Hacker Newsnew | past | comments | ask | show | jobs | submitlogin
BitVM: Compute Anything on Bitcoin [pdf] (bitvm.org)
128 points by wslh on Oct 16, 2023 | hide | past | favorite | 76 comments


The second sentence of the abstract says, "Rather than executing computations on Bitcoin, they are merely verified..."


This is a good thing. Instead of requiring every node to execute every instruction, parties can trustless prove computation happened off chain.


They are not really verified by full nodes either.

Computation is done by a Prover and duplicated by a Verifier. If the Verifier finds the computation result to be wrong, then they can identify a single gate (e.g. a NAND-gate) in the circuit doing the computation whose output bit(s) is wrong for its input bits, and expose this by engaging in an on-chain gate fraud proof, consisting of an alternation of transactions by Prover and Verifier that ends with one of them taking funds (the Prover in case the single gate computed correctly, the Verifier otherwise).


How does this work game-theoretically? Couldn’t a Verifier assume that most Provers are honest and just skip doing the computation themselves?


The verifier would normally have a financial stake in the correctness of the computation. For example, 2 parties could use this model to play a game on-chain for some amount of bitcoin. Then for every move, the party making the move commits to some move and new game state (acting as Prover) while the other party checks that the new state is correct (acting as Verifier). So the roles of Prover and Verifier are swapped at every move.


What do I care if the King of Sweden does the math problem or the guy at the desk next to me? Only knowing the answer is correct is what matters to me


This is true anywhere on any blockchain. There is no reason to do computation by chain validators, only to verify that it was done correctly.

(Downvotes? I’m being serious.)


It's not true on any blockchain — Ethereum requires validators to actually run smart contract code, for example.

On-chain verification is the ideal though. On-chain computation is incredibly expensive and wasteful.


On-chain computation is required if state is also stored on-chain. Local state is transformed by every node on the network in exactly the same way. It's not wasteful—it's the reason that every node knows definitively that the state advertised by the rest of the network is actually correct.


Not true! Validators and users don't actually care what what computation happened, they only care that whatever computation happened, did so according to the rules that were set in the contract in the beginning.

To make things concrete let's look at an example. Computational state in a block chain contract is typically stored in a Merkle hash trie. Let's say that the data stored is a key, and the holder of the key is allowed to spend the coins bound to the contract. The _computation_ is to check that the key is contained within the Merkel trie, then check signature of the key and the spend. However with some cool zero-knowledge crypto magic, you don't even have to reveal the Merkle inclusion proof, nor even the key itself. All you have to do is provide a zero-knowledge transcript which verifies that the computation of the contract (Merkle inclusion proof and signature check) validates. This is, essentially, how zerocash works.

This result generalizes. For whatever computation you want to perform in a contract, the contract can be rewritten to instead just validate a transcript of a successful execution of that computation. This isn't just academic either. All NP problems have transcripts that are validatable in polynomial time. A derivative of this result is that while you might need Turing completeness to express the logic of a smart contract, you do NOT need Turing completeness to validate its transcript. As a trivial example, a smart contract that involves computing a hash preimage by brute force in a tight loop, could be replaced with a contract that merely takes a string and checks that it hashes to the desired value.


> All NP problems have transcripts that are validatable in polynomial time

Sure, but are they provable in polynomial time?

Proof generation is much more expensive than just running through the original computation through standard means.

> However with some cool zero-knowledge crypto magic, you don't even have to reveal the Merkle inclusion proof, nor even the key itself.

I hate that the exact way that ZK systems work is always omitted from any discussion of the subject. It is very complicated, which explains why no one like to (or is even able to) get into the specifics, but somehow this also leads to handwavy assertion that all we need to do to avoid all that expensive and duplicative computation is to sprinkle in some zero-knowledge proofs.

Due to performance limitations, for all intents and purposes ZK tech is impractical to the point of being infeasible for truly decentralized blockchains with turing-complete smart contract capabilities. It works for more specialized purposes, but it is not a currently solution to the "duplicative computation" problem.


> Sure, but are they provable in polynomial time?

It doesn’t matter, does it? That computation happens off-chain.

As an actual example, there are contracts locked to providing a collision proof for various hash functions. The one for SHA1 was claimed a few years ago when Google generated the first SHA-1 collision. That represented a lot of work on Google’s behalf, but was trivial for bitcoin nodes to validate.

> Due to performance limitations, for all intents and purposes ZK tech is impractical to the point of being infeasible for truly decentralized blockchains with turing-complete smart contract capabilities. It works for more specialized purposes, but it is not a currently solution to the "duplicative computation" problem.

