CHIP-2025-01 TXv5: Transaction Version 5

Announcement and AMA:

https://x.com/bitjson/status/1884677494894453208

Summary

This proposal introduces a version 5 transaction format, enables fractional satoshis and fractional CashTokens, simplifies contracts, and optimizes transaction sizes.

Benefits

• Zero-Overhead Covenants – Enable user-deployed financial and privacy covenants to minimize transaction sizes, matching or outperforming purpose-built, “layer 1” networks. See Example: Zero-Knowledge Proof Covenants.

• Detached (“Cross-Input”) Signatures – Reduce transaction sizes by enabling multiple inputs to reference the same signature(s). See Example: Single-Signature Sweeps.

• Comprehensive Malleability Protection – Optionally covers all unlocking bytecode, simplifying security audits and allowing contracts to eliminate piecemeal protections. Non-push unlocking bytecode also enables significant savings for transactions spending multiple similar inputs.

• Efficient Covenant UTXO Recycling – Enables the economical inclusion of recycling code paths in covenants, allowing covenant systems to recover dust from obsolete UTXOs. See Example: Recycling Covenant Dust.

• Fractional Satoshis – Prepare Bitcoin Cash for significantly increased scale and adoption (while saving up to 6 bytes per output vs. the existing encoding).

• Fractional CashTokens – Simplify the operational requirements of large, highly-liquid CashTokens like stablecoins and real-world assets by optionally allowing up to 19 decimal places of additional precision.

Examples

The following examples highlight efficiency improvements made possible by v5 transactions.

Zero-Knowledge Proof Covenants

This proposal enables zero-overhead covenants: user-deployed protocols with the same bandwidth efficiency as “layer 1” networks.

For example, a zero-knowledge proof (ZKP) contract system could be designed to perform validation of proofs within a read-only input known to the covenant (by outpoint) or marked by a tracking CashToken. Such ZKP transactions might include three inputs and two outputs:

• Input 0 (read-only): The ZKP is provided in this unlocking bytecode. The locking bytecode verifies that the transaction is correctly structured and that the ZKP justifies the state transition between the previous application state (Input 1) and the next application state (output 0).
• Input 1: A covenant holding the previous application state and any BCH, spendable only if Input 0 is the expected ZKP-verifying contract. (Any combination of other tokens may be controlled by sidecar UTXOs, omitted or included as necessary for deposits/withdrawals.)
• Input 2: A user-provided input to fund any deposit(s) and the transaction’s mining fee.
• Output 0: The updated covenant holding the new application state and any BCH.
• Output 1: A user-controlled output to hold any withdrawals or remaining “change” in BCH (if Input 2 isn’t entirely consumed).

Note the bandwidth-efficiency of this transaction: it encodes 1) deposited/withdrawn asset amounts and details 2) the covenant’s “after” state (the “before” state is known via Input 1), and 3) the proof. In particular, both the covenants “before” state and the bytecode evaluated to verify the proof – possibly many hundreds or thousands of bytes – is omitted from the transaction (and de-duplicated in the blockchain).

In short, this ZKP protocol is just as bandwidth-efficient as if it were “built-in” to Bitcoin Cash via consensus upgrade.

Following activation of this proposal, Bitcoin Cash covenants could simultaneous support a wide variety of financial and privacy technologies using transaction sizes no larger than those of purpose-built, “layer 1” networks.

Further, Bitcoin Cash covenants are better positioned to safely adopt new technologies: other networks require extensive development, testing, and advocacy prior to the deployment of upgrades, while equally-efficient Bitcoin Cash covenants can be deployed immediately, at negligible cost, without risk to the wider Bitcoin Cash network, and with risks precisely controlled by the end user (i.e. only the minimal assets trusted to a new system can be lost by a vulnerability in that system).

Finally, deployed technologies on other networks often trail significantly behind the “state of the art” (e.g. in proof sizes). Zero-overhead covenants allow Bitcoin Cash to consistently outperform these other networks in transaction sizes, scalability, and overall user experiences.

Single-Signature Sweeps

This proposal enables significant reductions in common transaction sizes by sharing signatures across inputs and re-enabling non-push unlocking bytecode.

