Created
April 25, 2025 23:31
-
-
Save rot13maxi/0a383df2e48df402a92bd75bf67aee20 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<think> | |
Okay, so I need to summarize this paper titled "ColliderVM: Stateful Computation on Bitcoin". Let me start by reading through the provided content | |
carefully. The authors are Victor Kolobov, Avihu Levy, and Moni Naor. They're from StarkWare and the Weizmann Institute. | |
First, the abstract mentions that Bitcoin's scripting language can't handle stateful computations without upgrades like BIP-347 (OP_CAT). Existing | |
approaches like BitVM use fraud proofs but have capital inefficiencies. The authors propose ColliderVM to eliminate those issues by using hash | |
collisions instead of signatures for storage. | |
Looking into the introduction, they explain the limitations of Bitcoin Script: opcode limits, stack size restrictions, and lack of native stateful | |
computation. Stateful computation requires data persistence (storing data across transactions) and logic persistence (keeping the same code across | |
multiple steps). Applications include smart contracts, L2 bridges, etc. | |
The problem with current methods like BitVM is that fraud proofs require operators to front funds during withdrawals, which isn't | |
capital-efficient. The authors want a method without this issue. | |
In their contributions section, they outline ColliderVM's approach: using hash collisions instead of Lamport/Winternitz signatures in BitVM. This | |
reduces script length for STARK proof verification compared to pairing-based systems. They also mention that security relies on 1-out-of-n honest | |
signers and operators, similar to BitVM but without fraud proofs. | |
The construction section uses presigned transactions where each step checks a hash collision. For example, splitting a function into subfunctions | |
and requiring that inputs to each subfunction form a valid B-pair with the same D element. This forces attackers to find collisions, which is | |
computationally hard. They use propositions to outline parameters (like L and B bits) to balance security and efficiency. | |
Extensions include handling multiple operators/signers and applications like L2 bridges where deposits are handled via these presigned flows. | |
Benefits over BitVM2 include capital efficiency, reduced storage overhead with better hash functions, simpler flow without fraud proofs. Drawbacks | |
are higher storage needs for presigned transactions and computational costs for finding preimages. | |
Feasibility discusses using STARK verifiers. They compare script sizes when replacing OP_SHA256 with BLAKE3 or Bitcoin-friendly hashes. Parameters | |
like B=120 bits give 97-bit security, needing 2^46 flows per deposit. However, splitting proofs reduces overhead. | |
Conclusion emphasizes that ColliderVM enables stateful computation without fraud proofs, relying on hash collision resistance and honest | |
participants. Future work includes better hash functions and optimizations. | |
Now, I need to condense this into a concise summary highlighting key points: problem with Bitcoin Script's statefulness limitations, how BitVM's | |
approach has flaws (capital inefficiency), ColliderVM's method using hash collisions for storage instead of signatures, benefits like capital | |
efficiency and simpler flow, security assumptions (honest participants + collision resistance), and potential applications. Also note the | |
trade-offs like storage and computational costs. | |
Wait, did I miss any key technical details? The use of presigned transactions with each subfunction checking a hash condition so that inputs must | |
align across steps. They also mention triple collisions for more security but at higher transaction overhead. Comparing parameters (like L=46 vs | |
B=120) and how this affects work needed for honest vs malicious parties. | |
Also, in applications like bridges, the protocol setup with signers and operators, ensuring safety if one is honest. The withdrawal process using | |
hash preimages to trigger flows without needing upfront funds since the presigned transactions are already set up. | |
I should structure the summary logically: Background/Problem, Solution (ColliderVM), How it Works (hash collisions, presigned txs), Advantages over | |
BitVM2, Trade-offs and feasibility, Applications. Keep it clear and not too technical but still accurate. | |
</think> | |
