In case you missed it, Starkware, a company historically active in the Ethereum ecosystem, yesterday announced plans to commit significant resources to new Bitcoin scaling capabilities that have emerged in recent months.
A pioneer in zero-knowledge systems, the group has unveiled plans to use OP_CAT to bring their STARK technology to Bitcoin. The soft fork proposal could allow zero-knowledge proofs to be verified natively, opening up an entirely new design space for developers.
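The reason OP_CAT matters for this plan is mechanical: a STARK verifier is built from hashes and Merkle inclusion checks, and Bitcoin Script today has no way to join two stack items, so it cannot hash two sibling nodes together to recompute a Merkle root. The script below is an added example, not code from the article, from Starkware or from any OP_CAT proposal; the interpreter (`run_script`), the Merkle helpers and the `tx0..tx4` leaves are constructed for illustration. It shows the one primitive the soft fork adds (concatenation of two stack elements, failing if the result exceeds the existing 520-byte element limit) and uses it to verify a Merkle inclusion proof entirely in Script, which is the building block a native proof verifier would be assembled from.

```python
import hashlib

MAX_ELEMENT_SIZE = 520  # Bitcoin's per-stack-element size limit; OP_CAT must respect it


class ScriptError(Exception):
    """Raised when script execution fails (underflow, disabled opcode, oversize element)."""


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def run_script(witness: list[bytes], script: list, cat_enabled: bool = True) -> bool:
    """Toy interpreter for the few opcodes this example needs (constructed, not Bitcoin Core).

    `script` is a list of byte pushes and opcode names. Execution succeeds when it
    ends with exactly one truthy element on the stack.
    """
    stack: list[bytes] = list(witness)

    def pop() -> bytes:
        if not stack:
            raise ScriptError("stack underflow")
        return stack.pop()

    for item in script:
        if isinstance(item, bytes):
            stack.append(item)
        elif item == "OP_SHA256":
            stack.append(sha256(pop()))
        elif item == "OP_SWAP":
            top, below = pop(), pop()
            stack += [top, below]
        elif item == "OP_EQUAL":
            stack.append(b"\x01" if pop() == pop() else b"")
        elif item == "OP_CAT":
            if not cat_enabled:
                raise ScriptError("OP_CAT is not available under current consensus rules")
            right, left = pop(), pop()
            joined = left + right
            if len(joined) > MAX_ELEMENT_SIZE:
                raise ScriptError("OP_CAT result exceeds the 520-byte element limit")
            stack.append(joined)
        else:
            raise ScriptError(f"unknown opcode {item}")
    return len(stack) == 1 and stack[0] != b""


def _next_level(level: list[bytes]) -> list[bytes]:
    # Pair up nodes left-to-right, duplicating the last one when the count is odd.
    if len(level) % 2:
        level = level + [level[-1]]
    return [sha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]


def merkle_root(leaves: list[bytes]) -> bytes:
    level = [sha256(leaf) for leaf in leaves]
    while len(level) > 1:
        level = _next_level(level)
    return level[0]


def merkle_proof(leaves: list[bytes], index: int) -> list[tuple[bytes, bool]]:
    """Return [(sibling_hash, sibling_is_left), ...] from the leaf up to the root."""
    level = [sha256(leaf) for leaf in leaves]
    proof = []
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]
        sibling = index ^ 1
        proof.append((level[sibling], sibling < index))
        level = _next_level(level)
        index //= 2
    return proof


def inclusion_script(proof: list[tuple[bytes, bool]], root: bytes) -> list:
    """Compile a proof into a script that recomputes the root from a witness leaf."""
    script: list = ["OP_SHA256"]  # hash the raw leaf supplied in the witness
    for sibling, sibling_is_left in proof:
        script.append(sibling)
        if sibling_is_left:
            script.append("OP_SWAP")  # so OP_CAT yields sibling || current
        script += ["OP_CAT", "OP_SHA256"]  # parent = sha256(left || right)
    script += [root, "OP_EQUAL"]
    return script


def script_fails(witness: list[bytes], script: list, cat_enabled: bool = True) -> bool:
    """True if execution aborts with a ScriptError (as opposed to finishing false)."""
    try:
        run_script(witness, script, cat_enabled)
        return False
    except ScriptError:
        return True


if __name__ == "__main__":
    leaves = [b"tx0", b"tx1", b"tx2", b"tx3", b"tx4"]  # constructed sample leaves
    script = inclusion_script(merkle_proof(leaves, 3), merkle_root(leaves))
    print("tx3 included:", run_script([b"tx3"], script))        # True
    print("tx2 with tx3's proof:", run_script([b"tx2"], script))  # False
    print("needs OP_CAT:", script_fails([b"tx3"], script, cat_enabled=False))  # True
```

The same shape generalises: a STARK verifier checks many such Merkle paths against commitments the prover published, plus some field arithmetic, so each level costing one push, one `OP_CAT` and one hash is what makes the script size tractable. Without concatenation the only alternative is to emulate the hashing with large gadgets, which is the route the BitVM-style projects mentioned later in the article take.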
The announcement is seen by many as a major technical milestone for the Bitcoin protocol. Here are my unsolicited 2 cents on this.
It takes a long time
As Eli Ben-Sasson, CEO of Starkware, notes in his announcement post, the idea of using zero knowledge to improve Bitcoin is nothing new. Developers have been discussing applications of the technology for more than a decade. Ben-Sasson himself presented very early drafts of the idea at a 2013 Bitcoin conference in San Jose. In 2017, Blockstream developers Gregory Maxwell, Pieter Wuille, and Andrew Poelstra jointly published a research paper on Bulletproofs, a zero-knowledge protocol for supporting confidential transactions on Bitcoin.
In more recent years, Robin Linus, the creator of BitVM, initiated work on ZeroSync, a compression technique that produces zero-knowledge proofs of Bitcoin’s blockchain. Once fully implemented, it would significantly reduce the resource requirements involved in running a Bitcoin node. In 2022, the Human Rights Foundation commissioned current Alpen Labs researcher John Light to produce a full report on the potential of validity rollups for Bitcoin, built on zero-knowledge proofs.
Zero-knowledge proofs have a wide range of applications and we will be hearing about them for a long time to come. Many expect the technology to define this next era of computing, and I would be hard-pressed to bet against them. It is almost guaranteed that higher-level Bitcoin applications will start using it soon, and we can only expect this trend to continue to grow from here.
It’s still early
Most technological advances in zero-knowledge cryptography have been made in the past decade. The field is rapidly evolving as more cryptographers become interested in applications of the technology. Researchers have been in something of an arms race to cut the time and resources needed to produce and verify these proofs. To date, most proof systems remain computationally expensive. Different protocols make different tradeoffs, but the improvements focus on verification, so that the average user can quickly and efficiently verify proofs. While the pace of innovation has been relentless, generating these proofs at scale will likely require specialized hardware and large-scale operations.
Despite huge unlocks and significant achievements in this area, it’s worth noting that a decade isn’t an exceptionally long time in cryptographic circles. Many of the latest proposals use techniques that are considered technically sound, but are not as hardened and tested as those of Bitcoin. In 2018, a hidden inflation bug was discovered in Zcash’s ZK-SNARK implementation, allowing an attacker to counterfeit the currency. To be fair, Starkware’s proposed STARK construction is considered significantly more secure because it is transparent, meaning it needs no trusted setup.
It’s hard to get excited about rollups
One of the motivations for this project is to enable ZK rollups on Bitcoin. For those unfamiliar, rollups are critically acclaimed products that use off-chain sequencing to scale applications and throughput. ZK rollups, or validity rollups, propose to create proofs of the system’s transaction record, which can then be independently verified by users, allowing for off-chain systems that do not require additional trust assumptions.
Today, none of the major rollup implementations on Ethereum have fully implemented this system. They all rely on a central operator responsible for both proving and ordering transactions. In the rare cases where proofs are actually generated, only authorized actors can submit them, to prevent fraud. Starkware’s Starknet currently does not provide a mechanism for users to force their transactions out of the system if the operator stops cooperating or if its infrastructure goes down.
Virtually every project has billions of dollars on deposit, effectively secured by a series of multi-signature keys. The same group of people responsible for handling these keys can also upgrade the rollup contract and manage the associated funds. Just a few days ago, the sixth largest rollup on Ethereum, Linea, was unilaterally stopped by the operator and all user funds were frozen after a hack.
There is an alternative, more optimistic case here that I probably can’t write as well, but a lot of work and resources are being put into solving the problems outlined above. A significant amount of research will be required before the full, trustless vision can manifest.
It’s also possible that rollups will evolve, as Ethereum has, into curious beasts of complexity that only a handful of people can tame.
The BitVM sidequest
The introduction of BitVM by Robin Linus last year really kicked the zero-knowledge race on Bitcoin into high gear. Starkware is making headlines for its track record, but several teams like Alpen Labs, Citrea, and Bitlayer are actively exploring how to optimize zero-knowledge proofs for their implementations.
It will be interesting to see what choices they make in the future and whether or not they stick to their guns. A strong case can be made that OP_CAT introduces many efficiency improvements, but it is not yet clear exactly what the trade-offs are. I expect many companies will continue to explore the BitVM path and simply emulate zero-knowledge computation. It is important to point out that in both cases, bridging funds from the Bitcoin chain to another system relies on light-client security, which is susceptible to reorganization attacks.
A lot of attention has been paid to liquidity problems surrounding BitVM in the past month. Looking at the current user profile for this type of solution, I find the idea that this will deter anyone from participating a bit questionable. It may not be practical or sustainable, but I’m honestly not sure any market for this exists yet. Again, users are currently pouring billions of dollars into multi-sigs, so almost anything else will seem reliable in comparison.
More funding for developers
A million dollars allocated to research funding is a net positive for the ecosystem. This is an encouraging development for the growing mindshare around OP_CAT. It’s unlikely a bug bounty will go anywhere, but I’m curious to see what comes from more focused work on proof-of-concepts and applications. It’s easy to frown at the source of those funds, but ultimately the outcome of those efforts will be judged on their technical merits. Bitcoin’s development process is not as easy to influence as some talking heads would have you believe.
It’s also important to remember that OP_CAT is just one piece of the scripting puzzle. Breakthroughs in specific use cases are exciting, but rarely enough to justify losing sight of the big picture. None of these technologies are mature enough to pay significant dividends in the near term. It seems a bit hasty to upgrade today when it would take years to reliably implement these systems. If people want centralized virtual machines, there are plenty of sidechains to choose from.
We are currently breaking new ground every day and it is difficult to even predict where we will be in a month’s time. I’m cautiously optimistic about the progress being made in Bitcoin script improvements, but it doesn’t feel justified to hold on to anything at this point. We need to let the dust settle for a while.