For example, a transaction spending many Pay-to-Public-Key-Hash (P2PKH) outputs may unlock the 0th input with unlocking bytecode: OP_0 <a.public_key> (35 bytes), where the OP_0 indicates the 0th detached signature. Later inputs may then be spent simply by evaluating the push instructions from the 0th input: OP_0 OP_INPUTBYTECODE OP_EVAL (3 bytes per input).

Once constructed, the entire encoded transaction can be signed only once (by a.public_key), with the signature placed in the 0th detached signature slot, preventing malleation of any portion of the transaction.

Recycling Covenant Dust

This proposal resolves a long-standing incentive alignment issue in contract design: covenant UTXOs which have reached the end of their lifecycle (and in many cases, may be provably unspendable) often remain in the UTXO set for lack of a fee-efficient recycling code path.

Prior to this proposal, the aggregate cost of replicating a recycling code path across a covenant’s lifecycle often exceeded the recovered value, even for very short bytecode lengths.

For example, consider this “wrapper” allowing a covenant UTXO to be recycled once its value reaches some minimum value (600 sats): OP_INPUTINDEX OP_UTXOVALUE <600> OP_LESSTHAN OP_NOTIF other_contract_code OP_ENDIF (adds 8 bytes). If this covenant were re-created across a chain of 100 transactions, the transaction fees required (currently 1 byte/sat) for the cumulative overhead contributed by the wrapper (800 bytes) would exceed the expected value of the recovered dust.

Following this proposal, any covenant can be designed such that the aggregate cost of recycling code paths are small and constant: by including recycling code path(s) in read-only inputs, fees paid for inclusion of recycling bytecode are limited to the initial setup transaction(s). As recycling bytecode can be omitted from all later transactions, covenant dust can be economically collected in nearly all cases.

High-Liquidity CashTokens

Prior to this proposal, high-liquidity CashTokens (particularly stablecoins) were forced to navigate a minor tradeoff in denominating their CashToken: larger units reduce the encoding size in most transactions and enable a larger overall supply, but smaller units may be necessary for sufficient precision in important markets and use cases.

For example, using indivisible CashTokens, a USD-backed stablecoin issuer might denominate its stablecoin using 6 decimal places (i.e. 1000000 fungible tokens represent $1) – sufficient precision to accommodate the minimum tick size in today’s largest financial markets (allowing on-chain settlements without batching or precision-handling edge cases).

However, at 6 decimal places, nearly all common output amounts require 5 bytes (e.g. $1 is 0xfe40420f00) or more, whereas at 2 decimal places, many smaller output amounts require only 1 byte (e.g. $1 is 0x64) or 3 bytes (e.g. $655.35 is 0xfdffff). Additionally, at 6 decimal places, the maximum indivisible fungible token supply can represent only $9.2 trillion USD, leaving less than one order of magnitude between the current “market cap” of all cryptocurrencies and the stablecoin’s maximum-supportable supply. This leaves room for plausible concern about migration strategies and/or multi-category issuance schemes, particularly in the event of rapid inflation in the underlying fiat currency.

Following this proposal, this minor tradeoff is alleviated: in addition to the issuer’s chosen number of decimal places, **up to 19 decimal places of additional precision are available for all fractional CashTokens.

I’m proposing this upgrade for chipnet lock-in November 2026, mainnet deployment May 2027.

Thanks, Jason! I believe your work on this proposal will take Zero knowledge proof and covenants in BCH to the next level. I was initially concerned about efficiency and overhead, but your optimizations have addressed those concerns. I fully support this and hope we can have it by early 2027!

IMG_05381251×829 165 KB

Exciting stuff! Looking forward to seeing this conversation continue!

Seems like some thorough review is needed, as well as possibly some example use cases or more concrete details of the potential payoffs, plus some clearer elaboration of the conditions that a rollout would make sense (e.g. Top 10 on CMC), but this is proposed way ahead of schedule and I think it’s great to get the community discussion and consideration flowing already.

Copying some posts below:

https://x.com/bitjson/status/1884833296401453289

Also, new transaction versions are apparently unbelievably big deals, any thoughts on if maybe a later version will avoid that (as with PMv3 and CashTokens I believe). Or if a new transaction version is absolutely necessary, elaborate a little bit on why?

Yes – a new transaction format requires many more wallets, exchanges, and other systems to “deal with” the upgrade, creating a serious bottleneck: some would upgrade, some would drop BCH support.