You misunderstand me. I’m not suggesting that such a general zkp system be used, but rather offering it as a theoretical point.

In practice you make a specialized zk proof for whatever you are trying to do. And despite the hype, the practical use cases for Turing complete smart contracts are quite small and limited in scope. If you have a smart contract with real world applicability that can’t be reduced down to a handful of easily checked signatures and if-else clauses (or something of similar complexity), I’d like to see it. I know of scant few examples, and this is my field of expertise.


Can you please recommend a book on ZK proofs for someone with basic CS level understanding of algorithms and data structures? I would like to understand it better and use it in dapps. I feel like it completely change the relation between what's data and what's computation, a bit how matter and energy was linked in physics.


Sorry, no. Hopefully someone else can chime in, but when I entered the field there simply weren’t any such resources.


Are all polynomial time algorithms implementable with primitive recursion? You would need to know the constant factor, right?


In practice, yes. And for real world applications I know of, the depth of primitive recursion is small enough that loops can be fully unrolled. So e.g. bitcoin’s lack of a looping construct isn’t even a problem.


Kind of! But that state can also be a proof that a transition function is correct, rather than eg raw application state.

Look into Mina or Zcash to better understand what I mean. Off-chain clients (eg, wallets in Zcash) keep the application state, and the state committed to the chain is just the proof that the application state is following an agreed-upon state transition function.

Relying on hashing, computation proofs, etc are ways to asymmetrically enjoy the benefits of global coordination without requiring all nodes in the network to run the code. Instead, they just verify the receipts of off-chain agents who ran the code.


You only need to verify computations, not run them yourself.


This model then only makes sense for computations that are easier to verify a solution for than to solve (or where both are trivial in terms of computation), presumably?


It can make sense for any computation that cannot be implemented within the existing Bitcoin script programming language.


LOL

always a sham


Definitely opens the possibility of a Bitcoin-on-Bitcoin implementation.


This is only true in a very loose and rather useless sense. This isn't because of some weakness of the BitVM construction, these are products of limitations of Bitcoin itself.

As far as I understand, all possible settlement pathways have to be predetermined. They can't be chosen/constructed on the fly according to the circuit. It also has a pretty restrictive prover-verifier relationship. If the prover lies then the verifier can force a recovery pathway, but if the verifier fails to perform their duties then the prover can choose the settle the construction in any of the predetermined settlement pathways. The only ways that that would work would require some trusted third party to sign off on the other outcomes. They can also, of course, collude to settle the contract in any arbitrary way, meaning that the verifier has to be trusted by third parties. There's also no obvious way to chain instances of this construction in an arbitrary data-dependent way. There's also large communication costs, where two hashes have to be exchanged for each wire in the circuit, which adds up a lot when you'd want to do nontrivial circuits. Although I can imagine someone could invent some clever construction to deterministically generate wire commitments in a way that each party could agree on, but I'm not sure what it would look like though given the constraints Bitcoin has.

So it's only possible to build a "Bitcoin-on-Bitcoin" with it if you don't care about moving funds between it and the host Bitcoin ledger or being able to be trusted by anyone other than the parties actively involved in executing the construction (like you could do with a rollup), which means it's useless as a thing to improve throughput.

It states in the paper that a more practical construction should be used in a real use-case. I'm still a little bit fuzzy on the details so I might be slightly off here. It's a very cool construction, and it's pretty neat that it's doable on Bitcoin today without modifications to the core protocol. Bitcoin only needs a couple of very minor modifications in order to enable basically anything-on-Bitcoin, which I sketched out [1] a while back that got some attention and further work [2].

[1] https://tr3y.io/articles/crypto/bitcoin-zk-rollups.html

[2] https://bitcoinrollups.org/


As funny as this comment is, I really think the bitcoin blockchain is an implementation of a truth engine. It's currently a ledger for most people but you can be pretty damn sure what has been written 1 hour ago, is the absolute truth.


“you can be pretty damn sure that some JSON got POSTed with appropriate signatures/a hash reward attached to it to some nodes listening on a peer-to-peer network and propagated around”


The effect of which is, you can be preset damn sure that the JSON is the same as the last time it was looked at and the time after that etc…

Not “truth” in the colloquial sense, which OP seemed to be implying, but not useless.


When old chips shall hash generation waste,

Thou SHAlt remain, in midst of other woe

Than ours, a friend to ape, to whom thou POST'st,

"JSON is truth, truth JSON,"—that is all

Ye know on chain, and all ye need to know.


What would be the point of that?

With bitcoin blocks as slow and small as they are, which is a good thing for security and decentralization, implementing bitcoin on top of the bitcoin chain would just slow this down even more.

