Cross-chain Asset Transfer Without a Bridge - Part Two
Jeroen van de Graaf
Sep 17, 2024
Share on

What constitutes a proof of transaction?

This depends on the type of transaction; see Table.

Type of Transaction Proof of Transaction
Intralayer L1-L1 A smart contract on L1 has direct access to its L1 transaction. So txId serves as a proof-of-transaction.
Intralayer L2-L2 A smart contract on L2 has direct access to its L2 transaction. So txId serves as a proof-of-transaction.
Interlayer L1-L2 (deposit) A smart contract on L2 has indirect access to L1 and its transaction, and the rollup smart contract can communicate the information. So txId serves as a proof-of-transaction.
Interlayer L2-L1 (redeem) A smart contract on L1 does not have direct access to its L2 transaction, since the data is compressed and the stateRoot is a hash. So it needs a zk proof from SEQ/valPROVER.

Key Observation: Other Uses of the zkVM

ZK Attestation About the Correctness of the Rollup Data

As stated earlier, in a zkRollup, by applying verifiable computing on \( \text{STF} \), it is shown that L2 indeed computed \( \text{newState}_2 = \text{STF}(\text{oldState}_2, \text{txBatch}) \) correctly from oldState₂ and txBatch. However, the fact that the Sequencer has access to a zkProver means that the latter can issue verifiable statements, or attestations, about the state of the rollup data in the form of zkProofs. Examples include:

  • ZK Attestation About Layer 2 and the Rollup Data on L1:
    • Produce a proof of transaction for some specific asset transfer on the rollup. For instance, it can issue a zkProof that "Block 73 contains: AssetTransfer(X₂, RollupAcc₂, 25 BTC)." In this case, the rollup smart contract on L1 is the targeted verifier.
    • Produce a balance statement related to some L2 account: "At Block 73, \( X_2 \) has 255 ETH in his account."

Now observe that these statements are all relative to L2 and the rollup. But here comes the real twist!

  • ZK Attestation About Layer 1:
    • Remember Mina? It uses linear recursive proofs to seal all the information on its blockchain—an infinitely growing structure—down to a constant size. How does this work? One knows the genesis block and what constitutes a valid transaction, which can be captured and verified using zkProofs. By using proof recursion, one can guarantee that proof size does not increase.

But note that Mina started before zkVMs existed, so specific SNARKs had to be developed to make this idea work. With zkVMs, the development of this mechanism is much faster.

Note that these zkProofs are like certified checks. By sending them to other chains, cross-chain transfers become possible (see below).

Cross-chain Asset Transfer — Horizontal Bridge

\( A_1 - B_1 \)

Suppose we want to transfer assets from A Layer 1 to B Layer 1; for concreteness, let's use Avalanche and ETH as an example. Since we have two different main chains, an atomic transaction is out of the question, so we resort to first-destroy-then-create.

But how can one convince the ETH blockchain that some asset destruction transaction TX on Avalanche has taken place? Neither main chain has any reason to trust information coming from outside. However, both will accept a full zkProof that some transaction was finalized on the other chain.

There are two strategies for this:

1 -- Backward zkProof-of-Transaction: Suppose a smart contract on Ethereum has the Avalanche genesis block hard-coded in it. Then one can do the following: the transaction data (\( TX \)) is sent to a zkProver who, using recursive proof techniques à la Mina, produces a zkProof. The \( TX \) and the zkProof are sent to the smart contract, which verifies and accepts them. This zkProof functions like a certified check, proving that some asset has been destroyed, thus authorizing the creation of an equivalent value on the other chain. In this way, we implement cross-chain asset transfer from Avalanche to Ethereum, essentially what a bridge does, but without the need for an intermediate entity.

2 -- Forward zkProof-of-Transaction: Say \( TX \) is included in block \( M \). We wait \( N \) blocks, where \( N \) is sufficiently large to guarantee that no rollback has occurred. The hash of block \( M + N \) is included in the proof-of-transaction. The zkProver, who understands the logic of the Avalanche blockchain, produces a validity proof showing that:

  • \( \text{TX} \) is included in \( \text{Block}[M] \)
  • \( \text{Hash}[M] \) was computed correctly
  • \( \text{Hash}[M+N] \) was computed correctly

The reason this constitutes a zkProof that TX has been settled is simple: falsifying such a proof would be equivalent to developing an alternative fork of Bitcoin, which, by assumption, is impossible.

So, like the above example, this zkProof functions as a certified check, proving that an asset has been destroyed, allowing it to be redeemed elsewhere—i.e., cross-chain asset transfer.

Observe that the use of zkProofs here is unrelated to the rollup; it only takes advantage of the existence of a zkVM. Also, the VM on the receiving chain must be powerful enough to support a zkProver. In the case of Bitcoin, this is not true, which requires very specific solutions.

This article was written by Jeroen van de Graaf, Senior Cryptographer at ZKM. Part Three of the series will explore the applications of the Entangled Rollup in more detail.

More articles
Hello World June Newsletter
zkGM and welcome to the June edition of the ZKM Newsletter ☀️.
ZKM
Jun 14
zkMIPS: What “Security” Means for Our zkVM’s Proofs (Part 2)
Now that we have described the broader questions of ZK proofs security, let’s continue with Question 2. In the analysis of a two-party
ZKM
Aug 10
Cross-chain Asset Transfer Without a Bridge - Part Two

What constitutes a proof of transaction?