In reality, we probably need to be in the top 10 cryptocurrencies by market cap to upgrade the transaction format without damaging the BCH ecosystem. (People may complain about ETH upgrades, but they’re not dropping ETH over them.)

Note that I’m not pushing this for 2026, and markets can change quickly – if BCH sees sudden growth (in time for a 2027 lock-in), it’d be nice to have this ready.

For now, this CHIP is probably most useful as a technical vision for how far we can push BCH contracts: they can truly subsume every “layer 1” network out there, matching and often outperforming them on transaction sizes, scalability, and overall user experience.

RE later iterations:

Yes, read-only inputs are actually backwards compatible in the TXv5 CHIP. Those can cleanly be activated before v5 transactions. Likewise with unifying the byte length limits.

On the other hand, detached signatures (and comprehensive malleability protection + re-enabling non-push unlocking bytecode), fractional sats/CashTokens, and trimming ancient TX encoding waste should probably just wait for a transaction format upgrade. (It’s always possible to hack things in SegWit-style, but I’d be against defacing the protocol over upgrade fears/logistics. Better to wait and do it right.)

https://x.com/bitjson/status/1884834849871085823

“Should we limit signatures in v5 to be Schnorr only going forward? It might make sense to slowly phase out old tech.”

IMO, no – deprecation can’t really simplify the protocol, only remove functionality. It’s very hard to justify removing even “silly” accidental behaviors like multisig stack clearing or modern codeseparator usage. See Increased Usability of Multisig Stack Clearing and Ongoing Value of OP_CODESEPARATOR Operation.

https://x.com/bitjson/status/1884838231146922293

Why are you proposing this upgrade for chipnet lock-in November 2026, mainnet deployment May 2027? What keeps you from aiming for mainnet deployment in may 2026?

1. the other 2026 CHIPs are much higher priority, as they’re more foundational and unlock new use cases: x.com and
2. transaction format upgrades are really hard: x.com

https://x.com/bitjson/status/1884995047851950338

Covenants already enable any “layer 1” technology: zkVMs, Monero (inc. Full-Chain Membership Proofs), Zcash, Mimblewimble, etc.

The 2026 proposals make these truly practical: from messy, multi-MB transaction chains to cheap, atomic transactions sent from any wallet.

Endgame: CHIP TXv5 demonstrates that Bitcoin Cash can consistently match or outperform “privacy coins” and other use-case-specific networks in the long term – on both transaction sizes and overall user experience.

https://x.com/bitjson/status/1885022284538130873

What’s the point if zkVMs covenants and other layer 1 technology that you mentioned aren’t even unlocked as new functionality? Shrinking MB size is nice, but without Bitcoin Cash covenants, it’s just optimizing transaction size, not expanding what’s possible.

Transaction fees and wallet support. There’s a huge difference between:

1. Wallets chaining together dozens or hundreds of maximum-sized transactions to do something that should be simple (e.g. send someone a ZK-shielded transaction) vs.
2. The code being efficient enough to use one small transaction (created by the wallet filling in blanks of common templates).

In practice – even if all wallet developers had the unlimited resources to implement complex, multi-step chaining protocols – real medium-of-exchange users don’t want to pay $20+ per interaction just because the VM requires copying and pasting the same code hundreds of times. (The underlying issue, literally.)

Instead, fixing the copy/paste requirement would make implementation easier for wallets (often “drop-in” using common templates) + the resulting protocols are inexpensive to use (less than $0.01 per interaction).
[…]
BCH already has very complete covenant functionality. We already have the “compute” capabilities, and popular protocols are already being ported to BCH.

With these duplication issues resolved, BCH would be far ahead of ETH and other networks in base protocol capabilities.

https://x.com/bitjson/status/1885125090179711215

Would it be possible to implement a zkVM on chipnet today, for release on mainnet in May 2025?

Theoretically yes, but very impractical – the VM bytecode evaluated to verify a proof would be absurdly filled with duplication. Many segments would be copied hundreds or thousands of times, likely accounting for more than 99% of overall transaction bandwidth (even considering potentially-large proof sizes), and in practice, each “proof verification” might have to be split across tens or hundreds of max-sized (100KB) transactions.

In a bit more detail:

It’s possible (since 2023) to break apart any computation, performing it across multiple transaction inputs: each input looks for its operands in some introspect-able location, performs part of the computation, then verifies that its intermediate result appears in another introspect-able location for the next input, etc.

