ZKVerse: Deep Dive https://wikisongkhoe.com Hermez 2.0 https://wikisongkhoe.com | Blog

Hermez 1.0 is the first-ever decentralised ZK Rollup on the Ethereum mainnet. Polygon Hermez has been busy building Hermez 2.0 — a ZK execution of the Ethereum Virtual Machine ( EVM ) and something that has never been accomplished before. here is what you can expect from this much-anticipated dismissal .

What is Polygon Hermez 2.0?

Polygon Hermez 2.0, henceforth Hermez 2.0, is a decentralized Ethereum Layer 2 scalability solution utilising cryptanalytic zero-knowledge engineering to provide validation and fast finality of off-chain transaction computations .
Hermez 1.0, which has been populate since March 2021, is decentralized, permissionless and scales astir to 2000 transactions per moment ( tps ). It has therefore successfully accomplished the function it was designed for, which was scaling payments and transfers of ERC-20 tokens .
The team has been working on the development of Hermez 2.0 as a zero-knowledge Ethereum Virtual Machine ( zkEVM ), a virtual machine that executes Ethereum transactions in a guileless way, including bright contracts with zero-knowledge-proof validations. Although taking on this revolutionary design approach was a hard decision to make, the aim is to minimise the users and dApps friction when using the solution.

It is an approach that requires refreshment of all EVM opcodes for transparent deployment of existing Ethereum smart contracts. For this aim a new set of technologies and tools are being created and engineered .

The Overall Architecture

Over and above what its predecessor was designed to do, the main functionality of Hermez 2.0 is to provide smart shrink hold .
It will carry out state changes, which come from executions of Ethereum ’ s Layer 2 transactions that users send to the net, and subsequently produce cogency proofread attesting to the correctness of the state deepen computations carried out off-chain .
The Hermez 2.0 system is a zero-knowledge EVM ( zkEVM ) consist of a few necessity components ; the Consensus Algorithm, the zkNode software, the zkProver, the LX-to-LY Bridge, the Sequencers and the Aggregators ( who are the participants requisite in reaching network consensus ), a well as active users of the Hermez 2.0 net who create transactions .
The bony computer architecture of Hermez 2.0 is therefore as follows .
Figure 1 : Skeletal Overview Hermez 2.0 

The Consensus Algorithm

The begging interview is “ What consensus algorithm does Hermez 2.0 use ? ” That is, how do Hermez 2.0 nodes agree on which forget to be added to the chain .
Like its earlier version, which uses Proof-of-Donation ( PoD ), Hermez 2.0 is designed to be decentralized. however, the old Proof-of-Donation gives way to a newer consensus algorithm called Proof of Efficiency .
A detail description of Hermez 2.0 ‘s PoE is found here .

Why the need to replace PoD?

The PoD exemplar fell out of favor for several reasons .
first, the PoD model with the complexity of its auction protocol, is vulnerable to attacks, specially at the bootstrapping phases. besides, since at any given indicate in time, the network is controlled by any permissionless participant, there is a gamble for the network to suffer serve horizontal surface delays should such a third gear party turn malicious or know operational issues .
second, the auction protocol has proved to be not only building complex for coordinators and validators but besides dearly-won. More so considering that not every competing validator gets rewarded but only the most effective .
third, the efficacy of selecting “ the best ” hustler amounts to a winner-takes-all model, which turns out to be unfair to competitors with slightly less performance. consequently, merely a few choose operators validate batches more much than others, defeating the very ideal of net decentralization .

Why the preference for PoE?

The Proof of Efficiency ( PoE ) model is preferred chiefly ascribable to its chasteness .
It solves many of the challenges experienced with the PoD model, such as attacks by design, as discussed above .
A strategic implementation of PoE promises to ensure that the network ,

• maintains permissionless opportunity to produce L2 batches, 
• is efficient, which is key for overall network performance, 
• attains an acceptable degree of decentralization,
• is secure from malicious attacks, especially by validators, and
• keeps proportionate balance between the overall validation effort and the value in the network.

Possibilities of coupling PoE with a PoS are being explored .

Data Availability

A distinctive zk-rollup schema requires that both the data ( which is required by users to reconstruct the full state ) and the validity proof be published on-chain .
however, given the Ethereum typeset, publishing data on-chain means incurring boast fees. This leads to a hard choice between full zk-rollup configuration and an low-cost network .
Unless, among early things, the proving module can be highly accelerated to mitigate costs for the validators, a hybrid schema remains inevitable .
Although the team is however to finalise the best consensus configuration, the obvious options are ;

1. Validium option: the proofs remain on-chain but the data is stored somewhere else,
2. Volition option: full zk-rollup for some transactions, with both data and proofs on-chain, while for other transactions only the proofs go on-chain.

The PoE Smart Contract

Rollups entail two processes, batch of transactions and validation of the batch transactions. Hermez 2.0 will use Sequencers and Aggregators to respectively carry out the two processes, batching and validation of transactions .
That is, Sequencers will collect transaction-requests into batches and add them to the PoE smart abridge, while Aggregators will check cogency of transaction batches and provide cogency proof .
The PoE ache contract therefore makes two basic calls ; A call to receive batches from Sequencers, and another call to Aggregators, requesting batches to be validated. See Figure 2 below .

Proof of Efficiency Tokenomics

The PoE smart contract imposes a few requirements on Sequencers and Aggregators .
Sequencers’ Constraints ;

• Anyone running the zkNode, which is the software necessary for running a Hermez 2.0 node, can be a Sequencer.
• Every Sequencer must pay a fee in $Matic in order to earn the right to create and propose batches.
• A Sequencer who proposes valid batches, which consist of valid transactions, is incentivised with fees paid by transaction-requestors, the users of the network.
• Specifically, a Sequencer collects L2 transactions from users, preprocesses them as a new L2 batch, then proposes the batch as a valid L2 transaction to the PoE smart contract.

Aggregators’ Constraints ;

• An Aggregator’s task is to produce validity proofs for the L2 transactions proposed by Sequencers.
• In addition to running Hermez 2.0’s zkNode software, Aggregators need to have specialised hardware for creating the zero-knowledge validity proofs. We herein call it the zkProver.
• The Aggregator who is the first to submit a validity proof for a given batch or batches, earns the Matic fees paid by the Sequencer(s) of the batch(es).
• The Aggregators need only indicate their intention to validate transactions and then run the race, to produce validity proofs, based on their own strategy.

​
Figure 2 : Simplified Proof of Efficiency

The zkNode

The network requires the passing of the client that implements the synchronism and covers the roles of participants as Sequencers or Aggregators. zkNode is such a customer. It is the software needed to run a Hermez 2.0 node .
Polygon Hermez 2.0 participants will choose how they participate ; either as merely a node, to know the state of matter of the network ; or participate in the process of batch production in any of the two roles, as a Sequencer or an Aggregator. An collector will be running the zkNode but besides performs establishment using the core part of the zkEVM, called the zkProver ( this is labelled Prover in Figure 3 below. )
early than the sequence and the validate processes, the zkNode besides enables synchronization of batches and their robustness proof, which happens only after these have been added to L1. It uses a subcomponent called the Synchronizer .
The Synchronizer is consequently responsible for reading events from the Ethereum blockchain, including fresh batches, in ordain to keep the state in full synced. The data read from these events must be stored in the database. Synchronizer besides handles possible reorgs, which will be detected by checking if last `ethBlockNum` and end `ethBlockHash` are synced .
​
Figure 3 : Hermez 2.0 zkNode Diagram 
​
The architecture of zkNode is modular and implements a fix of functions as depicted in the Figure 3 above .
The RPC ( outback procedure calls ) interface is a JSON RPC interface which is Ethereum compatible. It is implemented to enable integration of the zkEVM with existing tooling, such as Metamask, Etherscan and Infura. RPC adds transactions to the Pool and interacts with the State using read-only methods .
The State subcomponent implements the Merkle Tree and connects to the DB backend. It checks integrity at block flat ( i, information related to ; gasoline, block size, etc. ) and some transaction-related information ( for example, signatures, sufficient proportion, and so forth ). State besides stores smart shrink ( SC ) code into the Merkle corner and processes transactions using the EVM .

The zkProver

Hermez 2.0 employment state-of-the-art zero-knowledge engineering. It will use a zero-knowledge prover, dubbed zkProver, which is intended to run on any waiter and is being engineered to be compatible with most consumer hardware.

Every Aggregator will use the zkProver to validate batches and provide robustness proof .
zkProver has its own detail architecture which is outlined below. It will consist chiefly of the Main State Machine Executor, a collection of junior-grade State Machines each with its own executor, the STARK-proof builder, and the SNARK-proof builder. See Figure 4 below for a simplified diagram of the Hermez 2.0 zkProver .

