Author: Salvatore Ingala 2022-11-08 09:17:42
Published on: 2022-11-08T09:17:42+00:00
Salvatore Ingala has proposed a method for enabling general smart contracts in Bitcoin using covenants. This method adds restrictions on the outputs of transactions spending UTXOs, called covenants, which has various benefits, including minimal impact on layer 1, generality, compatibility with P2TR, and no new cryptographic assumptions required. The proposal uses Merkle trees and does not require any other cryptographic primitive.The note explores concepts such as the contract's state, state transitions, and covenants, presenting a framework for defining smart contracts that fit the structure of Bitcoin. It also discusses the possibility of performing on-chain computation and argues that the execution of a contract should be performed off-chain, with blockchain consensus used only to verify the computation or skip the verification altogether. The proposed challenge protocol involves posting the statement “f(x) = y” and allowing a challenge period for anyone to dispute the claim. In case of a challenge, Alice and Bob enter a challenge resolution protocol arbitrated by layer 1. The remainder of the note sketches an instantiation of the challenge protocol involving a bisection protocol for arbitrary computation.The article discusses the use of Merkle trees to enable fully general smart contracts in the UTXO model. It explains how state transitions can be implemented using a challenge-response protocol and how this can be used in state channels and coin pools. Additionally, the article proposes a design of covenant opcodes that can be added in a soft fork to the existing SegWitv1 Script.The proposed covenant optimization for Bitcoin's layer 1 involves a bisection protocol that would simplify required changes to the script and potentially mitigate costs and risks analyzed in prior reports. The proposal does not rely on novel cryptography and would likely require a fully recursive version of the covenant for optimistic rollups. Acknowledgments are given to Antoine Poinsot for suggesting improvements to the original proposed covenant opcodes, as well as other individuals for their helpful discussions and comments on earlier versions of the proposal.References to similar fraud proof constructions in blockchain research are provided, along with prior publications regarding the basic idea of the bisection protocol. Footnotes include links to relevant websites and documents. The security model for the bisection protocol is also discussed, noting that it operates under the honest miner majority assumption. Finally, the article acknowledges that there is still room for optimization and that different challenge mechanisms could be more appropriate for different functions.Overall, Salvatore Ingala's proposal presents a promising method for enabling general smart contracts in Bitcoin using covenants, with various benefits and potential use cases explored in the note.
Updated on: 2023-06-16T02:59:58.633167+00:00