原文标题:ZK ROLLUPS ARE COMING TO BITCOIN. HERE’S ALL YOU NEED TO KNOW

Original link: https://bitcoinmagazine.com/technical/zk-rollups-are-coming-to-bitcoin-heres-all-you-need-to-know

Original author: Namcios

Translated by: Yonggeqi

Zero-knowledge rollups are coming to Bitcoin. Two different projects recently took key steps toward bringing the technology to Bitcoin, a development that promises to help the cryptocurrency scale further and provide additional privacy guarantees to those who use it.

Chainway announced last week that it has open-sourced its Data Availability (DA) adapter, which allows developers to leverage Bitcoin’s security and finality to develop Rollups for use with the Sovereign software development kit (SDK). Sovereign provides developers with bundled services to build different types of Rollups, and Chainway’s release aims to implement Bitcoin’s first zero-knowledge Rollup.

Kasar Labs and Taproot Wizards coincidentally released a DA adapter for Bitcoin at the same time. This adapter allows developers to connect the Madara technology stack to Bitcoin to run Rollups based on the Cairo programming language created by StarkWare, thus achieving a technical overlay effect.

What is ZK Rollup?

Rollups batches together transactions that are not standard Bitcoin transactions, such as transactions on certain sidechains, and publishes them to blocks on the underlying blockchain (such as Bitcoin). This greatly reduces the computational cost of verifying these transactions while benefiting from the security of the Layer1 blockchain to a certain extent.

From this perspective, Rollup transactions are based on Bitcoin. Users then run a node designed for that sidechain that can parse the data posted to Bitcoin and establish account balances. This means that everyone needs to run a full node of another protocol - which is not scalable. This is where the ZK part comes into play.

ZK rollups leverage zero-knowledge proofs, a type of cryptographic proof that ensures computational integrity without compromising privacy. It allows a prover to prove to a verifier with mathematical certainty that a computational statement is correct without revealing details of the specific information used to compute that proof. This is important in the context of rollups because it allows any observer to verify those statements or transactions simply by knowing the final proof. The use of ZK rollups enables people to obtain proofs of the latest state from Bitcoin with mathematical certainty while retaining complete privacy.

The benefits of ZK Rollup include that users do not need to receive payments online, only need to obtain payment data on the chain when possible, do not need to manage liquidity, and do not rely on the fees of the Bitcoin base layer. In addition, through ZK rollup, developers can add any desired programming environment on top of Bitcoin, such as Turing-complete smart contracts.

In zero-knowledge proofs, there are two main mathematical techniques: SNARKs and STARKs. The former, Succinct Non-interactive Arguments of Knowledge, predates the latter and is used in cryptocurrencies like Zcash, providing users with a high level of privacy. Scalable Transparent Arguments of Knowledge, STARKs, were developed later and are designed to provide better security and scalability on top of the required privacy. This is because SNARKs rely on a trusted setup to generate the proofs, while STARKs are designed to be completely trustless, and while SNARKs are vulnerable to quantum computing, SNARKs have post-quantum security.

Given Bitcoin’s history of virtually no downtime and deep reorg resistance, it is the most suitable cryptocurrency for Rollup transactions because they rely on the main chain to obtain the critical data that users need to spend. The main chain also ensures that the Rollup remains active and available.

In order for ZK rollups to be properly implemented on Bitcoin and allow users to trustlessly bridge between BTC and Rollup, a soft fork of Bitcoin is required. This soft fork will add a new opcode to the oldest cryptocurrency that will make Bitcoin natively aware of and able to verify ZK rollup. If this happens, users will only need to run a Bitcoin node to be able to reliably verify, understand their accounts and balances, and be able to withdraw funds from Rollup.

The two projects mentioned above do not assume a soft fork of Bitcoin. Instead, they leverage the Ordinals protocol to avoid new opcodes. More specifically, they leverage the concept of inscription engraving, an innovation brought by Ordinals that allows developers and users to encapsulate any type of data by using a specific flag and a few opcodes. For Ordinals, that flag is "ord".

The signs at the beginning of the seal paired with the opcode serve a dual purpose. First, they let Bitcoin nodes know that they can skip the information because it is not relevant to the Bitcoin network. Second, they provide contrary information to users and applications that are aware of the seal, letting them know that something they are interested in is there. In the case of ZK rollups, users can scan these inscriptions in Bitcoin blocks to learn the latest state of the rollup and use ZK rollups for mathematical verification.

Now that we’ve learned about ZK rollup, let’s talk about the two projects we introduced earlier and explore the unique features of their designs.

SOVEREIGN

The Sovereign SDK has three main goals. First, it seeks to provide a standard interface for Rollup to communicate with the DA layer, making it easier to deploy Rollup on new DA layers and for new chains to support existing Rollup. Second, it integrates with a cryptographic compiler to convert the business logic of the code into a cryptographically verifiable form. Finally, it provides default implementations of common blockchain primitives such as tokens, NFTs, and bridges.

As mentioned before, Chainway’s DA adapter is designed to make it easier for applications built with the Sovereign SDK to connect to Bitcoin. In other words, the adapter allows Sovereign sidechains to use Bitcoin as their DA layer, which was not possible before. Data availability is critical to sidechains because it allows for trustless verification of computations performed outside the mainchain, and users need to be able to verify or modify their balances as well as withdraw funds from the sidechain.

In order to include a Sovereign transaction in a Bitcoin block, users relay their transactions to a so-called sorter. In Chainway’s DA adapter design, the sorter is run by the foundation itself, and it is responsible for establishing this connection between the sidechain and Bitcoin, ensuring that all transactions forwarded by users are published to Bitcoin via ZK Rollup.

This sounds a bit centralized, and it is. However, given the existence of proof-of-validity technology (ZK-STARK), sequencers are actually almost unable to act maliciously. This is because the proof privately confirms the legitimacy of the transaction and can be verified by anyone. For example, sequencers cannot embezzle user funds or perform unauthorized transactions. But in theory they can censor users' transactions by not including them in Bitcoin blocks and retaining this data. If this happens for some reason, the user can choose to publish their transaction data on Bitcoin by writing this information to Bitcoin.

Chainway said that in the future they plan to achieve decentralized sequencing through a network of small sequencers, where participation will be permissionless and based on staking.

STARKNET

Similar to Sovereign, Starknet also seeks to allow for the scaling of Rollups. However, Starknet is a more opinionated ecosystem with clear components for developers to leverage, including Cairo, CairoVM, and Madara.

Starknet is a ZK rollup currently running on top of Ethereum, which means that the rollup relies on the blockchain created by Vitalik Buterin as its DA layer. It leverages STARK proofs to provide the privacy and security assumptions required by users, as well as batching transactions before publishing proofs and new states to Layer1 to improve scalability and reduce transaction costs.

Cairo is a Turing-complete programming language for writing provable programs, where one party can prove to another party that a certain computation was performed correctly without requiring that party to re-execute the same program. It is the first production-grade platform for generating STARK proofs for general-purpose computation.

The Cairo Virtual Machine (VM) takes the bytecode generated by the compiler and runs it on your computer. The output of this run is a trace of the program, which can then be sent to a STARK Prover to prove the validity of the statements expressed in the code.

Madara is the sorter for the Starknet stack, helping developers power their Starknet-based ZK rollups.

Until recently, all of these software stacks were only available on top of Ethereum. Now, Kasar Labs and Taproot Wizards have launched the Bitcoin DA adapter, designed to allow developers to anchor rollups built using the open source version of Starknet to the original and most secure cryptocurrency network.

Does Bitcoin need ZK Rollups?

Essentially, Bitcoin doesn’t need to change much. It’s fair to say that it works extremely well in its current state, and as an electronic cash system, there is little reason to think that Bitcoin needs to change fundamentally in order to continue to solve the double-spending problem. However, scalability is a real need, and technologies like the Lightning Network have proven to be very useful in allowing more users to participate in Bitcoin’s economic transactions who might otherwise be unable to.

ZK rollups offer another way to look at Bitcoin. The two projects listed above do not require any actual changes to Bitcoin itself to function, but consensus changes to introduce new opcodes are needed if the full functionality of the technology is to be realized. For now, this research into ZK rollups seems to be trying to push the boundaries of what is possible with Bitcoin, which is a good thing for Bitcoin users if the goal is to increase the pool of possible Bitcoins, just like the Lightning Network did.

The similarities to the Lightning Network are obvious, as rollups also work by batching together multiple transactions before publishing a single source of truth to Bitcoin. Of course, ZK Rollup takes a very different approach than the Lightning Network, and rightly so. The technology doesn’t seek to compete with the tried-and-true cheap payments Layer 2 that Bitcoin enthusiasts have grown to love. Instead, Rollups look at other problems and try to devise other solutions.

Another Bitcoin scaling technology that will eventually enable private, complex computations that rely on mathematical proofs sounds attractive to those seeking to do more with Bitcoin. Likewise, the ability to bridge BTC in and out of Rollups completely trustlessly will depend on this opcode. But even so, the idea is there.

It is not clear whether ZK sidechains will gain widespread adoption on Bitcoin. Bitcoin already has sidechains. Liquid has been active on Bitcoin for years but has yet to see significant transaction volume. An argument could be made that in the case of Liquid, the presence of a federated model is a disadvantage, while ZK sidechains are more advantageous in this case. Perhaps sidechains will meet the same fate as Liquid, with low transaction volume and less interest — as Bitcoin users continue to choose to simply “hoard and hold.” Or it may open up new areas of Bitcoin development and usage.

Still, whether the end result is success or failure, exploring these developments through high-quality research is a natural and necessary endeavor. There is something to be learned from either outcome. In either case, one thing is certain — Bitcoin will continue to hash and produce blocks, allowing all users to enjoy the monetary finality of hard money without having to worry about any of that. And that’s a wonderful thing.