Explaining CheckTemplateVerify, Bitcoin’s Latest Controversial Soft Fork Proposal

2 years ago

CheckTemplateVerify (CTV) is a soft fork proposal for Bitcoin specified in the Bitcoin Improvement Proposal (BIP) 119. It aims to enable new use cases for the network by adding more complex types of “covenants,” or smart contracts, than what can be achieved at the moment.

Why Covenants?

Bitcoin, as is, doesn’t have a lot of flexibility in its programmability at the base level of transactions — and certainly not as much flexibility as it has at the level of the public and private keys used to sign transactions.

A programmer can currently control the inputs of a transaction with Bitcoin Script, restricting what can be done before a transaction is spent, but they can’t control the outputs as much. In other words, in most Bitcoin smart contracts today, a user can control how a coin can be unlocked by defining restrictions necessary to be satisfied. But they can’t control very well what can be done with that coin once it is unlocked.

For instance, one can specify a certain amount of time before a transaction can be spent with a timelock, effectively locking that transaction until the specified block height is reached. In this case, restrictions are being imposed on when funds can be spent, preventing the right key from unlocking those funds and spending them. However, after that time expires and the block height is reached on the Bitcoin blockchain, the key can unlock those funds and spend them freely.

Therefore, covenants have the power to unlock a new set of possibilities to the way Bitcoin can be programmed by enabling a pre-definition of which outputs are acceptable, instead of just controlling the inputs. Although complex covenants with endless possibilities could bring security risks to the network by potentially enabling unexpected or unintended consequences, the proposal for CTV is, for the most part, simple.

What Is CTV?

In short, CTV allows a Bitcoin user to restrict the way they can spend bitcoin even if they have the key to the bitcoin they want to spend.

More importantly, CTV allows these spending restrictions to be enforced non-interactively. Some use cases enabled by CTV could be made possible today, but most of the time the set of users participating in the smart contract agreement would need to be online and manually interact to coordinate the spending rules, which isn’t always possible. CTV enables these restrictions to be enforced programmatically, without requiring manual action by participants, hence increasing the reliability of the covenant.

Today, you can spend your UTXOs however you want. In a post-CTV world, you could put rules in place over your UTXOs to control or limit the possible ways you could spend those coins. Not when they are spent, but how. By bringing these types of new features into Bitcoin, a more diverse set of use cases could be enabled, and a new ecosystem of applications could emerge.

Some of the functionalities that CTV could enable for Bitcoin include enhancements in security, privacy and scalability. With the activation of CTV, users would be able to create more sophisticated custody solutions, like vaults, that could allow a Bitcoin user to pre-define scheduled and limited spending of bitcoin from cold to hot storage, hence limiting the damage from a potential hack. CTV could also bring payment pools, a kind of arrangement where a group of people can share a single UTXO and trustlessly rebalance funds among them, not only increasing their privacy but also enabling better scaling opportunities for Bitcoin. Moreover, CTV could supercharge the Lightning Network with improvements in channel creation and redemption, as well as in hash time locked contracts (HTLCs), thereby increasing efficiency and liquidity in Bitcoin’s second-layer protocol.

How Does CTV Work?

Under the hood, CTV brings a new opcode for Bitcoin, a new addition to the set of operations available in Bitcoin Script.

BIP119 adds the new opcode OP_CHECKTEMPLATEVERIFY to Bitcoin through OP_NOP4, implementing a consensus change in the protocol through a soft fork.

Currently, numbered OP_NOPs (OP_NOP1 and OP_NOP4 through OP_NOP10) are ignored when used while not making the transaction invalid; more notably, they are reserved opcodes that can be leveraged to add new opcodes to the protocol. However, that doesn’t hold true to OP_NOP itself (with no numbers), as it is a “non-operation” opcode.

BIP119 seeks to repurpose OP_NOP4 to assume a verification function in the form of OP_CHECKTEMPLATEVERIFY, a process that was also leveraged for the addition of OP_CHECKLOCKTIMEVERIFY and OP_CHECKSEQUENCEVERIFY to the protocol, repurposing OP_NOP2 and OP_NOP3, respectively.

OP_CHECKTEMPLATEVERIFY does three checks when it is run. First, naturally, it checks if there is at least one element on the stack. If there is, it then checks if the element has exactly 32 bytes –– the size of a SHA-256 hash. If there is an item on the stack and it has 32 bytes, then CTV will check if it matches the hash of the transaction at the current input index.

This step –– checking if the element matches the hash –– is exactly where the enforcement happens. Here, the program is verifying whether the transaction passed to it is part of the set of transactions previously specified by the contract (or covenant) as the “possible ones” –– the ones that would have approval. This set of transactions would have been previously defined by the user in a contract.

Though not necessary for building contracts that can be enforced with CTV, Sapio is a programming language under development designed specifically for this purpose. It abstracts away low-level programming details to facilitate building smart contracts for Bitcoin with, for example, components –– reusable pieces of code that improve readability and usability of a program.

Programmers first build a template with Sapio, specifying some conditions, which then outputs a list of partially-signed bitcoin transactions (PSBTs) that can be leveraged to specify an exhaustive set of transactions for spending –– allowing us to constrain the set of allowed outputs in a transaction to a set that is smaller than the set of all possible outputs.

CHECKTEMPLATEVERIFY pre-commits to a transaction by determining all of the possible transaction IDs ahead of time. Although restrictive, the assumption is that by knowing the txIDs in advance, the covenant is easier to be enforced as the universe of transactions to be checked is restricted.

The specific hash function being analyzed by the opcode, DefaultCheckTemplateVerifyHash, hashes parts of a transaction in a serial manner, starting with version and locktime. Next, the function hashes the scriptSig hash if the transaction is not a SegWit transaction, and then it hashes the number of inputs, the hash of the sequences and the number of outputs. Lastly, the function hashes the outputs’ hash and the input index.

By committing to (or determining) most of these in advance, not only can the txID be determined beforehand, but it also enables only a few of those to be set later on (to be malleable) and makes validation more efficient, as plenty of fields had already been hashed.

“The idea of ordering the fields in a particular way was that if at some point in the future you had something like OP_CAT in Bitcoin, you might be manipulating these on the stack,” Jeremy Rubin, the author of BIP119, told Bitcoin Magazine. “There’s some benefit for them to be in order of how likely you might be to change them programmatically.”

“So, part of the thinking was that nVersion is the least likely to be changed, input index is the most likely to be changed, and everything else falls in the middle in that order,” Rubin added.

The assumption is that a Bitcoin developer programming a covenant is more likely to programmatically change information about the outputs than the inputs, given the fact that a covenant tries to restrict how a coin can be spent.

Therefore, what OP_CHECKTEMPLATEVERIFY does is check if the transaction is allowed. In other words, it enforces the restrictions imposed by the covenant programmed with Sapio.

But that check only happens if the element on the stack is 32 bytes in size. If not, CTV will OP_NOP the element on the stack, meaning it will not fail execution, but rather “do nothing.”

This subtle difference seeks to accommodate future developments that could be built after CTV, for instance, a “CTV version two” that adds a flag byte to it –– making the element 33 bytes. Then, instead of using CTV to check it, since it only checks elements of 32 bytes, the element would be checked by the “CTV version two” that checks 33 bytes. And that’d be possible because the OP_NOP enabled the script evaluation to continue. If it had failed instead, evaluation would not have continued and thus the element would not have been checked against “CTV version two.”
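The three checks, the field-by-field template hash and the 32-byte rule described above, as an added example that is not code from BIP119, Bitcoin Core or Sapio. Field widths and the rule that the scriptSig hash is included only when some input has a non-empty scriptSig follow the BIP119 reference code; the type names, the `op_ctv` return strings and the sample transaction are constructed for illustration.

```python
import hashlib
import struct
from collections import namedtuple

# Minimal transaction model (illustrative names, not Bitcoin Core's).
TxIn = namedtuple("TxIn", "sequence script_sig", defaults=[b""])
TxOut = namedtuple("TxOut", "value script_pubkey")        # value in satoshis
Tx = namedtuple("Tx", "version locktime vin vout")

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def ser_string(s: bytes) -> bytes:
    """CompactSize length prefix plus bytes (enough for scripts up to 0xFFFF bytes)."""
    n = len(s)
    prefix = bytes([n]) if n < 0xFD else b"\xfd" + struct.pack("<H", n)
    return prefix + s

def template_hash(tx: Tx, input_index: int) -> bytes:
    """Hash the committed fields in the order the article lists them."""
    r = struct.pack("<i", tx.version) + struct.pack("<I", tx.locktime)
    if any(i.script_sig for i in tx.vin):      # scriptSigs hash only if one is non-empty
        r += sha256(b"".join(ser_string(i.script_sig) for i in tx.vin))
    r += struct.pack("<I", len(tx.vin))
    r += sha256(b"".join(struct.pack("<I", i.sequence) for i in tx.vin))
    r += struct.pack("<I", len(tx.vout))
    r += sha256(b"".join(struct.pack("<q", o.value) + ser_string(o.script_pubkey)
                         for o in tx.vout))
    r += struct.pack("<I", input_index)
    return sha256(r)

def op_ctv(stack: list, tx: Tx, input_index: int) -> str:
    """Apply the three checks; returns 'fail', 'nop' or 'ok'."""
    if not stack:
        return "fail"                          # nothing on the stack
    if len(stack[-1]) != 32:
        return "nop"                           # other sizes are left for future upgrades
    return "ok" if stack[-1] == template_hash(tx, input_index) else "fail"

def p2wpkh(fill: int) -> bytes:                # constructed placeholder scriptPubKey
    return b"\x00\x14" + bytes([fill]) * 20

# Constructed sample: the one spend a vault-style covenant allows.
SPEND = Tx(2, 0, [TxIn(0xFFFFFFFE)], [TxOut(90_000, p2wpkh(0x11)), TxOut(9_000, p2wpkh(0x22))])
COMMITMENT = template_hash(SPEND, 0)           # the 32 bytes placed in the locking script

def run_cases() -> dict:
    redirected = SPEND._replace(vout=[TxOut(90_000, p2wpkh(0x99)), SPEND.vout[1]])
    return {
        "matching spend": op_ctv([COMMITMENT], SPEND, 0),
        "output redirected": op_ctv([COMMITMENT], redirected, 0),
        "wrong input index": op_ctv([COMMITMENT], SPEND, 1),
        "33-byte element": op_ctv([COMMITMENT + b"\x01"], SPEND, 0),
        "empty stack": op_ctv([], SPEND, 0),
    }

if __name__ == "__main__":
    for name, result in run_cases().items():
        print(f"{name}: {result}")
```

The holder of the key cannot redirect an output or reuse the commitment at another input index without the comparison failing, while a 33-byte element passes through untouched, which is the upgrade hook the paragraph above describes.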

Will CTV Be Bitcoin’s Next Upgrade?

The Bitcoin upgrade process is known for its methodic and cautious approach, a critical characteristic to the survival of the network and the ensured correctness of each new addition to the code. Therefore, it is very much unclear whether or not CTV might be added to Bitcoin any time soon.

Although not a new proposal –– the BIP was created in January 2020 –– prominent Bitcoin developers argue that there needs to be more extensive testing and discussions about the suggested changes, especially when it relates to possible optimizations and a more detailed consideration of alternatives.

CTV, at the time of writing, would add a limited set of new possibilities to Bitcoin as it seeks to implement a low-risk form of covenants into the protocol. Rubin told Bitcoin Magazine that the goal is to ship something that enables new functionality for Bitcoin while being “most likely one of the simplest soft forks in terms of the impact on Bitcoin validation that we’ve ever done.”

Rubin added that he feels like “there’s a little bit of a double standard” being applied in reviews of his proposal by the developer community. “This is a much higher bar that CTV is being held to than anything we’ve done previously,” he told Bitcoin Magazine.

Earlier this month, Bitcoin and Lightning Network developer at Spiral, Matthew Corallo, tweeted that “at no point in Bitcoin's history has it been good to suggest shipping things into consensus… without considering alternatives.” Corallo claims that Rubin, and those working on and supporting CTV in general, for the past couple of years have failed to show “a more formal approach to comparing it to alternatives.”

“The push for CTV feels... wrong in just about every way,” Corallo added. “Instead of collaborative engineering it feels like ‘I built this, let's do it’ while ignoring any feedback.”

A desire for further experimentation and research is also shared by Blockstream’s director of research, Andrew Poelstra. When asked if CTV would be Bitcoin's current best shot at extending functionality to support covenants, he told Bitcoin Magazine that he “would suggest not,” adding that “CTV is not the only proposed way to implement covenants in Bitcoin –– and it hits a tradeoff between safety and generality which leaves room in either direction.”

“One way this could work is that CTV may be the most efficient way to implement ‘subtractive covenants,’ in which users restrict the majority of transaction data while leaving only a small part free,” Poelstra said. “Meanwhile, other proposals such as introspection opcodes may be best for ‘additive covenants’ where the majority of transaction data is free and only a small amount is restricted. If this is true, and the community needs more time to explore this, then we would really want APO and CTV and general-purpose covenants.”

APO, or OP_ANYPREVOUT, is another proposal for adding new functionality to Bitcoin, specified in BIP118. Its author, Christian Decker, a researcher at Blockstream who focuses on scaling solutions for Bitcoin, told Bitcoin Magazine that he also considers APO and CTV “to be complementary and not competing” additions to Bitcoin.

“Both are beneficial,” Decker said. “So I agree we should activate them together once both of them are ready, reviewed and tested.”

At the moment, readiness for activation is a sensitive subject in the Bitcoin community. In fact, part of the pushback against CTV by some developers is based on a supposed sense of urgency being portrayed by CTV proponents. Rushing into deployment could be harmful if changes that aren’t ready end up being added to Bitcoin’s code.

Decker told Bitcoin Magazine that he is comfortable with waiting longer for his proposal to be added to Bitcoin if that would mean a more robust testing process being employed, though he said he understands CTV proponents’ desire to activate as soon as possible.

“We don't think it is beneficial to push a change through, and that APO needs to be urgently deployed,” Decker said. “The longer the proposal can stew, the more eyes can review it and highlight potential weaknesses. Reviewer and developer time are Bitcoin's rarest resource, so we want to be respectful of that, despite having some [proof of concept] implementations of eltoo for example.”

In December 2021, in an effort to attract more eyes to his proposal, Rubin set up a bug bounty for CTV and its specifying BIP, saying he would grant $10,000 to anyone who found a “substantial” flaw in the suggested soft fork. The bounty has since grown immensely, but some developers, including Corallo and Adam Back, legendary cypherpunk and CEO of Blockstream, questioned Rubin’s initiative, suggesting that it was most likely not the best solution for getting more reviewers.

Despite the pushback on covenants from parts of the community, Poelstra said he believes that “there is no real opposition in the Bitcoin community to any of these ideas; we really just need individuals to champion them and push forward on public communication, tooling, test vectors, exploring use cases, etc., the way that Jeremy has with CTV.”

Besides heated discussions on Twitter, Rubin’s proposal has received more formal feedback and questions in the bitcoin-dev mailing list. Developers that have recently given feedback on CTV include Michael Folkson, Peter Todd and Luke Dashjr. Decker has also shared his thoughts on the intersection between CTV and his proposal. Poelstra shared feedback and suggestions for CTV with Bitcoin Magazine.

“If CTV is the way that the Bitcoin community wants to go, there are two ways that I would suggest improving it: the first would be to change its hashing structure to be useful for more general covenant applications,” he said. “How to do this, exactly, is an active area of research that I hope we will learn much more about in the coming weeks. Perhaps CTV should have ‘sighash flags’ analogous to the existing flags for signature checks.”

“Secondly, I would suggest slightly changing CTV to simply push the transaction hash onto the stack, and require the user use the existing EQUALVERIFY opcode to check that it matches a fixed template,” he added. “This will cost ordinary CTV users a single byte of transaction witness data, while widening the design space for future extensions to Bitcoin.”

Rubin, on the other hand, told Bitcoin Magazine that he believes it is more useful to ship CTV as is, even though it brings limited functionality, and to iterate on further features later.

In summary, though BIP119 has been generating a lot of buzz among the Bitcoin community, the future path for the proposed upgrade isn’t clear. The desire of proponents to increase Bitcoin’s range of functionality to accommodate new use cases is clashing with some old-timers’ more cautionary approach.

Furthermore, given Bitcoin’s history of only pushing upgrades that achieve overwhelming consensus and have been thoroughly reviewed, there may be a bumpy road ahead for CTV as Rubin tries to advocate for his improvement proposal. The developer has gone the extra mile in creating a dedicated website with plenty of resources to educate curious Bitcoiners about the possibilities that CTV could enable, but his enthusiasm for a Bitcoin protocol with new functionality hasn’t yet received the blessing of major figures in the Bitcoin development community.

For now, BIP119 looks stalled, pressed between those in favor of adding exciting new use cases to Bitcoin and those warranting a more cautious approach before enacting a consensus change in the world’s most revolutionary monetary system, a network that should last for thousands of years and cannot afford any missteps.

All in all, it might be some time before the two cohorts reach an agreement, but as the proposal gathers more understanding and interest among community members, the path for a consensus to be reached is being paved.

Special thanks to Rubin, who patiently helped the author bridge some gaps in his understanding. For a more detailed explanation of BIP119 technicals, watch this workshop from a couple of years ago (part one and part two). A transcript is available on this link. Other helpful resources are this conversation, this podcast episode and this other one. To be a part of the conversation about BIP119 and hear the latest discussions on the matter, join the bitcoin-dev mailing list.
