Proof Systems
Introducing a game-changing compression technique.
Succinct zero-knowledge proofs (ZKP) promise a paradigm shift in blockchain scalability and privacy. While considerable engineering effort is underway in the Ethereum community to apply this technology, no similar investment has yet been made for the Bitcoin network. Therefore, ZeroSync was created to bring these proof systems to Bitcoin for the first time.
Proving hundreds of gigabytes of blockchain history is computationally expensive, but this compression results in a very compact proof. Once a proof is generated, an arbitrary number of nodes in the network can use it to sync with the network instantly. Proofs are succinct, regardless of the growing size of the chain. When the next block is mined, any prover can incrementally extend the previous state proof.
Proof systems play together well with Bitcoin's immutability. They allow to compress the chain and augment it with additional data structures, such as a UTXO set commitment, without requiring any consensus changes. Users can decide individually if they use a proof or conventional bootstrapping. ZKP systems offer great flexibility on top of Bitcoin's rigid base layer and introduce a range of novel applications for exploration.
ZeroSync's Mission
Pioneering the Adoption of Proof Systems in the Bitcoin Ecosystem.
At ZeroSync, our mission is to catalyze the use of proof systems in the Bitcoin ecosystem to improve scalability, accessibility, and privacy. Our main activities are:
- Creating a proof system to sync Bitcoin's chain state instantly. Additionally, a toolkit for developers to enhance existing protocols, applications, and services with ZKPs.
- Building a community around Bitcoin proofs by presenting the tech at conferences, by providing resources to get people engaged, and by collaborating with other projects in the space.
- Working towards the eventual integration of a ZKP verifier into the main layer of Bitcoin.
State Proofs
Sync a node instantly, without having to download hundreds of gigabytes of blockchain data.
Implementing a chain state proof is highly complex, so we are rolling it out in three consecutive stages. As of today, we have completed prototypes for the first two of them.
1. The Header Chain Proof
Similar to an SPV light client, the headers state proof verifies only the block headers, the proof of work, and the difficulty adjustments. Additionally, it augments the header chain with a Merkle tree over all block headers, which enables succinct proofs of inclusion for all blocks and transactions. This state proof is relatively simple, lightweight, and cheap to compute. It will be the first of our proofs to become production-ready.
2. The Assumevalid
State Proof
Mimics the assumevalid
option of Bitcoin Core. It verifies all Bitcoin consensus rules except for the transaction signatures. More precisely: All witness data is assumed to be valid. Additionally, this proof uses Utreexo to augment the chain with a UTXO set commitment. The team completed an initial prototype of this state proof in February 2023.
3. The Full State Proof
Verifies all Bitcoin consensus rules, including all witness data. Based on the assumevalid state proof, it also verifies all witness data. This is the most costly proof in terms of computation and it requires significant optimizations of the prover to become feasible. It will be the last to become production-ready.
Our first major application will be to broadcast state proofs from space via the Blockstream Satellite, for everyone to instantly sync the Bitcoin blockchain almost anywhere on earth.
Developer Toolkit
Enabling a next-generation ecosystem with powerful tools for Bitcoin developers to apply zero-knowledge proofs to their own products and services.
The ZeroSync Developer Toolkit (ZDK) allows developers with minimal domain expertise to integrate proof systems into the existing Bitcoin ecosystem. This enables a zk layer
on top of Bitcoin. The following examples give an idea of the novel design space.
- Light clients: Currently, many Bitcoin apps are based on servers providing the chain data to clients in a trusted fashion. Bitcoin proofs enable client-server models that require no trust, while adding only minimal overhead on the client-side, which is ideal for mobile devices and web applications.
- Flexible database: Proofs can transform or filter the blockchain data, and create indexes to query it efficiently. For example, they can augment the chain with Compact Block Filters, which increases the privacy of light clients. Another idea is to filter for unilateral payment channel closes, such that Lightning nodes can skip most of the chain.
- Attestations: ZKPs allow arbitrarily complex statements to be made over UTXO state and history, including the selective hiding of information. For example, a Bitcoin exchange can prove its solvency to all its customers without ever revealing any balances or transaction history.
-
Proofs are composable: For example,
the full state proof
is the same for everyone, but it can be easily extended, which makes custom state proofs cheap. For example, a custom proof could additionally provide the average transaction fee of the latest blocks. - Lightning privacy: ZKPs can probably help enhance the privacy of payment routing in the Lightning Network. Currently, the gossip network requires channels to be public, but ZKPs could enable private routing channels.
