A new research paper titled “BitVM: Compute Anything on Bitcoin” proposes a novel method for executing complex computations and smart contracts on the Bitcoin network.
The paper — published on Oct. 9 — suggests that users verify Bitcoin (BTC) computations without executing them on-chain. This is done using a prover-verifier model, where the prover claims the result of a calculation, and the verifier can check if the claim is valid.
The prover first compiles the program into a large binary circuit of logic gates to achieve this. They commit to this circuit bit-by-bit using cryptographic commitments in a Taproot address. The verifier can then query the prover to reveal certain parts of the circuit and check if they are consistent.
The paper shows that by using cleverly constructed “challenge-response” transactions signed by both parties, the verifier can detect any false claims by the prover through a series of binary searches. This allows arbitrary computations to be verified succinctly on-chain.
The key benefit of this model, called “BitVM,” is that it requires no changes to Bitcoin’s consensus rules. All the heavy lifting is done off-chain, while the on-chain footprint remains small. The paper demonstrates BitVM’s capabilities through simple logic gates but notes it can be extended to any computable function.
Potential applications include verifying computational proofs for Bitcoin contracts, bridging assets across chains, hosting prediction markets directly on Bitcoin, and more. However, BitVM is limited to a two-party setting between a prover and a verifier.
While more research is needed to extend BitVM for real-world use, the paper presents a promising approach to expand Bitcoin’s smart contract capabilities while retaining its security model focused on low complexity to reduce the attack surface. Still, cypherpunk and Blockstream co-founder Adam Back pointed out that this paper is not as revolutionary as it may appear to non-experts.
For people getting (over) excited, this is cool but effectively a generalization of a two-party game – it says right in the abstract – so it’s a bit like Greg Maxwell’s 2016 ZKP contingent payments implemented example
Adam Back, Blockstream co-founder
Despite the system cited by Back being remarkably similar, it still features some significant differences compared to BitVM. The critical one is that Zero-Knowledge Contingent Payment (ZKCP) — proposed by renowned developer Gregory Maxwell in February 2016 — relies on zero-knowledge proofs (ZPKs), while BitVM uses fraud proofs based on hash locks and timelocks.
In ZKCP, the seller uses zero-knowledge proof to prove to the buyer that they have the information the buyer wants to purchase without revealing anything about the actual data. The buyer only needs to verify the proof.
In contrast, in BitVM, the prover (seller) commits to a program bit-by-bit in a large Taproot tree. The verifier (buyer) can then challenge the prover to reveal parts of the program to ensure consistency. If the prover makes a false claim, the verifier can construct a fraud proof to take their deposit.
Additionally, ZKCP requires significant cryptographic overhead in generating and verifying the proofs. BitVM relies more on hashes and digital signatures, making it more lightweight.