At 2:30 pm on September 8, Loopring CTO Steve Guo was invited to participate in the “2nd BLOCKCHAIN2140 Shenzhen Blockchain Week” online live event hosted by Shenzhen Nanshan Blockchain Technology Application Association.
At the meeting, Steve gave a keynote speech on “What is the real future of the Layer-2 networks”. He spoke about the evolution of Layer-2 technology in a simple way, with an in-depth analysis of the advantages and disadvantages of each Layer-2 project. He finished the speech by laying out the future development direction of Layer-2 networks.
The transcript of Steve’s speech:
Good afternoon everyone. I am Steve Guo, CTO of Loopring Protocol. The topic I want to share with you today is NFTs and DeFi. I don’t know if anyone tried to make a transaction on (Ethereum) Layer-1 last night. I tried to SWAP and it cost hundreds of dollars. The most annoying thing was that it failed! Obviously, the high cost of this kind of transaction is difficult to accept for large-scale applications and promotions. This is also the topic I want to share today: what is the real future of the Layer-2 networks.
Now we enter the topic. First, look at this picture, this picture summarizes what is referred to as a Layer-2 network. In my definition, a Layer-2 network is a Layer-2 network whose asset security depends on a Layer-1 network. So I excluded some sidechains, such as xDai and BSC.
In addition, Layer-2 technology can be classified into three types of technology at present, the earliest being State Channel technology, which then evolved to Plasma, and then to the latest, and relatively hot, Rollup technology. Rollup is divided into two schemes, Optimistic Rollup and zkRollup. There are many projects in each of these two tracks. The Loopring protocol was the first protocol to launch zkRollups.
Next, let’s look at the first Layer-2 technology, which is the State Channel. The core idea of the State Channel is actually derived from Bitcoin’s Lightning Network. For example, if Alice and Bob have to transfer money, the cost will be very high if they are both on-chain. So, it can be agreed that Alice and Bob will each deposit their funds into a smart contract first. After the two are stored, Alice and Bob can transfer money, without consuming any gas, indefinitely off-chain, and then use the smart contract for settlement when everyone exits. This picture demonstrates that at the beginning, everyone had 5 yuan each, and then after the off-chain transfer, the final settlement was 3 yuan and 7 yuan.
The core idea of such a process is called a State Channel. This method of off-chain transfer can indeed be very fast, and it is also very cheap.
But it has some problems. First of all, it needs funds deposited at both ends, and its share of funds is very high. Also, it is point-to-point. For example, if A wants to transfer money with B and then C, several state channels need to be established. Such interaction is not advisable.
Afterward, the direction of technological evolution such as Raiden Network and Celer has been expanded, and can now be point-to-center. Anyone who wants to trade needs to deal with the center, using the State Channel to connect.
But this still has the same problem, because the center itself has to deposit a large number of funds to ensure the capital turnover utilization rate, and so this solution can only be used for the application of transfers/payments. Because of these limitations of State Channels, it naturally evolved into a technology called Plasma. Plasma technology is trying to solve the capital utilization problem of State Channels.
Plasma provides a structure model such as UTXO (Unspent Transaction Output) under the chain. Everyone’s transfer records are similar to Bitcoin UTXO transactions. After the transaction is confirmed on the Plasma chain, Plasma will submit all of the Merkle states to, for example, a smart contract on Ethereum.
The smart contract records all off-chain states, and finally, Plasma relies on the challenge mechanism to ensure that all off-chain transactions are executed correctly so that, for example, transfers cannot be double-spent.
Plasma goes a step further than the State Channel, that is, it solves the problem of capital utilization, but the new problem it brings is a challenging exit period. Plasma needs an exit period of at least one week to ensure the final confirmation of the transaction. At the same time, Plasma requires everyone to monitor all UTXO transactions on the Plasma chain. Users must monitor these transactions themselves before they can challenge the transaction problems based on these historical transactions. This is also unacceptable for ordinary users.
Therefore, Plasma also needed to evolve naturally, which then evolved into the next relatively hot Optimistic Rollup technology. Optimistic Rollups actually solve the problems I mentioned in Plasma. That is to say, the data on the Plasma chain is ultimately only the Merkle root, so it will be more difficult to challenge.
To solve this, Optimistic Rollups submit all off-chain raw transaction data, including the root of the world state, to the chain, which then allows anyone to make a challenge based on all the original information recorded on the chain.
As shown in the figure, Optimistic Rollups allows users to submit the world state and submit the original transaction data on the chain, and then anyone can challenge whether the transfer is valid based on this data. This idea is called Optimistic Rollups.
This idea has actually been implemented in two live mainnet projects.
