In August last year we released Zeth, the first Type-1 zkEVM built using the RISC Zero zkVM, which allowed developers to enshrine EVM execution in ZK. Then this year in May we upgraded Zeth to support Optimistic rollups as part of the Optimism Foundation’s RFP, empowering developers to generate validity proofs that consecrate rollup derivation in zero-knowledge.
Today, we’re announcing Kailua, a software suite for upgrading optimistic rollups to Hybrid ZK rollups, with its first implementation backed by Optimism’s Kona rollup state transition engine. Kailua not only transparently executes Kona unmodified in the zkVM, but introduces its own novel fault proof game that advances the current state-of-the-art in dispute resolution by reducing collateral requirements and finality delays!
Not to be confused with the town in the Hawaiian district of Kona, Kailua is a suite of tools and contracts to migrate rollups from long interactive fault proving systems to short non-interactive ZK fault proofs generated using the RISC Zero zkVM. Its main components are:
Note: The minimum OP stack version required to use Kailua is V1.4 because it leverages the DisputeGameFactory contract instead of the deprecated L2OutputOracle contract.
Kailua’s dispute game combines zero-knowledge proving with the optimistic rollup paradigm in a novel hybrid system that improves security and performance while reducing operational costs and finality delays! This is summarized in the table below:
ㅤ | Optimistic Rollups | ZK Rollups | Hybrid Rollups (Kailua) |
Collateral for N Challenges | N deposits | N/A | 1 deposit |
Collateral for N Proposals | N deposits | N/A | 1 deposit |
Cost of proposing N blocks | 1 transaction | 1 transaction
| 1 transaction
|
Maximum cost of challenging an N block proposal | D + log(N) transactions
D is max comp. depth | N/A | 3 transactions
|
Minimum Finality Delay for an N block proposal | D + log(N) timeouts
| N proof times | 1 timeout
|
Unlike ZK Rollups, Kailua’s hybrid paradigm permits rollups not only to operate normally without worrying about constant proving costs and times, but also to relieve their users of any added costs for proving, which add up and become non-negligible in cases where:
In Kailua’s novel design, the costs to resolve a dispute using ZK are fully borne by the dishonest parties, whether they are a faulty proposer or validator!
A rollup using Kailua can safely maintain its security while outsourcing any proving workloads! This is because Kailua validators can still issue the necessary challenge transactions to ensure the safety of their rollups even before having computed the proofs to justify them. Consequently, this means that instead of worrying about setting up potentially complex and expensive proving infrastructure, Kailua Hybrid Rollups can depend on decentralized proving market infrastructure like RISC Zero’s Boundless in times of need with safety and liveness guarantees for their proof requests!
Reduced running operational costs compared to ZK Rollups are great, but it gets better! Kailua also reduces the collateral costs required to run a rollup from “linear in the number of proposals/challenges” down to constant! This means that even under long finality periods, the minimum collateral required by honest parties to sustain the security and liveness of the system can be reduced by orders of magnitude from tens of thousands down to hundreds (in USD)!
First, let’s recap the core mechanic behind current rollup dispute games. Truebit’s bisection game introduced the ability to resolve disputes on the result of a long deterministic computation through repeated rounds of challenge-response interactions. This mechanism has been the foundation of security in optimistic rollups, which grant a time-sensitive opportunity for playing the game to ensure the integrity of the second-layer ledger. The time-sensitivity ensures the liveness of the rollup, but carries a risk towards its safety, as honest players in the bisection game might not make their moves on time, or might not have enough funds to play as many instances of the game as can dishonest players. However, its underlying cryptographic assumptions are minimal, which made it a very practical choice.
The rules for playing dissection-based dispute games involve several kinds of “timeout” periods granted to players to make moves. The most notable two are:
These two timeouts contribute to what’s commonly referred to the “Finality Period”. In current designs, an attacker could sacrifice its own collateral to trigger the latter timeout several times, potentially even exhausting the resources of the defenders. This attack vector has been central to the security of rollups, including Arbitrum, which is currently adopting a new dispute protocol (BoLD) that aims to provably set a constant upper-bound of ~6.3 days on the timeout for open disputes.
Spoiler: Kailua reduces this timeout to a little as an hour! And removes the potential for resource-exhaustion attacks!
Zero-knowledge proofs can be used in lieu of the bisection game as a non-interactive mechanism to resolve any disputes on the state of the rollup. This one-shot nature means that the time allotted for dispute resolution can be greatly reduced to just the time needed for proving a single block!
