chainlink eli5Validity/ZK Rollups ft Eli Ben-Sasson Starknet, Alex Gluchowski ZKSync, Brendan Farmer Polygon

Cardano Poised for Ultra Bullish Surge Following Latest Hydra Hydra is a scalability layer-2 solution allowing developers to add specialized smart contracts on top of Cardano. Why the Ethereum Merge MattersTime In Proof of Stake, energy-guzzling miners are replaced by watchdogs known as validators, who deposit a significant amount of money 32 ETH, which is currently worth about $50,000 into the chainlink eli5 Validity/ZK Rollups ft Eli Ben-Sasson Starknet, Alex Gluchowski ZKSync, Brendan Farmer Polygon
chainlink eli5 The Scandalous History of the... Validity/ZK Rollups ft Eli Ben-Sasson Starknet, Alex Gluchowski ZKSync, Brendan Farmer Polygon
so hi everybody ill quickly do an introduction and kick start this panel uh first of all welcome to this panel on everything about um zk and validity roll-ups theres a little bit of contention on what it should be called but well dig uh deeper into that in just a bit uh but anyways we have the best speakers to come and talk to us about this topic we are going to be doing a technical deep dive on on the technology uh we have ellie from starknet co-founder of stocknet brendan who is the co-founder of polygonzero and alex who is the co-founder of matter labs which built zika sync uh so i dont think the people on this panel need any more intros so i think uh we should get into the motion as soon as possible uh before that just a quick word on how were going to be structuring this panel uh rohit and i are going to be co-hosting it so were going to be uh going around and asking questions uh to the panelists that weve already prepared this would go on for about 40 minutes and towards the end um we would be happy to take a couple of questions from the audience as well so please keep them handy thats about it lets get started ill hand it over to rohit maybe rohit you can start off with the first question to our panelist thanks madhuan hey guys great to meet you eli nice to see you here again uh so maybe i want to ask alex first so i think its its really hard for people to grasp what is zk roll ups slash validity roll ups so maybe you can tell about what rzk roll up slash validity rollups by bringing some differences or explaining some differences between optimistic and and and the ziggurat site absolutely happy to answer this and i actually thought of some interesting metaphor so with both uh types optimistic and zk what we actually using is the technology of containerization so you can think of it as uh you know the early containers that emerged in 1950s on the ships before the shipping containers were introduced it took 100 people around seven days to unload the ship so actually few people would physically go take the sacks of some stuff and move them out and would take very long because you need to to go many times when containers were introduced this time was reduced from 100 people seven days to seven people in one day because you could use cranes and you could transport the same amount of stuff just a lot more efficiently and if you want even deeper intuition where this efficiency is coming from just think youre going to a grocery youre buying a bunch of products and then you need to to go and bring them to your home from the car if you have to carry every single one you know youre going to waste a lot of energy a lot of time just like doing this repetitive moves whereas if you pack everything in one backpack then you can do it in one move and even though the backpack is slightly heavier than each individual or like actually a lot heavier right but you just do it once so your overhead is still minimal so containers are the core of roll-ups because different resources on blockchains have different pricing they have different bottlenecks they have different profile of pricing so we have computation we have storage we have data bandwidth and all of them are slightly different for uh the full nodes that operate a blockchain that verify every single transaction on the blockchain and by full nodes i mean actually like light clients something like full ethereum client not the validator nodes those are separate so the full nodes of individual people have different profiles so in ethereum the ethereums goal is uh and the similar for bitcoin is to make the job of running a full node very easy so that we we can have as many of those nodes as possible so it will keep blockchain truly decentralized and resilient we have tens of thousands of people running them on on their consumer laptops so you want the bandwidth to be low you want the storage requirements uh to remain under what is reasonable to store on a single laptop and you want computationals not to exceed not to heat up the cpus of of this processor right so we we can uh the the job of roll ups is to make sure that we can process large box large blocks on those um hardware nodes much cheaper by packing them together so but the the zero knowledge roll-ups uh are like i think yeah or might have no no i i was just applauding to the fact that thats a great analogy oh please go on yeah so uh the we can go and describe the difference between optimistic and zika roll-ups like in exactly like which is like optimistic roll-ups use fraud proofs ezekiel opps use validity proofs z-roll-ups verify every transaction beforehand right we use proofs of computational integrity to produce a succinct proof that we have processed a very large number of transactions optimistic roll-ups rely on watchers who um like when a sequencer presents the result of the computation it it is up to anyone to challenge this result and then play an interactive game theoretical process on blockchain to actually prove to to the parent system to wear one to ethereum that this was wrong uh but coming back to my analogy uh the you know like if you if you think of roll-ups as containerization mechanisms so zk roll ups or optimistic roll-ups are something like uh sailing ships loaded with containers you know you like you you can still put more data through but you have other factors that you dont really control you know speed of wind the direction of wind uh you know you have to navigate it in the right way to to get from point a to point b like it depends on on some factors how secure how sure you will arrive whereas zika roll-ups