
In-depth Analysis of zkEVM: Working Principle, Construction Difficulty, Importance, and Development Progress

Summary: Different zkEVM projects adopt different approaches to combine EVM execution with zero-knowledge proof computation, each with its own unique trade-offs.
Alchemy
2022-12-05 16:05:23

Original Title: "zkEVM Q&A -- Alchemy"

Original Source: Alchemy

The Zero-Knowledge Ethereum Virtual Machine (zkEVM) is a virtual machine that generates zero-knowledge proofs to verify the correctness of programs. The zkEVM is designed to execute smart contracts in a way that supports zero-knowledge technology.

The zkEVM is part of zero-knowledge (ZK) rollups, which are Ethereum Layer 2 scaling solutions that improve throughput by moving computation and state storage off-chain. ZK-rollups submit transaction data to Ethereum along with zero-knowledge proofs that validate the correctness of off-chain transaction batches.

Early ZK-rollups lacked the capability to execute smart contracts and were limited to simple token exchanges and payments. However, with the introduction of EVM-compatible zero-knowledge virtual machines, ZK-rollups began to support Ethereum dApps.

In this article, we will explore how zkEVM works, its importance, and the types of zkEVM that exist.

What is zkEVM?

zkEVM is a virtual machine compatible with EVM that supports zero-knowledge proof computation. Unlike conventional virtual machines, zkEVM proves the correctness of program execution, including the validity of inputs and outputs used in operations.

We will further break down this definition to make it easier to understand:

EVM Compatibility

The EVM (Ethereum Virtual Machine) is the runtime environment for executing smart contracts deployed on the Ethereum network. The EVM acts as a "world computer," powering decentralized applications (dApps) running on the Ethereum blockchain.

If a virtual machine can run programs created to operate in the EVM environment, it is "EVM-compatible." Such a virtual machine can execute smart contracts written in Solidity or other high-level languages used in Ethereum development. The zkEVM is EVM-compatible because it can execute Ethereum smart contracts without requiring significant modifications to the underlying logic.

Support for Zero-Knowledge Technology

The EVM was never designed to support zero-knowledge proofs, making it challenging to build an EVM-compatible, zero-knowledge-friendly virtual machine. However, advancements in research have made it possible to some extent to wrap EVM computations in zero-knowledge proofs.

Different zkEVM projects adopt various approaches to combine EVM execution with zero-knowledge proof computation. Each approach has unique trade-offs, which we will explore later in this guide.

How does zkEVM work?

Like the EVM, zkEVM is a virtual machine that transitions between states through program operations. However, zkEVM goes a step further by generating proofs to demonstrate the correctness of each part of the computation. Essentially, zkEVM uses a mechanism to prove that each execution step follows the rules.

To understand how zkEVM works (and why it is different), let’s review how the EVM currently operates.

How EVM Works

The Ethereum Virtual Machine is a state machine that moves from an old state to a new state in response to some input. Each execution of a smart contract triggers a change in the EVM state (known as a "state transition"). Here is a high-level overview of what happens during a smart contract transaction:

  1. The contract bytecode (compiled from source code) is loaded from the EVM's storage and executed by peer-to-peer nodes on the EVM. The nodes use the same transaction inputs, ensuring that each node reaches the same result (otherwise, they cannot reach consensus).

  2. The EVM opcodes (contained in the bytecode) interact with different parts of the EVM state (memory, storage, and stack). The opcodes perform read and write operations—reading (fetching) values from state storage and writing (sending) new values to the EVM's storage.

  3. The EVM opcodes perform calculations on the values obtained from state storage before returning new values. This update causes the EVM to transition to a new state (hence, the transaction is called a "state transition"). This new state is replicated by other nodes and maintained until another transaction is executed.

[Figure: Illustration of how programs execute in the Ethereum Virtual Machine (EVM).]

How zkEVM Works

zkEVM generates zero-knowledge proofs to verify various elements in each computation:

1. Bytecode Access: Was the appropriate program code correctly loaded from the right address?

2. Read and Write Operations: Did the program fetch the correct values from the stack/memory/storage before computation? After execution, did the program write the correct output values back to the stack/memory/storage?

3. Computation: Were the opcodes executed correctly (i.e., one after another, without skipping steps)?

Architecture of zkEVM

zkEVM consists of three parts: the execution environment, the proof circuit, and the verifier contract. Each component contributes to the program execution, proof generation, and proof verification of zkEVM.

1. Execution Environment

As the name suggests, the execution environment is where programs (smart contracts) run in zkEVM. The execution environment of zkEVM functions similarly to that of the EVM: it takes the initial state and the current transaction to output a new (final) state.

2. Proof Circuit

The proof circuit generates zero-knowledge proofs to verify the validity of transactions computed in the execution environment. It uses the pre-state, transaction inputs, and post-state information as inputs to complete the proof generation process. Subsequently, the prover obtains a succinct proof of the validity of that specific state transition.

[Figure: Illustration of how zkEVM generates validity proofs for programs.]

3. Verifier Contract

ZK-rollups submit validity proofs to a smart contract deployed on the L1 chain (Ethereum) for verification. Inputs (pre-state and transaction information) and outputs (final state) are also submitted to the verifier contract. The verifier then runs computations on the provided proof and confirms that the submitted output was correctly computed based on the input.

What are zkEVM Opcodes?

zkEVM opcodes are low-level machine instructions used to execute programs in EVM-compatible ZK-rollups. Like the EVM, contracts written in high-level languages must be compiled into a low-level language (bytecode) that the VM can interpret. This bytecode specifies the opcodes used to execute the program when deployed in the VM.

We need zkEVM opcodes because conventional EVM opcodes are inefficient when used in zero-knowledge proof circuits. There are generally two approaches to creating opcodes for zkEVM:

Building ZK circuits for native EVM opcodes

Creating a new language for ZK proof computation

Building Zero-Knowledge Circuits for Native EVM Opcodes

This approach requires implementing the entire EVM instruction set in arithmetic circuits—an intricate and time-consuming task. The benefit is that developers can create smart contracts using existing blockchain development tools or port existing Ethereum contracts to ZK-rollups without significant modifications.

Creating a New Language for ZK Proof Computation

This approach requires building a new language—designed to support validity proofs—and developing custom opcodes. Developers need to write contracts directly in the new language or compile Solidity source code into custom zkEVM opcodes.

While this approach is generally easier to implement than the first, it also has drawbacks. For example, developers may not have access to existing Ethereum infrastructure and resources.

[Figure: Zero-knowledge virtual machines categorized by EVM compatibility.]

What Makes Building zkEVM Difficult?

Since the EVM was not designed with zk-proof computation in mind, it has characteristics that are not friendly to proof circuits. Below is a brief overview of four factors that make building zkEVM challenging:

Special opcodes

Stack-based architecture

Storage overhead

Proof costs

1. Special Opcodes

Unlike conventional VMs, the EVM uses special opcodes to execute programs (CALL, DELEGATECALL) and handle errors (REVERT, INVALID) among other operations. This increases the complexity of designing verification circuits for EVM operations.

2. Stack-Based Architecture

The EVM uses a stack-based architecture, which, while simpler than a register-based structure, increases the difficulty of computing proofs. This is why well-known zero-knowledge VMs, such as zkEVM from zkSync and StarkNet from StarkWare, use a register-based model.

3. Storage Overhead

The storage layout of the EVM relies on the Keccak hash function and Merkle Patricia Trie, both of which have high proof overhead. Some zkVMs, like zkSync, attempt to circumvent this issue by replacing the KECCAK256 function, but this may compromise compatibility with existing Ethereum tools and infrastructure.

4. Proof Costs

Even if the above issues are resolved, there remains the challenge of the proof generation process. Generating zero-knowledge proofs requires specialized hardware and a significant investment of time, money, and effort.

While not exhaustive, this list highlights some of the challenges that hinder the construction of an EVM-compatible zkEVM. Nevertheless, several breakthroughs in zero-knowledge technology have made it possible to mitigate these issues—leading to renewed interest in zkEVM solutions.

Why is zkEVM Important?

Building a fully functional zkEVM will encourage the development of EVM-compatible ZK-rollup projects. This has several advantages:

Secure scalability

Lower costs

Faster finality and capital efficiency

Network effects

1. Secure Scalability

According to protocol rules, all validating nodes must re-execute all computations performed in the Ethereum Virtual Machine. This approach ensures security, as Ethereum nodes can independently verify the correctness of programs, but it limits the throughput of the Ethereum network to only about 15-20 transactions per second.

EVM-compatible ZK-rollups can address Ethereum's throughput issues without compromising network security. Like other scaling protocols, ZK-rollups are not burdened by the rules of Ethereum's consensus protocol and can optimize execution speed. Some estimates suggest that ZK-rollups can handle around 2000 transactions per second without incurring high fees on Ethereum.

However, ZK-rollups offer higher security assurances compared to other scaling projects; they use validity proofs to verify the correctness of off-chain computations. This means that transactions executed on L2 can be reliably verified on L1 (Ethereum) without requiring nodes to re-execute operations. This can significantly increase Ethereum's processing speed without compromising security.

2. Lower Costs

Rollups gain security from the Ethereum mainnet by writing transaction data as CALLDATA to Ethereum. However, the difference between optimistic rollups and zero-knowledge rollups lies in how much data they must publish on Ethereum.

Since optimistic rollups do not provide validity proofs for off-chain transactions, they need to publish all data related to transactions (including signatures and transaction parameters) on-chain. Without publishing all data on-chain, challengers cannot construct fraud proofs to dispute invalid rollup transactions.

In contrast, ZK-rollups can publish minimal data to Ethereum because the validity proofs already guarantee the credibility of state transitions. The zkEVM can even omit transaction inputs and only publish final state changes, further reducing CALLDATA requirements.

3. Faster Finality and Capital Efficiency

In addition to better security, ZK-rollups have another advantage over optimistic rollups: faster finality. Finality in a blockchain refers to the time required for a transaction to become irreversible; a transaction can only be finalized when network participants have objective evidence of its validity.

With ZK-rollups, transactions executed in zkEVM are typically finalized immediately after being published to Ethereum. Since each batch of transactions comes with instantly verifiable validity proofs, the Ethereum main chain can quickly apply state updates.

Since optimistic rollups only publish VM transactions without proofs, they must go through a challenge period before transactions achieve finality. The challenge period lasts 1-2 weeks, during which anyone can challenge the transaction after it is submitted to Ethereum.

Slower finality has many implications for user experience. For example, users cannot withdraw assets from the rollup until the challenge period expires. Liquidity providers may address this issue, but that workaround may not hold up if the withdrawal involves high-value assets or even NFTs.

zkEVM does not have these issues. Faster finality is particularly beneficial for advanced users, such as NFT traders, DeFi investors, or arbitrage traders who need to move assets seamlessly (especially between L1 and L2).

4. Network Effects

The most important reason for building an EVM-compatible zkVM is to leverage Ethereum's network effects. As the world's largest smart contract platform, Ethereum has a vast ecosystem that provides value to developers and projects.

For example, developers can access battle-tested and audited codebases, extensive tools, documentation, and more. Creating a new zkVM that is incompatible with Ethereum infrastructure would prevent projects and development teams from leveraging Ethereum's network effects.

What Types of zkEVM Exist?

Current zkEVM projects can be divided into two main categories: zkVMs that support native EVM opcodes and zkVMs that use custom EVM opcodes. Below, we compare different zkEVM protocols and explain how they work:

Polygon zkEVM

Polygon Hermez is a Polygon ZK-rollup with a zero-knowledge virtual machine designed to support EVM compatibility. To this end, EVM bytecode is compiled into "micro-opcodes" and executed in a uVM—a virtual machine that uses SNARK and STARK proofs to verify the correctness of program execution.

The decision to combine these two types of proofs is strategic. STARK (Scalable Transparent Argument of Knowledge) proofs are generated faster, while SNARK (Succinct Non-Interactive Argument of Knowledge) proofs are smaller and cheaper to verify on Ethereum.

Polygon Hermez zkEVM uses STARK proof circuits to generate validity proofs for state transitions. STARK proofs verify the correctness of STARK proofs (considered as generating "proofs of proofs") and are submitted to Ethereum for verification.

zkSync zkEVM

zkSync is an EVM-compatible ZK-rollup developed by Matter Labs and powered by its own zkEVM. zkSync implements compatibility with Ethereum using the following strategies:

  1. Compiling contracts written in Solidity into Yul, an intermediate language that can be compiled into bytecode for different virtual machines.

  2. Recompiling Yul bytecode (using the LLVM framework) into a custom, circuit-compatible bytecode set specifically designed for zkSync's zkEVM.

Like Polygon Hermez, zkSync zkEVM achieves EVM compatibility at the language level rather than the bytecode level. For example, zkSync's zkEVM does not support traditional multiplication and addition opcodes (ADDMOD, SMOD, MULMOD).

Scroll zkEVM

Scroll is a new zero-knowledge EVM implementation currently under development. The Scroll team plans to design zero-knowledge circuits for each EVM opcode. This will allow developers to deploy Ethereum-native smart contracts on Scroll without modifying the underlying EVM bytecode.

Additionally, Scroll zkEVM will use a "cryptographic accumulator" to verify the correctness of storage. This is used to prove that the contract bytecode is correctly loaded from a given address.

It also provides a circuit that links bytecode to execution traces. An execution trace is a sequence that specifies which VM instructions were executed and in what order. The prover will submit the execution trace during proof generation to verify that the computation aligns with the original bytecode.

Applied ZKP zkEVM

Applied ZKP is a project funded by the Ethereum Foundation aimed at developing an EVM-compatible ZK-rollup and a mechanism for generating validity proofs for Ethereum blocks. The latter part is crucial, as pairing blocks with validity proofs will eliminate the need for nodes to re-execute blocks.

The innovation of Applied ZKP lies in the separation of computation and storage. It uses two types of validity proofs—state proofs and EVM proofs:

State Proofs

Check whether operations involving storage, memory, and stack occurred correctly. State proofs essentially verify the accuracy of read and write operations.

EVM Proofs

Check whether the correct opcodes were called at the right times. EVM proofs validate the computation itself and confirm that state proofs executed the correct operations for each opcode.

Applied ZKP zkEVM uses bus mapping to link state proofs and EVM proofs. Furthermore, both proofs must be verified before an Ethereum block is considered valid.
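
The three checks listed under "How zkEVM Works" (bytecode access, reads and writes, computation) and the state-proof/EVM-proof split described above can be seen without any cryptography by checking an execution trace directly. The sketch below is an added example, not code from the article or from any zkEVM project; the six-opcode toy VM, the trace layout and the names `step`, `execute` and `check_trace` are assumptions, and no zero-knowledge proof is produced.

```python
# Added illustration (no ZK proof): straight-line toy VM, six opcodes, programs end with STOP.
STOP, ADD, MUL, SLOAD, SSTORE, PUSH1 = 0x00, 0x01, 0x02, 0x54, 0x55, 0x60
POPS = {STOP: 0, ADD: 2, MUL: 2, SLOAD: 1, SSTORE: 2, PUSH1: 0}
MOD = 2**256

def step(code, pc, sp, get):
    """Opcode semantics: reads and writes of a correct step, each (region, addr, value)."""
    op = code[pc]
    reads = [("stack", sp - 1 - i, get(("stack", sp - 1 - i))) for i in range(POPS[op])]
    v = [r[2] for r in reads]
    if op == SLOAD:  # unset storage slots read as 0
        reads.append(("storage", v[0], get(("storage", v[0])) or 0))
    out = {PUSH1: lambda: code[pc + 1], ADD: lambda: (v[0] + v[1]) % MOD,
           MUL: lambda: (v[0] * v[1]) % MOD, SLOAD: lambda: reads[1][2]}.get(op)
    writes = [("storage", v[0], v[1])] if op == SSTORE else []
    if out:
        writes.append(("stack", sp - POPS[op], out()))
    next_sp = sp - POPS[op] + (1 if out else 0)
    return op, reads, writes, pc + (2 if op == PUSH1 else 1), next_sp

def execute(code, pre_storage):
    """Toy execution environment: returns (post_storage, trace of (pc, op, reads, writes))."""
    mem = {("storage", k): val for k, val in pre_storage.items()}
    trace, pc, sp = [], 0, 0
    while True:
        op, reads, writes, next_pc, next_sp = step(code, pc, sp, mem.get)
        mem.update({w[:2]: w[2] for w in writes})
        trace.append((pc, op, reads, writes))
        if op == STOP:
            return {c[1]: val for c, val in mem.items() if c[0] == "storage"}, trace
        pc, sp = next_pc, next_sp

def check_trace(code, pre_storage, trace, post_storage):
    """Return "ok", or the name of the first check that fails."""
    last = {("storage", k): val for k, val in pre_storage.items()}  # last write per cell
    pc, sp = 0, 0
    for row_pc, row_op, reads, writes in trace:
        # 1. Bytecode access: the row's opcode is the code byte at the expected pc.
        if row_pc != pc or pc >= len(code) or code[pc] != row_op or row_op not in POPS:
            return "bytecode"
        _, want_reads, want_writes, next_pc, next_sp = step(code, pc, sp, last.get)
        # 2. Reads/writes: each read hits the right cell and returns its last written value.
        if reads != want_reads:
            return "state"
        # 3. Computation: the row writes exactly what the opcode computes from its reads.
        if writes != want_writes:
            return "computation"
        last.update({w[:2]: w[2] for w in writes})
        pc, sp = next_pc, next_sp
    final = {c[1]: val for c, val in last.items() if c[0] == "storage"}
    return "ok" if trace and trace[-1][1] == STOP and final == post_storage else "post-state"

# Constructed sample program and pre-state: storage[1] = storage[0] * 3 + 4
CODE = bytes([PUSH1, 0, SLOAD, PUSH1, 3, MUL, PUSH1, 4, ADD, PUSH1, 1, SSTORE, STOP])
PRE = {0: 5}
```

Running `execute(CODE, PRE)` and passing the result to `check_trace` returns "ok"; altering the value a row claims to have read, the result it writes, or its opcode makes the matching check fail.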

Where Are We in the Development Progress of zkEVM?

Apart from zkSync, most zero-knowledge EVMs are still under development. However, the continuous advancement of zero-knowledge technology means that the prospects for a fully functional zkEVM are better than ever.