This depends on the type of transaction; see Table.

Type of Transaction Proof of Transaction
Intralayer L1-L1 A smart contract on L1 has direct access to its L1 transaction. So txId serves as a proof-of-transaction.
Intralayer L2-L2 A smart contract on L2 has direct access to its L2 transaction. So txId serves as a proof-of-transaction.
Interlayer L1-L2 (deposit) A smart contract on L2 has indirect access to L1 and its transaction, and the rollup smart contract can communicate the information. So txId serves as a proof-of-transaction.
Interlayer L2-L1 (redeem) A smart contract on L1 does not have direct access to its L2 transaction, since the data is compressed and the stateRoot is a hash. So it needs a zk proof from SEQ/valPROVER.

Key Observation: Other Uses of the zkVM

ZK Attestation About the Correctness of the Rollup Data

As stated earlier, in a zkRollup, by applying verifiable computing on \( \text{STF} \), it is shown that L2 indeed computed \( \text{newState}_2 = \text{STF}(\text{oldState}_2, \text{txBatch}) \) correctly from oldState₂ and txBatch. However, the fact that the Sequencer has access to a zkProver means that the latter can issue verifiable statements, or attestations, about the state of the rollup data in the form of zkProofs. Examples include:

  • ZK Attestation About Layer 2 and the Rollup Data on L1:
    • Produce a proof of transaction for some specific asset transfer on the rollup. For instance, it can issue a zkProof that "Block 73 contains: AssetTransfer(X₂, RollupAcc₂, 25 BTC)." In this case, the rollup smart contract on L1 is the targeted verifier.
    • Produce a balance statement related to some L2 account: "At Block 73, \( X_2 \) has 255 ETH in his account."

Now observe that these statements are all relative to L2 and the rollup. But here comes the real twist!

  • ZK Attestation About Layer 1:
    • Remember Mina? It uses linear recursive proofs to seal all the information on its blockchain—an infinitely growing structure—down to a constant size. How does this work? One knows the genesis block and what constitutes a valid transaction, which can be captured and verified using zkProofs. By using proof recursion, one can guarantee that proof size does not increase.

But note that Mina started before zkVMs existed, so specific SNARKs had to be developed to make this idea work. With zkVMs, the development of this mechanism is much faster.

Note that these zkProofs are like certified checks. By sending them to other chains, cross-chain transfers become possible (see below).

Cross-chain Asset Transfer — Horizontal Bridge

\( A_1 - B_1 \)

Suppose we want to transfer assets from A Layer 1 to B Layer 1; for concreteness, let's use Avalanche and ETH as an example. Since we have two different main chains, an atomic transaction is out of the question, so we resort to first-destroy-then-create.

But how can one convince the ETH blockchain that some asset destruction transaction TX on Avalanche has taken place? Neither main chain has any reason to trust information coming from outside. However, both will accept a full zkProof that some transaction was finalized on the other chain.

There are two strategies for this:

1 -- Backward zkProof-of-Transaction: Suppose a smart contract on Ethereum has the Avalanche genesis block hard-coded in it. Then one can do the following: the transaction data (\( TX \)) is sent to a zkProver who, using recursive proof techniques à la Mina, produces a zkProof. The \( TX \) and the zkProof are sent to the smart contract, which verifies and accepts them. This zkProof functions like a certified check, proving that some asset has been destroyed, thus authorizing the creation of an equivalent value on the other chain. In this way, we implement cross-chain asset transfer from Avalanche to Ethereum, essentially what a bridge does, but without the need for an intermediate entity.

2 -- Forward zkProof-of-Transaction: Say \( TX \) is included in block \( M \). We wait \( N \) blocks, where \( N \) is sufficiently large to guarantee that no rollback has occurred. The hash of block \( M + N \) is included in the proof-of-transaction. The zkProver, who understands the logic of the Avalanche blockchain, produces a validity proof showing that:

  • \( \text{TX} \) is included in \( \text{Block}[M] \)
  • \( \text{Hash}[M] \) was computed correctly
  • \( \text{Hash}[M+N] \) was computed correctly

The reason this constitutes a zkProof that TX has been settled is simple: falsifying such a proof would be equivalent to developing an alternative fork of Bitcoin, which, by assumption, is impossible.

So, like the above example, this zkProof functions as a certified check, proving that an asset has been destroyed, allowing it to be redeemed elsewhere—i.e., cross-chain asset transfer.

Observe that the use of zkProofs here is unrelated to the rollup; it only takes advantage of the existence of a zkVM. Also, the VM on the receiving chain must be powerful enough to support a zkProver. In the case of Bitcoin, this is not true, which requires very specific solutions.

This article was written by Jeroen van de Graaf, Senior Cryptographer at ZKM. Part Three of the series will explore the applications of the Entangled Rollup in more detail.

Home
Team
whitepapers
BLOG
docs
EVENTS
CONTACT
Brand Guideline
Brand Assets
Terms and Conditions
Privacy Policy for ZKM