BitVM – Smart Contracts on Bitcoin Without Hard Fork

🧑‍💻 TLDR: The BitVM whitepaper by Bitcoin developer Robin Linus introduces a method to implement Ethereum-like smart contracts on Bitcoin without a hard fork. BitVM proposes a system where contract logic is executed off-chain but verified on Bitcoin, similar to Ethereum’s optimistic rollups, BitVM enables Turing-complete Bitcoin contracts. The architecture employs fraud proofs and a challenge-response model, and while it opens up new application possibilities, it also requires substantial off-chain computation and communication.

Here’s the most interesting quote (in my opinion) from the whitepaper:

Built like a computer by stacking NAND gates: “Any computable function can be represented as a Boolean circuit. The NAND gate is a universal logic gate, so any Boolean function can be composed from them. To keep our model simple, we show that our method works for simple NAND gates. Additionally, we show how to compose gates arbitrarily. Together this demonstrates BitVM can express any circuit.”

Quick Overview

The BitVM whitepaper, introduced by Bitcoin developer Robin Linus of ZeroSync, proposes a novel method to bring Ethereum-like smart contracts to Bitcoin without necessitating a hard fork. Unveiled on October 9, 2023, BitVM seeks to enable Turing-complete Bitcoin contracts without modifying Bitcoin’s consensus rules. The system allows any computable function to be verified on Bitcoin, with the “logic” of contracts executed off-chain, while verification occurs on Bitcoin, akin to Ethereum’s optimistic rollups.

🧑‍💻 Recommended: What is a zkEVM Rollup? A Simplified Guide to Ethereum’s Most Promising Scaling Solution

BitVM’s architecture leans on fraud proofs and a challenge-response model.

Source: Whitepaper

Here, a “prover” makes claims, and a “verifier” conducts a fraud-proof to penalize the prover if false claims are presented.

Applications: Linus highlighted that while Bitcoin is currently limited to basic operations like signatures, timelocks, and hashlocks, BitVM could expand its capabilities, enabling a variety of applications, such as

  • games (Chess, Go, Poker),
  • verification of validity proofs in Bitcoin contracts,
  • bridging BTC to other chains,
  • building prediction markets, and
  • emulating novel opcodes.

However, Linus acknowledged that the model has limitations, such as being confined to a two-party setting (a prover and a verifier) and necessitating a significant amount of off-chain computation and communication to execute programs. The next milestone involves fully implementing BitVM and Tree++, a high-level programming language designed for writing and debugging Bitcoin contracts.

💡 Info: BitVM is facilitated by the Taproot soft fork, which was implemented in November 2021. Taproot is a technological upgrade (soft fork) to Bitcoin, enhancing its privacy and efficiency. As shown in this article, users can now create “smart contracts,” which are sets of rules for how bitcoins are spent in a way that they appear like regular transactions to outside observers. This can improve privacy by masking complex transactions. Additionally, Taproot enables more complex transaction conditions (like multi-signature requirements) while maintaining a streamlined, efficient process, which is beneficial for scalability and transaction speed on the Bitcoin network.

Community Response

The new computing paradigm BitVM whitepaper has garnered varied responses from the Bitcoin community.

The whitepaper, meticulously reviewed by Super Testnet and Sam Parker, has garnered a whopping 2.4 million views and dives deep into a system that combines Optimistic Roll Up, Fraud Proof, Taproot Leaf, and Bitcoin Script, aiming to bring additional programmability to Bitcoin without necessitating an upgrade.

While some, like Bitcoiner Eric Wall and analyst Dylan LeClair, expressed excitement and appreciation for the paper, others, like Bitcoin Core contributor Adam Back, urged caution, noting that while the development is cool, it essentially generalizes a two-party game.

Super Testnet, on the other hand, hailed it as “the most exciting discovery in the history of bitcoin script”, emphasizing its potential to enable covenants, sidechains, and powers akin to Liquid or the EVM without requiring forks.

A proof-of-concept is already available on GitHub, while others attempted to allay fears among Bitcoin maximalists by emphasizing that BitVM won’t compel Bitcoins to be “locked” into these contracts since it is opt-in.

Some community members have suggested that implementing CheckTemplateVerify (CTV) could enhance BitVM’s efficiency and functionality.

Key Takeaways

Is BitVM theoretically possible? Yes. Is it feasible? Maybe.

Let’s have a look at what Bob Bodily, PhD says about its feasibility:

  • Not a Panacea: BitVM isn’t a one-size-fits-all solution.
  • Comparison with EVM: It’s slower, more expensive, and more complex than Ethereum’s EVM. However, this may be a feature, not a bug because BitVM is the most decentralized smart contract solution considering the well-established view that Bitcoin is more decentralized than Ethereum.
  • Core Benefit: Enables additional programmability on Bitcoin without requiring new op_codes or a soft fork. This makes it highly practicable and the conservative Bitcoin community will likely adopt it.
  • Use Cases: Potential applications include decentralizing various parts of applications that currently depend on centralized services.
  • Trustless Bridging: BitVM doesn’t solve trustless bridging for sidechains.
  • Comparison with Previous Models: It’s strictly better than Greg Maxwell’s 2016 ZKP contingent payments example.
  • Complexity: BitVM is intricate to understand and implement.

BitVM’s mission, as per the whitepaper, is to ensure “any computable function can be verified on Bitcoin.”

Sam Parker elucidates that while Bitcoin isn’t technically more Turing Complete than before, it has been endowed with a runtime that makes it “Turing complete enough” for any realistically executable program, given you have the financial means, bandwidth, and capability to perform as many Bitcoin transactions as needed.

So to summarize, these are the three main key take aways (for now) but we should remain updated on the developments — feel free to subscribe to my newsletter if you haven’t already:

  1. Intriguing but Preliminary: BitVM, while fascinating and potentially groundbreaking, is still in its infancy with numerous aspects yet to be explored and validated.
  2. Immediate Applicability: Certain use cases, such as Decentralized Finance (DeFi) oracles, might start leveraging BitVM immediately to minimize trust assumptions.
  3. A Welcome Addition: The effort to enhance Bitcoin’s programmability is commendable and the more developers that engage with and build upon BitVM, solving tangible problems, the better.

In conclusion, BitVM has certainly stirred the Bitcoin community, offering a fresh perspective on enhancing Bitcoin’s programmability. Whether it will stand the test of time and practical application remains to be seen, but it undeniably opens up a new chapter exploring the extents and limits of Bitcoin’s scripting capabilities.

💡 Recommended: Bitcoin Whitepaper Cheat Sheet (PDF Download)

Still here? Okay, let’s review some technical details:

Technical Details Whitepaper

BitVM: A Leap Towards Turing-Complete Bitcoin Contracts

The BitVM system, rather than executing computations on Bitcoin, merely verifies them, akin to optimistic rollups, and allows any computable function to be verified on Bitcoin.

Architecture and Mechanism

BitVM’s architecture is inspired by Optimistic Rollups and the MATT proposal (Merkelize All The Things), utilizing fraud proofs and a challenge-response protocol, yet it doesn’t require alterations to Bitcoin’s consensus rules. The prover commits to the program bit-by-bit, and the verifier performs a sequence of challenges to succinctly disprove a false claim by the prover. Both parties pre-sign a sequence of challenge-and-response transactions, which they can later use to resolve any dispute.

This is some hardcore Bitcoin and cryptography language and most people, even technical people like me don’t understand the technical intricacies:

Bit Value and Logic Gate Commitment

The bit value commitment is a fundamental component, allowing the prover to set the value of a particular bit to either “0” or “1”. Especially, it allows the prover to set the value of a variable across different Scripts and UTXOs. The commitment contains two hashes, hash0 and hash1, and at a later point, the prover sets the bit’s value by revealing the preimage of one of the hashes. If both preimages are revealed, the verifier can use them as a fraud proof, and take the prover’s deposit.

Logic gate commitments are implemented simply and contain two bit commitments representing the two inputs and a third bit commitment representing the output. The Script computes the NAND value of the two inputs to ensure that it matches the committed output bit.

Binary Circuit Commitment and Challenges

BitVM allows any computable function to be represented as a Boolean circuit, with NAND gate being a universal logic gate. The prover’s Taproot address contains a leaf script with a corresponding gate commitment for each gate, allowing the prover to set the values of the circuit’s inputs at any point later in time. The verifier can quickly identify the prover’s error after just a few rounds of challenge-and-response by applying binary search.

Thanks for reading — exciting times we’re living through! 🚀