[bitcoindev] Glock: Garbled Locks for Bitcoin

[bitcoindev] Glock: Garbled Locks for Bitcoin

['Liam Eagen' via Bitcoin Development Mailing List]

Hey everyone,

Wanted to share our recent work on "Glock" (Garbled Locks) for optimistic smart contract verification on bitcoin. This is pretty similar in concept to Jeremy Rubin's work on Delbrag [0] and Robin Linus' work on BitVM3(RSA/s) [1,2], but uses different techniques to make a practical scheme. We have (linked below) a preprint that describes the scheme in detail and a research implementation under active development. We've been working on this for a long time, and I think some of techniques might be of independent interest.

A "Glock" is a protocol for optimistic smart contract verification using Garbled Circuits. The "Garbler" signs the input (and proof) using a kind of Lamport-like signature and then the "Evaluator" can derive a secret if the smart contract fails, which they can use to sign a slashing transaction. This works with bitcoin today with no soft forks and is nice because it moves essentially all of the cost and complexity of verification off chain.

In theory, the fraud proof can literally be a Schnorr signature. Previous constructions either used something like Rubin's Grug tehcnique, which requires a larger slashing script, or had impractical costs for garbling. We propose the first (imo) practical Glock whose fraud proof is a single signature, which represents over a 550x reduction [4] of on-chain data compared to BitVM2 [3].

Our protocol, Glock25, uses a bunch of interesting cryptography to make all the costs of the scheme manageable. We propose a new SNARK, which is currently the smallest known SNARK, make it designated verifier, and instantiate it with binary elliptic curves. These curves have some really nice synergies with the GC scheme. We also have some neat tricks to use adaptor signatures and verifiable secret sharing for efficient malicious security.

Paper here:
https://eprint.iacr.org/2025/1485

Code here:
* Rust implementation of DV-Pari: github.com/alpenlabs/dv-pari
* Binary circuit generator for DV-Pari: github.com/alpenlabs/dv-pari-circuit
* Generic garbling & evaluation tool: github.com/alpenlabs/garbled-circuits

Paper Abstract:
Bitcoin [Nak09] is a decentralized, permissionless network for digital payments. Bitcoin also supports a limited set of smart contracts, which restrict how bitcoin can be spent, through bitcoin script. In order to support more expressive scripting functionality, Robin Linus introduced the BitVM family of protocols [Lin23a, LAZ+24]. These implement a weaker form of “optimistic” smart contracts, and for the first time allowed bitcoin to verify arbitrary computation. BitVM allows a challenger to publish a "fraud proof" that the computation was carried out incorrectly which can be verified on chain, even when the entire computation cannot. Jermey Rubin introduced an alternative optimistic smart contract protocol called Delbrag. This protocol uses Garbled Circuits (GC) to replace the BitVM fraud proof by simply revealing a secret. He also introduced the Grug technique for malicious security.

We introduce a new formalization of GC based optimistic techniques called Garbled Locks or Glocks. Much like Delbrag, we use the GC to leak a secret and produce a signature as a fraud proof. We further propose the first concretely practical construction that does not require Grug. Like BitVM2 and Delbrag, Glock25 reduces verification of arbitrary bounded computation to verification of a SNARK. In Glock25, we use a designated verifier version of a modified SNARK Pari [DMS24] with smaller proof size. We make Glock25 maliciously secure using a combination of Cut-and-Choose, Verifiable Secret Sharing (VSS), and Adaptor Sig- natures. These techniques reduce the communication, computational, and on-chain complexity of the protocol compared to other approaches to construct a Glock, e.g. based on Groth16.

[0] https://rubin.io/public/pdfs/delbrag.pdf

[1] https://bitvm.org/bitvm3-rsa.pdf

[2] https://bitvm.org/bitvm3.pdf

[3] https://bitvm.org/bitvm_bridge.pdf

[4] This cost calculation includes the entire BitVM2 game, not just the fraud proof/disprove transaction.

-- 
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/Aq_-LHZtVdSN5nODCryicX2u_X1yAQYurf9UDZXDILq6s4grUOYienc4HH2xFnAohA69I_BzgRCSKdW9OSVlSU9d1HYZLrK7MS_7wdNsLmo%3D%40protonmail.com.