Skip to content

Instantly share code, notes, and snippets.

@rot13maxi
Created April 25, 2025 23:31
Show Gist options
  • Save rot13maxi/0a383df2e48df402a92bd75bf67aee20 to your computer and use it in GitHub Desktop.
Save rot13maxi/0a383df2e48df402a92bd75bf67aee20 to your computer and use it in GitHub Desktop.
<think>
Okay, so I need to summarize this paper titled "ColliderVM: Stateful Computation on Bitcoin". Let me start by reading through the provided content
carefully. The authors are Victor Kolobov, Avihu Levy, and Moni Naor. They're from StarkWare and the Weizmann Institute.
First, the abstract mentions that Bitcoin's scripting language can't handle stateful computations without upgrades like BIP-347 (OP_CAT). Existing
approaches like BitVM use fraud proofs but have capital inefficiencies. The authors propose ColliderVM to eliminate those issues by using hash
collisions instead of signatures for storage.
Looking into the introduction, they explain the limitations of Bitcoin Script: opcode limits, stack size restrictions, and lack of native stateful
computation. Stateful computation requires data persistence (storing data across transactions) and logic persistence (keeping the same code across
multiple steps). Applications include smart contracts, L2 bridges, etc.
The problem with current methods like BitVM is that fraud proofs require operators to front funds during withdrawals, which isn't
capital-efficient. The authors want a method without this issue.
In their contributions section, they outline ColliderVM's approach: using hash collisions instead of Lamport/Winternitz signatures in BitVM. This
reduces script length for STARK proof verification compared to pairing-based systems. They also mention that security relies on 1-out-of-n honest
signers and operators, similar to BitVM but without fraud proofs.
The construction section uses presigned transactions where each step checks a hash collision. For example, splitting a function into subfunctions
and requiring that inputs to each subfunction form a valid B-pair with the same D element. This forces attackers to find collisions, which is
computationally hard. They use propositions to outline parameters (like L and B bits) to balance security and efficiency.
Extensions include handling multiple operators/signers and applications like L2 bridges where deposits are handled via these presigned flows.
Benefits over BitVM2 include capital efficiency, reduced storage overhead with better hash functions, simpler flow without fraud proofs. Drawbacks
are higher storage needs for presigned transactions and computational costs for finding preimages.
Feasibility discusses using STARK verifiers. They compare script sizes when replacing OP_SHA256 with BLAKE3 or Bitcoin-friendly hashes. Parameters
like B=120 bits give 97-bit security, needing 2^46 flows per deposit. However, splitting proofs reduces overhead.
Conclusion emphasizes that ColliderVM enables stateful computation without fraud proofs, relying on hash collision resistance and honest
participants. Future work includes better hash functions and optimizations.
Now, I need to condense this into a concise summary highlighting key points: problem with Bitcoin Script's statefulness limitations, how BitVM's
approach has flaws (capital inefficiency), ColliderVM's method using hash collisions for storage instead of signatures, benefits like capital
efficiency and simpler flow, security assumptions (honest participants + collision resistance), and potential applications. Also note the
trade-offs like storage and computational costs.
Wait, did I miss any key technical details? The use of presigned transactions with each subfunction checking a hash condition so that inputs must
align across steps. They also mention triple collisions for more security but at higher transaction overhead. Comparing parameters (like L=46 vs
B=120) and how this affects work needed for honest vs malicious parties.
Also, in applications like bridges, the protocol setup with signers and operators, ensuring safety if one is honest. The withdrawal process using
hash preimages to trigger flows without needing upfront funds since the presigned transactions are already set up.
I should structure the summary logically: Background/Problem, Solution (ColliderVM), How it Works (hash collisions, presigned txs), Advantages over
BitVM2, Trade-offs and feasibility, Applications. Keep it clear and not too technical but still accurate.
</think>
**Summary of "ColliderVM: Stateful Computation on Bitcoin"**
### **Background & Problem**
Bitcoin's scripting language lacks native support for *stateful computation*—the ability to persist data and logic across multiple transactions.
