What new possibilities will "ZKP+Bitcoin" bring?
Original Title: 《What Will "ZKP+Bitcoin" Bring?》
Author: Kyle Liu, Investment Manager at Bing Ventures
Key Points
- Zero-knowledge proofs can enhance the privacy of Bitcoin by hiding transaction details such as amounts, addresses, inputs, and outputs while preserving the validity and integrity of transactions, thus preventing third parties from tracking and analyzing user transaction activities.
- Zero-knowledge proofs can improve the scalability of Bitcoin by reducing the size of transaction data and verification time. For example, using ZK-STARKs or its improved versions can bundle multiple transactions together and use zero-knowledge proofs to verify them, saving space and time.
- Zero-knowledge proofs can enhance the innovation of Bitcoin by supporting more features and applications. For instance, using ZK-SNARKs can enable more logic and computation, allowing for the execution of more complex and flexible contracts without exposing information or increasing overhead.
- Ultimately, zero-knowledge proofs will make Bitcoin more trustless and decentralized, aligning with its core values. As technology continues to evolve and improve, the potential of Bitcoin and ZKP will also be continuously explored.
An increasing number of teams are adopting zero-knowledge proof technology in blockchain infrastructure and dApps. However, most projects are developed based on Ethereum. Nevertheless, Bitcoin has a natural affinity with zero-knowledge proofs, a field that currently lacks the attention it deserves. What empowerment might the combination of zero-knowledge proof technology and Bitcoin bring to the Bitcoin network? In this issue of Bing Ventures' research article, we will explore this topic from the perspectives of technical principles and application prospects.
Zero-knowledge proof (ZKP) is a cryptographic method that allows one party (the prover) to convince another party (the verifier) that a statement is true without revealing anything beyond the truth of that statement. This makes it highly effective for protecting privacy: the prover can convince the verifier without disclosing the secret data (the witness) behind the statement.
Bitcoin has a natural affinity for zero-knowledge proofs. Bitcoin is a decentralized virtual currency that uses blockchain to record transactions, and all transaction information is public. However, this also means that Bitcoin's transaction information can be viewed by anyone, leading to privacy risks. Zero-knowledge proofs can address this issue.
By using zero-knowledge proofs, Bitcoin users can encrypt transaction information and prove its validity without disclosing information, thus achieving a higher level of privacy protection. Zero-knowledge proofs can also enhance Bitcoin's scalability. Currently, Bitcoin's transaction speed is limited by blockchain size and network congestion, which restricts its use in large-scale commercial applications. However, by using zero-knowledge proofs, Bitcoin users can batch process large amounts of transaction information and compress the size of the proof to a minimal level, thereby improving Bitcoin's scalability and efficiency.
Background and Basic Principles
ZK-SNARKs and ZK-STARKs
ZK-SNARKs and ZK-STARKs are both variants of zero-knowledge proofs, sharing the common feature of proving the validity of certain data or operations without disclosing sensitive information. However, they differ in their implementation methods, performance, and application scope.
ZK-SNARKs (Zero-Knowledge Succinct Non-Interactive Argument of Knowledge) is a zero-knowledge proof technology based on elliptic curve cryptography. It can transform a complex computational problem into a simple proof, with a very small proof size and no need for interaction. This means that ZK-SNARKs can verify the correctness of computations without disclosing any computational information. The application areas of ZK-SNARKs mainly include cryptocurrencies and privacy protection.
ZK-STARKs (Zero-Knowledge Scalable Transparent Argument of Knowledge) are a newer zero-knowledge proof technology that is more flexible and secure than ZK-SNARKs. ZK-STARKs do not rely on elliptic curve cryptography but on hash functions and polynomial interpolation techniques. This makes ZK-STARKs more reliable, as they do not depend on the hardness of elliptic-curve mathematical problems but on the irreversibility of hash functions. The proof size of ZK-STARKs is larger than that of ZK-SNARKs, but their proofs are easier to verify, which opens them up to a wider range of fields, such as distributed computing and IoT security.
Challenges of Adopting Zero-Knowledge Proofs in Bitcoin
Taking Zcash as an example, Zcash employs ZK-SNARKs, a zero-knowledge proof technology that can hide transaction details, including transaction amounts and participant identities, to achieve better privacy protection. The technical principles of Zcash using ZK-SNARKs are roughly as follows:
- Zcash has two types of addresses: transparent addresses (t-address) and shielded addresses (z-address). Transparent addresses are similar to Bitcoin addresses, publicly displaying transaction amounts and participants on the blockchain. Shielded addresses use zero-knowledge proofs to protect the privacy of transaction amounts and participants.
- When a user sends funds from one shielded address to another, they need to generate a ZK-SNARKs proof to indicate that they have sufficient funds and have not spent any already spent funds. This process involves complex mathematical and cryptographic operations, such as generating public parameters, calculating hashes, and constructing arithmetic circuits.
- Generating a ZK-SNARKs proof requires significant computational resources and time, but verifying a ZK-SNARKs proof is very fast and simple. The verifier only needs to check whether the transaction complies with blockchain rules without needing to know any information about the transaction amount or participants.
- By using ZK-SNARKs, Zcash can achieve fully anonymous and verifiable transactions while maintaining blockchain security and decentralization, thereby enhancing user privacy and usability.
However, the zero-knowledge proof technology adopted by Zcash also has some limitations. First, Zcash is based on UTXO, which means that transaction information is not completely concealed but merely obscured. Therefore, attackers can infer useful information by analyzing patterns and flows of transaction information. This leads to the conclusion that Zcash's level of privacy protection is not entirely reliable.
Secondly, Zcash operates on an independent network based on Bitcoin, making it more challenging to integrate with other applications. This limits its potential for broader application and further hinders its development. Although Zcash has implemented privacy transactions, its actual usage rate is not high. One reason for this is that the cost of privacy transactions is significantly higher than that of public transactions, which restricts its application scope.
Technical Advantages of ZK-STARKs
While adopting ZK-SNARKs technology on Bitcoin can achieve transaction anonymity and privacy protection, this technology has some drawbacks, such as the need for a trusted setup, as well as substantial computational and storage resources. To address these issues, new zero-knowledge proof technologies, such as ZK-STARKs, have emerged.
In simple terms, the process of ZK-STARKs includes the following steps:
- The prover converts the computation they want to prove into a system of polynomial equations, using secret information as variables.
- The prover performs a series of transformations and simplifications on this system of equations to obtain a simpler system.
- The prover samples and encodes this simplified system to obtain a low-dimensional vector.
- The prover hashes and signs this vector to produce a short string as their proof.
- The verifier receives this string and can verify its correctness using some public parameters and algorithms without needing to know the secret information or the original computation.
Compared to ZK-SNARKs technology, ZK-STARKs technology has the following advantages:
- ZK-STARKs technology does not require a trusted setup, meaning there is no need to trust a specific generator, which enhances the security of the technology.
- ZK-STARKs technology requires less computational and storage resources, making it better suited for lightweight devices and a broader range of application scenarios. This is because its proof generation process is more efficient compared to the complex encryption and decryption operations required in ZK-SNARKs. Additionally, ZK-STARKs technology can better utilize parallel computing and distributed computing capabilities, allowing for more efficient handling of computational tasks in certain cases.
- ZK-STARKs technology can also support more algorithms and operations, such as hash functions and polynomial operations, providing more possibilities for the expansion and upgrading of the technology.
The Combination of Bitcoin and ZK-STARKs
EC-STARKs Technology
STARKs are a newer form of cryptographic proof that lets a party convince third parties that data or a computation is correct while keeping the underlying data private. Computation, and the storage of verification data, can be moved off-chain, thereby improving scalability. Compared to ZK-SNARKs technology, STARKs technology is more advanced and can resist attacks from quantum computers.
EC-STARKs technology is the next generation of STARKs technology, aimed at improving Bitcoin's scalability and security by replacing hash functions with elliptic curves. This technology can make existing scalability solutions on Ethereum compatible with Bitcoin. By using EC-STARKs technology, Bitcoin protocols can run off-chain, with the proofs kept in a STARK.
In short, Bitcoin's logic can be simulated inside a STARK, so highly complex protocols can be built on Bitcoin using the same elliptic curve keys. EC-STARKs run Bitcoin's off-chain protocols while keeping the proofs in the STARK. This method not only enhances Bitcoin's scalability but also allows highly complex protocols to be built on Bitcoin, resulting in greater privacy.
This technology elevates Bitcoin's scalability and privacy to a new level, making Bitcoin a better platform. Developers can create more complex applications on Bitcoin, solidifying its position in the cryptocurrency market.
Application Prospects of ZK-STARKs in Bitcoin
The application of ZK-STARKs also aligns with Bitcoin's conservative design philosophy: no trusted setup is required, and hash functions, Merkle trees, and polynomials are used to enhance Bitcoin's transparency and security. One advantage of EC-STARKs in Bitcoin is that they can improve Bitcoin's privacy, as transaction details need not be disclosed. Another advantage is that they can reduce Bitcoin's storage requirements by compressing large amounts of data into a small proof. A challenge for EC-STARKs in Bitcoin is that they require more computational resources, since complex mathematical operations are needed. Another challenge is that more coordination and standardization are required for compatibility with Bitcoin's existing protocols and infrastructure.
From a technical implementation perspective, the application of ZK-STARKs can be divided into aspects such as light nodes, full nodes, and verification methods. Light nodes can use STARK proofs of block header states for rapid synchronization. Full nodes can produce validity proofs over the UTXO state and use Utreexo to represent that state in a new, compact form, so a verifier no longer needs to hold the entire UTXO set. Regarding verification methods, given the Utreexo roots plus the final state, verification of incoming blocks can begin.
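To make the Utreexo idea above concrete, here is an added toy accumulator (written for this article, not Utreexo's or any project's own code, and with a constructed hash layout) that keeps the UTXO set as a forest of perfect Merkle trees: a bridge node stores the leaves and serves inclusion proofs, while a stateless verifier holds only the forest roots. Only additions and inclusion proofs are shown; deletion on spend is omitted.

```python
import hashlib
from typing import List, Tuple

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def parent(left: bytes, right: bytes) -> bytes:
    # Internal node hash (constructed toy layout, not Utreexo's exact format).
    return h(left + right)

def tree_root(leaves: List[bytes]) -> bytes:
    level = leaves
    while len(level) > 1:
        level = [parent(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]

class UtreexoForest:
    """Bridge-node side: keeps every leaf so it can serve inclusion proofs."""
    def __init__(self) -> None:
        self.trees: List[List[bytes]] = []  # perfect trees, sizes strictly descending

    def add(self, leaf: bytes) -> None:
        new = [leaf]
        # Like incrementing a binary counter: merge equal-sized trees until
        # all tree sizes are distinct powers of two.
        while self.trees and len(self.trees[-1]) == len(new):
            new = self.trees.pop() + new
        self.trees.append(new)

    def roots(self) -> List[bytes]:
        # This short list is all a stateless verifier needs to keep.
        return [tree_root(t) for t in self.trees]

    def prove(self, leaf: bytes) -> List[Tuple[bytes, bool]]:
        for level in self.trees:
            if leaf in level:
                idx, path = level.index(leaf), []
                while len(level) > 1:
                    path.append((level[idx ^ 1], idx % 2 == 1))  # (sibling, leaf_is_right)
                    level = [parent(level[i], level[i + 1]) for i in range(0, len(level), 2)]
                    idx //= 2
                return path
        raise KeyError("unknown UTXO")

def verify(leaf: bytes, path: List[Tuple[bytes, bool]], roots: List[bytes]) -> bool:
    """Stateless verifier: recompute the path to a root and check it is one of ours."""
    node = leaf
    for sibling, leaf_is_right in path:
        node = parent(sibling, node) if leaf_is_right else parent(node, sibling)
    return node in roots
```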
Moreover, there are many potential directions for the application of ZK-STARKs. For example, combining with the Taro protocol to transform Bitcoin into a more universal asset, further expanding Bitcoin's application scenarios. By integrating ZK-STARKs with Taro, the scalability of the Taro protocol can be enhanced, enabling it to handle more transactions and support larger-scale applications, opening the door for multi-chain deployment of the Taro protocol. Additionally, Bitcoin's privacy has always been a concern, and the application of ZK-STARKs technology can significantly enhance Bitcoin's privacy. By using ZK-STARKs technology, the entire transaction history can be compressed into a single transaction, effectively concealing users' transaction information.
Future Highlights
Furthermore, ZK-STARKs can be used for the verification of Bitcoin transactions, including serialization of Bitcoin transactions, double SHA-256 calculations, secp256k1 operations, and so on. These operations are the core of Bitcoin transaction verification, and using ZK-STARKs can ensure that the verification process is highly secure and reliable. ZK-STARKs can also verify Bitcoin operations through accelerated Cairo built-in functions. Cairo is an efficient zero-knowledge proof system, and combined with built-in functions that accelerate Bitcoin operations, it can achieve efficient Bitcoin transaction verification and security assurance.
ZK-STARKs can also be used to implement Taro primitives and asset TLV serialization, as well as MS-SMT implementation and verification. These operations can effectively protect the privacy and security of Bitcoin transactions, further enhancing the credibility and reliability of Bitcoin transactions. The Lightning Network, as a second-layer solution for Bitcoin transactions, can achieve more efficient and secure Bitcoin transactions by integrating ZK-STARKs technology. Utilizing ZK-STARKs technology allows for rapid verification of Bitcoin transactions on the Lightning Network without sacrificing transaction privacy.
We are seeing an increasing number of teams adopting zero-knowledge proof technology in blockchain infrastructure and dApps. Some of these new solutions may accelerate the application of zero-knowledge proofs in the blockchain space and better assist privacy and scalability. However, most projects are developed based on Ethereum, while Bitcoin lacks the attention it deserves in the field of zero-knowledge proofs. Worse still, engineering practices have, in some sense, not kept pace with academic achievements. We need to implement and explore more in this area while also providing more attention and support for the field.