Hi Greg, First, thank you for working on these important consensus changes.
## Comparison of hashes. Compared to CTV, TEMPLATEHASH drops nInputs, nOutputs, and scriptSigs; and adds the taproot annex presence flag and taproot annex. Compared to SIGHASH_ANYSCRIPTANYPREVOUT|ALL, TEMPLATEHASH drops hash_type, _this_ sequence, key_version, and codesep_pos; and adds _all_ sequences. This puts TEMPLATEHASH in a pretty comfortable middle ground between CTV's hash and ANYSCRIPTANYPREVOUT's. It indirectly commits to the number of inputs via sequences, is capable of creating stable txids with 1 input, and makes no concession to constructing the hash on the stack nor to legacy script. ## Capabilities As has been previously discussed, all protocols that are possible with LNHANCE are possible with CTV+CSFS alone. That remains true with TEMPLATEHASH+CSFS. The other two LNHANCE opcodes are optimizations. This proposal includes INTERNALKEY for its ability to save 32WU in common protocols where the taproot internal key can be reused in scripts (e.g. Lightning Symmetry). The final LNHANCE opcode, PAIRCOMMIT, is omitted from this proposal and its optimization capacity is enabled for certain specific cases by TEMPLATEHASH committing to the taproot annex. For protocols which need to bind and make available one additional data push with a spend (either pre-committed or spend-time committed), this is sufficient. One comment on the commitment to the annex: In my X spaces today, we discussed whether this restricts future uses of the annex in practice. We concluded that while it does eliminate certain perverse ways of implementing certain annex extensions, it does not seem to eliminate any possible protocol application. E.g. once we have an opcode that is expected to be used in pre-committed transaction scripts in the wild, we cannot make a consensus rule that requires all taproot spends to have a non-empty annex. ## Efficiency Comparing this proposal to LNHANCE and other earlier proposals in terms of its efficiency for implementing common proposed protocols: unless a protocol requires multiple data commitments (e.g. a complex delegation to key_a after locktime_a or key_b after locktime_b), this proposal will be within the range of +1WU to -33WU. For protocols that could have used bare CTV, this proposal is 69WU less efficient, but as of this writing the only protocol that is known to take advantage of bare CTV is congestion control trees. I am not aware of any concrete proposal to implement these. For protocols that do require multiple data commitments, each additional data commitment requires an additional pubkey and 3 signatures to implement Key Laddering. Adding PAIRCOMMIT or CAT to consensus would eliminate this. Concretely, I believe this proposal will be 32WU more efficient in the Lightning Symmetry uncontested close case. ## Closing thoughts I'm happy to see this tightly scoped tapscript only opcode package proposed. As of this writing, I do not have any technical misgivings about this selection of opcodes and functionality. I hope to see this proposal garner review from the broader technical community! Thanks again for your work, --Brandon On 2025-07-09 (Wed) at 11:19:22 -0700, Greg Sanders wrote: > Hello all, > > This is a bit of a follow-up from "What's a good stopping point? ... > CTV/CSFS..." from [^1] > > > There has been several objections to this proposal, which we can group > into three categories: > exploration of alternatives, demonstration of usage, and design of the > operations to achieve these capabilities > > For this e-mail I would like to address the third point proactively: design > of the operations to achieve these capabilities. > > Antoine Poinsot, Steven Roose, and I have been working on a familiar, yet > concrete technical proposal that focuses on three well-understood > capabilities: > > 1. "Next transaction" capability, ala BIP119 > 2. "Verify signature of message on stack", ala BIP348 > 3. "Push taproot internal key onto stack", ala BIP349 > > These first two capabilities can offer radical simplifications > to well-understood systems when combined. The third is a simple > update that dovetails with the first two. > > The BIP text is > here(https://github.com/instagibbs/bips/blob/bip_op_templatehash/bip-templatehash-csfs-ik.md) > > and PR here(https://github.com/instagibbs/bips/pull/1), with full > motivation for this particular bundle and rationale discussing > alternatives. Our main contribution is a fully specified `OP_TEMPLATEHASH` > as a drop-in replacement for BIP119 `OP_CHECKTEMPLATEVERIFY`. > `OP_TEMPLATEHASH` is a simpler and more modern implementation of the "next > transaction" capability. It differs in committing to the Taproot annex and > being otherwise Taproot native, which allows us to: > > - Use the `OP_SUCCESS` upgrade hooks in place of legacy `OP_NOP`s and be > able to push the template hash on the stack making the flagship use case of > rebindable signatures more efficient. > - Re-use the existing pre-computed Taproot sighash fields only instead of > introducing new ones (substantially simplifying the implementation and > review of the specifications). > - Not commit to the spending transaction's scriptSigs (which are both > unecessary and may incentivize ad-hoc uses of legacy input scripts as > programs). > - Not unnecessarily modify the less well-understood legacy Script. > > Another notable difference is the lack of "bare CTV" analogue, which is > implemented here(https://github.com/instagibbs/bitcoin/tree/p2th) but left > out of the bundle due to lack of demonstrated utility. > > The BIP for `OP_TEMPLATEHASH` is > here(https://github.com/instagibbs/bips/blob/bip_op_templatehash/bip-templatehash.md) > > and a complete implementation is provided > here(https://github.com/instagibbs/bitcoin/pull/3). The bundle itself is > heavily inspired by > "LNHANCE"(https://delvingbitcoin.org/t/lnhance-bips-and-implementation/376). > > We are hopeful that an opcode/implementation-focused discussion can be held > concurrently with other efforts such as discussions as to whether > or not this capability set is a good stopping point, including whether > this bundle is worth implementing on its own at all, as well as what > level of assurances we should have as far as tooling and proof of concepts > is concerned. > > Best, > Greg > > (1) https://groups.google.com/g/bitcoindev/c/-qJc1EWQzY0 -- You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/aG9FEHF1lZlK6d0E%40console.
