4

It is my understanding that taproot enables multiple spending conditions for an address, if this is correct, can I do something like this in Bitcoin?:

I send bitcoin to a taproot address where I want the spending conditions to be:

A) Spendable if you have the private key (me), OR: B) Spendable by anyone but only to a specific address, and only after 5 years. (For example to a deposit address of an exchange I use)

Michael Folkson
  • 14,337
  • 3
  • 11
  • 45
Fabian
  • 93
  • 1
  • 4

2 Answers2

9

Bitcoin Script has always had support for multiple spending conditions, see e.g. this overview of flow control operators. What taproot changes (amongst others) is that you can now construct a transaction such that when you spend the output, you only have to show the spending condition that you're actually using. The other conditions are not revealed (and thus don't take up any blockspace). "What is a Bitcoin Merklized Abstract Syntax Tree (MAST)?" goes into more detail on how this works.

Spendable by anyone but only to a specific address

Script does not currently support this type of introspection. Covenants have been an area of active debate recently and could add such functionality if and when consensus is reached. See e.g. "On a new community process to specify covenants" as a starting point for more research.

stickies-v
  • 540
  • 1
  • 10
3

As mentioned by stickies-v, covenants are currently not part of the Bitcoin protocol. However, that doesn't mean a construction like you want is impossible to achieve another way. Simply send your bitcoin to a single-key output (like P2WPKH or P2TR without a valid script path commitment), then pre-sign a transaction sending your coins to the target address, timelocked 5 years into the future, and publish it somewhere someone could be expected to grab it from and broadcast it 5 years later.

The publishing step might be tricky to do right as you need to consider long-term storage issues, but even if covenants were available in Bitcoin, you would have the exact same problem of having to publish the spending script and Merkle path for anyone to be able to spend the output.

Vojtěch Strnad
  • 5,623
  • 1
  • 8
  • 31
  • I could just publish the timelocked transaction in public right? In a tweet or in some forum post, then put it on archive.today and the wayback machine. If for whatever reason I lost my keys I just have to wait 5 years and then I can broadcast the transaction to get my coins back through the exchange, or am I missing something? – Fabian Aug 17 '22 at 15:29
  • Yes, if you're still around at that time and thus don't have to rely on anyone else to broadcast the transaction, it becomes a lot easier. I understood your words "spendable by anyone" as implying you yourself wouldn't need to take any action at that time. – Vojtěch Strnad Aug 17 '22 at 16:24
  • Perhaps make it clear in your answer that your covenant scheme requires the private key to be deleted so an alternative transaction can't be constructed – Michael Folkson Aug 30 '22 at 10:26
  • 1
    @MichaelFolkson: OP wants the coin to be spendable by the private key owner at any time (condition A), so it should not be deleted. The pre-signed transaction is simply a backup. – Vojtěch Strnad Aug 30 '22 at 16:08