
SNARK Verification on a Bitcoin Mainnet


Wei Zhang


17 September 2024


On 19 July 2024, a transaction output was spent on the Bitcoin SV mainnet using a zero-knowledge proof. More precisely, the Bitcoin SV nodes verified a Groth16 proof as part of validating the spending transaction. This is the first time that this has been achieved on Bitcoin or any of its variants.

It is a significant milestone for Bitcoin because it paves the way for smart contracts on-chain. Bitcoin, often perceived as lacking computation capability, can now verify a succinct proof that an arbitrary off-chain computation was carried out correctly, rather than re-executing that computation itself. That is what makes the approach scale: the on-chain verification cost depends on the proof system, not on the size of the computation being proved. It also addresses privacy concerns on a public blockchain, since a zero-knowledge proof reveals nothing about the prover's private inputs beyond the fact that the statement holds.

Recently, BitVM and StarkWare have made similarly impressive announcements. StarkWare published a series of transactions that verify a STARK proof, and BitVM verified a SNARK proof. The big difference is that both were published on the BTC test network Signet rather than on mainnet, and they can be moved to mainnet only if the network enables OP_CAT, an opcode that concatenates the top two stack items. sCrypt were the first to implement Groth16 verification on the Bitcoin SV testnet; their 5MB verification script was later improved by a hackathon entry, ZkBaguette, which reduced it to 1.2MB. While all of these groups, ourselves included, use different techniques and target different versions of Bitcoin, we have all tackled the same underlying challenge: expressing something very complex in the very primitive opcodes of Bitcoin Script.

We chose to implement Groth16 because its characteristics are well suited to minimising transaction size, and therefore transaction fees. Among SNARKs, Groth16 has the smallest proof size (two G1 elements and one G2 element) together with a very efficient verification algorithm, whose cost is a fixed number of pairings plus a multi-scalar multiplication over the public inputs. Our smallest implementation to date is Groth16 over the curve BLS12-381, which achieves a locking script of 480KB and an unlocking script of 40KB. We chose to implement it on Bitcoin SV because its script supports large-number arithmetic and its mainnet nodes accept scripts of up to 500KB under the default policy. Moreover, taking advantage of the low transaction fee rate on Bitcoin SV, we paid only roughly USD 0.015 in total to create and spend the transaction.
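For readers who have not seen it written out, the check that the locking script has to carry out is the standard Groth16 verification equation. This is an added illustration in the usual notation of the Groth16 paper; it is not taken from the post or from the nChain code, and the name $L_i$ for the public-input elements of the verification key is our labelling. A proof is three group elements $\pi = (A, B, C)$ with $A, C \in \mathbb{G}_1$ and $B \in \mathbb{G}_2$. A verifier holding the verification key $(\alpha, \beta, \gamma, \delta, L_0, \dots, L_\ell)$ and the public inputs $a_1, \dots, a_\ell$ (with $a_0 = 1$) accepts if and only if

$$
e(A, B) \;=\; e(\alpha, \beta)\cdot e\Big(\sum_{i=0}^{\ell} a_i L_i,\; \gamma\Big)\cdot e(C, \delta),
$$

where $e : \mathbb{G}_1 \times \mathbb{G}_2 \to \mathbb{G}_T$ is the bilinear pairing. Because $e(\alpha, \beta)$ depends only on the verification key, it can be precomputed, so the on-chain work is one multi-scalar multiplication in $\mathbb{G}_1$ over the public inputs plus three pairings (in practice, one product of three Miller loops followed by a single final exponentiation). The proof the unlocking script must carry is only $2\,|\mathbb{G}_1| + |\mathbb{G}_2|$ bytes, which on BLS12-381 is $2 \cdot 48 + 96 = 192$ bytes in compressed form. The proof itself is therefore a negligible fraction of the 40KB unlocking script, and almost all of the size lies in the field and pairing arithmetic that the 480KB locking script has to spell out in Bitcoin opcodes.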

We are now refining and improving our implementation in order to deploy recursive Groth16 verification on-chain. This will be a critical building block for many applications. You can follow our progress on GitHub, and you can also download the repository and test it out yourself. Any feedback is welcome!

We have written up our work in an academic paper, which will be published soon. It is the culmination of a great team effort involving the nChain Cryptography team (Enrique, Paul and Wei) and our senior researcher Federico, who spent months understanding the literature behind bilinear pairings and optimising the computation with respect to transaction size. Federico then turned our ideas on paper into transactions on Bitcoin, with further optimisations to reduce the transaction size. Well done to everyone involved! We would also like to congratulate BitVM, StarkWare and sCrypt on their achievements. We know very well how challenging it is!