I Overview

A covenant is a spending condition that restricts not just who can spend a UTXO, but how it can be spent — constraining the future transaction's outputs, inputs, or other fields. In traditional Bitcoin Script, a locking script answers one question: “prove you're authorized to spend this.” A covenant adds a second question: “prove you're spending this in the way the creator intended.”

The term comes from property law — a deed restriction that runs with the land. In Bitcoin, a covenant “runs with the UTXO.”

“Covenants are a category of proposed changes to Bitcoin's consensus rules that would allow a script to prevent an authorized spender from spending to certain other scripts.” Anthony Towns refines: “the most useful definition of covenant is that it's when the scriptPubKey of a UTXO restricts the scriptPubKey in the output(s) of a tx spending that UTXO.” Bitcoin Optech canonical definition

Why This Matters

Without covenants, Bitcoin scripts are stateless one-shot predicates. With covenants, scripts can:

The Fundamental Tension

The covenant debate is the deepest ideological split in Bitcoin development since the blocksize war. It touches:

Bitcoin's scripting system is at its most contested inflection point since Taproot's activation in 2021. The central tension: Script was deliberately crippled in 2010 when Satoshi disabled 15 opcodes to prevent DoS attacks. Now, a decade and a half later, developers are debating whether to restore, extend, or fundamentally redesign that scripting layer.

◊ ◊ ◊

II The Competing Proposals

1. OP_CHECKTEMPLATEVERIFY (CTV) — BIP-119

Author: Jeremy Rubin (2019), championed by James O'Beirne

Status: Reviewed 5+ years No activation

Optech: bitcoinops.org/en/topics/op_checktemplateverify · MIM: bips.magicinternetmath.com

Thread: CTV+CSFS open letter (~70 messages)

What it does

A single opcode that takes a 32-byte hash from the stack and verifies that the spending transaction matches that hash exactly. The hash commits to: version, locktime, scriptSigs hash, input count, sequences hash, output count, outputs hash, and the input index. It's the minimum viable covenant — a hash check.

What it enables

  • Congestion control: Batched payouts via pre-committed transaction trees
  • Vaults: Pre-committed delayed withdrawal path with recovery key
  • Non-custodial mining pools: Committed payout distributions
  • Payment channel factories

Key debates

  • James O'Beirne (proponent): CTV has been under review for 5+ years. Together with CSFS it enables vaults, congestion control, non-custodial mining, DLCs, and LN-symmetry. Their limited scope makes them realistic.
  • Matt Corallo (skeptic, favors TXHASH): “I have yet to see a reasoned explanation of why we should prefer CTV over TXHASH.” If TXHASH specs must be defined anyway for future upgradability, CTV is a wasted intermediate step.
  • Greg Maxwell (deep skeptic): Questions whether any real-world hack has been defeated by a vault design. Notes “the lack of implementation of these tools in systems where its already easy to do so” suggests limited practical demand.
  • Anthony Towns (process critic): “the ongoing lack of examples of killer apps demonstrating big wins from limited slices of new functionality leaves me completely unexcited about rushing something in the short term.”
  • Erik Aronesty (minimalist): “op_ctv is quite literally not the best at anything. That's the whole point.” CTV's deliberate limitation is its strength.
“op_ctv is quite literally not the best at anything. That's the whole point.” — Erik Aronesty (mailing list)

Optech newsletter coverage: May 2019 (original COSHV), Dec 2019 (renamed CTV), Jan 2020 (BIP119), Feb 2020 (workshop), Apr 2022 (activation debate), Jul 2025 (open letter), Jan 2026 (CTV footgun analysis). 40+ newsletter issues.

2. OP_CHECKSIGFROMSTACK (CSFS) — BIP-348

Authors: Russell O'Connor, Andrew Poelstra

Status: BIP merged Dec 2024 · Deployed on Liquid 8+ years

Optech: bitcoinops.org/en/topics/op_checksigfromstack · MIM: bips.magicinternetmath.com

What it does

Verifies a BIP-340 Schnorr signature against an arbitrary message (not the transaction hash). Standard OP_CHECKSIG only verifies signatures against the transaction's sighash. CSFS removes that restriction. Takes three parameters: signature, message, and public key.

What it enables (especially combined with CTV)

  • LN-Symmetry (Eltoo): Simplified payment channels where the latest state always wins
  • Oracle attestations: Scripts can verify signatures from external data sources
  • Delegation: Sign over spending authority to another key
  • DLC optimizations: Simpler Discreet Log Contract implementations
  • Transaction introspection: With OP_CAT for message construction

The Covenants Support Wiki compiled by /dev/fd0 (December 2024) found CSFS has “unanimous support” and appears in multiple proposal bundles.

Optech newsletter coverage: Oct 2018, May 2019, Dec 2024 (BIP348 merged), Jul 2025 (open letter). 15+ newsletter issues.

3. CTV + CSFS Together

The open letter (June 2025): 40+ developers and companies signed. ~70 mailing list messages followed.

Threads: CTV + CSFS: a letter · Making the case for CTV+CSFS

“if nobody in Core wants to engage at all with consensus changes, then the result is effectively the same as a veto.” — Andrew Poelstra (signed despite technical reservations: “technically good enough”)

Antoine Poinsot & Greg Sanders (“Making the case for CTV+CSFS”): Argued CTV+CSFS represents “the valid Schelling point” — specific use cases (LN-symmetry, Ark, DLCs, BitVM) are well-understood and proven. “The onus is on the proposer to overcome objections.”

The recursive covenant revelation

Anthony Towns demonstrated that CTV+CSFS trivially enables recursive covenants — the very thing BIP-119's motivation section claims to avoid. The construction: create a throwaway key pair, build a tapscript combining CSFS and CTV, derive the scriptPubKey, calculate the CTV hash for a payment back to itself, sign with the throwaway key, then destroy the private key. Funds sent to this address can only ever be spent back to themselves — a perpetual self-spending covenant. Working demo on mutinynet.

Olaoluwa Osuntokun (pushback): “The example that you've come up with to 'directly undermine' the claimed motivations of BIP 119 is still fully enumerated (the sole state is declared up front), and doesn't contain dynamic state.”

4. SIGHASH_ANYPREVOUT (APO) — BIP-118

Author: Anthony Towns (2019, building on Christian Decker's SIGHASH_NOINPUT)

Status: Stalled — limited developer interest

Optech: bitcoinops.org/en/topics/sighash_anyprevout · MIM: bips.magicinternetmath.com

A new sighash flag that allows signatures to not commit to the input being spent. The same signature can authorize spending from different UTXOs — enabling rebindable transactions.

