In a zero-knowledge (ZK) system, state refers to the persistent data that a program or smart contract operates on, such as account balances, NFT ownership, or game scores. Unlike traditional blockchains where state is stored on-chain and publicly visible, ZK systems often keep this data off-chain in a commitment—a cryptographic fingerprint. The core challenge is designing storage that allows a ZK proof to efficiently verify state transitions (e.g., a valid token transfer) without the prover needing to reveal the entire state history. This alignment is critical for scalability and privacy in ZK rollups, co-processors, and private applications.
LABS
Guides
How to Align State Storage With ZK Systems
A technical guide for developers on designing state storage architectures compatible with zero-knowledge proof systems like ZK rollups.
Chainscore © 2026
introduction
ARCHITECTURE
Introduction to State Storage for ZK Systems
Zero-knowledge systems require specialized state management to prove computations without revealing underlying data. This guide explains the core principles and trade-offs.
The most common primitive for ZK-friendly state is the Merkle tree, particularly binary and sparse Merkle trees (SMTs). A Merkle tree hashes data leaves into a single root hash, which serves as a compact commitment. To prove membership or non-membership of a value, you only need a Merkle proof—a path of sibling hashes—not the whole tree. For example, ZK rollups like zkSync and StarkNet use Merkle trees to commit to user balances. A proof can show that a user had sufficient funds before a transaction by providing the Merkle path to their leaf, with all other account data remaining hidden.
However, standard Merkle trees have a significant overhead inside a ZK circuit. Verifying a Merkle proof requires many hash computations, which are expensive in proof generation. Optimizations are essential: Poseidon and Rescue are ZK-friendly hash functions designed for efficiency in arithmetic circuits. Sparse Merkle Trees are often preferred because they provide efficient proofs of non-membership, crucial for default-empty states. Libraries like circomlib and crypto3 provide circuit-optimized implementations of these data structures to manage this complexity for developers.
Beyond simple trees, advanced state models are emerging. Verkle trees, which use vector commitments, can drastically reduce proof sizes. Plasma-style state channels commit to state updates in batches. The choice depends on your application's needs: - Frequency of updates (high-throughput vs. static data) - Proof size constraints (on-chain verification cost) - Privacy requirements (full concealment vs. public state). For instance, an on-chain game might use an SMT for player inventories, while a private voting app might require more sophisticated cryptographic accumulators.
Implementing this requires careful architecture. A typical stack involves an off-chain state tree manager (written in a conventional language like Rust or Go) that calculates new roots, and an on-chain verifier contract that checks proofs against the known root. The ZK circuit logic must mirror the state update logic exactly. Developers can use frameworks like Noir or Circom to define the circuit that takes the old root, a Merkle proof, and transaction data as private inputs, and outputs a new, valid state root as a public output, ensuring the state transition is correct.
prerequisites
FOUNDATIONAL CONCEPTS
Prerequisites for ZK State Storage Development
Building state storage for zero-knowledge systems requires a specific technical foundation. This guide outlines the core concepts and tools you need to align your data layer with ZK constraints.
Zero-knowledge proofs (ZKPs) operate on a fundamentally different computational model than traditional web servers. Instead of processing raw data, a ZK system proves statements about that data. This means your state storage layer must be designed for verifiability and determinism. Data must be structured so that a prover can efficiently generate a proof about its state transitions, and a verifier can check that proof without accessing the underlying data. Common patterns include using Merkle trees for commitments and organizing data into sparse Merkle trees or append-only logs to minimize proof generation costs.
A deep understanding of cryptographic primitives is non-negotiable. You must be comfortable with hash functions (like Poseidon or SHA-256), elliptic curve cryptography (particularly pairing-friendly curves like BN254 or BLS12-381), and the concept of commitment schemes (e.g., Pedersen commitments, KZG polynomial commitments). These are the building blocks for representing state. For instance, storing a user's balance in a ZK-rollup isn't about storing the number 100; it's about storing a leaf in a Merkle tree whose root hash commits to all balances, allowing you to prove inclusion of that 100 in the global state.
Your development environment needs specialized tooling. Familiarity with ZK domain-specific languages (DSLs) is crucial. Circom is used for defining arithmetic circuits, while Noir offers a more developer-friendly syntax. For smart contract integration, you'll work with verifier contracts written in Solidity or Cairo. Setting up a local proving stack, such as snarkjs for Groth16/PLONK proofs or rapidsnark for faster proving, is a key prerequisite. You should be able to compile a circuit, generate a witness, and create a proof as part of your storage layer's update logic.
