A rollup's proof system is its cryptographic engine, responsible for generating succinct proofs that verify the correctness of off-chain execution. The choice between systems like zk-SNARKs (e.g., Groth16, Plonk) and zk-STARKs (e.g., StarkWare's Cairo) dictates fundamental properties: proof size, verification cost, trusted setup requirements, and quantum resistance. Matching this system to your rollup's design—whether it's a general-purpose ZK-Rollup like zkSync Era or an application-specific chain—is a critical architectural decision with long-term implications for security, cost, and scalability.
LABS
Guides
How to Match Proof Systems to Rollup Designs
A technical guide for developers on selecting and implementing cryptographic proof systems (ZK-SNARKs, STARKs, Validity Proofs) for optimal rollup performance, security, and cost.
Chainscore © 2026
introduction
ARCHITECTURE GUIDE
Introduction
This guide explains how to select and integrate a proof system into your rollup's architecture, covering trade-offs between SNARKs, STARKs, and validity proofs.
The core technical trade-offs are defined by a proof system's trust model and performance profile. SNARKs typically offer smaller proofs and faster on-chain verification but often require a trusted setup ceremony (like the Perpetual Powers of Tau for circuits using the KZG polynomial commitment scheme). STARKs, in contrast, are trustless and post-quantum secure but generate larger proofs, leading to higher Ethereum L1 gas costs for verification. Your rollup's transaction throughput, supported opcodes, and target cost per proof will determine which trade-off is acceptable.
Integration involves mapping your virtual machine's execution trace to an arithmetic circuit or computational trace that the prover can process. For EVM-compatible rollups, this means compiling Solidity bytecode into a circuit-friendly intermediate representation, a process handled by frameworks like Circom or Noir. The prover then executes this circuit to generate a proof, which is posted to L1. The verifier contract on Ethereum, often just a few hundred lines of Solidity, checks this proof against the new state root. This separation of prover (off-chain, computationally heavy) and verifier (on-chain, lightweight) is the essence of ZK-Rollup design.
Practical selection requires benchmarking against your specific workload. For a rollup processing simple token transfers, a Groth16 prover might be optimal for its tiny proof size. For a rollup supporting complex, smart contract logic with frequent upgrades, a universal SNARK like Plonk or a STARK system may be preferable, as they allow circuit updates without a new trusted setup. Tools like the gnark library or StarkWare's SHARP prover service provide different points on the spectrum of developer control versus managed infrastructure.
Ultimately, the proof system is not an isolated component; it influences data availability solutions, sequencer design, and economic security. A well-matched system minimizes the cost of proof verification on L1 while maintaining the security guarantees that make rollups trust-minimized. This guide will walk through evaluating these factors, from initial cryptographic primitives to final integration patterns for production deployment.
prerequisites
PREREQUISITES
How to Match Proof Systems to Rollup Designs
Selecting the optimal proof system is a foundational architectural decision for any rollup. This guide explains the key trade-offs between SNARKs and STARKs and how they align with different rollup designs.
The choice of a zero-knowledge proof system fundamentally shapes a rollup's performance, cost, and security profile. The two dominant paradigms are SNARKs (Succinct Non-interactive Arguments of Knowledge) and STARKs (Scalable Transparent Arguments of Knowledge). SNARKs, like Groth16 or Plonk, require a trusted setup but produce very small, fast-to-verify proofs. STARKs, such as those used by Starknet, are transparent (no trusted setup) and offer superior scalability for large computations, but generate larger proofs. Your rollup's design goals—whether prioritizing low on-chain verification cost, trust minimization, or high throughput—will dictate the initial direction.
For ZK-Rollups aiming for maximum cost-efficiency on Ethereum Mainnet, a SNARK-based system is often preferred. The tiny proof size (a few hundred bytes) minimizes the calldata cost of posting verification on L1. Systems like Plonk or its variants (e.g., Halo2) offer universal and updatable trusted setups, balancing efficiency with practical security. This design is exemplified by applications like zkSync Era and Polygon zkEVM. The trade-off is reliance on the cryptographic security of the trusted setup ceremony and generally more complex circuit development.
