* [bitcoin-dev] BitVM: Compute Anything on Bitcoin
@ 2023-10-09 13:46 Robin Linus
2023-10-10 1:06 ` Lloyd Fournier
` (4 more replies)
0 siblings, 5 replies; 6+ messages in thread
From: Robin Linus @ 2023-10-09 13:46 UTC (permalink / raw)
To: bitcoin-dev
Abstract. BitVM is a computing paradigm to express Turing-complete Bitcoin contracts. This requires no changes to the network’s consensus rules. Rather than executing computations on Bitcoin, they are merely verified, similarly to optimistic rollups. A prover makes a claim that a given function evaluates for some particular inputs to some specific output. If that claim is false, then the verifier can perform a succinct fraud proof and punish the prover. Using this mechanism, any computable function can be verified on Bitcoin. Committing to a large program in a Taproot address requires significant amounts of off-chain computation and communication, however the resulting on-chain footprint is minimal. As long as both parties collaborate, they can perform arbitrarily complex, stateful off-chain computation, without leaving any trace in the chain. On-chain execution is required only in case of a dispute.
https://bitvm.org/bitvm.pdf
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [bitcoin-dev] BitVM: Compute Anything on Bitcoin
2023-10-09 13:46 [bitcoin-dev] BitVM: Compute Anything on Bitcoin Robin Linus
@ 2023-10-10 1:06 ` Lloyd Fournier
2023-10-10 1:12 ` symphonicbtc
` (3 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: Lloyd Fournier @ 2023-10-10 1:06 UTC (permalink / raw)
To: Robin Linus, Bitcoin Protocol Discussion
[-- Attachment #1: Type: text/plain, Size: 1583 bytes --]
Hi Robin,
Fascinating result.
Is it possible to give us an example of a protocol that uses BitVM that
couldn't otherwise be built? I'm guessing it's possible to exchange Bitcoin
to someone who can prove they know some input to a binary circuit that
gives some output.
Thanks!
LL
On Tue, 10 Oct 2023 at 01:05, Robin Linus via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:
> Abstract. BitVM is a computing paradigm to express Turing-complete Bitcoin
> contracts. This requires no changes to the network’s consensus rules.
> Rather than executing computations on Bitcoin, they are merely verified,
> similarly to optimistic rollups. A prover makes a claim that a given
> function evaluates for some particular inputs to some specific output. If
> that claim is false, then the verifier can perform a succinct fraud proof
> and punish the prover. Using this mechanism, any computable function can be
> verified on Bitcoin. Committing to a large program in a Taproot address
> requires significant amounts of off-chain computation and communication,
> however the resulting on-chain footprint is minimal. As long as both
> parties collaborate, they can perform arbitrarily complex, stateful
> off-chain computation, without leaving any trace in the chain. On-chain
> execution is required only in case of a dispute.
>
> https://bitvm.org/bitvm.pdf
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
[-- Attachment #2: Type: text/html, Size: 2217 bytes --]
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [bitcoin-dev] BitVM: Compute Anything on Bitcoin
2023-10-09 13:46 [bitcoin-dev] BitVM: Compute Anything on Bitcoin Robin Linus
2023-10-10 1:06 ` Lloyd Fournier
@ 2023-10-10 1:12 ` symphonicbtc
2023-10-10 1:27 ` Anthony Towns
` (2 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: symphonicbtc @ 2023-10-10 1:12 UTC (permalink / raw)
To: Robin Linus; +Cc: bitcoin-dev
Hello Robin,
I'm very interested in this development, as I've been longing for arbitrary smart contracts on bitcoin for a while. I've got a couple questions I'd like to ask, on behalf of myself and some others I've been discussing this with.
1. Do you have plans to implement a high-level language that can compile down to this or maybe adapt some existing VM to make these scripts? I'm sure many would love to get their hands on something a bit more workable to test this out.
2. What are the expected computational costs of establishing the tapleaves for these scripts? Is it feasible to do complex things like ECDSA signature checking, etc? I worry that the hardware required to use this tech will be a barrier in it's widespread use.
3. Would it be possible to implement existing zero-knowledge proof constructs on BitVM, and would that make verification simpler? I.e. instead of verifying your program directly with BitVM, have your program be written in some ZKP VM, and just have the proof verification execute on BitVM
4. What are the expected costs of resolving a fraud for a program? I assume this is quite nuanced and has to do with the exact circumstances of the program, but would it be possible for you to provide some examples of how this might go down for some simple programs to aid comprehension?
Thanks,
Symphonic
Sent with Proton Mail secure email.