Finally, you must adopt a circuit-constrained mindset. Every state transition or storage query you want to prove must be expressible as a set of arithmetic constraints. Operations that are trivial in a database, like arbitrary string searches or non-deterministic floating-point math, become prohibitively expensive or impossible in a ZK circuit. Your data schema and access patterns must be designed upfront for this model, often favoring indexed lookups, fixed-size data types, and operations that minimize the number of constraints to keep proving times and costs manageable.
key-concepts-text
ZK SYSTEM FUNDAMENTALS
Key Concepts: State, Proofs, and Data Availability
Understanding how state is stored, proven, and made available is critical for designing and interacting with zero-knowledge rollups and validity proofs.
In blockchain systems, state refers to the current snapshot of all account balances, smart contract code, and storage variables. For ZK systems like rollups, this state is typically maintained off-chain. The core challenge is ensuring this off-chain state can be cryptographically proven to be correct and is available for anyone to reconstruct it. This triad—state management, proof generation, and data availability—forms the foundation of secure and scalable Layer 2 solutions. Misalignment between these components is a primary source of security vulnerabilities.
Validity proofs, specifically zk-SNARKs or zk-STARKs, are the mechanism that aligns off-chain state with the base layer (Layer 1). A prover (e.g., a rollup sequencer) executes a batch of transactions, computes the new state root, and generates a cryptographic proof. This proof attests that the state transition from root S_n to S_{n+1} was executed correctly according to the protocol's rules, without revealing the transaction details. The verifier (a smart contract on L1) checks this proof cheaply, accepting the new state root as valid.
Data Availability (DA) is the guarantee that the transaction data needed to compute the state is published and accessible. Without the raw data, even with a valid proof, users cannot independently verify state transitions or rebuild the state if the sequencer fails. Solutions include posting calldata to Ethereum (expensive but secure), using data availability committees (DACs), or leveraging dedicated DA layers like Celestia or EigenDA. The chosen DA strategy directly impacts security, cost, and decentralization.
To align storage with proof systems, developers must architect state trees for efficient proof generation. Using a sparse Merkle tree or Verkle tree for state storage allows provers to generate inclusion/exclusion proofs for specific accounts with minimal computational overhead. The state transition logic, encoded in a circuit, must be designed to efficiently verify updates to this tree. Libraries like circom or Halo2 are used to define these constraints, ensuring the proof can attest to the correct application of business logic against the state tree.
A practical example is a zkRollup for an AMM. The state tree stores each user's balance and pool reserves. The circuit logic proves that for a swap transaction: the user had sufficient input tokens, the constant-product formula was applied correctly to calculate output, fees were deducted, and the new balances were computed. The proof validates this entire sequence. The corresponding transaction data (sender, amount, pool ID) must be published to a DA layer, allowing anyone to challenge the sequencer or reconstruct the state from scratch.
storage-architectures
ARCHITECTURE GUIDE
ZK State Storage Architecture Patterns
Zero-knowledge systems require specialized state management. This guide covers proven patterns for storing and proving state in ZK rollups, coprocessors, and privacy applications.
03
State Trees for ZK Proofs
Using cryptographic accumulators like Merkle or Verkle trees to commit to state. The root is stored on-chain, while proofs verify inclusion.
- Sparse Merkle Trees: Standard for rollup state (e.g., zkSync). Enable efficient non-membership proofs.
- Verkle Trees: Proposed for Ethereum, use vector commitments for smaller proof sizes (~1 KB vs. ~1 MB for Merkle).
- Proof Overhead: Every state update requires generating a ZK-SNARK/STARK proof of the new root, which is the primary computational cost.
04
Stateless Clients & Witnesses
Clients do not store full state; they receive a witness (a Merkle proof) alongside transactions to validate state transitions.
- Witness: Contains all the data needed to prove the pre-state and compute the post-state.
- ZK Rollup Provers: Act as stateless clients. They take a witness and old state root, execute transactions, and output a proof of the new root.
- Benefit: Dramatically reduces the data a prover must hold, shifting storage burden to data availability layers.
06
Choosing a Storage Pattern
Selecting an architecture depends on security needs, cost, and throughput.
- High Security / Low Cost: Rollup (On-Chain Data).
- High Throughput / Medium Trust: Validium (Data Committee).
- Pure Privacy / High Trust: ZK Rollup with Private State (e.g., Aztec).
- Key Trade-off: The Data Availability (DA) layer is the primary security vs. scalability lever. Less secure DA (committees) enables >20,000 TPS.