The first project is called Optimism. The development team of this project is actually inherited by Plasma. I have just explained its core idea. So what is its breakthrough point? Of course, it expands the application scenarios of Plasma. The previous State Channel and Plasma are all just for the application of transfers/payments. How to expand transfers/ payments?
For example, using Turing’s complete programming to be compatible with EVM instructions off-chain, so that everyone can directly execute Solidity programs off-chain.
Optimism’s idea is to deploy a smart contract on the chain, and then use the smart contract to accept the execution of off-chain EVM-compatible instructions, also called OVM. Optimism tries to do one thing, that is, to ensure that the byte code of OVM is mapped to the byte code of EVM one by one, but in fact, it may be difficult to do this kind of mapping with only about 20 byte codes. So a big problem with Optimism at present is that it cannot achieve 100% EVM compatibility. It is precise because Optimistic has this problem that Arbitrum has proposed an improvement plan. Arbitrum has been launched on the mainnet as of the end of August. You can try it out first.
An ingenious improvement of Arbitrum on the basis of Optimism is that instead of executing EVM bite code on the chain, it defines its own AVM byte code. The byte code of AVM is a very streamlined subset. In this way, when users challenge on the first level, the gas will be lower and the consumption will be lower.
The current effect is that Arbitrum’s transfer fee is about 1/2 of Optimism’s transfer. Arbitrum has also improved the challenge mechanism to allow users to challenge by fragments.
What is a fragmentation challenge? For example, there are 1000 transactions in a block, but only one of them is wrong. Then you can use the idea similar to the dichotomy, let the user prove whether the first 512 is correct, if it is correct, then challenge the next, for example, 256, and continue to use the dichotomy to challenge, this is Arbitrum.
So is this the future of Layer-2 networks? I don’t think it is.
Ethereum’s (founder) Vitalik said at the beginning of the year that the Optimistic Rollup solution is most likely to be compatible with EVM in the short term, but he is more optimistic about zkRollups in the medium and long term.
In fact, the essential difference between zkRollups and Optimistic Rollups is that it does not rely on any challenge mechanism, but instantly guarantees the final certainty of liquidation on the chain. zkRollups rely on a set of mathematical systems called zk (zero-knowledge) proofs. This picture roughly explains what a zk proof is.
zk proofs essentially do one thing, that is, they prove to the other person that you know the answer without telling the other person the answer.
For example, there is a function f for problem y. I can calculate y according to my private secret x and get y through this function. Finally, what I open to you are the function f and problem y. But my x can’t tell you, I want to let everyone know that I know an x to calculate Y, which is called a zk proof.
This may be quite abstract. Let me give a practical example, such as looking for Waldo in this picture.
What I want to prove to everyone is that I know where Waldo is on this map, and how can I do such a thing? Because I can’t tell you the location directly, I can do it like this: for example, find a large enough black cloth to cover the picture, then cut out the little figure on the black cloth, and then show the little figure out. Now you will understand that I must know Waldo’s position on this map, but I didn’t reveal this position to you. This is how zk proofs work.
I proved one thing, but I didn’t tell you the secret. Such a set of technologies that sound a bit like dark magic, and its core technical ideas are collectively known as zkRollups. This picture roughly describes the core idea.
In fact, the core idea of zkRollups is to classify all world states as a big Merkle tree, and then all off-chain transactions are essentially just changing the world state of an account.
Finally, a relay system is used to collect all off-chain transactions, and then the hash of the root of the world state after these transactions are processed is also recorded on the chain, and the tx information of the metadata of these transactions is also recorded. At the same time, a certificate called a zero-knowledge proof was also submitted. As long as this proof has been verified on the chain, it means that the calculation under the chain has faithfully processed all of the tx information. This is the biggest difference between zkRollups and Optimistic Rollups.
Optimistic Rollups only submit metadata and a root hash to the chain, while zkRollups also submit a zk proof certificate, so that it can ensure the final settlement without relying on any challenge mechanism.
Our Loopring protocol was launched at the end of 2019, and it is the world’s first zkRollup on mainnet. We have gone through several versions so far: the first version only supported DEX transactions in order books, then in the second version it supported transfer payments, and then in the third version it supported AMM Swaps. We just officially released the latest version that now supports Layer-2 NFTs at the beginning of September this year. This version supports NFTs for minting, transfers, and trading on Layer-2, which can reduce the overall gas cost.
At the same time, there are several projects on the zkRollup track, such as zkSync by Matter Labs that everyone is more familiar with.
The biggest difference between Loopring and zkSync is that the zero-knowledge proof algorithm used is different. Loopring uses a set of algorithms called Groth16, and zkSync uses an algorithm called Plonk. The essential difference between the two algorithms lies in whether there is an earliest initial trusted setup. Loopring is needed. Changing the behavior of any circuit requires a trusted setup, where with zkSync this is not required.
