Account based zk-Rollup with unlinkable transactions

Tsvetan Dimitrov

Agenda

Requirements
Protocol Overview
Data Structures
Protocol Operations
On-Chain Flow
Off-Chain Components
Performance Optimizations

Requirements / 1

Perform anonymous transactions on Ethereum.
Payments based around accounts and money orders.
Three types of actors:
- Users
- Operators
- Observers

Requirements / 2

Users keep their account data private.
Operators are only aware of account hashes.
Observers collect information about rollup state and transactions (users, operators or outsiders).
Senders create a money order, and register to an Operator.
Receivers redeem a money order and send an update to an Operator.
Sender and Receiver are hidden from any Observer.

Protocol Overview

Data Structures

State Transition Function (STF)

Transaction: tx

Old State Root: R

New State Root: R'

STF (R, tx, accounts, merkle_proofs) -> R'

Zero Knowledge Proof of STF

STF (R, tx, accounts, merkle_proofs) -> R'

witness

Arithmetization

Proving

SNARK Proof

Arithmetic Circuit

DAG where the inputs are your initial nodes.
Nodes go through a network of gates (add, mul).
Eventually an output gets accumulated.

Arithmetization and Proving

R1CS Conversion: A * B = C (dot product).
QAP Conversion (set of quadratic equations that should yield a target polynomial).
The result is a problem that involves checking polynomials at a particular point.
The prover convinces the verifier that they know an assignment of variables that makes all the polynomial equations hold.

Recursive Aggregation / 1

Recursive Aggregation / 2

Create a ZKP for each transaction, resulting in N separate proofs.
Then create another ZKP that attests to the validity of N previous proofs. This is an aggregate proof.
Continue this process, creating a new ZKP each time that attests to the validity of the previous aggregate proof and the next transaction proof.
In the end, you are left with a single proof that can be verified to confirm the validity of all the original transactions.

Protocol Operations

Money Transfer (Sender-> Receiver)

Receiver Money Order Redemption

On-Chain Flow

Operations

Rollup State Management
Depositing Funds
Withdrawing Funds
Proof Verification
State Root Update

Rollup State Management

pragma solidity ^0.8.0;

contract ZkRollup {
    bytes32 public stateRoot;

    constructor(bytes32 _initialStateRoot) {
        stateRoot = _initialStateRoot;
    }
}

Depositing Funds

event Deposit(address indexed depositor, uint256 amount, uint256 index);

function deposit(uint256 amount) external {
    require(msg.sender.transfer(amount), "Transfer failed");

    uint256 depositIndex = ...; // Calculate deposit index
    emit Deposit(msg.sender, amount, depositIndex);
}

Withdrawing Funds

event Withdrawal(address indexed recipient, uint256 amount);

function withdraw(
	address recipient, 
	uint256 amount, 
	bytes calldata proof) external {
    require(
    	verifyWithdrawalProof(recipient, amount, proof), "Invalid proof");

    (bool success, ) = recipient.call{value: amount}("");
    require(success, "Transfer failed");

    emit Withdrawal(recipient, amount);
}

function verifyWithdrawalProof(
	address recipient, 
	uint256 amount, 
	bytes calldata proof) internal view returns (bool) {
    // Implement the actual proof verification 
    // logic based on the chosen zk-proof system
}

Proof Verification and State Root Update

event StateRootUpdated(bytes32 newStateRoot);

function updateStateRoot(
	bytes32 newStateRoot, 
	bytes calldata proof) external {
    require(verifyProof(newStateRoot, proof), "Invalid proof");

    stateRoot = newStateRoot;
    emit StateRootUpdated(newStateRoot);
}

function verifyProof(
	bytes32 newStateRoot, 
	bytes calldata proof) internal view returns (bool) {
    // Implement the actual proof verification 
    // logic based on the chosen zk-proof system
}

Off-Chain Components

Transaction Aggregator

A server or a set of servers responsible for collecting individual transactions from users.
Queues transactions for inclusion in the next proof.

zk-SNARK Circuit Compiler

Translates your protocol rules into a zk-SNARK circuit.
One-time process, but very critical for the operation of the rollup.

zk-SNARK Prover

Takes a batch of transactions and the current state as input.
Generates a zk-SNARK Proof attesting to the validity of these transactions.
A computationally intensive process.

