# Zero-Knowledge Glossary

This glossary is open source and consistently being updated. If you'd like a term to be added, please create an issue or create a pull request and define one yourself!

## A

### arithmetization

Arithmetization is the process of turning computational problems into equations. It can be summarized as turning computer programs into "math," so that they can be analyzed using cryptographic algebraic techniques.

### appchain

A blockchain network custom-made and optimized for a specific application's needs. An appchain is generally not a full-blown blockchain, but offers an optimized execution environment for the application, while still relying on an underlying blockchain for consensus.

Deploying appchains on top of L2 networks like Linea offers significant cost and customization capabilities.

See also: "blockchain trilemma", "modular blockchain", "Layer 2", "Layer 3".

## B

### blockchain trilemma

Blockchain network builders face a tradeoff between three factors: decentralization, security, and scalability (or speed). Often, designing a system that optimizes for one compromises another.

### Brakedown

The first built system that provides linear-time SNARKs for NP, meaning the prover incurs O(N) finite field operations to prove the satisfiability of an N-sized R1CS instance. Brakedown’s prover is faster, both concretely and asymptotically, than prior SNARK implementations.

Brakedown does not require a trusted setup and is plausibly post-quantum secure.

## C

### circuit

A circuit uses logic gates to depict the flow of data and the sequence of operations performed on that data in a given computational task. Circuits are used at many levels to create processing capability, including virtual machines like the Ethereum Virtual Machine, and Linea's implementation of a zk-EVM.

### constraint

A constraint refers to a condition imposed on mathematical operations or computation to ensure the correctness, efficiency, or security of an algorithm.

## D

### data availability

Data availability is the guarantee that the block proposers are required to publish the data for each block, which nodes participating in Ethereum's consensus store locally. Rather than having to trust that block producers are honest, all nodes on the Ethereum network execute the transactions to verify that the new information is valid.

Data availability is one of the ways in which a L2 differs from a sidechain.

## E

### elliptic curve cryptography

A method of encrypting information used in many applications, including in public blockchain networks. It is commonly used to create "public-private key pairs": a pair of cryptographic elements. The public key can be used to encrypt things which can then only be decrypted by the private key.

ECC uses mathematical theories surrounding elliptic curves to render the encryption extremely difficult to decipher without the correct private key.

### Ethereum Virtual Machine (EVM)

A stack-based virtual machine that executes bytecode. In Ethereum, the execution model specifies how the system state is altered given a series of bytecode instructions and a small tuple of environmental data. This is specified through a formal model of a virtual state machine.

### execution trace

This is a record of what happened during the execution of a transaction. This is usually represented as a list, in which each item is the state of the machine at a specific clock time, which includes information such as:

- Who was the caller
- Block number
- What contracts were invoked
- What data was changed
- And more!

This is relevant to zk-rollups because execution traces are used to construct the validity proof verified by the verifier contract on Ethereum.

## F

## G

### gnark

gnark is a software library that offers users the ability to design and run computational circuits in zk-SNARKs through a high-level API.

The library is open source and developed under the Apache 2.0 license.

### Groth16

Groth16 is a circuit-specific preprocessing general-purpose zk-SNARK construction. It has become a de-facto standard used in several blockchain projects due to the constant size of its proof, and its appealing verifier time.

On the downside, Groth16 needs a circuit-specific trusted setup for its preprocessing phase.

## H

### hash function

A mathematical function that converts a data input of any chosen length and size into an output that is encrypted and has a fixed length and size. Once converted, the hash cannot be reverse-engineered to reveal the original input of data. This makes the data input more secure against decryption.

## I

## J

## K

### keccak

Keccak (pronounced “ketchak”) is a versatile cryptographic function best known for its uses in hashing. It provides increased levels of security when compared to older hash algorithms.

See also: SHA, hash function.

## L

### Layer 1

Layer 1 (L1) is the underlying foundation and base blockchain that various layer 2 (L2) networks build on top of. For example, Ethereum is an L1 that is comprised of node operators to secure and validate the network, block producers, the history of transaction data, and the consensus mechanism of the blockchain itself.

### Layer 2

Layer 2 (L2) is a separate blockchain that increases transaction speed and throughput, while fully or partially deriving its security from Ethereum. Additionally, L2 projects must rely on Ethereum for data availability by posting their transaction data onto Ethereum. L2s decrease L1 congestion by bundling transactions to be submitted to Ethereum, thus increasing scalability while inheriting Ethereum’s data availability, security, and decentralization.

## M

## N

## O

### Oracle

This is a computational entity or service that provides information or answers to specific queries.