What it enables

  • LN-Symmetry (Eltoo): The original motivation; each new channel state replaces any previous with the same signature
  • Drivechains (with trusted setup)
  • Covenants (indirectly, combined with other opcodes)

Why it stalled: Designed for a specific use case (LN-symmetry). Developers increasingly prefer CTV+CSFS as a more general primitive. The Covenants Wiki noted APO “lacks developer interest; alternatives exist for achieving similar functionality.”

Optech newsletter coverage: Jul 2018 (as NOINPUT), extensive through 2022. 25+ newsletter issues.

5. OP_TXHASH — The Generalized Alternative

Authors: Russell O'Connor (original concept), Brandon Black (minimal implementation)

Optech: covered within covenants topic

Computes a hash of selected transaction fields based on a flags argument. Where CTV commits to the entire template, TXHASH lets the script select which fields to commit to.

Brandon Black's minimal TXHASH+CSFS: Three new opcodes that subsume both CTV and APO. OP_TXHASH with 5 hash modes (mode 0 = CTV, modes 1-4 = APO variants), plus OP_CHECKSIGFROMSTACK and OP_CHECKSIGFROMSTACKVERIFY.

“By splitting the hashing from the validation of BIP-119, the hash can be used in ways other than OP_EQUALVERIFY.” — Brandon Black

The key debate: Matt Corallo argues that if TXHASH specs must be defined anyway for future upgradability, CTV is a wasted intermediate step: “Preferring to do something worse because something better would require someone reasonable pick some reasonable encoding is not a good way of engineering.”

The Covenants Wiki found TXHASH is “more expressive” but generates “meaningless” template combinations.

6. OP_TX — Generalized Introspection

Author: Rusty Russell (May 2022), part of the 4-BIP Script Restoration Quartet (BIP [3/4])

Thread: Script Restoration

Pushes raw transaction fields onto the stack (version, locktime, input/output counts, amounts, scripts, witness data). Unlike TXHASH which produces a hash, OP_TX gives the script direct access to transaction data.

Why it's more powerful: With OP_TX, a script can examine and compare individual fields — not just verify a hash match. Conditions like “output 0 must send at least X satoshis to address Y” without committing to the entire transaction structure. Russell showed CTV is “approximated by” a specific combination of nine OP_TX flags — making CTV a trivial special case.

7. OP_VAULT — Purpose-Built Vault Covenant

BIP: 345 (added Mar 2024, later withdrawn in favor of OP_CCV) · Author: James O'Beirne (January 2023)

Status: Withdrawn

Optech: bitcoinops.org/en/topics/vaults

Two purpose-built opcodes (OP_VAULT and OP_VAULT_RECOVER) specifically for vault workflows. O'Beirne: “a design solely concerned with making the best vault use possible, with covenant functionality as a secondary consideration.”

Towns' critique

  • Recovery address exposure is dangerous: “as soon as your recovery address is revealed, anyone can move all your funds into cold storage”
  • No withdrawal caps — can't limit amounts
  • UTXO locking inefficiency
“if you can secure the rescue/abort key you could use the process for the primary” — Greg Maxwell (challenging vaults generally)

Optech newsletter coverage: Jan 2023 (proposal), Mar 2024 (BIP345 added), May 2025 (withdrawn for CCV). 15+ newsletter issues.

8. OP_CAT — The Simplest Primitive

BIP: 347 · Author: Ethan Heilman (re-enablement, October 2023)

Status: Active · Bitcoin Inquisition signet

Optech: bitcoinops.org/en/topics/op_cat

Thread: Proposed BIP for OP_CAT

Concatenates the top two stack elements. That's it. Disabled by Satoshi in 2010 because repeated OP_DUP + OP_CAT could create exponentially large elements (1 byte to 1TB in 40 iterations). Tapscript's 520-byte element limit eliminates this vulnerability. Proposed as opcode 126 (OP_SUCCESS126) in tapscript.

What it enables

  • Tree signatures: ~1,000 keys in <1KB (logarithmic)
  • Post-quantum Lamport/Winternitz signatures: Quantum-resistant using only hash + concatenation
  • Merkle proof verification on stack
  • Covenant emulation: Combined with OP_CHECKSIGFROMSTACK, enables transaction introspection
  • Non-equivocation contracts: Punish double-signing in payment channels
  • MATT generality: “With this new opcode, the full generality of MATT (including the fraud proofs) can be obtained with just two opcodes: OP_CHECKCONTRACTVERIFY and OP_CAT.” — Salvatore Ingala

Why it's controversial: OP_CAT's power comes from composition. Alone it's trivial. Combined with existing opcodes, it creates emergent capabilities — including things some developers don't want (inscriptions, AMMs, state-carrying covenants). LNHANCE explicitly excluded OP_CAT for this reason.

Winternitz signatures (with OP_CAT)

conduition demonstrated that WOTS can be implemented in Bitcoin Script with OP_CAT, providing post-quantum security. Winternitz = 7,948 bytes total vs. Lamport = ~10,721 bytes — a 26% reduction.

Lamport signatures (no changes needed)

Ethan Heilman showed Lamport signatures can be verified in Bitcoin Script TODAY by exploiting ECDSA signature length variability (the “ECDSA nonce trick”). Achieves 284 security but: “Do not use this signature scheme in a Bitcoin output unless your intent is for that output to be a fun crypto bounty.”

Optech newsletter coverage: May 2019, Oct 2023 (BIP proposed), May 2024 (BIP347, Inquisition deployment), Sep 2024 (research fund), Jul 2025 (Winternitz sigs). 15+ newsletter issues.

9. MATT / OP_CHECKCONTRACTVERIFY (CCV)

BIP: 443 (merged May 2025) · Author: Salvatore Ingala (2023)

Status: Active development Supersedes OP_VAULT

Optech: bitcoinops.org/en/topics/matt

Thread: Concrete MATT opcodes

A single opcode that takes 5 stack parameters (data, index, pk, taptree, flags) and checks whether a specified input or output's scriptPubKey matches a P2TR address derived from those parameters. This lets scripts verify that outputs conform to expected contract states.

Combined with OP_CAT, achieves “full generality of MATT” — Merklize All The Things — including fraud proofs for arbitrary computation.

Limitation: Amount introspection is limited — input amounts toward the same output are summed as a lower bound. Johan Toras Halseth found this “insufficient at least for the use cases I had in mind” for CoinPool (which requires splitting/combining output amounts).

Optech newsletter coverage: Nov 2022 (proposal), May 2023 (vaults), Jun 2023 (CTV replication), Apr 2025 (draft BIP), May 2025 (OP_VAULT withdrawn for CCV, BIP443 merged). 10+ newsletter issues.

