1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
|
Delivery-date: Thu, 21 Aug 2025 15:54:46 -0700
Received: from mail-oo1-f63.google.com ([209.85.161.63])
by mail.fairlystable.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
(Exim 4.94.2)
(envelope-from <bitcoindev+bncBDEKZZME2IBBBK6HT3CQMGQE7OCTUAI@googlegroups.com>)
id 1upEBC-0001HL-EI
for bitcoindev@gnusha.org; Thu, 21 Aug 2025 15:54:46 -0700
Received: by mail-oo1-f63.google.com with SMTP id 006d021491bc7-61bd6d7c149sf941075eaf.0
for <bitcoindev@gnusha.org>; Thu, 21 Aug 2025 15:54:45 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1755816880; cv=pass;
d=google.com; s=arc-20240605;
b=cAvF6EIDsM1tDy1IlfTYwqOJ3fFqA2vf0k56mw5/RxBOkIgWWM8agycA2M9mwTkZ/m
g8s55ftUCsEIarS8NAlY5Lba19bokWiiYhlM0RUrkJvnCDi1sZfOvNI84llhV0KQ3z0p
KvNKENk4KaVvfHsgEd/J9nR6ERitLgGrFL2jT6l/KsiULiR/jo48t0cHbGzjgguHEp+I
UhtAZrW/G6K3M3niBn/kSLLoxppbxwRwXYfFMpjhdQ4b63DfTxEWpy9A3Bd05SXJDmZ2
70FC2PURToxO2uz+4uDWxWaqY6ujT5XT1x6pdkPYdiLKqauNxfUeyxms8O9upmwgFh4s
67iA==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605;
h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
:list-id:mailing-list:precedence:reply-to:content-transfer-encoding
:mime-version:feedback-id:message-id:subject:from:to:date
:dkim-signature;
bh=sGypaIbnVRtQng2NmAuf3u+iVfSOqQKPNHkUe/Kpt2o=;
fh=E/H/ynSdQ4/wr8R9D/J9CElwsyYNVN/SnKydOlMWYx4=;
b=gIRxFwq34jDMqej15XbVm/xkol6tPQB9hqSw/KAz8+v2uZ7IBf0cAIjQrRMWIyobmA
WGz/oeUaVLf0pqSudszPIw4M6a4n140wh+/FN9w9J2R4sD5TFmdQ6kybNB5hxce0Tq7C
9Awwe9TYXBGCChsVtZ5HV+P4R/LxQNWqKxhS86mvUXLJR1bwjzyWSGncb9arRv33IhsU
seIj57v0+RiJuGAe9uJgjY3g6n2pK+E0QgNUMALYMyay3ng/s5RcRtIUwtgBQPW19/+v
zfmxUB1W+gPG6mO/nYP7LfAYCLu6/wPrznm/2YB6zxiuZRlZkTQoWhYZlRFgqFt7fycS
/COQ==;
darn=gnusha.org
ARC-Authentication-Results: i=2; gmr-mx.google.com;
dkim=pass header.i=@protonmail.com header.s=protonmail3 header.b=yY5lGjj0;
spf=pass (google.com: domain of liameagen@protonmail.com designates 79.135.106.28 as permitted sender) smtp.mailfrom=liameagen@protonmail.com;
dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=protonmail.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=googlegroups.com; s=20230601; t=1755816880; x=1756421680; darn=gnusha.org;
h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
:list-id:mailing-list:precedence:reply-to
:x-original-authentication-results:x-original-sender
:content-transfer-encoding:mime-version:feedback-id:message-id
:subject:from:to:date:from:to:cc:subject:date:message-id:reply-to;
bh=sGypaIbnVRtQng2NmAuf3u+iVfSOqQKPNHkUe/Kpt2o=;
b=cW3GphLiPMNxs/727eZn3HoyT4+/N5krOEooZb3ldvfBjSJMAaTaHhZM/fMrEUDTnm
FZo7oIcSq3gGGu4eKf8aWFCPm3rTdqhvVi+rQ7lUvr+vMHwS9iYfIg1qISt4uS4uIBOF
XlV6mYzGIRjkTyIqJeil+2ldPEIoR+mqk1SEkK14hGq6jwKMt0k6UvwuiNKwjD1+fF+b
nAMpkH2e75RHMPnb8UceRkkhquxiKAzSN6EzX19L0CbEIICr7UKJ5astthdhUn2s7vJU
vfBov+yFEh/OJYRg0iSMqhp76eqmbuA0puIfRr1NS9AYcz58mKdVPkXmW07gfqjxbnYI
OvnQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1755816880; x=1756421680;
h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
