How to make Bitcoin support ZK: from OP_CAT to Chain State Proofs and BitVM

Author: Jonas Nick, Blockstream

Compiled by: Bai Ding & Faust, Geek Web3

Summary: This article is short but dense. It lays out, point by point, how Bitcoin could be made to support ZK proof verification. The topics covered include the functional limitations of Bitcoin's UTXO model and script, Taproot and OP_CAT, BitVM, and Chain State Proofs. The article takes a fairly clear position:

Introducing ZK into the Bitcoin protocol is an inevitable trend, and there are two routes. One is to let Bitcoin Script verify SNARKs directly, which requires the OP_CAT opcode; the probability that OP_CAT is eventually adopted is high. The other is Chain State Proofs, proposed to reduce the cost for node clients of verifying historical data.


Text: To understand Bitcoin more deeply, it is better to treat it as a social system. When Bitcoin was launched, the developers fixed the software that Bitcoin nodes must run, much like fixing the rules that a social system follows. The reason Bitcoin's social system can operate stably is that everyone shares a consensus on key questions such as "what is the essence of Bitcoin" and "what should Bitcoin be". Of course, reaching such consensus is not easy; on these questions people still hold broad and evolving differences.


This can be traced back to Bitcoin's historical origins. When Satoshi Nakamoto released the Bitcoin white paper, he said: "I am working on a new electronic cash system that is fully peer-to-peer, with no trusted third party." This was posted to the cypherpunks mailing list (an email discussion group founded in 1992, made up of cryptographers and technology enthusiasts focused on privacy protection and cryptographic technology).

However, Bitcoin limits data throughput at the level of its product design. The number of transactions it can handle per unit of time is bounded, so when the volume of pending transactions rises sharply, users start a bidding war and quickly push up the fee needed to get a transaction confirmed. In 2024 the Bitcoin network saw its most expensive single transaction fee ever, and after the halving the median fee for a high-priority on-chain transaction reached $150. It is fair to say that expensive transaction fees have become a problem for the Bitcoin network.

To address the fee problem, a great deal of resources has gone into developing the Lightning Network. However, according to a paper published in 2016, the Lightning Network can in practice support only tens of millions of users and cannot realize the vision of a global payment system.

Besides fees being too expensive, there is another problem: Bitcoin has never achieved the anonymity envisioned for it. Nakamoto pointed out in the cypherpunk mailing list discussion that Bitcoin has privacy-protecting features and that transaction initiators can be completely anonymous. However, although a transaction's initiator needs no KYC, the transaction data on the Bitcoin chain leaks a lot of information, which largely exposes user privacy.

Although some privacy-focused wallet clients have solved the above problem to some extent, the developers of these wallets face threats large and small. For example, the developers of the Samourai CoinJoin wallet were arrested by the FBI in April 2024, and a week later the developers of the Wasabi wallet shut down their CoinJoin coordinator component. Clearly, these so-called privacy wallets are not entirely worthy of users' trust.

In summary, many of Bitcoin's original ideas are far from realized today, and the relevant technologies are still developing. Even so, many in the Bitcoin community believe Bitcoin's protocol design should remain unchanged, while many others, like me, are passionate about improving Bitcoin. So, in what direction should Bitcoin be improved?


For the problems above, there are many proposals in the Bitcoin community. The ones with the best theoretical effect are related to ZK and SNARKs. With ZK and SNARKs, the following can be achieved:

1. Significantly improved privacy: use homomorphic Pedersen commitments to substantially improve user privacy (as in Blockstream's Elements sidechain); hide transaction traces through ring signatures (as in Monero); or achieve truly private transactions (as in Zcash).

2. Improved transaction throughput.

In fact, there are many technical means to solve Bitcoin's problems, so why have none of them been added to the Bitcoin protocol to this day? Because the Bitcoin protocol is hard to modify. The Bitcoin ecosystem has no organization like the Ethereum Foundation; any change to the protocol requires a high degree of community consensus, which involves a great deal of negotiation and checks and balances between different powers. Hence, unlike Ethereum, where the EVM opcodes are updated every year, the Bitcoin protocol has changed very little since its inception.

To a certain extent, being hard to modify is a good thing: if the Bitcoin protocol were easy to change, it would be easy to introduce malicious changes and attacks. This raises a question: without changing the design of the Bitcoin protocol, what means are there to improve Bitcoin's capabilities?


To answer this, we must first review some Bitcoin basics. To transfer Bitcoin to someone, we first create a transaction and broadcast it to the Bitcoin network. The transaction's outputs specify the amount of BTC being transferred, and the recipient can create a new transaction to spend the BTC received; that new transaction in turn produces new outputs that send BTC to others.

Note that Bitcoin has no global state the way Ethereum does; in particular there is no account state, only transaction outputs. Each transaction output is in one of two states: spent by its recipient, or unspent. The unspent outputs are the UTXOs we are familiar with.

Of course, besides the BTC attached to it, each transaction output carries a program written in a language called Bitcoin Script. Whoever can present a correct witness to this program can spend that output (UTXO). Bitcoin Script is a stack-based programming language consisting of a series of opcodes; the program attached to a UTXO is usually composed of several opcodes, which perform their computation on the stack and push the result back onto it.

There are many common types of Bitcoin script, and they have existed since Bitcoin's launch. For example, the most common script consists of a public key plus a signature-check opcode. That opcode stipulates that to unlock the UTXO, a digital signature corresponding to the public key must be presented.



Here we summarize the capabilities of Bitcoin Script. First, what can Bitcoin Script do?

• It can manipulate the stack and perform equality checks (using equality checks to verify whether specific conditions are met, ensuring the security and validity of a transaction), and it can perform IF-ELSE branching.

• It can perform limited arithmetic on 32-bit numbers, namely addition and subtraction.

• It can hash data, and it can check ECDSA and Schnorr signatures.

What can't Bitcoin Script do?

• No loops, jumps, or recursion: it is not Turing complete, and its programming capability is very limited.

• No bitwise operations.

• No multiplication opcode.

• It cannot concatenate elements on the stack.

• It has almost no ability to read and check on-chain transaction data. Bitcoin Script cannot directly access transaction amounts, and there is no way to carry state across spends (a UTXO is consumed once; each transfer destroys the old output).

In early versions of Bitcoin, some of the things listed above could actually be done, but some of those functions were later disabled by Satoshi Nakamoto, who found that the opcodes had vulnerabilities. For example, OP_CAT, which concatenates two stack elements, could be used to remotely attack Bitcoin nodes and crash them. Out of caution, Nakamoto disabled OP_CAT, and some other opcodes were disabled as well.

So, can Bitcoin Script verify a SNARK? In theory, although Bitcoin Script is not Turing complete, its basic operations are sufficient to verify any computation. In practice, however, it cannot be done, because the program required for the verification steps would exceed Bitcoin's maximum block size of 4 MB.

We could try to perform arithmetic in large finite fields, but the cost is very high. For example, BitVM's implementation of multiplying two 254-bit integers requires a Bitcoin script of nearly 8 KB.

Moreover, without OP_CAT the cost of verifying a Merkle proof is also very high, because it requires something resembling a for loop.


So, back to the earlier question: why can't we simply change the Bitcoin protocol and add more powerful opcodes?

As mentioned earlier, reaching majority consensus on new protocol rules is difficult because the Bitcoin ecosystem has no central decision maker. Any proposal to improve Bitcoin Script meets many objections, since everyone's position and perspective differ. In the Bitcoin network there is no good way to measure whether the community has reached majority consensus, and forcing an update through under these conditions would lead to a chain fork.

Of course, Bitcoin has not stayed completely unchanged. The most recent updates were SegWit in 2017 and Taproot in 2021.


The Taproot upgrade changed many rules, and it took three and a half years from its theoretical publication to actual activation. The key factor in Taproot's success was that it did not change existing security assumptions while delivering significant improvements to the Bitcoin protocol. For example, it allows Schnorr signatures to be used instead of ECDSA; both are based on the discrete logarithm problem and use the same elliptic curve, but the former is more efficient and requires less computation.

The improvements Taproot brought to Bitcoin fall into three main parts:

First, Taproot reduces the verification cost of scripts with many optional branches, which allows Bitcoin to support more complex programs;

Second, Taproot reduces the script data that must be revealed on chain. Multiple script segments can be assembled into a Merkle tree, with each script at a different leaf; to trigger one script, only that leaf and its Merkle proof need to be revealed;

Third, Taproot added other mechanism designs as well.


So, since Bitcoin has a precedent for adding powerful features such as Taproot, why not add a dedicated opcode to verify SNARKs? Because adding a so-called OP_SNARK opcode is very different from the Taproot upgrade.

First, there are many possible designs for OP_SNARK, and it is hard to get most people to support a single one. Second, if such a proposal passed, all Bitcoin nodes would have to support that specific OP_SNARK scheme, which would add a huge technical burden.

Moreover, the complexity of OP_SNARK itself is no small challenge. Excluding tests, Taproot added only about 1,600 lines of code, which people found acceptable. By contrast, the code for OP_SNARK would be far more complex.

Besides, who would review the OP_SNARK opcode before it was activated? How could consensus be reached in the Bitcoin ecosystem when few people understand its details? These are all problems. Taken together, an OP_SNARK upgrade will not happen any time soon.


However, there are other ways to verify SNARKs in Bitcoin Script. We could add a simpler opcode that makes Bitcoin Script more powerful, allowing people to implement a SNARK verifier in script. But in practice, writing a SNARK verifier in the Bitcoin Script language is very hard.

That is why Blockstream's research team is developing Simplicity, a programming language designed to replace Bitcoin Script. Simplicity is built for blockchain consensus systems and is deliberately designed to be fully amenable to static analysis and formal verification.


Now let us discuss a very simple but weighty proposal that can make Bitcoin Script stronger: the OP_CAT opcode. As mentioned earlier, OP_CAT existed in the original version of Bitcoin, but under certain conditions it could be used for DoS attacks, so Satoshi Nakamoto disabled it. Now some people in the Bitcoin community want to re-enable it.

OP_CAT pops the two elements at the top of the stack, concatenates them, and pushes the result back. This sounds trivial, but it brings huge functional improvements to Bitcoin Script.

For example, Bitcoin Script previously could not access a transaction's amounts, but with OP_CAT it could; OP_CAT can also be used to verify Merkle proofs. In short, OP_CAT is an upgrade at the opcode level that gives rise to many new capabilities, and many people have described what OP_CAT could achieve.

Does OP_CAT help verify SNARKs in script? Yes, because the ability to verify Merkle proofs helps verify FRI-based SNARKs, and OP_CAT enables this. Previously, script programs involving SNARKs could be too large to fit in a Bitcoin block; OP_CAT can shrink the program size.

OP_CAT has been discussed for many years, and more and more people have recognized its role in transaction introspection. Compared with other proposals, OP_CAT's advantage is that it once existed in Bitcoin Script, so community consensus is easier to reach. However, OP_CAT may also hurt some people's MEV income, so the Bitcoin community has not yet reached consensus on it.

In summary, Bitcoin has a potential path: by enabling simple opcodes such as OP_CAT, anyone could verify SNARKs with Bitcoin Script. It is also worth mentioning a recent proposal called the "Great Script Restoration", which would re-enable the multiplication opcode and allow all arithmetic opcodes to operate on arbitrary-size numbers.
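To make the capability list above, the Taproot leaf-reveal mechanism, and the OP_CAT discussion concrete, here is an added example (not code from the talk or from any Bitcoin implementation): a toy stack interpreter with OP_CAT behind a switch, a Merkle-proof locking script that needs OP_CAT for the concatenation step, and the 520-byte element limit from Bitcoin Core that the OP_CAT proposal keeps. The opcode subset, the single-SHA-256 tree and the `run_script` calling convention are simplifications assumed here.

```python
import hashlib

# Bitcoin Core's MAX_SCRIPT_ELEMENT_SIZE (kept by the OP_CAT proposal); it is
# what stops an element from being doubled until a node runs out of memory.
MAX_ELEMENT_SIZE = 520


class ScriptError(Exception):
    pass


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def run_script(script, witness, enable_cat=False):
    """Toy Bitcoin-style interpreter (assumed convention): `witness` seeds the
    stack bottom-first, `script` mixes data pushes (bytes) and opcode names
    (str). Returns True iff exactly one truthy element remains."""
    stack = list(witness)
    for item in script:
        if isinstance(item, bytes):
            stack.append(item)
        elif item == "OP_DUP":
            stack.append(stack[-1])
        elif item == "OP_SWAP":
            stack[-1], stack[-2] = stack[-2], stack[-1]
        elif item == "OP_SHA256":
            stack.append(sha256(stack.pop()))
        elif item == "OP_EQUAL":
            b, a = stack.pop(), stack.pop()
            stack.append(b"\x01" if a == b else b"")
        elif item == "OP_CAT":
            if not enable_cat:
                raise ScriptError("OP_CAT is disabled")  # Bitcoin since 2010
            b, a = stack.pop(), stack.pop()
            if len(a) + len(b) > MAX_ELEMENT_SIZE:
                raise ScriptError("element too large")  # consensus limit
            stack.append(a + b)
        else:
            raise ScriptError(f"unsupported opcode {item}")
    return len(stack) == 1 and stack[0] not in (b"", b"\x00")


def merkle_root_and_proof(leaves, index):
    """Single-SHA-256 Merkle tree (Bitcoin uses double SHA-256); odd levels
    duplicate the last node as Bitcoin does. Returns (root, proof), where
    proof is a list of (sibling_hash, sibling_is_left)."""
    level = [sha256(x) for x in leaves]
    proof = []
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        sib = index ^ 1
        proof.append((level[sib], sib < index))
        level = [sha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        index //= 2
    return level[0], proof


def merkle_proof_script(proof, root):
    """Locking script: hash the witness leaf up to `root`. Each level needs one
    concatenation, i.e. OP_CAT; without it this has no compact form in script."""
    script = ["OP_SHA256"]
    for sibling, sibling_is_left in proof:
        script.append(sibling)
        if sibling_is_left:
            script.append("OP_SWAP")  # put the sibling on the left
        script += ["OP_CAT", "OP_SHA256"]
    return script + [root, "OP_EQUAL"]


def doubling_script_rejected(rounds=20):
    """OP_DUP/OP_CAT 20 times on a 32-byte element would build a 32 MB element;
    the element-size limit turns that into a clean script failure instead."""
    try:
        run_script(["OP_DUP", "OP_CAT"] * rounds, [b"\x00" * 32], enable_cat=True)
    except ScriptError as e:
        return str(e) == "element too large"
    return False
```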


In addition, when considering OP_CAT's effect on the Bitcoin network, we can examine its impact on Bitcoin node operators once it passes. For Bitcoin to be censorship-resistant and decentralized, the Bitcoin community hopes that as many people as possible run nodes that verify data. If Bitcoin supports SNARK verification, the cost of running a Bitcoin node would not increase significantly, so it would do little harm to Bitcoin's security and censorship resistance.

At present a Bitcoin block can contain up to 4 MB of data, and a block is expected to be mined every 10 minutes. Almost all blocks are filled with Bitcoin scripts and witness data (such as digital signatures). Each block can currently include up to 80K signature verifications, with an average of 7K to 10K signature verifications per block. My 2020 Intel CPU takes on average 3.2 seconds to verify a Bitcoin block. Of course, signature verification time is not the only thing that affects block verification speed.

Also, if Bitcoin transactions support ZK in the future, even if the time to generate a transaction grows, that does not seem harmful. Hardware wallets for long-term asset storage often have screens and are small; their function is to store keys and generate signatures. A hardware wallet's CPU is generally weak, for example a 240 MHz dual-core CPU with limited memory, yet it still responds very quickly when signing a Bitcoin transaction.


I did a small survey asking users the longest delay they could accept. Many could accept a longer wait, especially when they gain significant benefits. So introducing ZK into Bitcoin transactions does not seem to cause much trouble.

We have spent a lot of space discussing how to change Bitcoin's underlying design, but many application scenarios can in fact be realized without changing Bitcoin. Here I want to emphasize a BitVM-related application, Chain State Proofs, which uses ZK to prove the validity of block hashes.


What changes does this technology bring to Bitcoin? First, with Chain State Proofs, the synchronization and verification workload for Bitcoin's historical data can be compressed, greatly reducing the cost of running a node. Currently, on one piece of hardware, syncing from the genesis block and verifying up to the latest Bitcoin block takes 5 hours and 30 minutes; this time could be greatly reduced. Second, Chain State Proofs are an important component that can be combined with BitVM, which will help bring BitVM to realization.

The ZeroSync team has done in-depth research on Chain State Proofs and created a lighter "Header Chain Proof". This scheme uses ZK to prove only the validity of Bitcoin block headers, which form a "header chain" that includes all 850,000 block headers in Bitcoin's history, 80 bytes per header.

The scheme requires a double SHA-256 computation for each Bitcoin block header to verify its proof of work. ZeroSync uses STARKs to generate the Bitcoin Header Chain Proof; generating a proof costs about $4,000, and verifying it takes only 3 seconds in my browser.


However, because the verification does not cover the transaction contents of the blocks, a Header Chain Proof can only assume that the chain with the most proof of work is valid, and a Bitcoin client syncing the latest blocks follows this chain by default. In this scenario an attacker could create a block containing invalid transactions, add more blocks after it, and generate a Header Chain Proof to deceive a Bitcoin client syncing historical data; but doing so is extremely expensive and would be directly exposed by existing Bitcoin full-node clients.
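The statement a Header Chain Proof actually establishes is just the check below, run over every 80-byte header: each header links to the hash of the previous one and its double SHA-256 meets the target encoded in its own nBits field. This is an added example, not ZeroSync's code; it checks the real genesis header as a known answer and otherwise mines a short constructed chain at the regtest difficulty (nBits 0x207fffff), which is assumed here only so that mining finishes instantly. Note what the function never touches: the transactions behind `merkle_root`, which is exactly the gap the paragraph above describes.

```python
import hashlib
import struct

# Real Bitcoin genesis block header (80 bytes), used as a known-answer check.
GENESIS_HEADER_HEX = (
    "01000000" + "00" * 32
    + "3ba3edfd7a7b12b27ac72c3e67768f617fc81bc3888a51323a9fb8aa4b1e5e4a"
    + "29ab5f49" + "ffff001d" + "1dac2b7c"
)
GENESIS_HASH_HEX = "000000000019d6689c085ae165831e934ff763ae46a2a6c172b3f1b60a8ce26f"

# Regtest-style compact target (~2^255): about half of all nonces succeed, so
# the constructed test chain below mines in a handful of hash evaluations.
EASY_BITS = 0x207FFFFF


def dsha256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def bits_to_target(bits: int) -> int:
    """Expand Bitcoin's compact nBits encoding into the 256-bit target."""
    exponent, mantissa = bits >> 24, bits & 0x007FFFFF
    if exponent <= 3:
        return mantissa >> (8 * (3 - exponent))
    return mantissa << (8 * (exponent - 3))


def header_bytes(version, prev_hash, merkle_root, time, bits, nonce) -> bytes:
    """Serialize the 80-byte header exactly as Bitcoin does (little-endian ints)."""
    return (struct.pack("<I", version) + prev_hash + merkle_root
            + struct.pack("<III", time, bits, nonce))


def parse_header(h: bytes):
    if len(h) != 80:
        raise ValueError("header must be exactly 80 bytes")
    time, bits, nonce = struct.unpack("<III", h[68:80])
    return {"prev": h[4:36], "merkle": h[36:68], "time": time,
            "bits": bits, "nonce": nonce}


def verify_header_chain(headers) -> int:
    """Check prev-hash linkage and proof of work for every header; return the
    cumulative work. Transactions are never examined, so a block full of
    invalid transactions passes as long as its header carries enough PoW."""
    prev, work = b"\x00" * 32, 0
    for h in headers:
        f = parse_header(h)
        if f["prev"] != prev:
            raise ValueError("broken prev_hash link")
        target = bits_to_target(f["bits"])
        if int.from_bytes(dsha256(h), "little") > target:
            raise ValueError("insufficient proof of work")
        work += 2**256 // (target + 1)  # Bitcoin's per-block work formula
        prev = dsha256(h)
    return work


def mine_header(prev_hash, merkle_root, time, bits=EASY_BITS) -> bytes:
    """Constructed test data: search nonces until the (easy) target is met."""
    target = bits_to_target(bits)
    for nonce in range(1 << 32):
        h = header_bytes(1, prev_hash, merkle_root, time, bits, nonce)
        if int.from_bytes(dsha256(h), "little") <= target:
            return h
    raise RuntimeError("nonce space exhausted")
```

A Chain State Proof that validates block contents would have to add, inside the proof, the transaction and signature checks this function deliberately leaves out.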


Although the success rate of this attack scenario is very low, if an attacker could steal a huge amount of BTC, the Header Chain Proof cannot be regarded as foolproof. To prove the complete chain, we must directly prove that all contents of Bitcoin blocks are valid, including the secp256k1 elliptic-curve ECDSA and Schnorr signature verifications.

Bitcoin's blocks can contain 30 million signatures per month; historically there are a total of 2.5 billion signature operations and a large number of SHA-256 operations. The block data produced by the Bitcoin network is about 7 GB per month, and all historical data exceeds 650 GB. In practice this number may be 2 to 3 times higher.


Now let's look at BitVM again. BitVM allows Bitcoin to verify arbitrary computation and is the best path to SNARK verification that needs no protocol change. BitVM uses two techniques to get around the Bitcoin block size limit. First, it uses Taproot's Merkle tree script structure;

Second, it uses a KV storage scheme that can be accessed across individual scripts, allowing them to be linked into a super-script program. However, the Bitcoin protocol does not enforce the integrity of this KV storage. BitVM therefore has to check malicious provers via fraud proofs: if a prover publishes an invalid statement or a faulty KV store, others can submit a transaction on the Bitcoin chain proving the prover's misbehavior and take away its staked assets.


To sum up, Bitcoin faces major challenges, and many solutions to these problems have been proposed. However, these proposals will not be adopted quickly by the Bitcoin community, and protocol changes cannot be completed in a short time. That is not a bad thing: it also means Bitcoin is decentralized and safer.

Many in the Bitcoin community are excited about the potential of SNARKs/STARKs. The most viable method for implementing SNARK verification in the medium to long term is BitVM, but it needs more R&D investment to work in practice;

Re-enabling the OP_CAT opcode is also an option, but the benefit of restoring the opcode must outweigh the risk; it is also worth exploring which simple opcodes could allow SNARK verification in Bitcoin Script, or what scenarios functions similar to OP_CAT could enable. Whichever plan is chosen, the ultimate goal of the Bitcoin community must be to make the product practical and support more use cases.

    Original link: https://www.youtube.com/watch? V = grsczmfuy7u
