Last updated
original: https://docs.citrea.xyz/technical-specs/introduction
author: citrea
Citrea is the first rollup that enhances the capabilities of Bitcoin blockspace with zero-knowledge technology, making it possible to build everything on Bitcoin. Citrea’s vision is to build scalable infrastructure that advances Bitcoin into its next phase, foundation for world's finance.
We’re proud to announce that Chainway Labs, the company building Citrea, has raised $2.7 million in seed funding to develop Bitcoin’s First ZK Rollup. The round closed in 2023 and was led by Galaxy, with participation from investors including Delphi Ventures, Eric Wall, Anurag Arjun, BatuX, Igor Barinov, and James Parillo, among others.
Citrea introduces a zero-knowledge powered rollup solution to address Bitcoin’s challenges in handling more transactions and supporting diverse applications without changing its consensus rules. In doing so, Citrea leverages Bitcoin not only as a digital currency but also as a base layer for securing and settling transactions.
Characteristics of the Citrea blockchain. In short:
Type 2 zkEVM
Sequencer with a block producing privilege, inscribing state roots on Bitcoin to finalize ordering.
Prover with a responsibility of producing batch proofs and light client proofs, both via scanning Bitcoin blockspace.
Full and light nodes are able to easily and securely verify the blockchain.
Bitcoin Settlement via BitVM. Citrea proofs are optimistically verified in Bitcoin, enabling the first universal trust-minimized bridge.
The Citrea VM is a fully Ethereum Virtual Machine (EVM) equivalent VM running on Bitcoin and using $cBTC as its native token. EVMs as a concept are the most battle-tested and mature VM in the cryptocurrency ecosystem. It is a deterministic, stack-based virtual machine, renowned for its ability to efficiently execute smart contracts in a secure and isolated environment.
Citrea implements its own EVM, referred to as a "zkEVM." zkEVM is a special EVM implementation that makes the full VM implementation provable. Citrea zkEVM is classified as Type 2, which means full equivalency and a scalable and trustless proof system due to being based on zk-STARKs. Citrea zkEVM is built using RISC Zero.
For further compatibility, Citrea is implemented intentionally to make multiple VMs interoperable.
Block Production in CitreaIn Citrea, the entity responsible for producing blocks is called the "sequencer." A sequencer, unlike a validator or miner, doesn't need validations over produced blocks from other sequencers or nodes because every block produced by sequencers undergoes a zero-knowledge proving process, which acts as a natural and trustless validation mechanism over blocks.The sequencer builds blocks using its own local mempool. Anyone can a send transaction to sequencer's mempool using its RPC endpoints or a full node. In case of censorship, there is a force transaction mechanism that falls back to Bitcoin and guarantees transactions will be included in the next batch.The sequencer is only responsible for ordering and publishing blocks. It can neither steal users' funds nor freeze them thanks to ZK proofs, force transaction mechanism, and on-chain data availability.
The sequencer's ordering promise is only trusted until the next Bitcoin block. The merkle root of the soft blocks (batch tree) is inscribed in Bitcoin every 10 minutes. After the state root is inscribed, its validity and data availability is asserted inside the zk circuit, preventing any change in the ordering of transactions. This mechanism ensures that ordering of the transactions cannot be changed after it is inscribed in Bitcoin.
With this method, Citrea ensures that ordering finality is not delayed until the batch proof while keeping the full data publishing cost as low as possible. For future work, Citrea will introduce a multi-sequencer network, which will reduce ordering trust assumptions to near-zero.
A single sequencer operating for a rollup is sufficient for security (safety), however it imposes a limit for censorship-resistance, uptime, and fair ordering. In order to prevent any potential issues, Citrea is working towards a solution that significantly reduces risks by allowing multiple sequencers to produce and finalize blocks with sub-second timing.
The consensus network between multiple sequencers minimizes the risk of censorship on the L2 level, reducing Bitcoin fallback force transaction count (thus reducing the need for users to force-transact). It also removes the need to trust the sequencer ordering, even it is for a short time, because now ordering is determined and finalized on the sequencer network with sub-second timing.
