2 Architecture
Similar to Optimistic Rollups[1] and the MATT proposal (Merkelize All The Things)[2],
our system is based on fraud proofs and a challenge-response protocol. However, BitVM
requires no changes to Bitcoin’s consensus rules. The underlying primitives are relatively
simple. It’s mostly based on hashlocks, timelocks, and large Taproot trees.
The prover commits to the program literally bit-by-bit, however verifying all of that
on-chain would be too computationally expensive, so the verifier performs a sequence of
carefully crafted challenges to succinctly disprove a false claim of the prover. Prover and
verifier jointly pre-sign a sequence of challenge-and-response transactions, which they can
later use to resolve any dispute.
The model is designed to simply illustrate that this approach allows for universal com-
putations on Bitcoin. For practical applications we should consider more efficient models.
The protocol is simple: Firstly, prover and verifier compile the program into a huge binary
circuit. The prover commits to that circuit in a Taproot address which has a leaf script
for every logic gate in the circuit. Additionally, they pre-sign a sequence of transactions,
enabling a challenge-response game between the prover and the verifier. Now they have
exchanged all of the required data, so they can make their on-chain deposits to the
resulting Taproot address.
This activates the contract and they can start exchanging off-chain data to trigger state
changes in the circuit. If the prover makes any incorrect claim, the verifier can take their
deposit. This guarantees attackers always lose their deposits.
3 Bit Value Commitment
The bit value commitment is the most elementary component of the system. It allows
the prover to set the value of a particular bit to either “0” or “1”. Especially, it allows
the prover to set the value of a variable across different Scripts and UTXOs. This is
key, as it extends the execution runtime of Bitcoin’s VM by splitting it across multiple
transactions.
Similar to Lamport signatures[3], the commitment contains two hashes, hash0 and hash1.
At some later point, the prover sets the bit’s value either to “0” by revealing preimage0,
the preimage of hash0 – or the prover sets the bit’s value to “1” by revealing preimage1,
the preimage of hash1. If, at some point, they reveal both preimages preimage0 and
preimage1, then the verifier can use them as a fraud proof, and take the prover’s deposit.
That is called equivocation. Being able to punish equivocation is what makes the com-
mitment binding – it is an “incentive-based commitment”.
Combining bit value commitments with timelocks allows the verifier to force the prover
2