Conversely, validium or volition designs, which post data availability off-chain, can better absorb the larger proof sizes of STARKs. Here, the primary bottleneck is proving time and cost, not on-chain data. STARKs provide post-quantum security assumptions and avoid trusted setups, enhancing long-term trust assumptions. This makes them suitable for high-throughput applications where the security of the data availability layer is already a separate consideration, as seen in StarkEx-powered dApps like Immutable X and dYdX.
The computational architecture of your rollup virtual machine (VM) also dictates proof system compatibility. EVM-equivalent zkEVMs, which aim for full bytecode compatibility, generate extremely complex proof statements. This often necessitates STARKs or recursive SNARKs (where a SNARK proves another SNARK) to manage the proving workload. In contrast, native zkVMs (like Cairo or zkWASM) are designed from the ground up for ZK-proving efficiency, allowing for more flexibility in choosing a proof system that aligns with the language's inherent structure.
Ultimately, matching a proof system to your rollup involves evaluating a matrix of constraints: trust assumptions (trusted setup vs. transparency), performance (proof generation speed & size), development ergonomics (tooling, language support), and economic cost (L1 verification fees vs. prover infrastructure). There is no single best choice; the optimal system is the one that aligns with your rollup's specific trade-offs between decentralization, scalability, and compatibility.
key-concepts-text
ARCHITECTURE GUIDE
Key Concepts: Proof Systems and Rollup Types
Understanding the relationship between proof systems and rollup designs is fundamental to building and evaluating Layer 2 solutions. This guide explains how different cryptographic proofs dictate the security model, performance, and decentralization of a rollup.
Rollups scale Ethereum by executing transactions off-chain and posting compressed data back to the mainnet. The critical component that validates this off-chain execution is the proof system. The choice between a Validity Proof (like a zk-SNARK or zk-STARK) and a Fraud Proof fundamentally defines whether you are building a ZK-Rollup or an Optimistic Rollup. This decision impacts finality time, trust assumptions, and computational overhead for provers and verifiers.
ZK-Rollups rely on validity proofs (zk-SNARKs/zk-STARKs) to cryptographically prove the correctness of a state transition. Every batch of transactions includes a succinct proof that is verified by a smart contract on Layer 1. This design offers instant cryptographic finality and strong withdrawal security, as the L1 contract only accepts valid state roots. However, generating these proofs is computationally intensive, especially for general-purpose EVM execution, making them historically better suited for specific applications like payments or swaps.
Optimistic Rollups take a different approach. They assume transactions are valid by default (optimistically) and only compute fraud proofs if someone challenges a state root during a dispute window (typically 7 days). This makes them easier to implement for general-purpose EVM compatibility (Optimism, Arbitrum) but introduces a long delay for trustless withdrawals. The security model shifts from cryptographic guarantees to economic ones, relying on at least one honest validator to submit a fraud proof.
Matching a proof system to your application requires evaluating trade-offs. For a high-throughput DEX where users demand instant finality, a ZK-Rollup using a zkEVM (like zkSync Era, Polygon zkEVM, or Scroll) is ideal. For a complex DeFi protocol that requires full EVM opcode support and where users can tolerate a week-long challenge period, an Optimistic Rollup may be preferable. The proof system is not just an implementation detail; it is the core security primitive that defines the rollup's properties.
Emerging architectures like Validiums and Volitions further illustrate this interplay. A Validium uses validity proofs for integrity but stores data off-chain, trading some data availability for higher throughput. A Volition lets users choose per-transaction between a ZK-Rollup (data on-chain) and a Validium (data off-chain) mode. These designs show how the proof system can be decoupled from data availability layers to create hybrid models.
When designing a rollup, start with the proof system. Ask: What are the latency requirements? What is the cost of proof generation? Who are the provers? A system needing ultra-fast, trustless exits needs validity proofs. A system prioritizing maximum EVM compatibility and lower initial engineering complexity might start with fraud proofs. The ongoing evolution of zkEVM technology is steadily shifting the balance, making validity proofs feasible for an increasingly broad range of decentralized applications.
