Cointime

BitVM – The first real path to Bitcoin Layer-2s

From GLOBAL COIN RESEARCH TEAM by Lukasinho

The recent approval of Bitcoin spot ETFs and bullish BTC price action have become a catalyst for heightened interest in the Bitcoin ecosystem. A myriad of projects aiming to improve Bitcoin’s scalability have been introduced in recent times, the most exciting of them being BitVM.

BitVM is the first solution to build real Bitcoin layer-2 networks. In this article we want to look at how BitVM is achieving this, the opportunities and limitations as well as what we can expect from the future.

What is BitVM?

“BitVM is a computing paradigm to express Turing-complete Bitcoin contracts. This requires no changes to the network’s consensus rules. Rather than executing computations on Bitcoin, they are merely verified, similar to optimistic rollups. A prover makes a claim that a given function evaluates for some particular inputs to some specific output. If that claim is false, then the verifier can perform a succinct fraud proof and punish the prover. Using this mechanism, any computable function can be verified on Bitcoin.

Committing to a large program in a Taproot address requires significant amounts of off-chain computation and communication, however the resulting on-chain footprint is minimal. As long as both parties collaborate, they can perform arbitrarily complex, stateful off-chain computation, without leaving any trace in the chain. On-chain execution is required only in case of a dispute.”

Source: BitVM Whitepaper – Abstract

Source: atlas21.com

Why is building a Layer 2 on Bitcoin so hard?

Bitcoin cannot at a base layer verify zero-knowledge or validity proofs. This is due to its underlying language: Script. Unlike the smart contract languages of other blockchains, Script isn’t Turing complete.

A system or programming language is considered Turing complete if it is capable of solving any computational problem. As a Turing complete system, Solidity can execute more or less any program imaginable – DeFi protocols, zero-knowledge proof verifiers and much more. This allows these applications to be directly implemented on Ethereum. Since Script is not Turing complete, Bitcoin does not have this capacity.

Satoshi deliberately restricted Bitcoin’s capabilities to ensure decentralization. So that anyone can run a node that quickly verifies transactions, and miners can build blocks, Satoshi kept transaction information simple to prevent the computational requirements for verifying blocks from spiraling out of control.

As a result, complex computations like fraud proofs or zero-knowledge verifiers so far couldn’t exist natively on Bitcoin. Without those capabilities, Bitcoin cannot interpret what is happening outside of its own chain. Bundling transactions and posting them on the mainnet, as Ethereum layer-2s do, is consequently not possible.

BitVM promises to have figured out a way to run any computation on Bitcoin without making full nodes execute every line of code. This would be a massive paradigm shift as it would allow Bitcoin to run trust-minimized systems and so enable the development of real Layer-2 networks.

How does BitVM resolve Bitcoin’s limitations?

In a nutshell, BitVM’s trick is lifting all of the logic off-chain and being able to challenge a few steps of the computation on-chain if verifiers assert a dishonest outcome.

A prover commits to performing a computation off-chain and posts an economic stake to guarantee that they will complete it correctly. After completion, the prover submits the result embedded in a Bitcoin transaction. Verifiers can then check whether the computation was completed honestly and, if they notice any irregularities, submit fraud proofs to render the transaction invalid and slash the prover’s economic stake.

However, as previously mentioned, Bitcoin has no smart contract compatibility. To verify all of this, BitVM relies on breaking down code into binary gates – also called Boolean logic gates.

Under the hood, all a computer does to complete a process is pass around zeros and ones. These zeros and ones are processed by tiny devices called logic gates. Each logic gate takes one or two inputs (either zeros or ones) and produces a single output (again, either a zero or a one). By combining these logic gates in various ways, any kind of computation can be performed.

After breaking down the code into such binary gates, BitVM organizes them into a structure called a Taptree (also known as a Tapleaf tree). A Taptree is a type of Merkle tree, which is a data structure used to efficiently verify the contents of large sets of data.

In the case of BitVM, each leaf of the Taptree represents a different step in the computation process. By chaining together multiple logic gates within the Taptree, BitVM can perform any desired computation. The entire Taptree, containing all the necessary logic gates can then be embedded into a Bitcoin transaction. 

To ensure everything is done correctly, two parties can engage in a process where one tries to prove they’re doing the computation correctly while the other verifies their work. If there’s a disagreement, they can resolve it by revealing certain secret values within the Taptree that prove who’s right and who’s wrong.

In the end, this process ensures that the computation is carried out accurately, and the appropriate party receives the funds based on the result. 

Source: BitVM whitepaper
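The gate-by-gate commitment and dispute described above, as an added example that is not code from the BitVM whitepaper or from this article. It is a toy model that assumes a plain SHA-256 Merkle tree in place of a real Taptree, a constructed four-gate NAND circuit computing XOR, and hypothetical function names; bit-value commitments, pre-signed transactions and stake handling are left out.

```python
import hashlib

# Constructed circuit (assumption): XOR built from four NAND gates.
# Wires 0 and 1 are inputs; each gate is (in_a, in_b, out) over wire indices.
GATES = [(0, 1, 2), (0, 2, 3), (1, 2, 4), (3, 4, 5)]

def h(b):
    return hashlib.sha256(b).digest()

def leaf(gate):
    # One leaf per gate: the hash commits to which wires the gate connects.
    return h(b"NAND:%d,%d->%d" % gate)

def next_level(level):
    # Pairwise hashing; this toy tree assumes a power-of-two leaf count.
    return [h(level[i] + level[i + 1]) for i in range(0, len(level), 2)]

def merkle_root(leaves):
    while len(leaves) > 1:
        leaves = next_level(leaves)
    return leaves[0]

def merkle_path(leaves, idx):
    path = []
    while len(leaves) > 1:
        path.append(leaves[idx ^ 1])          # sibling at this level
        leaves, idx = next_level(leaves), idx // 2
    return path

def verify_path(root, node, idx, path):
    for sib in path:
        node = h(sib + node) if idx & 1 else h(node + sib)
        idx //= 2
    return node == root

def nand_ok(gate, wires):
    x, y, out = gate
    return wires[out] == 1 - (wires[x] & wires[y])

def evaluate(a, b):
    # Honest off-chain execution: fill in every wire value.
    wires = {0: a, 1: b}
    for x, y, out in GATES:
        wires[out] = 1 - (wires[x] & wires[y])
    return wires

def find_fraud(claimed):
    # Verifier, off-chain: index of the first gate the claimed wires violate.
    return next((i for i, g in enumerate(GATES) if not nand_ok(g, claimed)), None)

def dispute(root, gate, idx, path, claimed):
    # The only work left for the dispute: one leaf, its path, three bits.
    return verify_path(root, leaf(gate), idx, path) and not nand_ok(gate, claimed)
```

The dispute succeeds only if the challenged gate is provably part of the committed circuit and the prover's claimed bits contradict it, so a verifier cannot win by inventing a gate that was never committed.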

Potential Challenges

While BitVM seems to solve Bitcoin’s biggest limitations, it doesn’t come without its own challenges.

Firstly, BitVM only allows the creation of trust-minimized systems, not trustless systems. A 1-of-N trust assumption will remain, as at least one honest verifier is needed to step in and challenge attempted frauds. If someone were to undermine every single verifier, they could post fraudulent transactions on the Bitcoin chain. Luckily there is no upper bound on how many verifiers engage in the network. Anyone will be able to act as a verifier. The more verifiers participate in the network, the more robust the 1-of-N trust assumption becomes and the more secure the system will be.

A second issue lies in the potential complexity of this system. Taptrees could have billions of leaves, with pre-signed transactions to go with them, all at least a few hops long to ensure accurate settlement. In order to develop something using BitVM, one has to build it at the very lowest level of programming. This means there are countless different components that need to be built and put together in order to get a higher-level programming language or even just a ZK verifier.

In its current state, BitVM would only support a two-party model. This means it cannot support smart contracts with multiple parties involved and many moving parts. For that reason, most if not all applications would need to be developed on L2s with proof verification occurring on Bitcoin L1.

BitVM Early Adoption

BitVM is not a layer-2 blockchain. Instead of building the L2 blockchain themselves, the Zero Sync team focuses on providing the infrastructure necessary for other teams building such networks. 

Citrea, Bitlayer and zkBase are three such projects that are looking to build layer-2 blockchains powered by BitVM. Citrea will be a zkEVM using STARKs – like zkSync and Starknet. Bitlayer is building an L2 framework that will support EVM, SVM, MoveVM and Cairo. zkBase is building zkByte as a zkVM, based on the Halo 2 proving system – an evolution of the Halo system developed to solve Zcash’s scalability issues.

The BitVM whitepaper was just published in December and the product itself is still in the early development stage with no launch date announced yet. We can assume that it will take quite a while until BitVM is launched and that until then likely more teams will jump on the opportunity to leverage it. 

Proof generation on Citrea. Source: docs.citrea.xyz/

Future Outlook

BitVM is one of the most exciting technical undertakings on Bitcoin in recent years. The two most exciting prospects it could enable are trust-minimized bridges and the verification of zero-knowledge proofs. These are two key components of zk-rollups. If BitVM can fulfill that potential, zk-rollups could usher in a new era of Bitcoin applications. DeFi, DAOs, gaming and more could all be coming to Bitcoin.

Bitcoin’s long-term sustainability has come into question as block rewards decrease, which could negatively impact mining profitability in the future. To sustain network security, Bitcoin will need to generate more fee revenue in the future than Bitcoin’s traditional use-cases can provide. BitVM has the potential to resolve this issue. With layer-2 scaling, the Bitcoin network becomes more accessible as a payment system and the activity of L2 networks could generate the fees necessary to secure the network long-term.

While this sounds promising, BitVM is still in its early phases of development. The general consensus within the BitVM community is that the majority of the challenges described earlier are solvable.

Bitcoin’s status as the first decentralized blockchain, its long-standing ecosystem of stakeholders, and now institutional acceptance point to strong motivating factors to continue to develop BitVM. BitVM has the potential to be an important breakthrough that expands the possibilities of what Bitcoin can be.