:list-id:mailing-list:precedence:reply-to
:x-original-authentication-results:x-original-sender
:content-transfer-encoding:mime-version:feedback-id:message-id
:subject:from:to:date:x-beenthere:x-gm-message-state:from:to:cc
:subject:date:message-id:reply-to;
bh=sGypaIbnVRtQng2NmAuf3u+iVfSOqQKPNHkUe/Kpt2o=;
b=ayFmYnDpAi7PL72xSaCx85mh6tmOQS7k3K12vtDQBfFSa21xTI84O80jv+aHv5qMp6
u9Yb9LsFj++jqmQRrdSBAoLZmVwi+2npqcmetW+PlYOi/59ELsaQIpenoqGQC8d/gXpC
ZyuROA1jQhWE+6FTf9bMZ/CH9cvgfNA3GI3WNC38OZgwHbsJNhd0/Nx+FLWsDvEORaNI
eaOYV0xgA2x2j67TTC5stLT5NvUnHzSmX2PkHFZNqsTZVREOUE8PoD1XQN5IObgAHZ9m
woPSKKlV5DF2Uwqp6jf4HHNSz+RJLwKjX0OXPm/Qhl/jJqloMzMaLKRfGX+BnIUuSqUq
Bt6g==
X-Forwarded-Encrypted: i=2; AJvYcCU3XBIA4zzmhe/TAkCsFt0GjdQRZbe1YpAmzpgen0hmN3RPJtzmR6Ao8eKqe6wJnKM5E/SEFlgx8OkH@gnusha.org
X-Gm-Message-State: AOJu0Yy/gIRpjHFUluoni9pBZc+uGrxGeedjox29ybj1WYyoXZm46EvN
u07SBVIfNghRZ2bezxWbVVTZ5wCpJ/6qhqyjwUBE6yoG9hDCqOGrvdYB
X-Google-Smtp-Source: AGHT+IGPa4fIS9wW5eGJf9QKVODTTn6PdcMmmh6bPsP8V5BbqCHqwpsRzvy+4eaaLklQ06TsfrObbQ==
X-Received: by 2002:a05:6820:850a:b0:61b:5f26:7059 with SMTP id 006d021491bc7-61dab29cb0emr880350eaf.4.1755816879570;
Thu, 21 Aug 2025 15:54:39 -0700 (PDT)
X-BeenThere: bitcoindev@googlegroups.com; h=AZMbMZfffPAj4CdohPSAQjUWhrMURWuTLL0tbEfhMagKRw7S7Q==
Received: by 2002:a05:6820:2223:b0:613:e97f:5883 with SMTP id
006d021491bc7-61d9aee3f37ls414447eaf.0.-pod-prod-00-us-canary; Thu, 21 Aug
2025 15:54:35 -0700 (PDT)
X-Received: by 2002:a05:6808:344b:b0:407:9d24:af03 with SMTP id 5614622812f47-43785cd0764mr492039b6e.14.1755816875222;
Thu, 21 Aug 2025 15:54:35 -0700 (PDT)
Received: by 2002:a05:600c:c16f:b0:456:11e5:963 with SMTP id 5b1f17b1804b1-45b51067e6ems5e9;
Thu, 21 Aug 2025 15:48:19 -0700 (PDT)
X-Received: by 2002:a05:6000:2f82:b0:3c5:adc6:dc67 with SMTP id ffacd0b85a97d-3c5daa276c9mr323416f8f.8.1755816496500;
Thu, 21 Aug 2025 15:48:16 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1755816496; cv=none;
d=google.com; s=arc-20240605;
b=dxStrxbkAQ2WKB8DLJ8v/Fbx9kZWiGQYnPQzcUwz3YSVJ84l1oBUYYe0QFqm3PtQRt
mQeY/pzaTC5rGBQZnGVJnoWlcx6YlF/964Q0cKRuWyqxXOE4u7qxtN7m1Luce58Q03Ct
pYDm6TYtYbrRnQSoZaPDCN67jpr1KdicR7Kjw9HAq4dnG9OAS5kK+e2A/3+we9o9pp1M
lin9jcbGvQV4QScjNrCRvbkiDVMDw8pdh8ru1u3WF14+8OL10UFsdvThWNCz00er/4TV
CRdegsyem/2K0PKFRip+6Eep3gyz5+15CI3U7mlhTi2zAlHlyUcfBj2PxE1dDiNKxPSG
kJvQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605;
h=content-transfer-encoding:mime-version:feedback-id:message-id
:subject:from:to:date:dkim-signature;
bh=3G/InH+MEWsuCSlxf44yYe0amX3eHvevvSGK8uHIRLI=;
fh=lhFSo2W/mHC0QoJ9oNg3A35n0DTltt3CQl1/0RggJlk=;
b=eTeqA9vKLVlKetg+hoR/jip8mmOogAVkLGnSgvtLbVu/ZZahmxkcrV77d6Hlt9f486
lihw/ZsWnEUg3hxhLvYm3saH+LDHbJGiTwlCx+TiNNOt2Fp27fQ9N5lDAuVJOpmoYO4h
jcNUPUwrH6ksy/2IBRhlZ+KSqyqV6zR0TtQAnq7eb2ksK7GxAcHcnUARBcdfmUdLSvyT
pTUBg6XVZ3G/v5varqFhsHOUSHqrQb4bwz7oioHghv+Yh809MBUnQea7pVubYAPM1Iep
K3FdKJITOxCU5AFdw0eJulSQHnzOryWkXCym5QACtz90vBgWt1gOqdnY2lOPFeoREC3a
yfIA==;
dara=google.com
ARC-Authentication-Results: i=1; gmr-mx.google.com;
