Bitcoin Rollups – The Rock Or The Hard Place?

Rollups have become the narrative focus of scaling Bitcoin lately, becoming the first thing to truly “steal the limelight” from the Lightning Network in terms of wider mindshare. Rollups aim to be an off-chain layer two that is not bound or constrained by the liquidity limitations that are central to the Lightning Network, i.e. end users required someone allocate (or “lend”) them funds ahead of time in order to be able to receive money, or intermediary routing nodes requiring channel balances that can facilitate the movement of the payment amount all the way from sender to receiver.

These systems were originally developed to function on Ethereum and other Turing complete systems, but as of late the focus has shifted to porting them to UTXO based blockchains such as Bitcoin. This article is not going to discuss the current state of things being implemented on Bitcoin currently, but going to discuss the function of an idealized rollup that people are aiming for in the long term depending on features Bitcoin currently does not support, namely the ability to verify Zero Knowledge Proofs (ZKPs) on Bitcoin directly.

The basic architecture of a roll is as follows: a single account (or in Bitcoin’s case UTXO), holds the balances of all users in the rollup. This UTXO contains a commitment in the form of a merkle root of a merkle tree that commits to all the current balances of existing accounts in the rollup. All of these accounts are authorized using public/private key pairs, so in order to propose an off-chain spend a user must still sign something with a key. This part of the structure allows users to leave without permission whenever they want, simply by crafting a transaction proving their account is part of the merkle tree, they can unilaterally exit the rollup without the operator’s permission.

The operator of the rollup must include a ZKP in transactions that update the merkle root of account balances on-chain in the process of finalizing off-chain transactions, without this ZKP the transaction will be invalid and therefore not includable in the blockchain. This proof allows people to verify that all changes to off-chain accounts were properly authorized by the account holder(s), and that the operator has not conducted a malicious update of balances to steal money from users or reallocate it to other users dishonestly.

The problem is, if only the root of the merkle tree is posted on-chain where users can view and access it, how do they get their branch in the tree in order to be capable of exiting without permission when they want to?

Proper Rollups

In a proper rollup, the information is put directly into the blockchain everytime that new off-chain transactions are confirmed and the state of the rollup accounts change. Not the entire tree, that would be absurd, but the information necessary to reconstruct the tree. In a naive implementation, the summary of all existing accounts in the rollup would have balances and accounts simply added in the transaction updating the rollup.

In more advanced implementations, a balance diff is used. This is essentially a summary of what accounts have had money added to or subtracted from them during the course of an update. This allows each rollup update to only include the changes to account balances that occur. Users can then simply scan the chain and “do the math” from the beginning of the rollup to arrive at the current state of account balances, which allows them to reconstruct the merkle tree of current balances.

This saves a lot of overhead and blockspace (and therefore money) while still allowing users to guarantee access to the information needed for them to exit unilaterally. Including this data in a formal rollup that uses the blockchain to make it available to users is mandated by the rules of the rollup, i.e. a transaction that does not include the account summary or account diff is considered an invalid transaction.

Validiums

The other way to handle the problem of data availability for users to withdraw is to put the data somewhere else besides the blockchain. This introduces subtle issues, the rollup still needs to enforce that the data was made available somewhere else. Traditionally other blockchains are used for this purpose, specifically designed to function as data availability layers for systems like rollups.

This creates the dilemma of security guarantees being as strong. When the data is posted directly to the Bitcoin blockchain, consensus rules can guarantee it is correct with absolute certainty. However when it is posted to an external system, the best it can do is verify an SPV proof that the data was posted to another system.

This entails verifying an attestation that data exists on other chains, which is ultimately an oracle problem. Bitcoin’s blockchain cannot verify anything completely except what occurs on its own blockchain, the best it can do is verify a ZKP. A ZKP however cannot verify that a block containing rollup data was actually publicly broadcast after being produced. It cannot verify that external information is actually publicly available to everyone.

This opens the door to data withholding attacks, where a commitment to the data being published is created and used to advance the rollup, but the data is not actually made available. This renders users funds beyond their ability to withdraw. The only real solution to this is to depend entirely on the value and incentive structure of systems completely external to Bitcoin.

The Rock and Hard Place

This creates a dilemma in terms of rollups. When it comes to the data availability issue, there is essentially a binary choice between posting the data to the Bitcoin blockchain or somewhere else. This choice has massive implications for both rollup security and sovereignty, as well as their scalability.

On one hand, using the Bitcoin blockchain for the data availability layer introduces a hard ceiling on how much rollups can scale. There is only so much blockspace, and that puts an upper limit on how many rollups can exist at one time and how many transactions all rollups in aggregate can process off-chain. Every rollup update requires blockspace proportional to the amount of accounts that have had balance changes since the last update. Information theory only allows data to be compressed so much, and at that point there is no more potential for scaling gains.

On the other hand, using a different layer for data availability removes the hard ceiling on scalability gains, but it also introduces new security and sovereignty issues. In a rollup using Bitcoin for data availability it is literally not possible for the state of the rollup to change without the data needed by users to withdraw being atomically posted to the blockchain. With Validiums, that guarantee depends entirely on the ability of whatever external system is being used to resist gaming and data withholding.

Any block producer on the external data availability system is now capable of holding Bitcoin rollup users’ funds hostage by producing a block and not actually broadcasting it to make the data available.

So which will it be, if we ever do get to an ideal rollup implementation on Bitcoin that actually enables unilateral user withdrawal? The rock, or the hard place?