Request: OP_CHECKTXOUTSCRIPTHASHVERIFY [combined summary]

Individual post summaries:

Request: OP_CHECKTXOUTSCRIPTHASHVERIFY ZmnSCPxj 2018-10-17 10:22:59+00:00
Request: OP_CHECKTXOUTSCRIPTHASHVERIFY kim juan 2018-10-17 06:58:10+00:00
Request: OP_CHECKTXOUTSCRIPTHASHVERIFY ZmnSCPxj 2018-10-17 05:17:15+00:00
Request: OP_CHECKTXOUTSCRIPTHASHVERIFY kim juan 2018-10-17 04:26:34+00:00

Click here to read the original discussion on the bitcoin-dev mailing list

Published on: 2018-10-17T10:22:59+00:00

Summary:

A new opcode, OP_CHECKTXOUTSCRIPTHASHVERIFY, is being proposed for the Bitcoin scripting system. This opcode would allow a transaction output to be spendable only in a predefined manner, potentially reducing the risk of key loss. However, there are concerns about covenants and vaults being visible on-chain and requiring complex script templates, which could increase block space usage. Efforts have also been made to move contract execution off-chain. ZmnSCPxj suggests an improvement to the specification of OP_CHECKTXOUTSCRIPTHASHVERIFY, with plans to focus future SCRIPT updates on SegWit versions. The opcode would succeed if certain conditions are met, such as being a P2WSH with a matching SegWit version and hash, or being the same as the transaction output being spent. If none of these conditions are met, the operation will fail. A sample use case is provided, where Acme has an ordinary key pair and a secure key pair. The private key of the secure key pair remains hidden until it needs to revoke the transaction of the ordinary key pair. To spend the outputs from the ThisRedeemScript, they must be forwarded to the NextRedeemScript. Even if the original key pair is compromised, the attacker can only spend the outputs in this specific way and must publish the transaction. The NextRedeemScript is time-locked, allowing Acme to monitor for unauthorized transactions and react within the specified duration. In certain cases, the combination of both key pairs as one multisig can immediately spend the output regardless of the timelock.The email thread emphasizes that CSV and CTLV have already paved the way for retroactive invalidation, as seen in protocols like HTLC of the lightning network. The proposed opcode could address other problems requiring retroactive invalidation in a less interactive manner than channels. By influencing how outputs can be spent, the opcode could make attacks less rewarding. However, there are still potential privacy concerns, and the use case assumes that P2SH is an exceptional case for custodians like e-commerce merchants and exchanges.

Updated on: 2023-08-01T23:56:46.683568+00:00