Validity Proof

A validity proof is a succinct cryptographic argument (e.g., a SNARK or STARK) that proves the correctness of a batch of transactions. This allows a single, small proof to verify massive computational work, enabling layer-2 scaling where the main chain (L1) only needs to verify the proof, not re-execute the transactions.

• Data Compression: Proofs are kilobytes in size, representing gigabytes of computation.
• Throughput: Enables thousands of transactions per second (TPS) off-chain with minimal on-chain verification cost.

The security of the system rests on cryptographic assumptions (e.g., the hardness of discrete logarithms or collision-resistant hashes) rather than economic incentives or honest majority assumptions. A validity proof provides cryptographic guarantees that a state transition is mathematically correct.

• Soundness: It is computationally infeasible to generate a valid proof for an invalid state transition.
• Trust Minimization: Users do not need to trust operators; they trust the math and the underlying blockchain for data availability.

For a validity proof to be meaningful, the input data (transaction data) it proves must be available. Data availability ensures anyone can reconstruct the state and challenge fraud if needed. Systems using validity proofs typically post this data to the L1 blockchain.

• On-Chain Data: Transaction data is published as calldata or in data availability committees (DACs).
• Verification Without Trust: With the data and the proof, anyone can verify the new state is correct.

Once a validity proof is verified on the L1, the state transition is immediately finalized for all users. There is no challenge period, unlike in fraud proof systems. This provides instant strong finality, meaning withdrawals can be processed immediately after proof verification.

• No Waiting Periods: Eliminates the 7-day withdrawal delays common in optimistic rollups.
• Universal Certainty: All observers, including bridges and exchanges, can trust the finality instantly.

Generating a validity proof is a computationally expensive process (proof generation) that requires specialized hardware or services. This creates a distinction between the prover (who creates the proof) and the verifier (the L1 contract that checks it).

• Prover Overhead: Proof generation time and cost are the primary bottlenecks for throughput and latency.
• Asymmetric Efficiency: Verification is cheap and fast, but proof creation is resource-intensive.

Some validity proof systems, particularly those using SNARKs (like Groth16, PLONK), require a trusted setup ceremony to generate public parameters. This is a one-time ritual where participants must destroy a secret "toxic waste" to ensure the system's security.

• Perpetual Security: If the ceremony is compromised, all future proofs could be forged.
• Trustless Alternatives: STARKs do not require a trusted setup, relying only on cryptographic hashes.

Permutations over Lagrange-bases for Oecumenical Noninteractive arguments of Knowledge is a universal, updatable SNARK system.

• Key Innovation: Introduces a universal and updatable trusted setup. A single ceremony can be used for any program up to a certain size, and the setup can be securely updated by new participants.
• Benefits: Reduces the overhead and risk of application-specific trusted setups. Enables efficient proof aggregation and recursion.
• Example Use: Foundational for many zkEVMs like Scroll, Polygon zkEVM, and zkSync's Boojum.

A non-interactive zero-knowledge proof protocol that is short and does not require a trusted setup.

• Key Properties: Proofs are longer and verification is slower than SNARKs, but the lack of a trusted setup is a significant security advantage. They are particularly efficient for range proofs (proving a value lies within a range).
• Primary Use Case: Originally designed for confidential transactions in Monero. Also used in some earlier scaling solutions and as a component in more complex proof systems.

Advanced techniques that combine multiple proofs into one, enabling scalability.

• Proof Aggregation: Bundles many individual transaction proofs into a single, final validity proof for a block. This amortizes the cost of on-chain verification.
• Proof Recursion: A prover generates a proof that validates the correctness of another proof's verification. This creates a proof of proofs, allowing for the creation of a single proof for an entire rollup chain's history.
• Impact: Critical for making zk-Rollups economically viable by minimizing the on-chain footprint of verification.

Zero-Knowledge Ethereum Virtual Machines are a specific application of validity proofs that generate proofs for the execution of EVM-compatible transactions.

• Goal: Provide full Ethereum equivalence (bytecode-level) or high-level language equivalence for developers, allowing them to deploy existing smart contracts with minimal changes.
• Types: Range from Type 1 (fully Ethereum-equivalent) to Type 4 (high-level language equivalence), with varying trade-offs in prover efficiency.
• Examples: zkSync Era, Scroll, Polygon zkEVM, and Starknet (with its Cairo VM) are leading implementations.