are something like um you know nuclear-powered chips loaded with containers where you can use them in a roll-up mode just carrying over containers much more efficiently much more reliably because you you just depend on the laws of physics you dont know like which you control like on on pure engineering on on some mathematical calculations you made beforehand you checked your system and now its its secure like it will surely get you there no matter what weather it is but it can be also used separately you can like if you if you detach it from the containers from from the ship you can use it to build railway or hybrid hyperloops or something like this where you use this atomic energy which is very powerful which essentially scales infinitely because we have a lot of uh uh nuclear fuel material to to use on earth so we we like you know we its not like fossil fuels its not like renewable energy which is very still in very early stages we have a lot of that it will be enough to go around for everyone but you dont use containers like you can power uh you can power electric cars for example which everyone owns their own sort of container they own vehicle to transport things but you they get this energy which is infinite scalable so like zika roll-ups are interesting in this regard because you can use them in validium mode where you use this infinite scalability of for computation but everyone will have their own storage data availability for storage and data availability sorry managed on their own but still having the full security that transactions are not messed with by validators that no funds can be stolen uh no state can go corrupt and so on so sorry for a long answer but i thought that this will be a comprehensive one hey uh i love that answer um this is the first time im kind of hearing that analogy um alex is it kind of fair to say that optimistic roll-ups are based on game theory uh and um zk roll of solidity roll-ups are based more on math can you can you just double click on that point that you made a little while absolutely correct thats absolutely correct so maybe we can let other penalties expand on this maybe and i just want to add uh to say a word of congratulations to ali and the entire star party who just raised a big round thank you oh yes absolutely can congratulate the entire stacker team yeah maybe if i could pull an ellie on this on this um follow-up question uh any uh when i was like talking to you coordinating for this conversation you mentioned a very interesting point that hey probably uh zk rhodops is not the right way to address this technology but validity roll ups is something better can we use this opportunity to um uh pick your brain on why you feel so and also give us an understanding of what zk roll ups are not or what is this technology not okay um so so um the the rollups called zk roll ups um they have one very small problem which is that mathematically speaking speaking they do not employ zk proofs um zero knowledge is a mathematical and cryptographic term that has a um very specific meaning so the reason i quibble about this is like you know you could say theres this amazing car um its a really great car its very efficient its an electric car but then what if you know and youre describing a car that is lets say you know a prius or or even just some other car thats very efficient but not an electric car so you know you dont want to call it an electric car and then the term zk roll ups hints that uh people are using something called zk proofs in them well theyre not um all of the rollups that are called zk roll ups do not use zk proof for instance start net is not a zk proof and uh to best of my knowledge i think the plonks used in in in zk sync are also not necessarily zero knowledge and so on and so forth so thats my quibble with it now i i just want to explain a little bit how it works and the difference with optimistic roll-up its all all of these roll-ups and if you think about it blockchains are all of them basically just innovations on integrity and integrity was beautifully defined by c.s lewis as meaning doing the right thing even when no one is watching and in the context of computation you can specify a program that defines what is the right thing to do with data for instance you know you transfer funds from one account to the other only if the owner of the first account consented lets say via a digital signature so a program should check whether theres a digital signature on a payment and if so you know you can sort of change the amount in that account and move it to wherever the sender wants okay so we would like the world to operate with integrity but uh you know we would like our banks to operate with integrity and the question is how is integrity achieved so in the conventional world its achieved by some manual process in which uh you know auditors and accountants look into various computers and reports and make sure that everythings okay and if something is not okay then you can call the police and file a complaint and things like that thats the conventional world bitcoin and following it all blockchains made a huge innovation in offering a different way to reach integrity basically integrity in in numbers in big numbers everyone is invited uh to check the integrity of every transaction and this is a beautiful you know democratic inclusive um you know its an amazing principle of transparency and so on and thats why we love love love blockchains however it is inefficient because now we all need to run these computers to check everything so thats why we have a bottleneck and scale okay so optimistic roll-ups say we will incentivize economically a protocol in which anyone who wants can be an accountant an auditor and run some big computer and check some other computers and if you trust an optimistic rollup youre putting trust in this game theoretic incentives right that the renumeration is correct and the auditors wont cheat you and uh that theyre incentivized not to cheat and so on and so forth in a validity roll up youre putting your trust in math because the way a validity roll up works is that every time there is an update to the state of the system the integrity of this update is supported with a proof and the proof proves integrity and mathematically speaking and cryptographically speaking it is impossible to generate a