pull down to refresh

Bitcoin PIPEs v2: Covenants and ZKPs via Witness Encryption - allocinitwww.allocinit.xyz/uploads/pipesv2.pdf
370 sats \ 204 boost \ 0 comments \ @Scoresby 7h bitcoin

The cryptographers are cooking, people! Here comes PIPEs v2 with new iterations on how to do covenants in Bitcoin transactions without a soft fork.

This work introduces Bitcoin PIPEs v2, an upgrade to the original Bitcoin PIPEs approach focusing
on emulating missing covenant functionality practically without requiring a soft fork. At its core,
a PIPE v2 uses a witness encryption (WE) scheme to lock a Bitcoin private key under an NP
statement. The key (and thus the ability to spend the associated coins) can be recovered only by
a participant who provides a valid witness (e.g., a SNARK proof) satisfying that statement. Once
unlocked, the mechanism outputs a standard Schnorr signature indistinguishable from any other
Bitcoin signature. From Bitcoin’s perspective, transactions appear entirely ordinary; yet they are
cryptographically guaranteed to enforce arbitrary off-chain logic.

PIPEs v1 was introduced back in 2024 (#713922) in a delving post. PIPEs v2 seems to have improved on the concept:

We formalize how PIPEs v2 enable arbitrary spending conditions on Bitcoin by enforcing predicates
on signatures through cryptography, without requiring any consensus changes. We introduce a new
primitive, the Witness Signature (WS), which captures conditional signing under hard relations.
We show that a PIPE instantiated with a WE scheme and a standard digital signature scheme enables
programmable covenants and SNARK-verifiable conditions on Bitcoin—entirely without soft forks,
trusted parties, or interactive fraud-proof mechanisms such as those used in BitVM constructions.

"From a builder’s perspective, a PIPE acts as a programmable covenant layer on top of Bitcoin: it lets"From a builder’s perspective, a PIPE acts as a programmable covenant layer on top of Bitcoin: it lets

developers define arbitrary off-chain logic that is enforced cryptographically on-chain."

I mostly skimmed the paper, but I'm hoping to spend more time on it later. They do a nice job of summarizing the various covenant soft fork proposals as well as the BitVM approaches to covenants. The original PIPEs proposal had this to say about the security trade-offs (I didn't see a similar evaluation in the PIPEs v2 paper, but perhaps I missed it).

Given the need to eliminate trust assumptions as much as possible, Bitcoin PIPEs become effectively trustless after completion of a one-time trusted setup (DKG), which brings trust assumptions to 1-out-of-n for each new covenant creation. In other words, so long as one participant behaves honestly the system is secure. To clarify, Bitcoin PIPEs do not rely on moving assets off-chain (i.e. no required use of bridging or sidechains), custodians (or custodian chains), or multi-signatures.

(I wonder if the filter bois will consider this arbitrary data...)

write
preview
related posts