BitVM is such a protocol.

The verifier is split into small pieces, which are linked using Lamport signatures. One of these pieces must fail in case the SNARK is invalid.

Discussion

This can work on Bitcoin, but it comes with a large on-chain footprint (around 4MB).

Alternative approaches appeared using Garbled Circuits.

BitVM's mechanism can be substituted with Garbled Circuits.

Garbler (prover) encodes a proof on-chain.

Evaluator (verifier) derives a secret through a GC.

If the proof is invalid, the secret is used to slash the Garbler.

Drawback: need to generate a Garbled Circuit, which can be very large. The cost can quickly explode.

New approach: Glock25.

A new kind of SNARK has been created, which is the smallest one known as of today.

This brings a huge reduction in the amount of gates needed for the GC.

There is still a lot of room for improvements, like alternative garbling schemes.
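
A toy version of the garbled-circuit flow described in the notes above, added here as an illustration and not taken from BitVM, Glock or any note in this thread. A single garbled AND gate stands in for the verifier circuit, and the hash lock on the "invalid" output label (`slash_lock`) is an assumed slashing mechanism; all function names are hypothetical.

```python
import hashlib
import secrets

LABEL_LEN = 16
TAG = bytes(16)  # zero padding lets the evaluator recognise the one row it can open

def _pad(la, lb):
    # 32-byte one-time pad derived from the two input-wire labels
    return hashlib.sha256(la + lb).digest()

def _xor(x, y):
    return bytes(p ^ q for p, q in zip(x, y))

def garble_and_gate():
    """Garbler: two random labels per wire, then encrypt the AND truth table."""
    labels = {w: (secrets.token_bytes(LABEL_LEN), secrets.token_bytes(LABEL_LEN))
              for w in ("a", "b", "out")}
    rows = [_xor(_pad(labels["a"][x], labels["b"][y]), labels["out"][x & y] + TAG)
            for x in (0, 1) for y in (0, 1)]
    secrets.SystemRandom().shuffle(rows)  # hide which row encodes which inputs
    # Assumption: slashing is a hash lock on the "verifier output = 0" label.
    slash_lock = hashlib.sha256(labels["out"][0]).digest()
    return labels, rows, slash_lock

def evaluate(rows, la, lb):
    """Evaluator: holds one label per input wire and can open exactly one row."""
    pad = _pad(la, lb)
    for row in rows:
        plain = _xor(pad, row)
        if plain[LABEL_LEN:] == TAG:
            return plain[:LABEL_LEN]
    raise ValueError("no row decrypts with these labels")

def can_slash(out_label, slash_lock):
    # The derived label is the secret: it opens the lock only for output 0.
    return hashlib.sha256(out_label).digest() == slash_lock

def run(check_a, check_b):
    """Constructed scenario: the proof is valid only if both check bits are 1."""
    labels, rows, lock = garble_and_gate()
    out = evaluate(rows, labels["a"][check_a], labels["b"][check_b])
    return can_slash(out, lock)

if __name__ == "__main__":
    print("valid proof slashable:  ", run(1, 1))
    print("invalid proof slashable:", run(0, 1))
```

A real verifier circuit has a very large number of such gates, which is the size problem the notes describe.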