ZeroSync

Introducing STARK proofs to Bitcoin

zerosync.org | @zerosync_ | @robin_linus

A Growing Problem

• Millions of Bitcoin users, but only ~50000 full nodes
• The chain is about 500 GB
• Growing by up to 200 GB/yr
• Running a node keeps getting harder
• Can't we compress the chain?

zerosync.org

Zero-Knowledge Proofs

Proof Systems

zerosync.org

Chain State Proof

zerosync.org

Extreme Compression

500'000 MB

1 MB

zerosync.org

Chain State Proofs

• Header chain proof
• Hash chain, proof of work, difficulty adjustment
• Merkle proof over the headers
• "Assumevalid" chain proof
• All consensus rules except for script validation
• Manages the UTXO set using Utreexo
• Full chain proof
• All consensus rules, including signatures

zerosync.org

Bitcoin 🧡 ZKPs

• No forks required! No activation drama
• Prove once, millions of users can verify
• Nodes can reshare the proof
• Anyone can be a prover and extend the previous state proof

zerosync.org

Header Chain Proof

Proof Architecture

zerosync.org

Sync on Phone

zerosync.org/demo

Our Setup

STARK Proofs

• Transparent proofs. No trusted party
• Conservative cryptographic assumptions
• Fastest proof systems

zerosync.org

Cairo Language

• Arithmetic circuits are hard to work with
• High-level language to express complex programs
• Supports unbounded computation

zerosync.org

Proving

• 14 machines
• 3.5 GHz
• 500 GB RAM + 1TB swap file
• 8 days
• $4000

zerosync.org

Verification

• Proof size: 200kB
• Time: 5 seconds on an iPhone

zerosync.org

Limitations

Longest Chain Rule

• It's hard to prove something doesn't exist
• Honest peer assumption required
• Resolve instantly

zerosync.org

Is it a proof

if I cannot understand it?

Wizard Approved

Tabconf 2021

zerosync.org

$34 Million Bug Bounty

zerosync.org

"That's a hardfork"

Data Availability Problem

• State proofs cannot verify data availability
• State proof proves only the state and a UTXO set commitment
• Updating UTXO inclusion proofs requires knowledge of the last block
• Potential attack: data withholding attack
• Scenario: millions of zkNodes vs 50'000 conventional nodes
• Network split. zk-nodes believe in different state than conventional nodes
• Withhold Lightning justice TXs?
• Blackmail a user to pay for the proofs required to spend their coins?
• How big is the problem actually?
• Can only occur if most people only use proofs

zerosync.org

The ZeroSync Project

ZeroSync

• Founded summer 2022
• Swiss non-profit organisation
• Free and open-source Bitcoin software
• Funded by grants from Geometry, StarkWare, OpenSats
• Team of 4 developers

​

zerosync.org

Roadmap

• Integrate header chain proof into wallet apps
• Neutrino, Electrum, ...
• Improve prover performance by 100 - 1000x
• Smaller field
• Poseidon 2
• Larger grinding factor
• Builtin for SHA256
• EC FFT for secp256k1
• GPU / FPGA / ASICs
• Complete a full chain proof

zerosync.org

Further Applications

• miniSTARK prover is general purpose
• ZDK: Toolkit to generate custom Bitcoin proofs
• zkCoins: scalability and privacy
• sats4files: decentralized hosting via LN
• Blockstream Satellite

zerosync.org

Takeaways

Takeaways

• ZKPs enable groundbreaking compression
• Proof systems are likely the future of bitcoin
• Main limitation: prover performance (probably solved soon)
• zk-SPV clients are ready now

zerosync.org

Questions?

zerosync.org | @zerosync_ | @robin_linus