------- Original Message -------
On Monday, October 9th, 2023 at 1:46 PM, Robin Linus via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
> Abstract. BitVM is a computing paradigm to express Turing-complete Bitcoin contracts. This requires no changes to the network’s consensus rules. Rather than executing computations on Bitcoin, they are merely verified, similarly to optimistic rollups. A prover makes a claim that a given function evaluates for some particular inputs to some specific output. If that claim is false, then the verifier can perform a succinct fraud proof and punish the prover. Using this mechanism, any computable function can be verified on Bitcoin. Committing to a large program in a Taproot address requires significant amounts of off-chain computation and communication, however the resulting on-chain footprint is minimal. As long as both parties collaborate, they can perform arbitrarily complex, stateful off-chain computation, without leaving any trace in the chain. On-chain execution is required only in case of a dispute.
>
> https://bitvm.org/bitvm.pdf
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [bitcoin-dev] BitVM: Compute Anything on Bitcoin
2023-10-09 13:46 [bitcoin-dev] BitVM: Compute Anything on Bitcoin Robin Linus
2023-10-10 1:06 ` Lloyd Fournier
2023-10-10 1:12 ` symphonicbtc
@ 2023-10-10 1:27 ` Anthony Towns
2023-10-15 15:15 ` ZmnSCPxj
2023-10-17 18:00 ` Russell O'Connor
4 siblings, 0 replies; 6+ messages in thread
From: Anthony Towns @ 2023-10-10 1:27 UTC (permalink / raw)
To: Robin Linus, Bitcoin Protocol Discussion
On Mon, Oct 09, 2023 at 03:46:24PM +0200, Robin Linus via bitcoin-dev wrote:
> Abstract. BitVM is a computing paradigm to express Turing-complete
> Bitcoin contracts.
Please correct me if I'm wrong:
The way I understand this idea is that you take an N-bit claim (in the
given example N=4), and provide a NAND circuit that asserts whether
the claim is valid or not (in the example, if I did the maths right,
valid values take the form xxx0, 1x01, and only three bits were
actually needed). It would be very straightforward afaics to allow
for AND/OR/XOR/etc gates, or to have operations with more than two
inputs/one output.
The model is then a prover/challenger one: where the prover claims to
have a solution, and the verifier issues challenges that the prover
only be able to reply to consistently if the solution is correct. If
the prover doesn't meet the challenge, they lose the funds.
The circuit entails C individual assertions, with two inputs (selected
from either the N inputs bits, or the output of one of the previous
assertions) and a single output. You then encode each of those C
assertions as tapleafs, so that spending a tx via that tapleaf validates
that individual assertion.
You also have an additional tapleaf per input/assertion, that allows
the verifier to claim the funds immediately rather than issue another
challenge if the prover ever gave two inconsistent values for either an
input or the result of one of the assertions.
If the prover tries to cheat -- eg, claiming that 1111 is a valid input
in the example -- then the verifier can run the circuit themselves
offline, establish that it's an invalid, and work backwards from the
tip to establish the error. For example:
TRUE=NAND(L,D) -- D is true, so L better be false
L=NAND(J,A) -- A is true, so J better be true for L to be false
J=NAND(H,I) -- one of H or I must be false for J to be true,
prover will have to pick. suppose they pick I.
I=NAND(G,B) -- B is true, so if I was false, G was true
G=NAND(A,C) -- can only pass at this point with some of A,C,G
being given an inconsistent value
So you should need enough challenges to cover the longest circuit path
(call it P) in order to reliably invalidate an attempt to cheat. I guess
if your path isn't "branching" (ie one of the NAND inputs is something
you already have a commitment to) then you can skip back to something
that NAND's two "unknowns", at which point either one of the inputs is
wrong, and you trace it further down, or the output is correct, in which
case you can do a binary search across the NAND's where there wasn't
any branching, which should get you roughly to P=log(C) steps, at which
point you can do a billion gate circuit in ~100 on-chain transactions?
I think the "reponse enabled by challenge revealing a unique preimage"
approach allows you to do all the interesting work in the witness,
which then means you can pre-generate 2-of-2 signatures to ensure the
protocol is followed, without needing CTV/APO.
You'd need to exchange O(C*log(C)) hashes for the challenge hashes as
well as the 2*C commitment hashes, so if you wanted to limit that setup
to 20GB, then 24M gates would be about the max.
I think APO/CTV would let you avoid all the challenge hashes -- you'd
instead construct P challenge txs, and P*C response txs; with the output
of the C responses at level i being the i+1'th challenge, and each
of the tapscripts in the P challenges having a CTV-ish commitment to a
unique response tx. Still a lot of calculation, but less transfer needed.
You'd still need to transfer 2*C hashes for the commitments to each of
the assertions; but 20GB gets you a circuit with about ~300M gates then.
> It is inefficient to express functions in simple NAND circuits. Programs
> can be expressed more efficiently by using more high-level opcodes. E.g.,
> Bitcoin script supports adding 32-bit numbers, so we need no binary
> circuit for that.
I don't think that really works, though? You need a way of committing
to the 32-bit number in a way that allows proof of equivocation; but
without something like OP_CHECKFROMSTACK, I don't think we really have
that. You could certainly have 2**K hashes to allow a K-bit number,
but I think you'd have a hard time enumerating even three 16bit numbers
into a 4MB tapscript even.
CSFS-ish behaviour would let you make the commitments by signature,
so you wouldn't need to transfer hashes in advance at all, I think.
Cheers,
aj
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [bitcoin-dev] BitVM: Compute Anything on Bitcoin
2023-10-09 13:46 [bitcoin-dev] BitVM: Compute Anything on Bitcoin Robin Linus
` (2 preceding siblings ...)
2023-10-10 1:27 ` Anthony Towns
@ 2023-10-15 15:15 ` ZmnSCPxj
2023-10-17 18:00 ` Russell O'Connor
4 siblings, 0 replies; 6+ messages in thread
From: ZmnSCPxj @ 2023-10-15 15:15 UTC (permalink / raw)
To: Robin Linus; +Cc: bitcoin-dev
Good morning Robin et al,
It strikes me that it may be possible to Scriptless Script BitVM, replacing hashes and preimages with points and scalars.
For example, equivocation of bit commitments could be done by having the prover put a slashable fund behind a pubkey `P` (which is a point).
This slashable fund could be a 2-of-2 between prover and verifier `P && V`.
Then the prover provides a bit-0 point commitment `B`, which is a point.
If the prover wants to assert that this specific bit is 0, it has to provide `b` such that `B = b * G`.
If the prover wants to instead assert that this bit is 1, it has to provide `b + p` such that `B = b * G` and `P = p * G`.
If `b` (and therefore `B`) is chosen uniformly at random, if it makes exactly one of these assertions (that the bit is 0, or that the bit is 1) then it does not reveal `p`.
But if it equivocates and asserts both, it reveals `b` and `b + p` and the verifier can get the scalar `p`, which is also the private key behind `P` and thus can get the fund `P && V`.
To create a logic gate commitment, we have the prover and validator provide public keys for each input-possibility and each output-possibility, then use MuSig to combine them.
For example, suppose we have a NAND gate with inputs I, J and output K.
We have:
* `P[I=0]` and `V[I=0]`, which are the public keys to use if input I is 0.
* `P[I=1]` and `V[I=1]`, which are the public keys to use if input I is 1.
* ...similar for input `J` and output `K`.
In the actual SCRIPT, we take `MuSig(P[I=0], V[I=0])` etc.
For a SCRIPT to check what the value of `I` is, we would have something like:
```
OP_DUP <MuSig(P[I=1], V[I=1])> OP_CHECKSIG
OP_IF
OP_DROP
<1>
OP_ELSE
<MuSig(P[I=0], V[I=0])> OP_CHECKSIGVERIFY
<0>
OP_ENDIF
```
We would duplicate the above (with appropriate `OP_TOALTSTACK` and `OP_FROMALTSTACK`) for input `J` and output `K`, similar to Fig.2 in the paper.
The verifier then provides adaptor signatures, so that for `MuSig(P[I=1], V[I=1])` the prover can only complete the signature by revealing the `b + p` for `I`.
Similar for `MuSig(P[I=0], V[I=0])`, the verifier provides adaptor signatures so that the prover can only complete the signature by revealing the `b` for `I`.
And so on.
Thus, the prover can only execute the SCRIPT by revealing the correct commitments for `I`, `J`, and `K`, and any equivocation would reveal `p` and let the verifier slash the fund of `P`.
Providing the adaptor signatures replaces the "unlock" of the challenge-response phase, instead of requiring a preimage from the verifier.
The internal public key that hides the Taproot tree containing the above logic gate commitments could be `MuSig(P, V)` so that the verifier can stop and just take the funds by a single signature once it has learned `p` due to the prover equivocating.
Not really sure if this is super helpful or not.
Hashes are definitely less CPU to compute.
For example, would it be possible to have the Tapleaves be *just* the wires between NAND gates instead of NAND gates themselves?
