Polyhedra has been expanding its zero-knowledge proof work into emerging areas across the blockchain landscape. Until now we have focused on Ethereum, researching how zero-knowledge proofs can contribute to the Ethereum ecosystem, and we built zkBridge (https://zkbridge.com/), which produces zero-knowledge proofs to secure the LayerZero cross-chain messaging protocol.
Today we turn our attention to Bitcoin. In particular, we study how to verify ZK proofs on Bitcoin itself, on-chain. We are not the first to explore this problem, so we begin this article with a brief history of earlier attempts to bring zero-knowledge proofs to Bitcoin.
A brief history
The most ambitious attempt in recent years was the verification of a BLS12-381 proof on Bitcoin SV by the team at sCrypt. That approach does not carry over to Bitcoin: Bitcoin SV (BSV) is a hard fork descended from Bitcoin (by way of Bitcoin Cash) and is an entirely separate chain today, with many differences. In particular, BSV's script interpreter supports opcodes that Bitcoin's does not. Some of them, such as OP_CAT, were disabled in Bitcoin in 2010 and re-enabled on BSV; others, such as OP_SPLIT and OP_NUM2BIN, never existed in Bitcoin at all. BSV also has far higher script and transaction size limits. The transaction that sCrypt used to verify a BLS12-381 proof, which can be found here, relies heavily on these opcodes. It is also very large, about 26 MB. A transaction of that size cannot be mined on Bitcoin at all: a block is capped at 4 million weight units, which amounts to at most 4 MB of serialized data even in the best case (and closer to 1 to 2 MB for typical transactions), and with a block interval of about 10 minutes that space must be shared with everyone else's transactions.
Long before this attempt, Bitcoin developers were in fact among the first to look into zero-knowledge proofs, even before Ethereum existed. Back in 2011, Gregory Maxwell, a former Bitcoin Core developer and former CTO of Blockstream, proposed the Zero-Knowledge Contingent Payment (ZKCP). A few years later, once zero-knowledge proofs had become practical enough, a ZKCP was first carried out on the Bitcoin network (see this announcement). In a ZKCP, however, the Bitcoin network never verifies the ZK proof: the buyer verifies it off-chain, and the chain only enforces a hash lock that releases the payment once the seller reveals the decryption key. That is sufficient for the ZKCP application, but it does not help applications in which on-chain verification of the ZK proof is necessary.