Trustless contracting by combining on-chain and off-chain transactions

We introduce a completely new way to designing smart contracts on Bitcoin. In all our previous contracts, everything is embedded in Bitcoin Script and validated by miners. In the new approach, we combine previous contracting with transactions/contracts held and validated off chain. Surprisingly, it can maintain the trustless nature of on-chain contracts, while being drastically more efficient and private. We exemplify the general idea by improving a fair coin toss contract.

Practical Fair Coin Toss

Using a hash-based commitment scheme, we introduced a contract to achieve fair coin toss without a trusted third party. There is a caveat for it to be practical. …

Using Singular Value Decomposition as an Example

We show how machine learning techniques can be applied in Bitcoin, inspired by the latest Bitcoin Class. Specifically, we demonstrate how Singular Value Decomposition (SVD) can be applied to enable trustless purchase of an original image, based on a low-resolution preview.

Singular Value Decomposition (SVD)

SVD is a type of matrix decomposition that decomposes/factors a single matrix into matrix U, ∑ and V* respectively.

  • U and V* are orthogonal matrices.
  • ∑ is a diagonal matrix of singular values.

Intuitively, it can be seen as converting one complex transformation in 3 simpler transformations (rotation, scaling, and rotation), in which

  • Matrices U and V* causes rotation

How to Build an OnChain Tic-Tac-Toe Step-By-Step

Today we will show you how to build a decentralized application (a.k.a, dApp), on the Bitcoin SV blockchain. We will walk through the entire process of building a full stack decentralized application, including:

  • Write a contract
  • Test the contract
  • Interact with the contract through a simple web app

By the end, you will have a fully functional tic-tac-toe app running on Bitcoin.


Development Environment

Before we dive into the app, make sure you have the following dependencies installed.

Tic-tac-toe Contract

The basic idea is to store the state of the game in a contract, using the general approach detailed before…

Decentralized Lottery as an Example

Secure multiparty computation (MPC) protocols enable multiple parties to jointly compute a function over their inputs while keeping those inputs private. For example, two millionaires decide who is the richer and should pay for dinner, without revealing their actual wealth¹. Or a group of employees can calculate the average salary of the group without disclosing their individual salaries.

One fundamental limitation of MPC is that it cannot force parties to respect the outcome. In the millionaires example, one can refuse to pay after he finds out he is richer.

We use Bitcoin to solve this challenge², by linking the outcome…

We design and implement a secure auction system on Bitcoin. It is open and transparent, where everyone can participate and the highest bidder wins when the bidding is over. Bidders are binded to their bids and auctioneers to the auction results.



  • bid: If a higher bid is found, the current winner is updated and the previous highest bidder is refunded.
  • close: the auctioneer can close the auction after it expires and take the offer.
Auction Contract

Possible Extensions

There are many ways to extend this basic contract. For example, if the item auctioned is tokenized and stored in a UTXO (e.g., an NFT), when the auctioneers closes the auction, it can be demanded one input is the token UTXO and one output is transferring it to the winner, thus making the closing atomic and cheating impossible.

Recurring Payments and Checking Accounts

We introduce a recurring payment contract that allows a customer to deposit money in and a business to collect payment at a regular interval.



The contract have three public functions.

Recurring Payment Contract
  • The first one is for the user to deposit more money.
  • The second one allows the user to opt out at any time. Note that if the user needs to provide a cancellation notice before stopping the recurring payment, it can be achieved on the basis of this contract with minimal modifications.
  • The last one is for the merchant to withdraw certain amount of money from the…

Using Blum’s Protocol

Previously, we implemented a fair coin toss on Bitcoin using XOR. We introduce an alternative way of implementing it using Blum’s original coin tossing protocol¹.

Coin Toss

It consists of the following steps:

  1. Alice chooses prime numbers p and q. He tells Bob N = p * q. Alice chooses p and q to be extremely large so that Bob cannot feasibly find them from N.
  2. Bob chooses x between 0 and N. He calculates b = x² mod N. He tells Alice b. …

Without Trusting a Third Party using Bit Commitment

Toss a Bitcoin

Alice and Bob decide to flip a coin, but they have no physical coin or they want to do it over the Internet. They can achieve fair coin tossing by following protocol on Bitcoin.

  1. Alice and Bob each locks X bitcoins in a smart contract shown below.
  2. They both reveal their secret number, which are XOR’d to determine if the coins lands on head or tail. Alice wins if it is head, otherwise Bob wins. Whoever wins takes all 2X bitcoins.
Coin Toss Contract

Practical Consideration

Additional measures have to be taken in case one party decides to abort when he/she finds out he/she loses, by refusing to reveal their secret number. For example, instead of letting winner taking all, we could have the loser take 0.5X bitcoins and thus incentivise him to proceed even though he will lose.

sCrypt IDE v0.5.5 allows a user to deploy a stateful contract and repeatedly call its methods in a GUI, extending our previous feature. We use an example contract AdvancedCounter to illustrate the workflow.


AdvancedCounter contains a counter, which is increased by one every time increment() is called. We initialize it to be 0 and locks 10000 satoshis into the contract. After hitting Deploy, it should be deployed.


Multiple Calls

In the Call panel, there is an additional section Outputs (Optional) and Transaction Settings, besides section Public Function Arguments introduced last time. It allows customizing outputs, which is necessary in many stateful contracts…

We implement a smart contract to outsource solving Sudoku puzzles on Bitcoin, utilizing the paradigm we published earlier. The general problem of solving Sudoku puzzles is computationally intensive as grid size increases. In fact, it is known to be NP-complete, same as the Travelling Salesman Problem we introduced previously. The advantage of solving it on Bitcoin is that we only have to verify if the proposed solution is valid, which can be done efficiently. The intense computation of solving the puzzle is done off chain.

A Typical Sudoku Puzzle
Sudoku Contract


sCrypt Inc ( is a company with mission to providing integrated on-chain smart contracting solutions on Bitcoin SV.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store