We break down the basics of zkEVMs for all readers, irrespective of their level of familiarity with web3.

Zero-Knowledge Ethereum Virtual Machines (zkEVMs) are seen as a key component of Ethereum’s plan to achieve unbridled scalability. They greatly simplify the process of building for developers, and offer a low-cost and secure environment to innovate.

However, it can often be difficult to fully understand what a zkEVM means and to grasp its importance in the next phase of Ethereum’s evolution. Here, we break down the basics of zkEVMs for you in a manner that is easy to understand for all readers, irrespective of their level of familiarity with web3.

We will begin with a high-level overview of zkEVMs and learn the various components that underpin this new, exciting technology. We will then discuss why zkEVMs are important for scaling web3 and driving adoption. Finally, we will compare Linea to other zkEVM projects in the Ethereum ecosystem.

ELI5: WTF is a zkEVM?

A zkEVM is a virtual machine that executes smart contracts and proves the correctness of execution using zero-knowledge proofs, aka “validity proofs”. ZkEVMs recreate aspects of Ethereum’s design and thus provide an “Ethereum-like” experience for developers and users. When combined with rollup technology, a zkEVM provides unparalleled security and scalability for decentralized applications (dapps) and their users.

We won’t explain zero-knowledge proofs in-depth here, but you can read Zero-Knowledge Proofs: STARKs vs SNARKs for a comprehensive introduction. And while there are different types of validity proofs, all share a key quality: you can prove knowledge of some information (eg. “I own 5 ETH”) without revealing the underlying information (eg. showing your wallet’s balance).

Initially, zero-knowledge proofs were mostly used to enhance the privacy of web3 applications—examples include ZCash (private payments), MACI (anonymous on-chain voting), and Aztec (private smart contracts). But researchers soon figured a more compelling use case for validity proofs: verifiable computation.

Verifiable computation schemes enable a “weak” computer to outsource computation to a more powerful—albeit untrusted—client computer and verify the correctness of results. Here, the client returns the result along with a proof to confirm the computation was performed correctly. Importantly, verifying the proof should require less effort than performing the computation from scratch.

ZkEVMs use zero-knowledge proofs to prove programs are executed correctly, bringing verifiable computation to the realm of public blockchains. In this context, verifiable computation is useful for improving a blockchain’s security and scalability.

Think of the zkEVM as a computer that can perform arbitrary operations, like adding two integers (“func(a + b = c)”). Users pass inputs to the program (eg. “a = 3” and “b = 2”), and a full node executes the program in the zkEVM with those inputs to produce an output (“c = 5”).

Meanwhile, the program’s execution trace is compiled to an “arithmetic circuit” for proving (ie. translated into a series of mathematical statements). This allows the full node to generate a zero-knowledge proof that confirms the program is executed correctly. For context, the proof circuit verifies details about the program’s execution, such as:

• Who called the program’s function?

• Did the caller pass correct inputs to the program?

• Did execution use the correct program?

• Was the final output the result of correctly executing the program with the provided inputs?

As the proof circuit validates the computational integrity of execution, other peers on the network don’t need to re-execute the program to validate the proposed output. Nodes only need to check the zero-knowledge proofs to confirm that the zkEVM’s new state (after executing the program) is correct.

In a “don’t trust, verify” system, a verifier may demand public inputs to the proving circuit, including the program’s initial and final states and arguments passed to the function (or cryptographic commitments to those values). This provides certainty that the computation verified by the SNARK proof was performed using correct input values and resulted in correct outputs.

But this is mostly for redundancy’s sake: constraints on circuit logic prevent provers from creating false proofs (except the proving circuit is broken). Indeed, validiums are zkEVM chains that post all data off-chain while retaining high security guarantees.

The key benefit to this system? Verifying a SNARK (Succinct Non-Interactive Argument of Knowledge) proof for the program’s execution consumes significantly lower resources compared to the original computation. ZkEVM nodes don’t have to re-execute each transaction to confirm its validity, vastly improving the network’s capacity to process more transactions at a faster rate.

ZkEVM as a scaling solution for Ethereum

We can also extend verifiable computation to scaling transaction throughput on another blockchain. In this case, a “resource-constrained” blockchain can offload computation to a secondary, high-throughput network while retaining the ability to verify that transactions are executed correctly. Zero-knowledge rollups, a scaling solution for Ethereum (which uses the zkEVM as a runtime environment), are based on this idea.

Zk-rollups relieve Ethereum of computational loads by executing transactions in a separate environment (described as Layer 2). At intervals, the rollup’s operator will aggregate many user transactions into a batch and submit to a smart contract on Ethereum. It also submits a validity proof confirming off-chain transactions are executed correctly and the new state is correct.