Perhaps lightning is what you're thinking of.


Why build anything-in-anything?

It’s like a true classic computer science meme


Time to bring together every trend into a single product: An LLM and image generator developed through a cryptocurrency-based distributed network that is also a social media platform.


Someone brought the TCP and the HTTP together. Both popular. Worked out.


On the metaverse.


Only 16hrs/frame


I was curious so I did some back of the napkin math:

On ethereum you get: ~3 gas per instruction 15 million gas per block 12s per block ~420000 instructions per second

From online sources of stable diffusion on a GTX 1050 at 20 steps: 40 seconds to generate 1.8 TFLOPS at full precision 70 trillion instructions

That's around 5.2 years.

If you account for a lack of floating point instructions (a ~34x instruction overhead) that's 180 years per image.


If there's a reactive, stateful medium, there will be a generalized Game of Life implementation described in LaTeX at some point.


Ok so they copy Etherum on their next bitcoin client update.


The costs involved in getting this to work would be way too expensive.

It's a fascinating trick, but not realistic for any practical use.


It already works and has a proof of concept available: https://github.com/supertestnet/tapleaf-circuits


You’re missing my original point - it’s increasingly expensive for increasingly complex logic to be used for anything practical


When to expect a running Doom on bitcoin?


Bitcon can be turing complete but it is not on purpose.


please don't. wildly inefficient


So is using sed to play chess. This exists as a proof on concept not as a suggestion that it is a practical solution.

Since you chose to post this request here and not on the thread about playing chess with sed, I suspect you are imagining some form of real world effect from the energy expenditure from people doing this. I think that lacks a sense of perspective, a better approach would be to consider the change in state of the world after an extended period of expected use of the approach. Considering the considerable lack of practicality of calculating in Bitcoin (and indeed playing chess in SED) the expected use is negligible and consequently the impact would also be negligible.


This improves the efficiency of Bitcoin.


What’s the harm?


immense amounts of wasted energy


That’s a matter of opinion. Many happen to believe it is not wasted.



Bitcoin uses less than 0.1% of the world's energy. Any time somebody says things like "uses more energy than a country" they are either dishonest or malicious and clearly have an agenda. I'd recommend to try to stick facts, not opinions.


Bitcoin or not I don't like the idea of having opinionated people and entities judging what I do with the energy I paid for. Today is proof of work, tomorrow might be high end computer gaming, hopping on a car for a trip etc. You can already see on this very site judgmental comments about carbon usage when you mention a hobby like home lab.


Agree, the entire concept is ridiculous.

We don't ration energy usage to the bare essentials in free countries. That's the sort of thing that people attempt to escape.


My initial point was to inform the OP about peer-reviewed articles on current waste, not which energy uses are allowed or disallowed, nor a call to judge or curtail individual energy expenditures.

As with many things, there is not a single 'right' or wrong, but degrees of evidence. Highlighting current chain inefficiencies allows future versions to better mitigate these energy impacts. Honing any process to use less energy while achieving similar or better results is not an unreasonable goal.

Re: your first point, am I right to understand that entities that are able to afford higher usage should have no qualms doing so?


> My initial point was to inform the OP about peer-reviewed

"Peer-reviewed" is meaningless if it's not scientific, fact-based.

> articles on current waste

See, you start with the assumption that it's wasted. You can only come to that conclusion if you assume that bitcoin serves little or no purpose.

> Honing any process to use less energy while achieving similar or better results is not an unreasonable goal.

Energy usage is what brought humanity from stone tools and caves to the moon, using energy is a good thing that advances civilization. Energy production can be problematic, which bitcoin doesn't do. Proof of work is one of the core innovations, there is no system that has better results.


I wouldn't be too quick to dismiss the linked sources, though. Similar to the authored pieces, I don't assume energy is 'wasted' on a perceived goal, but that actual waste is produced (e.g. mining devices are discarded quite frequently) as well as waste energy due to protocol implementation inefficiencies and infrastructural limitations (i.e. many compute cycles for little gain).

Both can be accounted for: would you not rather see a version where these issues are accounted for? PoS is a sure way forward, but there are still many legacy chains around that do not benefit from this [0].

[0]: https://www.sciencedirect.com/science/article/abs/pii/S03014...


> PoS is a sure way forward

No, PoS is a total failure. As it is not tied to reality the history of the ledger can be modified at will. There is no independent way of knowing which chain is the "real" one. There is no independent way of knowing which "validators" are valid. You can not leave the network and rejoin and be sure about the history without trusting some third party. This is the problem that PoW solved and PoS doesn't.


