Bitcoin Covenants: Three Ways to Control the Future

A bitcoin covenant is a mechanism to enforce conditions on how the control of coins will be transferred in the future. This work introduces deleted-key covenants; using pre-signed transactions with secure key deletion. With this, a general class of covenants are possible without introducing new security risks to bitcoin. There is a range of security models for the key deletion process, but this is subject to a security-convenience trade-off and requires interactivity in a multi-party context. On the other hand, this work makes a compelling case for what can be gained through a soft-fork upgrade to the signature hash system [Dec17] which enables recovered-key covenants through elliptic curve key recovery. This has similar properties to script-based covenant mechanisms proposed previously [Rub20]. Key factors are discussed and compared for the three covenant mechanisms, including; the enforcement process, methods for proving accessibility of funds and whether or not they are bound by a covenant, methods for dynamic fee allocation, the underlying cryptographic assumptions, and their feasibility in single-party, hierarchical and adversarial multi-party contexts. Despite the relative downsides of deleted-key covenants, they are a practical tool for custody protocol design. The comparison shows precisely how soft-fork proposals improve the practicality of bitcoin covenants, through non-interactive enforcement and tighter cryptographic assumptions, to enhance custody protocols and enable some adversarial applications such as payment protocols.