BitVM: Compute Anything on Bitcoin

The sender shares their success in compiling Simplicity expressions to polynomial constraints, suggesting that logic gates can be generated in a similar manner. They believe Simplicity could provide ready-made expressions for the BitVM.

Another contributor proposes the idea of a Scriptless Script BitVM using points and scalars instead of hashes and preimages. They explain how bit commitments can be done using public keys and point commitments, and suggest the use of MuSig for logic gate commitments. Adaptor signatures are proposed to ensure correct commitments. This approach would make the BitVM invisible on the blockchain.

The conversation also explores the concept of taking an N-bit claim and providing a NAND circuit to assert its validity. A prover/challenger setup is discussed, where the verifier issues challenges and the prover must respond consistently. Tapleafs are used to encode assertions, allowing spending a transaction via a tapleaf to validate an assertion. Computational costs and cheating detection methods are considered.

Further questions are raised about implementing a high-level language for BitVM, establishing tapleaves, implementing zero-knowledge proofs, and resolving fraud costs. The sender expresses interest in arbitrary smart contracts on Bitcoin and seeks clarification on these aspects.

In response to a question, the sender suggests that existing zero-knowledge proof constructs may not be implementable directly on BitVM. They propose having programs written in a ZKP VM and executing proof verification on BitVM instead.

An example protocol that could be built using BitVM is requested, along with the possibility of exchanging Bitcoin using BitVM. The email provides a link to the BitVM whitepaper for more detailed information.