ZK-SNARKs Implementation

IBVM uses ZK-SNARKs to generate cryptographic proofs that state transitions are valid without revealing the full transaction data.

Circuit Design

The ZK circuit in IBVM verifies the correctness of state transitions with the following components:

  1. Transaction Verification Circuit: Validates transaction signatures and nonce values

  2. EVM Execution Circuit: Verifies that each instruction executed correctly

  3. State Transition Circuit: Confirms the validity of state changes

Transaction Verification

For each transaction $T$, the circuit verifies:

  • Signature validity: $Verify(pk_T, sig_T, hash(T)) = true$

  • Nonce correctness: $T.nonce = Account[T.from].nonce$

  • Balance sufficiency: $Account[T.from].balance \geq T.value + T.gasLimit \times T.gasPrice$

EVM Execution

The EVM execution circuit validates each step of transaction execution:

  • For each instruction $I$ and state $S$:

    • $S_{i+1} = Apply(S_i, I_i)$

  • The circuit proves that each $Apply$ function correctly follows EVM rules

State Transition

The state transition circuit verifies:

  1. Initial state hash matches previous state root: $Hash(S_0) = H_s$

  2. Final state hash matches claimed new state root: $Hash(S_n) = H_{s'}$

  3. Each intermediate state is derived correctly: $S_{i+1} = Apply(S_i, I_i)$

Proving System

IBVM uses the Groth16 proving system for efficiently generating and verifying ZK-SNARKs:

  1. Setup Phase:

    1. Generate proving key $pk$ and verification key $vk$

    2. The setup requires a trusted setup ceremony to eliminate backdoors

  2. Proving Phase:

    1. For batch of transactions $B$ with initial state $S_0$ and final state $S_n$

    2. Generate proof $\pi = Prove(pk, S_0, S_n, B)$

  3. Verification Phase:

    1. Verify proof: $Verify(vk, H_s, H_{s'}, \pi) = true$

Recursive Proofs

To handle high throughput, IBVM implements recursive SNARK composition:

  1. Generate sub-proofs $\pi_1, \pi_2, ..., \pi_k$ for smaller batches

  2. Create a recursive proof $\pi_{rec}$ that verifies all sub-proofs are valid

  3. Submit only $\pi_{rec}$ to the Bitcoin blockchain

The recursive verification equation: $Verify_{rec}(vk_{rec}, H_s, H_{s'}, \pi_{rec}) = \bigwedge_{i=1}^{k} Verify(vk, H_{s_{i-1}}, H_{s_i}, \pi_i)$

PreviousEVM Compatibility LayerNextRollup Architecture

Last updated