proof for anything that was not the right computation so thats basically what a validity roller gives you and now if there is a if you have a validity roll up you could have a single prover that you dont need to trust um process a very large number of number of transactions and then submit an update to the state of the system along with a succinct proof that is easily verifiable and then all the blockchain needs to do is verify this proof and you know for instance our systems the starkic systems have been settling transactions say for dydx upwards of 600 billion dollars have been settled um over the last year or so and um the integrity of all of these settlements is basically guaranteed by the start proofs that are attached to these updates thanks for that explanation ally and just wanted to like ask this specifically once again so that it is clear to uh everyones mind so when you say that validium rollups does not use zk proofs most people when they think about zk they think about like zero knowledge and they understand zk from very analogical perspective which is you are trying to prove a statement without telling what the statement is you are basically proving that a statement is true without telling what is the exact statement so do like are you saying we do not even we cannot even use that analogy in case of validium rollups or you are just mathematically speaking that z proofs are specific to the term itself well well what i mean is first of all what mathematically speaking what a zk proof guarantees is something a little bit different than what you stated so there is a statement and it is essential that everyone sees a statement so now the statement may reveal may or may not reveal some information but but it is what is proved and everyone sees it okay you say that a proof is zero knowledge if when you watch the proof right the proof is sometimes a protocol there are some questions and answers and then you go back and ask yourself did i learn anything additional from watching this proof so if the answer is mathematically speaking no you provedly have not learned anything from watching this process and even more mathematically what it means is you could have whatever information you think you got from watching this process you could have gained by yourself by by playing some game with yourself so if the proof can be proven to reveal no information beyond the integrity of the statement then one can say its a zero knowledge proof now as a matter of fact the starks using starknit or star kicks are not zero knowledge they do leak information the plonks used in in in zk sync to best of my knowledge but alex incorrectly do need information and so on and so forth so the actual proof systems that are deployed on validity roll-ups just are not zk proofs so you know i dont want to call a system that is not you know i dont want to call a very nice car that is not an electric car i dont want to call it an electric car even if i like it a lot so by the same token i do not want to call you know systems that do not deploy zk proofs i dont want to call them zk um you know zk systems and it also leads you down a direction of asking about privacy and whether it gives you privacy and again the fact of the matter is that starknet and the zk sync are not promising any privacy right now theyre about scalability but everything there is completely transparent so you know i just think that the sort of a historical mistake calling these things uh zk roll ups uh theyre just not thanks a lot for that explanation eli and like uh this is the first time ive been able to get that into my mind uh so i also wanted to like ask brandon since polygon has been working on various kind of validity roll-ups ill let brendan clarify if they use any kind of zk in their roll up what are the differences in the different kind of validity roll ups or zk roll ups uh polygon is working on uh and like maybe give some insights on what are the basic take differences and like uh we keep hearing these terms like stocks snacks so what is all these very high high on my mind technology or terms are all about uh yeah sure so i guess uh to your first question uh they would technically be validity roll-ups because we dont use blinding uh in our proofs so they dont as oh i said they dont satisfy the z-kid property um i think for polygon we can broadly distinguish between roll-ups that are evm compatible and roll-ups that are evm equivalent and so uh if you want to build a roll-up um you need that they can support arbitrary contracts um were effectively building a vm whose operations can be verified with azure knowledge proof um and so we have two options in doing that we can either build a vm thats efficient inside the snark whose operations can be efficiently verified or represented in an arithmetic circuit or we can build a zero-knowledge proof that that efficiently verifies evm bytecode so something that actually takes a evm bytecode and and is able to verify that the execution of some program was was actually valid and so um so so at polygon we sort of have the luxury of being able to to pursue both an evm compatible roll-up which is migan and also i think i think this is really exciting uh an evm equivalent roll up so we uh have polygon hermes and polygon zero that are pursuing um this approach of being able to actually take uh existing uh solidity or evm programs and uh verify that their execution is correct um and so there are trade-offs on kind of either side of this of this category so evm compatible roll-ups are a little bit faster but they also require compiling from solidity or from mule into a different bytecode representation whereas evm uh equivalent roll-ups allow us to use uh existing tooling and sort of have um a closer user and dev experience to uh to the ethereum l1 um and so i guess uh for your second uh or your third question um uh within polygon all of our zk teams are extremely collaborative and so were all converging on using very similar primitives so we use starks to actually verify the um like dm execution for transaction proofs simply because air based stocks are more efficient to verify um that i guess format of computation um and so we all use the the goldilocks field which we pioneered thats extremely efficient um we all use uh recursion in slightly different ways um and uh and we uh all focus on