Bitcoin Script cannot natively read transaction data—inputs, outputs, amounts, or any other field. There is no OP_TXHASH. This means scripts cannot trustlessly verify properties of the transaction they are part of, forcing protocols like BitVM bridges to rely on trusted oracles or accept weaker security models.
Binohash is a collision-resistant hash function for Bitcoin transactions that produces a digest directly readable in Script—without any consensus changes. Named after the binomial coefficient C(n, t) central to its construction, it achieves three properties simultaneously:
The scheme operates in two stages across a single Bitcoin transaction:
FindAndDelete quirk in OP_CHECKMULTISIG, each different subset produces a different sighash. The spender grinds through C(120, 8) ≈ 2^40 subsets until finding one whose sighash satisfies a proof-of-work puzzle. The winning indices become the first half of the Binohash.
The grinding requires no elliptic curve math, only double SHA-256 hashing. By choosing a special private key d = r_min^(-1), the signature s-value simplifies to s = 2(z + 1), so checking the puzzle reduces to checking whether the sighash z has enough leading zero bits.
Click an “Attacker modifies” button. The grid lights up the sighash puzzles that would detect the change, forcing the attacker to redo at least one 2^42-work puzzle. No single field escapes all four.
120 dummy signatures live in the locking script (shown below). FindAndDelete makes each subset of 8 produce a different sighash. Pick a toy target and grind until the sighash has enough leading zero bits. (Real Binohash targets ≈ 2^40; the slider caps at 2^22 so your browser stays responsive.)
Signature size depends on the magnitude of r and s values. Smaller values = shorter signatures, verified in Script via OP_SIZE.
R_min = 2^(-1)·G has a 21-byte x-coordinate. Finding anything smaller takes ~97 bits of work, so the spender is forced to use it.
When input_idx ≥ num_outputs, sighash returns z = 1 for any transaction. This enables 9-byte transaction-independent dummy signatures for the nonce pool.
A historical quirk: OP_CHECKMULTISIG removes selected signatures from the scriptCode before hashing, creating controllable sighash variation from subset selection.
Instead of per-bit Lamport signatures (which would exceed the 201 opcode limit), subset preimage revelation signs the Binohash with only 48 opcodes.
All 256 sighash byte values are consensus-valid (only 6 are standard). This gives the honest spender more grinding freedom per sighash mode.
DER-encoded ECDSA signatures are variable length — the bytes used for r and s shrink with their magnitude. Move the sliders to see the byte layout react. The locking script's OP_SIZE check is what forces the spender to find a small-r / small-s signature, which requires PoW grinding. For byte-level dissection of a real DER signature, see the DER Autopsy tool.
| Metric | Basic (W=42) | High Security (W=50) |
|---|---|---|
| Collision resistance | ~84 bits | ~92 bits |
| Honest work | ~44.6 bits | ~52.6 bits |
| GPU time (10× RTX 4090) | ~3.8 hours | ~40 days |
| Cloud cost (vast.ai) | <$15 | ~$3,100 |
| Script size | ~8 KB (locking script) | |
| Transaction fee | ~$40 at current rates | |
BitVM bridges need to verify transaction properties—e.g., "Did this peg-out transaction actually pay the right address?" or "Did the rollup sequencer publish the correct state diff?" By Lamport-signing the Binohash in Script and feeding it into BitVM's off-chain verification, operators can prove transaction properties without trusted oracles.
An attacker could try using only ANYONECANPAY|NONE for the puzzle signature, bypassing pinning entirely. This would reduce security to ~42 bits. Mitigation: BitVM verifies the full transaction off-chain and rejects proofs using non-SIGHASH_ALL flags in the puzzle signatures.
All 256 sighash flag bytes are consensus-valid, giving an attacker 16 extra bits of grinding freedom across 2 rounds. Impact: Only ~0.6 bits of security reduction because pinning work (4 × 2^42) dominates sample cost, making the puzzle work reduction negligible. BitVM enforcement of canonical SIGHASH_ALL further mitigates this.
Transactions demonstrating a 4-byte Binohash have been successfully executed on both Testnet4 and Bitcoin Mainnet, mined via Marathon's Slipstream service. The paper includes a Polyglot Digest optimization (Appendix D) that could reduce script size by ~3.7 KB by merging dummy signatures with HORS hash commitments.
Binohash composes several primitives in subtle ways. For the underlying mechanics: