Polygon believes in a vision that sees many companies in the near future interacting with each other through smart contracts for executing business logic and managing the exchange of goods and services.
In collaboration with Ernst & Young, Polygon offers a public, privacy-focused Layer 2 rollup solution called Polygon Nightfall to enable accessibility and privacy for companies wanting to use Ethereum.
A ZK-Proof Protocol for Enterprises
Polygon Nightfall is part of Polygon's suite of scalability solutions, which include Polygon Hermez, Polygon Miden and Polygon Zero. The key difference is that Nightfall is a privacy-focused rollup designed for enterprise use cases by combining the concepts of optimistic rollups and Zero-Knowledge (ZK) cryptography to offer private and scalable transactions.
While Nightfall enables scalability, it is also set to remove a major barrier companies face today when using blockchain: the lack of privacy of transactions. Nightfall adds a layer of privacy so that key transaction parameters (e.g. value and destination) cannot traceback. These two features have fed the interest of private enterprises that see Nightfall as a way to execute their business logic and coordinate with their supply chain in a decentralized network at a sustainable price, all while maintaining security and privacy.
Polygon Nightfall's main value proposition is to enable secure, private, low-cost transfers of data in a decentralized network.
Polygon Nightfall uses ZK proofs to send private transactions. A user can generate a ZK proof of the transaction without revealing key transaction parameters such as the destination or the value of the transaction. More details about the privacy component of Nightfall are available in the protocol guide.
Nightfall is currently undergoing a security audit, and it is expected to complete around mid-June 2022. Once the audit process is complete, the results will be posted here.
As a new network with a bootstrap period, Nightfall has transitory security measures to protect the system with the objective to remove them and leave it fully decentralized.
Polygon Nightfall is a Layer 2 construction because it leverages Ethereum by borrowing its security as a robust public blockchain. Nightfall relies on certain assumptions that guarantee asset recovery. These assumptions are based on several design and architectural decisions revolving around ZK-SNARKS. These ZK-SNARKs use certain cryptographic primitives, such as hashes and signatures, that make additional security assumptions. Finally, Nightfall embeds operating rules in different smart contracts to guarantee that operators don't block user transactions and that users can withdraw their assets at all times.
As a summary, Nightfall makes the following security assumptions:
- Security assumptions of Ethereum.
- Groth16 assumptions (knowledge of exponent assumption).
- Certain cryptographic assumptions from primitives such as hashes and signatures.
- Software security assumptions that rely on correct design and implementation.
Block proposers collect transactions from various users and batch them together into an L2 Block. Typical L2 block sizes contain about 32 transactions.
The expected gas costs for a deposit, single transfer, double transfer, and withdrawal are 8200, 11400, 12200, 8500 respectively. This cost is due to store 634Bytes of calldata per transaction, plus some fixed calldata and computation to process an L2 block. Costs will be up to 80% lower after EIP 4488.
As part of the transfer transaction ZK proof, Nightfall includes encrypting the secrets (token address, value, id, and salt) required to process the transferred commitment. This forces the user to encrypt the secrets with a key known to the recipient. As the key is part of the ZK proof, the receiver relies on plausible deniability as the sender can prove that the correct encryption key was used.
Validators and Challengers are an integral part of Nightfall. They ensure that transactions and L2 blocks produce timely and correctly. A proof-of-stake (PoS) based consensus mechanism is used to select the next Proposer of the network. On the other hand, Challengers monitor the correct operation of the network by raising challenges when an incorrect block is detected and by retaining the stake advanced by the Proposer.