Bitcoin's First ZK Rollup Is Gearing Up For Launch

A conversation with Orkun Kilic, founder of Citrea, about Bitcoin’s security and scaling using zero-knowledge rollups.

Jun 11, 2024 - 12:30
 0  19
Bitcoin's First ZK Rollup Is Gearing Up For Launch

Bitcoin & Beyond is an educational series by the team at The Rollup focused on a new and emerging class of builders in the Bitcoin ecosystem. Through spaces, panels, and interactive presentations, the objective is to provide deep technical insights into innovative scaling projects.

In this episode, the crew discusses building Bitcoin's first ZK (zero-knowledge) rollup with Orkun from Citrea. Rollups are a new technology that promises to enhance Bitcoin’s utility, allowing for different scalability improvements while preserving the security of the Bitcoin infrastructure.

"A rollup is a blockchain that uses another blockchain as the data availability layer," Orkun says emphatically.

Plenty of other elements are considered in rollup design but he believes they shouldn’t be part of the definition. “Where does the settlement fit in, the bridging? ZK or optimistic? The execution layer? It doesn't matter.”

The Motivation Behind Citrea

Citrea’s motivation behind building a zero-knowledge rollup on Bitcoin stems from Bitcoin's unparalleled security and censorship resistance. Despite these strengths, Bitcoin has limitations in block size and script capabilities. Orkun noted, "What you can do with Bitcoin beyond simple payments is extremely limited today. We want to do more using Bitcoin’s block space security.”

Overcoming Bitcoin's Limitations with Modularity

Citrea is attempting to address these limitations through modularity. By building a rollup, developers can customize their stack to create various applications, such as payment rollups, gaming rollups, and EVM rollups. This flexibility allows for different optimizations that might scale blockchains without requiring changes to their core protocol. The combination of different services becomes a fertile ground for experimentation that wasn’t possible before.

Security is paramount for Bitcoin and any layers built on top of it. "Building a rollup is the only way to actually get that security. If you are not building channels like Lightning or Mercury, which are still limited by Bitcoin's functionality."

Citrea's innovation is to use Bitcoin as a data availability layer. Thanks to historical changes like SegWit and Taproot, developers are discovering new ways to inscribe data in Bitcoin transactions. This makes it feasible to use Bitcoin as a data availability layer for rollups. "So you can publish data into Bitcoin, but that data can be arbitrary because it doesn't get executed ever in the blockchain," Orkun explained.

Using Bitcoin for data availability involves trade-offs. While it ensures high security, it may not be suitable for high-speed, low-cost applications. "If you want full Bitcoin security, you must use Bitcoin as your data availability layer. However, for high-speed, low-cost applications, other layers like Celestia may be more appropriate.”

The Clementine Bridge

To move bitcoins in and out of the system, Citrea has built Clementine, a BitVM-based two-way peg that optimistically verifies ZK proofs. This mechanism aggregates proofs from Bitcoin, reducing the need for frequent settlements and enhancing security. "We are just inscribing these proofs on Bitcoin every hour. Other rollups can read the proof from there and execute based on that," Orkun explained.

The evolution of BTC bridges has seen a shift from custodial and federated threshold bridges to modern crypto-economic security bridges. Federated bridges rely on a majority consensus within a committee, while crypto-economic bridges like Stacks or tBTC use staked assets to ensure security. Orkun detailed, "In crypto-economic security, you are still trusting a federation, but those people actually stake some other assets. If they steal the money, then you can slash that asset."

Clementine, however, takes this a step further. It uses an optimistic approach inspired by BitVM to verify ZK proofs, which is cost-effective and secure. This approach allows for the aggregation of proofs, making the process efficient and scalable.

The core idea behind Clementine is to provide optimistic settlements for ZK rollups. "We just aggregate the Bitcoin proofs from Bitcoin to settle less frequently because you cannot settle in every single block. It will be expensive," Orkun explained. By inscribing data periodically and aggregating proofs, Clementine ensures that the state remains accurate and secure.

To achieve this, an operator will initially cover user withdrawal requests out of pocket then aggregate the necessary proofs into a single submission to the network. If other operators suspect foul play, they can challenge the submission. Successful challenges result in the dishonest operator losing their initial bond and being removed from the network. If the operator’s submission is not challenged, they can then reclaim the equivalent amount they disbursed from users’ original deposits.

This setup introduces a trust-minimized assumption where only one participant needs to be honest to ensure security. "We call it trust minimized because now we have this 1-of-N assumption. As long as one person in this N people is honest, then your money is secure," Orkun emphasized. This is a significant improvement over traditional models that require a majority consensus for security.

Future Plans and Ecosystem Impact

Looking ahead, Citrea plans to introduce volition, a hybrid model balancing on-chain security with off-chain cost efficiency. This allows applications to choose their data storage method based on their specific needs. Orkun also emphasized the importance of transaction fees for Bitcoin's long-term security, with Citrea's use of Bitcoin as a data availability layer contributing to maintaining miner incentives and network security.

"So depending on your usage, if you want to deploy now a gaming application, you can use off-chain data. It is very cheap, very fast, but still gets this Bitcoin interoperability. If you want to build a Bitcoin-backed stablecoin application, you can use on-chain data so your stablecoin is fully on-chain secured, fully Bitcoin secured. A bit expensive but you still get this interoperability between the gaming application and the stablecoin application.”

Bridging Bitcoin’s resilience with the flexibility of rollups could push the boundaries of what's possible with Bitcoin. Check out Citrea's website to learn more about their work. Follow our Bitcoin & Beyond series at therollup.co to learn more about the evolving state of Bitcoin scaling solutions.

This is a guest post by The Rollup. Opinions expressed are entirely their own and do not necessarily reflect those of BTC Inc or Bitcoin Magazine.