- Layer-2: Transaction history compression for client-side validation protocols such as Taro and RGB, as well as for embedded consensus protocols such as Omni Layer or Counterparty, or Ordinals. Furthermore, ZKPs can add best-in-class privacy by obfuscating both the transaction values and the graphs.
- Interoperability: Trust-reduced cross-chain bridges from BTC to foreign chains. Also trustless pegs for assets from foreign chains to assets on Bitcoin.
- Domain name system: Proofs enable an efficient decentralized domain name system, which solves many flaws of previous designs.
- Sell data: Proofs can be sold using Zero-Knowledge Contingent Payments. This also works well on the Lightning Network. It might be possible to further develop it into a data layer protocol which offers an incentive for servers to provide light clients with chain data and proofs.
More generally, this toolkit can be used to develop more sophisticated off-chain applications, with improved scalability, usability, and privacy.
pip install zerosync
The toolkit is still early-stage and experimental, but you can already integrate our Bitcoin Cairo library into your own project using the Python package manager.
Long-term Vision
ZeroSync catalyses the process of adding ZKP systems to Bitcoin's main layer. A proof verifier on Bitcoin enables a variety of powerful new features such as validity rollups, trustless two-way pegs, or perfect transaction privacy. Our works on off-state proofs aim to explore this design space and help develop tools and best practices for future on-chain proofs.
A good candidate could be a STARK verifier written in Simplicity, if/when it is activated on Bitcoin. Experimenting with STARKs in Simplicity might be possible on the Liquid sidechain soon.
Tech Stack
ZeroSync is based entirely on free and open-source software.
STARKs and the Cairo Language
ZeroSync is based on STARK proofs, which are are relatively simple in comparison to other proof systems. STARKs rely only on hash functions and polynomials. No novel cryptographic assumptions are required. And most importantly, there is no trusted setup.
To implement Bitcoin proofs we are using the Cairo language created by StarkWare. We are working closely together with the developers of all STARK tools underlying ZeroSync. read more
- We are using Giza, a free and open source STARK prover and verifier, based on Winterfell
- To generate proofs on consumer devices we're using MiniSTARK, a GPU-accelerated prover
- In the long-term, we might switch to StarkWare's open source StarkNet prover when it is published
ZeroSync Cairo Codebase
Our Cairo code base is available on GitHub, and offers various modules such as
- a Bitcoin library implementing the consensus rules
- an Utreexo implementation for UTXO set commitments
- a recursive STARK verifier for incrementally verifiable computation
About
We are a Swiss nonprofit organization developing public goods.
Board
The ZeroSync Association, based in the Swiss canton of Zug, is governed by a board represented as a multi-signature wallet with key holders who have earned a strong reputation in the field of Bitcoin or ZKP systems. The key holders' names are not public as a security measure and to preserve their privacy. If you consider sponsoring ZeroSync, they can contact you to reveal their identities.
Core Contributors
Robin Linus, Lukas George, Tino Steffens, Max Gillett, Andrew Milson
Sponsors
ZeroSync development is sponsored by research grants from
Partners
ZeroSync collaborates in projects with various industry partners
Media
Learn more about STARKs on Bitcoin
Publications and Articles
A selection of publications and articles about the technology and the project.
