Smart contracts executed off-chain and verified within Taproot outputs to bring new use cases to Bitcoin.
- BitVM is a new proposal to bring Turing-complete smart contracts to Bitcoin without the need for a soft fork or hard fork.
- The system is similar to optimistic roll-ups and relies on the ability to create proofs of incorrect code execution in the event of attempted fraud.
- While greatly expanding what will be possible on Bitcoin, the solution has limitations in efficiency and practicality.
The execution of code on the Bitcoin blockchain is limited by design, as, given the importance of Bitcoin as an alternative monetary system, maximizing security and minimizing the risks of unforeseen behaviors is considered a priority over the flexibility that more generic smart contracts can offer. However, thanks to new off-chain computation protocols, it might become possible to enable the execution of complex contracts directly on Bitcoin, without needing to compromise the security of the blockchain.
On October 9, 2023, Bitcoin developer Robin Linus published a paper titled “BitVM: Compute Anything on Bitcoin” where he presents a proposal to allow the creation of Turing-complete smart contracts on Bitcoin without the need for a soft fork or hard fork to the consensus protocol. The paper was met with much enthusiasm as it has the potential to open the doors to use cases previously impossible on Bitcoin.
What is BitVM?
The idea behind BitVM is to have a protocol where the blockchain is not used to execute code, but only to verify the execution. Thus, two users can create a contract where the first one (the “Prover”) claims that the output of the execution of a piece of code is a certain value, while the second user (the “Verifier”) can check whether the code execution is correct or not, and if it is not, they can in turn create a proof that the first user has provided an incorrect output. The code can be any type of program, enabling multiple use cases.
It is important to note that BitVM does not enable code execution on Bitcoin, which would have significant scalability issues, but offers the possibility to publish proofs that a particular script has been executed (outside the blockchain) incorrectly and to activate a punishment mechanism if this happens.
The main advantage of this paradigm is that a proof of incorrect execution is generally very compact since you need to publish on-chain only the lines of code where the error occurred, not the entire script that was executed. For this reason, although similar in purpose, BitVM is fundamentally different from the EVM (Ethereum Virtual Machine) and embraces an approach that certainly has its complexities, but is much more scalable.
How does BitVM work?
To deploy a contract with BitVM, the contract code is broken down into logical circuits composed of NAND gates, and each step of the execution is then committed within a leaf (Tapleaf) of a Taproot address, so that the on-chain space used is minimized. The two parties can then deposit bitcoins on the Taproot address and begin a sequence of Challenges and Responses where the two parties prepare a series of pre-signed transactions in which the Verifier will propose a Challenge and the Prover will respond with a solution, thus creating a chain of challenge → response → challenge → response, and so on.
If the Prover manages to respond to all the challenges, they will be entitled to take some bitcoins that the Verifier had deposited on the Taproot address, while if the Prover fails one of the challenges or their responses turn out to be inconsistent with each other, the Verifier can take the bitcoins that the Prover had put at stake.
All the pre-signed transactions used for the challenge-response chain will be forwarded to the blockchain only in case of dispute, while if the two parties are cooperative, they can settle with a simple 2-of-2 multisig. If, on the other hand, one of the two parties is not collaborative, the counterparty can claim the bitcoins locked in the address after the associated timelock expires. It can be noted that, in some aspects, BitVM leverages an incentive system similar to that used in the Lightning network.
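To make the mechanism of the three paragraphs above concrete, here is an added example (it is not code from the BitVM paper or from the original article) that models its building blocks in Python: a program reduced to NAND gates, one bit commitment per wire made of two hash locks (the construction the BitVM paper uses, with plain SHA-256 digests standing in for the Script hash locks and Tapleaves), and a verifier that challenges each gate and rejects inconsistent or equivocating responses. The XOR circuit, wire numbering and the two cheating strategies are constructed for illustration; real BitVM additionally spreads the challenges over pre-signed transactions and uses the revealed preimages to spend the stake, which this model leaves out.

```python
import hashlib
import secrets


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def nand(a: int, b: int) -> int:
    """The only gate type the program is compiled down to."""
    return 0 if (a and b) else 1


class BitCommitment:
    """One circuit wire. The prover generates two secret preimages and publishes
    their hashes (in BitVM these hash locks sit inside Tapleaves); later,
    revealing preimage 0 asserts 'this wire is 0', revealing preimage 1 asserts
    'this wire is 1'. Revealing both is equivocation, which the verifier punishes."""

    def __init__(self) -> None:
        self._preimage = {0: secrets.token_bytes(32), 1: secrets.token_bytes(32)}
        self.hashes = {bit: sha256(p) for bit, p in self._preimage.items()}

    def reveal(self, bit: int) -> bytes:  # prover side
        return self._preimage[bit]

    def decode(self, preimage: bytes):  # verifier side: only the hashes are needed
        digest = sha256(preimage)
        for bit, expected in self.hashes.items():
            if digest == expected:
                return bit
        return None


# Constructed sample program: XOR(w0, w1) built from four NAND gates.
# Each gate is (input wire a, input wire b, output wire).
XOR_CIRCUIT = [(0, 1, 2), (0, 2, 3), (1, 2, 4), (3, 4, 5)]
OUTPUT_WIRE = 5


def evaluate(circuit, inputs):
    """Honest off-chain execution: inputs is {wire: bit}; returns every wire value."""
    wires = dict(inputs)
    for a, b, out in circuit:
        wires[out] = nand(wires[a], wires[b])
    return wires


def verify(circuit, commits, inputs, respond):
    """Verifier: challenge every gate, decode the three revealed preimages and
    reject on (1) a preimage matching neither hash, (2) a wire revealed as both
    0 and 1 across responses (equivocation), (3) an input wire that differs from
    the agreed inputs, (4) a gate whose output is not NAND of its inputs.
    Returns (accepted, reason, decoded output bit or None)."""
    seen = {}
    for idx, (a, b, out) in enumerate(circuit):
        bits = {}
        for w in (a, b, out):
            bit = commits[w].decode(respond(idx, w))
            if bit is None:
                return False, f"gate {idx}: wire {w} preimage matches no commitment", None
            if seen.setdefault(w, bit) != bit:
                return False, f"gate {idx}: wire {w} equivocation (revealed both 0 and 1)", None
            bits[w] = bit
            if w in inputs and bit != inputs[w]:
                return False, f"gate {idx}: input wire {w} does not match agreed input", None
        if nand(bits[a], bits[b]) != bits[out]:
            return False, f"gate {idx}: NAND({bits[a]},{bits[b]}) != {bits[out]}", None
    return True, "every gate consistent", seen[OUTPUT_WIRE]


def make_prover(circuit, commits, wires, strategy):
    """Returns respond(gate, wire) -> preimage. 'honest' reveals the real values;
    'flip' claims the opposite output and reveals that single fake assignment;
    'equivocate' answers honestly except at the last gate, which it patches so
    that gate alone looks consistent with the flipped output."""
    fake = dict(wires)
    fake[OUTPUT_WIRE] ^= 1
    last = len(circuit) - 1
    a, b, out = circuit[last]
    patched = {out: fake[OUTPUT_WIRE]}
    patched[a], patched[b] = (0, wires[b]) if patched[out] == 1 else (1, 1)

    def respond(gate, w):
        if strategy == "flip":
            return commits[w].reveal(fake[w])
        if strategy == "equivocate" and gate == last:
            return commits[w].reveal(patched[w])
        return commits[w].reveal(wires[w])
    return respond


def run_scenario(x, y, strategy="honest"):
    inputs = {0: x, 1: y}
    wires = evaluate(XOR_CIRCUIT, inputs)            # prover runs the program off-chain
    commits = {w: BitCommitment() for w in wires}   # one hash-lock pair per wire
    prover = make_prover(XOR_CIRCUIT, commits, wires, strategy)
    return verify(XOR_CIRCUIT, commits, inputs, prover)


if __name__ == "__main__":
    for strategy in ("honest", "flip", "equivocate"):
        print(strategy, run_scenario(1, 1, strategy))
```

The point the model makes is the one the article makes about compactness: the verifier never re-executes the whole program on-chain, it only needs the three revealed preimages of one gate to prove that the prover either produced a wrong NAND output or revealed both preimages of the same wire, and either condition is enough to take the stake.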
Is Turing-completeness desirable?
There’s often debate about whether it’s desirable to have the ability to execute Turing-complete scripts on Bitcoin, or if this would pose a security risk. The main issue with Turing-completeness is that, in general, a computer cannot tell whether a program will terminate without actually running it (the halting problem), and if a script that never terminates were inserted into a Bitcoin transaction, all nodes trying to validate the transaction would get stuck, effectively paralyzing the network. For this reason, Bitcoin has always avoided Turing-completeness, ruling out loops and scripts that cannot be executed to completion.
However, by moving the code execution off the blockchain, BitVM avoids the problem entirely, as a non-terminating script would have no effect on the nodes in the network. With BitVM, only the Prover has to execute the code, and any issues that arise during execution are confined to the Prover’s computer.
Use cases
It is still not 100% clear which use cases can actually be enabled by BitVM, as more research is needed on the implementation side, but by allowing the execution of arbitrary programs to be verified directly on Bitcoin, BitVM has the potential to open the door to various use cases that would otherwise require a soft fork. These may include covenants, trustless two-way-peg bridges to and from sidechains, improving prediction markets through DLCs, and generally emulating any proposal for new opcodes in Bitcoin’s scripting language.
Limitations and criticisms
Despite being a revolutionary solution that allows for very complex smart contracts directly on Bitcoin, BitVM has its limitations:
- The protocol is very complex and requires a lot of interactivity between parties, making it difficult to implement in user-friendly applications.
- Each contract is limited to two parties, extendable in some cases to a 1-to-N model (i.e., one Prover responds to challenges from N Verifiers), but it’s not possible for N people to interact with each other. Due to this limitation, a trustless peg-out scheme for a sidechain system is unlikely to be supported.
- The amount of off-chain data that parties must manage will likely be huge, making it impractical.
- The hardware requirements to run complex programs with BitVM could be such that its use is limited to desktop devices, excluding mobile environments. For simpler contracts, a mobile device might be sufficient.
Conclusions
BitVM is a new paradigm that is certainly revolutionary as it opens up new scenarios on Bitcoin that were previously thought to be impossible without a fork, further validating the idea that there is much room for innovation on Bitcoin as it is.
Today only a proof-of-concept of BitVM has been developed, and much research work still needs to be done to fully understand how BitVM can move from theory to useful real-world applications, but it’s likely that in the process new optimizations to make the protocol more practical will be discovered.
Furthermore, BitVM confirms that working on multiple layers and moving complexity off-chain is a design choice that, on one hand, requires great engineering effort, but at the same time allows for maximizing Bitcoin’s value without compromising its principles of security and decentralization.