But why do we need to scale Ethereum, anyway?

As you know, the Ethereum Virtual Machine (EVM) is a distributed computing environment (aka “world computer”) that powers dapps. The EVM provides many benefits—like security and decentralization—but trades off scalability in the process. In short, the EVM is a very secure computer, but it is also very slow and expensive to use.

Over the years, “EVM-compatible” sidechains and rollups have emerged as the most popular solutions to Ethereum’s scalability problems. These blockchains implement a forked version of Ethereum’s execution layer (the EVM), but optimize it for faster execution and lower cost-per-transaction.

Some will argue these solutions don’t scale Ethereum directly, but they do enable developers to run Ethereum dapps on a scalable off-chain layer and allow users to use these applications at a fraction of Ethereum’s costs. Ethereum also (indirectly) benefits as users moving to other blockchains reduces congestion on the base layer and lowers gas prices for existing users.

This doesn’t mean all scaling solutions are equally good, though. For example, a sidechain isn’t secured by Ethereum—so the safety of users’ funds depends on the honesty of the sidechain's validators. In a worst-case scenario, a corrupt validator set can easily steal funds deposited in a bridge or block users from withdrawing funds (by censoring transactions).

Rollups settle transactions on Ethereum and inherit its security and decentralization; even so, different rollup constructions have varying levels of security. “Optimistic rollups” assume transaction batches posted to Ethereum L1 are valid and rely on incentivized parties (“watchers”) to challenge invalid executions via fraud proofs. However, this approach has a few problems:

• Honesty assumptions: For optimistic rollups to remain secure, someone must be available to validate rollup transactions and challenge invalid operations. Optimistic rollups assume the existence of an honest validator (a “1-of-N security model”), an assumption that may fail to hold in certain circumstances.

• Delays in withdrawals: Since watchers need time to issue challenges, optimistic rollups impose a delay on withdrawals. This delay (between one and two weeks) can negatively affect the experience of users transacting on L2.

• Increased transaction fees: Optimistic rollups don’t trust sequencers to avoid data withholding attacks and consequently publish full transaction data on Ethereum to enable decentralized verification of rollup blocks. This improves security, but also increases transaction fees as the cost of storing data on-chain is passed on to users.

In comparison, general-purpose zk-rollups running a zkEVM are considered the “Holy Grail of scaling” because they provide the benefits you would expect from an Ethereum scaling solution without sacrificing security or introducing trust assumptions. We discuss the benefits of a zkEVM in more detail below:

EVM-compatibility

ZkEVMs are fully compatible with smart contracts written or compiled to run in the Ethereum Virtual Machine. Furthermore, a Type 2 zkEVM like Linea integrates seamlessly with EVM infrastructure including developer tools, block explorers, and wallets. The implication? Web3 developers can migrate existing Ethereum applications to L2 without incurring switching costs. Even better, you can build new applications from scratch using a familiar development stack—for example, zkEVMs can execute smart contracts written in Solidity.

Security

The security guarantees of a zkEVM are straightforward: zero-knowledge proofs guarantee that block producers cannot execute invalid state transitions. That is, provided cryptographic assumptions about the underlying proving circuit—like the impossibility of forging false proofs—hold. In short, a zkEVM asks you to “trust math, not validators”.

Now validity proofs guarantee safety, but do not guarantee liveness and data availability—which is why zkEVM blockchains depend on Ethereum to enforce those security properties. We won’t go into technical details here, but it is enough to say this arrangement provides the following assurances:

• Users can always withdraw funds from the zk-rollup to L1 by sending an exit transaction to the L2 contract on Ethereum.

• A malicious rollup operator cannot freeze the rollup or conceal the blockchain’s state; the Ethereum network will finalize an L2 block only if the data is published on-chain. This ensures users always have access to state data and honest nodes can reconstruct the L2’s last state and produce new blocks.

Scalability

ZkEVMs are designed to be highly scalable. Whereas the EVM requires every network participant to re-execute transactions before reaching consensus, zkEVMs use non-interactive proofs. This increases throughput and reduces latency, as verifying proofs for L2 blocks is faster than replaying every transaction in a newly proposed block.

But wait, there’s more! ZkEVMs can further boost throughput through the use of “recursive proofs”. Recursive proofs are generated by combining multiple validity proofs such that verifying a single proof also verifies the validity of all underlying proofs.

When submitted to the proof verifier contract on Ethereum L1, a recursive proof allows several L2 blocks to be finalized simultaneously. This significantly frees up the L2 sequencer to generate blocks faster instead of spending time on submitting proofs to L1 on a block-by-block basis.