-
Research paper
ZeroSync: Introducing Validity Proofs to Bitcoin
-
Geometry Notebook:
Introduction to ZeroSync
-
ZeroSync and Blockstream to Broadcast Bitcoin Zero-Knowledge Proofs From Space
- CoinDesk -
Zero-knowledge proofs coming to Bitcoin, overhauling network state validation
- CoinTelegraph -
Tested on Ethereum, StarkWare’s Zero-Knowledge Proofs Are Now Live on Bitcoin
- Decrypt -
Bitcoin Nodes Now One Step Closer To Instant Sync
- Bitcoin Magazine -
Bitcoin’s first zero-knowledge light client seeks to drive innovation
- Blockworks -
ZeroSync implements first Stark-based ZK client for Bitcoin
- The Block
Presentations and Podcasts
-
Newly Formed ZeroSync Association Brings Zero-Knowledge Proofs to Bitcoin
- Interview with CoinDesk -
Andrew Milson’s talk on
Provers for Consumers
at StarkWare Sessions 2023, Tel Aviv -
Olaoluwa Osuntokun's talk on
STARKs on Bitcoin: From Outside In
at StarkWare Sessions 2023, Tel Aviv -
Lukas George and Robin Linus on Blockstream Talk
ZeroSync & Blockstream Satellite
-
Presentation
Zero-Knowledge Proofs for Bitcoin
at MIT Bitcoin Expo 2023, Cambridge MA -
Presentation
Building a Zero Knowledge Proof System for Bitcoin
s at Bitcoin Builders 2023, Miami -
Robin Linus' presentation
Introducing Validity Proofs to Bitcoin
at Bitcoin 2023, Miami - Lukas George and Robin Linus on the Bitcoin Optech Recap about our research paper
-
Stephan Livera Podcast
ZeroSync: Speeding up Bitcoin IBD
-
Robin Linus on the Bitcoin Optech Recap about the
Some Day Peg
-
Presentation
Bitcoin STARKs
at StarknetCC 2023, Paris -
Online presentation
zkCoins: A novel token protocol with strong privacy and scalability
at BTC Startup Lab -
Can the Bitcoin Blockchain be compressed from 600GB down to a few MBs?
Interview with Bitcoin News
Roadmap
Heading to production-grade Bitcoin proofs.
Our prototype is a strong indicator of the technical feasibility of a Bitcoin proof system. Now we want to bring this technology into the real world.
Improve Prover Performance
The fundamental bottleneck is the prover performance. Significant optimizations are required. read more
- Switch to the cairo-rs runner, which is much faster because it is written in Rust, in comparison to the runner we're currently using, which is written in Python.
- Use a STARK-friendly hash function for the recursive verifier
- Implement Cairo builtins for sha256 and secp256k1. Also implement remaining builtins for bitwise, pedersen, ecdsa, ec_op
- Use the Goldilocks Field to save memory and improve performance
Complete Bitcoin Consensus
We still have to implement some remaining Bitcoin consensus rules. read more
- The sighashes (ALL, NONE, SINGLE, ANYONECANPAY, ... )
- A script interpreter (implement all opcodes)
- All payment types, Legacy: p2pk, p2pkh, p2sh, SegWit: p2wpkh, p2wsh, Taproot: p2tr; key path & script path spend
- Schnorr signature verification
Security Hardening
Applying best practices to ensure the security of the proof system. read more
- Do plenty of automated testing. E.g., use all static test vectors from Bitcoin Core. Also add fuzzing
- Hire externals to perform code reviews and security audits
- Run a public bug bounty program
Integration into the Ecosystem
Gradually rolling out the proof system for real-world use cases. read more
- Integrate the header chain into a light client like Neutrino.
- Integrate a full state proof into btcd or Electrum
- Build a tool to sync a Bitcoin Core full node. Running a zerosync'd full node requires no modification of the code of Bitcoin Core. We just copy the UTXO set into Core's chainstate directory after verifying it. Ideally, this is combined with the new AssumeUTXO mode to sync instantly, while still having a backup check for the state proof.
- Define a set of new network messages for Bitcoin's peer-to-peer network to share state proofs among nodes.
History
Growing from an idea into reality.
- In February 2022, Lukas George started STARK relay, his bachelor's thesis at Technical University of Berlin, in which he implemented and benchmarked a first basic proof of Bitcoin's header chain.
- Geometry offered a research grant to fund the initial development.
- In July 2022, Robin Linus joined as project lead and together they founded ZeroSync to implement a full state proof.
- Ruben Somsen gave the project its name ZeroSync.
- In September 2022, Max Gillett, who developed the Giza prover, joined the team to help implement a STARK verifier in Cairo for proof recursion.
- In February 2023, they completed their first major milestone, a basic prototype of a recursive state proof that verifies all Bitcoin consensus rules except for the witness data.
- In March 2023, Giacomo Zucco, who co-authored the RGB protocol with Peter Todd, helped them found the ZeroSync Association in Switzerland to grow now into a long-term project.
- StarkWare's open-source initiative, OnlyDust, also offered a research grant to sponsor the development.
- In June 2023, Andrew Milson, who developed the miniSTARK prover, joined the team to help optimize the prover performance and complete a production-ready chain proof.
- In July 2023, ZeroSync received a research grant from OpenSats.
- In September 2023, the team completed a header chain proof, enabling Bitcoin's first zk-client.