Original author: Stone, B² Network Research Lead

B² Network is a Layer 2 solution on Bitcoin. It mainly uses zero-knowledge proof verification commitments to be submitted to the Bitcoin network, allowing challengers to initiate fraud proof challenges to achieve the use of the strong consensus of the Bitcoin network to ensure the security of B² Network. the goal of.

This article mainly introduces the operating mechanism of ZK-Rollup and OP-Rollup on Ethereum, introduces the magical NAND gate circuit, introduces the role of commitment, and uses these mechanisms and concepts to design zero-knowledge proof verification commitment on B² Network, and then explains Zero-knowledge proofs verify how commitments are executed on the Bitcoin network and how they ensure the security of the B² Network.

ZK-Rollup on Ethereum

ZK-Rollup is a two-layer scaling solution for blockchain that ensures the correctness and integrity of these transaction batches by aggregating multiple transactions and utilizing zero-knowledge proofs on a one-layer blockchain network. Verification of knowledge proof, thereby using the first-layer network to ensure the security of the second-layer network. It is designed to increase the throughput of blockchain systems and reduce transaction fees while maintaining a high degree of security and data integrity.

The running process of ZK-Rollup is roughly as follows:

1. Transaction aggregation and sorting. Users submit transactions to ZK-Rollup, and the transactions will be submitted to mempool. ZK-Rollups Sequencer obtains user transactions from the mempool and collects and sorts them. The Sequencer is responsible for processing transactions, updating account status, and finally generating a batch representing these updates;

2. State transitions and calculations. All transaction execution and status updates occur off-chain. ZK-Rollups VM (including different zero-knowledge proof smart contract execution engines such as zkEVM and zkVM) calculates new account status and handles operations such as transfers and smart contract interactions. At the same time, the necessary data and evidence are generated to prove that these transactions and status updates are valid, including new account status and zero-knowledge proof;

3. Zero-knowledge proof generation. ZK-Rollups Prover utilizes zero-knowledge proof technology (such as zk-SNARKs or zk-STARKs) to create a proof that all aggregated transactions are valid and do not violate network rules. This proof does not reveal any information about the transaction content, protecting user privacy while ensuring data integrity and security.

4. Zero-knowledge proof verification. Aggregator submits batches of data and zero-knowledge proofs to a one-layer blockchain network. This usually happens in a form of compression to reduce the on-chain space required. Smart contracts on a layer of blockchain network receive these data and proofs and verify the validity of the proofs. If proven valid, the contract will update the state of its recorded ZK-Rollup layer.

The core of ZK-Rollup lies in the generation and verification of zero-knowledge proofs. The transactions of ZK-Rollup are executed off-chain and the state is generated off-chain. Zero-knowledge proof is generated through Prover as the commitment of ZK-Rollup. This commitment represents that transactions on ZK-Rollup are executed correctly and effectively, generating the correct state. The one-layer blockchain network does not need to verify all transactions and status of ZK-Rollup. It only needs to verify the commitment. The verification of the commitment is to conduct zero-knowledge proof verification through the smart contract of the one-layer network to confirm the validity of ZK-Rollup.

Therefore, in Ethereum’s ZK-Rollup, the zero-knowledge proof data is a commitment submitted by the second-layer network to the first-layer network.

OP-Rollup on Ethereum

Optimistic Rollup (OP-Rollup) is a technology designed to extend blockchain performance by keeping minimal data on-chain and performing as many calculations as possible off-chain. OP-Rollup takes advantage of the optimistic assumption that most transactions are honest. Instead of verifying the validity of each transaction immediately, it can be verified after a period of time, greatly improving throughput and efficiency.

The running process of OP-Rollup is roughly as follows:

1. Transaction aggregation and sorting. The user submits a transaction to OP-Rollup, and the transaction will be submitted to the mempool. The Sequencer of OP-Rollup obtains the users transactions from the mempool and collects and sorts them. The Sequencer is responsible for processing the transactions, updating the account status, and finally generating a batch representing these updates;

2. Execution of Transactions. OP-Rollup transactions are executed off-chain. The execution of each batch of transactions will cause the old state to transform into a new state. Each batch will calculate a new state root (an encrypted snapshot representing the entire system status) and submit it to a layer of blockchain network;

