Bitcoin Covenants: CHECKSIGFROMSTACK (BIP 348)


This is the second article in a series deep diving into individual covenant proposals that have reached a point of maturity meriting an in-depth breakdown.

CHECKSIGFROMSTACK (CSFS), put forward by Brandon Black and Jeremy Rubin with BIP 348, is not a covenant. As I said in the introductory article to this series, some of the proposals I would be covering are not covenants, but synergize or interrelate with them in some way. CSFS is the first example of that.

CSFS is a very simple opcode, but before we go through how it works let’s look at the basics of how a Bitcoin script actually works.

Script is a stack based language. That means that data is “stacked” together on top of each other on the stack, and operated on by removing an item from the top of the stack to operate on based on what an opcode does, either returning the data or a result from it to the top of the stack.

There are two parts of a script when it is ultimately executed and verified, the “witness” provided to unlock the script, and the script included in the output being spent. The witness/unlocking script is “added” to the left side of the locking script, and then each item is added to (or operates on) the stack one by one left to right. Look at this example (the “|” marks the boundary between the witness and script):

1 2 | OP_ADD 3 OP_EQUAL

This example script adds the value “1” to the stack, then the value “2” on top of that. OP_ADD takes the top two elements of the stack and adds them together, putting the result back on to the stack (so now all that is on the stack is “3”). Another “3” is then added to the stack. The last item, OP_EQUAL, takes the top two items of the stack and returns a “1” to the stack (1 and 0 can represent True or False as well as numbers).

A script must end with the last item on the top of the stack being True, otherwise the script (and transaction executing it) fails and is considered consensus invalid.
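The stack model described above can be traced with a toy interpreter. This is an added example, not code from the article or from Bitcoin itself; it handles only small integers and the opcodes ADD, DUP, EQUAL and EQUALVERIFY, and the function name run is an assumption.

```python
def run(witness, script):
    """Run witness items, then script items, left to right.

    Returns (success, trace); trace holds a copy of the stack after each item.
    """
    stack, trace = [], []
    for item in witness.split() + script.split():
        op = item[3:] if item.startswith("OP_") else item
        try:
            if op == "ADD":
                b, a = stack.pop(), stack.pop()
                stack.append(a + b)
            elif op == "DUP":
                stack.append(stack[-1])
            elif op in ("EQUAL", "EQUALVERIFY"):
                b, a = stack.pop(), stack.pop()
                stack.append(1 if a == b else 0)
                # VERIFY step: fail at once unless the top item is 1, else drop it
                if op == "EQUALVERIFY" and stack.pop() != 1:
                    return False, trace
            else:
                stack.append(int(op))      # anything else is a small-integer push
        except (IndexError, ValueError):   # stack underflow or unknown token
            return False, trace
        trace.append(list(stack))
    # Success requires a true (non-zero) value on top of the final stack.
    return bool(stack) and stack[-1] != 0, trace


if __name__ == "__main__":
    print(run("1 2", "OP_ADD 3 OP_EQUAL"))   # the article's example script
    print(run("1 1", "OP_ADD 3 OP_EQUAL"))   # wrong witness: final top item is 0
```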

This is a basic example of a pay-to-pubkey-hash (P2PKH) script, i.e. the legacy addresses that start with a “1”:

<signature> <pubkey> | DUP HASH160 <pubkey-hash> EQUALVERIFY CHECKSIG

First the signature and the public key are added to the stack. Then DUP is called, which takes the top stack item and duplicates it, returning it to the top of the stack. HASH160 takes the top stack item (the public key duplicate), hashes it, then returns it to the top of the stack. The public key hash from the script is put on top of the stack. EQUALVERIFY functions the same as EQUAL, it grabs the two top stack items and returns a 1 or 0 based on the outcome. The only difference is EQUALVERIFY also runs VERIFY after EQUAL, which fails the transaction if the top stack item is not 1, and also removes the top stack item. Finally CHECKSIG is run, which grabs the top two stack items assuming them to be a signature and a pubkey, and verifies the signature implicitly against the hash of the transaction being verified. If it is valid it puts a 1 on top of the stack.

How CSFS Works

CHECKSIG is one of the most used opcodes in Bitcoin. Every transaction, with almost no exceptions, makes use of this opcode at some point in one of its scripts. Signature verification is a foundational component of the Bitcoin protocol. The problem is, there is almost no flexibility in terms of what message you are checking the signature against. CHECKSIG will only verify a signature against the transaction being verified. There is some flexibility, i.e. you can decide with some degree of freedom what parts of the transaction the signature applies to, but that’s it.

CSFS aims to change this by allowing a signature to be verified against any arbitrary message that is pushed directly onto the stack, instead of being limited to the verification of signatures against the transaction itself. The opcode follows a very basic operational structure:

<signature> <message> | <pubkey> CSFS

The signature and message are dropped on top of the stack, then the public key on top of them, and finally CSFS grabs the top three items from the stack assuming them to be the public key, message, and signature from top to bottom, verifying the signature against the message. If the signature is valid, a 1 is placed on the stack.

That’s it. A simple variant of CHECKSIG that lets users specify arbitrary messages instead of just the spending transaction.

What Is CSFS Useful For

So what exactly is this good for? What is the use of checking a signature against an arbitrary message on the stack instead of against the spending transaction?

Firstly, in combination with CTV it can provide a functionality equivalent to something that Lightning developers have wanted since the very beginning, floating signatures that can attach to different transactions. This was originally proposed as a new sighash flag for signatures (the field that dictates what parts of a transaction a signature applies to). This was needed because a transaction signature covers the transaction ID of the transaction that created the output being spent. This means a signature is only valid for a transaction spending that exact output.

This is a desired behavior for Lightning because it would allow us to do away with channel penalties. Every past Lightning state needs a penalty key and transaction in order to ensure that your channel counterparty never uses any of them to try to claim funds they don’t own. If they try you can claim all their money. A superior functionality would be something that allows you to simply “attach” the current state transaction to any previous one to stop the theft attempt by distributing funds correctly as opposed to confiscating them.

This can be accomplished with a basic script that takes a CTV hash and a signature over it that is checked using CSFS. This would allow any transaction hash signed by that CSFS key to spend any output that is created with this script.

Another useful feature is delegation of control of a UTXO. The same way that any CTV hash signed by a CSFS key can validly spend a UTXO with a script designed for that, other variables can be passed into the script to be checked against, such as a new public key. A script could be constructed that allows a CSFS key to sign off on any public key, which then could be validated using CSFS and used for a normal CHECKSIG validation. This would allow you to delegate the ability to spend a UTXO to anyone else without having to move it on-chain.
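The CSFS operation and the key delegation described above, as an added Python example that is not from the article or from BIP 348's own code. Assumptions: signatures are BIP340-style Schnorr with a simplified deterministic nonce, an invalid signature pushes 0 rather than following BIP 348's exact failure rules, CHECKSIG is stood in for by a plain signature check over a 32-byte hash, and the names csfs and spend_delegated are hypothetical.

```python
import hashlib

P = 2**256 - 2**32 - 977  # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)  # generator
b32 = lambda n: n.to_bytes(32, "big")

def add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None: return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    num, den = (3 * a[0] ** 2, 2 * a[1]) if a == b else (b[1] - a[1], b[0] - a[0])
    lam = num * pow(den % P, -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return x, (lam * (a[0] - x) - a[1]) % P

def mul(k, pt):  # double-and-add scalar multiplication
    acc = None
    while k:
        acc, pt, k = (add(acc, pt) if k & 1 else acc), add(pt, pt), k >> 1
    return acc

def h(tag, *parts):  # BIP340 tagged hash, reduced to a scalar mod N
    t = hashlib.sha256(tag.encode()).digest()
    return int.from_bytes(hashlib.sha256(t + t + b"".join(parts)).digest(), "big") % N
def keypair(d):  # (secret negated if needed so Y is even, 32-byte x-only public key)
    x, y = mul(d, G)
    return (d if y % 2 == 0 else N - d), b32(x)
def sign(d, msg):  # assumption: deterministic nonce, simpler than BIP340's aux-rand scheme
    d, pk = keypair(d)
    k, rx = keypair(h("BIP0340/nonce", b32(d), pk, msg))
    return rx + b32((k + h("BIP0340/challenge", rx, pk, msg) * d) % N)

def verify(pk, msg, sig):  # Schnorr check of sig over an arbitrary message
    x, r, s = (int.from_bytes(v, "big") for v in (pk, sig[:32], sig[32:]))
    y = pow(x**3 + 7, (P + 1) // 4, P)
    if len(sig) != 64 or x >= P or r >= P or s >= N or (y * y - x**3 - 7) % P:
        return False
    e = h("BIP0340/challenge", sig[:32], pk, msg)
    R = add(mul(s, G), mul(N - e, (x, y if y % 2 == 0 else P - y)))
    return R is not None and R[1] % 2 == 0 and R[0] == r

def csfs(stack):  # pops pubkey, message, signature (top to bottom); pushes 1 or 0
    pk, msg, sig = stack.pop(), stack.pop(), stack.pop()
    stack.append(1 if verify(pk, msg, sig) else 0)
    return stack

def spend_delegated(owner_pk, delegate_pk, delegation_sig, sighash, tx_sig):
    # CSFS: the owner's signature must cover the delegate's key as the message...
    delegated = csfs([delegation_sig, delegate_pk, owner_pk]) == [1]
    return delegated and verify(delegate_pk, sighash, tx_sig)  # ...then CHECKSIG stand-in
```

The delegation signature is `sign(owner_secret, delegate_pk)`: the message CSFS checks is the delegate's 32-byte public key, so the owner can authorize a new key without any on-chain transaction.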

Lastly, in combination with CAT, CSFS can be used to compose much more complex introspection functionality. As we will see later in the series though, CSFS is not actually required to emulate any of this more advanced behavior, as CAT alone is able to do so.

Closing Thoughts

CSFS is a very basic opcode that in addition to offering simple useful functionality in its own right composes very nicely with even the most simple covenant opcodes to create very useful functionality. While the example above regarding floating signatures specifically references the Lightning Network, floating signatures are a generally useful primitive that are applicable to any protocol built on Bitcoin making use of pre-signed transactions.

In addition to floating signatures, script delegation is a very useful primitive that generalizes far beyond delegating control over a UTXO to a new public key. The same basic ability to “sideload” variables after the fact into a script validation flow can apply to anything, not just public keys. Timelock values, hashlock preimages, etc. Any script that hardcodes a variable to verify against can now have those values dynamically added after the fact.

On top of that, CSFS is a very mature proposal. It has an implementation that has been live on the Liquid Network and Elements (the codebase Liquid uses) since 2016. In addition Bitcoin Cash has had a version of it since 2018.

CSFS is a very mature proposal that goes back conceptually almost as long as I have been in this space, with multiple mature implementations, and very clear use cases it can be applied to.
