July proved to be a banner month for efforts to scale Bitcoin using zero-knowledge proofs.
First, StarkWare demonstrated a STARK verifier on Bitcoin’s Signet test network on July 17.
Then last week at the Bitcoin 2024 conference in Nashville, two competing teams behind BitcoinOS and BitVMX verified zk proofs on Bitcoin mainnet. Both make use of BitVM, or “Bitcoin Virtual Machine,” an approach to creating Turing-complete Bitcoin contracts without the need for a soft fork.
A key difference between the two approaches is the degree of trustless execution, according to L2 Iterative Ventures’ Weikeng Chen, who worked on the STARK verifier with StarkWare.
“BitVM has a trust assumption that still requires [a multisignature scheme],” Chen told Blockworks. “This assumption can be removed if we have OP_CAT.”
The distinction is similar to that between optimistic and zk, or validity, rollups on Ethereum.
Although the BitcoinOS and BitVMX teams are verifying zk proofs, they’re doing so inside a BitVM. Compared to a future version of Bitcoin with OP_CAT, they are quite different trust models, Willem Schroe, Botanix Labs founder, agreed. Botanix Labs is building a decentralized proof-of-stake layer-2 using BTC, called Spiderchain.
“BitVM allows you to run any kind of code, and the trust assumption to run any kind of code is optimistic,” Schroe told Blockworks. “So now you can say, ‘With an optimistic fraud proof assumption of the BitVM, we can verify a zk proof in the BitVM.’”
Rootstock Labs worked with Sovereign Labs on BitVMX. BitcoinOS, of which Sovryn — not to be confused with Sovereign Labs — is one implementation, is a framework for interoperable rollups.
There’s “no clear winner,” according to Chen, because even if OP_CAT gets added to Bitcoin, “the BitVM approach is much cheaper to do onchain.” One potential tradeoff is that “the challenge-response can lead to a longer settlement period,” he said.
For example, 52 small transactions were conducted on the Bitcoin mainnet to demonstrate BitcoinOS’ BitSnark verification protocol.
The setup involves two parties: the Prover, who wants to access funds locked in a Taproot address, and the Verifier. The protocol begins with both parties co-signing all transactions. If the Prover is honest, the protocol completes following the initial transaction, and the Prover can access the funds after a set lock time.
However, if the Verifier detects a dishonest proof, they can challenge, initiating a sequence of transactions where each party takes turns — challenge and response — up to 26 iterations, according to the BitcoinOS team.
It’s too early to tell how scalable this approach will be in practice, according to Matt Black, co-founder and chief technology officer at Atomic Finance.
“Everyone likes to talk about unlimited scalability with optimistic rollups, but in reality there are significant limits,” Black said in the BitVM Builders Telegram group.
Black points out the trust assumptions are only 1-of-n, meaning “there must be one honest party out of n, or funds can be stolen,” he told Blockworks — better than your typical Ethereum multisig.
Robin Linus, one of the authors of the BitVM white paper, has stressed that when designing a bridge using BitVM, the expectation was that it would only be used occasionally for dealing with large amounts of bitcoin, such as wrapping BTC for use on another network.
In the BitcoinOS demonstration, the final transaction that sought to execute one CPU instruction onchain in block 853626 involved the Prover performing a specific arithmetic operation in the virtual machine, which, when validated, allowed the Prover to access the funds as expected.
But Chen would like to see more information about how to challenge the proof, noting that posting the proof “is the easy part.”
“Challenging a proof is probably the most difficult part in the BitVM landscape,” Chen explained. “The problem with their construction is that they aren’t supporting fraud proofs in memory — a malicious prover can modify the state to get an invalid proof passed — it’s easy to break.”
This is a general challenge with BitVM, Chen said. “We don’t have a clear answer on how to do the state passing between the challenge-response units efficiently.”
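To make the challenge-response game described above, and Chen’s point about memory state, concrete, here is an added example. It is constructed for this article and is not BitcoinOS, BitSnark or BitVMX code; the toy instruction set, the SHA-256 commitment over registers and memory, the bisection search and the mapping of round count to trace length are all assumptions of the model. It simulates a prover and verifier who disagree on the final state of a short program run, bisect the execution trace one challenge/response round at a time until they isolate a single disputed instruction, and then execute only that instruction to decide who cheated. Because the commitment covers memory as well as registers, a prover who silently edits a memory cell between rounds is caught at the step where the edit was made, and an honest prover survives a verifier who challenges with a corrupted reference trace, which is the 1-of-n property Black describes.

```python
"""Toy bisection-style challenge-response game (constructed example, not
BitSnark/BitVMX code). A trace of 2**k VM states is resolved in k rounds."""
import hashlib
import json
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class State:
    pc: int
    regs: tuple  # three registers r0..r2
    mem: tuple   # four memory cells


def commit(state: State) -> str:
    """Commitment to a VM state. Covers registers AND memory, so a party
    cannot swap memory contents between challenge rounds unnoticed."""
    blob = json.dumps([state.pc, list(state.regs), list(state.mem)])
    return hashlib.sha256(blob.encode()).hexdigest()


def step(state: State, program) -> State:
    """Execute one instruction deterministically; a halted VM stays put."""
    if state.pc >= len(program):
        return state
    op, a, b, c = program[state.pc]
    regs, mem = list(state.regs), list(state.mem)
    if op == "ADD":
        regs[a] = (regs[b] + regs[c]) % 2**32
    elif op == "MUL":
        regs[a] = (regs[b] * regs[c]) % 2**32
    elif op == "LOAD":
        regs[a] = mem[b]
    elif op == "STORE":
        mem[a] = regs[b]
    else:
        raise ValueError(f"unknown opcode {op}")
    return State(state.pc + 1, tuple(regs), tuple(mem))


def run(program, init: State, n_steps: int):
    trace = [init]
    for _ in range(n_steps):
        trace.append(step(trace[-1], program))
    return trace


def tamper(trace, at, program, mem_index, value):
    """A cheating party: overwrite one memory cell at step `at` although no
    instruction wrote it, then keep executing honestly from the bad state.
    This is the 'modify the state' behaviour Chen describes."""
    s = trace[at]
    mem = list(s.mem)
    mem[mem_index] = value
    forged = [*trace[:at], State(s.pc, s.regs, tuple(mem))]
    while len(forged) < len(trace):
        forged.append(step(forged[-1], program))
    return forged


def rounds_needed(n_steps: int) -> int:
    """Challenge/response rounds to isolate one step by halving (assumption
    of this model: 26 rounds would cover a trace of 2**26 steps)."""
    return math.ceil(math.log2(n_steps))


def bisection_game(prover_trace, verifier_trace, program):
    """Both sides agree on state 0 and disagree on the final state. Returns
    (winner, rounds_used, disputed_step)."""
    lo, hi = 0, len(prover_trace) - 1
    assert commit(prover_trace[0]) == commit(verifier_trace[0])
    assert commit(prover_trace[hi]) != commit(verifier_trace[hi])
    rounds = 0
    while hi - lo > 1:            # each iteration = one challenge + one response
        mid = (lo + hi) // 2
        rounds += 1
        if commit(prover_trace[mid]) == commit(verifier_trace[mid]):
            lo = mid              # agreement moves the left boundary right
        else:
            hi = mid              # disagreement moves the right boundary left
    # Step lo is agreed, step hi = lo + 1 is disputed: execute exactly one
    # instruction from the agreed, fully committed state (registers + memory).
    revealed = prover_trace[lo]
    if commit(revealed) != commit(verifier_trace[lo]):
        return "verifier", rounds, lo
    expected = step(revealed, program)
    if commit(expected) == commit(prover_trace[hi]):
        return "prover", rounds, hi
    return "verifier", rounds, hi


# Constructed sample program: r0 = r1 + r2; mem[0] = r0; r1 = r0*r0; ...
PROGRAM = [
    ("ADD", 0, 1, 2),
    ("STORE", 0, 0, 0),
    ("MUL", 1, 0, 0),
    ("LOAD", 2, 0, 0),
    ("ADD", 0, 1, 2),
    ("STORE", 1, 0, 0),
]


def demo():
    init = State(0, (0, 3, 4), (0, 0, 0, 0))
    honest = run(PROGRAM, init, 64)
    # Case 1: the prover edits mem[0] right after step 2; the verifier catches it.
    cheating_prover = tamper(honest, 2, PROGRAM, 0, 100)
    caught = bisection_game(cheating_prover, honest, PROGRAM)
    # Case 2: the verifier challenges with a corrupted trace; the honest prover wins.
    cheating_verifier = tamper(honest, 4, PROGRAM, 2, 999)
    defended = bisection_game(honest, cheating_verifier, PROGRAM)
    return caught, defended


if __name__ == "__main__":
    print(demo(), rounds_needed(2**26))
```

The decisive detail is that the single-step check at the end executes from a state whose commitment already binds the memory contents; if the commitment covered only registers, the cheating prover in case 1 could present a consistent-looking step while the memory it reads from had been altered, which is exactly the weakness Chen is pointing at.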
Both of these solutions are a ways off from being production-ready. It’s not even clear how exactly, let alone when, Bitcoin Core could be upgraded to make use of OP_CAT.
Black thinks it may be a while. “Personally, I doubt this will be activated anytime soon,” he said.
In theory, the use of StarkWare’s Circle STARKs improves the efficiency of the proving process, positioning StarkWare’s solution as a highly scalable and secure alternative for zk proof implementation on Bitcoin.
However, by enabling proof verification — in this case a SNARK proof — without altering the Bitcoin protocol, BitVMX and BitcoinOS open up the possibility of advanced applications like Ethereum-style smart contracts that were previously infeasible on Bitcoin and therefore relegated to sidechains.