While such a shift in mechanics might sound reasonable, it’s still not an optimal introduction of ZK into the optimistic dispute game! Instead of requiring proofs only to demonstrate that a proposed rollup state is invalid, one could also leverage zk proofs to demonstrate validity, even in an optimistic setting! With the duality of proofs in mind, Kailua only requires challengers to signal their “intent” to dispute a proposal, preventing the finalization of that proposal until either a fault or validity proof is submitted to refute either the challenger or the proposer, and remove their respective actions from play. Consequently, this allows Kailua to relieve the rollup from worrying about proving times potentially not being as short as the latter timeout.
But not only does Kailua do away with long finality delays due to interactive challenge-response transactions, but it also does away with much of the collateral required for maintaining rollups! Players in the bisection game have to stake separate pieces of collateral in each instance of the game they play. This is mainly due to the fact that a player can lose in a game instance due to simply not responding on time, which tells nothing of their honesty in general. Remarkably, Kailua overcomes this limitation with ZK disputes! In Kailua, if a player challenges a proposal, and that proposal later gets proven valid, then Kailua disqualifies that player due to their proven dishonesty! This simple change means that challengers now only need to put up collateral to take on the role of a challenger, and then issue as many challenges as needed, rather than put up separate collateral per challenge or game. Remarkably, the same collateral reduction applies safely to proposers as well due to the same reasoning without fear of attack by a wealthy proposer that can spam the system.
However, rarely do so many advantages come for free! Compared to optimistic rollups, there is an added data-publication cost in this hybrid design that’s necessary to remove the interactions required in a dissection game. We’ve designed Kailua to make this DA cost overhead negligible compared to the costs of full proving in a ZK Rollup, leading the cost overhead per transaction in Kailua to be inversely related to TPS!
In a Kailua rollup where a challenge/proof pertains to a sequence of K rollup blocks, the Kailua proposer has to publish at most N/K hashes as “checkpoint data” when proposing a state transition that advances the rollup by N blocks. K is the number of non-empty blocks covered by every challenge/proof, and is a configurable parameter that determines the dispute costs. We say at most N/K, because the number of required checkpoints can be largely reduced if there are many empty blocks in a proposal.
In case of a relatively active rollup with very few empty blocks, the above overhead would be negligible, as it would be an added cost of publishing only 32/K additional bytes per block. With K=1, for Optimism’s mainnet for example, this amounts to publishing a single blob every 2 hours and 15 minutes, which is on par with OP mainnet’s existing proposal rate, and well below the DA costs for such a period. At the current TPS and $3 cost per blob, that’s less than $0.0001 per tx!
However, in case of a rollup that experiences low block space utility (e.g. due to very low block times), the overhead of naively publishing N/K hashes can be impractical, but Kailua is not naive! In this case, the condition for creating a checkpoint can utilize a second parameter, E, which denotes the maximum number of empty blocks that the checkpoint may cover. A 32-byte checkpoint (block/state hash) is then required to cover a sequence of blocks containing at most E empty blocks or K non-empty blocks. Luckily, E can be a significantly larger number than K, depending on how cheap it is to prove empty blocks.
Kailua is currently undergoing rapid development and is suitable only for testing environments and not in production. We will continue to improve and evolve Kailua by adding new features, optimizing costs and performance, and possibly supporting more rollup stacks! Kailua is a fully open-source project published under RISC Zero’s Github.
The Kailua CLI allows you to easily deploy a local OP devnet and upgrade it to use ZK fault proofs with just a few commands. Afterwards, you can use the CLI to launch the proposer and validator, and interact with your local devnet as you normally would have. If you’re interested in testing out the actual dispute game in case of faults, you can use the CLI to instead interact abnormally as you wouldn’t have, and induce some faulty proposals and watch the validator challenge and strike them down using the RISC Zero zkVM!
Finally, this wouldn’t be a RISC Zero blog post about a new release without some cycle counts! The table below shows some OP Mainnet benchmarks, which come with a few caveats.
Block | Cycles | Transactions | Bonsai Proving Cost |
126223114 | 17,121,252,466 | 108 | $22 |
126223244 | 16,202,792,886 | 98 | $21 |
126223597 | 15,194,355,377 | 85 | $20 |
126229327 | 14,245,181,555 | 81 | $19 |
126210813 | 10,663,051,955 | 43 | $14 |
126210550 | 10,596,525,804 | 37 | $14 |
Despite the almost four-fold increase in cycle counts compared to op-zeth, the proving costs per transaction in this table are two to five times better due to improvements in the RISC Zero prover.
