This year has seen a huge spike in demand for the limited space available within Bitcoin blocks, resulting in soaring on-chain transaction fees. Most of the demand is for transactions that reveal inscriptions. The contents of these inscriptions are revealed as part of the witness[1] of a Bitcoin transaction. This witness data is discounted to a quarter of the cost of other transaction data. Why do we give these inscriptions a discount? Should we get rid of the witness discount?
Why are some bytes cheaper than others?
Money in general and Bitcoin in particular operate against the backdrop of human incentives. Bitcoin aligns the incentives of miners and transactors by using Bitcoin's native currency to pay miners for including certain transactions in the blocks they create. The same cannot be said about aligning the incentives of node operators with miners and transactors, nor aligning incentives between senders and recipients.
There have been 3 major improvements to Bitcoin's incentive alignment so far:
1. Limit block size
2. Shifting the cost of complex scripts from sender to receiver (P2SH)
3. Aligning data costs between node operators and transactors (SegWit)
Limit block size
Transactors want to make a lot of transactions and miners want to collect a lot of transaction fees, but node operators must relay, verify and store all transaction data, and are not compensated like miners for doing so. Early in Bitcoin's history, Satoshi worked to address this problem by adding a fixed limit to the block size (enforced by the nodes). The limit was 1 million bytes per block, setting an upper limit on the amount of data nodes would need to download and verify. At the time, Satoshi wrote: “[w]e can make the change gradually later if we get closer to needing it.” He later noted, referring to a patch to increase the limit, “[d]o not use this patch, it will make you incompatible with the network,” which means that increasing the maximum block size is a hard fork and requires more coordination than even a soft fork. In the years since, Bitcoin has deliberately avoided incompatible hard fork changes, which also means maintaining a maximum block size of 1 million bytes.
Transfer complex script costs from sender to recipient
Since Bitcoin is secured by locking scripts, it has always been possible to lock it using advanced scripts, including multisig. Under the original design, the sender of a Bitcoin transaction would place the recipient's full lock script in their transaction, and pay any fees to include that lock script in the block. The developers realized that as fees increased, senders might be reluctant to pay users of larger lock scripts due to the higher cost of paying those users. These complex lock scripts also posed a problem for encoding in addresses and for sharing via low-bandwidth mechanisms such as QR codes.
To solve this problem, P2SH was added to Bitcoin as a soft fork. Under the rules of this fork, instead of putting the recipient's entire lock script in the transaction output, the sender simply includes a hash of it. When the recipient eventually spends this output, they include the full script in the spending transaction, where it is checked against the hash the coin is locked to before being validated. With this change, a redeem script of any size can be represented by a fixed-length lock script, and senders no longer need (or are able) to differentiate between recipients based on their spending conditions.
Aligning data costs between node operators and transactors
The primary verification that nodes perform on Bitcoin transactions is that the Bitcoin you are trying to spend actually exists. To do this, each node maintains an index of each spendable unit of Bitcoin (Unspent Transaction Output, UTXO). The larger this index, the more expensive it is to run the node and verify future transactions[2]. As a result, a transaction that increases the size of this index (one that has more outputs than inputs) costs more over time than a transaction with the same number of bytes that reduces the size of the index.
The bulk of most Bitcoin unlocking scripts are cryptographic signatures. These signatures are about twice the size of their corresponding public keys, making unlock scripts (even without P2SH) larger than lock scripts.
The high cost of consuming versus generating UTXOs creates an incentive conflict between node operators and transactors. Transactors are discouraged from spending their small UTXOs (especially at times of high fees), and instead prefer to spend large UTXOs and create more small UTXOs. At the same time, node operators pay the cost of this accumulation of small UTXOs in higher verification costs for all transactions.
Strange as it may seem, verifying that the lock script of every UTXO spent by a transaction in the historical blockchain is satisfied by the corresponding unlock script is much less important. In this regard, a Bitcoin node running Bitcoin Core 26.x with its defaults will not validate the execution of the lock scripts of transactions before block 804000 (August 19, 2023).
All of the above means that different parts of the blockchain impose different costs on Bitcoin nodes. The data required to determine the effects of each transaction must be validated by every node syncing from the genesis block[3]. Transaction outputs tend to be more expensive than transaction inputs in the long run (especially if they are long-lived), and witness data is not examined much except for the most recent transactions.
Enter segregated witness
The segregated witness fork (SegWit) is the most ambitious change made to Bitcoin to date. The biggest motivation for the change was to fix the long-standing TXID[4] malleability[5] issue in Bitcoin. To fix this malleability, the unlock script was replaced with a newly created “witness”. By removing authorization data (which can often be changed by third parties without changing the transaction's effects) from the TXID, protocols (such as Lightning) that rely on stable TXIDs become possible.
Because the authorization data is moved out of the original transaction structure, it no longer counts against the 1 million byte block limit, so a new limit was required. Several approaches to limiting segregated witness data were discussed at the time: a separate witness byte limit[6], a total limit < 1 million bytes[7], or a weighted combined limit. Ultimately, a weighted combined limit was chosen, with witness data weighted at 1 unit per byte, other transaction data weighted at 4 units per byte, and a block weight limit of 4 million. Each weight unit is treated as 1/4 of a virtual byte (vByte) for the purpose of fee calculations.
Why these weights? Let's look at the input and output costs of a transaction with and without segregated witness:
The first thing to notice from this table is how the witness script types (P2WPKH, P2WSH) have roughly the same number of input and output bytes that are charged a full vByte each. The witness script spender is then charged 1/4 vByte per byte for the data that authorizes the spend, much of which goes unverified for all but the most recent transactions, and none of which has an ongoing cost in the UTXO index. The other thing worth noting here is how the cost of using more secure 2-of-3 multisig compared to a single signature is reduced from 147 vBytes to 36.25 vBytes.
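As an added example (not from the original article), the Python sketch below applies the 4-to-1 weighting described above to a single SegWit input and checks the 36.25 vByte multisig premium under the footnote's assumptions: 33-byte compressed public keys and 71-byte signatures, taken here to include the sighash byte. The function names, and the comparison that charges the same witness bytes at full weight, are assumptions of this example.

```python
from fractions import Fraction

SIG = 71     # signature size from the article's footnote (assumed to include the sighash byte)
PUBKEY = 33  # compressed public key

def compact_size(n):
    """Bytes taken by Bitcoin's CompactSize encoding of the integer n."""
    return 1 if n < 0xfd else 3 if n <= 0xffff else 5 if n <= 0xffffffff else 9

def push(n):
    """Bytes taken by pushing an n-byte item inside a script (opcode plus data)."""
    if n <= 75:
        return 1 + n
    return (2 if n <= 0xff else 3) + n  # OP_PUSHDATA1 / OP_PUSHDATA2

def multisig_script(m, n):
    """Size of 'OP_m <pubkey> * n OP_n OP_CHECKMULTISIG' (m only selects the opcode)."""
    return 1 + n * push(PUBKEY) + 1 + 1

def input_cost(script_sig, witness_items, witness_weight=1):
    """Return (weight units, vBytes) for one transaction input.

    script_sig is the scriptSig size in bytes; witness_items lists the size of each
    witness stack item. witness_weight=1 is the SegWit rule, 4 removes the discount.
    """
    base = 36 + compact_size(script_sig) + script_sig + 4  # outpoint, scriptSig, sequence
    witness = 0
    if witness_items:
        witness = compact_size(len(witness_items)) + sum(
            compact_size(size) + size for size in witness_items)
    weight = 4 * base + witness_weight * witness
    return weight, Fraction(weight, 4)

def multisig_premium(witness_weight=1):
    """Extra vBytes a P2WSH 2-of-3 input costs over a single-signature P2WPKH input."""
    single = input_cost(0, [SIG, PUBKEY], witness_weight)
    # CHECKMULTISIG consumes one extra (empty) stack item before the two signatures.
    multi = input_cost(0, [0, SIG, SIG, multisig_script(2, 3)], witness_weight)
    return multi[1] - single[1]

if __name__ == "__main__":
    print("P2WPKH input:", input_cost(0, [SIG, PUBKEY]))
    print("2-of-3 premium with discount:", float(multisig_premium()), "vB")
    print("2-of-3 premium without discount:", float(multisig_premium(4)), "vB")
```

The per-transaction SegWit marker and flag bytes are not attributed to any input here, so summing these input costs gives slightly less than a whole transaction's weight.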
Taproot and inscriptions change everything (or nothing)
As I said at the beginning, Bitcoin is based on human incentives, and here we can see how changes have been made to Bitcoin over the years to better align incentives between parties using the network.
Taproot itself is “just” an alternative way to lock Bitcoin using segregated witness. It does not change these incentives significantly. One of the changes that came with Taproot was removing some restrictions on script size. This was done to reduce the complexity of designing analysis tools for Bitcoin scripts, and in recognition of the relative cost of different types of data. Removing these limits made inscribing easier than it was before Taproot, but it did not fundamentally change the incentive structure of the network.
Now to the crux of the matter. Inscriptions are revealed in the witness, so only 1/4 vByte is charged for each byte of inscription data. Is this an abuse of the witness discount? The truth is that inscription data is some of the cheapest data that nodes on the network can verify. The script structure used by inscriptions explicitly skips execution of the inscription data, so the only verification performed on it is a single hash check (to ensure that the revealed inscription is what the inscriber planned to reveal). This data is hashed once and then is not looked at again by the nodes. It has a very low computational cost (an order of magnitude lower than an equivalent multi-signature script).
But inscriptions raise fees and drive away other users.
Yes! With the current software available to interact with the Bitcoin network, inscribers have a greater economic incentive to make their inscriptions than many people have to make other transactions.
This starkly highlights the value of increasing the economic density of Bitcoin transactions. The Lightning Network takes a big step towards this by enabling hundreds, thousands or millions of economic transactions to be aggregated into a single Bitcoin transaction. The greater the economic density per byte in a transaction, the lower the fees paid for this economic activity. As the economic density of Bitcoin transactions increases, other uses of block space have been priced out and will continue to be priced out[9].
It is worth noting that if off-chain multisig protocols such as MuSig2, FROST, or adaptor signatures become mainstream, it may make sense to reduce or eliminate the witness discount. These protocols can enable the representation of large spending conditions with a single signature. This, combined with Taproot's efficient key path spend, can bring the cost of inputs with complex conditions down to approximately just 105 bytes.
Conclusion
The response to higher fees caused by tokens is the same as for any other hypothetical sky-is-falling scenario in Bitcoin history: build patiently. There is a lot we can do to increase the economic density of Bitcoin transactions, from creating better Lightning wallets to Ark to discreet log contracts and beyond. Removing the witness discount (prematurely), rolling back Taproot, or similar counterproductive actions will only reduce the economic density of existing Bitcoin transactions and worsen the situation.
Stay humble, stack sats, and build.
Footnotes
1. The term witness in Bitcoin is adopted from cryptographic language, where it refers to the data needed to efficiently verify a cryptographic claim. BIP141 defines it as any “data that is required to validate a transaction but is not required to determine the effects of the transaction.” Cryptologists may have picked up the term from manufacturing witness marks used to efficiently verify the alignment of components.
2. The Utreexo project aims to change this for a subset of Bitcoin nodes by allowing them to efficiently accumulate UTXO inclusion roots and then receive inclusion paths along with the spending of those UTXOs. If this becomes a popular way to use Bitcoin, it shifts the cost of more UTXOs from nodes to holders of UTXOs.
3. The ZeroSync project aims to change that for some nodes in some contexts.
4. Transaction ID: the double SHA256 hash, in reversed byte order, of a transaction in its pre-SegWit network format.
5. Multiple valid transactions with the same inputs and outputs have different txids if they are signed in different ways or their signatures are modified by a third party.
6. It can be any value without a hard fork because old nodes are not aware of the segregated witness data.
7. 1 million or less to maintain compatibility and prevent a hard fork.
8. Assuming the use of compressed public keys and 71-byte R/S DER signatures.
9. Does anyone remember Satoshi Dice?
This is a guest post by Brandon Black. The opinions expressed are entirely their own and do not necessarily reflect the opinions of BTC Inc or Bitcoin Magazine.