1 of 25

Product Overview

2 of 25

Polygon zkEVM is the first zero-knowledge (ZK) scaling solution that’s fully equivalent to EVM:

All existing smart contracts, developer tools, and wallets work seamlessly. The zkEVM harnesses the power of ZK proofs to reduce transaction cost and massively increase throughput, all while inheriting the security of Ethereum L1.

What is Polygon zkEVM?

3 of 25

Secure Scalability

  • Transactions performed by smart contracts on L2 can be reliably verified on L1 (Ethereum) without nodes having to re-execute the operations.

Cheaper costs

  • ZK-rollups can afford to post minimal data to Ethereum because validity proofs already guarantee the trustworthiness of state transitions. ZK-rollups can make it cheaper to use dApps, like decentralized exchanges, NFT marketplaces, prediction markets, and many more.

Faster finality and capital efficiency

  • With ZK-rollups, transactions executed in the zkEVM are often finalized immediately after they are posted on Ethereum. Faster finality is great for power users, such as NFT traders, DeFi investors, or arbitrage traders who need to move around assets seamlessly (especially between L1 and L2).

Network effects

  • The most important reason for building EVM-compatible zkVMs is to leverage Ethereum's network effects. As the world's biggest smart contracts platform, Ethereum has a large ecosystem that provides value to both developers and projects.

Why Build A zkEVM?

4 of 25

Equivalence

  • Ethereum isn’t just a blockchain. It’s a rich ecosystem of smart contracts, developer tools, infrastructure, and wallets. It’s a vibrant community of developers, auditors, and users. The best way to scale Ethereum is to maintain compatibility with this ecosystem, and the zkEVM will give users and developers an identical experience to Ethereum L1 -- just with a massive scalability improvement.

Performance

  • With the proving system breakthroughs pioneered by Polygon Zero, we can achieve better performance (higher throughput, lower latency, and lower cost) than alt-L1s, optimistic rollups and other ZK rollups.

Closing Thoughts

  • Unique Value Proposition of Polygon zkEVM: EVM-Equivalence + Performance
  • Many people in crypto believed that a zkEVM was years away, and might never be practical or competitive with other ZK L2s. This was framed as an unavoidable tradeoff: we could have full EVM compatibility or high performance, but not both.

Why Polygon zkEVM?

5 of 25

What Makes Building a zkEVM So Difficult?

EVM was not designed as a friendly ZK environment

  • Cryptography in 256 bits field
  • Stack based architecture
  • Signature verification and other operations are super costly in ZK
  • Gas control for transactions execution

Building a new logical EVM processor

  • Emulation of opcodes for users
  • Polynomial outputs of user transations execution
  • EVM processor reusable from network client​

From preconfigured txs to arbitrary code execution

  • Transform all computation to polynomials
  • Validate off-chain computation according to EVM behaviour
  • state machines model to split logical validation in parts
  • Plookup to connect all validations and STARK proving​

Low friction for users, complexity comes inside

  • 500+ polynomials need to be validated on each execution
  • STARK generation needed to be very fast to be feasible
  • L1 ZKP footprint needed to be small for cost efficiency​

6 of 25

Equivalence

  • Many competitors promise EVM compatibility but run a different VM architecture that breaks existing tooling and infrastructure, meaning competitors will need to build a new ecosystem of developer tools and infrastructure from scratch.
  • By preserving compatibility with the Ethereum developer ecosystem zkEVM is building on the foundation of a vibrant community and ecosystem.

Performance

  • Polygon implemented recursive STARKs, a core building block in ZK L2s. We’ve seen huge ~100x improvements in the most expensive operations in the zkEVM: keccak, ECDSA, and recursion, over the previous state of the art.

Security

  • Using ZK proofs allows a ZK L2 to inherit the security of Ethereum. zkEVM offers higher security relative to alt-L1s.

Competitive landscape

7 of 25

Polygon zkEVM Use Cases

DeFi Applications

  • Because of Polygon zkEVM’s high security and censorship resistance nature of it, it is a good fit for Defi applications. Unlike Optimistic Roll-ups where users have to wait for upto 7 days for deposits and withdrawals, zk-Rollups doesn’t have to wait for long periods for deposits and withdrawals i.e Polygon zkEVM offers better capital efficiency for Dapps/users.

NFT, Gamefi and Enterprise Applications

  • Low gas cost, high transactions and greater level of security coupled with Ethereum composability attracts blue chip NFTs, Gamefi and Enterprise applications.

Payments

  • Users interested in transacting with each other in real-time within a near-instantaneous and low fee environment will appreciate the value Polygon zkEVM provides.