This pattern can also be extended across multiple transactions to perform any imaginable computation, given sufficient mining fees paid. ZKP verification is just math, so by definition, it’s possible.

In practice though, many kinds of computations are absurdly inefficent to express with our current VM bytecode lacking function definition and loops. An easy example is hashing, which can be expressed in hundreds of bytes given function definition and a loop, but otherwise might require hundreds of KBs or even MBs of bytecode when everything is “inlined”.

This is even more of a problem for various ZKP constructions, which require repeated applications of even more verbose (in bytecode) primitive functions: efficient modular arithmetic (batched ops), EC group ops, bilinear pairings, Fourier transforms, etc. Individually, these might be reasonably succinct in VM bytecode, but inlining each in different locations across an algorithm – often in one or more tight loops – causes exponential or factorial growth in the length of the required bytecode.

This is a rather silly exercise though, as (after the 2025 upgrade) computation limits are no longer implicitly specified by a delicate set of magic constants, program length, and message encodings – the density-based limits comprehensively prevent abuse regardless of program structure (loops, OP_EVAL, any other flow control, 100KB redeem bytecode, 100KB stack item lengths, etc).

Even if someone were willing to commit the resources to porting a zkVM’s on-chain verification to the 2025 BCH VM (for which most of the work is in the workarounds) – the ported system likely wouldn’t be very production-useful: every protocol interaction might cost ~10,000x the typical BCH transaction fees, with extremely limited wallet support. (And even if building from scratch, the differences in constraints would encourage selection of a sub-optimal ZK construction vs. one chosen with less concern for program length – so even the “non-workaround” work might be a technical dead end.)

I wrote more here on how the 2026 CHIPs make it more practical: above

https://x.com/bitjson/status/1885337780730892770

Would it make sense to write a privacy app using the 2026 CHIPs to make sure we aren’t missing anything that might be needed? Usually when actually trying to implement something is when you really work all the bugs out.

Yes! The 2026 CHIPs are fully supported in Bitauth IDE (open source), and a handful of BCH contract devs have already been experimenting with them for a while. Here’s a video of the new loop debugging UI: https://x.com/bitjson/status/1867472399542710439…

Note, while I’ve focused on highlighting privacy apps over the past few days to make the impacts more tangible (and get people thinking about bigger contracts), it’s not just privacy apps that benefit from making our VM more efficient at expressing algorithms (with P2S, function definition, loops).

Prediction markets, loan protocols, decentralized exchanges, and a wide variety of other use cases benefit from deduplication by avoiding excessive “inlining” of loops and function applications.

Excessive duplication is also holding back many of these other use cases, e.g. multi-market scoring rules and decision matrices for prediction markets (where various functions need to be repeatedly applied to mathematical inputs from a long list of sub-market transaction inputs).

https://x.com/bitjson/status/1885510754033344949

Why 19?

The 19 isn’t a design choice, just the decimal result of squeezing every bit of precision out of our existing 64-bit CompactUint format.

What’s the limit for non CashToken ie native?

The CHIP proposes the same encoding for both fractional satoshis and fractional CashTokens.

Are tx fees still limited by sat denomination and/or pre existing dust limits?

Yes, no proposed change to fees or dust limits.

I don’t think it should be called zero-overheads when it’s not clear (from your wording at least) that’s it’s really zero.

It’s really zero. Covenants can implement the exact same behavior as e.g. Monero, with final transaction sizes that match or outperform those of Monero.

User-deployed covenants can truly have zero overhead compared to deploying the very same functionality as a consensus upgrade.

Podcast talking at length about this CHIP and the 2026 proposals: Fiendish & Friends #11 - Jason Dreyzehner talks 2026 CHIPS OP_EVAL, P2S, and Loops

On youtube:

Includes some discussion about how two components could reasonably be extracted from TXv5 (if BCH doesn’t have sufficient market dominance by 2026 to lock-in a transaction format upgrade), making this into 3 CHIPs:

1. Read-only inputs – the implementation in the CHIP is already backwards compatible, the TXv5 part just adds a more efficient encoding
2. Unified bytecode length limits
3. The v5 encoding itself (everything else in this CHIP)

If an improved encoding format still looks too disruptive in early 2026, I’ll just propose the smaller, backwards-compatible items (1 and 2) for 2027, and re-propose the v5 encoding for 2028.