10. Rusty Russell's 4-BIP Script Restoration Quartet

Author: Rusty Russell (September 2025)

Status: BIP drafts submitted, received BIP numbers (2026)

Thread: Script Restoration (4-BIP quartet)

The maximalist proposal — restore Bitcoin's scripting language to its original power:

  • BIP [1/4] — Varops Budget: The safety net. Extends the sigops budget into a variable-operations budget using benchmarks. This makes everything else safe.
  • BIP [2/4] — Tapscript v2 (tapleaf 0xc2): Re-enables 15 disabled opcodes:
    • Splice: OP_CAT, OP_SUBSTR, OP_LEFT, OP_RIGHT
    • Bitwise: OP_INVERT, OP_AND, OP_OR, OP_XOR
    • Bitshift: OP_UPSHIFT, OP_DOWNSHIFT
    • Arithmetic: OP_2MUL, OP_2DIV, OP_MUL, OP_DIV, OP_MOD
    Increases max stack element (520 → 4MB), stack capacity (→ 8MB), stack element count (1,000 → 32,768), removes 32-bit arithmetic restrictions.
  • BIP [3/4] — OP_TX: Transaction introspection. The covenant primitive.
  • BIP [4/4] — New Opcodes: OP_CHECKSIGFROMSTACK, OP_SEGMENT, OP_BYTEREV, OP_ECPOINTADD, OP_INTERNALKEY, OP_MULTI.
“These restrictions removed much of the ability for users to control spending conditions, frustrating the ideal of programmable money without third-party trust.” — Rusty Russell
“Once the safety net of the varops budget is in place, disabled opcodes can be re-enabled, stack object size and total capacity extended.” — Rusty Russell

11. LNHANCE — The Conservative Bundle

Author: moonsettler (November 2025)

Bundles four opcodes: CTV + CSFS + OP_INTERNALKEY + OP_PAIRCOMMIT. Specifically designed to improve Lightning and L2 scaling while avoiding general covenant capabilities.

Explicitly excluded OP_CAT because it “enables introspection, including parent transaction introspection, state carrying and script intractable exogenous asset protocols.” LNHANCE wants better Lightning without enabling inscriptions, AMMs, or MEV.

12. Graftleaf — Program Composition and Delegation

Author: Josh Doman (May 2025)

A new Taproot leaf version (0xc2) enabling:

  • Program composition: Multiple witness programs execute sequentially on a single leaf
  • Generic delegation: Users commit to additional spending conditions at signature-time via the annex
  • Vault-of-vaults: Compose multiple personal vaults into higher-level multisig structures

Core execution logic: fewer than 60 lines of code. Works within existing P2TR addresses. “Delegation from any valid spending path to arbitrarily complex compositions.”

13. ColliderScript — Covenants Without Soft Forks

Author: Ethan Heilman (November 2024)

Achieves covenants using 160-bit hash collisions (SHA-1 + RIPEMD-160) within existing Bitcoin Script. Requires ~286 hash operations to spend — equivalent to the entire Bitcoin network's output over ~33 hours. Transactions near the 4MB limit.

“Not a replacement for a covenant opcode” but proves covenants are theoretically achievable today. Demonstrates that Bitcoin's Script already contains latent capabilities.

14. Slashing Covenants — Covenants via Economic Incentives

Author: Ethan Heilman (November 2024)

Instead of cryptographic enforcement, slashing covenants use economic penalties — if you violate the covenant, your funds are burned. Works by requiring two parallel signatures (ECDSA + Lamport) that must match; a mismatch makes a “slashing output” spendable by anyone.

Works today, no new opcodes needed. “Less secure than a covenant enforced by an opcode” but parallels how “bitcoin mining itself is secure only through cryptoeconomic incentives.”

◊ ◊ ◊

III What Covenants Enable

Vaults

Optech: bitcoinops.org/en/topics/vaults

The most cited covenant use case. A vault enforces: (1) withdrawals require a time delay, (2) during the delay, a recovery key can clawback to cold storage, (3) after the delay, funds release normally.

Multiple design approaches exist: pre-signed transactions (key deletion), CTV-based, OP_VAULT/OP_UNVAULT (withdrawn), MATT-based, OP_CAT-based.

“if you can secure the rescue/abort key you could use the process for the primary” — Greg Maxwell (the fundamental challenge to vaults)

Vault advocates respond that the recovery key can be less accessible (geographically distributed, multi-party) because it's only needed in emergencies.

LN-Symmetry (Eltoo)

Optech: bitcoinops.org/en/topics/eltoo

Requires CTV+CSFS or APO. Replaces Lightning's current penalty-based channel mechanism with a simpler “latest state wins” approach. No more toxic waste problem. Enables multiparty channels (3+ participants). Minimal storage requirements (few kilobytes) — ideal for hardware wallets.

Current Lightning (penalty-based): If Alice broadcasts an old state, Bob can take all the funds as punishment. Requires watching the chain constantly and storing every old state.

LN-Symmetry: Any party can publish any state, and a newer state can always replace an older one. No punishment needed — just correction. Safer backup restoration. Multiparty variant with optional penalties proposed (Jan 2025).

Ark Protocol

Optech: bitcoinops.org/en/topics/ark · BitcoinTalk FAQ: bitcointalk.org

A second-layer protocol (Burak Keceli, May 2023) where users hold off-chain “virtual UTXOs” (vTXOs) that expire after ~4 weeks. An Ark Service Provider (ASP) creates rapid blinded coinjoin sessions every ~5 seconds. Recipients receive payments without inbound liquidity (unlike Lightning). On-chain footprint is “orders of magnitude less” than Lightning. Privacy via blinded mixing and standardized denomination sets.

Covenant requirement: Full non-interactive Ark needs CTV or APO. Without covenants, recipients must be online to co-sign n-of-n multisig. The covenant-less variant (clArk) has significant limitations.

Current status: Bark implementation on mainnet (Oct 2024). Arkade launched (Nov 2025). Ark Wallet SDK released (Feb 2025). hArk (hash-lock variant) released (Feb 2026). V-PACK standard for stateless VTXO verification (Mar 2026).

BitcoinTalk perspective (BlackHatCoiner): Self-custody caveat — users retain control “as long as they interact with their ASP at least once every few days.” MarryWithBTC raised skepticism about VTXO expiry creating fund seizure risk.

Congestion Control / Timeout Trees

Optech: bitcoinops.org/en/topics/timeout-trees

CTV enables a single on-chain transaction to commit to a tree of N future payouts. The exchange or service posts one transaction; users settle when they choose. Reduces block space by orders of magnitude during high-fee periods.

