BitVMX: A CPU for Universal Computation on Bitcoin

TL;DR

BitVMX introduces a flexible virtual CPU design for Bitcoin that enables arbitrary program execution using hash chains, challenge-response protocols, and authenticated communication, improving verification efficiency over previous methods.

Contribution

It presents a novel CPU design supporting architectures like RISC-V, utilizing hash chains and a new challenge-response protocol to verify arbitrary computations on Bitcoin.

Findings

Supports common architectures like RISC-V and MIPS

Avoids complexities of Merkle trees and signature equivocations

Flexible instantiation balancing cost and complexity

Abstract

BitVMX is a new design for a virtual CPU to optimistically execute arbitrary programs on Bitcoin based on a challenge response game introduced in BitVM. Similar to BitVM1 we create a general-purpose CPU to be verified in Bitcoin script. Our design supports common architectures, such as RISC-V or MIPS. Our main contribution to the state of the art is a design that uses hash chains of program traces, memory mapped registers, and a new challenge-response protocol. We present a new message linking protocol as a means to allow authenticated communication between the participants. This protocol emulates stateful smart contracts by sharing state between transactions. This provides a basis for our verification game which uses a graph of pre-signed transactions to support challenge-response interactions. In case of a dispute, the hash chain of program trace is used with selective pre-signed transactions to locate (via $n$-ary search) and then recover the precise nature of errors in the computation. Unlike BitVM1, our approach does not require the creation of Merkle trees for CPU instructions or memory words. Additionally, it does not rely on signature equivocations. These differences help avoid complexities associated with BitVM1 and make BitVMX a compelling alternative to BitVM2. Our approach is quite flexible, BitVMX can be instantiated to balance transaction cost vs round complexity, prover cost vs verifier cost, and precomputations vs round complexity.