What this buys is a primitive that other systems can rely on without re-running Cardano's consensus: a stake-weighted attestation over the chain's state, verifiable against a hardcoded genesis key.
The threshold structure makes forgery cost equivalent to acquiring a stake fraction of the network, the lottery makes participation cheap and distributable across hundreds of operators, and the certificate size is bounded by k regardless of how many signers exist in total.
The signing mechanism inside Mithril is a per-message lottery.
For each message the protocol attests, every registered party signs the message with their BLS private key and then evaluates a deterministic eligibility function over that signature and an index slot.
A certificate reaches the protocol's stake threshold when k distinct lottery indices have been won across the signer set. Since eligibility scales with stake via phi_f, reaching k wins requires aggregate participation above a target stake fraction.
The protocol parameters (m, k, phi_f) are tuned so that an adversary needs to control at least that target fraction of total stake to produce a valid certificate. The security of the certificate is the security of the stake that signed it.
A succinct zero-knowledge proof of the certificate would close that gap. The proof would commit to the same fields as the original, in the same structured form, and would verify in milliseconds on any chain that supports a Groth16 SNARK or STARK verifier. Every commitment inside the original certificate would become portable.
The cryptography was never the obstacle.
The certificates have been ready for years. The verifier has not.
Mithril plays the role on Cardano that Ethereum's beacon chain sync committee plays on Ethereum: a stake-weighted signing system designed so other chains and light clients can verify chain state without running a full node.
What does not exist is a way to actually use any of that on another chain. Mithril verification involves BLS pairings, Merkle batch proofs over the full signer set, and hundreds of lottery threshold checks per certificate, each evaluating a Taylor series in arbitrary-precision rational numbers.
Bitcoin lacks the primitives for any of this. Plutus has the primitives, but the aggregate cost of a single certificate's verification far exceeds the per-transaction execution budget, even for Cardano's own certificates. Other destination chains face the same kind of limitation in different forms.
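The lottery and threshold check described above, as an added example that is not Mithril's code or the author's. It assumes SHA-512 as a stand-in for both the BLS signature and the lottery hash, the function names are hypothetical, and the parameters and signer set are constructed.

```python
import hashlib
import math
from fractions import Fraction

EV_MAX = 2 ** 512  # size of the SHA-512 output space used for draws

def lottery_value(msg: bytes, index: int, sig: bytes) -> int:
    """Deterministic draw for one (signature, index) pair."""
    data = msg + index.to_bytes(8, "big") + sig
    return int.from_bytes(hashlib.sha512(data).digest(), "big")

def wins(ev: int, stake: Fraction, phi_f: float, max_terms: int = 1000) -> bool:
    """Exact test of ev/EV_MAX < 1 - (1 - phi_f)**stake, for 0 <= stake <= 1."""
    # Rearranged: q < exp(x), q = 1/(1 - ev/EV_MAX), x = -stake*ln(1 - phi_f).
    q = Fraction(EV_MAX, EV_MAX - ev)
    x = -stake * Fraction(math.log(1.0 - phi_f))
    partial, term = Fraction(1), x
    for n in range(1, max_terms):
        partial += term
        term = term * x / (n + 1)
        if q < partial:             # exp(x) >= partial sum, so q < exp(x)
            return True
        # Taylor remainder <= exp(x) * next term <= 3 * term while phi_f < 2/3
        if q > partial + 3 * term:
            return False
    return False  # undecided within max_terms: treat as a loss

def winning_indices(msg, signers, total_stake, m, phi_f):
    """Distinct lottery indices in range(m) won by any signer in the list."""
    won = set()
    for key, stake in signers:
        sig = hashlib.sha512(key + msg).digest()  # stand-in, NOT a BLS signature
        share = Fraction(stake, total_stake)
        won |= {i for i in range(m)
                if wins(lottery_value(msg, i, sig), share, phi_f)}
    return won

# Constructed parameters and signer set, for illustration only.
M, K, PHI_F = 300, 25, 0.2
HONEST = [(b"pool-%d" % i, 5) for i in range(19)]  # 95 of 100 stake units
MINORITY = [(b"pool-19", 5)]                        # 5 of 100 stake units
MSG = b"constructed chain-state digest"

def reaches_threshold(signers) -> bool:
    """True when the signer set wins at least K distinct indices."""
    return len(winning_indices(MSG, signers, 100, M, PHI_F)) >= K
```

Because the win probability has the form 1 - (1 - phi_f)^stake, nineteen signers holding 5 units each win an index with the same probability as one signer holding 95, which is why splitting stake across operators does not change the threshold.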
Default-on is the right move. The other piece is verification scale: most destination chains, including Cardano itself, cannot verify the certificates on-chain today. Ubiquitous signing makes the substrate bigger; ubiquitous verification is what makes it usable.
Mithril needs to be included in the node itself, with an optional configuration you can explicitly set to disable participation. There should be no concept of Mithril adoption, no work / effort to onboard SPOs to participate, no work to figure out an economic incentivization mechanism for participation, all of which would be the case if we ship it inside the next node release.
Bitcoin keeps its native role across Pogun's system. It pays fees on Cardano through a flash loan against the bridged position. It earns yield as collateral in the credit market through the yield layer. It serves as collateral itself, anchored to the specific UTxO, not as a derivative or synthetic. At no step does Bitcoin become something else.
That requirement runs through every component. The bridge preserves the locked UTxO as a non-fungible 1:1 representation on Cardano, which can be held by institutions or escrowed for a fungible token without leaving the asset's provenance behind. The credit market accepts either form as collateral directly. The trustless atomic swap layer settles the fungible form back to native Bitcoin peer-to-peer, with cryptographic atomicity.
The components were designed against the same requirement, so they fit each other rather than integrate with each other. The bridge's outputs are what the credit market is built to accept. The fungible form produced through escrow is what the trustless atomic swap layer is built to settle. The connections are structural, not glue.
The same principle extends outward. The credit market's collateral surface is not limited to assets the bridge produces; it accepts any Cardano native token, including wrapped BTC from other bridges, stablecoins from all issuers, and cross-chain liquidity routed in through protocols like Circle's CCTP. The trustless atomic swap layer is not limited to the fungible token from the middle layer; it works with any wrapped BTC representation on Cardano, including those from federated or multisig bridges. The architecture is open by construction. Every role in the system, from lender to operator, is open to anyone willing to fulfill it.
A user moves Bitcoin into Cardano through the bridge, holds it as the collateral form they need, borrows stablecoins against it in the credit market, and exits back to native Bitcoin through the trustless atomic swap layer. No custodian. No federation. No relayer. The cycle closes back to Bitcoin.
@derf_liw @pogun_io @IOGroup Cardinal was where the work started, live on Bitcoin mainnet at Bitcoin 2025. The design has evolved since, shaped by what it took to move from research to production.
Institutional holders want their specific Bitcoin back, the same UTxO with its provenance and any inscriptions intact. Operational users want fungible balances that compose with DeFi protocols built around them. These requirements do not conflict, but they cannot live at the same layer.
The base layer is the bridge representation. When a Bitcoin UTxO is locked, a non-fungible token is minted that mirrors 1:1 to that specific UTxO. The trust anchor is Bitcoin's consensus and the cryptographic primitives. No federation, no custodian, no wrapped-pool trust assumption. The NFT can be held directly, which is the form institutional positions need: tax treatment that depends on the asset returned being the same asset that was locked, ordinals attached to their specific satoshis, audit trails to specific Bitcoin outputs. It can also be used directly as collateral in the credit market.
The middle layer is smart contract escrow. The NFT can be locked into a contract that mints a fungible token at 1:1, backed by the specific NFT held in escrow. The fungible token has standard DeFi behavior: transferable and composable across protocols. Burning the token releases the NFT it was minted against. The fungible token never exists without its NFT in escrow. There is no fungible balance unbacked by a specific Mirror-UTxO.
The top layer is trustless atomic swaps. Any wrapped Bitcoin representation on Cardano can be swapped peer-to-peer for native Bitcoin on Bitcoin, settled atomically across both chains via adaptor signatures.
No bridge transaction is needed for the swap. No third party in the path. The swap layer is asset-agnostic and works with the fungible token from the middle layer or with wrapped representations produced by other bridges. For users who want any amount of native Bitcoin without needing the specific UTxO back, this is the operational exit path.
The three layers compose into a stack that gives Bitcoin DeFi properties it has not held together cleanly before. Trust anchored on Bitcoin's consensus through trust-minimized verification. UTxO identity preservation for institutions. Fungible operations for everyone else. Cross-chain settlement back to native Bitcoin at any amount, peer-to-peer, with cryptographic atomicity.
A research paper proves a result. A production system runs the result, day after day, against adversarial conditions, at the cost a market will accept. The two are different artifacts, and the work that connects them has its own discipline.
For BABE, that work covers a few categories. The paper specifies the cryptographic primitives abstractly. The implementation has to choose concrete instantiations, with their specific tradeoffs and library availability. The paper proves security in an idealized model. The implementation has to identify the assumptions in that model that depend on engineering choices, and discharge them carefully.
The setup phase parameters matter. The security argument is probabilistic and depends on the number of instances generated and the size of the kept subset. Choosing those numbers is not a research question. It is an engineering judgment that balances cryptographic confidence against operational cost. Too few instances and the security parameter is too thin. Too many and the operator infrastructure carries weight that does not pay for itself. The right number sits in a narrow band.
There are also things the paper does not specify. Operator rotation under churn, without compromising the protocol's liveness or safety. Data lifecycle for the on-chain commitments and the off-chain artifacts they reference, with availability and replication that survive operator failures. Recovery from partial failures during multi-instance setups. Key management and signature lifecycles that hold up under network-layer adversaries. Version handling across operator updates. These are systems concerns, and they determine whether the protocol runs at all in production.
Some of the work flows back upstream. Implementing a research result closely usually surfaces things the paper did not anticipate. Edge cases, framing issues, small correctness questions. Our cryptography and engineering team contributed corrections and improvements back to the protocol formalization during implementation.
When this work is done right, the cryptographic protocol that ships resembles the paper, and the system around it survives operations the paper never imagined.