In August last year we released Zeth, the first Type-1 zkEVM built using the RISC Zero zkVM, which allowed developers to enshrine EVM execution in ZK. Then this year in May we upgraded Zeth to support Optimistic rollups as part of the Optimism Foundation’s RFP, empowering developers to generate validity proofs that consecrate rollup derivation in zero-knowledge.
Today, we’re announcing Kailua, a software suite for upgrading optimistic rollups to Hybrid ZK rollups, with its first implementation backed by Optimism’s Kona rollup state transition engine. Kailua not only transparently executes Kona unmodified in the zkVM, but introduces its own novel fault proof game that advances the current state-of-the-art in dispute resolution by reducing collateral requirements and finality delays!
Not to be confused with the town in the Hawaiian district of Kona, Kailua is a suite of tools and contracts to migrate rollups from long interactive fault proving systems to short non-interactive ZK fault proofs generated using the RISC Zero zkVM. Its main components are:
Note: The minimum OP stack version required to use Kailua is V1.4 because it leverages the DisputeGameFactory contract instead of the deprecated L2OutputOracle contract.
Kailua’s dispute game combines zero-knowledge proving with the optimistic rollup paradigm in a novel hybrid system that improves security and performance while reducing operational costs and finality delays! This is summarized in the table below:
ㅤ | Optimistic Rollups | ZK Rollups | Hybrid Rollups (Kailua) |
Collateral for N Challenges | N deposits | N/A | 1 deposit |
Collateral for N Proposals | N deposits | N/A | 1 deposit |
Cost of proposing N blocks | 1 transaction | 1 transaction
| 1 transaction
|
Maximum cost of challenging an N block proposal | D + log(N) transactions
D is max comp. depth | N/A | 3 transactions
|
Minimum Finality Delay for an N block proposal | D + log(N) timeouts
| N proof times | 1 timeout
|
Unlike ZK Rollups, Kailua’s hybrid paradigm permits rollups not only to operate normally without worrying about constant proving costs and times, but also to relieve their users of any added costs for proving, which add up and become non-negligible in cases where:
In Kailua’s novel design, the costs to resolve a dispute using ZK are fully borne by the dishonest parties, whether they are a faulty proposer or validator!
A rollup using Kailua can safely maintain its security while outsourcing any proving workloads! This is because Kailua validators can still issue the necessary challenge transactions to ensure the safety of their rollups even before having computed the proofs to justify them. Consequently, this means that instead of worrying about setting up potentially complex and expensive proving infrastructure, Kailua Hybrid Rollups can depend on decentralized proving market infrastructure like RISC Zero’s Boundless in times of need with safety and liveness guarantees for their proof requests!
Reduced running operational costs compared to ZK Rollups are great, but it gets better! Kailua also reduces the collateral costs required to run a rollup from “linear in the number of proposals/challenges” down to constant! This means that even under long finality periods, the minimum collateral required by honest parties to sustain the security and liveness of the system can be reduced by orders of magnitude from tens of thousands down to hundreds (in USD)!
First, let’s recap the core mechanic behind current rollup dispute games. Truebit’s bisection game introduced the ability to resolve disputes on the result of a long deterministic computation through repeated rounds of challenge-response interactions. This mechanism has been the foundation of security in optimistic rollups, which grant a time-sensitive opportunity for playing the game to ensure the integrity of the second-layer ledger. The time-sensitivity ensures the liveness of the rollup, but carries a risk towards its safety, as honest players in the bisection game might not make their moves on time, or might not have enough funds to play as many instances of the game as can dishonest players. However, its underlying cryptographic assumptions are minimal, which made it a very practical choice.
The rules for playing dissection-based dispute games involve several kinds of “timeout” periods granted to players to make moves. The most notable two are:
These two timeouts contribute to what’s commonly referred to the “Finality Period”. In current designs, an attacker could sacrifice its own collateral to trigger the latter timeout several times, potentially even exhausting the resources of the defenders. This attack vector has been central to the security of rollups, including Arbitrum, which is currently adopting a new dispute protocol (BoLD) that aims to provably set a constant upper-bound of ~6.3 days on the timeout for open disputes.
Spoiler: Kailua reduces this timeout to a little as an hour! And removes the potential for resource-exhaustion attacks!
Zero-knowledge proofs can be used in lieu of the bisection game as a non-interactive mechanism to resolve any disputes on the state of the rollup. This one-shot nature means that the time allotted for dispute resolution can be greatly reduced to just the time needed for proving a single block!