Timeout trees: offchain transaction trees that only remain safe against counterparty theft for a limited period. Superscalar (timeout tree channel factories) proposed Nov 2024.

CoinPools / Joinpools

Optech: bitcoinops.org/en/topics/joinpools

Shared UTXO ownership where multiple users share a single on-chain output with privacy (spending member not identifiable on-chain). Each can exit unilaterally. Requires covenant introspection (OP_CHECKCONTRACTVERIFY or OP_TX) to verify exit transactions. MATT + OP_CAT can manage joinpool state transitions. CTV-based payment pool proof-of-concept (Jan 2025).

DLCs & BitVM

CTV+CSFS enables significant DLC optimizations: oracle attestation verification, reduced on-chain footprint, simpler implementation. BitVM fraud proofs benefit from CSFS (verify signatures against arbitrary messages). Glock (garbled locks) achieves 550x improvement over BitVM2 using Schnorr signatures as fraud proofs.

◊ ◊ ◊

IV The OP_RETURN War

Not technically covenants, but the OP_RETURN debate is inseparable from the covenant debate because both concern what Bitcoin's Script should be for.

The Status Quo

Bitcoin Core limits OP_RETURN outputs to 83 bytes and one per transaction. These are standardness rules (relay policy), not consensus rules.

Antoine Poinsot's Proposal (April 2025)

Mailing list thread (~70 messages): Relax or remove the limits. The restrictions have failed — developers store data in unspendable Taproot outputs instead, which is worse because those bloat the UTXO set permanently (OP_RETURN outputs are prunable). The Citrea Clementine bridge stores data in unspendable Taproot outputs specifically because OP_RETURN limits are too small.

The Mailing List Positions

“million-dollar (or more) business incentives” cannot be thwarted by relay policy. If restrictions push users to private transaction rails, “I feel we'd be giving up on one of the most valuable properties the network has” — permissionless access. “There is no need to discriminate” when blocks are consistently full. — Pieter Wuille (reversed his own earlier position)
“standardness limits aren't holy, they're a hack... sometimes a very useful hack. They should only exist when their benefits well outweigh their costs.” Since 2014, minimum feerate buying power increased 171x, blocks are consistently full, and compact block relay means the old propagation argument is inverted. — Greg Maxwell
“This idea is utter insanity. The bugs should be fixed, not the abuse embraced.” — Luke Dashjr (strong opponent, advocates returning to script whitelisting)

Peter Todd: Supports full removal of both size and count limits. Multiple OP_RETURN outputs serve legitimate purposes like SIGHASH_SINGLE signing.

Anthony Towns: Encoding data undetectably is “a standard exercise.” Filtering is a perpetual losing game. “Acting tough about it at best has zero effect, and at worst generates publicity for the spammers.”

BitcoinTalk Forum Perspective

Thread (341+ replies): The forum surfaced the cultural dimension that the mailing list largely avoided.

The 80-byte limit is actively harmful because it pushes data embedders toward worse methods. OP_RETURN data is “completely prunable and pruned.” “Having some developer going around playing wack-a-mole blocking stuff that isn't perfectly imitating ordinary transactions is a huge liability.” “If you don't want to store that prunable data, simply don't.” — gmaxwell (on BitcoinTalk)

d5000: Removing limits is actually anti-centralization: “restrictive standardness settings” create “strong centralization effect” by giving large pools additional income from non-standard transaction fees that small miners can't access.

pooya87 (skeptic): Historical evidence shows limits work — most spam respects the 80-byte boundary. Analogy: “Like going to emergency room for appendicitis but they remove your kidney instead.”

takuma sato (purist): “The point of Bitcoin is to move money from A to B, everything else is bloat.”

“Bitcoin is Money” Counterproposals

Reduced Data Temporary Softfork (~30 messages): A temporary softfork (expiring after one year) to restrict arbitrary data storage at consensus level, “strongly re-affirming in consensus that bitcoin is money, not data storage.”

Soft Fork Compromise on OP_RETURN (~12 messages): Majorian proposed making the existing 83-byte limit into a consensus rule: “By enforcing this at consensus, we simply make permanent the relay standards that nodes have followed in practice for much of Bitcoin's history.”

BitcoinTalk: BIP 110 (59+ replies): The forum unanimously rejected BIP 110. Peter Todd demonstrated its futility by embedding BIP-110's full text into a compliant transaction. Jameson Lopp: “Why would anyone voluntarily take a pay cut?” and “kicks off a never-ending game of cat and mouse.” pooya87 called it “an attack on Bitcoin and its principles.” gmaxwell pointed out that presigned transactions could be rendered unspendable retroactively.

d5000's “Three Doors” Analysis (Bitcoin Core 30)

BitcoinTalk (51 merits, 20+ replies): Three methods of on-chain data storage, ranked by harm:

Opening Door 3 wider encourages spammers toward the least destructive method. The change doesn't make NFTs cheaper since alternative methods remain competitive on fees.

◊ ◊ ◊

V The Great Consensus Cleanup

BIP: 54 (merged May 2025) · Optech: bitcoinops.org/en/topics/consensus-cleanup-soft-fork

Authors: Matt Corallo (2019 original), Antoine Poinsot (2024-2025 revival)

Thread: Great Consensus Cleanup revival

The one thing nearly everyone agrees on. Four bug fixes through a soft fork:

  1. Timewarp attack: Miners can manipulate difficulty by exploiting timestamp validation across difficulty periods. Fix: 7200-second grace period + invalidate negative-duration difficulty periods (Murch-Zawy attack).
  2. Worst-case block validation time: Legacy transactions can be crafted to take minutes to validate. Fix: per-transaction sigops limit for legacy scripts.
  3. Merkle tree weakness: 64-byte transactions create ambiguity between internal Merkle nodes and transaction data. Fix: make 64-byte transactions consensus-invalid (BIP53, merged May 2025).
  4. Duplicate coinbase transactions: BIP-34 doesn't fully prevent duplicate coinbase txids after block 1,983,702. Fix: mandate nLockTime = block height - 1.

Status: BIP54 merged May 2025. Bitcoin Core #32521 and #32155 implementing changes. Bitcoin Inquisition added BIP54 implementation (Feb 2026). Test vectors published (Nov 2025). Active implementation phase.

Demonstrates that Bitcoin can evolve through consensus when changes are clearly beneficial and don't expand the protocol's scope.

Optech newsletter coverage: Mar 2019 (original), Apr 2024 (revisited), May 2025 (BIP54 merged), through Feb 2026. 15+ newsletter issues.

