direction: we released Hodor, our STARK prover implementation, and later developed RedShift, a hybrid transparent proof system that combines the best of the SNARK and STARK worlds.

Unfortunately, STARK and RedShift proofs are still quite expensive to verify in terms of gas. This makes their current deployment for zkRollups problematic. More work needs to be done to make them efficient enough for this task.

However, we now have a new class of proof systems called SNORKs: SNARKs with a universal and updateable trusted setup. This means a setup is still required, but only once, and can be later reused by many applications. The first of its kind was Sonic (Matter Labs created the first implementation of a succinct version of it), but later more efficient ones followed. Today, PLONK is the most advanced and peer-reviewed proof system of this kind.

In Fall 2019 Matter Labs participated in the Ignition MPC ceremony for PLONK organized by AZTEC Protocol. Further participants included Vitalik Buterin and a number of other prominent members of the crypto community. Buterin also created an independent implementation of the participant’s software. zkSync v1.0 uses PLONK with the CRS from Ignition as its proof system.

This one-time trusted setup means we can rapidly iterate on zkSync design and implement new features or extensions without losing any security properties.
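A toy model of the "universal and updateable" setup and of the one-honest-participant assumption described above. It is an added example, not zkSync or Ignition code: the tiny group, the secrets and all function names are assumptions, and the polynomials only stand in for the data that different applications would commit to.

```javascript
// Added toy model, not zkSync or Ignition code: an 11-bit group without a
// pairing, so contributions cannot be publicly verified as in a real ceremony.
const P = 2039n, Q = 1019n, G = 4n; // P = 2Q + 1; G generates the order-Q subgroup

function powMod(base, exp, mod) {
  let result = 1n;
  for (base %= mod; exp > 0n; exp >>= 1n, base = (base * base) % mod) {
    if (exp & 1n) result = (result * base) % mod;
  }
  return result;
}

// Starting string for tau = 1: g^(tau^i) = g for every i in 0..degree.
const initialSrs = (degree) => Array(degree + 1).fill(G);

// One contribution: secret s turns g^(tau^i) into g^((tau*s)^i); s is then deleted.
const contribute = (srs, s) => srs.map((el, i) => powMod(el, powMod(s, BigInt(i), Q), P));

// Commit to a polynomial (coefficients low to high) from the public string
// alone; the result equals g^(f(tau)) although nobody has to know tau.
const commit = (srs, f) => f.reduce((acc, c, i) => (acc * powMod(srs[i], c, P)) % P, 1n);

const evalPoly = (f, x) => f.reduceRight((acc, c) => (acc * x + c) % Q, 0n);

function ceremonyDemo() {
  const secrets = [123n, 456n, 789n]; // constructed participant secrets
  const srs = secrets.reduce(contribute, initialSrs(3));
  const tau = secrets.reduce((a, s) => (a * s) % Q, 1n);
  // Two unrelated polynomials stand in for two applications sharing one setup.
  const appA = [5n, 0n, 7n, 1n], appB = [9n, 4n, 2n];
  const matches = (f) => commit(srs, f) === powMod(G, evalPoly(f, tau), P);
  // tau is the product of every secret: two colluding participants who pool
  // their secrets still hold a different value unless they recover the third.
  const pooled = (secrets[0] * secrets[1]) % Q;
  return { universal: matches(appA) && matches(appB), tau, pooled };
}

console.log(ceremonyDemo());
```

The demo computes `tau` only to check the result; in a real ceremony each secret is discarded after its contribution, so no party ever holds the product.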

For a pairing-friendly elliptic curve available in Ethereum, the maximum PLONK circuit size is 2²⁶. This limits the maximum block size in zkSync v1.0, which caps throughput at 300 TPS — instead of the 2,000 TPS that both our tech stack and Ethereum bandwidth would enable today. However, this is not a problem for two reasons:

  1. The current capacity exceeds the [average transaction load of Paypal](https://www.statista.com/statistics/419783/paypals-annual-payment-volume/) (200 TPS). We believe that it will be perfectly sufficient for the first few months of zkSync operation.
  2. More importantly, there are a few effective recursion strategies available for PLONK even without cycles of elliptic curves. We have implemented several variants of recursion and will choose one of the strategies based on more exhaustive tests. Recursion allows us to make blocks in zkSync v1.1 uncapped without reimplementing the already audited basic block circuit. Moreover, it is the key to the future implementation of privacy and smart contracts. We will provide more details later in a separate post.

As we said at the start, our goal is scalable, privacy-preserving, resilient, fair, fully permissionless blockchain technology for billions of people. Today we start with a scalability solution that meets all these needs, sans privacy. Once at scale, we will do the same for privacy on Ethereum.

To Scalability and beyond! Got questions?

The zkSync website contains a comprehensive FAQ and documentation area.

Want to learn more or discuss a partnership? Talk to us!

Join the conversation with us on Twitter: @the_matter_labs

We are incredibly thankful to everybody who helped to make this milestone possible: to our investors and advisors for their ongoing assistance; to @vbuterin for his old (2017!) blog posts that inspired us to dive into the world of zero-knowledge proofs, and for his idea of zkRollup; to Sean Bowe for “bellman” — the gold standard of how a cryptography implementation should look; to the Ethereum Foundation — and personally to @BarryWhitehat and Albert Ni — for believing in us and for their support during the most critical early phase of the project; to Eli Ben-Sasson for the inspiration to bring ZKPs to the new level; and to the ZKP community, especially Mary Maller, Zac Williamson and Ariel Gabizon for the ideas and incredible work on proof systems with universal trusted setups.