8 of 25

Want More Information?

zkEVM 1 pager (Features and Benefits)

zkEVM External FAQs

Polygon zkEVM Blog​

Polygon zkEVM website

9 of 25

Thankyou!

10 of 25

Appendix!

11 of 25

Ethereum Scaling Spectrum

Polygon aggregates several solution types which cover every type of use case

12 of 25

Polygon zkEVM features

Main features:

  • Ethereum-equivalence: all smart contracts, wallets, tools, etc work on zkEVM seamlessly.
  • Ethereum security.
  • ZKP-powered scalability, orders of magnitude higher throughput than L1.

Polygon zkEVM is an open-source zk-rollup providing EVM opcode compatibility for a frictionless user experience and the security of Ethereum

13 of 25

Polygon zkEVM benefits

Polygon zkEVM is a Layer Two (L2) scaling solution for Ethereum that leverages the scaling power of zero-knowledge (ZK) proofs while maintaining Ethereum-compatibility. Developers and users on Polygon zkEVM can use the same code, tooling, apps, etc that they use on Ethereum, but with much higher throughput and lower fees

Developers will deploy their existing contracts to the zkEVM, and users can deposit assets from Ethereum and transact off-chain. These transactions are grouped into batches with a zero-knowledge proof proving the validity of each transaction. This ensures that the operators of the zkEVM can’t steal user funds, so we can say that it inherits the security of Ethereum L1. Polygon zkEVM offers compatibility and scalability without compromise

14 of 25

zkEVM Blocks

15 of 25

Open Source https://github.com/0xPolygonHermez

Core repos:

zkEVM specific tools and libraries

generic tools and libraries

  • pilcom
  • pil-stark

16 of 25

zkEVM Prover

17 of 25

pol op = A*inA + B*inB + C*inC + D*inD + E*inE + freeIn*inFreeIn + CONST;

A’ = (op - A) * setA + A;

B’ = (op - B) * setB + B;

C’ = (op - C) * setC + C;

D’ = (op - D) * setD + D;

E’ = (op - E) * setE + E;

18 of 25

pol isZero = 1 -op * inv;

isZero * op = 0;

pol jmp = JMPIZ*isZero;

PC’ = jmp * (addr - (PC+INC)) + (PC+INC);

19 of 25

EVM Processor

ROM

RAM

Storage

  • Multiple R/W
  • 1 Access per CLOCK
  • Paged for handling Ethereum CALL contexts.
  • 32 byte alignment sub stat machine.
  • The Code that always execute the prover
  • It cannot be modified
  • Sparse Merkle Tree
  • Goldilocks Poseidon hash function
  • Single tree for the system.
  • Hashes of the smart contracts are in the tree.

20 of 25

EVM Processor

ROM

RAM

Storage

Arithmetic

Binary

Keccak

  • Operations done byte to byte with a carry from a plookup table.
    • ADD
    • SUB
    • LT & SLT
    • EQ
    • AND, OR, XOR
  • 256 bits arithmetic operations.
  • A*B + C = D*2^256 + E
  • Range check of inputs and outputs.
  • 32 CLOCKs per operation.
  • Includes EC addition formulas for ECDSA multiplication.
  • Binary circuit of ANDn and XOR. 
  • We use a plookup to do various circuits in parallel.
  • We currently can do 468 keccakf’s in the current circuit. (N = 2^23)

21 of 25

zkasm-rom

  • Ethereum Transaction processor
  • FREE Input the Transactions and the hash must match.
  • About 16 clocks per gas unit.
  • zkCounters to prevent the proof to fail (DoS).
  • Some examples:

    • Opcodes
    • RLP Processing

22 of 25

Recursion and on-chain verification

23 of 25

pil-stark

  • Automatically generates a STARK from PIL.
  • This includes:
    • A prover
    • A verifier
    • A circom circuit to verify the circuit.
  • It generates a STARK from a circom circuit.
  • So we have RECURSIVE STARK!

24 of 25

Benchmarks

In a single CPU with 64 cores (2.5$/h in AWS), a 500K gas proof takes about 5 minutes to be generated

  • Cost per TX: 0.00875$

 

  • There is still some margin to improve:
    • Coding optimizations
    • Mathematical optimizations
    • GPU / FPGA
    • Improve the design

25 of 25

Testing

  • We are using Ethereum test suit to verify the zkEVM.
  • The goal is to maintain a high level of equivalence.

  • Current status:
    • Total tests in Ethereum test suit: 13.434
    • zkEVM today passes: 3.881 tests  (29%)

  • Aiming to be close to 100% of tests that apply.