◊ ◊ ◊

VI The Covenants Landscape

The Covenants Support Wiki

/dev/fd0 compiled a Bitcoin Wiki page (December 2024) where developers evaluated proposals. Key findings:

Power/Simplicity Spectrum

LEAST POWERFUL MOST POWERFUL CTVTemplate hash APORebind sigs CTV+CSFS+ Arbitrary msg TXHASHSelective fields OP_CATCompose anything OP_TXRaw field access RestorationFull restore MINIMALISTS GENERALISTS RESTORATIONISTS

The Three Philosophical Camps

1. Minimalists CTV / LNHANCE

Add the least possible. CTV's weakness is its strength. Ship something small, iterate later. “The onus is on the proposer to overcome objections.” LNHANCE explicitly excludes OP_CAT to avoid enabling inscriptions, AMMs, or MEV.

“The onus is on the proposer to overcome objections.” — Antoine Poinsot

2. Generalists TXHASH+CSFS / OP_CAT

If you're going to change consensus, don't waste the opportunity on something too narrow. Build primitives, not features. “By splitting the hashing from the validation, the hash can be used in ways other than OP_EQUALVERIFY.”

3. Restorationists Russell's Quartet

Bitcoin's Script was crippled unnecessarily. Restore it properly with safety constraints. The varops budget makes everything safe. Don't do this piecemeal. “These restrictions removed much of the ability for users to control spending conditions.”

◊ ◊ ◊

VII Agreed / Contested / Unresolved

Agreed

  1. Bitcoin's Script is too limited. Even skeptics like Greg Maxwell don't argue Script is perfect — they disagree about whether proposed changes address real problems.
  2. OP_RETURN standardness limits have failed. Near-consensus (Luke Dashjr as the notable exception) that 83-byte limits are easily circumvented and push data storage toward worse alternatives.
  3. The Great Consensus Cleanup should happen. Broad support. BIP54 merged. Active implementation.
  4. Taproot's versioning system works. All proposals use Taproot's leaf versioning or OP_SUCCESSx mechanism for safe deployment, validating Taproot's design as an upgrade platform.
  5. CSFS is broadly supported. Appears in nearly every proposal bundle. The Covenants Wiki found “unanimous support.”

Deeply Contested

  1. CTV vs. TXHASH vs. OP_TX. Three competing approaches to transaction commitment/introspection with different power/risk tradeoffs. CTV is the narrowest (hash of the whole transaction), TXHASH allows selecting specific fields, OP_TX pushes raw fields onto the stack.
  2. Whether covenants are needed at all. Maxwell: presigned transactions replicate most functionality. Towns: no demonstrated killer apps. Proponents: LN-symmetry, Ark, vaults are proven use cases.
  3. Piecemeal vs. comprehensive. CTV+CSFS now vs. Russell's quartet vs. clean-sheet redesign (Simplicity/bll).
  4. The governance question. Bitcoin Core has effective veto power. The open letter was controversial — is it advocacy or pressure? Poelstra: “if nobody in Core wants to engage at all with consensus changes, then the result is effectively the same as a veto.”
  5. OP_CAT's emergent risks. Does re-enabling concatenation open Pandora's box? LNHANCE's explicit exclusion reflects real concern.

Unresolved

  1. Activation mechanism. No consensus on BIP-8, BIP-9, flag day, etc. The 2017 SegWit activation trauma looms. No new activation has occurred since Taproot (2021). See Optech: Soft Fork Activation.
  2. The philosophical question. Should UTXOs constrain their own future spending? Both sides have technically valid arguments.
  3. Data storage on chain. Is Bitcoin purely money, or a general-purpose commitment layer? The answer determines whether Ordinals, Runes, and Inscriptions are features or attacks. BitcoinTalk debates this explicitly; the mailing list treats it as settled.
  4. Post-quantum preparedness. Script-based quantum resistance is possible (Lamport/Winternitz) but impractical at current sizes. Whether to optimize for this threat is open. BitcoinTalk's debate on Lopp's BIP.
  5. Timeline. Despite 5+ years of CTV review, no activation date exists for any proposal as of early 2026.
  6. Accidental confiscation risk. Soft forks that restrict previously valid behavior can make existing funds unspendable — only reversible via hard fork. See Optech: Accidental Confiscation.
◊ ◊ ◊

VIII Key Voices

Developers & Researchers

DeveloperPositionNotable Quote
James O'BeirneCTV champion, OP_VAULT author“vaults are an almost necessary part of bitcoin's viability”
Matt CoralloPrefers TXHASH over CTV“I have yet to see a reasoned explanation of why we should prefer CTV over TXHASH”
Greg MaxwellDeep skeptic of covenants generally“if you can secure the rescue/abort key you could use the process for the primary”
Andrew PoelstraPragmatic CTV+CSFS supporter“if nobody in Core wants to engage at all with consensus changes, the result is effectively the same as a veto”
Anthony TownsProcess critic, prefers clean-sheet (bllsh/Simplicity)“the ongoing lack of examples of killer apps...leaves me completely unexcited”
Rusty RussellScript Restoration maximalist“These restrictions removed much of the ability for users to control spending conditions”
Ethan HeilmanOP_CAT champion, ColliderScript, slashing covenantsDemonstrated Lamport sigs work today, ColliderScript covenants without forks
Antoine PoinsotCTV+CSFS as “Schelling point,” OP_RETURN relaxation“the onus is on the proposer to overcome objections”
Salvatore IngalaMATT/CCV architect“the full generality of MATT including fraud proofs with just two opcodes”
moonsettlerLNHANCE (conservative bundle)Excluded OP_CAT to avoid “state carrying and script intractable exogenous asset protocols”
Erik AronestyCTV minimalist“op_ctv is quite literally not the best at anything. That's the whole point”
Luke DashjrOpposes all data storage relaxation“This idea is utter insanity”
Pieter WuilleReversed position on OP_RETURN“There is no need to discriminate” when blocks are full
Burak KeceliArk protocol authorArk needs covenants for full non-interactive operation
Josh DomanGraftleaf (composition + delegation)“Delegation from any valid spending path to arbitrarily complex compositions”
Brandon BlackTXHASH+CSFS as CTV+APO unifier“By splitting the hashing from the validation, the hash can be used in ways other than OP_EQUALVERIFY”
Antoine RiardTechnical refinement of CTVCTV should be restricted to witness v1 to reduce attack surface
Olaoluwa OsuntokunDefends BIP-119 motivationsRecursive covenant example is “still fully enumerated...doesn't contain dynamic state”
conduitionWinternitz signatures with OP_CATDemonstrated 26% size reduction over Lamport for post-quantum sigs

BitcoinTalk Voices

Forum MemberRoleNotable Quote
d5000Decentralization maximalist, empirical analyst“Lifting the limits would thus be an anti-centralization measure”
pooya87Skeptic of developer authority“Like going to emergency room for appendicitis but they remove your kidney instead”
Satofan44Immutability / property rights defender“How we approach this lack of consensus will have a bigger impact on Bitcoin's future than any amount of 'stolen coins'”
BlackHatCoinerBridges technical and philosophical“Bitcoin has clearly charted another course...become the cornerstone of honest and true money”
gmaxwell (on forum)Authoritative technical voice“standardness limits aren't holy, they're a hack”
◊ ◊ ◊

IX Dependency Graph: What Enables What

SIGHASH_ANYPREVOUT (BIP118) +-- Eltoo / LN-Symmetry +-- Drivechains (with trusted setup) OP_CHECKTEMPLATEVERIFY (BIP119) +-- Congestion control +-- Vaults (CTV-based) +-- Joinpools / Payment pools +-- Ark (more efficient with CTV) +-- + CSFS --> LN-Symmetry, delegation, perpetual covenants OP_CHECKSIGFROMSTACK (BIP348) +-- Oracle contracts +-- Delegation +-- + CTV --> LN-Symmetry, BitVM improvements +-- + OP_CAT --> Transaction introspection, covenants OP_CAT (BIP347) +-- Equivocation bonds +-- + CSFS --> Covenants, vaults +-- + MATT --> Joinpool management +-- Recursive covenants (with other ops) +-- Winternitz signatures (post-quantum) MATT / OP_CHECKCONTRACTVERIFY (BIP443) +-- Generalized smart contracts +-- Vaults (supersedes OP_VAULT/BIP345) +-- Joinpool state transitions (with OP_CAT) +-- Arbitrary program verification Consensus Cleanup (BIP54) +-- Time warp fix +-- Merkle tree fix (BIP53) +-- Slow validation fix +-- Duplicate transaction fix (Independent of covenant proposals) Simplicity / bll +-- Could subsume all above opcodes +-- No concrete activation proposal
◊ ◊ ◊

X Timeline

2010
Satoshi disables 15 opcodes (including OP_CAT) to prevent DoS
2016
First vault proposals
2018
SIGHASH_NOINPUT proposed (precursor to APO). Script roundtable on CSFS.
2019
Jeremy Rubin proposes CTV (BIP-119, originally COSHV). Anthony Towns proposes ANYPREVOUT (BIP-118). Matt Corallo proposes Great Consensus Cleanup.
2020
CTV workshop. Vault prototypes. CoinPool proposed.
2021
Taproot activates (Nov), enabling future script upgrades via leaf versioning
2022
Rusty Russell proposes OP_TX. Russell O'Connor proposes TXHASH+CSFS. CTV activation debate. MATT proposed (Nov).
2023
O'Beirne proposes OP_VAULT. Heilman proposes OP_CAT re-enablement (Oct). Ingala proposes MATT/CCV. Keceli proposes Ark (May). Brandon Black proposes minimal TXHASH+CSFS.
2024
Heilman: Lamport sigs without changes (Apr). ColliderScript + slashing covenants (Nov). Covenants Support Wiki compiled by /dev/fd0 (Dec). BIP348 (CSFS) merged (Dec). Bark on mainnet (Oct). BIP345 (OP_VAULT) added (Mar).
2025
CTV+CSFS open letter, 40+ signers, ~70 messages (Jun-Aug). OP_RETURN relaxation debate, ~70 messages (Apr-May). Russell's 4-BIP Script Restoration quartet submitted (Sep). LNHANCE proposed (Nov). Graftleaf proposed (May). BIP54 (Consensus Cleanup) merged (May). BIP443 (MATT/CCV) merged (May). OP_VAULT withdrawn for CCV (May). Ark Wallet SDK (Feb). Arkade launched (Nov).
2026
No activation achieved. Script Restoration BIPs receive BIP numbers. Bitcoin Inquisition adds BIP54 implementation (Feb). hArk released (Feb). V-PACK standard (Mar). Debate continues.
◊ ◊ ◊

XI Alternative Scripting Languages

Two clean-sheet alternatives to extending Bitcoin Script:

Simplicity

Optech: bitcoinops.org/en/topics/simplicity

Nine primitive operators (“combinators”) with formally specified semantics. Jets provide performance-equivalent implementations of common functions. Could implement SIGHASH_ANYPREVOUT and other features without separate soft forks. SimplicityHL (compile Rust-like programs to Simplicity) released Aug 2025. Currently on Elements/Liquid test branches. No soft fork proposal for Bitcoin.

Basic Bitcoin Lisp Language (bll)

Optech: bitcoinops.org/en/topics/basic-bitcoin-lisp-language

Conceptually based on Chia Lisp. Includes symbll (compiler) and bllsh (REPL). Can implement quantum-safe signatures. Proposed Nov 2024. No BIP submitted.

Anthony Towns advocates for these clean-sheet approaches over piecemeal opcode additions.

◊ ◊ ◊

XII The Mathematics of Covenants

Every covenant proposal rests on a small set of mathematical primitives. This section covers all of them, from the ground up. If you understand these, you can read any covenant BIP.

A. Finite Fields and Modular Arithmetic

All Bitcoin cryptography operates in finite fields — sets of integers where arithmetic wraps around at a prime number p.

Definition: Finite Field Fp
The set {0, 1, 2, …, p−1} with addition and multiplication performed modulo p.

Bitcoin uses two primes:

  • The field prime (coordinates): p = 2256 − 232 − 977
  • The group order (scalars): n = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE BAAEDCE6 AF48A03B BFD25E8C D0364141

Key operations:

a + b mod p — addition wraps at p
a · b mod p — multiplication wraps at p
a−1 mod p — the unique value where a · a−1 ≡ 1 (mod p) Modular arithmetic in Fp

The modular inverse exists for every nonzero element because p is prime. Computed via Fermat's little theorem: a−1ap−2 (mod p).

B. Elliptic Curves and secp256k1

Definition: secp256k1
The curve y2 = x3 + 7 over Fp, where p = 2256 − 232 − 977.

Points on this curve form a group under an operation called point addition:

Given points P = (x1, y1) and Q = (x2, y2):

λ = (y2y1) · (x2x1)−1 mod p
x3 = λ2x1x2 mod p
y3 = λ(x1x3) − y1 mod p Point addition (P ≠ Q)
For P = Q (point doubling):

λ = (3x12) · (2y1)−1 mod p Point doubling (tangent line slope) — the +7 term vanishes because its derivative is 0

Scalar multiplication: d · G means adding G to itself d times. This is a one-way function: given d and G, computing P = d · G is fast (double-and-add, O(256) steps). Given P and G, recovering d is the Elliptic Curve Discrete Logarithm Problem (ECDLP) — believed to require ~2128 operations classically.

The generator point G
A fixed point on secp256k1 with coordinates:
x = 79BE667E F9DCBBAC 55A06295 CE870B07 029BFCDB 2DCE28D9 59F2815B 16F81798
y = 483ADA77 26A3C465 5DA4FBFC 0E1108A8 FD17B448 A6855419 9C47D08F FB10D4B8
Every public key is P = d · G for some secret scalar d (the private key).
Why quantum computing matters
Shor's algorithm solves ECDLP in polynomial time on a quantum computer. This is why P2PK outputs (which expose the public key) are vulnerable, while P2PKH outputs (which expose only a hash) require breaking both ECDLP and the hash preimage.

C. Hash Functions

Hash functions are the workhorses of covenants. Every proposal uses them differently.

SHA-256
Maps arbitrary-length input to a 256-bit (32-byte) output. Bitcoin uses double-SHA-256 (SHA-256d): H(x) = SHA-256(SHA-256(x)). Used for: transaction IDs, block hashes, proof-of-work, CTV template hashes.
HASH160
RIPEMD-160(SHA-256(x)). Produces a 160-bit (20-byte) output. Used for: P2PKH addresses, P2SH addresses, P2WPKH witness programs. The 160-bit output is why ColliderScript needs ~280 operations for a birthday collision.
Tagged Hashes (BIP-340)
SHA-256(SHA-256(tag) || SHA-256(tag) || message)

The tag prefix ensures that hashes in different contexts can never collide. Tags used in Taproot:
"TapLeaf" — hashing a tapscript leaf
"TapBranch" — combining two branches in the Merkle tree
"TapTweak" — tweaking the internal key
"BIP0340/challenge" — Schnorr signature challenge

Properties that matter for covenants

  • Preimage resistance: Given H(x), finding x requires ~2256 work. This is why CTV's hash commitment is binding.
  • Collision resistance: Finding any xy where H(x) = H(y) requires ~2128 work (birthday bound). ColliderScript exploits the weaker 280 birthday bound of RIPEMD-160.
  • Determinism: Same input always produces same output. This is what makes CTV work — only one transaction can match the committed hash.

D. Schnorr Signatures (BIP-340)

Taproot uses Schnorr signatures instead of ECDSA. All covenant proposals that interact with Tapscript use Schnorr verification. CSFS extends it to arbitrary messages.

Key generation

Private key: d ∈ {1, 2, …, n−1}
Public key: P = d · G BIP-340 uses x-only public keys (just the x-coordinate, 32 bytes)

Signing

Choose random nonce k, compute R = k · G
Compute challenge: e = Htag(Rx || Px || m)
Compute: s = k + e · d mod n
Signature: (Rx, s) — 64 bytes total Schnorr signing

Verification

Compute e = Htag(Rx || Px || m)
Check: s · G = R + e · P Verification equation — this is what OP_CHECKSIG computes
Why the message m matters for covenants
In standard OP_CHECKSIG, m is always the transaction's sighash — a hash of the spending transaction's fields. The signer cannot choose m freely.

OP_CHECKSIGFROMSTACK (CSFS) removes this restriction. It lets the script specify m as any value from the stack. This is what enables oracle attestations, delegation, and — combined with CTV — covenants.

Why Schnorr (not ECDSA) for Taproot

  • Linearity: Schnorr signatures are linear — (s1 + s2) · G = s1 · G + s2 · G. This enables key aggregation (MuSig), signature aggregation (DahLIAS), and adaptor signatures. ECDSA lacks this property.
  • Provable security: Schnorr has a security proof in the random oracle model. ECDSA does not.
  • Simpler: No DER encoding, no s-value malleability, fixed 64-byte size.

E. Taproot Mathematics

Taproot is the foundation all covenant proposals build on. Understanding the key tweak and Merkle tree is essential.

The Key Tweak

A Taproot output commits to an internal key P and an optional script tree c. The output key Q is:

Q = P + HTapTweak(Px || r) · G where r is the Merkle root of the script tree (or empty for key-path-only)

The tweak t = HTapTweak(Px || r) is a scalar. The output key is a point. Anyone who knows P and r can verify the tweak, but the output key Q looks like any other public key on the curve.

Key-path spend

If you know the private key d for P, you can spend with private key d + t (mod n). This produces a standard Schnorr signature — indistinguishable from any other spend.

Script-path spend (MAST)

The script tree is a Merkle tree of TapLeaf hashes:

Leaf hash: HTapLeaf(v || compact_size(script) || script)

Branch hash: HTapBranch(min(hL, hR) || max(hL, hR))

Root: r = the top-level branch hash v is the leaf version byte (0xc0 for current tapscript)

To spend via script path, you reveal: the script, a Merkle proof (sibling hashes), and the internal key P. The verifier recomputes Q and checks it matches the output.

Why leaf versions matter for covenants
Current tapscript uses leaf version 0xc0. Covenant proposals use new leaf versions to activate new opcodes safely:
• Russell's Script Restoration and Graftleaf both propose 0xc2
• OP_SUCCESSx opcodes in current 0xc0 leaves make the script succeed unconditionally — this is the upgrade hook for CTV, CSFS, OP_CAT

NUMS points (Nothing Up My Sleeve)

Some covenant constructions (Winternitz signatures, key-path-disabled covenants) need an internal key P where nobody knows the private key. A NUMS point is generated by hashing a known string and mapping to a curve point:

PNUMS = lift_x(SHA-256("some publicly known string")) If nobody knows d such that d · G = PNUMS, key-path spending is impossible

F. The CTV Template Hash

CTV (BIP-119) commits to a template hash of the spending transaction. Understanding exactly what's hashed is essential for understanding what CTV constrains and what it leaves free.

DefaultCheckTemplateVerifyHash(tx, i) =
SHA-256d(
  nVersion
  || nLockTime
  || SHA-256d(scriptSigs)
  || input_count
  || SHA-256d(sequences)
  || output_count
  || SHA-256d(outputs)
  || input_index
) BIP-119 template hash — the spending transaction must match this exactly

What's committed: All outputs (amounts + scriptPubKeys), all sequences, version, locktime, input count, input index.

