CCV & MATT

Merkleize All The Things

Introduction

OP_CHECKCONTRACTVERIFY (OP_CCV) is a proposed opcode that enables a new primitive called state-carrying UTXOs. This primitive allows a UTXO to contain a commitment to data that can be introspected and computed upon in Script, with the resulting data embedded in the output UTXOs (if desired).

Together with an opcode that allows the creation of vector commitments (like OP_CAT or OP_PAIRCOMMIT; other options are possible), OP_CCV enables fraud proofs for arbitrary computations, widely extending the class of smart contracts that are possible in Script.
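A sketch of the vector-commitment idea described above, added here as an illustration and not taken from the OP_CCV BIP draft or the bitcoin-core implementation. A single 32-byte Merkle root stands in for the data a state-carrying UTXO commits to; concatenation plus SHA-256 (what OP_CAT and OP_SHA256 would provide in Script) is enough to open one element and derive the root the output must carry. The prefix bytes, function names and sample state are assumptions.

```python
import hashlib

def leaf_hash(value: bytes) -> bytes:
    # 0x00/0x01 prefixes (an assumed convention) keep leaves and inner nodes distinct
    return hashlib.sha256(b"\x00" + value).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    # Concatenate, then hash: the step OP_CAT + OP_SHA256 would perform in Script
    return hashlib.sha256(b"\x01" + left + right).digest()

def _levels(values):
    if not values or len(values) & (len(values) - 1):
        raise ValueError("state vector length must be a power of two")
    level = [leaf_hash(v) for v in values]
    yield level
    while len(level) > 1:
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        yield level

def merkle_root(values):
    return list(_levels(values))[-1][0]

def merkle_proof(values, index):
    if not 0 <= index < len(values):
        raise ValueError("index out of range")
    proof = []
    for level in list(_levels(values))[:-1]:
        proof.append(level[index ^ 1])  # sibling at this depth
        index >>= 1
    return proof

def root_from_proof(value, index, proof):
    # Reject indices that do not fit the proof depth, so the position is bound too
    if index < 0 or index >> len(proof):
        raise ValueError("index does not fit the proof depth")
    acc = leaf_hash(value)
    for sibling in proof:
        acc = node_hash(sibling, acc) if index & 1 else node_hash(acc, sibling)
        index >>= 1
    return acc

def transition(old_root, index, old_value, new_value, proof):
    # Spending check: the opened element must match the root the input commits to
    if root_from_proof(old_value, index, proof) != old_root:
        raise ValueError("opening does not match committed state")
    # The same siblings yield the root the output must commit to
    return root_from_proof(new_value, index, proof)
```

The witness for one element grows with the logarithm of the vector length, while the commitment carried from input to output stays at 32 bytes.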

Specification

The specifications of OP_CHECKCONTRACTVERIFY are available in the OP_CCV BIP draft and the bitcoin-core implementation.

These specifications are only for the OP_CCV opcode, and therefore should be paired with an opcode for vector commitments for a complete proposal for MATT as originally proposed.

Use Cases

OP_CHECKCONTRACTVERIFY is designed to enable a generic programming construct; therefore, the list of applications is very open-ended, and it plays well in conjunction with other opcodes.

The following are some known applications that have been discussed or demonstrated; the list is not exhaustive.

Note: in what follows, OP_CAT can always be replaced with any opcode that enables vector commitments.

Vaults

OP_CCV on its own enables minimal functional vaults (demonstrated as part of the bitcoin-core implementation). Such vaults would be very fitting for usage in recovery spending paths for a wallet like Liana.

OP_CCV + OP_CTV enables fully featured vaults that are essentially equivalent to OP_VAULT + OP_VAULT_RECOVER + OP_CTV.

OP_CCV + OP_AMOUNT also enables fully featured vaults, although this is less efficient when unvaulting to multiple destinations.

Recovery/inheritance

An application of vault-like spending conditions is as an alternative to timelocks for spending paths used for recovery or inheritance use cases, as in wallets like Liana.

This has been discussed, for example, here.

OP_CCV alone suffices for those use-cases.

Fraud proofs for arbitrary computation

OP_CCV + OP_CAT enables fraud proofs for arbitrary computations.

This enables optimistic smart contracts, where some state transitions enforced by the covenant are not validated in Script, but simply asserted to be true; if the party making the assertion is lying, other parties can challenge the assertion, and an arbitration protocol ultimately adjudicates the winner - under the assumption that the challenger's transactions are not being censored.

Optimistic sidechains/rollups

A widely discussed type of optimistic smart contracts is an optimistic sidechain or rollup, or a client-side-validation protocol like Shielded CSV.

General fraud proofs improve over designs based on systems like BitVM by removing the 1-of-N assumption, and vastly reducing the worst-case on-chain footprint in case of challenges.

Any-order exits in shared UTXOs

Together with an opcode like OP_AMOUNT for introspection of the output amounts, OP_CCV would allow protocols for unilateral, any-order exit from shared UTXOs.

Johan Halseth wrote to the bitcoin-dev mailing list about how MATT, together with OP_CAT, can be used to implement Payment Pools.

Other applications

  • DLCs - OP_CCV can be used for Transferable DLCs and several other applications.
  • Aggregate delegated exits for shared UTXOs - in combination with OP_CAT and OP_AMOUNT (or other opcodes for amount introspection): allows multiple parties to join forces in unilaterally exiting a shared UTXO, at a fraction of the cost they would have if they exit individually.