While such a shift in mechanics might sound reasonable, it’s still not an optimal introduction of ZK into the optimistic dispute game! Instead of requiring proofs only to demonstrate that a proposed rollup state is invalid, one could also leverage zk proofs to demonstrate validity, even in an optimistic setting! With the duality of proofs in mind, Kailua only requires challengers to signal their “intent” to dispute a proposal, preventing the finalization of that proposal until either a fault or validity proof is submitted to refute either the challenger or the proposer, and remove their respective actions from play. Consequently, this allows Kailua to relieve the rollup from worrying about proving times potentially not being as short as the latter timeout.
But not only does Kailua do away with long finality delays due to interactive challenge-response transactions, but it also does away with much of the collateral required for maintaining rollups! Players in the bisection game have to stake separate pieces of collateral in each instance of the game they play. This is mainly due to the fact that a player can lose in a game instance due to simply not responding on time, which tells nothing of their honesty in general. Remarkably, Kailua overcomes this limitation with ZK disputes! In Kailua, if a player challenges a proposal, and that proposal later gets proven valid, then Kailua disqualifies that player due to their proven dishonesty! This simple change means that challengers now only need to put up collateral to take on the role of a challenger, and then issue as many challenges as needed, rather than put up separate collateral per challenge or game. Remarkably, the same collateral reduction applies safely to proposers as well due to the same reasoning without fear of attack by a wealthy proposer that can spam the system.
However, rarely do so many advantages come for free! Compared to optimistic rollups, there is an added data-publication cost in this hybrid design that’s necessary to remove the interactions required in a dissection game. We’ve designed Kailua to make this DA cost overhead negligible compared to the costs of full proving in a ZK Rollup, leading the cost overhead per transaction in Kailua to be inversely related to TPS!
In a Kailua rollup where a challenge/proof pertains to a sequence of K rollup blocks, the Kailua proposer has to publish at most N/K hashes as “checkpoint data” when proposing a state transition that advances the rollup by N blocks. K is the number of non-empty blocks covered by every challenge/proof, and is a configurable parameter that determines the dispute costs. We say at most N/K, because the number of required checkpoints can be largely reduced if there are many empty blocks in a proposal.
In case of a relatively active rollup with very few empty blocks, the above overhead would be negligible, as it would be an added cost of publishing only 32/K additional bytes per block. With K=1, for Optimism’s mainnet for example, this amounts to publishing a single blob every 2 hours and 15 minutes, which is on par with OP mainnet’s existing proposal rate, and well below the DA costs for such a period. At the current TPS and $3 cost per blob, that’s less than $0.0001 per tx!
However, in case of a rollup that experiences low block space utility (e.g. due to very low block times), the overhead of naively publishing N/K hashes can be impractical, but Kailua is not naive! In this case, the condition for creating a checkpoint can utilize a second parameter, E, which denotes the maximum number of empty blocks that the checkpoint may cover. A 32-byte checkpoint (block/state hash) is then required to cover a sequence of blocks containing at most E empty blocks or K non-empty blocks. Luckily, E can be a significantly larger number than K, depending on how cheap it is to prove empty blocks.
Kailua is currently undergoing rapid development and is suitable only for testing environments and not in production. We will continue to improve and evolve Kailua by adding new features, optimizing costs and performance, and possibly supporting more rollup stacks! Kailua is a fully open-source project published under RISC Zero’s Github.
The Kailua CLI allows you to easily deploy a local OP devnet and upgrade it to use ZK fault proofs with just a few commands. Afterwards, you can use the CLI to launch the proposer and validator, and interact with your local devnet as you normally would have. If you’re interested in testing out the actual dispute game in case of faults, you can use the CLI to instead interact abnormally as you wouldn’t have, and induce some faulty proposals and watch the validator challenge and strike them down using the RISC Zero zkVM!
Finally, this wouldn’t be a RISC Zero blog post about a new release without some cycle counts! The table below shows some OP Mainnet benchmarks, which come with a few caveats.
Block | Cycles | Transactions | Bonsai Proving Cost |
126223114 | 17,121,252,466 | 108 | $22 |
126223244 | 16,202,792,886 | 98 | $21 |
126223597 | 15,194,355,377 | 85 | $20 |
126229327 | 14,245,181,555 | 81 | $19 |
126210813 | 10,663,051,955 | 43 | $14 |
126210550 | 10,596,525,804 | 37 | $14 |
Despite the almost four-fold increase in cycle counts compared to op-zeth, the proving costs per transaction in this table are two to five times better due to improvements in the RISC Zero prover.