Scaling the blockchain part II:
Rollups
CS251 Fall 2023
(cs251.stanford.edu)
Dan Boneh
Scaling the blockchain: the problem
Transaction rates (Tx/sec):
• Bitcoin: can process about 7 (Tx/sec)
• Ethereum: can process about 15 (Tx/sec)
• The Visa network: can process up to 24,000 (Tx/sec)
Can we scale blockchains to Visa speeds? … with low Tx fees
Tx fees fluctuate: $2 to $60 for a simple Tx
How to process more Tx per second
Many ideas:
• Use a faster consensus protocol
• Parallelize: split the chain into independent shards
• Today: Rollups, move the work somewhere else
• Payment channels: reduce the need to touch the chain
• Requires locking up funds; mostly designed for payments.
reduces
composability
Recall: a basic layer-1 blockchain
[Diagram: a layer-1 blockchain (e.g., Ethereum). Each Tx (TxA, TxB, …) takes the current world state to an updated world state.]
World state: balances, storage, etc.
Can handle 15 Tx/sec …
Rollup idea 1: batch many Tx into one
[Diagram: users send Tx (e.g. TxB) to the Rollup coordinator, which holds the Rollup state (Alice's balance, Bob's balance, …). The coordinator posts the updated Rollup state root and the Tx list to a layer-1 blockchain (e.g., Ethereum), whose world state moves from the current world state (Rollup state Merkle root) to the updated world state (updated Rollup state root).]
Rollup idea 1: batch many Tx into one
[Diagram: a layer-1 blockchain (e.g., Ethereum) receives the Tx list and moves from the current world state (Rollup state Merkle root) to the updated world state (updated Rollup state root). Rollup state: Alice's balance, Bob's balance, …]
Key point:
• Hundreds of transactions on Rollup state are batched into a single transaction on layer-1
⇒ 100x speed up in Tx/sec
• Let's see how …
Rollup operation (simplified)
Rollup coordinator holds the Rollup state in a Merkle Tree:
• Alice: 5 DAI, 3 ETH
• Bob: 2 ETH
• …
• Zoe: 1 ETH, 3 USDC
Rollup state root is on the Layer 1 blockchain (e.g. Ethereum), block 354
Tx sent to the coordinator:
• [A⇾B: 2 ETH], sig_A
• atomic swap: [B⇾Z: 1 ETH], [Z⇾B: 2 USDC], sig_B, sig_Z
Rollup operation (simplified)
Rollup coordinator holds the updated Rollup state in a Merkle Tree:
• Alice: 5 DAI, 1 ETH
• Bob: 3 ETH, 2 USDC
• …
• Zoe: 2 ETH, 1 USDC
new Rollup root is on the Layer 1 blockchain (e.g. Ethereum), block 361 (previous root: block 354)
Tx in the batch:
• [A⇾B: 2 ETH], sig_A
• atomic swap: [B⇾Z: 1 ETH], [Z⇾B: 2 USDC], sig_B, sig_Z
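Added example (not from the lecture slides): a minimal Python coordinator that applies the batch shown above to the Rollup state and computes the old and new state roots that would be posted to L1. The leaf encoding, hash-domain tags and function names are assumptions made for illustration, and user signature checks are omitted.

```python
import hashlib
from copy import deepcopy

# Padding leaf for trees whose size is not a power of two (assumed convention).
EMPTY = hashlib.sha256(b"\x02empty").digest()


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(account: str, balances: dict) -> bytes:
    # Canonical encoding: tokens sorted, zero balances dropped, so that
    # {"ETH": 0} and {} commit to the same leaf.
    body = ",".join(f"{t}={a}" for t, a in sorted(balances.items()) if a)
    return h(b"\x00" + f"{account}:{body}".encode())


def merkle_root(state: dict) -> bytes:
    """Merkle root over all accounts, leaves ordered by account name."""
    level = [leaf_hash(acct, state[acct]) for acct in sorted(state)]
    size = 1
    while size < len(level):
        size *= 2
    level += [EMPTY] * (size - len(level))
    while len(level) > 1:
        # 0x01 prefix separates inner nodes from leaves (0x00 prefix).
        level = [h(b"\x01" + level[i] + level[i + 1])
                 for i in range(0, len(level), 2)]
    return level[0]


def transfer(state: dict, src: str, dst: str, token: str, amount: int) -> None:
    if amount <= 0 or state.get(src, {}).get(token, 0) < amount:
        raise ValueError(f"invalid transfer {src}->{dst}: {amount} {token}")
    state[src][token] -= amount
    state.setdefault(dst, {})
    state[dst][token] = state[dst].get(token, 0) + amount


def apply_batch(state: dict, batch: list):
    """Each Tx is a list of transfer legs that succeed or fail together.

    An atomic swap is a Tx with two legs. A Tx with any invalid leg is
    dropped and leaves the state untouched. The input state is not mutated.
    """
    current = deepcopy(state)
    included = []
    for tx in batch:
        trial = deepcopy(current)
        try:
            for leg in tx:
                transfer(trial, *leg)
        except ValueError:
            continue
        current = trial
        included.append(tx)
    return current, included


def rollup_update(state: dict, batch: list):
    """Return the new state and the update message the coordinator posts to L1."""
    new_state, included = apply_batch(state, batch)
    update = {
        "old_root": merkle_root(state).hex(),
        "new_root": merkle_root(new_state).hex(),
        "tx_list": included,
    }
    return new_state, update


# Balances and Tx taken from the slide; the tuple layout is an assumption.
PRE = {
    "Alice": {"DAI": 5, "ETH": 3},
    "Bob": {"ETH": 2},
    "Zoe": {"ETH": 1, "USDC": 3},
}
BATCH = [
    [("Alice", "Bob", "ETH", 2)],                              # A -> B: 2 ETH
    [("Bob", "Zoe", "ETH", 1), ("Zoe", "Bob", "USDC", 2)],    # atomic swap
]

if __name__ == "__main__":
    post, update = rollup_update(PRE, BATCH)
    print(post)
    print(update["old_root"], "->", update["new_root"])
```

However many Tx the batch holds, the commitment written to L1 stays a single 32-byte root.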
In more detail
Layer-1 blockchain (L1):
• Alice: state
• Bob: state
• Uniswap: state
• Rollup contract: 7 ETH, 3 DAI, …, root
• …
Rollup contract on layer-1 holds assets of all Rollup accounts (and Merkle state root)
Rollup state (L2) (coordinator stores state):
• Alice: 4 ETH, 1 DAI
• Bob: 3 ETH, 2 DAI
• …
Transfers inside Rollup are easy (L2 ⇾ L2)
Layer-1 blockchain (L1): Alice: state; Bob: state; Uniswap: state; Rollup contract: 7 ETH, 3 DAI, …, root; …
Rollup state (L2): Alice: 4 ETH, 1 DAI; Bob: 3 ETH, 2 DAI; …
Tx sent to coordinator: [A⇾B: 2 ETH], sig_A (with hundreds of Tx)
Transfers inside Rollup are easy (L2 ⇾ L2)
Layer-1 blockchain (L1): Alice: state; Bob: state; Uniswap: state; Rollup contract: 7 ETH, 3 DAI, …, root; …
Rollup state (L2): Alice: 2 ETH, 1 DAI; Bob: 5 ETH, 2 DAI; …
Tx sent to coordinator: [A⇾B: 2 ETH], sig_A (with hundreds of Tx)
Coordinator updates root on Rollup contract: sends new Merkle root, Tx list
Transferring funds into Rollup (L1 ⇾ L2)
Layer-1 blockchain (L1): Alice: state; Bob: state; Uniswap: state; Rollup contract: 7 ETH, 3 DAI, …, root; …
Rollup state (L2): Alice: 2 ETH, 1 DAI; Bob: 5 ETH, 2 DAI; …
Alice issues an L1 Tx (2 ETH to the Rollup contract): slow and expensive
Transferring funds into Rollup (L1 ⇾ L2)
Layer-1 blockchain (L1): Alice: state; Bob: state; Uniswap: state; Rollup contract: 9 ETH, 3 DAI, …, root; …
Rollup state (L2): Alice: 4 ETH, 1 DAI; Bob: 5 ETH, 2 DAI; …
Alice issues an L1 Tx (2 ETH to the Rollup contract): slow and expensive
Coordinator sends new Merkle root, Tx list
Transferring funds out of Rollup (L2 ⇾ L1)
Layer-1 blockchain (L1): Alice: state; Bob: state; Uniswap: state; Rollup contract: 9 ETH, 3 DAI, …, root; …
Rollup state: Alice: 4 ETH, 1 DAI; Bob: 5 ETH, 2 DAI; …
Tx sent to coordinator: [withdraw 4 ETH], sig_A (plus hundreds of Tx)
Requires extra gas on L1 to process transfer
Transferring funds out of Rollup (L2 ⇾ L1)
Layer-1 blockchain (L1): Alice: state; Bob: state; Uniswap: state; Rollup contract: 5 ETH, 3 DAI, …, root; …
Rollup state: Alice: 0 ETH, 1 DAI; Bob: 5 ETH, 2 DAI; …
Tx sent to coordinator: [withdraw 4 ETH], sig_A (plus hundreds of Tx)
Coordinator sends new Merkle root, Tx list; Rollup contract transfers 4 ETH on L1
Requires extra gas on L1 to process transfer
Summary: transferring Rollup assets
Transactions within a Rollup are easy:
• Batch settlement on L1 network (e.g., Ethereum)
Moving funds into or out of Rollup system (L1 ⟺ L2) is expensive:
• Requires posting more data on L1 network ⟹ higher Tx fees.
Moving funds from one Rollup system to another (L2 ⟺ L2)
• Either via L1 network (expensive),
or via a direct L2 ⟺ L2 bridge (cheap)
Running contracts on a Rollup?
Layer-1 blockchain (L1): Alice: state; Bob: state; Uniswap: state; Rollup contract: 7 ETH, 3 DAI, …, root; …
Rollup state (L2): Alice: 4 ETH, 1 DAI; Bob: 3 ETH, 2 DAI; Uniswap: state; …
Two copies of Uniswap
⇒ Rollup users can cheaply interact with Uniswap on Rollup
Running contracts on a Rollup?
Rollup state (L2): Alice: 4 ETH, 1 DAI; Bob: 3 ETH, 2 DAI; …; Uniswap: state
Coordinator maintains state of all contracts on Rollup system:
• It updates the Uniswap Merkle leaf after every Tx to Uniswap
• Writes updated Rollup state Merkle root to L1 chain
Running contracts on a Rollup?
Rollup state (L2): Alice: 4 ETH, 1 DAI; Bob: 3 ETH, 2 DAI; …; Uniswap: state
Rollup functions as Ethereum, but …
• It relies on the L1 chain to attest to the current Rollup state
How to send Tx to the coordinator
Enduser configures its
wallet to send Tx to the RPC
points of the selected Rollup.
(by default Metamask sends Tx to the
Ethereum Mainnet RPC points)
The role of the Coordinator
The Coordinator has multiple tasks:
• Sequence incoming Tx from Rollup users into a stream of Tx
⇒ can extract MEV from searchers, in addition to Tx fees
⇒ very profitable to be a Rollup coordinator
• Execute the stream of Tx on the latest Rollup state
• Push updates to the L1 chain
Shared coordinator: one coordinator for multiple Rollups (not today)
Coordinator architectures
A centralized coordinator:
• availability and censorship concerns,
… but cannot steal assets (as we will see)
A decentralized coordinator:
• a set of parties that run a fast consensus protocol
• At every epoch one party is chosen to sequence, execute, and
push updates to the L1
Importantly: L1 provides ground truth of the Rollup state
Tx rate on L2 is higher than on L1
[Diagram: the L2 chain of L2 blocks drawn alongside the L1 chain, with periodic "Finalize on L1" points.]
An example (StarkNet -- using validity proofs)
Source: starkscan.co
Block
…
Tx posted on L1 (Ethereum) about every eight hours
Not so simple …
Problems …
Problem 1: what if coordinator is dishonest?
• It could steal funds from the Rollup contract
• It could issue fake Tx on behalf of users
Problem 2: what if coordinator stops providing service?
• If Rollup state is lost, how can users issue Tx?
… can’t compute updated Rollup Merkle root.
Problem 1: what if coordinator is dishonest?
Can coordinator steal funds from Rollup users?
No! L1 chain verifies that Rollup state updates are valid.
⇒ all Tx are valid and properly signed by the Rollup users
Challenge: how to do this cheaply ?? (with little gas on L1)
[Diagram: Layer-1 blockchain (L1) holding Alice: state, Bob: state, and Rollup contract: 7 ETH, 3 DAI, …, root]
Verifying Rollup state updates
Approach 1: validity proofs (called a zk-Rollup)
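[Diagram: users send Tx (TxA, TxB) to the Rollup coordinator, which sends the Tx list and a proof to the Rollup contract on the Layer 1 blockchain (e.g. Ethereum).]
• Rollup contract: accept new root only if valid proof
• Succinct proof proves that a batch of hundreds of Tx is valid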
What the SNARK proof proves
SNARK proof is short and fast to verify:
⇒ Cheap to verify proof on the slow L1 chain (with EVM support)
(usually not a zero knowledge proof)
Public statement: (old state root, new state root, Tx list)
Witness: (state of each touched account pre- and post- batch,
Merkle proofs for touched accounts, user sigs)
SNARK proof proves that:
(1) all user sigs on Tx are valid, (2) all Merkle proofs are valid,
(3) post-state is the result of applying Tx list to pre-state
zkEVM
When a contract (e.g. Uniswap) runs on a Rollup:
• coordinator builds a SNARK proof of correct execution of an EVM program ⇒ called a zkEVM
• Generating proof is a heavyweight computation (Rollup coordinator: lots of GPUs)
  … verifying proof is fast
Flavors of a zkEVM:
• Prove that EVM bytecode ran correctly (Polygon zkEVM, Scroll)
• Compile Solidity to a SNARK-friendly circuit (MatterLabs)
The end result
Rollup contract on L1 ensures coordinator cannot cheat:
• all submitted Tx must have been properly signed by users
• all state updates are valid
⇒ Rollup contract on L1 will accept any update with a valid proof
⇒ Anyone can act as a coordinator (with enough compute power)
Verifying Rollup state updates
Approach 2: fault proofs (called an optimistic Rollup)
• Coordinator deposits stake in escrow on L1 Rollup contract
• Operation: Coordinator submits state updates to L1 w/o a proof
• If update is invalid: anyone has seven days to submit a fault proof
• Successful fault proof means coordinator gets slashed on L1
• Unsuccessful fault proof costs complainer a fee
Challenge: how to prove a fault to the Rollup contract on L1 ??
Naively: L1 can re-execute all Tx in batch ⇒ expensive and slow
Fault Proof game
[Diagram: given the pre-root and Tx list, the coordinator claimed a post-root; the fault claim gives a different post-root.]
• break computation into small steps (pre-state ⇾ … ⇾ post-state)
• Coordinator computes Merkle tree of all states. Sends Merkle root to L1
Fault Proof game
[Diagram: pre-root, Tx list; coordinator claimed state_n, fault claim has a different state'_n; intermediate states state_0, …, state_{n/2}, …, state_n]
we know state_n ≠ state'_n
Merkle root
    hash[0⇾n/2]   hash[n/2⇾n]
    hash[0⇾n/4]   hash[n/4⇾n/2]
Fault Proof game: binary search
[Diagram: pre-root, Tx list; coordinator claimed state_n, fault claim has a different state'_n; intermediate states state_0, …, state_{n/2}, …, state_n]
Suppose state_{n/2} ≠ state'_{n/2}
Merkle root
    hash[0⇾n/2]   hash[n/2⇾n]
    hash[0⇾n/4]   hash[n/4⇾n/2]
Fault Proof game: binary search
[Diagram: pre-root, Tx list; coordinator claimed state_n, fault claim has a different state'_n; intermediate states state_0, …, state_{n/2}]
Suppose state_{n/2} ≠ state'_{n/2}
• Coordinator sends hash[0⇾n/2] to L1
• Alice sends “left” to L1
Merkle root
    hash[0⇾n/2]   hash[n/2⇾n]
    hash[0⇾n/4]   hash[n/4⇾n/2]
Fault Proof game: binary search
[Diagram: pre-root, Tx list; coordinator claimed state_n, fault claim has a different state'_n; intermediate states state_0, …, state_{n/4}, …, state_{n/2}]
Suppose state_{n/4} = state'_{n/4}
• Coordinator sends hash[n/4⇾n/2] to L1
• Alice sends “right” to L1
Merkle root
    hash[0⇾n/2]   hash[n/2⇾n]
    hash[0⇾n/4]   hash[n/4⇾n/2]
Fault Proof game: binary search
[Diagram: pre-root, Tx list, coordinator]
After log2 n rounds:
• L1 has state_i and state_{i+1} from coordinator
• state_i = state'_i and state_{i+1} ≠ state'_{i+1}
  or game times out because one player defects
⇒ Now L1 can verify fault proof by checking one computation step!
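Added example (not from the lecture slides): a Python simulation of the binary-search fault proof game, in which the L1 referee narrows the disputed interval using the coordinator's midpoint hashes and the challenger's "left"/"right" replies, then re-executes a single step. The step function, the plain per-state hash commitment (used in place of Merkle openings against the committed root) and the constructed 8-Tx trace are assumptions; timeouts are not modelled.

```python
import hashlib
import json


def commit(state: dict) -> str:
    """Hash commitment to one intermediate state."""
    return hashlib.sha256(json.dumps(state, sort_keys=True).encode()).hexdigest()


def step(state: dict, tx: tuple) -> dict:
    """One small computation step: apply a single transfer (src, dst, amount).

    An invalid transfer is a no-op, so the step is total and deterministic.
    """
    src, dst, amount = tx
    new = dict(state)
    if amount > 0 and new.get(src, 0) >= amount:
        new[src] -= amount
        new[dst] = new.get(dst, 0) + amount
    return new


def trace(state0: dict, txs: list, fault_at=None) -> list:
    """Return state_0 .. state_n. If fault_at = k, the result of step k is
    corrupted (constructed fault: an extra balance appears) and every later
    state is computed on top of the corrupted one."""
    states = [state0]
    for i, tx in enumerate(txs):
        nxt = step(states[-1], tx)
        if i == fault_at:
            nxt["Coordinator"] = nxt.get("Coordinator", 0) + 100
        states.append(nxt)
    return states


def fault_proof_game(pre_state, txs, coord_states, chal_states):
    """Referee logic of the L1 contract. Returns (verdict, disputed_step, rounds)."""
    n = len(txs)
    claimed = commit(coord_states[n])
    if commit(chal_states[n]) == claimed:
        return ("no dispute", None, 0)

    # Hashes L1 has received from the coordinator, indexed by step number.
    coord_hash = {0: commit(pre_state), n: claimed}
    lo, hi = 0, n          # invariant: parties agree at lo and disagree at hi
    rounds = 0
    while hi - lo > 1:
        mid = (lo + hi) // 2
        coord_hash[mid] = commit(coord_states[mid])       # coordinator -> L1
        if commit(chal_states[mid]) != coord_hash[mid]:
            hi = mid                                      # challenger: "left"
        else:
            lo = mid                                      # challenger: "right"
        rounds += 1

    # L1 now checks exactly one step: state_lo --tx[lo]--> state_hi.
    revealed = coord_states[lo]
    if commit(revealed) != coord_hash[lo]:
        return ("coordinator slashed", lo, rounds)        # bad opening
    if commit(step(revealed, txs[lo])) != coord_hash[hi]:
        return ("coordinator slashed", lo, rounds)        # step is invalid
    return ("challenger pays fee", lo, rounds)            # step was valid


# Constructed sample: 8 one-unit transfers from Alice to Bob.
S0 = {"Alice": 8, "Bob": 0}
TXS = [("Alice", "Bob", 1)] * 8

if __name__ == "__main__":
    honest = trace(S0, TXS)
    cheating = trace(S0, TXS, fault_at=5)
    print(fault_proof_game(S0, TXS, cheating, honest))
    print(fault_proof_game(S0, TXS, honest, cheating))
```

With n = 8 the dispute is narrowed to one step in 3 rounds, and the same referee penalises a challenger whose own trace is the faulty one.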
A simpler alternative
[Diagram: pre-root, Tx list; claimed state_n vs. a different state'_n]
• Alice submits to L1 contract a SNARK proof that state_n is invalid
• L1 verifies SNARK, and if valid, slashes coordinator
⇒ SNARK is only needed in a rare fault event
Some difficulties with optimistic approach
(1) Transactions only settle after 7 days (after fault window expires)
• Alice needs to wait 7 days to withdraw funds from Rollup
(Rollup contract will only send her the funds after 7 days)
(2) Suppose a successful fault proof 4 days after batch is posted
⇒ all subsequent Tx need to be reprocessed
For fungible tokens, a 3rd party can advance the funds to Alice after checking
validity of Alice’s withdraw Tx. Does not apply to non-fungible tokens.
The end result
Can easily port any smart contract to an optimistic Rollup
• The Rollup EVM can be enhanced with new features (opcodes)
High Tx throughput: in principle, up to 4000 tx/s
• No need for special hardware at the coordinator
Anyone can act as a coordinator and a verifier
Downside: 7 day finality delay
Problem 2: centralized coordinator, what if it stops providing service?
… ok, so coordinator cannot submit invalid Tx.
Solution: set up a new coordinator
… but need the latest Rollup state
Where to get state?? The data availability problem
Ensuring Rollup state is always available
The definition of a Rollup:
Rollup state can always be reconstructed from
data on the L1 chain
[Diagram: coordinator sends Tx list and state root to the Rollup contract on the Layer 1 blockchain (e.g. Ethereum).]
Tx list, state root: sent to Rollup contract on L1 as part of state update message
Ensuring Rollup state is always available
To reconstruct current Rollup state:
• Read all Rollup update messages and re-execute Tx.
⇒ anyone can become a coordinator
• Rollups use L1 for data storage
What to store?
• For zk-Rollup: send Tx summary to L1, without user signatures
(SNARK proof proves validity of signatures)
• For optimistic: need to send Tx summary *and* signatures to L1
Ensuring Rollup state is always available
The downside: expensive
• Tx list is sent as calldata: 16 gas per non-zero byte
(EIP-4844: store Tx list as a cheap blob)
Can we do better?
Data Availability Committee (DAC)
To further reduce Tx fees:
• Store L2 state root (small) on the L1 chain
• Store Tx data (large) with a Data Availability Committee (DAC):
• a set of nodes trusted to keep the data available
• cheaper than storage on L1
• L1 accepts an update only if all DAC members sign it
⇒ ensures that all DAC members accepted Tx data
Setting up a new coordinator depends on availability of the DAC
Validium
Validium: an L2 using a DAC and validity proofs (SNARKs)
• Well suited for lower value assets.
• Potential privacy benefits … only DAC members see Tx data
An example: StarkEx uses a five member DAC
• Users can choose between Validium or Rollup modes
  (Tx data off-L1-chain vs. Tx data on-L1-chain)
  • Validium mode: cheaper Tx fees, but only secure as DAC
  • Rollup mode: more expensive Tx, but same as L1 security
Summary: types of L2
Scaling the blockchain: Payment channels and Rollups (L2 scaling)

                      | SNARK validity proofs                    | Fraud proofs
Tx data on L1 chain   | zkRollup                                 | optimistic Rollup, 7 day finality
Tx data in a DAC      | Validium (reduced fees, but higher risk) | ”Plasma”

Rows: availability. Columns: security.
Volume of some L2 systems
Tx Volume/day average fee/tx (on Nov. 27, 2023)
• Ethereum: 1077K Tx 7.8 USD/Tx
• Arbitrum: 676K Tx 0.30 USD/Tx (optimistic Rollup)
• Optimism: 284K Tx 0.26 USD/Tx (optimistic Rollup)
• StarkNet: 537K Tx 0.56 USD/Tx (zkRollup)
Can coordinator censor a Tx?
What if coordinators refuse to process a Tx?
What to do? One option:
• enduser can post Tx directly to the L1 Rollup contract
• The L1 Rollup contract will then refuse to accept updates until
an update includes that Tx
⇒ censorship will cause the entire Rollup to freeze
Layer 3 and beyond …
SNARK recursion
SNARK recursion
Two level recursion: proving knowledge of a proof
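[Diagram: two SNARK provers in sequence]
• SNARK (S, P, V): prover P takes public: x and witness: w, and outputs π
  π proves P knows w s.t. C(x, w) = 0
• SNARK (S′, P′, V′): prover P′ takes vp, x and π, and outputs π′
  π′ proves P′ knows π s.t. V(vp, x, π) = yes
Use V′(vp′, x, π′) to verify final proof π′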
Application 1: proof compression
[Diagram: two SNARK provers in sequence]
• SNARK (S, P, V): prover P takes public: x and witness: w, proves C(x, w) = 0 and outputs π
  fast prover, but outputs a large proof
• SNARK (S′, P′, V′): prover P′ takes vp, x and π, proves V(vp, x, π) = yes and outputs π′
  slower prover, small final proof
Use V′(vp′, x, π′) to verify final short proof π′
Application 2: Layer three and beyond
Layer-1 blockchain (L1): Alice: state; Uniswap: state; Rollup contract: 7 ETH, 3 DAI, …, root; …
L2 Rollup state: Alice: 2 ETH, 1 DAI; Bob: 5 ETH, 2 DAI; L3 Rollup contract: state root; …
L3 Rollup state (any VM): Alice: state; Bob: state; …
Layer three and beyond
One L2 coordinator can support many L3s
• each L3 can run a custom VM with its own features
• L3 chains can communicate with each other through L2
Each L3 coordinator submits Tx list and SNARK proof to L2
• L2 coordinator: collects batch of proofs,
• builds a proof 𝜋 that it has a batch of valid proofs, and
• submits the single proof 𝜋 and updated root to L1 chain.
END OF LECTURE
Next lecture: final topics

More Related Content

Similar to Scaling blockchain poart II: Rollups by Dan Boneh

Renegotiating the boundary between database latency and consistency
Renegotiating the boundary between database latency  and consistencyRenegotiating the boundary between database latency  and consistency
Renegotiating the boundary between database latency and consistencyScyllaDB
 
Istanbul BFT
Istanbul BFTIstanbul BFT
Istanbul BFTYu-Te Lin
 
Akka-demy (a.k.a. How to build stateful distributed systems) I/II
 Akka-demy (a.k.a. How to build stateful distributed systems) I/II Akka-demy (a.k.a. How to build stateful distributed systems) I/II
Akka-demy (a.k.a. How to build stateful distributed systems) I/IIPeter Csala
 
USART - 8251 / usart-8251A Pallav Shukla
USART - 8251 / usart-8251A Pallav ShuklaUSART - 8251 / usart-8251A Pallav Shukla
USART - 8251 / usart-8251A Pallav ShuklaPallav Shukla
 
An overlay network may be a electronic network thats designed on h.pdf
An overlay network may be a electronic network thats designed on h.pdfAn overlay network may be a electronic network thats designed on h.pdf
An overlay network may be a electronic network thats designed on h.pdfannaindustries
 
Dc ch07 : error control and data link control
Dc ch07 : error control and data link controlDc ch07 : error control and data link control
Dc ch07 : error control and data link controlSyaiful Ahdan
 
Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)
Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)
Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)Thomas Graf
 
23_Advanced_Processors controller system
23_Advanced_Processors controller system23_Advanced_Processors controller system
23_Advanced_Processors controller systemstellan7
 
TCP Over Wireless
TCP Over WirelessTCP Over Wireless
TCP Over WirelessFarooq Khan
 
Concurrency in Distributed Systems : Leslie Lamport papers
Concurrency in Distributed Systems : Leslie Lamport papersConcurrency in Distributed Systems : Leslie Lamport papers
Concurrency in Distributed Systems : Leslie Lamport papersSubhajit Sahu
 
Blockchain for creative content - What we do in LikeCoin
Blockchain for creative content - What we do in LikeCoinBlockchain for creative content - What we do in LikeCoin
Blockchain for creative content - What we do in LikeCoinAludirk Wong
 
Hyperledger Consensus Algorithms
Hyperledger Consensus AlgorithmsHyperledger Consensus Algorithms
Hyperledger Consensus AlgorithmsMabelOza12
 
Flink Forward SF 2017: Stephan Ewen - Experiences running Flink at Very Large...
Flink Forward SF 2017: Stephan Ewen - Experiences running Flink at Very Large...Flink Forward SF 2017: Stephan Ewen - Experiences running Flink at Very Large...
Flink Forward SF 2017: Stephan Ewen - Experiences running Flink at Very Large...Flink Forward
 
RIPE 80: Buffers and Protocols
RIPE 80: Buffers and ProtocolsRIPE 80: Buffers and Protocols
RIPE 80: Buffers and ProtocolsAPNIC
 
Sept 2017 internetworking
Sept 2017   internetworkingSept 2017   internetworking
Sept 2017 internetworkingshahin raj
 

Similar to Scaling blockchain poart II: Rollups by Dan Boneh (20)

Renegotiating the boundary between database latency and consistency
Renegotiating the boundary between database latency  and consistencyRenegotiating the boundary between database latency  and consistency
Renegotiating the boundary between database latency and consistency
 
Istanbul BFT
Istanbul BFTIstanbul BFT
Istanbul BFT
 
Akka-demy (a.k.a. How to build stateful distributed systems) I/II
 Akka-demy (a.k.a. How to build stateful distributed systems) I/II Akka-demy (a.k.a. How to build stateful distributed systems) I/II
Akka-demy (a.k.a. How to build stateful distributed systems) I/II
 
USART - 8251 / usart-8251A Pallav Shukla
USART - 8251 / usart-8251A Pallav ShuklaUSART - 8251 / usart-8251A Pallav Shukla
USART - 8251 / usart-8251A Pallav Shukla
 
An overlay network may be a electronic network thats designed on h.pdf
An overlay network may be a electronic network thats designed on h.pdfAn overlay network may be a electronic network thats designed on h.pdf
An overlay network may be a electronic network thats designed on h.pdf
 
Dc ch07 : error control and data link control
Dc ch07 : error control and data link controlDc ch07 : error control and data link control
Dc ch07 : error control and data link control
 
Transport Layer Description By Varun Tiwari
Transport Layer Description By Varun TiwariTransport Layer Description By Varun Tiwari
Transport Layer Description By Varun Tiwari
 
Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)
Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)
Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)
 
23_Advanced_Processors controller system
23_Advanced_Processors controller system23_Advanced_Processors controller system
23_Advanced_Processors controller system
 
TCP Over Wireless
TCP Over WirelessTCP Over Wireless
TCP Over Wireless
 
Concurrency in Distributed Systems : Leslie Lamport papers
Concurrency in Distributed Systems : Leslie Lamport papersConcurrency in Distributed Systems : Leslie Lamport papers
Concurrency in Distributed Systems : Leslie Lamport papers
 
Solution8 v2
Solution8 v2Solution8 v2
Solution8 v2
 
Blockchain for creative content - What we do in LikeCoin
Blockchain for creative content - What we do in LikeCoinBlockchain for creative content - What we do in LikeCoin
Blockchain for creative content - What we do in LikeCoin
 
Hyperledger Consensus Algorithms
Hyperledger Consensus AlgorithmsHyperledger Consensus Algorithms
Hyperledger Consensus Algorithms
 
Flink Forward SF 2017: Stephan Ewen - Experiences running Flink at Very Large...
Flink Forward SF 2017: Stephan Ewen - Experiences running Flink at Very Large...Flink Forward SF 2017: Stephan Ewen - Experiences running Flink at Very Large...
Flink Forward SF 2017: Stephan Ewen - Experiences running Flink at Very Large...
 
RIPE 80: Buffers and Protocols
RIPE 80: Buffers and ProtocolsRIPE 80: Buffers and Protocols
RIPE 80: Buffers and Protocols
 
Intro
IntroIntro
Intro
 
Protocol Independence
Protocol IndependenceProtocol Independence
Protocol Independence
 
01 what is blockchain
01 what is blockchain01 what is blockchain
01 what is blockchain
 
Sept 2017 internetworking
Sept 2017   internetworkingSept 2017   internetworking
Sept 2017 internetworking
 

Recently uploaded

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 

Recently uploaded (20)

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation

Scaling blockchain part II: Rollups by Dan Boneh

  • 1. Scaling the blockchain part II: Rollups CS251 Fall 2023 (cs251.stanford.edu) Dan Boneh
  • 2. Scaling the blockchain: the problem Transaction rates (Tx/sec): • Bitcoin: can process about 7 (Tx/sec) • Ethereum: can process about 15 (Tx/sec) • The Visa network: can process up to 24,000 (Tx/sec) Can we scale blockchains to Visa speeds? … with low Tx fees Tx fees fluctuate: $2 to $60 for a simple Tx
  • 3. How to process more Tx per second Many ideas: • Use a faster consensus protocol • Parallelize: split the chain into independent shards • Today: Rollups, move the work somewhere else • Payment channels: reduce the need to touch the chain • Requires locking up funds; mostly designed for payments. reduces composability
  • 4. Recall: a basic layer-1 blockchain A layer-1 blockchain (e.g., Ethereum) current world state updated world state updated world state TxA TxB ⋮ World state: balances, storage, etc. Can handle 15 Tx/sec …
  • 5. Rollup idea 1: batch many Tx into one A layer-1 blockchain (e.g., Ethereum) current world state (Rollup state Merkle root) updated world state (updated Rollup state root) TxB Rollup coordinator Rollup state: Alice’s balance Bob’s balance … updated Rollup state root, and Tx list (Tx list)
  • 6. Rollup idea 1: batch many Tx into one A layer-1 blockchain (e.g., Ethereum) current world state (Rollup state Merkle root) updated world state (updated Rollup state root) Key point: • Hundreds of transactions on Rollup state are batched into a single transaction on layer-1 ⇒ 100x speed up in Tx/sec • Let’s see how … Rollup state: Alice’s balance Bob’s balance … (Tx list)
  • 7. Rollup operation (simplified) Rollup coordinator, Merkle Tree: Alice: 5 DAI, 3 ETH; Bob: 2 ETH; … Zoe: 1 ETH, 3 USDC. Rollup state root. Layer 1 blockchain (e.g. Ethereum): block 354. Tx: [A⇾B: 2 ETH], sig_A. Atomic swap: [B⇾Z: 1 ETH], [Z⇾B: 2 USDC], sig_B, sig_Z
  • 8. Rollup operation (simplified) Rollup coordinator, Merkle Tree: Alice: 5 DAI, 1 ETH; Bob: 3 ETH, 2 USDC; … Zoe: 2 ETH, 1 USDC. New Rollup root. Layer 1 blockchain (e.g. Ethereum): block 354, block 361. Tx: [A⇾B: 2 ETH], sig_A. Atomic swap: [B⇾Z: 1 ETH], [Z⇾B: 2 USDC], sig_B, sig_Z
  • 9. In more detail Layer-1 blockchain (L1) Alice: state Bob: state Uniswap: state Rollup contract: root … Rollup contract on layer-1 holds assets of all Rollup accounts (and Merkle state root) 7 ETH, 3 DAI, Rollup state (L2) Alice: 4 ETH, 1 DAI Bob: 3 ETH, 2 DAI … (coordinator stores state)
  • 10. Transfers inside Rollup are easy (L2 ⇾ L2) Alice: state Bob: state Alice: 4 ETH, 1 DAI Bob: 3 ETH, 2 DAI Uniswap: state Rollup contract: … … 7 ETH, 3 DAI, [A⇾B: 2 ETH], 𝑠𝑖𝑔𝐴 (with hundreds of Tx) root Rollup state (L2) Layer-1 blockchain (L1)
  • 11. Transfers inside Rollup are easy (L2 ⇾ L2) Alice: state Bob: state Alice: 2 ETH, 1 DAI Bob: 5 ETH, 2 DAI Uniswap: state Rollup contract: … … 7 ETH, 3 DAI, new Merkle root, Tx list [A⇾B: 2 ETH], 𝑠𝑖𝑔𝐴 (with hundreds of Tx) Coordinator updates root on Rollup contract root Rollup state (L2) Layer-1 blockchain (L1)
  • 12. Transferring funds into Rollup (L1 ⇾ L2) Alice: state Bob: state Alice: 2 ETH, 1 DAI Bob: 5 ETH, 2 DAI Uniswap: state Rollup contract: … … 7 ETH, 3 DAI, Alice issues an L1 Tx: slow and expensive root 2 ETH Rollup state (L2) Layer-1 blockchain (L1)
  • 13. Transferring funds into Rollup (L1 ⇾ L2) Alice: state Bob: state Alice: 4 ETH, 1 DAI Bob: 5 ETH, 2 DAI Uniswap: state Rollup contract: … … 9 ETH, 3 DAI, new Merkle root, Tx list Alice issues an L1 Tx: slow and expensive root 2 ETH Rollup state (L2) Layer-1 blockchain (L1)
  • 14. Transferring funds out of Rollup (L2 ⇾ L1) Alice: state Bob: state Rollup state Alice: 4 ETH, 1 DAI Bob: 5 ETH, 2 DAI Uniswap: state Rollup contract: … … 9 ETH, 3 DAI, Requires extra gas on L1 to process transfer root [withdraw 4 ETH], 𝑠𝑖𝑔𝐴 (plus hundreds of Tx) Layer-1 blockchain (L1)
  • 15. Transferring funds out of Rollup (L2 ⇾ L1) Alice: state Bob: state Rollup state Alice: 0 ETH, 1 DAI Bob: 5 ETH, 2 DAI Uniswap: state Rollup contract: … … 5 ETH, 3 DAI, new Merkle root, Tx list Requires extra gas on L1 to process transfer root 4 ETH [withdraw 4 ETH], 𝑠𝑖𝑔𝐴 (plus hundreds of Tx) Layer-1 blockchain (L1)
  • 16. Summary: transferring Rollup assets Transactions within a Rollup are easy: • Batch settlement on L1 network (e.g., Ethereum) Moving funds into or out of Rollup system (L1 ⟺ L2) is expensive: • Requires posting more data on L1 network ⟹ higher Tx fees. Moving funds from one Rollup system to another (L2 ⟺ L2) • Either via L1 network (expensive), or via a direct L2 ⟺ L2 bridge (cheap)
  • 17. Running contracts on a Rollup? Alice: state Bob: state Alice: 4 ETH, 1 DAI Bob: 3 ETH, 2 DAI Uniswap: state Rollup contract: root … … 7 ETH, 3 DAI, Uniswap: state Two copies of Uniswap ⇒ Rollup users can cheaply interact with Uniswap on Rollup Rollup state (L2) Layer-1 blockchain (L1)
  • 18. Running contracts on a Rollup? Alice: 4 ETH, 1 DAI Bob: 3 ETH, 2 DAI … Uniswap: state Coordinator maintains state of all contracts on Rollup system: • It updates the Uniswap Merkle leaf after every Tx to Uniswap • Writes updated Rollup state Merkle root to L1 chain Rollup state (L2)
  • 19. Running contracts on a Rollup? Alice: 4 ETH, 1 DAI Bob: 3 ETH, 2 DAI … Uniswap: state Rollup functions as Ethereum, but … • It relies on the L1 chain to attest to the current Rollup state Rollup state (L2)
  • 20. How to send Tx to the coordinator Enduser configures its wallet to send Tx to the RPC points of the selected Rollup. (by default Metamask sends Tx to the Ethereum Mainnet RPC points)
  • 21. The role of the Coordinator The Coordinator has multiple tasks: • Sequence incoming Tx from Rollup users into a stream of Tx ⇒ can extract MEV from searchers, in addition to Tx fees ⇒ very profitable to be a Rollup coordinator • Execute the stream of Tx on the latest Rollup state • Push updates to the L1 chain Shared coordinator: one coordinator for multiple Rollups (not today)
  • 22. Coordinator architectures A centralized coordinator: • availability and censorship concerns, … but cannot steal assets (as we will see) A decentralized coordinator: • a set of parties that run a fast consensus protocol • At every epoch one party is chosen to sequence, execute, and push updates to the L1 Importantly: L1 provides ground truth of the Rollup state
  • 23. Tx rate on L2 is higher than on L1 L2 block Finalize on L1 Finalize on L1 L1 chain L2 chain
  • 24. An example (StarkNet -- using validity proofs) Source: starkscan.co Block … Tx posted on L1 (Ethereum) about every eight hours
  • 26. Problems … Problem 1: what if coordinator is dishonest? • It could steal funds from the Rollup contract • It could issue fake Tx on behalf of users Problem 2: what if coordinator stops providing service? • If Rollup state is lost, how can users issue Tx? … can’t compute updated Rollup Merkle root.
  • 27. Problem 1: what if coordinator is dishonest? Can coordinator steal funds from Rollup users? No! L1 chain verifies that Rollup state updates are valid. ⇒ all Tx are valid and properly signed by the Rollup users Challenge: how to do this cheaply ?? (with little gas on L1) Alice: state Bob: state Rollup contract: … 7 ETH, 3 DAI, root Layer-1 blockchain (L1)
  • 28. Verifying Rollup state updates Approach 1: validity proofs (called a zk-Rollup) TxA TxB Rollup coordinator Layer 1 blockchain (e.g. Ethereum) Rollup contract Tx list accept new root only if valid proof Succinct proof proves that a batch of hundreds of Tx is valid
  • 29. What the SNARK proof proves SNARK proof is short and fast to verify: ⇒ Cheap to verify proof on the slow L1 chain (with EVM support) (usually not a zero knowledge proof) Public statement: (old state root, new state root, Tx list) Witness: (state of each touched account pre- and post- batch, Merkle proofs for touched accounts, user sigs) SNARK proof proves that: (1) all user sigs on Tx are valid, (2) all Merkle proofs are valid, (3) post-state is the result of applying Tx list to pre-state
  • 30. zkEVM When a contract (e.g. Uniswap) runs on a Rollup: • coordinator builds a SNARK proof of correct execution of an EVM program ⇒ called a zkEVM • Generating proof is a heavyweight computation … verifying proof is fast Rollup coordinator (lots of GPUs) Flavors of a zkEVM: • Prove that EVM bytecode ran correctly (Polygon zkEVM, Scroll) • Compile Solidity to a SNARK-friendly circuit (MatterLabs)
  • 31. The end result Rollup contract on L1 ensures coordinator cannot cheat: • all submitted Tx must have been properly signed by users • all state updates are valid ⇒ Rollup contract on L1 will accept any update with a valid proof ⇒ Anyone can act as a coordinator (with enough compute power)
  • 32. Verifying Rollup state updates Approach 2: fault proofs (called an optimistic Rollup) • Coordinator deposits stake in escrow on L1 Rollup contract • Operation: Coordinator submits state updates to L1 w/o a proof • If update is invalid: anyone has seven days to submit a fault proof • Successful fault proof means coordinator gets slashed on L1 • Unsuccessful fault proof costs complainer a fee Challenge: how to prove a fault to the Rollup contract on L1 ?? Naively: L1 can re-execute all Tx in batch ⇒ expensive and slow
  • 33. Fault Proof game fault claim claimed post-root coordinator different post-root Coordinator computes Merkle tree of all states. Sends Merkle root to L1 break computation into small steps post- state pre- state pre-root Tx list
  • 34. Fault Proof game. pre-root, Tx list. Coordinator: claimed $state_n$. Fault claim: different $state'_n$. States: $state_0$, $state_{n/2}$, $state_n$. We know $state_n \neq state'_n$. Merkle tree: Merkle root, hash[0⇾n/2], hash[n/2⇾n], hash[0⇾n/4], hash[n/4⇾n/2]
  • 35. Fault Proof game: binary search. pre-root, Tx list. Coordinator: claimed $state_n$. Fault claim: different $state'_n$. States: $state_0$, $state_{n/2}$, $state_n$. Suppose $state_{n/2} \neq state'_{n/2}$. Merkle tree: Merkle root, hash[0⇾n/2], hash[n/2⇾n], hash[0⇾n/4], hash[n/4⇾n/2]
  • 36. Fault Proof game: binary search. pre-root, Tx list. Coordinator: claimed $state_n$. Fault claim: different $state'_n$. States: $state_0$, $state_{n/2}$. Suppose $state_{n/2} \neq state'_{n/2}$. Coordinator sends hash[0⇾n/2] to L1. Alice sends “left” to L1. Merkle tree: Merkle root, hash[0⇾n/2], hash[n/2⇾n], hash[0⇾n/4], hash[n/4⇾n/2]
  • 37. Fault Proof game: binary search. pre-root, Tx list. Coordinator: claimed $state_n$. Fault claim: different $state'_n$. States: $state_0$, $state_{n/4}$, $state_{n/2}$. Suppose $state_{n/4} = state'_{n/4}$. Coordinator sends hash[n/4⇾n/2] to L1. Alice sends “right” to L1. Merkle tree: Merkle root, hash[0⇾n/2], hash[n/2⇾n], hash[0⇾n/4], hash[n/4⇾n/2]
  • 38. Fault Proof game: binary search. pre-root, Tx list. Coordinator: claimed $state_n$. Fault claim: different $state'_n$. States: $state_{n/4}$, $state_{n/2}$. Suppose $state_{n/4} = state'_{n/4}$. Coordinator sends hash[n/4⇾n/2] to L1. Alice sends “right” to L1. Merkle tree: Merkle root, hash[0⇾n/2], hash[n/2⇾n], hash[0⇾n/4], hash[n/4⇾n/2]
  • 39. Fault Proof game: binary search. pre-root, Tx list, coordinator. After $\log_2 n$ rounds: • L1 has $state_i$ and $state_{i+1}$ from coordinator • $state_i = state'_i$ and $state_{i+1} \neq state'_{i+1}$, or game times out because one player defects ⇒ Now L1 can verify fault proof by checking one computation step!
  • 40. A simpler alternative. pre-root, Tx list, claimed $state_n$, different $state'_n$. • Alice submits to L1 contract a SNARK proof that $state_n$ is invalid • L1 verifies SNARK, and if valid, slashes coordinator ⇒ SNARK is only needed in a rare fault event
  • 41. Some difficulties with optimistic approach (1) Transactions only settle after 7 days (after fault window expires) • Alice needs to wait 7 days to withdraw funds from Rollup (Rollup contract will only send her the funds after 7 days) (2) Suppose a successful fault proof 4 days after batch is posted ⇒ all subsequent Tx need to be reprocessed For fungible tokens, a 3rd party can advance the funds to Alice after checking validity of Alice’s withdraw Tx. Does not apply to non-fungible tokens.
  • 42. The end result Can easily port any smart contract to an optimistic Rollup • The Rollup EVM can be enhanced with new features (opcodes) High Tx throughput: in principle, up to 4000 tx/s • No need for special hardware at the coordinator Anyone can act as a coordinator and a verifier Downside: 7 day finality delay
  • 43. Problem 2: centralized coordinator, what if it stops providing service? … ok, so coordinator cannot submit invalid Tx. Solution: set up a new coordinator … but need the latest Rollup state. Where to get state?? The data availability problem
  • 44. Ensuring Rollup state is always available The definition of a Rollup: Rollup state can always be reconstructed from data on the L1 chain coordinator Layer 1 blockchain (e.g. Ethereum) Rollup contract Tx list state root Sent to Rollup contract on L1 as part of state update message
  • 45. Ensuring Rollup state is always available To reconstruct current Rollup state: • Read all Rollup update messages and re-execute Tx. ⇒ anyone can become a coordinator • Rollups use L1 for data storage What to store? • For zk-Rollup: send Tx summary to L1, without user signatures (SNARK proof proves validity of signatures) • For optimistic: need to send Tx summary *and* signatures to L1
  • 46. Ensuring Rollup state is always available The downside: expensive • Tx list is sent as calldata: 16 gas per non-zero byte (EIP-4844: store Tx list as a cheap blob) Can we do better?
  • 47. Data Availability Committee (DAC) To further reduce Tx fees: • Store L2 state root (small) on the L1 chain • Store Tx data (large) with a Data Availability Committee (DAC): • a set of nodes trusted to keep the data available • cheaper than storage on L1 • L1 accepts an update only if all DAC members sign it ⇒ ensures that all DAC members accepted Tx data Setting up a new coordinator depends on availability of the DAC
  • 48. Validium Validium: an L2 using a DAC and validity proofs (SNARKs) • Well suited for lower value assets. • Potential privacy benefits … only DAC members see Tx data An example: StarkEx uses a five member DAC • Users can choose between Validium or Rollup modes (Tx data off-L1-chain vs. Tx data on-L1-chain) cheaper Tx fees, but only secure as DAC More expensive Tx, but same as L1 security
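  • 49. Summary: types of L2 (Scaling the blockchain: Payment channels and Rollups (L2 scaling)). Table with security on one axis (SNARK validity proofs vs. fraud proofs) and availability on the other (Tx data on L1 chain vs. Tx data in a DAC):
      ◦ Tx data on L1 chain, SNARK validity proofs: zkRollup
      ◦ Tx data on L1 chain, fraud proofs: optimistic Rollup, 7 day finality
      ◦ Tx data in a DAC, SNARK validity proofs: Validium (reduced fees, but higher risk)
      ◦ Tx data in a DAC, fraud proofs: ”Plasma”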
  • 50. Volume of some L2 systems Tx Volume/day average fee/tx (on Nov. 27, 2023) • Ethereum: 1077K Tx 7.8 USD/Tx • Arbitrum: 676K Tx 0.30 USD/Tx (optimistic Rollup) • Optimism: 284K Tx 0.26 USD/Tx (optimistic Rollup) • StarkNet: 537K Tx 0.56 USD/Tx (zkRollup)
  • 51. Can coordinator censor a Tx? What if coordinators refuse to process a Tx? What to do? One option: • enduser can post Tx directly to the L1 Rollup contract • The L1 Rollup contract will then refuse to accept updates until an update includes that Tx ⇒ censorship will cause the entire Rollup to freeze
  • 52. Layer 3 and beyond … SNARK recursion
  • 53. SNARK recursion. Two level recursion: proving knowledge of a proof. public: $x$, witness: $w$ → SNARK prover $P$ of $(S, P, V)$ → $\pi$, which proves $P$ knows $w$ s.t. $C(x, w) = 0$. Then $x$, $vp$, $\pi$ → SNARK prover $P'$ of $(S', P', V')$ → $\pi'$, which proves $P'$ knows $\pi$ s.t. $V(vp, x, \pi) = yes$. Use $V'(vp', x, \pi')$ to verify final proof $\pi'$
  • 54. Application 1: proof compression. public: $x$, witness: $w$ → SNARK prover $P$ of $(S, P, V)$ → $\pi$: prove $C(x, w) = 0$; fast prover, but outputs a large proof. Then $x$, $vp$, $\pi$ → SNARK prover $P'$ of $(S', P', V')$ → $\pi'$: prove $V(vp, x, \pi) = yes$; slower prover, small final proof. Use $V'(vp', x, \pi')$ to verify final short proof $\pi'$
  • 55. Application 2: Layer three and beyond Alice: 2 ETH, 1 DAI Bob: 5 ETH, 2 DAI Uniswap: state Rollup contract: … … 7 ETH, 3 DAI, root L2 Rollup state Layer-1 blockchain (L1) Alice: state L3 Rollup contract: state root Alice: state Bob: state … L3 Rollup state (any VM)
  • 56. Layer three and beyond One L2 coordinator can support many L3s • each L3 can run a custom VM with its own features • L3 chains can communicate with each other through L2 Each L3 coordinator submits Tx list and SNARK proof to L2 • L2 coordinator: collects batch of proofs, • builds a proof 𝜋 that it has a batch of valid proofs, and • submits the single proof 𝜋 and updated root to L1 chain.
  • 57. END OF LECTURE Next lecture: final topics
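
The binary-search fault proof game of slides 33–39, as an added Python example that is not code from the lecture. Assumptions: the names (`step`, `trace`, `fault_proof_game`), the balances and the Tx list are constructed for illustration, one computation step is one transfer, and each party hands the referee its list of states directly instead of opening them against the Merkle root the slides describe.

```python
import hashlib, json

# Constructed sample data (not from the lecture): pre-state and a batch of n = 8 Tx.
PRE = {"alice": 5, "bob": 2, "zoe": 1}
TXS = [("alice", "bob", 2), ("bob", "zoe", 1), ("zoe", "alice", 2), ("bob", "alice", 1),
       ("alice", "zoe", 3), ("zoe", "bob", 1), ("bob", "alice", 2), ("alice", "bob", 1)]

def h(state):
    """Hash of one rollup state (canonical JSON of the balance table)."""
    return hashlib.sha256(json.dumps(state, sort_keys=True).encode()).hexdigest()

def step(state, tx):
    """One computation step: apply a single transfer; overdrafts are no-ops."""
    src, dst, amt = tx
    new = dict(state)
    if amt > 0 and new.get(src, 0) >= amt:
        new[src] -= amt
        new[dst] = new.get(dst, 0) + amt
    return new

def trace(pre, txs, cheat_at=None):
    """state_0..state_n. With cheat_at=k, step k also mints 100 to 'mallory'."""
    states = [pre]
    for k, tx in enumerate(txs):
        s = step(states[-1], tx)
        if k == cheat_at:
            s = dict(s, mallory=s.get("mallory", 0) + 100)
        states.append(s)
    return states

def fault_proof_game(txs, coord, challenger):
    """L1 referee. coord/challenger are each party's state_0..state_n.
    Returns (verdict, index i of the disputed step, rounds played)."""
    n = len(txs)
    if h(coord[n]) == h(challenger[n]):
        return ("no dispute", None, 0)
    lo, hi, rounds = 0, n, 0            # both agree at lo (pre-root), differ at hi
    while hi - lo > 1:
        mid = (lo + hi) // 2
        claimed = h(coord[mid])         # coordinator sends its hash for state_mid
        if claimed != h(challenger[mid]):
            hi = mid                    # challenger answers "left"
        else:
            lo = mid                    # challenger answers "right"
        rounds += 1
    # L1 re-executes only step lo -> lo+1 on the state the coordinator opened
    valid = h(step(coord[lo], txs[lo])) == h(coord[hi])
    return ("challenger pays fee" if valid else "coordinator slashed", lo, rounds)
```

With n = 8 the game always ends after 3 rounds, and the referee executes exactly one transfer no matter which party is wrong.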

Editor's Notes

  1. Tx summary recorded on L1 chain as calldata into Rollup contract.
  2. Tx summary recorded on L1 chain as calldata into Rollup contract.
  3. Why do we need an L1 if the L2 runs its own consensus? The L2 consensus can be tuned differently from L1 consensus and can be faster.
  4. https://starkscan.co/blocks
  5. EIP-4444: history expiry makes it possible to remove user signatures from chain after the dispute window elapses.
  6. Comparison to Eth is taken from EIP-4488.
  7. https://pro.nansen.ai/multichain/eth-vs-optimism https://viewblock.io/starknet/stat/avgTxFee
  8. Three level: proving knowledge of a proof of knowledge of a proof.
  9. Bridging between L3’s is done without touching L1.