ZK SYSTEM INTEGRATION
Data Availability Layer Comparison
Comparison of primary data availability solutions for zero-knowledge rollups and validity proofs.
| Feature / Metric | Ethereum (calldata) | Celestia | EigenDA | Avail |
|---|---|---|---|---|
Data Availability Guarantee | Full Ethereum consensus | Data availability sampling | Restaking security pool | Validity proofs & KZG |
Cost per MB (approx.) | $800-1200 | $2-5 | $0.5-2 | $1-3 |
Throughput (MB/sec) | ~0.06 | ~50 | ~100 | ~15 |
Finality Time | 12-15 minutes | ~15 seconds | ~5 minutes | ~20 seconds |
ZK Proof Verification | ||||
Fault Proofs | ||||
Decentralization | Very High | High | Medium | High |
Mainnet Launch | 2015 | 2023 | 2024 | 2024 |
implementation-steps
ARCHITECTURE
Implementation Steps for a ZK Rollup State Manager
This guide details the process of designing a state manager that efficiently aligns with the cryptographic proofs of a ZK rollup, ensuring data integrity and availability.
A ZK rollup state manager is responsible for maintaining the canonical state of the L2 chain—such as account balances and smart contract storage—in a way that is verifiable by the L1 settlement layer. Unlike an optimistic rollup, which posts full transaction data and assumes honesty, a ZK rollup posts a succinct zero-knowledge proof (like a zk-SNARK or zk-STARK) that cryptographically attests to the correctness of a batch of state transitions. The state manager's core challenge is to store data off-chain while guaranteeing its availability and consistency with the proofs posted on-chain. This requires a tight coupling between the state tree (typically a Sparse Merkle Tree or Verkle Tree), the proof system, and the data availability layer.
The first implementation step is to define the state tree structure. A Sparse Merkle Tree (SMT) is commonly used because its empty leaves have a known, constant hash (usually zero), allowing for efficient proofs of non-inclusion. Each leaf represents a piece of state, such as an account's storage slot. The root of this tree becomes the state root, a single 32-byte commitment representing the entire rollup state. This root must be updated and published with every new batch. Libraries like @openzeppelin/merkle-tree in JavaScript or circomlib's SMT implementation in Circom can be used to construct and manage this tree. The prover circuit must be designed to take the old state root, a set of transactions, and the new state root as private inputs, and prove the transition is valid.
Next, you must implement the state update and proof generation pipeline. When a batch of transactions is sequenced, the state manager computes the new SMT root by applying each transaction. This involves:
- Fetching the current leaf values for affected accounts from the database.
- Calculating the new leaf values after the transaction logic.
- Updating the SMT and computing the new root. The critical step is feeding the pre-state root, post-state root, and the Merkle proofs for the modified leaves into the ZK circuit. The circuit logic verifies that for each transaction, the old Merkle proof is valid against the old root, the state transition follows the rules (e.g., sufficient balance), and the new proof is valid against the new root. A successful proof confirms the integrity of the entire batch without revealing the transaction details.
Finally, the system must handle data availability to allow users to reconstruct the state. While the proof validates the transition, the actual transaction data (calldata) must be published. The standard method is to post the compressed batch data to Ethereum calldata or, post-EIP-4844, to blob storage. The state manager must index this data and make it accessible for any participant to sync the rollup state from genesis. Furthermore, a challenge mechanism for data withholding must be considered, often implemented as a permissionless service that allows anyone to submit a fraud proof if specific data is unavailable, forcing the sequencer to publish it or face slashing. This completes a robust state management system that is both trust-minimized and scalable.
IMPLEMENTATION PATTERNS
Code Examples: State Commitment and Proof Verification
On-Chain Verification Contract
This example shows a simplified Solidity interface for a verifier contract, such as those used by Scroll, zkSync Era, or Polygon zkEVM. The verifier checks a ZK proof against public inputs that include state roots.
solidity// SPDX-License-Identifier: MIT pragma solidity ^0.8.19; interface IZkVerifier { /// @notice Verifies a zero-knowledge proof. /// @param proof The serialized zk-SNARK proof bytes. /// @param publicInputs An array of public inputs to the verification. /// @return True if the proof is valid, false otherwise. function verifyProof( bytes calldata proof, uint256[] calldata publicInputs ) external view returns (bool); } contract StateBridge { IZkVerifier public verifier; bytes32 public l2StateRoot; constructor(address _verifier) { verifier = IZkVerifier(_verifier); } /// @notice Updates the stored L2 state root after verifying a proof. /// @param newStateRoot The new Merkle root committing to L2 state. /// @param proof The ZK proof for the state transition batch. function updateStateWithProof( bytes32 newStateRoot, bytes calldata proof ) external { // Public inputs: [oldStateRoot, newStateRoot] uint256[] memory publicInputs = new uint256[](2); publicInputs[0] = uint256(l2StateRoot); publicInputs[1] = uint256(newStateRoot); require( verifier.verifyProof(proof, publicInputs), "StateBridge: Invalid ZK proof" ); // State update is verified, commit the new root. l2StateRoot = newStateRoot; } }
The updateStateWithProof function is a critical security checkpoint. It ensures the new l2StateRoot is only accepted after a valid ZK proof confirms the entire batch of transactions leading to it is correct.
ZK STATE MANAGEMENT
Common Implementation Challenges and Solutions
Aligning application state with zero-knowledge proof systems introduces unique technical hurdles. This guide addresses frequent developer questions and provides solutions for managing state in ZK environments.
This is a state synchronization error. A ZK proof is a cryptographic snapshot of a computation at a specific block or state root. If the underlying data (e.g., a Merkle root in a smart contract) changes after the proof is generated but before it's verified, the verification will fail because the public inputs no longer match.
Solution: Implement a state commitment pattern. Use a provable data structure like a Merkle tree or a Verkle tree. Your circuit's public input must be the exact state root used during witness generation. The verifying contract must then check the proof against a stored, historical root or enforce that the proven root is an ancestor of the current state.
solidity// Example: Verifying against a historical Merkle root function verifyAndApply(bytes32 _stateRoot, Proof calldata _proof) public { require(_stateRoot == historicalRoots[block.number - 1], "Root mismatch"); require(verifier.verifyProof(_proof, [_stateRoot]), "Invalid proof"); // Apply state changes... }
resource-links
ZK STATE DESIGN
Essential Tools and Documentation
Tools and references that help developers align state storage layouts, access patterns, and verification logic with zero-knowledge proving systems. These resources focus on making state transitions provable, efficient, and compatible with modern ZK circuits.
DEVELOPER FAQ
Frequently Asked Questions on ZK State Storage
Common questions and technical troubleshooting for developers integrating state storage with zero-knowledge proof systems like zkEVMs, zkRollups, and zkVMs.
In ZK systems, on-chain state refers to data permanently committed to the L1 blockchain (e.g., Ethereum), typically as a hash in a smart contract. This is the source of truth. Off-chain state is the full, mutable data managed by the prover (sequencer/operator), which is never published directly to L1.
The core relationship is defined by a state commitment, like a Merkle root. The prover updates the off-chain state and generates a ZK proof that the new state root is a valid transition from the previous on-chain root, according to the rules of the VM. Users only need the on-chain root and the proof to verify correctness, not the entire state data. This separation is why ZK rollups can scale: computation and storage happen off-chain, with only tiny proofs and commitments posted on-chain.
conclusion
KEY TAKEAWAYS
Conclusion and Next Steps
Aligning state storage with ZK systems is a foundational task for building scalable, verifiable applications. This guide has outlined the core principles and patterns.
Effectively aligning state storage with ZK systems requires a shift in mindset from traditional database design. The primary goal is to structure data so that its integrity and transitions can be efficiently proven. This often involves merkleization—representing state as a Merkle tree where the root hash becomes the single, succinct commitment. Storage operations must be designed as state transitions that can be expressed within a ZK circuit, using tools like incremental merkle trees in Circom or Sparse Merkle Trees in Cairo. The choice between storing data on-chain (as calldata, in a smart contract) or off-chain (with a commitment posted on-chain) is critical and depends on your application's cost, latency, and data availability requirements.
To move from theory to implementation, start by defining your state model and the proofs you need. For a rollup, this means specifying the structure of your state tree and the format of your transactions. Use established libraries like circomlib for Circom circuits or the starkware-crypto-utils for Cairo to handle cryptographic primitives. Implement a state transition function within your circuit or program that takes the previous state root, a set of valid transactions, and outputs a new state root and a ZK proof. Your off-chain prover will execute this, while your on-chain verifier contract (written in Solidity for EVM chains) will check the proof and update the canonical state root.
The next step is to explore advanced optimization techniques. Consider parallel proof generation to handle high throughput and recursive proof aggregation to reduce on-chain verification costs. Investigate specialized data structures like Verkle trees for more efficient proofs or Plonky2 for fast recursive proving. It's also essential to integrate robust data availability solutions, ensuring the underlying state data is accessible for reconstruction, which is a security requirement for validiums and volitions.
For further learning, engage with the developer communities and documentation of leading ZK toolchains. Study the source code of production systems like Starknet's state model, zkSync Era's storage design, or Polygon zkEVM's bridge architecture. Experiment with frameworks like Noir for more accessible ZK development. The field evolves rapidly, so following research from teams like Ethereum Foundation, zkSecurity, and a16z crypto will keep you informed of new storage paradigms and cryptographic improvements essential for building the next generation of verifiable applications.