uh using pairing-based proofs to wrap our final start proofs um so that we can reduce gas consumption uh on ethereum um so does that sort of get to uh to your question sorry its kind of a rambling answer i i didnt come prepared with a very elaborate uh analogy so i apologize if i like uh double click on that brandon maybe for the interest of the audience like uh what is the differences between a stark and a snark uh maybe at a high level maybe alex you could also uh chime in because i know zika singers uh based on snarks if im not wrong yeah so so stark is uh uses a different arithmetization and so if we think about an arithmetic circuit um we can think about how gates are wired to one another and so if you if you think about something like plaque we can express an arbitrary computation and any gate or any sort of like step in the trace of this computation can access any other gate in the circuit um whereas with airbase starks it fundamentally is designed to uh to verify a computation with repeated structure so we have uh steps in the trace and each step um has access to uh the step uh immediately before and after um and so it just uh im sure ellie can can talk about this with with a little bit more eloquence but it uh it just refers to um like how we write constraints uh and which computations are sort of efficient to to represent sure uh la alex uh do you want to add on anything uh to the stark was a snark uh differentiation i can i can say a few words um so these are two um mathematical or cryptographic definitions and each one of them defines a class of protocols or proof systems and really one can focus on what the acronyms mean in each one of them so ill start with um snark so snark the letter s means succinct which often refers to a constant number of group elements as part of the proof so its already assuming often that youre working inside some group and often this group is actually some elliptic curve group even though thats not essential one could also define succinct as just being logarithmic in the amount of computation and then n means non-interactive which means that your proof is basically a string and you must have one string and theres no interaction going on however in a snark youre allowed to have actually you must have some setup process and the setup is allowed to be even something that involves various secrets that cannot be revealed um known as a trusted setup or toxic waste and things like that so thats what a snark is now a and and by the way the keys generated can be as large as the computation needed to be proved thats fine according to the definition of a snark a stark um the letter s there means scalable which means that the proving time must be extremely efficient nearly linear and at the same time the verification time cannot be more than logarithmic in the amount of computation and the second letter is more interesting transparent means that all the verifier does is generate public random coins in particular there can be no secrets no trusted setups and also no long keys uh you know proving keys or you know prior information this is uh extremely useful for uh for uh scaling because you know you need ever larger and larger circuits and with the start you dont need to have some ceremony for generating them each time a new um other than that starks also allow interaction whereas snarks do not allow now practically speaking i think often snarks are uh you know practice in the practical usage things like you know z cash and plonks and other things that are usually referred to as snarks one thinks of something that uses a lot of elliptic curve cryptography and things that are prone to be broken by quantum computers the proving time there is slightly larger than in starks however they have the individual proof size is extremely small its uh under one kilobyte and sometimes even under 200 bytes and starks um they are post quantum safe they have uh very very efficient proofers however the the size of the proof is uh roughly a hundred times larger an individual proof is is a hundred times larger than an individual uh smart proof so instead of 200 bytes or one kilobyte they could be in the range of 20 to 100 kilobytes so those are roughly the differences but both have their use cases and theyre deployed in many many places snarks appear in uh of course zcash was the first thing and then you have them also in file coin and you know plonks and other areas they appear in mina in aztec and zika sink in other places and starks appear on starknet and starkex and the mir protocol and other teams inside the polygon are also working on them so they both have their uses and will be around for a while perfect uh alex i know you got cut off a little bit a little while earlier is there anything that you would want to add to our weapon and really just mention or maybe like share a perspective on why zeke is saying choose to build using snugs what advantages do you feel it it gets you sure i i yeah yeah so we are using plonk uh which is very similar in arithmetization to starks so arithmetization is the way to represent your program that youre trying to prove in uh mathematical form as a is a big polynomial or as a set of polynomials and um the the the primitives and the approach were using there for clunk is very similar so eventually i think that all projects will just pick uh the proof systems that that are most efficient most advanced and uh will not like it will be easy to switch between these proof systems because they are all converging so the the only big difference today between starks and snarks like like a really big one is the footprint on ethereum when you verify proof on ethereum starks are roughly 10 times more expensive but they are transparent they do not require any trust whatsoever from from anyone well snarks are much cheaper to verify 500 600 000 guests but they involve this trusted setup ceremony which most people reuse existing trust like this the ceremonies with they we use the one called ignite uh organized by artstech uh two years ago where vitalik buterian participated a lot of famous people participated like something like 200 participants and if at least one of them was honest then its safe but that thats roughly the biggest practical difference today in the future i think we will all move towards transparent proof systems like fully