Data Availability Layer

The transaction data (sender, receiver, amounts, etc.) can be stored off-chain in a separate layer.
This can be a distributed file system, a peer-to-peer network or any other reliable system.

Client Software

Users interact with the zk-Rollup through web/mobile apps or command line tools.
This software creates transactions, sends them to the transaction aggregator, verify proofs and checks the state of the system.

Monitoring and Alerting Systems

Ensure smooth operation of off-chain components.
Alert developers or operators to any issues or anomalies in real-time.

Load Balancers and Networking Infrastructure

Handle the communication between clients, the transaction aggregator, the prover and the blockchain.
Ensure network traffic is efficiently routed and no single point of failure exists.

Notes on Decentralization

Components can be run by different entities to enhance security and trustlessness.
They could run their own transaction aggregators or provers.
Users can opt to verify proofs themselves if they don't trust the operators.

Performance Optimizations

Tune transaction batch size.
Parallel Proof Generation.
Optimize Circuit Design.
Fast Data Availability.
Efficient Signature Verification inside a zk-SNARK.
Choose Efficient zk-SNARK Constructions.
Caching and DB Optimization for Account Data.

Summary

Defined an Account based anonymous zk-Rollup protocol.
Defined Account and Rollup State data structures.
Defined protocol operations, on-chain and off-chain flow and components.
Suggested some performance optimizations.

Account based zk-Rollup with unlinkable transactions

Tsvetan Dimitrov

Agenda

Requirements

Protocol Overview

Data Structures

Protocol Operations

On-Chain Flow

Off-Chain Components

Performance Optimizations

Requirements / 1

Perform anonymous transactions on Ethereum.

Payments based around accounts and money orders.

Three types of actors:

Users

Operators

Observers

Requirements / 2

Users keep their account data private.

Operators are only aware of account hashes.

Observers collect information about rollup state and transactions (users, operators or outsiders).

Senders create a money order, and register to an Operator.

Receivers redeem a money order and send an update to an Operator.

Sender and Receiver are hidden from any Observer.

Protocol Overview

Data Structures

State Transition Function (STF)

STF (R, tx, accounts, merkle_proofs) -> R'

Zero Knowledge Proof of STF

STF (R, tx, accounts, merkle_proofs) -> R'

witness

Arithmetic Circuit

DAG where the inputs are your initial nodes.

Nodes go through a network of gates (add, mul).

Eventually an output gets accumulated.

Arithmetization and Proving

Recursive Aggregation / 1

Recursive Aggregation / 2

Create a ZKP for each transaction, resulting in N separate proofs.

Then create another ZKP that attests to the validity of N previous proofs. This is an aggregate proof.

Continue this process, creating a new ZKP each time that attests to the validity of the previous aggregate proof and the next transaction proof.

In the end, you are left with a single proof that can be verified to confirm the validity of all the original transactions.

Protocol Operations

Money Transfer (Sender-> Receiver)

Receiver Money Order Redemption

On-Chain Flow

Operations

Rollup State Management

Depositing Funds

Withdrawing Funds

Proof Verification

State Root Update

Rollup State Management

Depositing Funds

Withdrawing Funds

Proof Verification and State Root Update

Off-Chain Components

Transaction Aggregator

A server or a set of servers responsible for collecting individual transactions from users.

Queues transactions for inclusion in the next proof.

zk-SNARK Circuit Compiler

Translates your protocol rules into a zk-SNARK circuit.

One-time process, but very critical for the operation of the rollup.

zk-SNARK Prover

Takes a batch of transactions and the current state as input.

Generates a zk-SNARK Proof attesting to the validity of these transactions.

A computationally intensive process.

Data Availability Layer

The transaction data (sender, receiver, amounts, etc.) can be stored off-chain in a separate layer.

This can be a distributed file system, a peer-to-peer network or any other reliable system.

Client Software

Users interact with the zk-Rollup through web/mobile apps or command line tools.

This software creates transactions, sends them to the transaction aggregator, verify proofs and checks the state of the system.

Monitoring and Alerting Systems

Ensure smooth operation of off-chain components.

Alert developers or operators to any issues or anomalies in real-time.

Load Balancers and Networking Infrastructure

Handle the communication between clients, the transaction aggregator, the prover and the blockchain.

Ensure network traffic is efficiently routed and no single point of failure exists.

Notes on Decentralization