Emulating OP_EVAL using Bitcoin Cash Native Introspection Opcodes (OP_UTXOBYTECODE)

The idea of OP_EVAL was presented by Gavin Andersen in BIP-0012[1] but never got implemented on a Bitcoin blockchain.

The idea behind OP_EVAL is this: allow an input to execute a stack item as Script VM bytecode. This would allow contract authors to hide code modules behind hashes, and those code modules never used would not have to be revealed when spending the UTXO.

Generalized construction like that is called a Merkelized Abstract Syntax Tree (MAST), and OP_EVAL would be a sufficient building primitive[2]:

One way to implement the general MAST design is using a combination of OP_EVAL, OP_CAT, and OP_HASH256. However, that will suffer from the problems of OP_EVAL, including risks of indefinite program loop and inability to do static program analysis. A complicated implementation is required to fix these problems and is difficult to review.

In the meantime, the first Bitcoin blockchain (blocks 0 to 478558) was forked and from there Bitcoin (BTC) and Bitcoin Cash (BCH) diverged in both their blockchain history and blockchain development.

With November 2021 soft-fork upgrade activation, Bitcoin (BTC) introduced Taproot which supports merkle branch constructions[3]:

Merkle branches let us only reveal the actually executed part of the script to the blockchain, as opposed to all possible ways a script can be executed. Among the various known mechanisms for implementing this, one where the Merkle tree becomes part of the script’s structure directly maximizes the space savings, so that approach is chosen.

With May 2022 hard-fork upgrade activation, Bitcoin Cash (BCH) introduced native introspection opcodes[4] and here the OP_UTXOBYTECODE will be of use:

Pop the top item from the stack as an input index (Script Number). Push the full locking bytecode of the Unspent Transaction Output (UTXO) spent by that input to the stack.

It will let us load an additional code to be executed using another input, called “sidecar” input (term coined by Jason Dreyzehner), and then verify the code against the hash stored in the “main” input.

Demo Contract

The contract allows for two spending paths. It is a simple construction just to demonstrate the capability to emulate OP_EVAL using OP_UTXOBYTECODE.

• Example transaction using spending path “HA”, requiring a sidecar with P2PKH locking bytecode: 826763fd0ce418e0f0859c026d0498bf66af012bf78323fcf3557791d4510306 [5]
• Example transaction using spending path “HB”, requiring a sidecar with P2SH locking bytecode: 72356114028064e36de76ae183c361e12cf22d525573556db64444290af72fc7 [6]

The code to be executed is introduced through an input spending a dust amount UTXO prepared in advance of spending the “main” 0.1 UTXO. The “main” UTXO requires that some input in the TX spends the UTXO which has the “sidecar” code.

This is a simple hash structure that has only 2 leaf nodes and the root, so when spending using any of the 2 leaves, the hash of the other leaf node must be provided by the spender so the redeem script can verify the root hash. The code (“SA” or “SB”) of the other leaf is not revealed.

• The first transaction revealed 1 leaf, one that requires a P2PKH sidecar input, but it did not reveal the other leaf’s code.
• The second transaction revealed the other leaf, one that requires a P2SH sidecar input, but it did not reveal the 1st transaction’s leaf.

Anyone can spend using the P2SH path. To make things interesting I have again sent 0.1 to the contract, try and claim it. :) Edit: claimed[7] by TinosNitso[8].