3. Status verification. OP-Rollup does not perform complex verification immediately when submitting the transaction batch, but optimistically assumes that these transactions are valid, and then submits a layer of blockchain network. If an observer believes a batch is invalid, they can challenge the batch by submitting a fraud proof. In an Optimistic Rollup solution, fraud proof is a mechanism that allows any observer to challenge a state or transaction submitted to the chain incorrectly or maliciously. Optimistic Rollup utilizes fraud proofs to ensure that even transactions accepted “optimistically” can be proven to be wrong after the fact and reversed accordingly;

4. Challenge mechanism. The challenge period is OP-Rollup. After the submission status is confirmed, there is a challenge window period during which anyone can check the submitted batch and submit a fraud proof if an error is found. This is usually by submitting a transaction to a layer of blockchain. network to implement it, the transaction declares what they believe to be an error and provides corresponding evidence. Arbitrum Rollup (a solution to Optimistic Rollup) uses a process called an interactive verification game to solve the challenge. In this process, a series of rounds take place between the challenger and submitter, gradually narrowing down the scope of their disagreement about what went wrong (using a binary search method to quickly locate the wrong transaction position). Ultimately, this process will determine the exact location where the error occurred. Once the error is confirmed, the original batch will be revoked and the validator who raised the error will be penalized. If the challenge fails, the challenger may lose the funds they staked to launch the challenge; if the challenge is successful, the challenger can receive the reward funds earned by successfully launching the challenge.

The core of OP-Rollup lies in the fraud proof and challenge mechanism. OP-Rollup will first be optimistic that all transactions are executed correctly, and then compile the calculation into bytecode of the virtual machine (AVM, OVM) in the contract on the first layer of the network, and release the commitment of the bytecode. OP-Rollups commitment verification requires transaction calculation, obtaining bytecode, and then verifying the commitment. Once an observer discovers a batch with mismatched commitments, the observer will generate a fraud proof through the challenge mechanism and receive rewards.

Ethereums OP-Rollup first confirms and submits the commitment optimistically, and then uses the challenge mechanism to allow anyone to challenge the submitted commitment, and finally ensures that the OP-Rollup is verified and confirmed through commitment and challenge.

Magical NAND gate

The NAND gate is a basic logic gate in digital logic. It implements the logical NOT (NOT) operation after the logical AND (AND) operation. The properties of the NAND gate make it the basis from which any other logic gate and complex logic circuits can be constructed. The following is a detailed introduction to how to use NAND gates to construct logic gates (such as AND gates, OR gates, XOR gates) as well as addition gates and subtraction gates:

1. NAND gate basics

A NAND gate has two inputs and the output is 0 if and only if both inputs are 1; in all other cases, the output is 1. This can be represented by a logical expression as A NAND B.

2. Construct basic logic gates

AND gate (AND)

To construct an AND gate using a NAND gate:

• Step 1: Connect the two inputs to a NAND gate.

• Step 2: Connect the output of this NAND gate to the two inputs of another NAND gate.

• Result: The output of the second NAND gate is the result of the AND gate.

OR gate (OR)

To construct an OR gate using a NAND gate:

• Step 1: Pass each input through a NAND gate (self and self) to produce the effect of two NOT gates.

• Step 2: Use the outputs of these two NAND gates as the input of one NAND gate.

• Result: The output of the NAND gate is the result of the OR gate.

Exclusive OR gate (XOR)

To construct an XOR gate using a NAND gate (a little more complicated):

• Step 1: Construct two NAND gates, with each input connected to one of them.

• Step 2: Use the outputs of the two NAND gates in the first step as the input of the third NAND gate.

• Step 3: Connect the original input A and the output of the first NAND gate to the fourth NAND gate, and connect the original input B and the output of the second NAND gate to the fifth NAND gate.

• Step 4: Finally, connect the outputs of the fourth and fifth NAND gates to the sixth NAND gate.

• Result: The output of the sixth NAND gate is the result of the XOR gate.

3. Construct an addition gate

Half Adder

A half adder is a simple adder that handles two-bit addition and produces a sum and a carry.

• Sum: Use an XOR gate to generate the sum.

• Carry: Use an AND gate to generate a carry.

• These basic gates are constructed using NAND gates and then combined to form a half-adder.

Full Adder

The full adder takes into account the carry input from the lower bits.

• Step 1: Construct two half adders, the first handles A and B, the second handles the sum and carry input C of the first half adder.

• Sum: The sum output of the second half adder.

• Carry: The carry outputs of the two half adders are connected through an OR gate.

• Construct half adders and OR gates using NAND gates and then combine them to form a full adder.

4. Construct a subtraction gate

Half Subtractor

The half subtractor handles the subtraction of two bits.

