Disconnecting Simplicity Expressions

Simplicity’s disconnect combinator enables user-defined signature hash modes, delegation, and more

Simplicity’s Merkle Roots

With BIP 16’s pay-to-script-hash (P2SH), Bitcoin developers realized that it is sufficient to commit to the hash of a Bitcoin script when funds are sent and scripts only need to be revealed at redemption time. This allows Bitcoin addresses to have a fixed length independent of the complexity of the script that controls those funds.

  • As with P2SH, Simplicity addresses have a fixed length independent of the complexity of the Simplicity program committed to.
  • Any unexecuted branches in the program can be pruned at redemption time, decreasing program size and increasing privacy.
  • The computation of the Merkle root of shared subexpressions can be shared.

The disconnect Combinator

Simplicity’s disconnect combinator composes two subexpressions, but only the first of these subexpressions is included in the expression’s CMR. The second expression is “disconnected” from the commitment, allowing for it to be freely programmed at redemption time. Instead, the second expression’s CMR is passed as an argument to the first expression. This allows the first expression to constrain the disconnected expression.

Universal Signature Hash Modes

Our universal CheckSigHash Simplicity program uses the disconnect combinator to allow the signer to build their own custom signature hash mode which can include and exclude whichever transaction components they wish for their digest. The CMR of their chosen signature hash expression is combined with the output of their expression to form the signed message. A witness combinator holds a digital signature for that message which is verified using the Schnorr signature algorithm against a public key fixed by the CheckSigHash program. Because the signature commits to the CMR of the signature hash mode expression, the disconnected expression cannot be altered without creating a new signature.


The arbitrary Simplicity expressions used to create custom signature hash modes can also include assertions. Assertions can be used to enforce requirements such as:

  • A lower bound on the transaction’s timelock
  • A minimum amount sent to a (change) address
  • A covenant
  • A signature from another party

Loops without Bounds

Simplicity’s disconnect combinator enables other features as well. One can constrain the disconnected expression to a single fixed CMR. While this may appear useless, it enables a trick where one can pass the expression’s own CMR as an argument to the expression itself. Then the expression can use its own disconnect combinator to call another copy of itself. Such an expression creates an unbounded loop that commits to arbitrarily many nested copies of itself, which can be terminated by pruning the expression at a depth past which no more copies are executed.


With the disconnect combinator now implemented, we have completed the functional implementation of Simplicity. We have seen how to use the disconnect combinator to enable features such as:

  • Universal signature hash modes
  • Delegation
  • Unbounded loops

Future Work

We continue to work towards a production-ready release of Simplicity. While the language functionality is now complete, there is more work to be done:

  • Anti-denial-of-service mitigations, including a cost model for resource usage.
  • Create a wide selection of jets to reduce the cost of common expressions.
  • Update the transaction introspection primitives to support new Taproot features.

Keep Up To Date With Developments

To keep up with the latest Simplicity developments, make sure you sign up for our official newsletter below and subscribe to the simplicity-dev mailing list.



The latest developments in cutting-edge Bitcoin technology from Blockstream.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store

Blockstream is the global leader in Bitcoin & blockchain technology, making financial markets more efficient by reducing reliance on trust.