transparent and they will be cheap to verify because either we will get something that uh some improvements in in start generation or star verification or improvements in ethereum itself that will make this transparent proofs much cheaper to verify so eventually everyone will converge its its not a big you issue it uh i think thats a great uh wrap up to this particular subsection on uh starts with this noise thank you for uh summarizing that really well alex with the trade-offs um with that um ellie i want to uh bring you in on one of the points that uh brendan was referring to a little while earlier that is around evm compatibility and i know that starknet is not evm compatible and can you explain what aspects of the virtual machine architecture uh like make it sub-optimal to run validity roll-ups like what what is the um uh the reasoning behind choosing an architecture that is distinct from evm yeah um i mean uh ill just give my analogy um you know when ethereum started um there were a large number of um programming languages out there that are really great you know python c go whatever um so one could ask why in the early days of ethereum that people construct you know a new model the evm and new um programming languages you know yule viper solidity and so on why uh its not because you know vitalik and others were not aware of the existence of amazing uh programming languages right there was something different and theres something different is that um you have a new set of constraints that you suddenly have to deal with um so so it just doesnt work as well with existing uh programming language that were built for something else now enter proof systems they are defined very naturally over weird settings you know finite fields the complexity parameters there what makes something efficient or not efficient uh these parameters are are very different than than what you have uh both in solidity and also in existing programming languages okay so now what happened was for us um you know we started initially by writing basically constraint systems uh the analog of like circuits by hand and this took us to a certain place right we could do some things but then at some point we figured out that its just impossible for us for for humans to sort of uh define more elaborate computations using uh you know just placing polynomials uh on some fmerial board okay so what do you do um the solution we decided to go with was we developed internally a very simple um cpu architecture that has like you know program counter and like two registers thats all and a very simple uh memory model read wants continuous and a bunch of other things that are very simple but at the same time powerful enough to allow you to express a lot of computations and then we started internally to write all kinds of systems in this new framework and it worked extremely well for us uh you know all of the star kick systems are written in this programming language which is called cairo so we figured that its good enough for us internally and you can get much much much more scale if you write in this language so since the thing we want to deliver is the maximal amount of scaling via a validity proof we found ourselves using a programming language that is not as elaborate and as a standard as something like ethereum or python or go or anything else but it was extremely useful in reaching the one thing we wanted which was to create scale and then we said well if its working so well for us why not you know why not uh expose it to the world and thats so we said you know lets start make use that now there is a transpiler from solidity to uh uh cairo and um there will be more and more you know tools that will take you from various programming languages and into cairo um so at some point maybe you can use just plain solidity or c or something like that and press a button and everything will run efficiently but the fact of the matter is that today a lot you know there are dozens of teams that are developing on startnet and they even though they would have preferred to write in python or c they also share our vision and our realization that to reach scale through a validity roll up your best bet is to learn a new program a programming language and write code in it thats basically how we ended where we are so i agree with you a lion like we have been writing cairo for the last seven months or eight months i guess and i i agree with the experience so wanted to hear a little bit from brandon as well since polygon zero is evm compatible like what are the challenges did you face when like or what are the challenges biggest challenges you are trying to solve when you are approaching it from an evm compatibility perspective yeah yeah great question so um so i think before we joined polygon we were mere we had a very similar experience and perspective to the one that eli has where we were really focused on optimizing for proving time efficiency and we sort of viewed that as as the main constraint and i remember before we joined polygon um we were thinking about sort of the approach that hermes uh is taking the the evm equivalent approach um and we just thought you know its impossible that this could ever be efficient that we could ever generate proofs in a reasonable amount of time because the evm uses primitives that are really expensive to to verify in in an arithmetic circuit so uh things like kept check and ecdsa um so we profiled uh ethereum transactions and found out that the average ethereum transaction uses uh catch act like 13 times and we were estimating the proving time to verify a single invocation of tetrac at like one to two minutes optimistically and whats interesting is in the last six months uh our view and our perspective has completely flipped because weve been able to uh make so many uh improvements and advances in our underlying proving systems but actually we we no longer view the main constraint uh as prover efficiency we view it as like the thing that we want to optimize for is the developer and user experience and because were trying to attract ethereum developers um and sort of piggyback on this this really well developed ecosystem around ethereum tooling we actually view evm equivalents uh as the optimal path forward um and so to give an example uh like i said we we thought that ketchup would take uh one to two minutes to to generate a proof for a single indication so if you extrapolate that to proving a transaction we would be it would take us like you know 15 minutes to prove uh that a single ethereum transaction is valid um but with the proving system uh improvements that weve made uh were now proving uh 100 ketchup indications per second on my macbook air and so like weve weve seen this wild improvement uh improving time improver efficiency and that sort of led us to uh to focus on evm equivalence and and delivering um uh a really good experience for for developers and for users of ethereum and so um you know i i think that there are uh still challenges and areas of inefficiency um i think ketchup is one i think uh 256-bit arithmetic in the evm is one ecdsa but but weve actually managed to address all of these and and were really confident that were going to have um a rollup thats low latency low cost and high throughput uh while maintaining evm equivalents so thats thats sort of our perspective and and where were headed got it uh thanks thanks thanks for sharing light on that uh brandon uh with that i want to uh pull in alex alex when we uh visit your website it uh says and bull letters stress math not validators um so can you help us understand like what are these validators and what are the other moving parts um in a validity roll-up or zika roll-up uh i know thats like a validator prover sequencer these are like terms that i keep hearing about what are the most important uh moving parts in in this type of rollup sure so lets start with validators which uh which is easiest its something all the systems have roll-ups or not roll-ups uh those are people who value their transactions so its a network of of nodes that check verify the validity of the transactions you dont need them in easy role you rely on the validators of your base network which is ethereum you just rely on on all the nodes of the theorem so they are your validators now uh and in ethereum you dont really rely on you dont trust them as well because any honest minority can always away so with bitcoin ethereum you dont trust them its its those are trusted systems um the next role which you have in any roll up would be a sequencer it can be centralized it can be decentralized it can be permissionless where anyone can act as a sequencer in certain moment of time uh lets define define sequencer as a block producer with someone who gets the transactions together rolls them up in a block and then submits this block along with some things and proofs and some other things on layer one and then for zero knowledge roll-ups uh and yeah ellie had a point that they should not be called zika roll-ups that should be called validity roll-ups which is technically correct uh but vitalik came up with a nice correction uh which keeps things historical and and and we can just say zk stands for zipped by cryptography and then everything works so with ziggy rollups you need also proverbs people who will or notes or actors who will pro generate the proofs for your block which youre going to submit to layer one because you will need to submit also so you mentioned about the sequencer as well as the um validator but uh i think we also been talking a lot about the prover what what role does the approver have to play well the prover generates the proofs right so we it can be the same entity that also runs the sequencer it can be decentralized marketplace for proofs uh distributed protocol to generate the proofs or crowd source the proofs and thats and so on so you can you can like this is a separate role but it can be taken on by the same entity does this make sense so your just as a sequencer it can be a single server that accepts transactions from the users and then rolls them together in in the block or it can be some consensus protocol that is run by multiple uh nodes that all get transactions from the users in a decentralized manner through a peer-to-peer network and then they decide in a in a way of consensus on what is going to be the next block and then they elect someone who will submit this block on ethereum got it got it yep that that makes a lot of sense thank you hey uh you want to go i know you have a question yeah uh so just wanted to ask uh brendan like so you also use stock proofs uh so in that case like is it different compared to likes what stockwear uses uh and like why why do you choose those kind of differences like can you first go about like are there any differences when you use stock proofs compared to stockwear uh yeah yeah sure uh good question so so we um in the past weve weve really obnoxiously said that were no longer living in a snark versus stark world were living in a plonky two world and thats like a totally obnoxious thing to say but we you know its just tongue-in-cheek um but i i think it gets to this uh um point that uh you know we have fully transparent post-quantum safe snarks that use fry as a polynomial commitment scheme uh which is the same thing used in starks um and so we are able to take advantage of a few things there the the first is that were able to uh use really small fields that are particularly efficient um on modern cpus uh on modern gpus and nfpgas um and the second is that were able to take advantage of this really important trade-off thats present in fry and in starks and so with fry theres this trade-off between proving time and proof size and so on the one hand we can have really really fast proofs that are really big so theyd be way too big to efficiently verify on ethereum uh without consuming way too much gas and on the other hand we can have uh slow proofs uh that are more size optimized so we can actually verify them on ethereum um and so that creates this uh sort of difficult trade-off um for starks which is we need to make our proofs uh fast enough to generate in a reasonable time but also small enough to be verified on ethereum without uh being way too expensive uh to fit in a block um and so one of the things that weve done uh that i think has been a big leap forward for the industry is weve made recursive fry and recursive proofs that verify starks really efficient so we no longer are bound by this tradeoff because we can have like for our expensive proofs for us thats verifying uh ethereum transactions we can have really really fast proofs um and the proof size is big but