ZeroSync developer Robin Linus has published a paper on a Bitcoin protocol, BitVM, which is capable of processing Turing-complete smart contracts. For a decade, Ethereum differentiated itself from Bitcoin with Turing-completeness. Now, in what has been called “the most exciting discovery in the history of bitcoin script,” Bitcoin maximalists may build Turing-complete smart contracts.
A computer program is Turing-complete if it can use arbitrary types of computation to find an answer to any computational problem. Turing-complete smart contracts can run the logic of any computer request, like addition, multiplication, store/write, retrieve/read, erase/delete, if-else conditions, return statements, etc. — and produce the result of such a computer program.
The BitVM protocol, short for Bitcoin Virtual Machine, uses zero-knowledge proofs to compress data-processing off-blockchain before committing the results to a Taproot Bitcoin transaction for final verification by miners and nodes. In this way, BitVM is similar to an Ethereum roll-up.
Linus announced the protocol with the slogan, “Any computable function can be verified on Bitcoin.”
Technical details of the BitVM protocol
The protocol requires neither a soft fork nor a hard fork to activate. BitVM is already active and requires no changes to Bitcoin’s consensus rules.
BitVM only asks Bitcoin to verify the truth or falsehood of final fraud proofs generated by BitVMs.
BitVMs (yes, there can be many virtual machines) are based on NAND gates: logic gates that produce a ‘0’ bit only if they receive two ‘1’ bits. NAND gates can produce all other types of logic gates. Although NAND gates can be inefficient, they are useful for applications that need arbitrary computation.
BitVM uses three basic operations of smart contracts on Bitcoin’s blockchain: signature, timelock, and hashlock operations.
It uses hashlocks and the OP_BOOLAND and OP_NOT opcodes, for example, to produce NAND gates. Hashlocks plus these two opcodes can individually take a single-bit input and generate a single-bit output based on whether the input is a ‘1’ or a ‘0.’
The two bits generated by OP_BOOLAND and OP_NOT can be sent to another opcode called OP_EQUALVERIFY. If OP_EQUALVERIFY cannot verify that the bit matches the desired output, the attempt to verify the claim is rejected.
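The gate check described above can be modelled in a few lines. This is an added Python model, not Bitcoin Script and not code from the BitVM paper; SHA-256 as the hashlock function and the names `BitCommitment`, `open_bit` and `verify_nand` are assumptions made for illustration.

```python
import hashlib
import secrets

def h(preimage: bytes) -> bytes:
    # Assumption: SHA-256 stands in for the hash function behind the hashlock.
    return hashlib.sha256(preimage).digest()

class BitCommitment:
    """One wire of the circuit: a secret preimage per bit value, hashes public."""
    def __init__(self):
        self._preimages = (secrets.token_bytes(20), secrets.token_bytes(20))
        self.hashes = (h(self._preimages[0]), h(self._preimages[1]))
    def reveal(self, bit: int) -> bytes:
        return self._preimages[bit]

def open_bit(hashes, preimage: bytes) -> int:
    """Hashlock check: map a revealed preimage to the bit it commits to."""
    digest = h(preimage)
    for bit in (0, 1):
        if digest == hashes[bit]:
            return bit
    raise ValueError("preimage matches neither hashlock")

def verify_nand(wire_a, wire_b, wire_out, pre_a, pre_b, pre_out) -> bool:
    """Model of the gate check: open three bits, BOOLAND, NOT, EQUALVERIFY."""
    try:
        a = open_bit(wire_a.hashes, pre_a)
        b = open_bit(wire_b.hashes, pre_b)
        claimed = open_bit(wire_out.hashes, pre_out)
    except ValueError:
        return False                      # a bad preimage aborts the check
    booland = int(a != 0 and b != 0)      # OP_BOOLAND
    negated = int(booland == 0)           # OP_NOT
    return negated == claimed             # OP_EQUALVERIFY

def honest_truth_table():
    """Run the gate for all four inputs with an honest prover."""
    rows = []
    for a in (0, 1):
        for b in (0, 1):
            wa, wb, wo = BitCommitment(), BitCommitment(), BitCommitment()
            out = 1 - (a & b)
            ok = verify_nand(wa, wb, wo, wa.reveal(a), wb.reveal(b), wo.reveal(out))
            rows.append((a, b, out, ok))
    return rows

def false_claim_accepted() -> bool:
    """A prover claiming NAND(1, 1) = 1 must fail the check."""
    wa, wb, wo = BitCommitment(), BitCommitment(), BitCommitment()
    return verify_nand(wa, wb, wo, wa.reveal(1), wb.reveal(1), wo.reveal(1))
```

Each wire's hashes are public while the preimages stay with the prover, so revealing a preimage is what fixes the bit value the gate check operates on.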
Again, NAND gates permit applications that require two ‘yes or no’ questions to be answered, and they can be combined with opcodes that consolidate the answers to other questions into two inputs. Consider a simple example of a BitVM: an escrow smart contract.
Simple examples of Bitcoin Virtual Machines
Putting those technical capabilities together, consider someone sending bitcoin to a BitVM contract address. This BitVM will be a smart contract: an escrow payment service.
A very simple series of NAND gates can automatically escrow the incoming bitcoin for a set number of blocks. One gate can produce the first of the final ‘1’ bits by answering a question: “Is there money in the timelock?” Then, if the counterparty subsequently keeps up their end of the deal within that time, another NAND gate can create the other ‘1’ bit. Satisfying the terms of the escrow, the intended recipient receives the payout from the escrow. On the other hand, if the escrow expires before the counterparty keeps up their end of the deal, the gate spits out a ‘0’ bit, and the payer receives their refund.
Already, Bitcoiners are tinkering with other types of BitVMs. Linus’ whitepaper suggested introductory applications such as games that require at least two players, like chess or poker. Games with defined rulesets, data, and computational requirements allow players to agree on simple rules, with the BitVM protocol preventing cheating.
Other possible applications include bridges to other blockchains, prediction markets, or emulating Bitcoin opcodes.
As a Turing-complete protocol, BitVM can verify any computation on-chain using zero-knowledge proofs.
Explain it to me like I’m five
In summary, BitVM proposes a system that verifies any off-blockchain computation. It provides a strong assurance, backed by a multi-billion dollar mining and node industry, that the mathematical proofs summarizing any computation are valid.
By encoding fraud proofs using zero-knowledge proofs, BitVM allows any two parties to verify the execution of any computer program — and penalize fraud with the bitcoin committed to their proof transaction.
The idea of a ‘Bitcoin Virtual Machine’ did seem to take some people by surprise. It brings Bitcoin closer to Turing-completeness without having to change the core consensus protocol. It also allows Bitcoin to verify computer functions that would be impossible to fit into Bitcoin’s data-constrained blockchain.
The author of BitVM’s whitepaper, Robin Linus, aims to move the processing cost of running complex computations away from the Bitcoin blockchain. He uses Taproot and NAND logic gates to allow computations that require multiple answers to various ‘yes or no’ questions.