BitVM - Compute Anything on Bitcoin

What happened?

Robin Linus (from the ZeroSync project) dropped the whitepaper for BitVM, a new mechanism to perform essentially any type of computation off-chain and use that computation to control bitcoin on-chain (i.e., Turing-complete smart contracts). This proposal doesn't require any consensus changes to Bitcoin itself.

BitVM is a computing paradigm to express Turing-complete Bitcoin contracts. This requires no changes to the network’s consensus rules. Computations are not executed on Bitcoin; they are merely verified, similar to optimistic rollups. A prover makes a claim that a given function evaluates for some particular inputs to some specific output. If that claim is false, then the verifier can perform a succinct fraud proof and punish the prover. Using this mechanism, any computable function can be verified on Bitcoin.

Committing to a large program in a Taproot address requires significant amounts of off-chain computation and communication; however, the resulting on-chain footprint is minimal. As long as both parties collaborate, they can perform arbitrarily complex, stateful off-chain computation without leaving any trace in the chain. On-chain execution is required only in case of a dispute.


How does it work?

BitVM is a proposal that aims to bring arbitrary computation capabilities to Bitcoin without necessitating changes to the core Bitcoin protocol. It leverages logic gates, particularly NAND gates, to enable complex computations while providing a mechanism for on-chain enforcement in case of disputes.
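
A simplified off-chain model of the claim-and-dispute idea described above, added here as an illustration and not taken from the BitVM whitepaper or the ZeroSync project. The XOR circuit, the wire names and all function names are constructed assumptions, and the sketch does not model Bitcoin Script, Taproot commitments or penalties.

```python
from itertools import product

# Simplified model (assumption): a circuit is a list of NAND gates given as
# (input_wire_a, input_wire_b, output_wire), listed in evaluation order.
XOR_CIRCUIT = [
    ("a", "b", "n1"),
    ("a", "n1", "n2"),
    ("b", "n1", "n3"),
    ("n2", "n3", "out"),
]
INPUT_WIRES = ("a", "b")


def nand(x, y):
    return 1 - (x & y)


def honest_trace(circuit, inputs):
    """Prover side: evaluate every gate and record the value of every wire."""
    wires = dict(inputs)
    for a, b, out in circuit:
        wires[out] = nand(wires[a], wires[b])
    return wires


def find_faulty_gate(circuit, claimed):
    """Verifier side: index of the first gate whose claimed values break NAND."""
    for i, (a, b, out) in enumerate(circuit):
        if claimed[out] != nand(claimed[a], claimed[b]):
            return i
    return None  # trace is consistent, nothing to dispute


def all_false_claims_caught(circuit, input_wires):
    """Exhaustively check that any trace differing from the honest one
    (on the same agreed inputs) contains at least one refutable gate."""
    outs = [out for _, _, out in circuit]
    for in_bits in product((0, 1), repeat=len(input_wires)):
        inputs = dict(zip(input_wires, in_bits))
        truth = honest_trace(circuit, inputs)
        for bits in product((0, 1), repeat=len(outs)):
            claimed = {**inputs, **dict(zip(outs, bits))}
            if claimed != truth and find_faulty_gate(circuit, claimed) is None:
                return False
    return True


if __name__ == "__main__":
    lie = {**honest_trace(XOR_CIRCUIT, {"a": 1, "b": 1}), "out": 1}
    print("disputed gate:", find_faulty_gate(XOR_CIRCUIT, lie))  # 3
    print("after patching n3:", find_faulty_gate(XOR_CIRCUIT, {**lie, "n3": 0}))  # 2
    print("all refutable:", all_false_claims_caught(XOR_CIRCUIT, INPUT_WIRES))  # True
```

A prover who lies about the output can move the inconsistency to an earlier gate but cannot remove it, so the verifier only ever needs to check a single gate to refute the claim.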


Logic Gates and NAND Gates

Building NAND Gates in Bitcoin Script

Implementing NAND Gates

Creating Complex Computation Structures

Challenge and Response Game

Enforcement and Penalties


What are the limitations/challenges?

More Resources