What Is BitVM?

Bitcoin, by design, offers very little native scripting and its smart contract capabilities are reduced to basic operations, such as signatures, timelocks, and hash locks. Bitcoin doesn’t have the scripting language or the ability to execute scripts on chain which has become popular with the launch of Ethereum and various EVM chains. 

There are several attempts to bring EVM compatibility to Bitcoin, with layer two side chains like Rootstock, the covenant-backed layer two Spiderchains and other implementations of rollups, all with different trade-offs. 

BitVM, however, tries to bring this as close to being executed on-chain as possible. BitVM borrows aspects of Optimistic Rollups and Merkle trees to create a new system that is based on fraud proofs and a challenge-response protocol. The model is designed to illustrate that this approach allows for universal computations on Bitcoin.

Unlike other scaling solutions, BitVM leverages existing Bitcoin Opcodes hash locks, timelocks, and large Taproot trees and requires no changes to Bitcoin’s consensus rules. 

BitVM makes Bitcoin Turing-complete in the sense that encoding fraud proofs in large Taptrees allows parties to verify the execution of any program. A major constraint of the model outlined here is that it is limited to the two-party setting, but work can be done to expand this over time. 

BitVM can be used in conjunction with Taproot to create even more powerful and versatile Bitcoin contracts that are private, stateful, and arbitrarily complex.

Tapleaf circuits are the first WIP version of a BitVM, but as research is conducted in this space, there should be more versions that come to market. 

Here is a simplified explanation of how BitVM and Taproot can be used together to create a complex Bitcoin contract:

1. The prover and verifier create a Taproot address and the program they will execute off-chain but use Bitcoin as a verification tool.
2. The prover commits a large program to the Taproot address and creates the “circuit. This requires significant off-chain computation and communication, but the resulting on-chain footprint is minimal.
3. Additionally, they pre-sign a sequence of transactions, enabling a challenge-response game between the prover and the verifier.
4. Next, the prover reveals his preimages to the verifier. If the prover does not, the verifier can force the script to run or claim the deposited funds as punishment.
5. The prover and verifier run the program off-chain.
6. Now that they have exchanged all the required data to make their circuit execute, the only thing left is to add the funds in on-chain deposits to the Taproot address.
7. This activates the contract, and they can start exchanging off-chain data to trigger state changes in the circuit.
8. If the prover and verifier agree on the output of the program, they can simply sign the Taproot transaction to finalize the contract.
9. If the prover and verifier disagree on the output of the program, the verifier can use a succinct fraud proof to punish the prover.

This mechanism allows the prover and verifier to perform arbitrarily complex, stateful off-chain computation without leaving any trace in the chain. On-chain execution is required only in case of a dispute.

The BitVM gives developers a more expressive toolkit for creating Bitcoin contracts and combines off-chain computation to create programmatic executable transactions.

Potential applications include:

Gaming

Games like Chess, Go or Poker, where funds are held in the contract and released based on the outcome of the match or tournament.

Bridge BTC to foreign chains

BitVM could be used to create atomic swaps with various chains or tokens on other chains like stablecoins. A user could create a contract that executes a sale and provide proof that the transaction was complete on one chain for funds to be released on Bitcoin.

Building prediction markets

In Bitcoin prediction markets, people trade on the outcomes of future events and secure those predictions with Bitcoin. Users could make predictions on anything from market outcomes to sporting events and enter into a contract with a counterparty.

Conditions on payments are set and agreed on when creating the prediction contract and if the conditions are met. The contract would execute, and if there is no dispute, the final transaction would settle on-chain and release the funds.

This use case for Bitcoin is similar to discrete log contracts.

Emulate novel opcodes.

BitVM is still at the proposal stage, and in its current form, the main drawback of the proposed model is that it is limited to two parties setting up an agreement with a prover and a verifier, which limits its applications for now, especially when compared to the complexity EVM chains currently offer. However, it might be possible to have two-way channels and chain them to form a network similar to Lightning.

Another limitation is that significant amounts of off-chain computation and communication options are required to execute programs for both the prover and the verifier.

A user would need to run additional software on their nodes that would handle the computation and communicate the contract parameters once input and outputs are decided with the creation of the circuit. Communication could be done through generic message signing or abstracting this into a layer like nostr.