• Difference: Use an XOR gate to generate the difference.

• Borrow: Use a NAND gate and a NOT gate to generate a borrow.

• Use NAND gates to construct XOR gates and other required logic, and then combine them to form a half-subtractor.

Full Subtractor

The full subtractor takes into account borrows from high bits.

• Step 1: Construct two half-subtractors, the first handles A and B, and the second handles the difference and borrow inputs of the first half-subtractor.

• Difference: Difference output of the second half-subtractor.

• Borrow: The borrow outputs of the two half-subtractors are connected through an OR gate.

• Use NAND gates to construct half-subtractors and OR gates, and then combine them to form a full-subtractor.

5. Construct a multiplication gate

binary multiplication

Implement the multiplication of two binary numbers.

• Step 1: Use AND gates for bitwise multiplication.

• Step 2: Use full adders in series to perform continuous additions.

• Part 3: Implement shifting and accumulation.

6. Construct register

D flip-flop

Stores one bit of binary information.

• Step 1: Create a latch using a NAND gate.

• Step 2: Expand the latch into a flip-flop (Flip-flop).

register

Stores multi-digit binary numbers.

• Multiple D flip-flops are connected in parallel, each storing one bit.

7. Constructing a clock

Oscillator

Provides a periodic clock signal.

• Use NAND gates to create feedback loops that produce continuous oscillations.

in conclusion

The NAND gate is called a universal logic gate because of its ability to construct any other logic gate and complex circuit. Through the above method, NAND gates can be used to construct complex addition, subtraction, multiplication, storage and clock circuits, which are the basis for arithmetic operations in computers and digital systems. In modern integrated circuit design, NAND gates are widely used because of their simplicity and versatility.

In the practice of B² Network, any computing logic can be constructed through NAND gates.

Promises in cryptography

Commitments are widely used in cryptography and blockchain. SHA 256, Merkle Tree, and KZG in zero-knowledge proofs are all commitments. Like ZK-Rollup introduced above, zero-knowledge proofs are used as commitments of Rollup. OP-Rollup Use the bytecode in the virtual machine as a commitment for Rollup.

We use Merkle Tree to explain in detail how to use promises:

1. Commit: Prover calculates hashes for all values, and the hashes are used as leaf nodes of the binary tree. The hash calculation is continued upwards, and finally a Merkle Tree is generated, and the tree root hash is released as a commitment.

2. reveal: Prover reveals the value corresponding to a leaf node and its branch.

3. check: Verifier calculates the hash through the exposed value and branch, and finally compares it with the published commitment for verification.

As shown below:

1. Commit: Prover calculates hashes of tx 1, tx 2...tx 8 respectively, and obtains H(1), H(2)...H(8), and continuously performs hash calculations in pairs to finally generate a graph. The binary tree structure in , that is, Merkle Tree, publishes the value H (12345678) of the root node of Merkle Tree as a promise.

2. reveal: Prover reveals the value corresponding to a leaf node, such as tx 3, and its branch (H( 4) -> H( 12) -> H( 5678)).

3. check: Verifier computes and verifies the promise by exposing tx 3 and branch (H( 4) -> H( 12) -> H( 5678) ):

• Compute the hash H(3) of tx 3

• H(3) is hashed with H(4) in branch to get H(34)

• H(34) is hashed with H(12) in branch to get H(1234)

• H(1234) is hashed with H(5678) in branch to get H(12345678)

• Verify H(12345678) against the published promise

B² Network’s Zero-Knowledge Proof Verification Promise

B² Network is a ZK-Rollup second-layer solution built on the Bitcoin network.

Limitations of ZK-Rollup on Bitcoin

Due to the Turing incompleteness limitation of Bitcoin, there is no way to verify zero-knowledge proofs on the Bitcoin network. Therefore, the traditional solution of ZK-Rollup, which is to verify the implementation of zero-knowledge proofs on a layer of blockchain network, is not possible. The method is implemented on the Bitcoin network.

ZK-Rollup only writes zero-knowledge proof and Rollup data aggregation into the Bitcoin network through Taproot. This can only ensure that ZK-Rollup data is anchored in the Bitcoin network and cannot be tampered with, but it cannot guarantee the security of ZK-Rollup transactions. In terms of validity and correctness, there is no way to use the strong consensus capability of the Bitcoin network to ensure the security of the second-layer ZK-Rollup.

Therefore, ZK-Rollup confirmation must be done on the Bitcoin network.