While upgrades like BIP-347 (OP_CAT) could enable this, current solutions rely on workarounds such as BitVM, which uses fraud proofs. However,
BitVM suffers from **capital inefficiency** due to operators needing to front funds during withdrawals until fraudulent activity is reported.
### **ColliderVM: Key Innovation**
The authors propose **ColliderVM**, a protocol enabling stateful computation *without fraud proofs*. It achieves this by replacing signature-based
storage (used in prior protocols) with **hash collision challenges**. This approach ensures computational integrity while addressing BitVM's
capital inefficiency and reducing on-chain script size overhead.
---
### **How It Works**
1. **Presigned Transaction Flows**:
- A function \( f \) is split into subfunctions \( f_1, ..., f_k \).
- Signers preauthorize transaction flows for each subfunction, requiring inputs that form valid hash collisions.
2. **Hash Collision Commitment**:
- Inputs (e.g., a withdrawal proof and nonce) must satisfy \( H(x,r)|_B \in D \), where \( D \) is a set of predefined values. This ensures all
subfunctions use the same input \( x \).
- A malicious operator must find *colliding inputs* across transactions, which requires solving a hard computational problem (e.g., birthday
paradox for collisions).
3. **Security Parameters**:
- **\( L \)**: Size of the set \( D = 2^L \) (e.g., \( L=46 \)).
- **\( B \)**: Hash bits checked (\( e.g., B=120 \)), balancing honest effort (\( B-L \)) and attack cost (\( B-L/2 \)).
- Example: With \( L=46, B=120 \), an attacker needs ~97-bit work to cheat vs. 74 bits for honest operators.
---
### **Advantages Over BitVM2**
| **Aspect** | **BitVM2 (Fraud Proof-Based)** | **ColliderVM (Hash Collisions)** |
|--------------------------|-----------------------------------------|-------------------------------------------|
| **Capital Efficiency** | Operators front funds, delayed reimbursement. | No upfront capital required; funds released immediately via presigned
flows. |
| **Storage Overhead** | 26 bytes/byte with Winternitz sigs | ~88 bytes/byte for BLAKE3, but reduced by hash function optimizations. |
| **On-Chain Script Cost** | Gigabytes (pairing-based SNARKs) | Millions of opcodes (STARK verification), reduced with Bitcoin-friendly
hashes. |
| **Fraud Proofs Needed?** | Yes (reliance on economic incentives) | No (computationally enforced via collisions). |
---
### **Applications**
1. **L2 Bridges**:
- Deposits trigger presigned flows redeemable upon withdrawal proofs.
- Example: A user’s deposit is secured via hash-colliding transactions, ensuring withdrawals validate correct L2 state transitions without
upfront operator funding.
2. **Stateful Smart Contracts & Vaults**:
- Enables persistent logic and data across interactions (e.g., vaults, smart contracts) using presigned flows to enforce consistency.
---
### **Trade-offs**
- **Storage**: Requires \( 2^L \) pre-signed transaction flows per deposit (e.g., ~70TB for \( L=46 \)).
- **Computation**: Operators must solve hash preimage puzzles (e.g., \( 2^{74} \) operations), potentially limiting throughput.
- **Security Assumptions**:
- Requires **1-of-n honest signers/operators** and collision-resistant hashing.
---
### **Feasibility & Future Work**
- **Hash Functions**: Bitcoin-friendly implementations (e.g., optimized BLAKE3) could drastically reduce costs.
- **Optimizations**: Splitting proofs into subcomponents reduces cross-transaction data sharing. A STARK verifier example showed 10M opcodes with
improvements.
- **Collaboration Needs**: Research on reducing storage, improving hash efficiency, and widening the computational gap between honest/malicious
actors.
---
### **Conclusion**
ColliderVM offers a novel approach to stateful computation on Bitcoin by leveraging hash collisions instead of fraud proofs. While it introduces
trade-offs in storage and computation costs, it eliminates BitVM’s capital inefficiency and simplifies protocol design. This makes it promising for
L2 bridges and smart contracts while highlighting opportunities for further optimization in cryptographic primitives and implementation efficiency.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment