zkBitcoin: Zero-Knowledge Applications for Bitcoin
"We introduce a light multi-party computation protocol to verify zero-knowledge circuits on Bitcoin."
- "This enables two use-cases: stateless zkapps (zero-knowledge applications) that lock funds on Bitcoin until users unlock them using zero-knowledge proofs, and stateful zkapps that allow users to update, deposit, and withdraw from a zkapp using zero-knowledge proofs."
- "Since zero-knowledge proofs can’t be verified directly on Bitcoin (for lack of optimized opcodes) we use a multi-party committee to verify them off-chain and compute a single on-chain signature."
- "The protocol is akin to a minimal layer 2 on top of Bitcoin that uses Bitcoin as a data-availability layer."
- "Specifically, the committee in charge of verifying zero-knowledge proofs does not have to be connected to the chain as hashes of circuits (verifier keys) are stored in UTXOs on-chain, and the latest state of a (stateful) application is also stored and kept on-chain."
- "In the initial version of zkBitcoin we support PLONK proofs built using circom and snarkjs with parameters supporting circuits of 2 16 constraints maximum. We ignore proof systems like Groth16 which are heavily used on other networks like Ethereum, as it would mean supporting different parameters for different circuits."
"From what we understand, a better way to verify zero-knowledge proofs on Bitcoin is not going to happen, and this is the best we ca have. And we built it! And we're running it in testnet. Try it here!"
- "Our future plans include supporting larger circuits and more proof systems as there are no tangible blockers to enable that, finding an MPC committee that users can trust, and augmenting the protocol to allow for committee updates (in case of shares or members being compromised, and for new members to be able to join the committee)."
- "You can read more about zkBitcoin in our whitepaper, our documentation, and about advanced usage in our developer documentation."
