OP_CHECKSIGFROMSTACK
OP_CHECKSIGFROMSTACK (OP_CSFS) is an opcode on ElementsProject.org-based sidechains that is sometimes proposed for implementation on Bitcoin. The opcode allows checking whether a signature signs an arbitrary message. The opcode takes three parameters: a signature, a message, and a public key.
Bitcoin’s existing signature-checking opcodes, such as OP_CHECKSIG
,
don’t allow specifying an arbitrary message. The message they use is
derived from the transaction executing the signature-checking opcode.
This allows them to verify that the signature matches a certain public
key and that the private key used to generate both of those objects
was used to authorize the spend. That mechanism is powerful enough to
secure Bitcoin UTXOs, but it precludes using digital signatures to
authenticate other types of data in the Bitcoin system. The ability
to use OP_CSFS
to verify an arbitrary message can enable several new
features for Bitcoin users:
-
Paying for signatures: if Alice controls a private key that can sign a transaction paying Bob, Bob can use OP_CSFS to trustlessly offer to pay Alice for the signature he needs.
More recently, protocols involving paying for signatures typically assume the use of adaptor signatures that are more private and which use less block space.
-
Delegation: Alice might want to delegate the authority to spend her coins to Bob without explicitly creating an onchain transaction transferring the coins to a 1-of-2 multisig between her and Bob. If Alice designs her scripts with this sort of delegation in mind, she can put Bob’s pubkey in a message and use OP_CSFS to prove that she’s delegated spending authority to that key.
An alternative approach that’s more private, more flexible, and more block-space efficient is graftroot, although this requires a soft fork that has so far only been lightly discussed.
-
Oracles: an oracle may agree to sign a message indicating the outcome of an event, e.g. the name of the national team that wins a sporting event. Two or more users can then deposit money into a script using OP_CSFS that will pay a different person depending on which team the oracle indicates was the winner.
More recent focus on oracle-moderated contracts involves using Discreet Log Contracts (DLCs), which can be more private and more block-space efficient.
-
Double-spent protection bonds: a service may promise to never try to double spend its UTXOs in order to encourage its payees to accept its unconfirmed transactions as reliable payments. To demonstrate its good faith, the service can use OP_CSFS to offer payment of a bond to any user that can prove the same key was used to create two different signatures for transactions spending the same UTXO.
This use of
OP_CSFS
can be compared to single-show signatures that allow anyone who sees two signatures from the same key to derive the private key used to create them, allowing them to spend any other funds secured by that key. -
Transaction introspection: If the same pubkey and signature pair are valid both with
OP_CSFS
andOP_CHECKSIG
, then the contents of the arbitrary message passed toOP_CSFS
is identical to the serialized spending transaction (and other data) implicitly used withOP_CHECKSIG
. This makes it possible to put a validated copy of the spending transaction on the script evaluation stack where other opcodes can run tests on it in order to enforce restrictions on the spending transaction.For example, if
OP_CSFS
had been available in 2015 and 2016, it would’ve been possible to implement the features of BIP65OP_CHECKLOCKTIMEVERIFY
(CLTV) and BIP112OP_CHECKSEQUENCEVERIFY
(CSV) using without any consensus changes just by writing a verification script.Looking forward,
OP_CSFS
could also allow scripts to implement the features of the proposed SIGHASH_NOINPUT andSIGHASH_ANYPREVOUT
signature hashes, as well as other opcode proposals such as OP_CHECKTEMPLATEVERIFY. Additionally,OP_CSFS
would allow the creation of covenants that restrict the way in which a set of bitcoins may be spent—for example, a vault may restrict its spending transaction to a small set of acceptable scriptPubKeys to limit the risk of theft.The strength of
OP_CSFS
is that it provides full introspection of the signing transaction in a completely generic way. Its weakness is that it requires essentially adding a complete copy of the signing transaction to the stack, which may significantly increase the size of transactions that want to useOP_CSFS
for introspection. By comparison, single-purpose introspection opcodes such as CLTV and CSV use minimal overhead, but adding each new special introspection opcode requires a consensus change and it may not be possible to disable their use (even if they become unpopular) without risking someone losing money.
Relationship to OP_CAT
Proposals to add OP_CSFS
to Bitcoin are often combined with
proposals to restore the OP_CAT
opcode removed as part
of the response to the value overflow incident. This opcode
catenates two elements, appending one to the other. This makes it
possible to construct a message (such as a serialized transaction) by
appending together individual parts of the message (e.g. the fields of
a transaction). Initializing the stack with the message already split
into parts simplifies the writing of scripts that perform tests on
those parts. Beyond the basic risks of adding any new consensus
code to Bitcoin, there are no published downsides of adding OP_CAT
.
Primary code and documentation
Optech newsletter and website mentions
2021
2019
- Discussion of potential script changes, including
OP_CSFS
- Criticism of
OP_COSHV
andSIGHASH_ANYPREVOUT
;OP_CSFS
as alternative
2018
See also
Previous Topic:
MuSig
Next Topic:
OP_CHECKTEMPLATEVERIFY