So to prove a NAND gate operation with inputs `I` and `J` and output `K`, the prover would provide bit commitments `B` for `B[I]`, `B[J]`, and `B[K]`, and each tapleaf would be just the bit commitment SCRIPT for `I`, `J`, and `K`.
The prover would have to provide `I` and `J`, and commit to those, and then verifier would compute `K = ~(I & J)` and provide *only* the adaptor signature for `MuSig(P[K=<result>], V[K=<result>])`, but not the other side.
In that case, it may be possible to just collapse it down to `MuSig(P, V)` and have the verifier provide individual adaptor signatures.
For example, the verifier can first challenge the prover to commit to the value of `I` by providing two adaptor signatures for `MuSig(P, V)`, one for the scalar behind `B[I]` and the other for the scalar behind `B[I] + P`.
The prover completes one or the other, then the verifier moves on to `B[J]` and `B[J] + P`.
The prover completes one or the other, then the verifier now knows `I` and `J` and can compute the supposed output `K`, and provides only the adaptor signature for `MuSig(P, V)` for the scalar behind `B[K]` or `B[K] + P`, depending on whether `K` is 0 or 1.
That way, you only really actually need Schnorr signatures without having to use Tapleaves at all.
This would make BitVM completely invisible on the blockchain, even in a unilateral case where one of the prover or verifier stop responding.
Regards,
ZmnSCPxj
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [bitcoin-dev] BitVM: Compute Anything on Bitcoin
2023-10-09 13:46 [bitcoin-dev] BitVM: Compute Anything on Bitcoin Robin Linus
` (3 preceding siblings ...)
2023-10-15 15:15 ` ZmnSCPxj
@ 2023-10-17 18:00 ` Russell O'Connor
4 siblings, 0 replies; 6+ messages in thread
From: Russell O'Connor @ 2023-10-17 18:00 UTC (permalink / raw)
To: Robin Linus, Bitcoin Protocol Discussion
[-- Attachment #1: Type: text/plain, Size: 2664 bytes --]
While I haven't looked at the BitVM in detail, I would like to mention that
Simplicity's core language (excluding introspection primitives) has the
same expressivity as Boolean circuits.
A few years ago I did some experiments to compile Simplicity expressions to
a system of polynomial constraints (R1CS). The experiments were
successful. For instance, I was able to compile our Sha256 compression
function specification written in Simplicity to a set of approximately
128,000 constraints. Under this "circuit" interpretation, Simplicity types
represent cables, which are a bundle of wires equal to the 'bit size' of
the given type. The 'case' combinator ends up being the only "active"
component (implementing a demux). The 'injr' and 'injr' combinators output
some fixed Boolean values. The rest of the combinations end up only
connecting, bundling and unbundling wires, and contribute no constraints at
all.
While my previous experiment was generating constraints, it is clear to me
that a similar interpretation could instead generate logic gates, and I
would expect the same order of magnitude in the number of gates generated
as the number of constraints generated above. Thus Simplicity could be
used as a source of ready made expressions to generate useful circuits for
the BitVM, should someone be interested in pursuing this angle.
On Mon, Oct 9, 2023 at 10:05 AM Robin Linus via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:
> Abstract. BitVM is a computing paradigm to express Turing-complete Bitcoin
> contracts. This requires no changes to the network’s consensus rules.
> Rather than executing computations on Bitcoin, they are merely verified,
> similarly to optimistic rollups. A prover makes a claim that a given
> function evaluates for some particular inputs to some specific output. If
> that claim is false, then the verifier can perform a succinct fraud proof
> and punish the prover. Using this mechanism, any computable function can be
> verified on Bitcoin. Committing to a large program in a Taproot address
> requires significant amounts of off-chain computation and communication,
> however the resulting on-chain footprint is minimal. As long as both
> parties collaborate, they can perform arbitrarily complex, stateful
> off-chain computation, without leaving any trace in the chain. On-chain
> execution is required only in case of a dispute.
>
> https://bitvm.org/bitvm.pdf
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
[-- Attachment #2: Type: text/html, Size: 3297 bytes --]
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2023-10-17 18:00 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-10-09 13:46 [bitcoin-dev] BitVM: Compute Anything on Bitcoin Robin Linus
2023-10-10 1:06 ` Lloyd Fournier
2023-10-10 1:12 ` symphonicbtc
2023-10-10 1:27 ` Anthony Towns
2023-10-15 15:15 ` ZmnSCPxj
2023-10-17 18:00 ` Russell O'Connor
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox