How We Did It: The First ZK Proof on Bitcoin - Edan Yago & Gadi Guy at Bitcoin Nashville #Bitcoin

00:00

hello

00:02

Nashville Sounds like the mic's working

00:05

there are a lot of people here standing

00:08

in line because this conference has

00:10

become the place that major milestones

00:12

in Bitcoin are announced and everyone is

00:15

standing in line for Trump and maybe uh

00:18

Elon Musk to make an announcement which

00:21

is going to be yet another milestone in

00:24

Bitcoin but that isn't the only

00:27

significant Milestone that has been at

00:29

this particular particular Bitcoin

00:31

conference just a few days ago Bitcoin

00:34

OS announced something that on a

00:36

technological level is certainly no less

00:40

profound for the first time ever zero

00:43

knowledge proofs were introduced as

00:47

transactions to bitcoin mayet no

00:50

softwalk no changes we actually have

00:54

lift off for the first time ever we have

00:56

ZK proofs on bitcoin and what does this

00:58

mean it's means that Bitcoin is now able

01:02

even without lightning Network to scale

01:05

to thousands of transactions per second

01:09

it means that Bitcoin can now have

01:10

native private transactions and it means

01:14

that you can now for the first time

01:16

introduce sophisticated smart contracts

01:18

into Bitcoin but perhaps the most

01:22

phenomenal thing that this does is it

01:24

allows Bitcoin to have truly trustless

01:27

layer toos rollups where any type of

01:30

functionality can occur it used to be

01:33

the case that people said they needed to

01:35

create new chains because Bitcoin was

01:37

old boober coin and you couldn't do

01:40

enough things on it but with zero

01:43

knowledge proofs Bitcoin now has the

01:45

power to do anything that

01:47

ethereum that Solana or any other piece

01:50

of software in the blockchain space can

01:52

do so a lot of people have been asking

01:55

questions how was this accomplished how

01:58

did people manage how did Bitcoin OS

02:01

manage to do what people had said was

02:03

impossible to introduce zero knowledge

02:05

proofs without a soft Fork without a new

02:08

bip without any new up codes and here

02:11

from Bitcoin OS for the first time on

02:14

stage is gy Guy the CTO of Bitcoin OS

02:18

who's going to explain how his team

02:20

managed to pull off the impossible gy hi

02:23

guys so I'm GDI um I want to tell you

02:27

today about something that I personally

02:29

find very very exciting which is that we

02:32

have successfully verified the ZK proof

02:34

on top of

02:36

Bitcoin um keeping the existing um

02:39

consensus rules and I want to tell you a

02:41

little bit about how we did it and about

02:44

the opportunities that that opens up for

02:47

the Bitcoin

02:50

ecosystem okay so um as you might have

02:54

heard on July 23rd we have um done

02:58

something for the first time we we have

03:00

verified the ZK proof on top of Bitcoin

03:02

and I want to tell you about how I want

03:04

to tell you how we did it so a ZK proof

03:07

verification is essentially a program

03:09

that's very very large and it's not

03:12

really practical to run that on top of

03:14

Bitcoin because Bitcoin script is

03:17

extremely limited and doesn't have the

03:19

ability to do any kind of advanced

03:23

math and uh so u a SN verification

03:26

program if you did write that in Bitcoin

03:29

script would probably be about um at

03:32

least a terabyte in size which is

03:36

completely science fiction there's no

03:37

way to run that on bitcoin and so what

03:40

we did was we turned that into an

03:42

interactive protocol that allows two or

03:45

more parties to narrow down the program

03:48

and

03:49

negotiate um the smallest possible chunk

03:52

of that program that we can actually

03:55

turn into a Bitcoin script code and um

03:59

we build built a very very large Tapo

04:02

tree that includes all of these little

04:05

chunks and so after the protocol after

04:08

these two parties narrow down the

04:11

program to the bit where they disagree

04:14

on only that bit can be run as a tap rot

04:17

leaf and in the end you get a proof that

04:20

runs on top of Bitcoin and um either

04:23

succeeds if the SN verification succeeds

04:25

or fails if the SN verification fails um

04:28

so to do that with we've built a very

04:30

very large Depo

04:32

tree um and um we we invented a new kind

04:36

of virtual machine for this purpose that

04:38

is specifically optimized for the kind

04:41

of math that elliptic curve cryptography

04:44

requires and uh we used that we we

04:47

ported the snot verification code to

04:50

that virtual machine and that allows

04:53

allowed us to optimize the out of

04:55

it and we uh we also thought about doing

04:59

um representing the Merkel proofs