Redeem script for the address (bitcoincash:pzgevd54q0cy3usffzxk00gphu77rdajdsp460cnt2 [9]) currently holding 0.1 BCH:

OP_UTXOBYTECODE
711b8704f80c7b17082783be22b966251fd4df2feca36425b3e1b4c27776a8c9
OP_TOALTSTACK
OP_TOALTSTACK
OP_DUP
0
OP_EQUAL
OP_IF
OP_FROMALTSTACK
OP_HASH256
OP_ROT
OP_CAT
OP_HASH256
OP_FROMALTSTACK
OP_EQUAL
OP_SWAP
OP_ENDIF
1
OP_EQUAL
OP_IF
OP_FROMALTSTACK
OP_HASH256
OP_CAT
OP_HASH256
OP_FROMALTSTACK
OP_EQUAL
OP_ENDIF

BitAuth IDE Scratchpad for the contract [10]

—

—

Links:

[1] https://en.bitcoin.it/wiki/BIP_0012
[2] https://github.com/bitcoin/bips/blob/master/bip-0114.mediawiki#mast-structure
[3] https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki#design
[4] https://gitlab.com/GeneralProtocols/research/chips/-/blob/master/CHIP-2021-02-Add-Native-Introspection-Opcodes.md
[5] https://explorer.bitcoinunlimited.info/tx/826763fd0ce418e0f0859c026d0498bf66af012bf78323fcf3557791d4510306
[6] https://explorer.bitcoinunlimited.info/tx/72356114028064e36de76ae183c361e12cf22d525573556db64444290af72fc7
[7] https://explorer.bitcoinunlimited.info/tx/260b5896d741a53322314fac403395fb4877b80b22cebced06841fcff8730580
[8] https://old.reddit.com/r/btc/comments/w11r7s/emulating_op_eval_using_bitcoin_cash_native/igi5msn/
[9] https://explorer.bitcoinunlimited.info/address/pzgevd54q0cy3usffzxk00gphu77rdajdsp460cnt2
[10] https://ide.bitauth.com/import-template/eJzNVW1v2zYQ_iuEsI9JTJESSQWBAddxlqAv8vzStZiHgC_HWYMtCRbdeCjy30tKspOsKIqiHzZ9Efnw7rnj3XPg5-iXRq9hK6PLaO1c3VwOBqpwcu_WF7raDrrDZhAAKF2hpSuq8tzBtt5IB-ef8EVncvF3U5XRWWSg0buiDlae0gOl3IJfLb2z24DxSOBxBTTR5efHs6gzD5uwlE6v72tpwrb3nHcomsrg3Jl7-Cqf3l8vp8j_bkfz25hhhA9xMlyVV_iASSwS0CZJBc8SKhOdqFRlMSUMDJXcqDQzJuOQUEY5YVxYyIwQLLWJ4ElmwfM8MXtOv5n8thy9eT-Z3d18DFHHt5Px6_ndr53leLRA3e_kSFK2KjvXf2d4tYocNG4VDf0hfpcvWu5vxfxehCP6Eg_1meXTAA8G6K6s9w511WuzwgfNJQMRK5tZrqhOpU44thbHGrhVRBmu0hiblFKqNBVWKZyllGXUGEJTHA-R5829Lnaolm6N1rJZB-IWn9dQmqL8qz3yaGc9Lwyca7lzqCgNHEIibXYzMADbPj0EB9D7oCDUFNv9ppVcb_jgVYi8MOtiE8h34GWoAfkkkK02m-ohoA-Fz8Zff7n4kL_6uJiM8-vJqkT-62uC_O05k1mcKN93MAnITHNBsSYAGdMxl1SZ1NqUUR0TS5QQUg_7uvE4VoLjxAqsuYo5FsT7KiBEZYyRNLYmMZZY0JKyhKSKQqwSTTj3MYXOhiGNRT56s5gvRuPXoS67qnJ9_V6cdV1cTruyHvUQFnc3pxvdzPK3J7InBYTlLD9qBj2XxjccT-Tz30fTNvTk3XUIFLr348F_JOrzaG2jdy8U0XUcDFL_ONCVgV7ABP9sM5hiijOMBWeUaSm54iAl04JzzUQan_AeZWLYZ1iTZv0sn2dT_tXEH2t6rMrTZJ8mutXW_2Qo_7vSDqPH8CTs67raOf9YXP4RvRrf3hNM8D1Ooz_Pok-wa9q3BT9-AWVOCaw=