Validity Rollups Proposed For Bitcoin – Trustnodes

ZK-tech based second layer solutions may be coming to bitcoin with John Light of the Human Rights Foundation’s ZK-Rollup Research Fellowship, putting forward a proposal that has grabbed the attention of some bitcoin developers.

In a lengthy overview of validity rollups and how they can be implemented in bitcoin’s very limited scripting language, Light first helpfully summarizes what these still very new inventions are:

“A rollup is a blockchain that stores the state root and at least enough transaction data to recompute the current state from genesis inside of the block of a different ‘parent’ blockchain, while shifting transaction execution ‘offchain’ to a separate node network.”

Validity rollups contain enough data on-chain for “validity proofs” to ensure that new rollup blocks follow the rules of the rollup protocol.

These proofs are created through ZK-tech, nowadays mostly STARKs, and thus in effect you get a compression method where you can complete say 100x transactions on this second layer, with the vast majority of the base layer security, and it all translates to just one on-chain transaction.

This has significant usability benefits over something like the Lightning Network because you don’t need things like collaterals, routers, etc., you just deposit to the rollup.

For simple transfers they have largely been implemented on ethereum where they’re now working on an entire zk based Ethereum Virtual Machines with hopes that eventually the ZK solution can be applied to the base layer itself.

In bitcoin however there hasn’t been much work on it until this spring when Trey Del Bonis, a bitcoin developer, published code examples of how validity rollups can be implemented in bitcoin. Light says:

“It would be possible to build a validity rollup on bitcoin using bitcoin’s native Turing-incomplete programming language, Script, with relatively small changes (in terms of code footprint) to the opcodes Script supports…

According to Del Bonis, the changes needed to support validity rollups on bitcoin are a few extra opcodes enabling the two main primitives of his rollup design — validity proof verification and recursive covenants…

Recursive covenants are a type of smart contract that restricts the type of script that BTC can be sent to once it is spent.

Del Bonis uses recursive covenenants to propagate the rollup construction forward with each state update, ensuring that BTC that is locked in a rollup script and haven’t been withdrawn by their owner yet remain in the script from one rollup state update to the next.

Once the owner of BTC on the rollup confirms a valid withdrawal transaction on the rollup, then they can exit the recursive covenant script with their BTC to the L1 withdrawal address they specified.

Recursive covenants are a change to Script that has long been considered by the bitcoin community. However there are currently no specific proposals that have achieved broad consensus among the bitcoin developer community to implement recursive covenants.”

Conceptually this sounds simple. Recursive contracts deal with the locking part, or the transfer of funds in and out of the rollup, while some other changes are required for the proofs to be integrated.

Bitcoin however is notoriously slow to change, but Light says the proposal is fully compatible with bitcoin’s ethos, telling the bitcoin developers mailing list:

“Validity rollups have the potential to improve the scalability, privacy, and programmability of bitcoin without sacrificing bitcoin’s core values or functionality as a peer-to-peer electronic cash system.

Given the ‘trustless’ nature of validity rollups as cryptographically-secured extensions of their parent chain, and given bitcoin’s status as the most secure settlement layer, one could even say these protocols are a _perfect match_ for one another.”

They require no extra bandwidth or storage, so providing scalability without noteworthy tradeoffs.

Their implementation in bitcoin however is likely to be very slow, with Light instead suggesting:

“The Elements sidechain project (and the Liquid blockchain that is based on Elements) does not yet have support for the validity proofs needed to support a validity rollup, but it does have support for recursive covenants.

Implementing support for validity proofs in Elements, along with some of the other changes Del Bonis identified as nice to have, could therefore be a path to testing a validity rollup protocol that is ultimately intended to be deployed on bitcoin.”

Liquid is maintained by Blockstream with Greg Sanders of that Blockstream stating on the mailing list discussion:

“Is there a one page cheat sheet of ‘asks’ for transaction introspection/OP_ZKP(?) and their uses both separately and together for different rollup architectures?”

The Op_ZKP doesn’t quite exist, which is perhaps why he put the question mark, but the question may well indicate that while conceptually it sounds easy, actually implementing this in the very limited bitcoin script language probably won’t be easy at all.

Not least because it would be bleeding edge development, although not completely original as devs in ethereum have been working on these zk systems since 2019.

Transporting that has now reached the point where the skeleton has been laid out for bitcoin. The full implementation however may be quite some time away.