A Decentralized Sequencer Network can further reduce the costs of the rollup because it allows the posting of roots and proofs to Bitcoin less often, as the ordering is guaranteed and finalized on the L2 directly.
Batch Proof: Batch proofs are produced for every few Bitcoin blocks. The Citrea batch proof circuit is configured to scan Bitcoin blocks for batch root inscriptions via inclusion and soundness proofs, and if any exist, it inputs the L2 batch that results in the batch root and proves the validity of the L2 batch. The proof outputs state difference resulted by the batch, initial and latest state roots, and the blockhash of Bitcoin block scanned. The proof with outputs is inscribed in Bitcoin.
Light Client Proof: Light client proofs recursively validate batch proofs and provides a single proof for full rollup history, allowing trustless and instant light clients. Light client proof circuit inputs the previously generated light client proof, an array of batch proofs with their inclusion and soundness proofs, and an array of Bitcoin block headers corresponding to the inscribed batch proofs. The circuit recursively verifies every single batch proof and the light client proof, asserts latest state root of the proof N-1 is equal to initial state root of the proof N. This logic ensures that no state transition is skipped, thus the end result is the same state root with the actual rollup state root.
Light client proofs can be generated at any time by recursively verifying the previous light client proof with the batch proofs.
Light client proofs are broadcasted in the peer-to-peer network and also inscribed in Bitcoin.
Light nodes can listen to the peer-to-peer network or only track the latest Bitcoin headers, and the latest proof they find verifies the full rollup history and provides a trustless access to the state root.
The Citrea circuit mainly proves two different pieces of logic; execution and blockspace. During the batch proof generation, both execution and blockspace are proven. During the light client proof generation, blockspace and verification of batch proofs are proven.
Execution proving: Citrea runs the state transition function of the rollup, which is slightly broader logic that includes the EVM, inside the zk circuit. The circuit inputs the pre-state of the rollup, the new batch of blocks, and outputs the state difference between the pre and post-state after applying the batch.
Blockspace proving: Blockspace proving is a brand new concept used in Citrea. Blockspace proving logic is a custom zk circuit that scans a Bitcoin block, extracts the state roots or Citrea batch proofs and forced transactions from it. In batch proofs it asserts the state root's accuracy and in light client proofs it verifies the batch proofs (if one exists). Bitcoin block scanning inside the circuit is being done by the inclusion and soundness proof given, and checked against the corresponding Bitcoin block header.
Citrea merges execution proving and blockspace proving inside a single circuit for batch proofs. Individual batch proofs are only helpful for full nodes. In order to run a light node on batch proof only system, the light node must check every Bitcoin block one by one for proofs, which is not feasible for a light client because of the bandwidth and storage requirements involved.In Citrea, thanks to its light client proofs which apply recursion over batch proofs and blockspace proofs, users have trustless light clients. Anyone with the last few Bitcoin blocks or connection to the peer-to-peer network can extract the Citrea light client proof and be sure that it represents the only valid fork of the chain and validates every state transition since Citrea's genesis block.
Full nodes in Citrea are the nodes that sync with the sequencer(s) as well as verify the zk proofs. Full nodes are designed for users who need instant confirmations from the sequencer or need the full history of Citrea.A sequencer that produced a block broadcasts the block over a network of full nodes. Full nodes apply the sequencer block to their local state. RPC endpoints can now serve the block data to explorers, wallets, and other applications without waiting for additional zk proving. After a batch of blocks is proven and inscribed in Bitcoin, full nodes extract and verify the proofs. According to the result of the proof they confirm, finalize, or revert the sequencer broadcasted blocks.
A light node is a node that is designed to fully validate the full nodes' responses using minimal bandwidth and storage requirements. In Citrea, light nodes run next to a Bitcoin light node (SPV) or full node and only need the several latest Bitcoin block headers to trustlessly access the latest light client proof. They can also directly connect to the peer-to-peer network and retrieve the light client proof through the network.Using the state root extracted from the light client proof, Citrea light nodes can validate full node and RPC endpoint responses. With the advancements in light node technology on Bitcoin like ZeroSync header chain proofs, the proofs that verify a chain of Bitcoin block headers thus allow instant sync with Bitcoin headers allowing Citrea light nodes to sync with the rollup near-instantaneously.This improvement significantly reduces the trust on full nodes and boosts decentralization of Citrea with more verifying nodes. Such a light node can also live in another blockchain, which enables trust-minimized bridges with every other smart contract-capable blockchain ecosystem.
