In July at Bitcoin Nashville, the BitcoinOS team achieved a groundbreaking milestone: we successfully verified the first zk-SNARK proof on the Bitcoin blockchain.
Today, we are proud to announce that we have open-sourced the BitSNARK verification protocol that made this technical feat possible. This makes us the first project to open-source technology that enables zero-knowledge cryptography on Bitcoin mainnet.
The initial open-sourcing applies to BitSNARK v0.1. BitcoinOS has already implemented a more advanced version in our existing tooling, which will be the next version to be open-sourced. However, BitSNARK v0.1 still represents a significant breakthrough for what is possible on Bitcoin.
Our technology showcases how zk-SNARKs—traditionally associated with Ethereum and other smart contract blockchains—can now be efficiently verified on Bitcoin. By bringing this powerful cryptographic tool to Bitcoin, we have entered a new era in which Bitcoin can absorb all of the features and functionality built out in the wider crypto ecosystem in a single, interoperable package.
Specifically, the BitSNARK Verification Protocol is a system that allows zk-SNARK proofs to be run on Bitcoin with no changes to Bitcoin’s core protocol. This opens the door for more complex decentralized applications and chains to roll up to the world's most secure blockchain. Therefore, developers can effectively upgrade Bitcoin in any fashion they like, all while inheriting Bitcoin’s ironclad security.
With this release, we want to expose our growing community to an early version of how this breakthrough was made possible on Bitcoin.
Our repo can be accessed here: BitSNARK Verification Repo.
This article gives an overview of the workflow of the BitSNARK verification protocol, explains it in detail, and invites more discourse and development.
Why zk-SNARKs Matter
A zk-SNARK is a cryptographic proof that allows one party (the Prover) to prove to another party (the Verifier) that they know a particular piece of information or that a computation was performed correctly—without revealing any additional details about the computation itself.
Through cryptography, it facilitates incredible compression of large computations into small verifiable proofs, enabling it to interact with a blockchain where blockspace is a scarce resource.
A key challenge is verifying these proofs efficiently on the Bitcoin mainnet. In the context of BitSNARK, zk-SNARKs are used to prove the validity of external events, such as the transfer or burn of funds on another blockchain, without having to reveal the specifics of those events on Bitcoin. Once the zk-proof has been verified on the Bitcoin chain, the underlying transactions have effectively been verified with Bitcoin network security.
The BitSNARK Verification Protocol
At its core, BitSNARK is a highly optimized protocol for efficient zk-SNARK verification that includes strong economic incentives to maintain honesty among all participants.
BitSNARK is designed as a two-party protocol for a prover and a verifier, where the prover initiates the execution by revealing the program’s input and its result, and the verifier can in turn dispute it if they believe the claim is incorrect.
- The Prover generates a zk-SNARK proof and submits it to the Bitcoin mainnet along with a stake of BTC. This stake is their "skin in the game"—if they are caught submitting a false proof, they stand to lose this stake.
- The Verifier reviews the proof. If they believe it is invalid, they can submit a challenge and enter a dispute with the Prover. If the Verifier wins the challenge, they claim the Prover’s stake. The Verifier incurs costs to challenge the Prover, including Bitcoin transaction fees and a predefined payment to the Prover.
When there are more than two operators, a two-party BitSNARK protocol is set up for each pair of agents, so that any successful two-party challenge blocks an invalid program execution.
Prover’s Stake: The Prover must put up a stake of BTC when they submit their proof. This stake acts as collateral and ensures that the Prover has something to lose if they submit a false proof. The size of the stake can vary, but it needs to be large enough to make dishonesty unprofitable. A larger stake indicates higher confidence from the Prover that their proof is correct.
Verifier’s Costs: The Verifier has two key costs when challenging a proof:
- Blockchain transaction fees: To issue a challenge, the Verifier must submit a transaction to the Bitcoin blockchain. These fees vary depending on network congestion and transaction size.
- Predefined payment to the Prover: If the Verifier challenges and loses, they must pay the Prover a predefined amount, which compensates the Prover for their costs in defending the proof.
BitSNARK creates a self-enforcing economic game where dishonesty is punished, and both parties are motivated to act truthfully.
What if There is a Discrepancy?
A discrepancy occurs when a Prover and Verifier disagree on the validity of a proof.
Once the Verifier challenges the Prover's proof, the protocol doesn’t simply rerun the entire BitSNARK verification process in one go. Instead, it uses a binary search to find the exact point of disagreement.
Binary search halves the possible search area in each step, making it highly efficient. This is crucial because verifying a BitSNARK on-chain could be too computationally expensive if done in one step.
- The process starts by cutting the program’s execution trace in half and asking the Prover and Verifier to agree on the state at that point.
- If they agree, the second half is where the error must lie; if they disagree, the problem is in the first half. This bisection continues until the exact point of discrepancy is found, which is typically achieved in a logarithmic number of steps. For a program with 2^26 steps, for example, it might take only 26 rounds to pinpoint the error.
Each step of the interactive protocol is a time-locked transaction, so that if a party walks away, they lose the game once that timeout has expired. The complexity of the protocol is O(log n), so the program being executed can be very large while the number of dispute steps stays small.
The search process can end in the following ways:
- If no challenge is entered during the allowed time or if the verifier fails to demonstrate a rejection, the funds are unlocked and the prover can make use of the funds.
- If the challenge is successful, the funds remain securely locked until any other operator initiates the withdrawal process on their own. The verifier is incentivized by receiving a sum from an output created beforehand by the prover in the initiating transaction.
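The dispute game described above, and the stake and challenge-payment rules from the section before it, as an added worked example in Python. This is illustrative code written for this article, not code from the BitSNARK repository: the "program" is a toy hash chain standing in for a real execution trace, the on-chain round is modelled as one loop iteration in which the prover reveals a midpoint state, and the prover walking away is modelled with a round budget (`prover_quits_after`) standing in for the time-lock expiring. The function names, the corrupted-trace construction and the payout amounts are all assumptions made for the example.

```python
import hashlib
import math
from typing import Optional


def step(state: bytes, i: int) -> bytes:
    """Toy deterministic program step (assumption: stands in for one step of a
    real execution trace). The next state commitment is a hash of the previous
    state and the step index."""
    return hashlib.sha256(state + i.to_bytes(4, "big")).digest()


def trace(initial: bytes, n_steps: int, fault_at: Optional[int] = None) -> list:
    """Compute the n_steps + 1 state commitments of the program. If fault_at is
    set, that step produces a wrong state, so every later state is also wrong:
    this models a party whose claimed result is false."""
    states = [initial]
    for i in range(n_steps):
        nxt = step(states[-1], i)
        if i == fault_at:
            nxt = hashlib.sha256(b"corrupted:" + nxt).digest()  # constructed fault
        states.append(nxt)
    return states


def bisect_dispute(prover_trace, verifier_trace, prover_quits_after=None):
    """Binary search for the first state the two parties disagree on.
    Invariant: both agree on state lo (initially the input) and disagree on
    state hi (initially the claimed result). Each loop iteration is one
    on-chain round: the prover reveals the midpoint state and the verifier
    says whether it matches its own. Returns (first_disputed_index, rounds,
    timed_out)."""
    lo, hi = 0, len(prover_trace) - 1
    rounds = 0
    while hi - lo > 1:
        if prover_quits_after is not None and rounds >= prover_quits_after:
            return hi, rounds, True  # prover stopped responding: time-lock expires
        mid = (lo + hi) // 2
        rounds += 1
        if prover_trace[mid] == verifier_trace[mid]:
            lo = mid  # agreement: the error must lie in the second half
        else:
            hi = mid  # disagreement: the error lies in the first half
    return hi, rounds, False


def resolve(prover_trace, verifier_trace, prover_quits_after=None):
    """Run the dispute to completion. Only a single step (agreed state -> first
    disputed state) is ever re-executed, which is what keeps the on-chain cost
    small. Returns (outcome, rounds)."""
    n_steps = len(prover_trace) - 1
    if prover_trace[-1] == verifier_trace[-1]:
        return "no_dispute", 0  # nothing to challenge; funds unlock after the timeout
    bad, rounds, timed_out = bisect_dispute(prover_trace, verifier_trace, prover_quits_after)
    if timed_out:
        return "verifier_by_timeout", rounds
    assert rounds <= math.ceil(math.log2(n_steps))  # O(log n) rounds, as the text states
    agreed = prover_trace[bad - 1]  # both parties agreed on this state
    if step(agreed, bad - 1) == prover_trace[bad]:
        return "prover", rounds  # prover's claimed step checks out; the challenge fails
    return "verifier", rounds  # prover's claimed step is wrong; the challenge succeeds


def settle(outcome: str, prover_stake: int, challenge_payment: int) -> dict:
    """Net position of each party (in sats, constructed values) under the text's
    rules: a losing prover forfeits the stake to the verifier, a losing verifier
    pays the predefined payment to the prover, no dispute releases the stake."""
    if outcome == "no_dispute":
        return {"prover": prover_stake, "verifier": 0}
    if outcome == "prover":
        return {"prover": prover_stake + challenge_payment, "verifier": -challenge_payment}
    return {"prover": -prover_stake, "verifier": prover_stake}  # by proof or by timeout


if __name__ == "__main__":
    start = b"\x00" * 32
    honest = trace(start, 1024)
    cheating = trace(start, 1024, fault_at=700)
    print(resolve(cheating, honest))          # ('verifier', 10)
    print(resolve(honest, cheating))          # ('prover', 10): needless challenge loses
    print(resolve(honest, honest))            # ('no_dispute', 0)
    print(settle("verifier", 100_000, 5_000))
```

Note the symmetry in `resolve`: whether it is the prover's or the verifier's trace that is corrupted, the bisection lands on the same step, and the one-step re-execution from the agreed state decides it. That is why a dishonest verifier cannot win by challenging an honest proof; they only pay the challenge payment.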
In practice, an honest prover should rarely be expecting a challenge. If he has posted an honest proof, the economic incentives make it irrational to challenge him. The verifier can harass an honest prover by challenging needlessly, but he's paying the prover dearly for the inconvenience. The truthful party will always win.
If it walks like a duck and quacks like a duck, you can’t prove that it is a dog, no matter how much you pay. The system is deterministic. The truth always wins.
Security Assumptions
While many systems rely on a majority vote in a threshold signature scheme for security, BitSNARK promises to provide stronger security by allowing a single honest agent to prevent abuse by any or all of the other agents. In other words, the security assumption is ‘1/n’, or one of many – rather than ‘m of n’, or a majority of many.
An initiating agent is required to create a transaction containing an output with some minimum amount of Bitcoin, which is forfeit to any verifier who successfully proves that the transaction is fraudulent. This in turn incentivizes agents to keep track of blockchain transactions in order to find opportunities to engage in the verification protocol. The verifier is also required to attach an output to his challenges in order to penalize verifiers for making challenges in non-fraudulent cases.
The result of this mutual incentive scheme is that the cost of engaging in the protocol does not fall on the user of the system; instead, it is covered by the dishonest participant. This “optimistic” approach allows us to keep costs down to a minimum.
Why BitSNARK Verification is Revolutionary for Bitcoin
What makes BitSNARK revolutionary is its ability to bring advanced cryptographic proofs and cross-chain functionality to Bitcoin mainnet—a network historically limited in its ability to handle complex operations. BitSNARK requires no changes to the core protocol, and its use of economic incentives ensures honesty without overwhelming the blockchain with computation.
By enabling decentralized atomic swaps, cross-chain transfers, and even 2-way pegging, BitSNARK opens up Bitcoin to a future where it can interact with other blockchains and roll up smart contract transactions to the Bitcoin mainnet. With its clever combination of cryptography and economics, BitSNARK ensures that the game of verification remains fair, efficient, and secure.
The Future of BitSNARK, Open Sourcing It, and What We Are Building
The BitSNARK Verification Protocol unlocks the door to a world of limitless possibilities for the Bitcoin ecosystem.
At the moment, Bitcoin developers are engaged in a space race of innovation for decentralized scaling technologies. By making the BitSNARK Verification Protocol open source, we aim to bring further understanding and experimentation to the Bitcoin world.
With this protocol open source, we hope that others can evaluate how it works, implement it, experiment with it and collaborate to improve and innovate together. We also believe it will create discourse and debate, which in turn will help innovation move faster.
While we have proven that zk-SNARKs can be run and verified on the Bitcoin mainnet, the potential applications go far beyond this initial milestone.
At BitcoinOS, we’re building tools and infrastructure that will expand the role of decentralized applications on top of the Bitcoin mainnet. By verifying BitSNARKs on the Bitcoin network we have taken the first step in that direction. Two major innovations on our roadmap are the Grail Bridge and Merkle Mesh.
The Grail Bridge
The Grail Bridge is a decentralized cross-chain bridge that will leverage the power of zk-SNARKs and the BitSNARK Verification Protocol to enable secure and trustless transfers of assets between Bitcoin and other blockchains. These include the myriad of Bitcoin L2s, sidechains, and even chains outside of the Bitcoin ecosystem.
What sets the Grail Bridge apart is its focus on decentralization, speed, and security, using zero-knowledge proofs verified on the Bitcoin mainnet instead of relying on centralized intermediaries like custodians.
Merkle Mesh
The Merkle Mesh is a high-performance network architecture designed to handle a vast number of decentralized zk-SNARK verifications at scale.
The Merkle Mesh enables parallel verification of multiple zk proofs by organizing them in a Merkle tree structure, ensuring fast and secure validation across the network. This approach will be critical for scalability, as more applications adopt zk-SNARKs.
The combination of BitSNARK, the Grail Bridge, and the Merkle Mesh positions BitcoinOS as the new foundation for a future of limitless, permissionless upgrades to Bitcoin. By open-sourcing the BitSNARK Verification Protocol, we are inviting the global developer community to explore and build on this framework, helping Bitcoin evolve into a network that is both the most secure and the most versatile.
The future of Bitcoin is one where decentralization, scalability, and interoperability are built into its core—and BitSNARK is the key to unlocking that potential.
If you are interested in learning more, or have questions about the tech, you can find us here: https://linktr.ee/bitcoinos