Reaction: Bitcoin zero-knowledge arms race begins

In case you missed it, Starkware, a company historically active in the Ethereum ecosystem, yesterday announced plans to dedicate significant resources to new Bitcoin expansion opportunities that have emerged over the past few months.

The group, a pioneer in zero-knowledge systems, has revealed plans to leverage OP_CAT to bring STARK technology to Bitcoin. The soft fork proposal allows zero-knowledge proofs to be verifiable natively, opening up a whole new design space for developers.

This announcement is considered by many to be a significant technical milestone for the Bitcoin protocol. Here are my unsolicited two cents on the matter.

It’s been a while since I came here

As Starkware CEO Eli Ben-Sasson pointed out in his announcement post, the idea of ​​using ideas about which you have zero knowledge to improve Bitcoin is not new. Developers have been discussing the application of this technology for more than a decade already. Ben-Sasson himself presented a very early concept of this idea at the 2013 Bitcoin Conference in San Jose. In 2017, Blockstream developers Gregory Maxwell, Pieter Wuille, and Andrew Poelstra co-published a research paper on the use of Bulletproof, a zero-knowledge protocol that supports confidential transactions in Bitcoin.

In recent years, BitVM creator Robin Linus began work on ZeroSync, a compression technology used to create zero-knowledge proofs of the Bitcoin blockchain. Once fully implemented, the resource requirements associated with running a Bitcoin node will be significantly reduced. In 2022, the Human Rights Foundation commissioned John Light, now a researcher at Alpen Labs, to write a full report on the feasibility of Bitcoin’s validity rollup using zero-knowledge proofs.

Zero-knowledge proofs have a wide range of applications, and we rarely hear about them. Many are expecting this technology to define the next era of computing, and I would be hard-pressed to bet against them. It is almost guaranteed that higher-level Bitcoin applications will start leveraging this soon and we can expect this trend to only increase from here.

It’s still too early

Most of the technological advantages associated with zero-knowledge cryptography have been achieved in the past decade. The field is developing rapidly as more cryptographers become interested in applying the technology. Researchers are competing to see who can save the most time and resources needed to generate and verify such evidence. As of now, most proof systems are still computationally expensive. Although each protocol has different pros and cons, it has been improved with a focus on verification so that general users can quickly and efficiently verify proofs. The pace of innovation has been relentless, but generating this evidence at scale can require specialized hardware and large-scale operations.

Despite the massive unlocks and significant achievements in the field, it is worth noting that 10 years is not an exceptionally long time in the cryptocurrency space. Many of the most recent proposals, while considered technically sound, utilize technology that is not as battle-hardened and tested as Bitcoin. In 2018, a hidden inflation bug was discovered in Zcash’s ZK-SNARK implementation that could allow attackers to counterfeit the currency. To be fair, the STARK configuration proposed by Starkware is considered much more secure due to its more transparent nature.
It’s hard to get excited about rollups.

It’s hard to get excited about rollups.

One of the motivations for this project is to enable zk-rollup in Bitcoin. For those unfamiliar, Rollup is a very popular product that uses off-chain sequencing to scale applications and throughput. Zk rollup or validity rollup proposes to generate evidence of the system’s transaction history so that users can independently verify it, allowing for off-chain systems that do not require additional trust assumptions.

Currently, none of the major rollup implementations on Ethereum have fully implemented this system. Each relies on a central operator who is responsible for verifying and ordering transactions. In the odd case where evidence is actually produced, only authorized actors can submit it to prevent fraud. Starkware’s Starknet does not currently provide a mechanism for users to force transactions to end on the system if the operator stops collaborating or the infrastructure goes down.

Almost all projects have billions of dollars in deposits that are effectively secured by multi-signature key sets. The same group of people that handle those keys can also upgrade the rollup contract and control the associated funds. A few days ago, Linea, the 6th largest rollup on Ethereum, was unilaterally shut down by the operator and all user funds were frozen due to the hack.

There is a more optimistic alternative. This may not be the place to write about, but a lot of work and resources are put into solving the problems described above. A significant amount of research will be required for a complete, unreliable vision to be realized.

Additionally, like Ethereum, rollups may evolve into curious complexities that only a few can tame.

BitVM Side Quest

The zero-knowledge race for Bitcoin began in earnest last year with the introduction of BitVM by Robin Linus. While Starkware is making headlines for its resume, several teams such as Alpen Labs, Citrea, and Bitlayer are actively researching ways to optimize zero-knowledge proofs for implementation.

It will be interesting to see what choices they make in the future and whether they are stubborn. There may be a strong case that OP_CAT offers a lot of efficiency, but it’s not yet clear what the trade-offs are. I expect many companies will continue to explore the BitVM path and simply emulate zero-knowledge computation. In both cases, it is important to point out that linking funds from the Bitcoin chain to other systems involves lightweight client security that is susceptible to reconfiguration attacks.

Last month, liquidity issues related to BitVM were given a lot of airtime. Considering the current user profile for these types of solutions, I find the idea that this will discourage anyone from participating is a bit vague. It may not be practical or sustainable, but honestly I’m not sure what market exists for it. Again, with users now depositing billions of dollars in multisig, everything else will seem almost untrustworthy in comparison.

More developer funding

Each million dollars allocated to fund research has a positive impact on the ecosystem. This is an encouraging development in increasing awareness of OP_CAT. It’s unlikely that the bug bounty will lead anywhere, but I’d be interested to see what more intensive work on the proof of concept and application yields. It’s easy to frown on where that money comes from, but ultimately the results of the effort will be judged on its technical merits. Bitcoin’s development process is not as easily influenced as some may believe.

It’s also important to remember that OP_CAT is only one piece of the script puzzle. Breakthroughs for specific use cases are exciting, but not enough to make you miss the big picture. None of these technologies are mature enough to pay significant dividends in the short term. Promoting upgrades seems somewhat imprudent today, when these systems still take years to reliably implement. If people want a centralized virtual machine, there are many sidechains to choose from.

We’re breaking new ground every day at this point, and it’s hard to even predict where we’ll be a month from now. I am cautiously optimistic about the progress being made in improving Bitcoin Script, but I feel it would be unfair to take any action at this time. You’ll need to let the dust settle for a while.