05:03

representing the the state commitment as

05:04

Merkel proofs in order to keep each

05:07

transaction down to at most

05:12

100K so here you can see what a

05:15

verification actually looks like this is

05:17

this is a real thing for mayet um so you

05:20

have a prover and the verifier that the

05:24

the prover initially posts the proof to

05:27

bitcoin and then the verifier can see

05:30

this check the proof and decide if the

05:33

proof is correct or incorrect if the

05:35

proof is incorrect the verifier has to

05:37

stake some funds in order to challenge

05:41

the the challenge the proof and then

05:43

they uh begin the interactive protocol

05:46

that you see um the Prov part that we

05:50

call we call Patrick is um colorcoded

05:53

blue and the verifier part that we call

05:56

um Victor is color colorcoded orange

06:01

um this this this case of the protocol

06:04

took about 25

06:06

steps um which was which we managed to

06:09

get into as few as six blocks okay and

06:13

the initial the the final step of the

06:15

protocol that you can see here labeled

06:18

step 26 is performed by the by the

06:20

prover and in this case since the proof

06:23

is correct the final transaction is

06:27

successful the the idea behind this this

06:30

is that since this can be quite costly

06:32

to do um if if the prover is is correct

06:37

and the proof is right then the Prov get

06:40

takes the stake from the verifier and if

06:43

the verifier is correct and the proof is

06:44

wrong then the verifier takes a state on

06:47

the approval which means basically that

06:49

the dishonest party is the one paying

06:51

all of the fees which is good and that

06:55

that means we don't really care how

06:56

expensive it is um the only real that we

07:00

have is that we want all the

07:01

transactions to be small enough that we

07:04

can make sure they get mined quickly

07:07

that's the that's the constraint that

07:09

that we had in this

07:12

case um so this is the first this is um

07:15

the initial transaction is on block

07:20

85326 and um you can you can copy the

07:23

transaction ID if you want and we also

07:25

put on GitHub um a little bit of code

07:28

that you guys can in Clone and um use it

07:32

to verify that the proof that we have on

07:34

Main net is actually correct I want to

07:36

show you um the code for a

07:40

second because it's really very simple

07:43

um can you read this

07:45

yeah yeah so basically we you can you

07:49

can download the code and you can just

07:51

take the transaction payload from the

07:54

actual transaction on a on um block

07:57

Explorer copy that into this um

08:00

repository and then you can just the the

08:02

code as you see is is is coded as a J

08:05

Test you can use J to run it and uh it

08:09

uses

08:10

sjs to verify the proof um very simple

08:15

so that you can actually see that what

08:17

we put on mainnet is is

08:21

real um and this is the the final

08:24

transaction is on block

08:28

85326 6 2 six we have also attached an

08:32

Nal to that block just to make it more

08:35

fun and more interesting and um that

08:37

ordinal will later be used to spawn new

08:40

ones and if you want you can um you can

08:42

join our group and um get free ordinals

08:46

is always

08:49

fun

08:51

um okay so what what are the next steps

08:54

so this this was a very very nice and

08:57

interesting demonstration and and um but

09:00

in order to make it the real world

09:02

application we still have to do a few

09:04

things few for example we have to uh to

09:07

turn the two-party protocol into a

09:09

multi-party protocol to so that the

09:12

security is real world security and uh

09:15

we're going to build real world

09:16

applications with this technology um

09:19

some that come come to mind is uh

09:21

something that we called Grail which is

09:24

the first trustless or nearly trustless

09:27

bridge between Bitcoin and VMS and what

09:30

I mean by trustless is that unlike most

09:34

bridges today that rely on a

09:36

multi- uh bridge will not rely on a

09:39

multi6 so um it's um it enjoys the full

09:43

security that ZK proofs can

09:46

provide additional killer apps that we

09:49

can build on this technology are um ZK

09:52

rollups smart contracts um decentralized

09:55

exchanges stable coins all of these

09:58

great and wonderful things that exist in

10:01

the evm world and don't exist yet on

10:03

bitcoin and that's something that we we

10:06

think really should

10:07

change please please scan the QR code um

10:11

we are hiring coders if anybody is

10:14

interested in um helping us you can join

10:17

our telegram group and um if you're a

10:20

top notes coder we'll welcome you to to

10:23

our

10:25

team and um that's it time's up thank

10:28

you

10:30

good