Figure 4 : A Simplified zkProver Diagram 
​
In a nutshell, the zkEVM expresses state changes in polynomial class. therefore, the constraints that each proposed batch must satisfy are in fact polynomial constraints or polynomial identities. That is, all valid batches must satisfy sealed polynomial constraints .

The Main State Machine Executor

The Main Executor handles the execution of the zkEVM. This is where EVM Bytecodes are interpreted using a new zero-knowledge Assembly language ( zkASM ), particularly developed by the team. The executor besides sets up the polynomial constraints that every valid batch of transactions must satisfy. Another new speech, besides a particularly developed linguistic process by the team, called the Polynomial Identity Language ( or PIL ) is used to encode all the polynomial constraints .

A Collection of Secondary State Machines

Every calculation required in proving correctness of transactions is represented in the zkEVM as a state machine. The zkProver, being the most complex part of the unharmed project, consists of several state machines ; from those carrying out bitwise functionalities ( for example, XORing, padding, etc. ) to those performing hash ( for example, Keccak, Poseidon ), tied to verifying signatures ( for example, ECDSA ) .
The collection of secondary coil State Machines consequently refers to a collection of all state machines in the zkProver. It is not a subcomponent per selenium, but a collection of assorted executors for individual secondary country machines. These are ; the Binary SM, the Memory SM, the Storage SM, the Poseidon SM, the Keccak SM and the Arithmetic SM. See design 5 below for dependencies among these SMs .
Depending on the specific operations each SM is responsible for, some use both zkASM and PIL, while others use only one .

Figure 5 : Hermez 2.0 State Machines

STARK-proof Builder

STARK, which is short-change for scalable Transparent ARgument of Knowledge, is a proof system that enables provers to produce verifiable proof, without the need for a entrust frame-up .
STARK-proof Builder refers to the subcomponent used to produce zero-knowledge STARK-proofs, which are zk-proofs attesting to the fact that all the polynomial constraints are satisfied .
State machines generate polynomial constraints, and zk-STARKs are used to prove that batches satisfy these constraints. In especial, zkProver utilises Fast Reed-Solomon Interactive Oracle Proofs of Proximity ( RS-IOPP ), colloquially called FRI, to facilitate firm zk-STARK prove .

SNARK-proof Builder

SNARK, which is similarly light for Succinct Non-interactive ARgument of Knowledge, is a proof arrangement that produces confirmable proof .
Since STARK-proofs are way larger than SNARK-proofs, Hermez 2.0 zkProver uses SNARK-proofs to prove the correctness of these STARK-proofs. consequently, the SNARK-proofs, which are much cheaper to verify on L1, are published as the robustness proofread .
The calculate is to generate a CIRCOM circuit which can be used to generate or verify a SNARK proof. As to whether a PLONK or a GROTH16 SNARK proof will be used, is even to be decided on .

The LX-to-LY Bridge

A typical Bridge chic abridge is a combination of two smart contracts, one deploy on the first chain and the other on the second .
The L2-to-L1 Bridge smart contract for Hermez 2.0 is besides composed of two smart contracts ; the Bridge L1 Contract and the Bridge L2 Contract. The two contracts are practically identical except for where each is deployed. Bridge L1 Contract is on the Ethereum mainnet in order to manage asset transfers between rollups, while Bridge L2 Contract is on a particular rollup and it is responsible for asset transfers between mainnet and the rollup ( or rollups ) .

The Bridge L1 Contract

first, Bridge L1 Contract carries out two operations, `bridge` and `claim`. The `bridge` operation transfers assets from one rollup to another, while the `claim` operation applies when the contract makes a claim from any rollup .
Bridge L1 Contract requires two Merkle trees in holy order to perform the above operations ; `globalExitTree` and `mainnet passing tree`. The `globalExitTree` contains all the information of exit trees of all rollups, whereas the `mainnet die tree` has information of transactions made by users who interact with the mainnet .
A shrink named the global exit root manager L1 is responsible for managing exit roots across multiple networks .
The exit tree structure is depicted in Figure 6, below .