### Optimistic rollup

A rollup of transactions that use fraud proofs to offer increased L2 transaction throughput while using the security provided by Mainnet (L1). Unlike Plasma, a similar L2 solution, optimistic rollups can handle more complex transaction types – anything possible in the EVM. However, in order to release assets back on the L1, users must wait for a 7 day challenge period. Liquidity providers can help alleviate distributing L1 ETH immediately, but this relies on trust in the security of the provider, and does not provide a mechanism for transferring NFTs.

## P

### Polynomial commitment

A polynomial commitment scheme is a cryptographic primitive that allows a party to publicly commit to a value or a piece of information without ever revealing the actual value itself. This allows us to prove that a polynomial satisfies some properties without every revealing what the polynomial is. Additionally, this is useful for zk-rollups because the commitment is smaller than the polynomial itself.

### Polynomial IOP (Interactive Oracle Proof)

An Interactive Oracle Proof (IOP) is a protocol in which the verifier is not required to fully read the prover's messages (the traces and constraints generated from arithmetization). Instead, the verifier has oracle access to the prover’s messages. This oracle is repeatedly queried to create the concrete proof system, or polynomial commitment for the validity proof.

## Q

## R

### Rollup

A type of L2 scaling solution that batches multiple transactions and submits them to the Ethereum main chain in a single transaction. This allows for reductions in gas costs and increases in transaction throughput. There are optimistic and zero-knowledge rollups, which use different security methods to offer these scalability gains.

Rollup architecture is made up of the following components:

**Rollup contract**: contract on the L1 stores rollup blocks, monitors state updates on the rollup, and tracks user deposits**Off-chain VM**: computation and state storage on another virtual machine separate from the Ethereum Virtual Machine**Aggregators/sequencers/operators/validators**: nodes that aggregate transactions, compress the underlying data, and publish the block on Ethereum**Verifier contract**: contract on the L1 that verifies the validity proof

## S

### Scaling

The main goal of scalability is to increase transaction speed (faster finality), and transaction throughput (high transactions per second), without sacrificing decentralization or security.

### Sidechain

A scaling solution that uses a separate chain with different, often faster, consensus rules. A bridge is needed to connect these sidechains to Mainnet. Rollups also use sidechains, but they operate in collaboration with Mainnet instead. Sidechains are NOT considered L2 solutions, because they do not leverage Ethereum for data availability and security.

## T

### Transaction fee

A fee you need to pay whenever you use the Ethereum network. Examples include: sending funds from your wallet, or a dapp interaction, like swapping tokens or buying a collectible. You can think of this like a service charge. This fee will change based on how busy the network is. This is because miners or sequencers, the people responsible for processing your transaction depending on the network, are likely to prioritize transactions with higher fees – so congestion forces the price up.

## U

## V

### Validity proof

A security model for certain L2 solutions where, to increase speed, transactions are rolled up into batches and submitted to Ethereum in a single transaction. The transaction computation is done off-chain and then supplied to the main chain with a proof of their validity. This method increases the amount of transactions possible while maintaining security. Some rollups use fraud proofs.

### Verifiable computation

Verifiable computation allows a “weak computer” (Ethereum L1) to offload computation to a potentially untrusted, but “powerful computer” (Linea L2). The “powerful computer” must return a validity proof of the correctness of its results. Verifying the proof is cheaper than performing the computation from scratch.

## W

## X

## Y

## Z

### Zero-knowledge proof

A zero-knowledge proof, or zk-proof, is a cryptographic method that allows an individual to prove that a statement is true without conveying any additional information. This is commonly associated with privacy, but is great for *scaling* blockchain networks through rollups, because it reduces the amount of information you have to provide to lower layers. This is the validity proof that the “powerful computer” must provide for verifiable computation.

### Zero-knowledge rollup

This is a L2 scaling solution that uses a zero-knowledge proof as its validity proof to post data back to Ethereum L1. As compared to optimistic rollups, this validity proof allows for a more secure trust assumption and removes the need for a challenge period.

### zkEVM

A zkEVM is a virtual machine that executes smart contracts and proves the correctness of execution using zero-knowledge proofs. ZkEVMs recreate aspects of Ethereum’s design, which provides an “Ethereum-like” experience for developers and users. For Ethereum developers, this means you can write in Solidity, but leverage the zkEVM to perform off-chain computations to offload execution from Ethereum, enabling the scalability provided by zk-rollups!

### zk-SNARK (Zero-Knowledge Succinct Non-Interactive Argument of Knowledge)

This is a type of zk-proof where the prover and verifier don’t have to interact. With zk-SNARKs, you can verify 1 transaction or 1 billion transactions in the same amount of time, which is great for scaling. You can read more about zk-SNARKs here and here.