TECHNICAL SPECIFICATIONS
Proof System Comparison for Rollups
A comparison of key technical and economic attributes for major proof systems used in zero-knowledge and validity rollups.
| Feature | ZK-SNARKs (e.g., Groth16, Plonk) | ZK-STARKs | Validity Proofs (e.g., RISC Zero, SP1) |
|---|---|---|---|
Proof Generation Time | ~1-10 seconds | ~10-60 seconds | ~100ms - 2 seconds |
Proof Verification Cost (Gas) | ~450k gas | ~2.5M gas | ~200k - 600k gas |
Trusted Setup Required | |||
Quantum Resistance | |||
Proof Size | ~200-500 bytes | ~45-200 KB | ~10-50 KB |
Recursion Support | With custom circuits | Native | Native (for some implementations) |
Primary Use Case | Private payments, succinct verification | High-throughput scaling, transparent setup | General-purpose virtual machine execution |
decision-framework
FOUNDATIONAL DESIGN
Step 1: Define Your Rollup's Core Requirements
Before selecting a proof system, you must first define the non-negotiable requirements of your rollup. This foundational step determines which proof technologies are viable and which are not.
The choice of a proof system is a technical decision driven by your rollup's design goals. Start by specifying your core requirements across four key dimensions: throughput, finality time, decentralization, and cost. For example, a high-frequency trading DEX requires sub-second finality and massive throughput, while an NFT marketplace might prioritize low cost and high decentralization. These requirements create a constraint matrix that will filter your proof system options.
Throughput is measured in transactions per second (TPS) and is fundamentally limited by proof generation speed and data availability. A ZK-Rollup targeting 10,000 TPS needs a proof system like Plonk or STARKs that can efficiently batch thousands of transactions. Conversely, an Optimistic Rollup's throughput is bottlenecked by fraud proof window latency, not proof generation. Estimate your target TPS by analyzing expected user activity and transaction complexity.
Finality time—how long users wait for irreversible settlement—varies drastically. ZK-Rollups offer near-instant finality upon proof submission to L1, typically within minutes. Optimistic Rollups have a 7-day challenge window, delaying finality for a week. If your application involves cross-chain composability or requires quick fund withdrawal, ZK-proof finality is critical. Define your maximum acceptable finality period from the user's perspective.
Consider the decentralization of your prover network. Some proof systems like Groth16 require a trusted setup and generate proofs on powerful, specialized hardware, leading to centralization. Others, like STARKs (no trusted setup) or Plonk (universal trusted setup), enable a more decentralized prover ecosystem. Decide if you will run a centralized prover, incentivize a permissionless network, or use a service like Risc Zero or Espresso Systems.
Finally, audit your cost structure. Proof generation cost (prover time/expense) and verification cost (L1 gas fee) must be modeled. A SNARK like Groth16 has a tiny verification cost (~200k gas) but expensive proving. A STARK has higher verification cost but faster, cheaper proving. Use tools like the gnark or circom frameworks to benchmark proving times for your specific transaction logic on target hardware. Your defined requirements will directly point you toward the family of proof systems—SNARKs, STARKs, or fraud proofs—that form the basis of your rollup.
use-case-patterns
ROLLUP ARCHITECTURE
Common Use Case Patterns
Selecting the right proof system is a foundational decision for rollup design, impacting security, cost, and performance. This guide matches proof types to specific rollup use cases.
06
Choosing Based on Application Needs
Map your application's requirements directly to proof system attributes. Use this decision framework:
- Need < 1 min withdrawals? → Choose zkRollup (SNARK/STARK).
- Building a complex EVM dApp? → Start with Optimistic Rollup.
- Processing > 10k TPS? → Consider Validium or STARK-based zkRollup.
- Prioritizing lowest fixed cost? → Optimistic Rollup has cheaper state commitments.
Always benchmark proof generation costs and finality times for your specific transaction mix.
implementation-steps
ARCHITECTURAL ALIGNMENT
Step 2: Implementation and Integration Steps
This section details the practical steps for selecting and integrating a proof system into your rollup's architecture, focusing on performance, security, and developer experience.