However, as I tried to get across in the podcast, I consider the 2026 proposals many times more important than any part of TXv5.

My estimated ranking:

1. OP_EVAL – 1,000 - 10,000x improvements in algorithmically complex use cases, required for practical zero-knowledge proofs, and even a modest improvement for nearly all other BCH contracts
2. P2S – unlocks new use cases and wallet patterns (e.g. covenants can operate without off-chain tracking of redeem bytecode, some interactions can be atomic rather than requiring a chain of transactions, eliminates need for sidecar inputs in many cases, etc.)
3. Loops – less impactful than OP_EVAL, but in the cases where it can be used, improves compression by 20-30% vs. OP_EVAL (and makes compiled contracts easier to audit vs. recursion-based iteration)

On the other hand, the TXv5 improvements are long-term important, but not urgent:

4. Detached signatures, non-push unlocking bytecode – Up to ~60% savings in the best cases (esp. CashFusion)
5. Read-only inputs: seems like 10-50% reduction in the most complex covenant transaction sizes (on the higher end without the 2026 proposals, on the lower end with them)
6. Other TX format trimming – Less than 10% reduction (but applies to nearly every v5 transaction, so the savings are substantial over years/decades)
7. Unified bytecode length limits: saves ~40-75 bytes per 10,000 bytes (less than 1%, but reduces needless contract complexity)

Is the idea here to run some introspection opcodes to just copy stuff from some other input, thus avoiding the need to replicate common data across all inputs? Why did people of the past ever introduce this when they could have just prohibited OP_RETURN from appearing in unlocking bytecode?

Consider adding this to the roadmap, way for spenders to “buy” more bytes for the purpose of getting a bigger operation budget:

Same method could be used to add a byte to declare an input read-only. Speaking of which, read-only inputs would need a new set of introspection opcodes, right? Else they could be used to fool old contracts.

Also, I’d love it if we could reliably access mature headers (at greater security than SPV): something like <block_hash> OP_BLOCKHASHVERIFY that would pass only if referenced hash is 100 or more blocks deep, else fail the TX.

Yes, or any other computation that more efficiently produces a particular stack item than pushing the raw bytes (e.g. providing a number via squaring rather than directly pushing the product).

Initially, IIRC just uncertainty about whether similar vulnerabilities existed. And they were right to be careful: non-push unlocking operations always allow third-party malleability without some way to sign unlocking bytecode (like TXv5 detached signatures).

Yes, thank you! That’s definitely something that should at least be reviewed in the rationale (even if left to a separate upgrade). Could also be set as sequence number bit 24, input bitfield bit 4, and an additional compact Uint input field (like age lock, but the value wouldn’t be inspectable via sequence number, so would still need an introspection operation; if either 6 or 8 bits could be sufficient, encoding directly in the sequence number enables full backwards compatibility and saves the codepoint).

I hope we’ll also get a better understanding of any use cases and requirements here over the next 1-2 years.

I don’t think so:

• Existing UTXOs could only be referenced by a valid spend, so by definition, if you can reference a UTXO, you could have spent it in the same way.
• Existing UTXOs can’t be negatively affected by unintended references, as references are not even observable by simultaneous and later transactions.
• Any existing UTXOs inspecting for transfers of assets will simply fail if a read-only input fails to transfer an asset, just as it would fail if the transaction implicitly burned that asset (as mining fees for BCH, or simply burned for CashTokens).
• So concern falls only to intended-sibling UTXOs that check for spends of known UTXOs or token identities in sibling inputs: here again, if you’re able to successfully reference a pre-upgrade UTXO, you could have simply spent it. Additionally, if you’re not checking the actual outputs for an asset transfer, you’re already susceptible to malicious burning.

I’m interested in others’ reviews of this question, but so far I think it’s hard to contrive a scenario in which read-only inputs impact an existing use case. The proposed implementation is even consistent with the precedent from BIP68 by defining unused sequence number bits.

I think this can safely be a separate CHIP and forum topic, I don’t think there’s much interaction with transaction encoding.

If we relax input bytecode rules then any spender could add some <0x00...00> OP_DROP somewhere in unlocking bytecode to get more budget, even if not anticipated by the locking bytecode, so that could work - but it would spend bandwidth. However, some compression at transport layer could address that just as well.

Sure, just thought to add here considering you laid out a general roadmap in post I was replying to.