Workshop on Cryptography for Bitcoin

Registration: Attendance is free but registration is mandatory. Registration link


With a market capitalization of more than a trillion USD, Bitcoin is the world’s largest cryptocurrency β€” yet its highly constrained programming environment limits its applications. Despite this, there is growing interest in building secure applications on Bitcoin, from faster and private payments to bridging Bitcoin to other blockchains. There is also a concerted effort to make Bitcoin post-quantum secure by upgrading its signature schemes. Meeting these challenges has spurred significant cryptographic innovation, with implications well beyond Bitcoin itself. This workshop showcases these advances and brings together researchers from academia and industry to tackle the open problems that remain.


Organizers:



Schedule:

9:30 – 10:00Breakfast
10:00 – 10:30
BABE: Verifying proofs on Bitcoin made 1000x cheaper β€” Srivatsan Sridhar (UC Berkeley)

Endowing Bitcoin with the ability to verify succinct proofs has been a longstanding problem with important applications such as scaling Bitcoin and allowing the Bitcoin asset to be used in other blockchains trustlessly. It is a challenging problem due to the lack of expressiveness in the Bitcoin scripting language and the small Bitcoin block space. BitVM2 is the state-of-the-art verification protocol for Bitcoin used in several mainnets and testnets, but it suffers from very high on-chain Bitcoin transaction fees in the unhappy path (over $14,000 in a recent experiment). Recent research BitVM3 dramatically reduces this on-chain cost by using a garbled SNARK verifier circuit to shift most of the verification off-chain, but each garbled circuit is 42 Gibytes in size, so the off-chain storage and setup costs are huge. This paper introduces BABE, a new proof verification protocol on Bitcoin, which preserves BitVM3's savings of on-chain costs but reduces its off-chain storage and setup costs by three orders of magnitude. BABE uses a witness encryption scheme for linear pairing relations to verify Groth16 proofs. Since Groth16 verification involves non-linear pairings, this witness encryption scheme is augmented with a secure two-party computation protocol implemented using a very efficient garbled circuit for scalar multiplication on elliptic curves. The design of this garbled circuit builds on a recent work, Argo MAC, which gives an efficient garbling scheme to compute homomorphic MACs on such curves.

10:30 – 11:00
Duty-free bits: Projectivizing garbling schemes β€” David Heath (UIUC)

Starting with the seminal work on BitVM, techniques based on Yao’s Garbled Circuit (GC) have recently emerged as a key ingredient for constructing trust-minimized Bitcoin bridges. However, GC-based techniques are often expensive in that they involve the transmission and storage of large cryptographic encodings; a naive encoding for the problem at hand has size on the order of tens of gigabytes. Exciting recent works BABE (Garg et al.) and Argo MAC (Eagen and Lai) demonstrated substantial improvement by integrating Yao-style garbling with so-called decomposable affine randomized encodings (DAREs) aka information-theoretic garbled circuits (IT-GCs). This integration led to encodings on the order of tens of megabytes β€” dramatically improved, but still large. The bottleneck of these recent approaches is a need to convert the way values are encoded, from simple bit-by-bit Yao-style garbled labels to efficient IT-GC-style labels. This conversion is essential, as Yao-style labels have a simple property crucial to the Bitcoin setting β€” projectivity, which means input values are encoded in a straightforward bit-by-bit manner. Existing works take a natural approach to the conversion, leading to the need to transmit and store an encoding whose size grows roughly quadratically in the size of the labels output by the conversion.

Our work combines and extends modern advances in garbled circuits to substantially improve this Yao-style to IT-GC-style label conversion, ultimately leading to an encoding that scales only linearly with the output labels β€” crossing the border is duty-free. We use our improved conversion technique as a drop-in replacement for the natural conversions used by prior works. At the cost of a modest increase in local computation, we improve the total size of the garbled encoding for BABE (resp. Argo MAC) by 45x (resp. 20x).

This work was completed in collaboration with Alpen.

11:00 – 11:30Coffee break
11:30 – 12:00
From cut-and-choose to constant-size proofs of garbling correctness β€” Ariel Futoransky and Sergio Lerner (Fairgate Labs)

Garbled circuits underpin a growing class of Bitcoin protocols β€” bridges, vaults, and covenant-like constructions β€” that express rich spending conditions without consensus changes. These rest on garbling correctness: a verifier must be convinced that a garbled circuit was produced honestly from an agreed Boolean circuit. The standard tool is cut-and-choose, in which the garbler commits to many circuit copies and opens a random subset; verifier communication and storage therefore grow as O(kΒ·n) in the security parameter k and circuit size n.

We replace cut-and-choose with a direct succinct proof. Given a public Boolean circuit and a commitment to the garbled tables, we prove that the committed tables are a correct garbling of the circuit under a Free-XOR scheme, and recursively compose per-gate local proofs into a single final artifact. Verification then costs O(1) in added communication and storage, independent of n, for arbitrary circuits.

We present the construction and two implementations: a STARK-recursive prover for Free-XOR garbled circuits, and a Nova-based IVC prover for the same garbling-correctness statement, with the STARK prover reaching 25k gates/s on commodity hardware.

12:00 – 12:30
Implementable witness encryption from arithmetic affine determinant programs β€” Michel Abdalla ([[alloc]init])

Abstract coming soon.

12:30 – 2:00Lunch break
2:00 – 2:30
TBD β€” Dan Boneh (Stanford)

Abstract coming soon.

2:30 – 3:00
Flock: SHA256 proving, fast enough for post-quantum Bitcoin β€” William Wang (NYU)

For many applications of SNARKs, a key bottleneck is proving large batches of standard cryptographic hash evaluations, such as SHA-256, Keccak, or BLAKE3. We introduce Flock, a hash-based SNARK for extremely fast proving of such batched Boolean computations. Flock proves batches of the same R1CS circuit (plus input/output relations between them), can prove hash-chains and Merkle path openings, and in principle can be extended to full-fledged hash- based signature verification. At its core, Flock combines new optimizations for the lincheck and zerocheck protocols with an aggressively optimized proof-of-concept implementation co-designed by coding agents.

On a single core of an M4 Max processor, Flock proves 82k evaluations of the BLAKE3 compression function, 42k SHA-256 compressions, and 30k Keccak permutations per second β€” less than a 250x overhead over native execution. On ten cores, throughput exceeds 660k BLAKE3 compressions per second; in proving SHA-256, Flock is more than 9x faster than Binius64, the prior state of the art, and more than 500x faster than the fastest elliptic curve-based SNARK we measured against.

3:00 – 3:30Coffee break
3:30 – 4:00
Ark: Offchain transaction batching in Bitcoin β€” Zeta Avarikioti (TU Vienna)

Abstract coming soon.

4:00 – 4:30
Shielded CSV: Private and efficient client-side validation β€” Robin Linus (Stanford, ZeroSync)

Abstract coming soon.