OP_CHECKTEMPLATEVERIFY has once again become a focal point in the conversation about improvements to scale bitcoin. This time many more alternative designs are being proposed for actual covenants, along with concrete designs that use CTV as scaling solutions (Timeout Trees and Ark). The conversation has much greater depth of concepts to consider, both in terms of alternatives that could be adopted and concrete proposals that CTV could enable.
A narrative circulating from the anti-CTV camp is that “CTV does not scale bitcoin.” Let's charitably interpret that to mean that CTV itself doesn't scale bitcoin; the things you can build with it do. Well, then that's not a coherent argument. Segregated Witness did not scale bitcoin. CHECKLOCKTIMEVERIFY and CHECKSEQUENCEVERIFY did not scale bitcoin. But the Lightning Network, which those three proposals enabled, scales bitcoin. They add a huge amount of overhead to grow transactional performance beyond the limitations of the blockchain itself.
Lightning literally couldn't exist without those base layer primitives. However, the problem with Lightning is that it only increases the number of transactions that can be processed. It in no way helps to improve the scalability of UTXO ownership or increase the number of users who can control one. Lightning cannot do that with its current design and the current set of consensus primitives available in bitcoin script.
CTV can change that.
UTXO and virtual UTXO
Part of Lightning's deficiency with respect to scaling bitcoin ownership is that to open a channel or control a UTXO, you actually have to perform transactions at the base layer. After that, Lightning can facilitate a large number of off-chain transactions, but a user must still make on-chain transactions to join Lightning. It greatly increases the number of transactions that bitcoin can process, but does absolutely nothing to increase the number of people who can own bitcoins.
This is another big problem that CTV can help with. Burak coined the term “virtual UTXO” for his Ark proposal, but I think this terminology is a perfect general term and useful far beyond the context of Ark. A virtual UTXO is one that is committed to being created in the future, through mechanisms such as a pre-signed transaction, but that has not actually been created on-chain yet. Bitcoin doesn't have the block space for everyone to create a single UTXO on the scale of the world's population, but there is definitely a chance for people to have their own independent virtual UTXO if the process of committing to them can be made scalable.
The problem is scaling the creation of commitments to vUTXOs. There is currently no way to create these except by using pre-signed transactions, and this introduces a bottleneck that needs to be addressed. The number of vUTXOs that any real UTXO can commit to is limited by the size of the multisignature set that signs these transactions. To create trustless vUTXOs, the owner of each vUTXO must be part of the multisignature key that signs the transactions that commit to creating them; otherwise, they have no guarantee that conflicting transactions will not be generated that negate their ability to claim their vUTXO if necessary. The problem of coordinating this signing between every member of the pool introduces practical considerations that will ultimately severely limit the size to which any vUTXO pool can grow. The only other alternative is to have some trusted party or parties sign off on transactions committing everyone's vUTXOs and simply trust them not to steal those funds from the rightful owners.
CTV offers a solution to both problems. It can non-interactively commit to a set of future transactions in the same way that pre-signed transactions do, but without requiring all owners of the vUTXOs those transactions create to coordinate the signing, so the coordination problem is solved. At the same time, since no one needs to interact, a single person could take on the role of funding a CTV output that commits to everyone's vUTXOs being deployed on-chain, and no trust is required in that person once the funding transaction confirms. Once that actual UTXO is confirmed in a block, the person who funded it has no ability to undo or double-spend any future transactions they have committed to.
Keep in mind that a vUTXO can be whatever you want it to be. It can be a Lightning channel, a multi-signature script for cold storage, etc. CTV does what the current form of Lightning doesn't: it scales the actual ownership of bitcoin, not just the number of transactions it can process.
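The non-interactive commitment described above, as an added example (not code from the original article or from any CTV implementation): it computes the BIP-119 default template hash and folds vUTXO outputs into a tree of committed transactions whose root is the single funding output. The binary tree shape, zero fees, bare CTV scripts with no Taproot key path, the sample leaves and all helper names are assumptions of this example.

```python
import hashlib
import struct

OP_CTV = b"\xb3"  # OP_NOP4, the opcode BIP-119 redefines as OP_CHECKTEMPLATEVERIFY


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def ser_output(value: int, script: bytes) -> bytes:
    # Output serialization: 8-byte LE amount, 1-byte length (script < 253 bytes), script
    assert len(script) < 0xFD
    return struct.pack("<q", value) + bytes([len(script)]) + script


def template_hash(outputs, version=2, locktime=0, sequence=0xFFFFFFFF) -> bytes:
    """BIP-119 default template hash: one input, empty scriptSig, input index 0."""
    r = struct.pack("<i", version) + struct.pack("<I", locktime)
    r += struct.pack("<I", 1)                    # number of inputs
    r += sha256(struct.pack("<I", sequence))     # hash over every input's nSequence
    r += struct.pack("<I", len(outputs))         # number of outputs
    r += sha256(b"".join(ser_output(v, s) for v, s in outputs))
    r += struct.pack("<I", 0)                    # index of the input being spent
    return sha256(r)


def ctv_script(outputs) -> bytes:
    # Bare script: push 32-byte template hash, then OP_CHECKTEMPLATEVERIFY
    return b"\x20" + template_hash(outputs) + OP_CTV


def commit_tree(leaves, fanout=2):
    """Fold (value, script) vUTXO leaves into one funding output.

    Returns (root_output, depth); depth is how many transactions one owner
    must publish to turn their vUTXO into a real UTXO. Fees are ignored.
    """
    level, depth = list(leaves), 0
    while len(level) > 1:
        groups = [level[i:i + fanout] for i in range(0, len(level), fanout)]
        level = [(sum(v for v, _ in g), ctv_script(g)) for g in groups]
        depth += 1
    return level[0], depth


def demo_leaves(n):
    # Constructed sample data: P2TR-shaped scripts (OP_1 <32 bytes>) with fake keys
    return [(10_000, b"\x51\x20" + sha256(b"user%d" % i)) for i in range(n)]
```

Changing any leaf's amount or script changes the 34-byte root script, which is why the funder cannot alter the committed vUTXOs once the funding output confirms. With 1,024 leaves in a binary tree, each owner is ten transactions away from a real UTXO.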
Cut the shortcut
One of the other criticisms of CTV for “not scaling bitcoin” is that committing to future transactions does not avoid the need to eventually put them on-chain, and therefore CTV doesn't actually help improve scalability. I like to call this “the OP_IF fallacy”: once people start talking about CTV, they forget that OP_IF exists and that scripts can have multiple spending conditions to choose from.
The most powerful things about Taproot are the ability to build multisignatures by simply adding two public keys together and signing with a single aggregated signature, and to selectively reveal only a single “IF” branch of a script that has multiple ways to be spent. Combined with CTV, this offers a very powerful way to use vUTXO commitments. Instead of making a chain of transactions using exclusively CTV, they can be built with the CTV spend path buried within a taproot tree. The end of the transaction chain is all the individual vUTXOs owned by each participant, each locked solely with that user's public key. As you move towards the root of the tree, the keys found below any node in the tree can simply be added together and used as a Schnorr multisignature key under which the CTV spend path is buried.
This means that at any point in the chain of transactions that converts vUTXOs into actual UTXOs on-chain, if every participant in an intermediate UTXO can coordinate with the others, they can simply cooperatively sign a transaction moving their coins wherever they want. That is more efficient than letting the predefined transaction flow unfold to the end to turn their vUTXOs into real ones. This allows small subgroups to avoid deploying the entire set of previously committed transactions on-chain, without introducing trusted parties or weakening the security of each user's claim to their own vUTXOs.
These two simple realities offer a huge gain in scalability for bitcoin without compromising individual sovereignty or security in doing so, and all we need to realize them is CTV.
Thanks: I would like to thank everyone involved in Chicago Bitdevs for helping me formulate these observations concisely through the discussion.