Interpreting Bool Network: A truly centralized Bitcoin cross-chain bridge?

Author: Faust & Abyss, Geek Web3

Abstract: Since the emergence of various cross-chain bridges, various hacker attacks have almost never stopped. In 2022, Axie's official cross-chain bridge wasstealThe $620 million incident shocked the world, and countless people began to think about how to solve the problem of cross-chain bridges.SafetyHowever, to this day, there are still many unresolved issues in this area.

However, just like the public chain track, the cross-chain bridge also has an "impossible triangle" in its design concept, and it is still impossible to break it today. In order to have advantages in cost and UX, most cross-chain bridges adopt a witness model similar to multi-signature, and this solution has been a hot commodity in the eyes of hackers since the first day of its implementation.

Bitter historical experience tells us that witness bridges without added protective measures will sooner or later fail, but such bridges are already commonplace in the entire Bitcoin ecosystem, which is creepy.

Bool Network, which will be introduced in this article, provides dynamically rotating witnesses for cross-chain bridge projects, combines privacy computing and TEE encapsulation keys, and attempts to build a cross-chain bridge based on the traditional witness bridge.SafetyFurther optimization of the model and solving the decentralization problem of the cross-chain bridge may bring hope of a breakthrough for the Bitcoin cross-chain bridge.

The current state of the Bitcoin ecosystem: multi-signatures are everywhere

The essence of a cross-chain bridge is to prove to chain B that someone on chain A has initiated a cross-chain request and that the party has paid the fees in accordance with regulations. There are different ways to prove this.

Light client bridges often deploy smartcontract, verify cross-chain messages on the chain Native, this kind of bridgeSafetyIt has the highest efficiency, but also the highest cost, and cannot be implemented on the Bitcoin chain (currently, the project party under the banner of Bitcoin ZK Bridge can only ensure that BTC uses the ZK Bridge when crossing to other chains, and BTC cannot use the ZK Bridge when crossing back).

Optimistic bridges, represented by BitVM, use fraud proofs to ensure that cross-chain messages are processed truthfully, but this solution is extremely difficult to implement. Most Bitcoin cross-chain bridges eventually adopted the witness model, designating several witnesses off-chain to verify and confirm all cross-chain messages.

DLC bridges, represented by DLC.link, introduce the idea of payment channels based on oracle/witness multi-signatures to limit the scenarios where witnesses can do evil to the greatest extent, but they still cannot completely eliminate the hidden dangers of multi-signatures at the root.

Eventually we will find that before BitVM is launched, except for projects such as Lightning Network/payment channels or RGB++ that are based on client verification or isomorphic binding, other Bitcoin cross-chain bridges are multi-signature in nature.

History has long proven that if the trust problem of multi-signature cross-chain bridges and even large asset management platforms is not solved, funds will be stolen.stealIt will only be a matter of time before an incident occurs.

对此，一些项目方让见证人超额抵押资产，以潜在的Slash来作为惩戒条件，或是让大机构充当见证人提供信用背书，弱化跨链桥的Safety隐患。但归根结底，基于见证人模式的桥，Safety模型和多签walletBasically the same, in the end, the trust model must be determined according to the threshold, such as M/N, and the fault tolerance rate is relatively limited.

How to set up and handle multi-signatures, how to make multi-signatures as trustworthy as possible, and how to prevent witnesses from doing evil or raising the cost of external attacks will be issues that Bitcoin's second-layer cross-chain bridge needs to think about in the long term.

Is there any way to make it difficult for multi-signature participants to collude and for hackers to steal keys from the outside? Bool Network attempts to solve the security problem of the witness bridge through a comprehensive solution based on the ZKP-RingVRF algorithm and TEE.

Bool Network: Privacy computing infrastructure designed for cross-chain bridges, etc.

In fact, whether it is KYC, POS or POW, the essence is to decentralize andWitch, to prevent important management rights from being concentrated in the hands of a few people. Using multi-signature/MPC solutions on top of POA and KYC can mitigate security risks through the credit endorsement of large institutions, but this model is different from centralization.exchangeThere is no essential difference. You still have to trust these designated witnesses not to embezzle the funds in the cross-chain bridge fund pool. This is actually a consortium chain, which fundamentally violatesBlockchainThe essence of Trustless.

The POS-based multi-signature/MPC solution is more trustless than POA, and the entry threshold is much lower than the latter, but it still faces various problems: such as privacy leakage of nodes.

Assume that there is a witness network composed of dozens of nodes, which is dedicated to serving a cross-chain bridge. Since these nodes need to exchange data frequently, their public keys, IP addresses or other identity information are easily exposed to the outside world. Attackers can build targeted attack paths, which often leads to the theft of keys of certain nodes. In addition, witnesses may also collude internally, which is easy to happen when the number of nodes is relatively small.

So how do we solve the above problems? You may instinctively think that we need to strengthen the protection of the key to prevent it from being snooped by the outside world. A more reliable method is to encapsulate the key in TEE (Trusted Execution Environment).

