bitcoin-dev

OP_ZKP updates

OP_ZKP updates

Original Postby Weiji Guo

Posted on: July 22, 2024 14:05 UTC

The OP_ZKP proposal, initiated last year, aims to integrate Zero-Knowledge Proofs (ZKPs) within Bitcoin transactions, focusing on selecting an appropriate ZKP scheme for its proving system.

The initial exploration into existing ZKP schemes was necessary to understand their application within OP_ZKP, leading to the development of potential applications. This exploration highlighted the need for a ZKP scheme that meets several high-level requirements such as minimal security assumptions, specifically the Elliptic Curve Discrete Logarithm Problem (ECDLP) for Inner Product Argument (IPA) over secp256k1, small block size consumption, and the capability for batched verification and aggregated proving without necessitating a trusted setup.

Security and efficiency are paramount, with the chosen scheme needing to provide proofs that are both succinct and small enough to be posted on-chain individually without incurring excessive costs. Batched verification is considered essential due to block size limitations, allowing thousands of transactions to be verified together, thereby saving block space and reducing transaction costs. Additionally, the scheme should support small verification keys to facilitate deployment and optional aggregated proving to further reduce proof size and verification time for certain schemes.

The Inner Product Argument (IPA) is identified as a potential solution meeting these requirements due to its transparent setup, reliance on the ECDLP assumption, compatibility with the secp256k1 curve, and its relatively small proof size. However, issues such as linear verification time and the scalability of verification keys pose challenges. Aggregated proving techniques are suggested as a means to address these issues by combining multiple sub-circuits into a single argument, thereby reducing the complexity and verification time.

An ongoing challenge is the deployment of large verification keys required for circuits, which could hinder the practical implementation of this approach on-chain. A proposed solution involves committing to circuit constants to minimize the verification key's size, although this raises concerns about the sparsity of aggregated constants and the overall complexity of the system.

Considerations for future adoption include the performance impact on lower-powered devices like the Raspberry Pi 4, with benchmarks suggesting acceptable verification times for block and transaction verification. Should the open issues with IPA not be resolved, alternative schemes such as Dory, which offers logarithmic proof size and verification time along with batched verification capabilities, may need to be considered despite requiring additional security assumptions.

For further reading and insights into misconceptions about SNARKs, interested readers can explore detailed articles provided by a16zcrypto. Additionally, discussions on Torus-based optimization and its potential to enhance proof size and efficiency are available through provided links (Video and Paper).