Figure 6 : The Exit Tree Structure

The Bridge L2 Contract

second, Bridge L2 Contract will be deployed on L2 with Ether on it. The Ether will be set on the genesis in order to enable mint/burn of native Ether .
Bridge L2 Contract besides requires all the information of exit trees of all rollups contained in the `globalExitTree` Merkle tree. In this shell, a smart narrow named the global exit root manager L2 is creditworthy for managing exit roots across multiple networks .
note that when a batch is verified in the PoE smart condense in L1, the rollup exit beginning is updated in the ball-shaped exit root coach L1. Bridge L2 Contract handles the rollup side of the `bridge` and the `claim` operations, angstrom well as interacting with the `globalExitTree` and the `rollup exit tree`, chiefly to update passing roots .

Concluding the LX-to-LY Bridge

typically, a Bridge chic contract is an L2-to-L1 Bridge, but the Hermez 2.0 Bridge is more elastic and interoperable. It can function as a bridge between any two arbitrary Layer 2 chains, L2_A and L2_B, or between any Layer 2, L2_X and L1, the Ethereum blockchain. It consequently allows asset transfers among multiple rollups. Hence the condition “ LX-to-LY Bridge ” .

Hermez 2.0 Design Ideals

The decisions described above about engineering and execution will help Hermez 2.0 reach its design ideals. That is, a network which is ; permissionless, decentralized, secure, effective and with confirmable block data .
Development efforts draw a bead on at permissionless-ness, that is, allowing anyone with the Hermez 2.0 software to participate in the network. For exemplify, the consensus algorithm will give everyone the opportunity to be a Sequencer or an Aggregator..
Data handiness is most crucial for decentralization, where every user has sufficient data needed to rebuild the full state of a rollup. As discussed above, the team hush has to decide on the best shape of the data handiness. The draw a bead on is to ensure that there is no censoring and no one party can control the network .
Hermez 2.0 was designed with security in mind. As a L2 solution, most of the security is inherited from Ethereum. Smart contracts will warrant that anyone who executes state changes must ; first, do it correctly ; second, create a proof that attests to the cogency of a state change ; and third, avail cogency proofs on-chain for confirmation .

Efficiency and the Overall Strategy

efficiency is key to network performance. Hermez 2.0 consequently applies respective execution strategies to guarantee efficiency .
The first scheme is to deploy PoE, which incentivizes the most effective aggregators to participate in the proofread genesis process .
The second strategy is to carry out all computations off-chain while keeping only the necessity data and zk-proofs on-chain .
respective other strategies are implemented within specific components of the Hermez 2.0 system. For example ;

1. The way in which the Bridge smart contract is implemented, such as settling accounts in an UTXO manner, by only using the Exit Tree Roots.
2. Utilisation of specialised cryptographic primitives within the zkProver in order to speed up computations and minimise proof sizes, seen in;

1. Running a special zero-knowledge Assembly language (zkASM) for interpretation of byte codes,
2. Using zero-knowledge tools such as zk-STARKs for proving purposes, which are very fast, though yielding hefty proofs. So instead of publishing the sizable zk-STARK proofs as validity proofs, a zk-SNARK is used to attest to the correctness of the zk-STARK proofs. These zk-SNARKs are in turn published as the validity proofs to state changes. The gas costs reduce from 5M to 350K.

Conclusion

Given the EVM OPCODE-Compatibility, Hermez 2.0 is designed to seamlessly serve smart contracts and efficiently verify express changes. It is promising not only to be secure and efficient, but besides to accomplish competitive decentralization .
In the campaign to achieve high-speed prove and compendious proof for promptly verification, the team is focused on the optimization of the zkProver .
The team besides leverages the synergies among the different Polygon teams that are besides looking into zk-rollups solutions for achieving Ethereum scalability .
Although development is still afoot, it was significant for this document to be released in keeping with the transparency of open-source projects, arsenic well as keeping the Polygon community of developers and users of Hermez 1.0 updated .
The adjacent step is to prepare for a populace testnet. Although it is difficult to set a definitive date, the plan is to launch the testnet in mid-2022.

Polygon is constantly on the lookout for new ZK endowment. You can browse all the open vacancies here, and besides follow our LinkedIn foliate. Check out Hermez 2.0 software documentation and tune in to our web log to keep up with the most excite experiments in this space .
Let ’ s bring the universe to Ethereum !
Website | Twitter | Ecosystem Twitter | Developer Twitter | Enterprise Twitter | Studios Twitter | Telegram | Reddit | Discord | Instagram | Facebook | LinkedIn