What would then be a more optimal trade-off compared to current implementations, in your opinion?


I'm not sure what you mean by your question. PoW solved a problem no other known system solves. There is no trade-off here.


Paying for something doesn't rid you of the responsibilities of its consequences


Less than .1 % for embarrassingly little volume


Less than .1% to secure more than 500 billion of value. Bitcoin energy usage is primarily to secure the network, not for transaction "volume", but that's a common misconception for people who have yet to learn about bitcoin.


You're splitting hairs. If the energy is needed to stave away a 51% attack, that's the energy needed to support the single digit tps monstrosity you have. As for the 500 billion in value, I doubt if everyone liquidated their positions today it'd amount to a figure remotely close to that.


> I doubt if everyone liquidated their positions today it'd amount to a figure remotely close to that.

The same goes for any stock in the S&P 500. Market Cap is just a number.


If once in bitcoin's history there is 51% attack, all energy that was ever used was used to prevent this one attack. Wow, you totally convinced me.


Bitcoin uses a ridiculously small amount of energy to begin with.


Just one country, to achieve the computational and storage power of a raspberry pi. The mental gymnastics continue to beggar belief.

I wish people would just be honest and say yes, it's absurd and wasteful, but I think it'll make me rich so I don't care.


> I wish people would just be honest and say yes, it's absurd and wasteful, but I think it'll make me rich so I don't care.

That's just your opinion. Most hardcore bitcoiners aren't in it to be rich, it's because it has a lot of potential to be a more sustainable monetary system over what we have now. I don't see the energy consumed by Bitcoin to be wasted and I'm doubtful that most who say it is understand why it's used in the first place.


Every industry on this planet that is worth doing uses "more energy than one country". Anybody who parrots this "argument" is either stupid or malicious.


I find it interesting to travel in such country. Take a train and when it approaches a city look at all the buildings passing by. All the lights in the windows that show that people live there. The eletric heating of many of those homes. All the electricity any of the people living there ever spends. All the factories, farms you see on the way. Massive greenhouses. Server farms. All those electric cars stuck in traffic. The train goes for hours and hours. Everything you see combined uses less electricity than bitcoin. Millions of people can run their lives and build all their businesses using less energy.

The scale is mind boggling.


Like I said, the same can be said about any industry on this planet. That this fact is mind-boggling for you shows that you haven't really ever thought about energy consumption. That you see this as a weakness of bitcoin shows that you approach bitcoin with the preconception that it is useless, and that you try to find facts that suit your view.


That’s a fair point I don’t have good grasp on what energy usage really is.

I don’t perceive bitcoin as useless. I think the energy usage is way out of scale. POW is elegant solution to building the system, but the logical conclusion is that it ends up taking massive industry scale resources only catering to small to midsize industry. It’s economically viable only in the narrow sense that we don’t anticipate the true longterm costs of energy spent.


> but the logical conclusion is that it ends up taking massive industry scale resources only catering to small to midsize industry.

That's a fair assumption, but personally I find it absurd to think that a global open permissionless trustless non-censorable payment system will not keep growing. I think that's an expression of the financial privilege rich people in secure, wealthy countries without any financial problems have.

> That’s true, but then so does Google, Youtube, Facebook, Amazon, the cruise industry, Christmas lights, household drying machines, private jets, the zinc industry, and basically any other sizable platform or industry. From that list, Bitcoin’s energy usage is the closest to that of the cruise industry’s energy usage, but bitcoins are used by more people, and the network scales far better. If people were 10% more efficient at shutting off their electronic devices when not using them, then that alone would save more energy than the global Bitcoin network uses.

> https://www.lynalden.com/bitcoin-energy/


> It’s economically viable only in the narrow sense that we don’t anticipate the true longterm costs of energy spent.

Why would it be less economically viable with scale? As Bitcoin increases in value, the hashrate and energy usage will increase. If it doesn't, the hashrate and energy usage will stagnate or decrease.

If you think the energy usage is "way out of scale" for the problem it solves, I think you may be underestimating the challenges of developing a decentralized monetary system and the impact of money on society itself.


So more non-solutions in search of a problem, there is no use case for this only burning more computing cycles.

This is the best way to take something that doesn't work at all for the environment and make it even worse.


Seems like a toy project


Cool totally academic exercise. I shudder at the performance not to mention energy waste.

A better question is what chain to use for efficient ( $/op or watts/op? ) verified Turing complete computation.

Avax?? I really have no idea.


Chia uses a lisp variant, along with the a similar coin model to bitcoins utxo. So it's computationally powerful, while avoiding the security nightmares of Eths account model (i.e. no global variables, functions have no side effects)




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: