Their whitepaper is pretty bad at explaining what this tech is, and their docs aren't much better. I'll give it my best shot, but if anyone from Sovryn is reading, please correct me if I'm wrong here.
The whitepaper introduces two technologies, "Grail" and "BitSNARK", which I assume taken together are the 'framework' they call BitcoinOS.
They claim BitSNARK is a more efficient version of BitVM for the specific case of validating ZK rollups, but they fail to elaborate on how they made it more efficient and how it works internally, beyond the high-level overview given on page 3. The main raison d'être of BitSNARK seems to be to act as an on-chain enforcement mechanism for settling smart contract disputes using zero-knowledge proofs (Groth16 SNARKs) as the ultimate source of truth for who 'wins' the settlement. Basically this is BitVM specifically instantiated for SNARK verification.
Also, Groth16 requires a per-circuit trusted setup and produces "toxic waste", and their paper doesn't clarify how they deal with that. Who does the trust fall on? What are the consequences if the trusted parties misbehave and keep their toxic waste?
As for Grail, it seems to be a procedure used to 'transfer' bitcoin in and out of an L2/sidechain, using BitSNARK (BitVM+ZKP). This type of procedure seems to be a hot topic for businesses these days. Full disclosure: I'm doing some work for a company who is building something similar, except with multisig escrow instead of an on-chain ZKP verifier.
Grail Bridge
The bridge is intended to allow users to transfer assets between the Bitcoin blockchain and an L2 (Layer 2) network
Operators can lock funds on the Bitcoin side by sending them to Taproot addresses created using BitSNARK. The funds are thereby locked in a UTXO until a SNARK proof is provided that allows them to be retrieved. On the L2 side, the operator sends a SNARK proof to the bridge smart contract, thereby causing the bridge to mint tokens to the operator’s wallet. In the reverse process, an operator burns their tokens via the smart contract, thereby obtaining a SNARK proof that allows the operator to retrieve their funds, on the Bitcoin side, from the UTXO, using the BitSNARK protocol.
So the "Unlimited Smart Contracts and Scalability" claim they have emblazoned on their website isn't occurring on bitcoin - it's occurring off-chain, and the framework they've designed is just an engine (powered by BitVM and SNARKs) to allow people to wrap bitcoin which they can then use on smart contracts inside the given L2.
Ultimately users still need to choose their L2 wisely because a bug or hack in the L2 will destroy the wrapped bitcoins, and prevent users from creating valid proofs to reclaim the actual Bitcoins proper.
For example, if you used Grail to wrap BTC onto Ethereum, and then deposited that wrapped-BTC in a poorly coded ETH smart contract which gets hacked, then you're shit-outta-luck - the hacker can burn the wrapped-BTC and create a proof which lets them sweep away your mainchain BTC, and you can't do anything about it. Your money would be just as gone as if you'd just sent your BTC straight to the hacker in the first place.

Overall rating: 6/10. Highly efficient ZKPs enforced on Bitcoin is exciting and I would like to know more about how their 'BitSNARK' system actually works. I think Sovryn is focusing on the wrong use case with Grail though. Instead of bridging Bitcoin to shitcoins, they should be focusing on using BitSNARK to create more powerful expressive tools on L1 bitcoin.
100 sats \ 1 reply \ @Cje95 OP 26 Jul
Thank you for this fantastic breakdown! I have a couple of questions; if you are able to clarify some things with this, I'd appreciate it! What is toxic waste in the way you are mentioning it and what does it do? Also, could you explain a little what the difference is between a multisig escrow instead of an on-chain ZKP verifier?
Thanks in advance!
reply
Many zero-knowledge proving systems, including Groth16, require something called a 'trusted setup ceremony', where one or more people (usually a commonly trusted set of third parties) create some secret data and some corresponding public data. The public data from this ceremony can then be used to create and verify zero-knowledge proofs. The important part of the ceremony is that the secret data (often called 'toxic waste') must be deleted unrecoverably.
If that toxic waste isn't deleted, it can be used to create fraudulent proofs indistinguishable from valid proofs.
There are more powerful ZKP systems like STARKs available these days, which do not require trusted third parties, but their proofs are much larger and slower to verify. Most blockchain applications prefer SNARKs for performance.
Also, could you explain a little what the difference is between a multisig escrow instead of an on-chain ZKP verifier?
Sovryn's on-chain ZKP verifier is basically a BitVM smart contract holding a user's BTC in escrow, which says: "release these coins to whomever can provide a proof that X tokens were burned on Y other blockchain". How that proof is constructed I don't know... But if such a proof can be verified on Bitcoin (using their flavor of BitVM) then the prover is entitled to get their escrowed bitcoin back.
A multisig escrow is much simpler, faster, and more efficient on-chain, but requires more trust. A user deposits money into a 2-of-2 multisig, where the first key belongs to the user, and the second key is a FROST threshold key belonging to some group of independent auditors. Those auditors watch the other blockchain and promise to sign a refund transaction when the user burns their wrapped BTC tokens.
Naturally the auditors could withhold that signature, or go offline, and the user doesn't get their money back. Hence the higher trust level. But with a diverse enough group, that risk can be mitigated, and there's zero risk of the user's Bitcoins being stolen because the user holds one of the necessary signing keys.
reply
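The toxic-waste point in the reply above can be seen in miniature with a Pedersen commitment, whose public parameter hides a trapdoor in the same way a ceremony's output does. This is an added example, not code from the thread or from Sovryn, and it is an analogue rather than Groth16 itself; the group parameters, function names and sample values are constructed for illustration and are far too small for real use.

```python
# Toy Pedersen-commitment analogue of a trusted setup (NOT Groth16).
# All parameters and values below are constructed for this example.
import secrets

P = 1019   # small safe prime, P = 2*Q + 1
Q = 509    # prime order of the subgroup generated by G
G = 4      # generator of the order-Q subgroup of Z_P*

def ceremony():
    """Return (public_h, toxic_waste). An honest party deletes toxic_waste."""
    tau = secrets.randbelow(Q - 1) + 1   # secret trapdoor in 1..Q-1
    return pow(G, tau, P), tau           # h = G^tau is published

def commit(h, value, blind):
    """Commit to `value` under public parameter h with blinding factor `blind`."""
    return (pow(G, value % Q, P) * pow(h, blind % Q, P)) % P

def verify(h, commitment, value, blind):
    """Verifier's check. It uses only public data, never tau."""
    return commitment == commit(h, value, blind)

def forge_opening(tau, value, blind, fake_value):
    """With a retained tau, compute a blinding factor that opens the SAME
    commitment to fake_value: value + tau*blind == fake_value + tau*new_blind (mod Q)."""
    return (blind + (value - fake_value) * pow(tau, -1, Q)) % Q

def demo():
    h, tau = ceremony()
    c = commit(h, 100, 77)                        # honest commitment to 100
    fake_blind = forge_opening(tau, 100, 77, 5)   # setup party kept tau
    honest_ok = verify(h, c, 100, 77)
    forged_ok = verify(h, c, 5, fake_blind)       # same c now "opens" to 5
    return honest_ok, forged_ok

if __name__ == "__main__":
    print(demo())
```

The verifier cannot tell the forged opening from the honest one, because both satisfy the same public equation; only deleting `tau` after the ceremony removes the ability to produce the second one.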