BIP 119 OP_CHECKTEMPLATEVERIFY allows users to restrict outputs by committing to nVersion, nLockTime, scriptSig hash, input count, sequences hash, output count, outputs hash and input index. In this post, we will focus on committing to multiple inputs because it could help in improving payjoin.
Example from the BIP:
Path A: <+24 hours> OP_CHECKSEQUENCEVERIFY OP_CHECKTEMPLATEVERIFY <Pay Alice 1 Bitcoin (1 input) nLockTime for +24 hours>
Path B: OP_CHECKTEMPLATEVERIFY <Pay Bob 2 Bitcoin (2 inputs)>
In this case, there are 24 hours for the output to, with the addition of a second input, pay Bob 2 BTC. If 24 hours lapses, then Alice may redeem her 1 BTC from the contract. Both input UTXOs may have the exact same Path B, or only one.
Let’s make some changes in this example so that it could work as payjoin:
Path A: <+1 hour> OP_CHECKSEQUENCEVERIFY OP_CHECKTEMPLATEVERIFY <Pay Alice 0.01 Bitcoin (change) and Pay Bob 0.02 Bitcoin (1 input) nLockTime for +1 hour>
Path B: OP_CHECKTEMPLATEVERIFY <Pay Bob 0.03 Bitcoin and Pay Alice 0.01 Bitcoin (change) (2 inputs)>
This will result in 3 transactions:
-
Funding tx (sender)
-
Funding tx (recipient)
-
Spending tx
We can reduce it to 2 transactions by using P2A as described by stutxo in this repository: https://github.com/stutxo/simple_ctv It would improve privacy for this protocol because P2A can be can spent by anyone along with their inputs.
Differences compared to normal payjoin:
-
Less interaction
-
Recipient broadcasts the transaction (path B)
Most importantly this protocol fixes the UTXO probing attack.