OP_CHECKTEMPLATEVERIFY (CTV) has once again become a focal point in the conversation about improvements for scaling Bitcoin. This time there are several alternative covenant proposals on the table, as well as concrete designs that use CTV as scaling solutions (Timeout Trees and Ark). The conversation now has far more depth, both in the alternatives that could be adopted and in the concrete things CTV can offer.
One narrative circulating in the anti-CTV camp is that “CTV is not scaling Bitcoin.” Let's interpret that charitably to mean that CTV itself doesn't scale Bitcoin; the things you can build with it do. Well, that's not a coherent argument. Segregated Witness did not scale Bitcoin. CHECKLOCKTIMEVERIFY and CHECKSEQUENCEVERIFY did not scale Bitcoin. But the Lightning Network, which these three proposals enabled, does scale Bitcoin. It adds a huge amount of headroom for transaction throughput to grow beyond the limitations of the blockchain itself.
Lightning literally cannot exist without that base layer. But the problem with Lightning is that it only scales the number of transactions that can be processed. It in no way helps scale the ownership of UTXOs, or increase the number of users who can control one. Lightning cannot do this with its current design and the current set of consensus primitives available in Bitcoin Script.
CTV can change that.
UTXOs and virtual UTXOs
Part of the reason Lightning falls short on scaling Bitcoin ownership is that in order to open a channel, or control a UTXO, you have to actually make transactions on the base layer. Lightning can then facilitate a very large number of off-chain transactions, but the user still has to make on-chain transactions to join Lightning. It dramatically increases the number of transactions that Bitcoin can process, but it does absolutely nothing to increase the number of people who can own Bitcoin.
This is another big problem that CTV can help with. Burak coined the term “virtual UTXO” for his Ark proposal, but I think it is a perfect and useful general term outside of the context of Ark. A virtual UTXO (vUTXO) is one that is committed to being created in the future, through a mechanism such as a pre-signed transaction, but has not yet actually been created on-chain. Bitcoin doesn't have the block space for everyone in the world's population to create a single UTXO, but there is certainly the potential for people to have their own independent virtual UTXO if the process of committing to it can be made scalable.
Scaling the creation of commitments to vUTXOs is the problem. Currently, there is no way to create them except through the use of pre-signed transactions, and this is a bottleneck that must be addressed. The number of vUTXOs that any real UTXO can commit to is limited by the size of the multisig set that signs these transactions. To create vUTXOs trustlessly, the owner of each vUTXO must be part of the multisig key that signs the transactions committing to create them; otherwise they have no guarantee that conflicting transactions will not be created, which would invalidate their ability to claim their vUTXO if necessary. The problem of coordinating signing among every group member introduces practical considerations that will ultimately severely limit the size to which any group of vUTXOs can grow. The only other alternative is to have some trusted party or parties sign the transactions committing to everyone's vUTXOs, and simply trust them not to steal those funds from the rightful owners.
CTV offers a solution to both problems. By being able to non-interactively commit to a set of future transactions in the same way that pre-signed transactions do, but without requiring every owner of the vUTXOs created by those transactions to take part in signing, it solves the coordination problem. At the same time, since no one needs to interact, one person can take on the role of funding the on-chain CTV output that commits to everyone's vUTXOs, and absolutely no trust in this person is required after the funding transaction is confirmed. Once the real UTXO is confirmed in a block, the person who funded it no longer has the ability to undo or double-spend the future transactions they have committed to.
Keep in mind that a vUTXO can be whatever you want it to be. It could be a Lightning channel, a multisig cold storage script, etc. CTV does what the current form of Lightning does not: it scales actual ownership of Bitcoin, not just the number of transactions it can process.
Cut the shortcut
One other criticism of CTV as “not scaling Bitcoin” is that by committing to future transactions you are not avoiding the need to put them on the chain eventually, so CTV does not actually help improve scalability. I like to call this the “OP_IF fallacy”. As soon as people start talking about CTV, they seem to forget that OP_IF exists and that scripts can have multiple spending conditions to choose from.
The most powerful things about Taproot are the ability to create multisigs by adding two public keys together and signing with a single aggregate signature, and the ability to selectively reveal only one “IF” branch of a script that has multiple ways to be spent. In combination with CTV, this provides a very powerful way to optimize vUTXO commitments. Instead of making the series of transactions purely with CTV, they can be created with the CTV spending path buried inside a Taproot tree. At the end of the transaction chain are the individual vUTXOs owned by each participant, each locked to that user's public key alone. As you move back towards the root of the tree, the keys below any node in the tree can simply be added together and used as a Schnorr multisig key, under which the CTV spending path is buried.
This means that at any point in the chain of transactions that would go on-chain to turn vUTXOs into real UTXOs, if every participant below that point can coordinate with the others, they can simply sign a transaction collaboratively and move their coins where they want in a more efficient way, rather than letting the pre-defined transaction flow unroll all the way down to converting their vUTXOs into real ones. This allows small subsets to escape the need to actually expose the entire set of pre-committed transactions on the chain, without introducing any trusted parties to rely on or weakening the security of each user's claim to their vUTXO.
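The commitment structure described above, as an added example that is not code from the article or from any CTV project: a tree of template hashes folds eight vUTXO outputs into a single on-chain output, and changing any committed leaf changes that output. The hash follows the field order of BIP-119's default template hash for a one-input transaction with an empty scriptSig. Assumptions: owner scripts are constructed placeholders, fees are ignored, and the committing script is the bare `<hash> OP_CTV` form instead of the Taproot-buried path, so the cooperative key-path spend is not modelled.

```python
import hashlib
import struct

OP_CTV = b"\xb3"  # OP_NOP4, the opcode BIP-119 redefines

def sha256(data):
    return hashlib.sha256(data).digest()

def ser_output(amount, script):
    # 8-byte LE amount, 1-byte length (all scripts here are < 253 bytes), script
    return struct.pack("<q", amount) + bytes([len(script)]) + script

def template_hash(outputs, version=2, locktime=0, sequence=0xFFFFFFFF, index=0):
    # BIP-119 field order for one input with an empty scriptSig
    r = struct.pack("<iI", version, locktime)
    r += struct.pack("<I", 1)                        # input count
    r += sha256(struct.pack("<I", sequence))         # hash of all sequences
    r += struct.pack("<I", len(outputs))
    r += sha256(b"".join(ser_output(a, s) for a, s in outputs))
    r += struct.pack("<I", index)                    # index of the spending input
    return sha256(r)

def ctv_script(h):
    return b"\x20" + h + OP_CTV                      # <32-byte hash> OP_CTV

def build_tree(leaves, fanout=2):
    """Fold vUTXO outputs into one committing output; return (output, depth)."""
    level, depth = list(leaves), 0
    while len(level) > 1:
        groups = [level[i:i + fanout] for i in range(0, len(level), fanout)]
        # Each group becomes one future transaction; its parent output holds
        # the summed amount and commits to that transaction's template hash.
        level = [(sum(a for a, _ in g), ctv_script(template_hash(g))) for g in groups]
        depth += 1
    return level[0], depth

# Constructed sample: 8 owners, each with a placeholder P2TR-style script.
USERS = [(10_000 * (i + 1), b"\x51\x20" + sha256(b"user%d" % i)) for i in range(8)]

if __name__ == "__main__":
    root, depth = build_tree(USERS)
    print("on-chain output:", root[0], "sats,", root[1].hex())
    print("transactions for one owner to exit alone:", depth)
```

The depth is the number of pre-committed transactions one owner must publish to reach their own output without anyone's cooperation; the funder needs no signatures from the owners to build the root.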
These two simple facts provide huge scalability gains for Bitcoin without compromising individual sovereignty or security in doing so, and all we need to achieve them is CTV.
Thanks and appreciation: I would like to thank everyone involved at Chicago Bitdevs for helping me shape these notes in a concise way through the discussion.