dkim=pass header.i=@protonmail.com header.s=protonmail3 header.b=yY5lGjj0;
spf=pass (google.com: domain of liameagen@protonmail.com designates 79.135.106.28 as permitted sender) smtp.mailfrom=liameagen@protonmail.com;
dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=protonmail.com
Received: from mail-10628.protonmail.ch (mail-10628.protonmail.ch. [79.135.106.28])
by gmr-mx.google.com with ESMTPS id 5b1f17b1804b1-45b4f3705c3si370955e9.0.2025.08.21.15.48.16
for <bitcoindev@googlegroups.com>
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Thu, 21 Aug 2025 15:48:16 -0700 (PDT)
Received-SPF: pass (google.com: domain of liameagen@protonmail.com designates 79.135.106.28 as permitted sender) client-ip=79.135.106.28;
Date: Thu, 21 Aug 2025 22:48:11 +0000
To: "bitcoindev@googlegroups.com" <bitcoindev@googlegroups.com>
From: "'Liam Eagen' via Bitcoin Development Mailing List" <bitcoindev@googlegroups.com>
Subject: [bitcoindev] Glock: Garbled Locks for Bitcoin
Message-ID: <Aq_-LHZtVdSN5nODCryicX2u_X1yAQYurf9UDZXDILq6s4grUOYienc4HH2xFnAohA69I_BzgRCSKdW9OSVlSU9d1HYZLrK7MS_7wdNsLmo=@protonmail.com>
Feedback-ID: 12385552:user:proton
X-Pm-Message-ID: 66731a165e1051960bd921d70022dfb5844171a4
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Original-Sender: liameagen@protonmail.com
X-Original-Authentication-Results: gmr-mx.google.com; dkim=pass
header.i=@protonmail.com header.s=protonmail3 header.b=yY5lGjj0;
spf=pass (google.com: domain of liameagen@protonmail.com designates
79.135.106.28 as permitted sender) smtp.mailfrom=liameagen@protonmail.com;
dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=protonmail.com
X-Original-From: Liam Eagen <liameagen@protonmail.com>
Reply-To: Liam Eagen <liameagen@protonmail.com>
Precedence: list
Mailing-list: list bitcoindev@googlegroups.com; contact bitcoindev+owners@googlegroups.com
List-ID: <bitcoindev.googlegroups.com>
X-Google-Group-Id: 786775582512
List-Post: <https://groups.google.com/group/bitcoindev/post>, <mailto:bitcoindev@googlegroups.com>
List-Help: <https://groups.google.com/support/>, <mailto:bitcoindev+help@googlegroups.com>
List-Archive: <https://groups.google.com/group/bitcoindev
List-Subscribe: <https://groups.google.com/group/bitcoindev/subscribe>, <mailto:bitcoindev+subscribe@googlegroups.com>
List-Unsubscribe: <mailto:googlegroups-manage+786775582512+unsubscribe@googlegroups.com>,
<https://groups.google.com/group/bitcoindev/subscribe>
X-Spam-Score: -1.0 (-)
Hey everyone,
Wanted to share our recent work on "Glock" (Garbled Locks) for optimistic s=
mart contract verification on bitcoin. This is pretty similar in concept to=
Jeremy Rubin's work on Delbrag [0] and Robin Linus' work on BitVM3(RSA/s) =
[1,2], but uses different techniques to make a practical scheme. We have (l=
inked below) a preprint that describes the scheme in detail and a research =
implementation under active development. We've been working on this for a l=
ong time, and I think some of techniques might be of independent interest.
A "Glock" is a protocol for optimistic smart contract verification using Ga=
rbled Circuits. The "Garbler" signs the input (and proof) using a kind of L=
amport-like signature and then the "Evaluator" can derive a secret if the s=
mart contract fails, which they can use to sign a slashing transaction. Thi=
s works with bitcoin today with no soft forks and is nice because it moves =
essentially all of the cost and complexity of verification off chain.
In theory, the fraud proof can literally be a Schnorr signature. Previous c=
onstructions either used something like Rubin's Grug tehcnique, which requi=
res a larger slashing script, or had impractical costs for garbling. We pro=
pose the first (imo) practical Glock whose fraud proof is a single signatur=
e, which represents over a 550x reduction [4] of on-chain data compared to =
BitVM2 [3].
Our protocol, Glock25, uses a bunch of interesting cryptography to make all=
the costs of the scheme manageable. We propose a new SNARK, which is curre=
ntly the smallest known SNARK, make it designated verifier, and instantiate=
it with binary elliptic curves. These curves have some really nice synergi=
es with the GC scheme. We also have some neat tricks to use adaptor signatu=
res and verifiable secret sharing for efficient malicious security.
Paper here:
https://eprint.iacr.org/2025/1485
Code here:
* Rust implementation of DV-Pari: github.com/alpenlabs/dv-pari
* Binary circuit generator for DV-Pari: github.com/alpenlabs/dv-pari-circui=
t
* Generic garbling & evaluation tool: github.com/alpenlabs/garbled-circuits
Paper Abstract:
Bitcoin [Nak09] is a decentralized, permissionless network for digital paym=
ents. Bitcoin also supports a limited set of smart contracts, which restric=
t how bitcoin can be spent, through bitcoin script. In order to support mor=
e expressive scripting functionality, Robin Linus introduced the BitVM fami=
ly of protocols [Lin23a, LAZ+24]. These implement a weaker form of =E2=80=
=9Coptimistic=E2=80=9D smart contracts, and for the first time allowed bitc=
oin to verify arbitrary computation. BitVM allows a challenger to publish a=
"fraud proof" that the computation was carried out incorrectly which can b=
e verified on chain, even when the entire computation cannot. Jermey Rubin =
introduced an alternative optimistic smart contract protocol called Delbrag=
. This protocol uses Garbled Circuits (GC) to replace the BitVM fraud proof=
by simply revealing a secret. He also introduced the Grug technique for ma=
licious security.
We introduce a new formalization of GC based optimistic techniques called G=
arbled Locks or Glocks. Much like Delbrag, we use the GC to leak a secret a=
nd produce a signature as a fraud proof. We further propose the first concr=
etely practical construction that does not require Grug. Like BitVM2 and De=
lbrag, Glock25 reduces verification of arbitrary bounded computation to ver=
ification of a SNARK. In Glock25, we use a designated verifier version of a=
modified SNARK Pari [DMS24] with smaller proof size. We make Glock25 malic=
iously secure using a combination of Cut-and-Choose, Verifiable Secret Shar=
ing (VSS), and Adaptor Sig- natures. These techniques reduce the communicat=
ion, computational, and on-chain complexity of the protocol compared to oth=
er approaches to construct a Glock, e.g. based on Groth16.
[0] https://rubin.io/public/pdfs/delbrag.pdf
[1] https://bitvm.org/bitvm3-rsa.pdf
[2] https://bitvm.org/bitvm3.pdf
[3] https://bitvm.org/bitvm_bridge.pdf
[4] This cost calculation includes the entire BitVM2 game, not just the fra=
ud proof/disprove transaction.
--=20
You received this message because you are subscribed to the Google Groups "=
Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an e=
mail to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/=
Aq_-LHZtVdSN5nODCryicX2u_X1yAQYurf9UDZXDILq6s4grUOYienc4HH2xFnAohA69I_BzgRC=
SKdW9OSVlSU9d1HYZLrK7MS_7wdNsLmo%3D%40protonmail.com.
|