Recursively-merged Light Client proofs with deposit and withdrawal roots.
Bitcoin Header Chain proof showing the latest Bitcoin block header as well as a merkle tree of all the previous headers (similar to ZeroSync header chain proofs).
Bitcoin SPV proofs showing that all the withdrawals are covered by the operator from its own pocket.
In order to reduce the program size committed on Bitcoin (and thus the fraud proof size), all of the above logic is enshrined in two Groth16 circuits. The BitVM program is actually a single Groth16 verifier, hardcoded with the circuit's verifying key.The operator provides the proof off-chain first. If everyone agrees its correct, the on-chain footprint is minimal - N/N signatures. If a verifier thinks there is a fraud, a challenge-response game starts between the verifier and operator. Eventually the loser's deposit gets slashed. If an operator is malicious, it will be removed from the committee and replaced by other pre-determined operator.
Peg-in and peg-out amount is fixed and a relatively large number.
In order to keep the pre-signed tx amount manageable, Citrea will start with a fixed and large amount as peg-in/out amount.
To improve the UX, users can collectively sign PSBTs on Bitcoin to peg-in and also collectively send withdrawal requests on Citrea.
To improve the UX further, Citrea will develop a trustless atomic swap protocol between Bitcoin and Citrea to employ $BTC/$cBTC swaps.
The design and architecture of the two-way peg is ready and under heavy development. The two-way peg does not require any network change and is trust-minimized. In order to make settlements of Citrea fully trustless, there needs to be opcode change(s). Please refer to the Future Research section for more information.
BitVM is a computing paradigm that enables turing-complete smart contracts on Bitcoin. BitVM works using Taproot trees and fraud proofs.The current BitVM implementation is work in progress independently by the BitVM team led by Robin Linus. The Citrea trust-minimized bridge program consists of an operator and verifier software with zk circuits of the bridge. It is built on top of the BitVM implementation by the BitVM team.We acknowledge and thank all BitVM contributors for the efforts.
BitVM is based on fraud proofs, which means it is a protocol that merely verifies the execution of a program using fraud proofs. The whole program is never being executed on-chain. If the result provided by the operator gets challenged by a verifier, the execution gets verified on-chain with a series of challenge-response transactions. If the off-chain result is correct, the on-chain footprint is minimal.Even though the BitVM paradigm is optimistic, Citrea is a ZK rollup that has optimistic settlement. As all the proofs and data are inscribed in Bitcoin, nodes accept proofs and verify them locally. The settlement only happens at checkpoints, which happens every few months. Between checkpoint times, withdrawals are fronted by an operator and later claimed during settlement.
Proof Generation in CitreaCitrea's proof generation mechanism is specialized for Bitcoin and BitVM. Citrea is running on top of a recursion-capable STARK-based zkVM, RISC Zero, and utilizes two different types of proofs:
Citrea is the first Universal L2 that has a trust-minimized BTC bridge.Trust-minimized two-way peg in CitreaCitrea light client proofs are natively verified in Bitcoin, thanks to BitVM. We have implemented a multi-verifier BitVM setup where an operator is responsible for peg-in and peg-out transactions and verifiers are in charge of checking invalid peg-in and peg-out transactions. Any invalid transaction can be challenged by verifiers. As long as one verifier is honest, the peg is secure. This is a great improvement over the existing insecure bridge constructions that mostly depend on the honest majority assumption within a closed or open federation.There are no delays on withdrawals once the proof is finalized on Bitcoin in the optimistic case. The operator does the withdrawals from its own pocket. Later, it claims the pegged-out BTC from the BitVM program with a proof showing that all the withdrawals from the canonical Citrea chain have been done on Bitcoin. If there is any fraud in the process, any verifier among set of N reacts with a fraud proof on Bitcoin, slashing prover's stake and keeping the peg secure.