it actually doesnt matter because were aggregating those proofs recursively um and so theyre never actually being verified on ethereum theyre being verified as part of a recursive proof thats been shrunk and wrapped in a pairing-based proof um and so if you think about like starkware and you know this is nothing against starkware like theyre amazing researchers and and this work is only possible because of uh the work that theyve done but they have to pick between this this trade-off where a batch uh has to be fast enough to be to be generated in a reasonable amount of time while also being small enough uh to be verified in ethereum and we uh are no longer bound by by that trade-off and so thats a big part of the reason why we can generate proofs uh extremely efficiently because we can take advantage of fry in uh in a fast configuration to generate um the expensive proofs and then uh wrap them and uh aggregate so were were not paying uh an exorbitant uh gas cost on there great uh thanks for that explanation so i wanted to touch a little bit on the decentralization decentralized expect on led roll-ups as well maybe li you can share like so as far as i understand uh none of the validity roll-ups are decentralized today so what aspect of validity roll-ups architecture are we referring to and when we talk about decentralization and can you explain like what part of it is actually decentralized or maybe lets call it name it trustless instead of just calling them decent life and what parts are maybe require some form of trust or or maybe not decentralized okay thats a terrific question um so okay the the proof systems and the math behind them mean that um with when you go with a validity roll up even when its not decentralized its uh pretty safe let me explain what i mean um so suppose theres just one entity running the whole system and now im referring to a rollup soon well touch also on validium which has a different trade-off so lets take for instance dydx is such a system its a full roll-up but it is operated only by uh basically the dydx and starcraft so lets you know put them together as a single team so even if uh dydx and starkware are completely malicious and want to do wreck the most havoc that they want so they cannot um steal funds right so in the uadx system theres roughly 1 billion dollars of usdc locked even if we wanted very much to take those one billion dollars and move them um somewhere um this is this is not possible because theres a verifier on chain that is needed you know theres a smart contract that every change to the state of the system must be accompanied by a stark proof and we dont know how to it is mathematically intractable to generate the proof of something that that didnt transpire okay now what we could do if we would were to turn malicious would be to shut down the service meaning you know we would stop to service everything in a roll-up system its its a big inconvenience but you could um start retrieving funds from the l1 system um directly okay so it would of course be uh very very inconvenient for a while to the users of lets say the dydx system um but they would get their funds eventually by just talking to the um l1 smart contract through something called an escape hatch so just to summarize this even before decentralization if youre working in a rollup mode with a single operator if you have an escape hatch mechanism then the worst thing that could happen is that for a period of time your funds would be locked and it would take you some time and some process to take them out but funds cannot be stolen now um in a validium system before decentralization again what happens is that the full state of the system is not uh you know does not appear on layer one ethereum so now theres more danger and what is this danger so theres a uh committee a data availability committee that need to sign that they have the data before the system could be advanced so what could happen is that if all of these entities turn malicious so all of the data availability committee members along with the operator lets say starkware in the case of immutable or surveyor so on were to turn evil again funds cannot be stolen but now the data availability committee along with the operator could ransom the system and say look its stuck in us in a state that we are not telling you about and you know pay up or do something so before we release it which of course would be very unfortunate so thats why you want decentralization um both for the l1 and for the l2 so what would decentralization mean lets say in starting it would mean that there are two well two and maybe three new entities one is a sequencer which is the analog of the miner or block producer right this is a an entity and now its decentralized so theres some way to pick for each block a sequencer and the sequencer will basically put a sequence of valid transactions theres also a role for a decentralized prover which is the entity that will take either one block or several blocks and produce a proof that is submitted to layer one of the validity of all transactions here and then a third entity that is not needed in a rollup case but in a validium or a zk porter or volition or things like that you would want it is um you know a decentralized data availability committee so if you want to move from roll-up to volidium and have things decentralized and safe theres room for this third class of entities so decentralization just to sum up would give you decentralized sequencers decentralized provers and maybe decentralized data availability nodes and all of these are to prevent basically freezing the system and leaving it stuck in a state that no one can can advance but theft of funds direct festive funds is prevented by the stark proofs wow that is quite an elaborate answer thank you so much alright on that uh alex do you want to uh add anything or to whatever i just uh mentioned as well uh and just just for the audience after this well take one question from the audience i dont think well have uh time for more than that alex yeah i would love to add to this uh yeah ellie has explained that validity proofs itself prevent um you dont have to trust your sequencer your rollup of validators operators whatever you call them um but for for the integrity for honesty uh however there is one aspect where you still have to trust them