The first implementation step is to define your rollup's data availability and execution model, as this directly dictates proof system requirements. For a ZK-Rollup with on-chain data availability (like zkSync Era), you need a proof system optimized for proving the correctness of state transitions with high throughput. For a validium or volition (like StarkEx), where data is kept off-chain, the proof must also attest to data availability commitments, often requiring different cryptographic constructions. An optimistic rollup with a fault proof (like Arbitrum Nitro) uses interactive fraud proofs, which are computationally lighter but have longer finality times.
Next, benchmark proof systems against your specific transaction profile. A rollup processing simple token transfers has different needs than one executing complex DeFi smart contracts. For general-purpose EVM compatibility, SNARKs (e.g., Groth16, PLONK) are common due to their small proof size and efficient on-chain verification, as used by Scroll and Polygon zkEVM. For computations with deep, non-uniform logic, STARKs (used by Starknet) may offer better proving performance and post-quantum security, albeit with larger proofs. Use frameworks like gnark, circom, or starknet-rs to prototype circuits for your core operations and measure proving times on target hardware.
Integrating the prover involves setting up a robust proving infrastructure. This typically requires a separate prover node service that fetches batched transactions from the sequencer, generates the proof, and submits it to the on-chain verifier contract. For SNARKs, you must manage trusted setup ceremonies (for some systems) or use universal setups (like Perpetual Powers of Tau). For STARKs, you can avoid trusted setups but must handle larger proof sizes. The architecture must also account for proof recursion (proving proofs) to aggregate multiple batches, a technique used by zkSync to reduce on-chain costs.
The on-chain verifier contract is a critical security component. It must be gas-optimized and rigorously audited. For Ethereum, write the verifier in Solidity or Yul, leveraging libraries like snarkjs for Solidity verifier generation or using pre-compiled verifiers for specific curves. The contract logic is simple: it accepts a proof and public inputs, verifies the cryptographic proof, and if valid, updates the rollup's state root. Ensure the contract includes mechanisms to handle upgradeability of the verifier logic in case of protocol improvements or security patches, often via a proxy pattern or a governance-controlled upgrade.
Finally, instrument comprehensive monitoring and fallback mechanisms. Track key metrics: proof generation time, success rate, verifier gas costs, and hardware resource utilization. Implement a fallback prover system to ensure liveness if the primary prover fails. For optimistic rollups with fraud proofs, you must also implement and test the challenge protocol, ensuring honest actors can successfully challenge invalid state roots within the challenge window. The entire system should be tested against a forked version of mainnet (e.g., using Foundry or Hardhat) to simulate real network conditions and gas costs before deployment.
ARCHITECTURE
Implementation Deep Dives by Proof System
zk-SNARKs: Succinct Non-Interactive Arguments of Knowledge
zk-SNARKs generate a succinct proof (a few hundred bytes) that can be verified in milliseconds, independent of the original computation size. This makes them ideal for high-throughput, low-cost finality rollups like zkSync Era and Polygon zkEVM. The core trade-off is the requirement for a trusted setup ceremony for each circuit, creating a one-time security assumption.
Key Implementation Steps:
- Circuit Design: Program logic (e.g., a batch of transactions) is expressed as an arithmetic circuit using a domain-specific language like Circom or Noir.
- Trusted Setup: A multi-party computation (MPC) ceremony generates the proving key and verification key for that specific circuit.
- Proof Generation (Prover): The prover runs the computation locally, using the proving key to generate a proof. This is computationally intensive.
- Proof Verification (Verifier): The on-chain verifier contract, using the tiny verification key, checks the proof's validity almost instantly.
Example: Scroll's zkEVM uses a zkEVM circuit to prove the correct execution of EVM opcode batches, enabling Ethereum-equivalent compatibility.