Many protocols use validity proofs for specific applications rather than general-purpose scaling. Examples include:

• dYdX: A decentralized exchange that used a ZK-Rollup (v3) for high-throughput perpetual trading.
• Immutable X: A Validium for NFT trading, using STARK proofs for validity but storing data off-chain.
• Loopring: An early ZK-Rollup protocol for decentralized exchange and payment functions. These chains demonstrate the flexibility of validity proofs for optimizing particular use cases.

A validity proof is a succinct cryptographic argument, typically a Zero-Knowledge Succinct Non-Interactive Argument of Knowledge (zk-SNARK) or zk-STARK, that proves a state transition (e.g., a batch of transactions) was executed correctly according to the rules of the underlying blockchain. The proof is generated off-chain by a prover and verified on-chain by a smart contract, requiring only the proof and minimal public data.

Validity proofs rely solely on the mathematical soundness of their underlying cryptographic primitives. The primary trust assumption is that the cryptographic algorithms (e.g., elliptic curve pairings for SNARKs, hash functions for STARKs) are secure and that the initial trusted setup ceremony (for most SNARKs) was performed correctly and is now "toxic waste"-free. If these hold, the system provides cryptographic finality.

While the proof guarantees computational integrity, two other assumptions are critical:

• Prover Liveness: At least one honest and capable prover must be available to generate proofs for new state transitions.
• Data Availability: The transaction data (calldata) for the proven batch must be published and accessible on the base layer (L1). Without it, users cannot reconstruct their state or challenge fraud, breaking the system's self-custody guarantee.

This is the fundamental security dichotomy in scaling:

• Validity Proofs (ZK-Rollups): Provide cryptographic assurance of correctness. Invalid state transitions are mathematically impossible to prove. Offers fast finality.
• Fraud Proofs (Optimistic Rollups): Assume transactions are valid but allow a challenge period (e.g., 7 days) for anyone to submit a proof of fraud. Security relies on the liveness of at least one honest verifier.

Real-world risks stem from implementation flaws, not the core cryptography:

• Verifier Contract Bugs: A bug in the on-chain verification smart contract could accept invalid proofs.
• Prover Centralization: If proof generation is centralized, it creates a liveness failure point and potential censorship risk.
• Upgrade Keys: Admin keys with the ability to upgrade the protocol's proving system or verifier contract introduce a trusted third-party risk.

Projects implement validity proofs differently:

• zkSync Era & Polygon zkEVM: Use custom zk-SNARK circuits (e.g., PLONK, Redshift) to prove EVM-compatible execution.
• Scroll: Utilizes a zkEVM architecture with a zk-SNARK-based rollup and an open-source zkEVM circuit.
• Starknet: Uses zk-STARKs, which do not require a trusted setup but generate larger proofs, trading off cost for post-quantum resistance assumptions.

The security mechanism used by Optimistic Rollups. It operates on a challenge-response model, assuming transactions are valid by default (optimistic execution) but allowing a verifier to challenge and prove fraud within a challenge period (typically 7 days).

• Contrast with Validity Proof: Fraud proofs are dispute-driven, while validity proofs are cryptographically guaranteed.
• Key Difference: Fraud proofs require at least one honest actor to be watching the chain to submit a challenge.

Zero-Knowledge Succinct Non-Interactive Argument of Knowledge. A specific, highly efficient type of zero-knowledge proof used for validity proofs.

• Succinct: Proofs are very small (a few hundred bytes) and verify in milliseconds.
• Non-Interactive: The proof is generated once and can be verified by anyone without further interaction with the prover.
• Requirement: Needs a trusted setup ceremony to generate initial public parameters, which introduces a potential trust assumption.

Zero-Knowledge Scalable Transparent Argument of Knowledge. An alternative to ZK-SNARKs that offers different trade-offs for validity proofs.

• Transparent: Does not require a trusted setup, relying only on publicly verifiable randomness.
• Scalable: Prover and verifier times scale quasi-linearly with computation size.
• Trade-off: Proof sizes are larger than SNARKs (tens of kilobytes), though still compact relative to the computation they prove.

A smart contract deployed on the base Layer 1 blockchain (e.g., Ethereum) whose sole purpose is to verify validity proofs. When a zk-Rollup sequencer submits a new batch, it includes a proof that is checked by this on-chain verifier.

• Function: Executes a fixed verification algorithm. If the proof is valid, the contract accepts the new state root.
• Critical Role: This contract is the cryptographic anchor that connects the off-chain execution of the L2 to the security of the L1.