Improved user experience

In the world of crypto, a transaction or block is “finalized” when it is accepted by the majority in a blockchain network and cannot be reversed (not without expending considerable resources). Finality is a good heuristic for comparing rollup solutions as it determines how long users must wait to withdraw funds deposited in a rollup.

You’ll often hear something about zkEVMs having “fast finality”. This simply means Ethereum finalizes transactions conducted on a zkEVM rollup—including withdrawal operations—in less time compared to regular optimistic rollups. This has significant implications such as better liquidity for investors in the decentralized finance (DeFi) industry.

Lower costs

A zkEVM rollup can choose to solely publish commitments to its final state on Ethereum L1, reducing on-chain storage costs. Since validity proofs guarantee the correctness of the zkEVM’s new state, the sequencer doesn’t have to publish all the data (including uncompressed transaction inputs) required to re-execute state transitions changes. In comparison, optimistic rollups must publish raw transaction data on L1 so honest watchers can independently compute the L2’s new state and potentially challenge invalid transitions.

What can you do with a zkEVM?

• DeFi: With low delays on withdrawals from a zkEVM rollup, traders and investors will enjoy better capital efficiency and more access to liquidity. And without the need to pay liquidity providers for faster exits, the cost savings from using DeFi on a zkEVM are bound to grow exponentially.

• NFTs: With ultra-low gas fees and high TPS (transactions per second), a zkEVM chain is perfect for minting and trading NFTs at scale. Plus, you get a better user experience when moving NFTs to Ethereum L1 since withdrawals are finalized immediately (once the on-chain verifier contract accepts the submitted proof).

• Gaming: ZkEVMs are ideal for on-chain gaming applications that process a high volume of transactions. Besides the scalability benefits described earlier, on-chain gamers pay a lower cost-per-transaction—due to the zkEVM’s data compression capabilities.

• Enterprise applications: Enterprises can leverage the zkEVM’s support for general-purpose computation to develop scalable applications for users. We should also note zkEVM rollups are well-positioned to bootstrap highly secure “Layer 3” blockchains.
  With L3 infrastructure, institutions can build application-specific blockchains that can be customized to deliver unique features. A good example is a validium that posts validity proofs to a zkEVM blockchain (which are eventually verified on Ethereum L1), but stores data off-chain to preserve privacy of users.

• Payments: A zkEVM is optimized for scale (read: this decentralized computer is blazingly fast and extremely cheap to use) and thus suited for making peer-to-peer payments and conducting institutional settlements. You also have strong finality guarantees on transactions, directly enforced by Ethereum’s highly decentralized network (500k+ validators and counting).

Linea: A zkEVM for All Seasons

Linea is an EVM-equivalent zk-rollup, with a Type 2 zkEVM as its execution engine. Developed by teams with deep experience in proving and scalability technology, Linea aims to bring the Ethereum experience to developers and users at a fraction of the cost.

As a Type 2 zkEVM, Linea prioritizes compatibility with all Ethereum applications and infrastructure above everything else. Analyzing different zkEVM designs is out of scope (Vitalk’s Type of zkEVMs treats the topic in greater detail); nevertheless, you can expect the following benefits from using the Linea zkEVM:

• Seamless integration with EVM wallets (MetaMask), developer tooling (Truffle, Remix, Brownie, Foundry, Hardhat, et al.), and critical infrastructure like node providers (Infura) and execution clients (Besu)

• A near-identical experience to that of using Ethereum—Linea uses ETH for gas payments, for example

• All the upside of an Ethereum scaling solution (low fees, near-instant confirmations, high TPS) and none of the downsides inherent in competing projects (delayed finality, high costs, and poor security)

• EVM-equivalent infrastructure for you to unlock new use cases and build novel applications while benefiting from Ethereum’s security, decentralization, and developer experience

Linea’s public testnet is already live, and we have recorded incredible levels of participation since the initial announcement. And now you too can join others in building Linea’s future:

• Are you a developer looking to build the next generation of scalable dapps with Linea? Start your journey by participating in the Linea Voyage and helping us stress-test the network. You can also check out the developer quickstart, documentation, and tutorials.

• Are you a user interested in trying out Linea? Get some ETH from the Goerli faucet, bridge funds to L2, and start using dapps on the Linea testnet. To make things easier, Linea is a default network on MetaMask—so you don’t have to manually import a new network.

Looking for more ways to contribute?

Join the conversation on Twitter, Lenster, and Discord (#linea-general channel). Contribute to Linea’s documentation. Edit the open-source zk glossary. Spread the word about the new zkEVM changing the scaling game. With your support, we can collectively build an L2 committed to the Ethereum ecosystem and aligned with the community’s principles.

To infinite scaling and beyond! 🤖⚡