PROOF SYSTEM COMPARISON
Cost and Performance Breakdown
Key metrics for selecting a proof system based on rollup design priorities.
| Metric / Feature | SNARKs (e.g., Groth16, Plonk) | STARKs (e.g., StarkEx, Cairo) | Validity Proofs (e.g., zkEVM) |
|---|---|---|---|
Prover Time (Tx Batch) | 2-5 minutes | 5-15 minutes | 10-30 minutes |
Verifier Gas Cost (on L1) | ~500k gas | ~2-3M gas | ~3-5M gas |
Proof Size | ~200 bytes | ~45-100 KB | ~10-50 KB |
Trusted Setup Required | |||
Quantum Resistance | |||
Developer Tooling Maturity | High | Medium | Emerging |
Recursion Support | With custom circuits | Native | With custom circuits |
Approx. Cost per Tx (Batch of 10k) | $0.10 - $0.30 | $0.50 - $1.50 | $1.00 - $3.00 |
resource-links
ROLLUP PROOF SYSTEMS
Tools and Resources
Key tools and reference implementations for selecting and evaluating proof systems based on rollup architecture, security assumptions, and execution model.
ROLLUP PROOF SYSTEMS
Frequently Asked Questions
Common questions about selecting and implementing proof systems for different rollup architectures.
Validity proofs (e.g., ZK-SNARKs, ZK-STARKs) are cryptographic proofs that mathematically guarantee a state transition is correct. The sequencer submits a proof with each batch, and the L1 contract verifies it before accepting the new state. This provides instant finality and strong security but is computationally intensive.
Fraud proofs (used in Optimistic Rollups) assume transactions are valid by default. A "challenge period" (typically 7 days) allows anyone to submit a fraud proof if they detect invalid state transitions. This is less computationally expensive for the prover but introduces a long withdrawal delay and requires at least one honest actor to monitor the chain.
conclusion
SYSTEM DESIGN
Conclusion and Next Steps
This guide has explored the critical relationship between proof systems and rollup architectures. The next step is to apply these principles to your specific design.
Selecting a proof system is a foundational decision that dictates your rollup's security model, cost structure, and performance ceiling. The choice is rarely about finding a single "best" option, but rather the optimal fit for your application's constraints. For a high-throughput, general-purpose L2 like Arbitrum or Optimism, the balance of prover cost and fast finality offered by fraud proofs and interactive games is compelling. Conversely, a rollup for a privacy-focused application or one requiring absolute, trust-minimized finality would prioritize the cryptographic guarantees of a validity proof system like a zk-SNARK or zk-STARK, despite higher proving overhead.
To make this decision, systematically evaluate your requirements against the proof system's properties. Create a weighted checklist: What is your time-to-finality tolerance? Is proving cost or verification cost the primary economic constraint? What level of trust in centralized operators or committees is acceptable? For example, a gaming rollup might prioritize ultra-low latency and accept higher costs, pointing to a validity rollup with a specialized zkVM. A rollup for institutional asset settlement would prioritize maximal security and censorship resistance, potentially favoring the battle-tested, decentralized security of an optimistic rollup's fraud proof mechanism.
The ecosystem is rapidly evolving. Hybrid approaches and proof aggregation are emerging as next-generation solutions. Projects like EigenDA and Avail are decoupling data availability from execution, which changes the security calculus for all rollups. New proof systems, such as Plonky2 and Boojum, are reducing zk-proof generation times and costs. Stay informed by following research from teams like Ethereum Foundation, StarkWare, zkSync, and Arbitrum. Engage with their documentation and testnets to understand the practical implementation trade-offs.
Your next practical steps should involve prototyping. Use development frameworks like the OP Stack (for optimistic rollups) or ZK Stack (for zkSync) to bootstrap a testnet. For validity proofs, experiment with zk-friendly VMs and DSLs like Cairo (StarkNet) or Zinc (zkSync). Benchmark critical metrics: transaction throughput, end-to-end latency from submission to finality on L1, and the actual cost in gas to post proofs or challenges. This data will validate your theoretical design choices against real-world blockchain economics.
Finally, remember that rollup design is iterative. Start with a minimal viable architecture that meets your core security and functional needs. You can initially use a permissioned prover or a smaller committee to simplify deployment, with a clear roadmap to decentralize these components. The goal is to launch a secure, functional system and evolve its proof mechanism alongside advancements in the underlying cryptography and Ethereum's own roadmap, including future EIPs that will further optimize rollup efficiency.