TEE allows node devices to run software in a local secure area. Other components in the system cannot access their data. You can isolate private data or programs in a secure execution environment to prevent confidential data from being leaked or maliciously manipulated.

The question here is, how to ensure that the witness really stores the key and generates the signature in the TEE? In fact, as long as the witness presents the remote proof information of the TEE, it can be verified whether it is running in the TEE. We only need to verify the TEE proof on any chain, and the cost is almost negligible.

Of course, in addition to TEE, the problems are not over yet. Even if you introduce TEE, if the total number of witnesses is not large, for example, only 5, we will still encounter various problems. Even if the key encapsulated in TEE cannot be "seen", the witness committee composed of a few people cannot guarantee anti-censorship and availability. For example, if the above five nodes collectively run away, causing the cross-chain bridge to be paralyzed, then the bridged assets cannot be smoothly locked-mint or redeemed, which is basically equivalent to permanent freezing.

After comprehensively considering factors such as compatibility, decentralization, and cost, Bool Network proposed the following idea:

We build a Permissionless candidate witness network by staking assets. As long as you pledge enough assets, you can join. When the network is large enough, for example, when hundreds or thousands of devices are connected, we regularly randomly select some nodes from the network to act as witnesses of the cross-chain bridge, so as to avoid the problem of "class solidification" of witnesses (this idea is also reflected in the current POS Ethereum)

So how can we make the lottery algorithm random? Traditional POS public chains such as Algorand and Cardano introduce the VRF function, which periodically outputs pseudo-random numbers and extracts block producers based on the output results. However, traditional VRF algorithms often fail to protect privacy. Who participated in the VRF calculation process and who are the selected persons associated with the random numbers output by VRF are almost exposed to the public.

The dynamic witnesses of the cross-chain bridge and the dynamic selection of block producers of the POS public chain have different issues to consider. Even if the identity of the block producer of the public chain is leaked, it is usually harmless because the attacker's malicious scenarios are limited and will be subject to many restrictions.

Once the identity of the cross-chain bridge witness is leaked, hackers can obtain their keys, or these witnesses collude internally, which will put the entire bridge asset pool into a complete crisis. Anyway, the security model of the cross-chain bridge and the POS public chain is very different, and the identity confidentiality of the witness must be taken more seriously.

Our instinct is that it is best to hide the list of witnesses. In this regard, Bool Network uses an original ring VRF algorithm to hide the identity of the selected witnesses among all candidates. The overall details are relatively complicated. We simplify it as follows:

1. Before entering the Bool network, all candidates must first pledge assets on Ethereum or a chain created by Bool, leaving a public key as registration information. This public key is also called a "permanent public key". The set of "permanent public keys" of all candidates is publicly visible on the chain. To put it simply, this permanent public key is everyone's identity information;

2. Every few minutes to half an hour, the Bool network will randomly select several witnesses through the VRF function. However, before that, each candidate must generate a one-time "temporary public key" locally and generate a ZKP to prove that the "temporary public key" is associated with the "permanent public key" recorded on the chain; in other words, use ZK to prove that you exist in the candidate list, but do not reveal who it is;

3. The role of “temporary public key”Xiaobai NavigationWhat is it for? It is for privacy protection. If we draw directly from the "permanent public key" set, when the lottery results are announced, everyone will know who is elected directly, and the security will be greatly reduced.

If everyone temporarily submits a one-time "temporary public key" and then selects a few winners from the "temporary public key" set, you will only know that you have won the lottery at most, because you don't know who the other winners' temporary public keys correspond to.

4. This is not the end. Bool Network intends to do this: directly make you not know what your "temporary public key" is. How to do this? Just put the temporary public key in plain text in TEE, encrypt it into "garbled code" and then send it out.

We can also put the generation of "temporary public keys" into TEE. Since TEE can keep data and calculations confidential, you have no idea what is happening in TEE. When the "temporary public key" is generated, it will be encrypted into "garbled code" and then sent outside TEE. At this time, you have no idea what the original text of your "temporary public key" is, and you can only see an encrypted ciphertext (note that the ZKP mentioned in the second paragraph, which proves that the temporary public key is associated with a permanent public key, is also encrypted together with the temporary public key).

5. The candidate needs to send the garbled "temporary public key" ciphertext to the designated Relayer node. The Relayer is responsible for decrypting the garbled ciphertext and restoring the original "temporary public key" from it.

There is a problem here, that is, the Relayer knows who the sender of each ciphertext is. As long as he parses each ciphertext into a "temporary public key", he will naturally know which person each "temporary public key" corresponds to. Therefore, the above work must also be done in TEE. The public key ciphertexts of hundreds of people enter TEE and become the original public key texts after they come out, just like a coin mixer, which can effectively protect privacy.

6. After Relayer obtains the original "temporary public keys", it collects them together and submits them to the VRF function on the chain to select the winners from them. That is, a few winners are selected from these "temporary public keys" to form the next cross-chain bridge witness committee.