and that is for like two aspects one is liveness and one is um censorship resistance inside layer two so yes you can rely on escape hatch on layer one to enforce transactions on layer 2 and to bring your funds out through a sequence of complex calls and we can design uh different it the the devil is in in in details there like do we need to think about it as a contract developer or is it by default like all contracts enjoy the same properties do you as a user have to produce your knowledge proofs to use the escape hatch like how expensive is that if you have to spend one thousand dollars but you only have 50 dollars in the roll up then youre not protected really right so like there are a lot of questions which we cannot cover now but they are very important uh but regardless of the escape h discussion we also want to guarantee that you will have censorship resistance inside layer 2. this is very important because otherwise you can have a system that is controlled by very powerful actors and that will only allow certain types of transactions maybe most transactions most types most classes of transactions just not yours because they dont like you personally or because you belong to a certain minority or because you have you know like certain um powerful players just want to to exercise their power and and uh silence you because youre a political dissident or what you know you can come up with a lot of different cases so for this its crucial if we want to remain in the trustless spirit of blockchains like ethereum like bitcoin like this true maximalism in the best sense of this work we have to preserve this interpretation also at the sequencer level and that includes decentralized technology to decentralize like some consensus mechanism or maybe different approaches or something what i really like how arbitrarily solving this this problem where they allow anyone to be a sequencer anyone can produce a block uh and but also like even if you have a consensus you need to to make sure that the the system is broadly decentralized and you need to come up with ways to decentralize it uh so that it doesnt end up being controlled again by by a small group of people with a lot of capital who will then dictate the rules so ill just leave it for you to think about uh thanks alex i i think i have one last question which is about is there any possibility of uh since like all of you are working on different kind of proofs is there a possibility of lets say snap proofs getting accepted on stock uh maybe ella you can answer that or maybe like thats not even a relevant question uh can can you like give a light on that yes um its a its a terrific question and not only is this possible its actually uh already being done so people um so so people have written code for verifying wait im not sure if um no no im taking that back im not sure if people have published a cairo code for verifying a pairing so maybe thats not quite but people have posted code for verifying a whole bunch of other cryptography like uh i think snore signatures over different curves and things like that and its very much doable i think actually it will be it will actually be done um yep but but im not sure its already i dont think someone wrote it already but its not that hard to write it and it will be done so people will be verifying snarks and stocks that awesome thank you so much uh i think we are now running out of time this was like super super enlightening uh maybe with uh that i would like to thank all the panelists for joining here and giving so many insights i might have to re-listen to this multiple times to digest all of it but maybe before we sign off if you have any advice for our developers in this audience especially in the bear market maybe we could use that as a final remark ill start ill say you know look at the look beyond the markets and build something that you believe will exist once you go back you know once the bear market ends so you know and do your own research explore all of these uh roll ups you know optimistic uh validity rollups and make your choice wisely because the most important resource that we have is the time we spend on various things alex you can go next sure i just want to add that uh the systems that we represent here in this panel have been built in bear markets so dont get discouraged by the uh cycle movements of the you know financial markets just build stuff focus on the only fundamentals be uh um frugal with your resources with with their costs and just get a team of people who really believe in what youre building think whats going to be the next problem after the current problems are solved and and its the best time to build because you dont have a lot of noise you dont have this formal of uh oh i should have launched uh some scam project you know you you just you can only work on something that makes sense and you will have a lot of people who are doing the same which will encourage you and you will build good networks which are also very very important if you want to promote uh to make what youre building successful awesome thank you uh brendan last comment before we drop off uh sure yeah just to echo what um what alex and i said i i think the bear markets are uh are great for for building and my advice would be to focus on the newly possible so things that uh were not practical or possible to build on ethereum so whether thats uh taking advantage of higher throughput on rollups or building things and building zk applications that are that are now possible with with more efficient primitives im really excited to see uh what comes out of our next few years thanks awesome awesome it has been pretty amazing to have all of you here and like if if any of you are curious to build on anything like reach out to any of us me ma madhwan eli alex or brandon and like im sure all of us would like to help each other and build together thank you husband thank you rohit thank you folks thank you so much this was amazing see you then bye thank you guys you Differences between Validity/ZK Rollups and Optimistic RollupsWhy ZK Rollup is not a technically correct name, why Validity Rollups is a better representation How it works under the hood What are the challenges and advantages of evm compatibility What are the moving parts in a Validity/ZK Rollup What is decentralized right now, what is not