Written by Kyle Liu, Investment Manager at Bing Ventures
Key Takeaways
Zero-knowledge proofs can improve the privacy of Bitcoin because they can hide transaction details such as amount, address, inputs and outputs while preserving the validity and integrity of the transaction, thus preventing third parties from tracking and analyzing users' transaction activity.
Zero-knowledge proofs can improve Bitcoin's scalability by reducing the size of transaction data and the verification time. For example, using ZK-STARKs or their improved variants, multiple transactions can be batched together and verified with zero-knowledge proofs, saving space and time.
Zero-knowledge proofs can increase Bitcoin's capacity for innovation because they can support more functions and applications. For example, using ZK-SNARKs, more logic and computation can be implemented, and more complex and flexible contracts can be executed without exposing information or increasing overhead.
Ultimately, zero-knowledge proofs will make Bitcoin more trustless and decentralized, in line with its core values. As the technology continues to develop and mature, the potential of combining Bitcoin and ZKP will continue to be explored.
More and more teams are adopting zero-knowledge proof technology in blockchain infrastructure and dApps, but most of these projects are built on Ethereum. Bitcoin and zero-knowledge proofs are in fact a natural fit, yet this field currently lacks the attention it deserves. What will combining zero-knowledge proof technology with Bitcoin bring to the Bitcoin network? In this Bing Ventures research article, we explore this topic from the perspective of technical principles and application prospects.
A zero-knowledge proof (ZKP) is a mathematical method that allows one party (the prover) to convince another party (the verifier) that a statement is true without revealing anything beyond the truth of that statement. This makes it very effective for protecting privacy, because the prover can convince the verifier without disclosing the underlying secret.
Bitcoin is a natural match for zero-knowledge proofs. Bitcoin is a decentralized virtual currency that uses a blockchain to record transactions, and all transaction information is public. This means that Bitcoin transaction information can be viewed by anyone, so there is a risk of privacy leakage. Zero-knowledge proofs can address this problem.
By using zero-knowledge proofs, Bitcoin users can conceal transaction information and prove its validity without leaking it, achieving a higher level of privacy protection. Zero-knowledge proofs can also improve the scalability of Bitcoin. Currently, the transaction speed of Bitcoin is limited by the size of the blockchain and by network congestion, which limits its use in large-scale commercial applications. By using zero-knowledge proofs, however, large batches of transaction information can be compressed into a very small proof, improving Bitcoin's scalability and efficiency.
Background and Rationale
ZK-SNARKs and ZK-STARKs
ZK-SNARKs and ZK-STARKs are both variants of zero-knowledge proofs; what they have in common is that they prove the validity of certain data or operations without revealing sensitive information. However, their implementation methods, performance, and scope of application differ.
ZK-SNARKs (Zero-Knowledge Succinct Non-Interactive Argument of Knowledge) are a zero-knowledge proof technology based on elliptic curve cryptography. They can transform a complex computational problem into a very small proof that requires no interaction. This means that ZK-SNARKs can verify the correctness of a computation without leaking any information about the computation. The application areas of ZK-SNARKs mainly include cryptocurrency and privacy protection.
ZK-STARKs (Zero-Knowledge Scalable Transparent Argument of Knowledge) are a newer type of zero-knowledge proof technology that is more flexible and secure than ZK-SNARKs. The implementation of ZK-STARKs does not rely on elliptic curve cryptography but on hash functions and polynomial interpolation. This makes ZK-STARKs more reliable, because they do not rely on unpredictable mathematical problems but on the irreversibility of hash functions. In addition, the proof size of ZK-STARKs is larger than that of ZK-SNARKs, but they offer better proof verifiability, so they can be applied to a wider range of fields, such as distributed computing and IoT security.
The Difficulty of Using Zero-Knowledge Proof in Bitcoin
Take Zcash as an example. Zcash uses ZK-SNARKs, a zero-knowledge proof technology, to hide detailed transaction information, including transaction amounts and participant identities, and thereby achieve better privacy protection. The technical principle of Zcash's use of ZK-SNARKs is as follows:
There are two types of addresses in Zcash: transparent addresses (t-addresses) and shielded addresses (z-addresses). Transparent addresses are similar to Bitcoin addresses and disclose transaction amounts and participants on the blockchain. Shielded addresses use zero-knowledge proofs to protect the privacy of transaction amounts and participants.
When a user sends funds from one shielded address to another, they need to generate a ZK-SNARK proof showing that they have enough funds and are not spending funds that have already been spent. This process involves complex mathematical and cryptographic operations, such as generating public parameters, computing hashes, and constructing arithmetic circuits.
Generating ZK-SNARK proofs requires a lot of computing resources and time, but verifying them is very fast and simple. The verifier only needs to check whether the transaction complies with the rules of the blockchain, without learning anything about the transaction amount or participants.
By using ZK-SNARKs, Zcash can achieve fully anonymous yet verifiable transactions, improving user privacy and usability while maintaining the security and decentralization of the blockchain.
However, the zero-knowledge proof technology used by Zcash also has some limitations. First, Zcash is based on the UTXO model, which means that transaction information is not completely obscured, only shielded. Attackers can therefore infer useful information by analyzing the patterns and flows of transactions. As a result, the privacy protection Zcash provides is not fully reliable.
Second, Zcash is an independent network based on Bitcoin, which makes it harder to integrate with other applications. This limits its wider applicability and further hinders its development. Although Zcash implements private transactions, its actual usage rate is not high. One reason is that the cost of a private transaction is much higher than that of a public one, which limits its scope of application.
Technical advantages of ZK-STARKs
Using ZK-SNARKs on Bitcoin can indeed achieve anonymity and privacy protection for transactions, but the technology has some disadvantages, such as the need for a trusted setup and dedicated equipment and the need for large amounts of computing and storage resources. To address these problems, newer zero-knowledge proof technologies such as ZK-STARKs have emerged.
In simple terms, the ZK-STARKs process consists of the following steps:
The prover converts the computation they want to prove into a system of polynomial equations with the secret information as variables.
The prover performs a series of transformations and simplifications on this system of equations to obtain a simpler system.
The prover samples and encodes this simplified system to obtain a low-dimensional vector.
The prover hashes and signs this vector to obtain a short string, which serves as the proof.
After receiving this string, the verifier can check whether it is correct using some public parameters and algorithms, without knowing the secret information or the original computation.
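The five steps above, as an added toy implementation in Python (example code, not from the article or from any STARK library): a Fibonacci-style trace whose first two values are secret and whose last value is public is interpolated into a polynomial, the transition and boundary constraints become quotient polynomials, their evaluations on a larger domain are committed to with a Merkle tree, and the query positions are derived from that commitment (Fiat-Shamir) so no interaction is needed. The field, domain and query count are assumed toy parameters; the low-degree test (FRI) that makes a real STARK sound and the masking that makes it zero-knowledge are deliberately omitted, so this shows the structure of the pipeline rather than a secure proof system.

```python
import hashlib, math, random

P, N = 2**31 - 1, 8                # toy prime field; trace a_0..a_7 with a_0, a_1 secret and a_7 public
OFF, DLEN, QUERIES = 1000, 64, 4   # evaluation domain OFF..OFF+DLEN-1, disjoint from the trace domain 0..N-1

def inv(a): return pow(a, P - 2, P)
def H(*parts): return hashlib.sha256("|".join(map(str, parts)).encode()).hexdigest()
def Z(x): return math.prod((x - k) % P for k in range(N - 2)) % P   # vanishes on the transition domain 0..N-3
def poly_eval(ys, x):              # Lagrange: the polynomial through (k, ys[k]), k = 0..len(ys)-1, evaluated at x
    L = lambda i, t: math.prod((t - j) % P for j in range(len(ys)) if j != i)
    return sum(y * L(i, x) * inv(L(i, i)) for i, y in enumerate(ys)) % P
def merkle(leaves):                # tree layers over hashed leaves; len(leaves) must be a power of two
    layers = [leaves]
    while len(layers[-1]) > 1:
        l = layers[-1]; layers.append([H(l[i], l[i + 1]) for i in range(0, len(l), 2)])
    return layers
def mk_path(layers, i):
    path = []
    for l in layers[:-1]: path.append(l[i ^ 1]); i //= 2
    return path
def mk_check(root, i, leaf, path):
    for sib in path: leaf, i = (H(leaf, sib) if i % 2 == 0 else H(sib, leaf)), i // 2
    return leaf == root
def queries(root, out):            # Fiat-Shamir: query positions derived from the commitment, no interaction
    rng = random.Random(H(root, out))
    return [rng.randrange(DLEN - 2) for _ in range(QUERIES)]

def prove(a0, a1):
    trace = [a0, a1]                                   # step 1: the computation as an execution trace
    while len(trace) < N: trace.append((trace[-1] + trace[-2]) % P)
    out, rows = trace[-1], []
    for x in range(OFF, OFF + DLEN):                   # step 3: encode the trace polynomial on a larger domain
        p0, p1, p2 = (poly_eval(trace, x + k) for k in range(3))
        q = (p2 - p1 - p0) * inv(Z(x)) % P             # step 2: transition constraint P(x+2)-P(x+1)-P(x) = Z(x)*Q(x)
        b = (p0 - out) * inv(x - N + 1) % P            # boundary constraint P(N-1) = out, also as a quotient
        rows.append((p0, q, b))
    layers = merkle([H(*r) for r in rows]); root = layers[-1][0]   # step 4: hash (Merkle) commitment
    opens = {i: (rows[i], mk_path(layers, i)) for j in queries(root, out) for i in (j, j + 1, j + 2)}
    return {"root": root, "out": out, "opens": opens}

def verify(pf):                                        # step 5: spot-check using only public parameters
    root, out = pf["root"], pf["out"]
    for j in queries(root, out):
        idx = (j, j + 1, j + 2)
        rows = [pf["opens"].get(i) for i in idx]
        if any(r is None or not mk_check(root, i, H(*r[0]), r[1]) for i, r in zip(idx, rows)): return False
        x, (p0, q, b), (p1, _, _), (p2, _, _) = OFF + j, rows[0][0], rows[1][0], rows[2][0]
        if (p2 - p1 - p0) % P != Z(x) * q % P or (p0 - out) % P != (x - N + 1) * b % P: return False
    return True
```

verify() accepts prove(1, 1) (public output 21) and rejects a proof whose claimed output or opened row has been altered; a real STARK replaces the per-row spot-check with a low-degree test.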
Compared with ZK-SNARKs, ZK-STARKs have the following advantages:
ZK-STARKs do not require a trusted setup, that is, there is no need to trust a specific parameter generator, which improves the security of the technology.
ZK-STARKs can better adapt to lightweight devices and a wider range of application scenarios because they require fewer computing and storage resources. This is because their proof generation process is more efficient than the complex encryption and decryption operations required by ZK-SNARKs. In addition, ZK-STARKs can better exploit parallel and distributed computing, so that computing tasks can be processed more efficiently in some cases.
ZK-STARKs can also support more algorithms and operations, such as hash functions and polynomial operations, which opens up more possibilities for extending and upgrading the technology.
Combination of Bitcoin and ZK-STARKs
EC-STARKs Technology
STARKs are a new type of cryptographic proof technology that allows data to be shared with third parties while maintaining its privacy. The technology can move the computation and storage needed for verification off-chain, thereby improving scalability. Compared with ZK-SNARKs, STARKs are more advanced and can resist attacks from quantum computers.
EC-STARKs are the next generation of STARKs, aiming to improve the scalability and security of Bitcoin by replacing hash functions with elliptic curves. This technology can make scalability solutions that already exist on Ethereum compatible with Bitcoin. Using EC-STARKs, the Bitcoin protocol can be run off-chain and the proofs stored in STARKs.
In short, Bitcoin can be emulated inside STARKs, allowing highly complex protocols to be built on Bitcoin-based tokens using the same elliptic curve keys. With EC-STARKs, Bitcoin protocols can run off-chain while their proofs are kept in STARKs. This approach not only improves Bitcoin's scalability but also allows highly complex protocols to be built on Bitcoin with greater privacy.
This technology takes Bitcoin's scalability and privacy to a whole new level, making Bitcoin a better platform for developers to build more sophisticated applications on, and a more solid cryptocurrency.
The future of ZK-STARKs in Bitcoin
The application of ZK-STARKs is also in line with Bitcoin's conservative design philosophy. It does not require a trusted setup, but uses technologies such as hash functions, Merkle trees, and polynomials to improve Bitcoin's transparency and security. One advantage of EC-STARKs on Bitcoin is improved privacy, because transaction details need not be disclosed. Another is reduced storage requirements, because large amounts of data can be compressed into a small proof. One challenge of EC-STARKs on Bitcoin is that they require more computing resources, because complex mathematical operations must be performed. Another is that they require more coordination and standardization, because they must be compatible with Bitcoin's existing protocols and infrastructure.
From the perspective of technical implementation, the application of ZK-STARKs can be divided into light nodes, full nodes, and verification methods. Light nodes can use STARKs to prove the state of block headers and achieve fast synchronization. Full nodes can implement validity proofs over the UTXO state, using Utreexo to represent the UTXO state in a new format so that the entire UTXO set need not be examined. In terms of verification, only the Utreexo root plus the final state is needed to start verifying an incoming block.
In addition, there are many potential directions for applying ZK-STARKs. For example, by combining them with the Taro protocol, Bitcoin can be turned into a more universal asset, further expanding its application scenarios. Combining ZK-STARKs with Taro can improve the scalability of the Taro protocol, enabling it to process more transactions and support larger-scale applications, which will open the door to multi-chain deployment of Taro. Moreover, the privacy of Bitcoin has always been a problem, and applying ZK-STARKs can greatly improve it: using ZK-STARKs, an entire transaction history can be compressed into a single transaction, effectively hiding users' transaction information.
What to watch for in the future
Furthermore, ZK-STARKs can be used to verify Bitcoin transactions, including the serialization of Bitcoin transactions, double-SHA-256 calculations, secp256k1 operations, and so on. These operations are the core of Bitcoin transaction verification, and using ZK-STARKs can ensure that the verification process is highly secure and reliable. ZK-STARKs can also be used with Cairo built-in functions that accelerate Bitcoin verification. Cairo is an efficient zero-knowledge proof system, and combined with built-ins that accelerate Bitcoin operations it can achieve efficient and secure Bitcoin transaction verification.
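The serialization and double-SHA-256 steps mentioned above, as an added Python example (not code from the article): a legacy transaction is assembled field by field, and its txid is the byte-reversed double SHA-256 of the raw bytes. The fields of the public genesis-block coinbase transaction are assumed as the sample input, which gives a known-answer check.

```python
import hashlib
from collections import namedtuple

TxIn = namedtuple("TxIn", "prev_txid prev_index script_sig sequence")   # prev_txid: hex in display order
TxOut = namedtuple("TxOut", "value_sat script_pubkey")

def sha256d(data):                     # Bitcoin's double SHA-256
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def varint(n):                         # CompactSize integer used for counts and script lengths
    if n < 0xfd: return bytes([n])
    if n <= 0xffff: return b"\xfd" + n.to_bytes(2, "little")
    if n <= 0xffffffff: return b"\xfe" + n.to_bytes(4, "little")
    return b"\xff" + n.to_bytes(8, "little")

def varbytes(b): return varint(len(b)) + b

def serialize(version, vin, vout, locktime):   # legacy (pre-segwit) serialization, integers little-endian
    raw = version.to_bytes(4, "little") + varint(len(vin))
    for i in vin:
        raw += bytes.fromhex(i.prev_txid)[::-1]                  # outpoint hash is stored byte-reversed
        raw += i.prev_index.to_bytes(4, "little") + varbytes(i.script_sig) + i.sequence.to_bytes(4, "little")
    raw += varint(len(vout))
    for o in vout:
        raw += o.value_sat.to_bytes(8, "little") + varbytes(o.script_pubkey)
    return raw + locktime.to_bytes(4, "little")

def txid(raw):                         # txid = double SHA-256 of the raw bytes, displayed byte-reversed
    return sha256d(raw)[::-1].hex()

# Public genesis-block coinbase fields, assembled here as a known-answer check.
GENESIS_PUBKEY = bytes.fromhex(
    "04678afdb0fe5548271967f1a67130b7105cd6a828e03909a67962e0ea1f61deb6"
    "49f6bc3f4cef38c4f35504e51ec112de5c384df7ba0b8d578a4c702b6bf11d5f")

def genesis_coinbase():
    headline = b"The Times 03/Jan/2009 Chancellor on brink of second bailout for banks"
    script_sig = bytes.fromhex("04ffff001d0104") + bytes([len(headline)]) + headline   # pushes: nBits, 4, text
    vin = [TxIn("00" * 32, 0xffffffff, script_sig, 0xffffffff)]          # coinbase spends the null outpoint
    vout = [TxOut(50 * 100_000_000, b"\x41" + GENESIS_PUBKEY + b"\xac")]  # P2PK: push65 <pubkey> OP_CHECKSIG
    return serialize(1, vin, vout, 0)

if __name__ == "__main__":
    raw = genesis_coinbase()
    print(len(raw), "bytes; txid", txid(raw))
```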
ZK-STARKs can also be used to implement Taro primitives and asset TLV serialization, as well as MS-SMT implementation and verification. These operations can effectively protect the privacy and security of Bitcoin transactions and further improve their credibility and reliability. As a second-layer solution for Bitcoin transactions, the Lightning Network can achieve more efficient and secure Bitcoin transactions by incorporating ZK-STARKs: Bitcoin transactions on the Lightning Network can be verified quickly without sacrificing transaction privacy.
We are seeing more and more teams adopting zero-knowledge proof technology in blockchain infrastructure and dApps. Some of these new solutions may have the potential to accelerate the application of zero-knowledge proofs in the blockchain space and improve privacy and scalability. However, most of these projects are built on Ethereum, while Bitcoin lacks the attention it deserves in the field of zero-knowledge proofs. Worse, engineering practice has in some sense not caught up with academic results. We need more implementation and exploration in this area, and the field deserves more attention and support.