In this way, the overall logic is actually clear: we regularly randomly select a few from the witness temporary public key set to act as temporary witnesses for the cross-chain bridge. This design is named DHC (Dynamic Hidden Committee).

Because each node runs TEE, the private key fragments of MPC/TSS, the core programs run by witnesses, and all computing processes are hidden in the TEE environment. No one knows what the specific calculation content includes, and even the selected person himself does not know that he has been selected. This can fundamentally prevent collusion or external attacks.

Bool Network cross-chain message life cycle

After introducing the general idea of Bool hiding the witness identity and key, let's sort out the workflow of Bool Network. We assume that the left side is the source chain and the right side is the target chain. The entire diagram above constitutes the full process life cycle of assets from the source chain to the target chain. From this, we analyze the four cross-chain processes of Bool Network from the perspective of data flow:

First, after the withdrawer initiates a withdrawal action on the source chain, the message is sent to the Messaging Layer by the Realyer; after the message reaches the Messaging Layer, the dynamic committee verifies the message to confirm that the message does exist and is valid on the source chain, and then signs it.

Some people may ask, since we mentioned earlier that no one knows whether they have been selected into the witness committee, how can we pass the message to the designated person and ask them to sign? In fact, this is easy to solve. Since we don’t know who is the selected witness, we can simply broadcast the entire network and pass the pending cross-chain message to everyone.

At the beginning, we mentioned that everyone's temporary public key is generated and encapsulated in the local TEE, and the temporary public key cannot be seen outside the TEE. To verify whether your temporary public key is selected, this part of the logic is directly deployed in the TEE. As long as the cross-chain message to be processed is input into the TEE, the program inside the TEE will determine whether to sign and confirm the message.

After signing the cross-chain message in TEE, you cannot send the digital signature directly, because if you send the signature directly, people will find that you have attached a signature to the cross-chain message and guess that you are one of the selected witnesses. Therefore, if you want to make the outside world not know whether you have signed the cross-chain message, the best way is to encrypt the signature information itself, which is similar to the idea of encrypting the temporary public key mentioned above.

In summary, Bool Network will transmit the cross-chain message to be signed to everyone through P2P communication. The selected witness will verify and sign the message in TEE, and then broadcast the encrypted ciphertext. After others receive the ciphertext, they will put it into TEE for decryption. The above process is repeated until all selected witnesses have signed, and finally it is decrypted by Relayer into the original format of TSS signature, completing the confirmation and signing process of the cross-chain message.

The core is that almost all activities are carried out in TEE, and from the outside, no one can know what is happening. Each node does not know who the witness is, and does not know whether it is a selected witness, which fundamentally prevents collusion and greatly increases the cost of external attacks.

To attack a cross-chain bridge based on Bool Network, you need to determine who the witnesses in the dynamic committee are, but you don’t know who they are, so you can only attack the entire Bool network. For cross-chain bridge infrastructures such as ZetaChain that are purely based on POS and MPC, the identities of all witnesses are exposed. Assuming the threshold is 100/200, you only need to attack at least half of the nodes in the network.

But when it comes to Bool, because of the privacy protection, in theory you have to attack all the nodes. In addition, all Bool nodes run TEE, so the difficulty of attack will be raised again.

Moreover, Bool Network is essentially a witness bridge. The witness bridge only needs to submit a signature on the target chain to complete the cross-chain processing process, with the lowest cost. Since there is no redundant relay chain design like Polkadot, the redundancy of the second-order verification is avoided, and the cross-chain speed of Bool can be very fast. This cross-chain mode meets the needs of both asset cross-chain and message cross-chain, and has good compatibility.

How do you evaluate Bool's product design ideas?

Here we put forward two viewpoints. First, cross-chain assets are ToC products. Second, cross-chain bridges are more competitive than cooperative. In the long run, because the barriers of cross-chain protocols are high and the demand is relatively homogeneous, the concentration of funds related to cross-chain bridges will become higher and higher. This is because cross-chain protocols have relatively strong moat barriers, including scale effects and conversion costs.

As a dedicated infrastructure at a lower level than the cross-chain bridge, Bool actually has broader business prospects than the upper-level cross-chain bridge projects. It can even assume the function of an oracle, and is not limited to cross-chain message verification. In theory, it can also enter the track of full-chain oracle, truly building a decentralized oracle and providing privacy computing services.

The article comes from the Internet:Interpreting Bool Network: A truly centralized Bitcoin cross-chain bridge?

Related recommendations: Idols and music festivals, can the new integration model make good use of the star effect of Web3?

MEET48 has created aAI The fan platform in the entertainment field combined with WEB 3.0 allows users to interact with idols in their metaverse. Written by: Xiaobai Navigation Coderworld The integration of Web3 and celebrities is like a carnival feast. The participation of many celebrities has brought more users to Web3 and promoted the popularity of Web3. But…