**Summary of "ColliderVM: Stateful Computation on Bitcoin"** | |
### **Background & Problem** | |
Bitcoin's scripting language lacks native support for *stateful computation*—the ability to persist data and logic across multiple transactions. | |
While upgrades like BIP-347 (OP_CAT) could enable this, current solutions rely on workarounds such as BitVM, which uses fraud proofs. However, | |
BitVM suffers from **capital inefficiency** due to operators needing to front funds during withdrawals until fraudulent activity is reported. | |
### **ColliderVM: Key Innovation** | |
The authors propose **ColliderVM**, a protocol enabling stateful computation *without fraud proofs*. It achieves this by replacing signature-based | |
storage (used in prior protocols) with **hash collision challenges**. This approach ensures computational integrity while addressing BitVM's | |
capital inefficiency and reducing on-chain script size overhead. | |
--- | |
### **How It Works** | |
1. **Presigned Transaction Flows**: | |
- A function \( f \) is split into subfunctions \( f_1, ..., f_k \). | |
- Signers preauthorize transaction flows for each subfunction, requiring inputs that form valid hash collisions. | |
2. **Hash Collision Commitment**: | |
- Inputs (e.g., a withdrawal proof and nonce) must satisfy \( H(x,r)|_B \in D \), where \( D \) is a set of predefined values. This ensures all | |
subfunctions use the same input \( x \). | |
- A malicious operator must find *colliding inputs* across transactions, which requires solving a hard computational problem (e.g., birthday | |
paradox for collisions). | |
3. **Security Parameters**: | |
- **\( L \)**: Size of the set \( D = 2^L \) (e.g., \( L=46 \)). | |
- **\( B \)**: Hash bits checked (\( e.g., B=120 \)), balancing honest effort (\( B-L \)) and attack cost (\( B-L/2 \)). | |
- Example: With \( L=46, B=120 \), an attacker needs ~97-bit work to cheat vs. 74 bits for honest operators. | |
--- | |
### **Advantages Over BitVM2** | |
| **Aspect** | **BitVM2 (Fraud Proof-Based)** | **ColliderVM (Hash Collisions)** | | |
|--------------------------|-----------------------------------------|-------------------------------------------| | |
| **Capital Efficiency** | Operators front funds, delayed reimbursement. | No upfront capital required; funds released immediately via presigned | |
flows. | | |
| **Storage Overhead** | 26 bytes/byte with Winternitz sigs | ~88 bytes/byte for BLAKE3, but reduced by hash function optimizations. | | |
| **On-Chain Script Cost** | Gigabytes (pairing-based SNARKs) | Millions of opcodes (STARK verification), reduced with Bitcoin-friendly | |
hashes. | | |
| **Fraud Proofs Needed?** | Yes (reliance on economic incentives) | No (computationally enforced via collisions). | | |
--- | |
### **Applications** | |
1. **L2 Bridges**: | |
- Deposits trigger presigned flows redeemable upon withdrawal proofs. | |
- Example: A user’s deposit is secured via hash-colliding transactions, ensuring withdrawals validate correct L2 state transitions without | |
upfront operator funding. | |
2. **Stateful Smart Contracts & Vaults**: | |
- Enables persistent logic and data across interactions (e.g., vaults, smart contracts) using presigned flows to enforce consistency. | |
--- | |
### **Trade-offs** | |
- **Storage**: Requires \( 2^L \) pre-signed transaction flows per deposit (e.g., ~70TB for \( L=46 \)). | |
- **Computation**: Operators must solve hash preimage puzzles (e.g., \( 2^{74} \) operations), potentially limiting throughput. | |
- **Security Assumptions**: | |
- Requires **1-of-n honest signers/operators** and collision-resistant hashing. | |
--- | |
### **Feasibility & Future Work** | |
- **Hash Functions**: Bitcoin-friendly implementations (e.g., optimized BLAKE3) could drastically reduce costs. | |
- **Optimizations**: Splitting proofs into subcomponents reduces cross-transaction data sharing. A STARK verifier example showed 10M opcodes with | |
improvements. | |
- **Collaboration Needs**: Research on reducing storage, improving hash efficiency, and widening the computational gap between honest/malicious | |
actors. | |
--- | |
### **Conclusion** | |
ColliderVM offers a novel approach to stateful computation on Bitcoin by leveraging hash collisions instead of fraud proofs. While it introduces | |
trade-offs in storage and computation costs, it eliminates BitVM’s capital inefficiency and simplifies protocol design. This makes it promising for | |
L2 bridges and smart contracts while highlighting opportunities for further optimization in cryptographic primitives and implementation efficiency. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment