@@ -39,125 +39,24 @@ The recommended standardness rules additionally:
3939
4040==Motivation ==
4141
42- Covenants are restrictions on how a coin may be spent beyond key ownership. This is a general
43- definition based on the legal definition which even simple scripts using CSV would satisfy.
44- Covenants in Bitcoin transactions usually refer to restrictions on where coins can be transferred.
45- Covenants can be useful to construct smart contracts. As covenants are complex to implement
46- and risk of introducing fungibility discriminants they have not been seriously considered for
47- inclusion in Bitcoin.
48-
49- This BIP introduces a simple covenant called a *template* which enables a limited set of highly
50- valuable use cases without significant risk.
51-
52- A few examples are described below, which should be the subject of future non-consensus
53- standardization efforts.
54-
55- ===Congestion Controlled Transactions ===
56-
57- When there is a high demand for blockspace it becomes very expensive to make transactions. A large
58- volume payment processor may aggregate all their payments into a single O(1) transaction commitment
59- for purposes of confirmation using CHECKTEMPLATEVERIFY. Then, some time later, the payments can
60- be expanded out of that UTXO when the demand for blockspace is decreased. These payments can be
61- structured in a tree-like fashion to reduce individual costs of redemption.
62-
63- The below chart showcases the structure of these transactions in comparison to
64- normal transactions and batched transactions.
65-
66- <img src="bip-0119/states.svg" align="middle"></img>
67-
68- A simulation is shown below of what impact this could have on mempool backlog
69- given 5% network adoption, and 50% network adoption. The code for the simulation
70- is provided in this BIP's subdirectory.
71-
72- <img src="bip-0119/five.png" align="middle"></img>
73- <img src="bip-0119/fifty.png" align="middle"></img>
74-
75- ===Payment Channels ===
76-
77- There are numerous payment channel related uses.
78-
79- ====Batched Channel Creation ====
80-
81- Using CHECKTEMPLATEVERIFY for Batched Channel Creation is similar to the use for Congestion Control,
82- except the leaf node transactions are channels instead of plain payments. The channel can be between
83- the sender and recipient or a target of recipient's choice. Using an CHECKTEMPLATEVERIFY, the
84- recipient may give the sender an address which makes a tree of channels unbeknownst to them.
85- These channels are time insensitive for setup, as all punishments are relative timelocked to the
86- penultimate transaction node.
87- Thus, coins sent using a congestion controlled transaction can still enjoy instant liquidity.
88-
89- ====Non-Interactive Channels ====
90-
91- When opening a traditional payment channel, both parties to the channel must participate. This is
92- because the channel uses pre-signed multi-sig transactions to ensure that a channel can always be
93- exited by either party, before entering.
94- With CHECKTEMPLATEVERIFY, it’s possible for a single party to construct a channel which either
95- party can exit from without requiring signatures from both parties.
96- These payment channels can operate in one direction, paying to the channel "listener" without need
97- for their private key to be online.
98- <img src="bip-0119/nic.svg" align="middle"></img>
99-
100- ====Increased Channel Routes ====
101-
102- In the Lightning Network protocol, Hashed Time Locked Contracts (HTLCS) are used in the construction
103- of channels. A new HTLC is required per route that the channel is serving in.
104- In BOLT #2, this maximum number of HTLCs in a channel is hard limited to 483 as the maximum safe
105- size to prevent the transaction from being too large to be valid. In common software implementations
106- such as LND, this limit is set much lower to 12 HTLCS. This is because accepting a larger number of
107- HTLCS makes it more difficult for transactions to confirm during congested periods as they must pay
108- higher fees.
109- Therefore, similarly to how congestion control is handled for normal transaction, lightning channel
110- updates can be done across an CHECKTEMPLATEVERIFY tree, allowing nodes to safely use many more
111- HTLCS.
112- Because each HTLC can have its own relative time lock in the tree, this also improves the latency
113- sensitivity of the lightning protocol on contested channel close.
114-
115- ===Wallet Vaults ===
116-
117- This section will detail two variants of wallet vault that can be built using
118- CTV. Wallet vaults are a useful tool when greater security is required for
119- cold storage solutions, providing default transactional paths that move funds
120- from one's cold storage to a hot wallet.
121-
122- One type of cold wallet can be set up such that a customer support desk can,
123- without further authorization, move a portion of the funds (using multiple
124- pre-set amounts) into a lukewarm wallet operated by an isolated support desk.
125- The support desk can then issue some funds to a hot wallet, and send the
126- remainder back to cold storage with a similar withdrawal mechanism in place.
127- This is all possible without CHECKTEMPLATEVERIFY, but CHECKTEMPLATEVERIFY
128- eliminates the need for coordination and online signers, as well as reducing
129- the ability for a support desk to improperly move funds. Furthermore, all such
130- designs can be combined with relative time locks to give time for compliance
131- and risk desks to intervene. This is a 'Coins at Rest' or 'Optically Isolated'
132- vault, and is shown below.
133-
134- <img src="bip-0119/vaults.svg" align="middle"></img>
135-
136- An alternative design for vaults is also highly effective and simpler to
137- implement in Sapio, a smart contract programming language. In this design, the
138- user commits to a single UTXO that contains a program for an annuity of
139- withdrawals from cold storage to a hot wallet. At any time, the remaining
140- balance for the annuity can be cancelled and funds locked entirely in cold
141- storage. The withdrawals to the hot wallet can be 'cancelled' before a maturity
142- date to ensure the action was authorized. These sort of vaults strongly benefit
143- from non-interactivity because the withdrawal program can be set up with cold
144- keys that are permanently offline, except in case of emergency. The image below
145- shows an instance of this type of wallet vault created with Sapio in Sapio
146- Studio. These types of wallet vault can also be chained together by taking
147- advantage of CTV's scriptSig commitment. This type of vault is a 'Coins in Motion'
148- variant where the coins move along the control path.
149-
150- <img src="bip-0119/vaultanim.gif" align="middle"></img>
151-
152- ===CoinJoin / Payment Pools / Join Pools ===
153-
154- CHECKTEMPLATEVERIFY makes it much easier to set up trustless CoinJoins than
155- previously because participants agree on a single output which pays all
156- participants, which will be lower fee than before. Further each participant
157- doesn't need to know the totality of the outputs committed to by that output,
158- they only have to verify their own sub-tree will pay them. These trees can
159- then, using a top-level Schnorr key, be interactively updated on a rolling basis
160- forming a "Payment Pool".
42+ Covenants are restrictions on how a coin may be spent beyond key ownership.
43+ This is a general definition based on the legal definition which even simple
44+ scripts using CSV would satisfy. Covenants in Bitcoin transactions usually
45+ refer to restrictions on where coins can be transferred. Covenants can be
46+ useful to construct smart contracts. As covenants are complex to implement and
47+ risk of introducing fungibility discriminants they have not been seriously
48+ considered for inclusion in Bitcoin.
49+
50+ This BIP introduces a simple covenant called a *template* which enables a
51+ limited set of highly valuable use cases without significant risk. BIP-119
52+ templates allow for non-recursive fully-enumerated covenants with no dynamic
53+ state. CTV serves as a replacement for a pre-signed transaction oracle, which
54+ eliminates the trust and interactivity requirements. Examples of uses include
55+ wallet vaults, non-interactive payment channel creation, congestion controlled
56+ batching, efficient to construct discreet log contracts, and payment pools,
57+ among many others. For more details on these applications, please see the
58+ references.
59+
16160
16261==Detailed Specification ==
16362
@@ -725,6 +624,14 @@ for older node versions that can be patched but not upgraded to a newer major re
725624*[https://fc16.ifca.ai/bitcoin/papers/MES16.pdf Bitcoin Covenants ]
726625*[https://bitcointalk.org/index.php?topic=278122.0 CoinCovenants using SCIP signatures, an amusingly bad idea. ]
727626*[https://fc17.ifca.ai/bitcoin/papers/bitcoin17-final28.pdf Enhancing Bitcoin Transactions with Covenants ]
627+ *[https://github.com/jamesob/simple-ctv-vault Simple CTV Vaults ]
628+ *[https://github.com/kanzure/python-vaults Python Vaults ]
629+ *[https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-January/019808.html CTV Dramatically Improves DLCs ]
630+ *[https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-April/020225.html Calculus of Covenants ]
631+ *[https://rubin.io/bitcoin/2021/12/10/advent-13/ Payment Pools with CTV ]
632+ *[https://rubin.io/bitcoin/2021/12/11/advent-14/ Channels with CTV ]
633+ *[https://rubin.io/bitcoin/2021/12/09/advent-12/ Congestion Control with CTV ]
634+ *[https://rubin.io/bitcoin/2021/12/07/advent-10/ Building Vaults on Bitcoin ]
728635
729636
730637===Note on Similar Alternatives ===
0 commit comments