Matter Labs has actually gone through two versions, called 1.0 and 2.0. 2.0 is called zkPorter and 1.0 is called zkSync. The main difference between them is that in order to further reduce gas consumption on 2.0, Merkel tree and metadata transaction data are not on the chain, but use an off-chain Proof similar to Community POA to save data.
But everyone, please remember that once the metadata is not on the chain, the security of user assets cannot be truly guaranteed by Layer 1.
Such a system, in my opinion, essentially allows users to make their own choices. If you want to be safe, go with 1.0, and if you want to be cheaper (but less secure), go with its zkPorter. At the same time, we also know that Matter Labs is also working on a zkRollup system that is EVM compatible. It defines a programming language called Zinc. In short, the Layer-2 project aims to eventually become a zkEvm.
Another well-known zkRollup project is StarkEx launched by StarkWare.
In the early days, people criticized it because it claimed to be a zkRollup when it first went online, but in fact it didn’t put the metadata of the application on the chain. In fact, such a system cannot be called a zkRollup, so Vitalik named it Validium at the time. Later, it has been extended to support a mode of submitting metadata to the chain. We can now also call it a true zkRollup.
StarkEx defined its own programming language in the early days, and wanted to make a zkRollup system with programmability from the start. The language defined by StarkEx is called Cairo, and its core idea is to allow users to write smart contracts in the Cairo language. Then it will help you convert it into, for example, EVM byte code, and then perform verification and calculation on StarkEx’s entire zkRollup system.
I have talked so much, and you can see now that there is no perfect Layer-2 solution. All have limitations, or they don’t have data availability. In my opinion, the final fully usable Layer-2 network should be zkEVM. What is zkEVM?
As the name implies, as long as the developer writes a smart contract with EVM, the byte code of this smart contract can be directly executed in a zkRollup type environment. It is not executed in the virtual machine of EVM as it is now, but executed in a virtual machine called zkEVM. zkEVM can guarantee that after the byte code is executed, zkEVM can prove to the Layer-1 network that the smart contract executed by zkEVM off-chain is indeed executed.
For zkEVM, the current design ideas actually fall into two categories.
Like I mentioned earlier, Matter Labs’ Zinc and StarkWare’s Cairo languages, including another project called Hermez, also recently proposed zkEVM. Their core idea is to define a set of languages by themselves, and then translate this language into the language of EVM. That is, they will define an EVM language by themselves, and then translate the EVM byte code into their EVM code, and then essentially execute their own byte code in zkEVM. Unfortunately, this solution is likely to fail to achieve 100% compatibility.
Another new solution is a project being done by the Ethereum Foundation. In fact, Loopring is also participating in this project, which is just called “zkEVM”.
Its idea is to directly compile the Solidity code into the byte code of the EVM without any translation, and directly execute the byte code in the virtual environment of zkEVM. Its virtual environment does the two biggest things. The first is to prove that the execution of byte code is correct, called EVM proof; the second is to prove that the modification of the world state is correct.
I think this solution may be the final Layer-2 network.
Developers only need to write a set of EVM code to run on layer-1, which can then also run seamlessly on Layer-2. And this scheme is a zkRollup, which can guarantee the immediacy of the final settlement. Of course, I think this solution is not so easy to bring online. It is estimated that in a year or so, everyone should be able to see a prototype or even a first commercial version.
Thank you all, this is the end of my speech.
Finally, the community also asked:
Dr. Steve, what do you think of Solana and Cardono?
What I said earlier is a Layer-2 network. Layer-2 network security must be guaranteed from Layer-1, so projects like Solana and Cardono can only be defined as side chains in my opinion. Similar to Ethereum’s own sidechains such as xDAI and Polygon, these are all sidechains of Ethereum.
What is the biggest problem with the side chain?
The security of your assets can only be guaranteed by the side chain itself. To put it bluntly, once your currency crosses the side chain, the security of your currency can only depend on how this chain handles it. But the existence of these chains is also meaningful.
What is the significance?
In my opinion, a future evolution direction may be similar to the concept of the App chain. A chain is a dedicated chain, and this chain is used to handle some special scenarios. Similar to Solana, it actually focused on solving order book transactions when it was first launched.
I think there is still an opportunity for this kind of App chain designed for specific applications in the future. I think the future pattern may be a large Layer-1 network, and then the Layer-2 network below, and there are also sidechains. There are three networks in total, which is a coexistence relationship.
Loopring is an Ethereum zkRollup protocol for scalable, secure exchanges & payments. Loopring builds non-custodial, high-performance products atop our layer-2, including the Loopring Wallet — a mobile Ethereum smart wallet, and the Loopring Exchange — an L2 orderbook and AMM DEX. To learn more, you can sign up for our Quarterly Update or see Loopring.org.