6 min read
Bitcoin is a fascinating world surrounded by people constantly looking for ways to improve it. Improvements can be in the realm of disclosure (as I do myself) or in the technological realm.
Protocol changes are a very complicated topic and can lead to heated discussions. An example of this was the one that took place between 2016 and 2017 with the SegWit2x proposal (we will talk about this another day). If there is one thing we can be sure of, it is that Bitcoin is very difficult to change, and this is possibly its greatest strength.
That is why changes to Bitcoin are thoroughly reviewed and undergo months of discussion. An important step for a proposal is registration as BIP (Bitcoin Improvement Proposal). Today we are going to talk about one of these proposals, precisely what BIP 118 is about.
But first let’s understand what a sighash flag is and how a transaction basically works.
Sighash and transactions
Bitcoin transactions consist of unlocking bitcoins from one address (proving you are the owner with a digital signature) and locking them in another address.
For example you can have two addresses with bitcoins (belonging to two previous transactions in which they were sent to you). To spend those bitcoins you can make a transaction with two digital signatures for each address and send them wherever you want.
The “sighash flag” consists of an identifier that indicates which data must be signed to unlock the bitcoins (the SigHash being the information to be signed).
What is BIP 118 (ANYPREVOUT)
BIP 118 was written in 2017 and was then known as SIGHASH_NOINPUT. This proposal was initially made by the writers of the Lightning Network paper (Joseph Poon and Thaddeus Dryja) to solve a problem known as “transaction malleability” later solved by SegWit.
Lightning Network is a protocol that allows bitcoin to be transferred almost instantaneously and with almost no commission. Not for nothing is it the biggest promise for scaling bitcoin to thousands of transactions per second. And despite its slow growth, it has come a long way since its theoretical inception in 2015.
However, with its advancement, the developers realized that it was still going to be very positive SIGHASH_NOINPUT. Recently, following the development of the new Bitcoin update, Taproot, it was decided to change the name to SIGHASH_ANYPREVOUT and make it suitable for integration with Taproot addresses.
What ANYPREVOUT allows, in a nutshell, is to not sign the part of the information that refers to the previous transaction. A transaction with this type of sighash flag is not linked to past transactions and can spend any bitcoin from addresses with the same public key (or conditions for spending).
Okay, you’ve probably stayed the same, but let’s explain the implications of this.
Eltoo and Lightning Network
The biggest implication, and the reason why this proposal is so important, is because it enables a protocol called Eltoo (as if we read “L2” in English). Eltoo greatly simplifies and improves Lightning Network.
Lightning uses a construct called payment channels where two users can transfer bitcoin off-chain, i.e. without it being a transaction on the blockchain and therefore privately, instantly and without commission.
In a payment channel the balances of two users are updated with each off-chain transaction. For example Alice has 1 BTC and Bob has 0. Alice can make a transaction to Bob updating the balance so that she keeps 0.5 and Bob keeps 0.5 (i.e. this is a 0.5 transaction).
The Bitcoin blockchain acts as a judge in case of a dispute in this protocol. If Alice puts on the blockchain her balance of 1 BTC (which is incorrect because she actually has 0.5 after the transaction), Bob will be able to prove that Alice has cheated and will keep all her money as a penalty. But this makes Lightning users have to accumulate more and more information in order to settle these disputes, as well as being complex.
With Eltoo all this complexity disappears because the only thing you have to maintain is the last balance sheet. You don’t have to keep information for each case as it is the case now. Just keep the last 2 transactions (one of them with ANYPREVOUT). If someone cheats you can use the ANYPREVOUT transaction to prove he did it and spend those bitcoins the right way.
This way the information to be backed up is minimal, the protocol is simpler, Lightning can be innovated more easily and the risk of losing all your money accidentally due to the penalty that exists now is reduced.
Other uses this type of sighash flag can have are “covenants” that allow for more complex smart contracts (setting out specific ways in which bitcoins should be spent) and blind statechains using Eltoo (a scalability solution like Lightning but not entirely without reliance on third parties).
If implemented, ANYPREVOUT will only be used by this type of protocols so the rest of the users would not be affected. However, although its effect on the blockchain itself is small, it would be a change that would allow a lot of innovation in higher layers (scalability solutions such as Lightning).