
6 Reasons To Own Bitcoin In Retirement

Originally published on Unchained.com.

Unchained is the official US Collaborative Custody partner of Bitcoin Magazine and an integral sponsor of related content published through Bitcoin Magazine. For more information on services offered, custody products, and the relationship between Unchained and Bitcoin Magazine, please visit our website

For newcomers, especially those in and around retirement age, the idea of investing in or owning bitcoin can evoke reactions from skepticism to disbelief. If you look beyond the popular narratives, however, you might find there is more to the story than first impressions suggest. Here are six reasons to consider owning at least some bitcoin during retirement.

1. Bitcoin helps broaden your asset allocation base

Traditionally, investors use a strategy called asset allocation to distribute and shield funds from investment risk over time. A sound asset allocation strategy is the antidote to putting all of your eggs in one basket. There are several types of asset “classes” or categories over which to distribute risk. Customarily, advisors seek to establish a dynamic mix between debt instruments (i.e., bonds), equities (i.e., stocks), real estate, cash, and commodities.

The more categories you employ to distribute your assets and the less correlated those categories are, the better your chances of balancing your risk, at least theoretically. Recently, due to unintended consequences caused by the aggressive expansion of societal debt and the money supply, assets that were previously less correlated now tend to behave more in kind with one another. When one sector gets hammered today, several sectors often suffer together.

Regardless of these present-day conditions, asset allocation remains a well-conceived strategy for moderating risk. While still in its relative infancy, bitcoin represents an entirely new asset class. Because of this, owning at least some bitcoin, especially due to its distinct properties when compared to other “cryptocurrencies,” provides an opportunity to broaden your asset base and more effectively distribute your overall risk.

2. Bitcoin offers a hedge against inflation and currency debasement

As a retiree, protecting yourself from inflation is crucial to preserving your long-term purchasing power. In the asset allocation discussion above, we referenced the recent and aggressive money supply expansion. Everyone who has lived long enough to approach retirement age knows that a dollar no longer buys what it used to. When the government issues large amounts of new money, it debases the value of the dollars already in circulation. This generally pushes prices higher as newly created dollars begin to chase the existing limited supply of goods and services.

Our own Parker Lewis touched on this extensively in his Gradually, Then Suddenly series:

In summary, when trying to understand bitcoin as money, start with gold, the dollar, the Fed, quantitative easing and why bitcoin’s supply is fixed. Money is not simply a collective hallucination or a belief system; there is rhyme and reason. Bitcoin exists as a solution to the money problem that is global QE and if you believe the deterioration of local currencies in Turkey, Argentina or Venezuela could never happen to the U.S. dollar or to a developed economy, we are merely at a different point on the same curve.

In contrast to fiat currencies, no one can increase the supply and arbitrarily reduce bitcoin’s value. There are no centralized authorities that govern its monetary policy. Despite arguments to the contrary, bitcoin is similar to gold—but not exactly, because gold miners continue to inflate the supply of gold each year at a rate of 1-2%.

As bitcoin is slowly introduced to the circulating supply (i.e., mined), its inflation rate decreases and will eventually cease. This fact makes bitcoin uniquely scarce among global monetary assets. Ultimately, this scarcity, along with bitcoin’s other monetary properties, should safeguard its purchasing power. As such, owning bitcoin during retirement offers you a hedge against inflation.


3. Bitcoin offers an opportunity for asymmetric returns

Bitcoin’s capacity to mitigate many of the challenges we discuss here rests on its ability to achieve asymmetric returns. Its supply is fixed (there will only ever be 21,000,000 bitcoin), and demand for the asset is growing steadily. As this limited supply collides with increased store-of-value adoption from individuals, institutions, and governments, bitcoin has the potential to dwarf the returns of nearly every competing asset class.

It’s worth noting that people generally improve their returns with bitcoin when they hold it for the long term. In the modern era, retirements lasting decades or more are increasingly common. Over such time periods, even a limited allocation to bitcoin offers ample opportunity to benefit from its upside potential. You just need time to hold through the short-term volatility, which, contrary to popular belief, is not evidence of it being a poor store of value.

Sequestering a portion of funds solely for appreciation during retirement runs somewhat counter to conventional wisdom. Modern retirement planning generally optimizes for the liquidation of portfolio funds to provide income. However, setting aside a small amount of bitcoin—kept steadfastly gated from funds earmarked for income—opens the door to benefit from the monetization of bitcoin’s limited supply.

4. Bitcoin offers protection from the risk of long-term bonds

Conventionally, high-grade bonds—held directly or as fund shares—make up a significant part of most retirement portfolios due to their low risk levels and tendency toward capital preservation. However, things have changed.

Monetary expansion and increases in societal debt have forced bond yields—or the amount of interest paid (i.e., coupon)—to historically low levels. The yields on most bonds today fall well below the rate of inflation. This “negative real yield” means that owning a bond can cost you money. But the difficulty doesn’t end there.

Because retirees need funds from their portfolios to pay bills, they generally must sell assets at current market rates to derive income throughout retirement. In the case of bonds, at present, this can be very problematic. Consider the following equations.

How much money does it take for a bond paying a 2% rate to yield $20? Answer: $1,000. ($1,000 x 2% = $20)
How much money does it take for a bond paying a 4% rate to yield $20? Answer: $500. ($500 x 4% = $20)

These two equations reveal that to yield the same $20 return, the market value of the underlying bond changes based on the interest rate promised.

When interest rates go up, the market value of bonds goes down.
When interest rates go down, the market value of bonds goes up.

The market value of bonds has an inverse relationship to interest rates. Consider that interest rates today hover near historic lows. Over the next twenty to thirty years, what will happen to the market value of bonds held by retirees if interest rates increase substantially? The answer: the market value of their bonds will collapse.

This changes the entire risk paradigm for bonds in retirement portfolios and potentially makes them far less safe than typically imagined. Bitcoin exists in a separate asset class from bonds; it is a bearer instrument that is not exposed to the same money market risks. As such, owning bitcoin may help you offset at least some of the potential risk incurred from owning bonds in retirement.

5. Bitcoin offers a potential solution for long-term healthcare risk

Another area of concern for retirees is the cost of healthcare. Here, I am not referring so much to ordinary medical bills but rather to the potential to incur long-term care expenses in later age. Insurance is available for long-term care, but it has some unique and increasingly difficult challenges to overcome.

Healthcare, in general, takes a double-hit when it comes to price inflation. Not only do healthcare costs rise due to monetary debasement, but healthcare faces additional headwinds from demand spurred by growth in the aging population.

Source: Administration for Community Living – 2020 Profile of Older Americans

States regulate insurance for long-term care. To keep policyowners safe, insurers face scrutiny over where and how they invest policy premiums. To preserve capital required for future claims, insurers generally rely on low-risk, intermediate and long-term bonds. However, as our discussion above on bonds reveals, low yields and the potential for rising rates complicate this practice. One immediate fallout is that premiums for long-term care insurance policies have risen substantially.

We noted earlier bitcoin’s usefulness as an inflation hedge and its potential for long-term price appreciation. As it relates to long-term healthcare, it may make sense to set aside some bitcoin explicitly dedicated as a hedge for this rapidly increasing expense.

6. Bitcoin offers you individual sovereignty

The final reason we’ll consider for owning bitcoin in retirement is that it offers you increased individual sovereignty. Bitcoin provides you a level of ownership that is not achievable with other assets. It can easily be carried across borders with a hardware wallet or seed phrase, for example, or transferred peer-to-peer anywhere in the world at low cost.

If you hold bitcoin securely in a wallet you control, no central bank can steal the value of your bitcoin by printing it into oblivion. No CEO can dilute its value by issuing more of its “shares.” Nor can a bank arbitrarily block access to or confiscate your funds. Unlike centralized financial custodians, which can be ordered to freeze or withhold funds on the whims of government or other third-party authorities, bitcoin with keys properly held is resistant to these kinds of overreach.

Specifically for retirement purposes, you can also hold your own keys for bitcoin in an IRA. Products like the Unchained IRA are a robust tool for building and saving your wealth on a tax-advantaged basis. And holding your bitcoin keys in the form of a multisig collaborative custody vault allows you to eliminate all single points of failure while you do so.


Sound financial principles and owning bitcoin

Benefitting from bitcoin does not require committing to wild speculation or thoughtless abandonment of sound financial principles. In contrast, the more you look at bitcoin through sound financial principles and apply them to your thinking, the greater the opportunities it provides. One steadfast financial principle that coincides with bitcoin ownership is prudence.

Macro-economic investment strategist Lyn Alden often speaks of establishing a “non-zero position” in bitcoin (i.e., owning at least some). The risk of losing a few portfolio percentage points in a worst-case scenario is, in my estimation, worth the potential upside. But to be clear, each person’s situation is unique. You must do your own research and make the best decisions you can about what works in your particular scenario.


The Institutions Are Coming: The Dawn Of A New Era At This Year’s MicroStrategy World — Bitcoin For Corporations Conference

“The institutions are coming.”

Anyone who’s been in the Bitcoin space for any significant period of time has heard some prominent figure within the space utter this phrase.

In August 2020, when MicroStrategy, an American-based business software company, announced it would be purchasing bitcoin to add it to its treasury, many thought that was the beginning of the institutional stampede.

But it wasn’t.

Sure, Tesla bought some bitcoin the following year, only to dump 75% of it soon after.

And so from 2020 through 2023, MicroStrategy was an anomaly. During these years, the company — led by Bitcoin permabull Michael Saylor — remained the only major corporation on Earth to convert a notable portion of its treasury into bitcoin.

Saylor’s vision to get MicroStrategy on a bitcoin standard hasn’t wavered, though.

Instead, he has doubled down and continued to guide MicroStrategy as it has put more bitcoin on its balance sheet. He’s also hosted a conference — MicroStrategy World: Bitcoin for Corporations — every year starting the year after his company made its first bitcoin purchase as a means to show other companies how to emulate MicroStrategy.

This year’s edition of the conference — held on May 1 and 2 in Las Vegas, NV — marked the beginning of a new era, according to Saylor, an era in which the time has come for institutions to follow MicroStrategy’s lead.

The Age of Bitcoin For Institutions and Corporations Has Begun

In Saylor’s keynote presentation on the second day of the conference entitled “There Is No Second Best”, he termed 2020-2023 the “crazy years” in the Bitcoin space.

He explained that these years were part of a period of “crypto chaos,” a period from which bitcoin emerged as the dominant and most trusted crypto asset.

What follows the crazy years, Saylor said, are the years in which institutions and corporations embrace Bitcoin, and he told Bitcoin Magazine in an X Spaces on April 30, the day before the conference began, that he believes this new era began in January 2024, when 11 spot Bitcoin ETFs launched in the United States.

Let’s not just take Saylor’s word that a new day has dawned, though. Let’s consider what Hunter Horsley, CEO of Bitwise, one of the 11 financial institutions that launched a spot Bitcoin ETF in the US, had to say about institutional interest in bitcoin.

“The bitcoin ETFs have really brought bitcoin into the realm of possibility for a lot of traditional financial institutions,” Horsley said on a panel during the second day of the conference.

“A lot of traditional and reputable firms have started engaging with bitcoin in a way they never have before, but so few of them are saying anything about it. If you just scroll through your LinkedIn or you read press releases, you would think that nothing has changed versus last year, but, for now, most — or many — are preferring not to have it be public,” he added.

JUST IN: $3.5 billion Bitwise CEO says “A lot of traditional and reputable firms have started engaging with #Bitcoin in a way they never have before, but so few are saying anything about it.”

“Banks are reaching out to us” 👀

— Bitcoin Magazine (@BitcoinMagazine) May 2, 2024

Alexander Leishman, CEO and CTO of Bitcoin exchange River, also pointed out in his presentation that while buying bitcoin has traditionally been a retail investor-driven phenomenon, more and more businesses are beginning to dip their toes into the bitcoin waters, as well.

In one of his slides, Leishman pointed out that the percentages of businesses and funds/ETFs that hold bitcoin may not seem like a lot, but they’re bigger than they’ve been in previous years.

Alexander Leishman, CEO and CTO of River, explained how the percentage of businesses and funds/ETFs owning bitcoin is still small but has been increasing.

“We have businesses, funds and ETFs and governments, these large institutions, these blue and black bars. These bars have gone from virtually nothing to where they are today, but they’re continuing to grow,” Leishman said.

“Retail is not really driving the recent rally in the bitcoin price. Consumer interest in bitcoin is nowhere near its all-time highs. So, what is driving this price increase? We think that one big factor is institutions,” he added.

According to David Marcus, CEO of Lightspark, in the near future, institutions won’t just be looking to hold bitcoin on their balance sheet or offer it to their customers, but they’ll start using it for payments.

Lightspark Is Using Lightning To Link Businesses Globally

To conclude the first day of the conference, Saylor sat down for a fireside chat with Marcus, former executive at PayPal and former lead for Facebook’s abandoned cryptocurrency project Libra, to discuss how the Lightning Network will connect businesses across the world.

Lightspark made headlines the day before the conference began, as it announced Coinbase would be using Lightspark to integrate Lightning for its US users.

According to Marcus, Coinbase was just the first of many companies that would soon be harnessing the power of Lightning.

“In a world where you’ll have hundreds of millions if not billions of people that have an address for money that can be settled in real time in the currency that they’re choosing, you can imagine all kinds of new applications [for businesses],” said Marcus about companies using Lightning to not only send sats, but digitized versions of fiat currencies, as well. 

“The time is now to enable fast cheap, realtime movement of Bitcoin and other assets [on Lightning].”
- David Marcus, CEO, Lightspark (@lightspark) #BitcoinforCorporations

— MicroStrategy (@MicroStrategy) May 1, 2024

“Streaming money to endpoints is one of them. New forms of payments for merchants that would reach new audiences or new client bases that they couldn’t reach [previously]. The ability to create brand new business models to enable people to actually contribute to anything that you’re building from anywhere around the world,” he added.

“It will have an impact on the world that is going to be as important as the internet itself was in its own time for communications.”

Marcus also touched on how companies are more multinational in nature than individual Bitcoin users and will greatly benefit from moving value around the world in real time via Lightning.

It was difficult not to be bullish on Bitcoin and Lightning after listening to Marcus and Saylor converse.

It was also difficult not to be bullish on Bitcoin not just as a store of value and a medium of exchange, but as a platform for trust after Cezary Raczko, Executive Vice President of Engineering at MicroStrategy, revealed its plans for MicroStrategy Orange, a decentralized identity (DID) platform built on the Bitcoin blockchain.

MicroStrategy Orange

MicroStrategy Orange is an enterprise platform that empowers organizations to employ DID applications, built directly on the base layer of Bitcoin.

It’s the first technological innovation involving Bitcoin that MicroStrategy has been a part of.

“The platform consists of three fundamental pieces,” said Raczko. “At the heart of it, is a service cloud hosted that allows you to issue those identifiers to your users in your organization. It also allows you to deploy applications that run on MicroStrategy Orange. The Orange SDK allows you to integrate the applications into your own services. And the Orange apps are going to be prepackaged solutions that address specific digital identity challenges.”

This news came as a pleasant surprise to many at the conference, as it illustrated that MicroStrategy wants to continue to lead the way with Bitcoin adoption — outside of its store of value use case — as we enter this new era of businesses and institutions adopting Bitcoin.

Normalizing Bitcoin For Corporations

Conversations both on and off the conference stage revolved around Bitcoin maturing from a taboo entity, to something that’s becoming more normal, making it more difficult to ignore for companies and institutions.

In conversations I had with Bitcoin industry leaders like Becca Rubenfeld, COO of AnchorWatch; Sam Abbassi, founder and CEO of Hoseki; and Nathan McCauley, co-founder and CEO of Anchorage Digital, I learned that companies and institutions that once wrote Bitcoin off as being little more than a scam or fad, are now beginning to inquire about how they can adopt it.

“It’s exciting to be at a stage of adoption where access to bitcoin is being expanded to businesses and their clients,” Rubenfeld told Bitcoin Magazine. “This event is particularly oriented to that, which allows conversation to be focused on the benefits and challenges unique to that new set of Bitcoin owners.”

While it’s taken some time for corporations to come around to Bitcoin, it’s clear that we’re at the onset of an era in which they’re beginning to see the value in it.

Even if companies and institutions aren’t necessarily ready to adopt a bitcoin standard the way that MicroStrategy has, it does seem that more are willing to have some exposure to bitcoin the asset or begin using Lightning for payments or apps that utilize the Bitcoin blockchain.

For this, we have Michael Saylor and the team at MicroStrategy to thank.

Fidelity: Pension Funds Exploring Bitcoin Investments on ETF Approval

Fidelity, a major financial services firm, says pension funds are starting to explore investing in Bitcoin, particularly after the approval of spot Bitcoin exchange-traded funds earlier this year.

BREAKING: Wall Street giant Fidelity says pension funds are beginning to explore #Bitcoin and crypto

Gradually, then suddenly 🚀

— Bitcoin Magazine (@BitcoinMagazine) May 3, 2024

Fidelity has been bullish on Bitcoin for years, launching its Digital Assets branch in 2018 and bringing a successful Bitcoin ETF to market earlier this year. The firm’s ETF attracted significant capital compared to competitors.

Now, Fidelity’s VP of Digital Assets Manuel Nordeste says the company is engaging with major pension funds and other institutional investors about allocating to Bitcoin.

Speaking at a recent event, Nordeste stated: “Now, we’re starting to have conversations with the larger, real money institutional investor types, and we’re getting some of those clients, as well as corporates and so on.”

His comments come after BlackRock also mentioned yesterday having educational conversations with pension funds regarding Bitcoin ETFs. Recent 13F filings show major pension consultants have already purchased spot Bitcoin ETFs.

This mounting evidence indicates that serious due diligence is underway on allowing pension investments in Bitcoin vehicles such as ETFs.

With over $4 trillion in capital, U.S. pension funds committing even tiny portfolio allocations could drive significant inflows.


Pensions remain cautious compared to family offices and hedge funds, which have already bought bitcoin exposure; their conservative mandates and focus on risk management have kept most of them on the sidelines so far.

If pensions follow the lead of early adopters, it would represent a seismic shift in mainstream acceptance.

Bitcoin ETFs have seen tremendous demand since launching this year. While this week marked record outflows, the long-term trajectory still appears highly favorable.

Michael Saylor Delivers Bitcoin Masterclass To Fortune 1000 Companies

In a keynote address at MicroStrategy World: Bitcoin for Corporations, MicroStrategy Executive Chairman Michael Saylor delivered a masterclass on corporate finance and the power of bitcoin to supercharge corporate balance sheets. Saylor made a point of presenting bitcoin as the single solution for capital appreciation in an inflationary environment.

In his speech, Saylor described the cost of capital as the benchmark a company must surpass to increase its purchasing power, arguing that “Bitcoin is the only asset that exceeds the cost of capital. Another way to say that, is everything else is dilutive.”

Further describing the true cost of capital, he noted that the “S&P is the modern surrogate for the cost of capital… If you had to pick one metric and say, what’s the metric that gives you a sense of how rapidly the world currency supply is expanding in dollars? Probably the S&P 500… this is another way to see inflation.”

Saylor went on to emphasize his belief that all assets except bitcoin are not accretive to corporate balance sheets, despite their general acceptance. In particular, he highlighted the relative underperformance of silver, gold and US government bonds:

“[If companies] invested in T-bills, they’re going to get 3% after tax against a 12% cost of capital per year. And so you hold $100 billion of capital, you destroy $9 billion of shareholder value a year… The story here is that the bonds don’t hold value, right? They’re awful capital assets. Silver doesn’t work. Gold doesn’t keep up with the cost of capital.”

There Is No Second-Best Crypto Asset

The MicroStrategy Executive Chairman noted key differences between Bitcoin and alternative cryptocurrencies like Ethereum, expressing the importance and necessity of proof-of-work-based consensus in creating a digital commodity.

“You could see the writing on the wall when the spot ETF of Bitcoin was approved in January. By the end of May, you’ll know that Ethereum is not going to be approved. And when Ethereum is not going to be approved, sometime this summer it’ll be very clear to everyone that Ethereum is deemed a crypto asset security, not a commodity. After that, you’re going to see that [for] Ethereum, BNB, Solana, Ripple, Cardano – everything down the stack.”

On the point of Bitcoin’s energy use, Saylor invoked the idea of a “physical linkage to the real world” in Bitcoin’s consensus. He described the network as having “raw digital power standing in the way of anybody that would try to undermine the integrity of the network… The network is feeding on electricity, and that creates a decentralizing dynamic that drives all of the network to the end of the grid in the quest of stranded energy.”

It’s Going Up, Forever

Saylor’s conviction and use of physics-based metaphors were present as ever as he spoke on Bitcoin’s price appreciation and continued monetization. “It’s never declining. The chart’s not ever decreasing. It only goes one way. Bitcoin is a capital ratchet. It’s a one-way ratchet. Archimedes said, give me a lever long enough and a place to stand and I can move the world. Bitcoin is the place to stand.

“There’s no more powerful idea than the digital transformation of capital… No force on earth can stop an idea whose time has come. This is an idea. Its time has come. It’s unstoppable. And so I’m going to end with the observation that Bitcoin is the best. The best what? The best.”

Watch the full MicroStrategy World: Bitcoin for Corporations Day 2 Livestream on the Bitcoin Magazine YouTube Channel

Script State from Lamport Signatures

The last six months or so have seen several proposals for improvements to Bitcoin Script: CAT, 64-bit arithmetic, as well as some older ideas (CTV) and far-future ideas (Chialisp and Simplicity). This activity has largely overshadowed some revolutionary changes in our understanding of the existing Bitcoin Script, changes which form the basis of BitVM but which may also form the basis of other, equally-exciting improvements.

This article tries to summarize and organize research into Script by other people. I make no claim to originality or authorship of anything described here.

Bitcoin Script

As many readers are aware, Bitcoin Script is a simple programming language embedded in the Bitcoin blockchain, which is used to control under what conditions coins may move. By far the most common use of Script is to simply check a signature with a single signature verification key. Though Bitcoin addresses have changed throughout the years, every form of address has supported this use of script in a first-class way: signing keys can be encoded directly into Bitcoin addresses, and wallets know how to expand these keys into full programs that check signatures on those keys.

Script can do many more things: it can check hash preimages, check relative and absolute timelocks, and it can do some simple reasoning to combine these checks in various ways. This is the premise behind Miniscript: we can generalize the notion of expanding a key into a Script to the notion of expanding an arbitrarily-large set of signing conditions into a Script.

Script can technically do even more than this: it can add and subtract 32-bit numbers, it can hash data and check the hash values for equality, and it can rearrange and manipulate a “stack” of values in various interesting ways. However, Script has many limitations: it lacks opcodes to do simple arithmetic such as multiplication, it is (nearly) incapable of reasoning about objects larger than 32 bits, and it has (nearly) no ability to introspect transaction data. The latter limitation is why covenant support appears to require a softfork, and the former limitations are why Script, until recently, was never used to compute any “interesting” functions.

For example, to multiply two 16-bit numbers in Script, using only the addition and subtraction opcodes that Script provides, you need to break them into bits (by requiring the bits be provided as witness data, then doubling and adding them to reconstruct the original number) and then implement multiplication in terms of additions of these bits. The resulting code would involve several dozen opcodes for a single multiplication.

Prior to Taproot, Script had an artificial limit of 201 opcodes per program, and with individual multiplications taking more than a quarter of this budget, it was impossible to do much of anything. After Taproot, the 201-opcode limit was removed, but every opcode still takes up a witness byte, meaning that multi-kilobyte programs would be prohibitively expensive for ordinary wallets to put on the blockchain.

And without transaction introspection, it isn’t even clear what large computations would be good for.

After all, if you can do arbitrary computations on arbitrary values, but those values aren’t tied to transaction data on the blockchain, how can those computations add useful semantics to Bitcoin?

Lamport Signatures

Lamport signatures were invented in 1979 by Leslie Lamport — though they are insecure without modern cryptographic hash functions, which did not exist until the 1990s — and are one of the few cryptographic objects from that era which endure to this day. Their lasting popularity comes from their simplicity and the fact that their security against quantum computers depends only on sufficiently-random-looking hash functions, unlike more modern and efficient proposals for quantum-secure signature schemes.

However, Lamport signatures come with two large drawbacks: (1) they are horribly inefficient, taking multiple kilobytes of data for both keys and signatures, and (2) they are single-use. This means that if a user signs more than one message, it becomes possible for a third party to forge more messages, making all signatures effectively worthless. This can be mitigated, for example by having your “public key” be a Merkle tree of millions of single-use keys, but this stretches the bounds of practicality.

These limitations have made Lamport signatures popular as a “backup signature scheme” for Bitcoin in case of a quantum computing breakthrough, but have prevented their use as primary signatures in any widely deployed system.

The way they work is simple: assume that the message to be signed is 256 bits wide. This can be assured by first running an arbitrary-length message through the SHA256 hash function. The user’s public key consists of 256 pairs of hashes – 512 in total. To sign a message, they reveal a preimage for one hash in each pair, choosing the preimage to reveal based on a bit of the message.

A signature verifier re-hashes the message and preimages to ensure they are all consistent.

In 2021, Jeremy Rubin posted a blog post claiming that Bitcoin Script can directly verify Lamport signatures on 33-bit values. His mechanism was very clever. Bitcoin Script does not have an opcode to read individual bits from a number, nor can it do the bitwise operations needed to construct a number from bits. But Script does have an opcode to add two numbers, and by adding different numbers where each has only a single bit set, it is possible to bitwise-construct or bitwise-deconstruct a number.

Using this insight, Rubin checks a Lamport signature, encoded as a series of hash preimages, as follows:

For each preimage, compute its hash and compare it against a pair of target values (comprising the public key) embedded in the Script.
- If the hash matches the first member of the pair, this is a 0-bit; the script does nothing in this case.
- If it matches the second member, this is a 1-bit. In this case, add a particular power of 2 to an accumulator.
- (If it matches neither member, the signature is invalid and the script should abort.)

The final value of the accumulator will then equal the signed number, constructed by adding powers of two corresponding to each 1 bit in its binary expansion.

Already this is interesting: it means that for certain kinds of “oracle signature” applications, you can directly check signatures in Bitcoin Script, assuming you have an oracle that is willing to produce one-time Lamport signatures on specific events and that you know a Lamport public key in advance for each event. For example, a specific sports match outcome can be encoded as a single bit. The particular score can be encoded using a few bits. A particular timestamp can (probably) be encoded in 33 bits. And so on. And of course, by checking multiple Lamport signatures, you can effectively get signatures on as many bits as you want.

Without the ability to sign large messages, you can’t get a signature on transaction data and therefore can’t get covenants. (Or can we?)

BitVM and Equivocation

This blog post by Jeremy Rubin was largely considered to be a curiosity at the time and was lost among larger discussions around his OP_CTV proposal and covenants. In December of 2023, it was indirectly cited in the OP_CAT BIP by Ethan Heilman and Armin Sabouri, which gave it a fresh audience among people who were thinking differently about Bitcoin Script.

People were thinking differently because in October 2023, just two months prior, Robin Linus had announced on the mailing list his project BitVM—an ambitious project to do arbitrary computations in Bitcoin Script by splitting programs across multiple transactions. The individual transactions each do a single simple operation, with outputs from one operation hooked to inputs of another via a hash-preimage-revealing construction that looks suspiciously similar to a Lamport signature.

The trick here is that if a user Lamport-signs multiple messages with the same key, the result will be two hashes in the same hash-pair whose preimages are both known. This is easy to check for in Script, which can be used to construct a “slashing transaction” that will take coins from a user if they do this. Such a slashing transaction would then become valid exactly in the case that a user publicly signed two messages with the same key. Slashing transactions are used within multi-transaction protocols to punish users who misbehave, typically by forfeiting a bond that they must post ahead of time.

So these Lamport signatures, rather than merely losing security when they are used more than once, can be configured to actively punish a user who signs multiple times. This has obvious applications for an oracle signature where a signer is supposed to attest to exactly one outcome of a real-life event; we want to disincentivize such a signer from claiming that e.g. both teams won a particular sports match. But this is an even more powerful idea than it seems.

In the cryptographic literature, when a party reveals two values for something that is supposed to be unique, this is called equivocation. We can think of a slashing transaction as an anti-equivocation measure, because it punishes any signer who produces signatures on two different messages with the same key.

Then our Lamport signature with anti-equivocation construction has the effect of mapping public keys to specific and immutable values. In other words, we have a global key-value store accessible from Script, with the curious property that each entry in the global store can be set by a specific person (the person who knows the preimages for that key), but can only be set once for all time. This key-value store is also accessible from any Bitcoin transaction (or a transaction on any blockchain, really) regardless of its connection to other transactions.
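The Lamport scheme described above, Rubin's accumulator-style verification, and the equivocation test that a slashing transaction relies on, as one added Python example (not code from the original post; the 33-bit width and SHA256 follow the text, the function names are mine):

```python
import hashlib
import os
from typing import List, Optional, Tuple

N_BITS = 33  # width of the values Rubin's Script construction can check

Pair = Tuple[bytes, bytes]


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen(n_bits: int = N_BITS) -> Tuple[List[Pair], List[Pair]]:
    """Secret key: n_bits pairs of random preimages. Public key: their hashes.
    The key is single-use: revealing both preimages of any pair is equivocation."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(n_bits)]
    pk = [(sha256(p0), sha256(p1)) for p0, p1 in sk]
    return sk, pk


def sign(sk: List[Pair], value: int) -> List[bytes]:
    """Reveal one preimage per bit: bit i of value selects member 0 or 1 of pair i."""
    if not 0 <= value < 1 << len(sk):
        raise ValueError("value does not fit in the key width")
    return [sk[i][(value >> i) & 1] for i in range(len(sk))]


def verify_accumulate(pk: List[Pair], sig: List[bytes]) -> Optional[int]:
    """Rubin's check, as Script would do it: hash each preimage and compare it
    with its pair. A first-member match is a 0-bit and contributes nothing;
    a second-member match is a 1-bit and adds 2**i to an accumulator.
    Returns the reconstructed number, or None if a preimage matches neither."""
    acc = 0
    for i, (h0, h1) in enumerate(pk):
        h = sha256(sig[i])
        if h == h0:
            continue
        if h == h1:
            acc += 1 << i
        else:
            return None  # Script would abort here
    return acc


def equivocation_index(pk: List[Pair], sig_a: List[bytes], sig_b: List[bytes]) -> Optional[int]:
    """Slashing condition: two signatures under the same key that together reveal
    both preimages of some pair. Returns that pair's index, or None if no pair does."""
    for i, (h0, h1) in enumerate(pk):
        if {sha256(sig_a[i]), sha256(sig_b[i])} == {h0, h1}:
            return i
    return None


if __name__ == "__main__":
    sk, pk = keygen()
    sig = sign(sk, 5_000_000_000)             # needs all 33 bits
    print(verify_accumulate(pk, sig))         # 5000000000
    sig2 = sign(sk, 5_000_000_001)            # second use of the same key
    print(equivocation_index(pk, sig, sig2))  # 0: both preimages of pair 0 revealed
```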

This key-value store has on the order of 2^256 entries, most of which are not accessible since nobody knows the preimages to their keys, so while it is a “global key-value store” shared by every possible program using this Lamport signature construction, it cannot fill up and there is no risk that data from one program might accidentally clobber data from another, or that a value which should be set by one user might be set by another. Nor is the key-value store actually stored anywhere in its entirety.

BitVM and its variants use this fact to tie the output of one operation to the input of the next: a given program can be split into a long series of basic operations, for example opcodes in the RISC-V instruction set, and each of these basic operations can be implemented by a self-contained Script program which looks up the operation’s inputs and outputs in the key-value store, checks that they are related correctly, and somehow punishes the user if not.

The complete BitVM system is much more complicated than this: for each program, it carves out an addressable memory space from the key-value store; each operation needs to look up its inputs and outputs from this memory space; each operation needs to track a program counter and other state beyond its inputs and outputs; and the whole thing is tied together with interactive protocols and trees of unconfirmed transactions to ensure that slashing penalties are correctly enforced and that even a single incorrect step in a multi-billion-step program can be zeroed-in-on and punished. But this article is not about BitVM and we will not explore this.

Interlude: Small Script and Big Script

We take a moment to remind the reader that Script can only do non-trivial computations on values that are 32 bits wide or smaller. Such values are “scriptnums” and Script has many opcodes to manipulate them by interpreting them as signed integers or boolean values, sometimes as both.

Using BitVM or a similar mechanism to split Script programs across multiple transactions, you can do arbitrary computations in Small Script, from ZKP verification to proof-of-work checking to number factoring.

Values that are larger than 32 bits can only be manipulated by a small set of narrow-purpose opcodes: they can be hashed, interpreted as public keys or signatures to check a transaction signature, their size in bytes can be computed, and they can be moved around the stack as opaque blobs. The only “real” general-purpose computation that can be done on them is a check for equality, which by itself provides very little value.

We describe the world of 32-bit values as “Small Script”, which is computationally expressive but cannot access transaction data in any way. The world of larger values we call “Big Script”, which can access transaction data through the CHECKSIG opcode. It is also possible to check hash preimages in Big Script, and this is essential to implementing Lamport signatures, but that’s pretty much the only thing you can do in Big Script.

It is impossible to usefully bridge the two worlds: you can hash a Small value to get a Big value, but you cannot then learn anything about the Big value that you didn’t already know. And you can use the SIZE opcode to learn the size of a Big value, but if this value represents a hash, public key or signature, then its size is fixed so you learn nothing new. (Although prior to Taproot, signatures had a variable size, and it is possible that you can extract transaction information from a suitably constrained CHECKSIG-passing transaction.)

All this to remind the reader that, while this new Script functionality is exciting, it provides a lot of computation expressivity without the ability to inspect transaction data, and therefore cannot be used for vaults or other covenant applications.

The CAT opcode provides a mechanism to bridge the two Scripts, which is why CAT is sufficient to provide covenants. This is also why there are so many ways in which Script “almost” supports covenants, or in which non-covenant-related proposals like CAT turn out to enable covenants: pretty much any opcode that takes Small values and outputs Big ones, or vice-versa, can be used to feed Big Script transaction data into a Small Script general program. Even a sufficiently bad break of the SHA1 opcode could probably be used as a bridge, because then you could do “computations” on Big values by interpreting them as SHA1 hashes and finding Small preimages for them.

Interlude: Wormholes

Actually, there is a way that you can get covenants in Small Script, assuming you have enough computational power. By going “outside” of Script, users can validate the Bitcoin blockchain itself, as well as the transaction that contains the Script (it needs to avoid directly encoding its own data to avoid being infinitely-sized, but this can be done by indirect means; see the next section for more details), and then impose additional constraints on the transaction by imposing those constraints on this internally-validated “view” of itself.

This idea could allow the creation of some limited covenant functionality, but it is important to remember that correct access to the key-value store, which is necessary in order to split large computations, is not directly enforced. Instead, some additional mechanism needs to be imposed to enforce slashing penalties on incorrect access. This greatly complicates the implementation of vault-like covenants whose functionality depends on certain spending patterns actually being impossible, not just disincentivized.

Tic-Tac-Toe

Thus far we have talked about the anti-equivocation feature of Lamport signatures, and how this can be used to effect a “global key-value store” in Bitcoin Script, which in turn can be used to pass data between Script programs and to split large computations into many independent parts. But there is another interesting and perhaps surprising aspect of Lamport signatures, which is that they allow committing to a unique value in a script without that value affecting the TXID of its transaction.

This has two consequences: one is that we can commit data in a transaction without affecting its TXID, meaning that we can potentially change parameters within a Script program without invalidating chains of unconfirmed transactions. The other is that we can commit data without affecting the signature hash, meaning that users can “pre-sign” a transaction without first knowing all of its data.

(By the way, these properties apply to any signature scheme, provided there is a check to punish the signing of multiple values. What is interesting about Lamport signatures is that we can use them in Bitcoin today.)

The ability to put data into a Script program without affecting the TXID of the contained transaction opens the door to constructions in which a program is able to refer to its own code (for example, by injecting the TXID itself into the program, which is a hash of all transaction data including the program). This is called Quining, and can be used to enable delegation and to create recursive covenants. This ability is the motivation behind the disconnect combinator in Simplicity. However, since we can only validate Lamport signatures in Small Script, which excludes objects as large as txids, it appears that there is currently nothing we can do in that direction. However, nothing is stopping us from emulating non-recursive covenants with similar tricks.

Let’s describe an example due to supertestnet on Github.

Consider the game tic-tac-toe, played between two people who take turns marking a three-by-three grid. The rules are simple: no player may mark an already-marked square, and if either player marks three squares in a row (horizontally, vertically, or diagonally) then they win. Imagine that these players want to play this game on-chain, representing each turn by a transaction.

Of course, in parallel to these transactions, they would have a single “happy path” transaction where both parties would just sign coins over to the winner so that if they agreed on the events of the game, they wouldn’t actually need to publish the individual turns! But it’s important to also construct the full game transcript so that in the case of disputes, the blockchain can mediate.

One approach they might take is to model the game as a series of pre-signed transactions, which each require a signature from both players. The first player has nine possible moves. So the second player would sign all nine, and the first player would sign whichever one they wanted to take. Then for each of the nine possible moves, the second player has eight moves; so the first player signs all eight, and the second player picks one to sign, and so on.

It turns out that this doesn’t quite work – because either player might refuse to sign a particular move, there is no way to assign blame in the case that the game stalls out, and therefore no incentive for the losing player to complete the game. To prevent this situation, each player must sign all of his counterparty’s moves before the game starts. Then a player can only refuse to sign his own moves, and this can be easily disincentivized by adding timelocked forfeit conditions to the transactions.

As an alternative to having each player sign the other player’s moves, a trusted third party could be enlisted to pre-sign each move. But the result is the same: every possible series of transactions must be signed. For the tic-tac-toe game, there are 255168 paths for a total of 549945 pre-signed transactions. This is pushing the bounds of practicality, and it’s clear that such a strategy will not generalize to nontrivial games. For chess, for example, these values are bounded below by the Shannon number, which is 10^120.

The reason that we have such a large blow-up is that we are distinguishing between moves by distinct transactions which each must be set up before the game has started.

However, using Lamport signatures, we can do much better:

- Each game of tic-tac-toe has (at most) nine moves,
- Each of which is a transition between two board states, that are small enough to be Lamport-signed,
- And each transition must obey rules which are simple enough to reasonably encode within Script.

We can therefore approach the game differently: each player generates a Lamport public key with which to sign the game state after each of their moves (so the first player generates 5 keys, the second player 4). They then generate a series of 9 transactions whose output taptrees have three branches:

- An “ordinary move” branch, consisting of
  - An ordinary signature from both players;
  - A Lamport signature on the previous game state from the appropriate player,
  - A Lamport signature on the next game state from the other player,
  - And a check, implemented in Script, that the two game states are correctly related (they differ by exactly one legal move by the correct player).
- A “win condition”, consisting of
  - An ordinary signature from both players;
  - A Lamport signature on the previous game state from the appropriate player,
  - A check, implemented in Script, that this player has won the game.
- A “timeout” condition, consisting of
  - An ordinary signature from both players;
  - A relative timelock that has expired.

The final transaction, in place of an “ordinary move” branch, has a “draw” branch, since if all moves have completed without a win, there is no winner and presumably any coins at stake should go back to their original owners.

As before, each player pre-signs all transactions, of which there are 27, including “win condition” transactions (which send all the coins to the winning player), “timeout condition” transactions (which send all the coins to the player who didn’t time out) and “draw condition”.
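The checks that the “ordinary move”, “win condition” and “draw” branches need to perform on the two Lamport-signed game states, as an added Python example (not from the original post or from supertestnet’s implementation). It assumes a constructed board encoding: nine cells of two bits each, so a whole state fits in 18 bits and is a single Small Script value.

```python
from typing import List

# Constructed encoding (an assumption of this example): cell i of the 3x3 grid
# occupies bits 2i..2i+1 of the state; 0 = empty, 1 = player 1 (X), 2 = player 2 (O).
# Player 1 always moves first. A board is at most 18 bits, so it is one scriptnum
# that can be Lamport-signed and compared in Small Script.
LINES = [(0, 1, 2), (3, 4, 5), (6, 7, 8),   # rows
         (0, 3, 6), (1, 4, 7), (2, 5, 8),   # columns
         (0, 4, 8), (2, 4, 6)]              # diagonals


def cells(state: int) -> List[int]:
    return [(state >> (2 * i)) & 3 for i in range(9)]


def encode(board: List[int]) -> int:
    state = 0
    for i, c in enumerate(board):
        state |= c << (2 * i)
    return state


def is_valid_board(state: int) -> bool:
    """No stray high bits, no cell value 3, and mark counts consistent with
    alternating turns starting with player 1."""
    if state >> 18:
        return False
    cs = cells(state)
    if 3 in cs:
        return False
    x, o = cs.count(1), cs.count(2)
    return x == o or x == o + 1


def has_won(state: int, player: int) -> bool:
    """'Win condition' branch: three of the player's marks in a line."""
    cs = cells(state)
    return any(all(cs[i] == player for i in line) for line in LINES)


def whose_turn(state: int) -> int:
    cs = cells(state)
    return 1 if cs.count(1) == cs.count(2) else 2


def is_legal_transition(prev: int, nxt: int, player: int) -> bool:
    """'Ordinary move' branch: the two signed states differ by exactly one legal
    move by the player whose turn it is, and the game was not already decided."""
    if not (is_valid_board(prev) and is_valid_board(nxt)):
        return False
    if player != whose_turn(prev) or has_won(prev, 1) or has_won(prev, 2):
        return False
    cp, cn = cells(prev), cells(nxt)
    changed = [i for i in range(9) if cp[i] != cn[i]]
    return len(changed) == 1 and cp[changed[0]] == 0 and cn[changed[0]] == player


def is_draw(state: int) -> bool:
    """'Draw' branch of the final transaction: board full with no winner."""
    return 0 not in cells(state) and not has_won(state, 1) and not has_won(state, 2)
```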

[insert picture of transaction tree, which is 9 transactions in a row, with each one branching to “timeout” and “win”, and the final one also ending in “draw”]

And by the way, while the rules of Chess are a fair bit more complicated, and the board state may require multiple 32-bit values to represent, and there may be more than 9 moves, it is still feasible to carry out exactly the same construction.

Transaction Trees

In the previous example, we took great advantage of the fact that the rules of tic-tac-toe can be embedded in Script itself, meaning that a user cannot usefully sign an invalid game state. (If they sign an invalid move, the transaction representing the move will be invalid, and the transactions representing all future moves will also be invalid because they depend on it. So all the attacker will have accomplished is leaking part of his Lamport signing key, allowing the other player to potentially forge moves on his behalf.)

We also took advantage of the fact that our complete protocol was not very long: at most 9 moves. This means that if one player refuses to complete the game, or completes the game but will not acknowledge the result, it is reasonable to publish the entire game transcript on-chain as a recourse. For many games this is sufficient.

It is out of scope of this blog post, but there are many tricks we can play with this model: checking single-party computations as a “game” between a prover and verifier, outsourcing one or both roles, combining multiple steps into single transactions with large taptrees, replacing the linear transcript with a binary search for invalid steps, and so on. These tricks form the basis for BitVM, BitVM 2, BitVMX, and so forth.

Using such tricks, we can reduce the cost of existing protocols that depend on trees of unsigned transactions. A classic 2017 Bitcoin paper by Bentov and Miller argues that stateful protocols in the UTXO model always suffer an exponential blowup relative to analogous protocols in the account model, e.g. on Ethereum. Using Lamport signatures as a global key-value store, we can partially refute this paper. But we are out of space and will need to explore this in our next post!

Acknowledgments

I would like to thank Robin Linus and Ethan Heilman for reviewing an early draft of this post.

This is a guest post by Andrew Poelstra. Opinions expressed are entirely their own and do not necessarily reflect those of BTC Inc or Bitcoin Magazine.