What's NOT committed: The input outpoints (which UTXOs are being spent) and their values. This is deliberate — it means the same CTV template can be satisfied by spending different UTXOs, enabling batched payouts.

Why this is a covenant

The locking script is: <hash> OP_CHECKTEMPLATEVERIFY. When you try to spend, the node computes the template hash of your transaction and checks: does it equal <hash>? If not, the spend fails. The output has constrained its own future.

G. Post-Quantum Signature Primitives

Several covenant-adjacent proposals use hash-based signature schemes that resist quantum computers.

Lamport Signatures

Construction
To sign a 256-bit message:
  1. Key generation: Generate 512 random 256-bit values: sk[0][0], sk[0][1], sk[1][0], sk[1][1], …, sk[255][0], sk[255][1]
  2. Public key: Hash each one: pk[i][b] = H(sk[i][b])
  3. Signing: For each bit i of the message, reveal sk[i][mi]
  4. Verification: Hash each revealed value and check it matches the public key

Size: Public key = 512 × 32 = 16,384 bytes. Signature = 256 × 32 = 8,192 bytes. Total: ~24 KB per signature. One-time use only — signing two messages reveals enough secret keys to forge.

Security: Relies only on hash preimage resistance. No algebraic structure for quantum computers to exploit.

Winternitz One-Time Signatures (WOTS)

Winternitz compresses Lamport signatures by using hash chains instead of individual hashes:

With parameter w = 16 (chain length):

Break the 256-bit hash into 64 four-bit words
For each word i: chaini = H(15)(ski)

Public key: {H(15)(sk0), …, H(15)(sk63)}
Signature for word value v: H(v)(ski) H(k) means applying H iteratively k times

Size with OP_CAT (conduition's scheme): 7,948 bytes total (5,610 script + 2,240 witness) — a 26% reduction vs. Lamport.

The ECDSA nonce trick (Heilman)

Lamport signatures can be verified in today's Bitcoin Script by exploiting ECDSA signature length variability. Set the nonce k = 2−1 mod n (the modular inverse of 2), producing an exceptionally short r-value. A known k leaks the private key — but the Lamport layer provides the real security. OP_SIZE measures signature length; different lengths encode different bit values.

H. Hash Collision Mathematics (ColliderScript)

ColliderScript achieves covenants without new opcodes by exploiting the birthday paradox applied to 160-bit hashes.

Birthday Bound
For a hash function with N-bit output, the expected number of random inputs needed to find a collision is approximately 2N/2.

• SHA-256 (256-bit): collision at ~2128 — infeasible
• RIPEMD-160 (160-bit): collision at ~280 — expensive but achievable
• SHA-1 (160-bit): collision at ~280 — same

ColliderScript uses a dual-evaluation trick: the same data is processed two ways simultaneously:

"Big Script": OP_SHA1 and OP_RIPEMD160 operate on whole stack elements
"Small Script": SHA-1 and RIPEMD-160 reimplemented using 32-bit OP_ADD/OP_SUB

Find values A, B where:
OP_SHA1(A) = BigScript_dGen(w, t)
SHA1(B) = SmallScript_dGen(w, t)

If both match → A = B (with overwhelming probability) Cost: ~286 hash operations ≈ 33 hours of the entire Bitcoin network

I. Merkle Trees (Beyond Taproot)

Merkle trees appear in three distinct contexts in the covenant landscape:

1. Taproot script trees (MAST)

Binary tree of TapLeaf and TapBranch hashes. Reveals only the executed script path + Merkle proof. Covered in Section E above.

2. CTV commitment trees

CTV enables transaction trees — a single on-chain transaction commits to a binary tree of future transactions. Each leaf is a payout; internal nodes are intermediate transactions. The tree is pre-computed; users claim their leaf when ready.

Root tx: 1 input → 2 outputs (each a CTV-locked branch)
Level 1: 2 txs → 4 outputs
Level 2: 4 txs → 8 outputs

Level k: 2k leaf payouts

On-chain cost: O(log N) per claim instead of O(N) for all payouts Congestion control: batch N payouts with one on-chain transaction

3. MATT fraud proofs

Ingala's OP_CHECKCONTRACTVERIFY uses Merkle trees to represent computation states. Each leaf is a step in a computation; the Merkle root commits to the entire execution trace. A fraud proof reveals a single step where the claimed computation diverges from the correct one.

J. Sighash Flags and Transaction Binding

Understanding sighash flags is essential for APO and TXHASH proposals. A sighash flag determines which parts of the transaction the signature commits to.

FlagValueCommits to
SIGHASH_ALL0x01All inputs and all outputs
SIGHASH_NONE0x02All inputs, no outputs
SIGHASH_SINGLE0x03All inputs, only the output at the same index
ANYONECANPAY | *0x80 | *Only the current input (not all inputs)

SIGHASH_ANYPREVOUT (BIP-118)

Adds a new dimension: the signature does not commit to the input outpoint (which UTXO is being spent). The same signature can authorize spending from any UTXO with the same scriptPubKey. This is what enables LN-symmetry — a new state transaction can replace any previous one.

TXHASH modes

Brandon Black's proposal generalizes sighash flags into 5 hash modes for OP_TXHASH:

  • Mode 0: CTV-equivalent (all outputs, version, locktime, sequences)
  • Modes 1-4: APO variants (different combinations of input/output commitment)

Future modes use OP_SUCCESS semantics — they succeed unconditionally today, allowing safe extension later.

K. Putting It All Together: How a Covenant Executes

Here is the complete mathematical flow for a CTV+CSFS recursive covenant (Towns' construction):

Setup (one time):
1. Generate throwaway key pair: x ← random, X = x · G
2. Build tapscript: OP_OVER <X> OP_CSFS OP_VERIFY OP_CTV
3. Compute leaf hash: = HTapLeaf(0xc0 || script)
4. Compute tweak: t = HTapTweak(Xx || )
5. Compute output key: Q = X + t · G
6. Build CTV hash h for a tx sending value back to Q
7. Sign: (R, s) = Schnorr_sign(x, h)
8. Destroy x

Spending (every time, forever):
1. Witness: h, (R, s), script, control block
2. Script executes: OP_OVER duplicates h, OP_CSFS verifies sig on h, OP_CTV checks tx matches h
3. Output goes back to Q — the cycle repeats A perpetual self-spending covenant. The private key is gone; only the signature remains.

This construction uses every primitive covered in this section: finite field arithmetic, elliptic curve scalar multiplication, Schnorr signatures, tagged hashes, Taproot key tweaking, Merkle trees (single leaf), and the CTV template hash.

↑ Back to top