Zero-knowledge proofs and arithmetic circuits

Zero knowledge proof

In zero-knowledge proofs, arithmetic circuits are used to construct a proof in which the prover knows some secret information without revealing the information itself.

Zero-knowledge proofs use arithmetic circuits to generate proofs:

• Generate proof

  Once the arithmetic circuit is built, the prover will use their secret input to calculate the circuits output. During this process, the prover also generates additional information (such as commitments and random numbers unique to zero-knowledge proofs), which is used to construct the proof.

• Verification certificate

  Provers send their proofs to verifiers. The verifier does not know the provers secret input, but they have a description of the circuit and the provers proof. The verifier verifies the validity of the proof by performing the same computation of the circuit and comparing its results with the proof provided by the prover.

arithmetic circuit

Arithmetic circuits are typically represented as a directed acyclic graph (DAG), where each node represents an arithmetic operation and the edges represent the data flow between operations. Input nodes represent the circuits input values, usually some numbers or variables, while internal nodes represent arithmetic operations. The output of the circuit is the final calculation result.

Basic circuit gates in arithmetic circuits:

• Addition Gate

• Multiplication Gate

According to the introduction of NAND gates above, arithmetic circuits can be converted into NAND gates by converting addition gates into NAND gates, converting multiplication gates into NAND gates, and finally converting arithmetic circuits into logic gate circuits based on NAND gates.

Zero-knowledge proofs verify promises

The verification program of the zero-knowledge proof itself is an arithmetic circuit. By converting the arithmetic circuit into a logic gate based on NAND gates, the verification program of the zero-knowledge proof can actually be converted into a logic gate circuit based on NAND gates.

The NAND gate is implemented through Bitcoin script, and Bit Value Commitment is assembled into a logic gate as input and output to implement logic gate constraints.

can be abbreviated as OP_GATECOMMITMENT, the corresponding unlocking script is 。

In fact, the NAND gate can be implemented through the Bitcoin script, and then the addition gate and the multiplication gate are constructed from the NAND gate. The addition gate and the multiplication gate are combined into an arithmetic circuit, and finally a verification program for the zero-knowledge proof is constructed. However, due to the large number of gate circuits involved, the constructed Bitcoin script is also very large and cannot actually run on the Bitcoin network.

Assemble Bit Value Commitment as input and output into logic gates, and each logic gate with different inputs and outputs as leaf nodes to form a circuit binary tree. The released Circuit Taproot is the root of the binary tree, which reduces the size of the release.

Circuit Taproot commits as a B² Rollup on the one-layer blockchain network Bitcoin. Unlike traditional ZK-Rollup, which can perform verification on a layer of the network, B² Rollup cannot perform verification directly on Bitcoin. However, you can refer to the Optimistic Rollup method to provide a challenge mechanism for commitments, and complete the confirmation of Circuit Taproot commitments through the challenge mechanism.

Verification and response protocol

Unlike BitVM, off-chain transactions between two parties need to be signed in advance. B² Network uses UTXO transactions to issue locked rewards, and the unlocking script is a Taproot script.

The specific unlocking Taproot script is that Prover generates a script for each branch of the Circuit Taproot Tree in advance and gives the input hash. Challenger uses preimage to execute the script. If the executed output is inconsistent with Provers submission, it can use MAST (Taproot Merklized Abstract Syntax Tree) to unlock the entire Taproot and obtain the locked bonus.

Since the running cost of the zero-knowledge verification program is very small and very fast, users on the Bitcoin network can act as observers of the Challenge mechanism, verify the commitments submitted by B² Rollup, and can immediately initiate a challenge once the commitments are found to be inconsistent.

The challenge mechanism is similar to Arbitrum Rollups interactive verification game, constantly looking for incorrectly executed logic gate calculations. In order to find the wrong one among the many logic gates, a binary search method will be used to execute the gate circuit Bitcoin script. The challenger who finds the wrong branch the fastest will be rewarded by unlocking the UTXO that locks the reward on the Bitcoin network.

At the same time, a branch of the Taproot locking script is the time lock script. When no Challenge succeeds, Prover will unlock the UTXO through the time lock script after the challenge period ends and retrieve the reward.

Summarize

B² Network uses Ordinals Protocol to aggregate rollup data and proof and write them into Tapscript, and uses different decentralized storage protocols to save rollup detailed data, effectively ensuring rollup data availability.

By recording zero-knowledge proof verification commitment on Bitcoin and allowing any observer to challenge the commitment mechanism, B² Network can inherit the security of Bitcoin and consensus rollup data on Bitcoin.