• The Cryptographic Machinery
• How the Flow Works
• What Security Depends On
• What PIPEs v2 Can Actually Enforce
• Where It Fits
• Comparison to Other Paths
• Why PIPEs v2 Matters

Bitcoin can already enforce whatever its existing Script system can express, and the covenant debate persists because many of the conditions people want to impose concern future spending behavior or off-chain facts that Bitcoin does not natively know how to check. If you want an output that can move only after a proof verifies or a recovery condition is satisfied, today’s options usually fall into one of two camps. You can push for new opcodes that let Script say more, or you can wrap the existing chain in an optimistic protocol that relies on challengers and time windows spread across multiple transactions. PIPEs v2 proposes a third route, and its central move is easy to state even if the machinery behind it is not: do not teach Bitcoin to verify the condition, make it impossible to produce the required signature until the condition holds.

In an ordinary Bitcoin output, the private key already exists and the whole security question is who controls it. In PIPEs v2, the usable signing secret is hidden behind a witness-encrypting ciphertext bound to some statement. The chain still sees an ordinary public key. Spending still looks like an ordinary Schnorr signature. The novelty lies in the claim that the private key cannot be recovered by anyone unless they know a witness for the chosen condition. A successful spend therefore signals that the condition was satisfied, even though the chain never checked the condition itself.

The paper frames this idea through what it calls a witness signature. The phrase sounds exotic, yet the intuition is direct. Take a statement that has the form, “there exists some witness w such that verification accepts.” That witness might be a zero-knowledge proof for a published instance or a recovery secret satisfying a hash relation. More generally, it can be any object whose validity can be checked quickly once presented. Witness encryption lets you publish a ciphertext that any observer can see but only someone holding a valid witness can decrypt. PIPEs v2 uses that primitive in the most literal possible way: the plaintext inside the ciphertext is the signing material for the Bitcoin output, or an equivalent secret that reveals it.

Schnorr stays simple in this design. Bitcoin is not learning a new rule. Bitcoin is doing what it already does under BIP 340: it checks that a Schnorr signature verifies under a public key. PIPEs v2 leaves that part untouched. The burden of enforcement shifts off-chain, where the cryptography governing key recovery decides whether a valid signature can ever come into existence. The proposal therefore buys expressive authorization conditions while paying with a very different kind of complexity.

§The Cryptographic Machinery

Witness encryption is the decisive primitive because it turns a hard relation into a decryption gate. In the current PIPEs v2 discussion, the construction comes from the recent AADP line of witness encryption. The internal details involve structured matrices and determinant computations produced by nontrivial reductions that are far removed from ordinary Bitcoin engineering. For the architectural argument, only one property matters: if you know a valid witness, decryption is possible; without one, the ciphertext should reveal nothing useful, so the witness never persuades Bitcoin directly and only reveals the secret that can.

If one operator generated the signing key in the usual way, that operator could spend immediately and the whole scheme would collapse. PIPEs v2 therefore leans on distributed setup. A committee jointly generates the Schnorr keypair so that the public key can be published on-chain while the secret key stays unavailable to any single participant during setup. The witness-encrypted ciphertext is then created and bound to the exact public key and statement instance. These schemes rely on committee honesty properties and correct setup behavior. The trust surface sits at setup.

Hashes and commitments do quieter but equally necessary work. They bind the ciphertext to the exact statement and public key so the encrypted secret authorizes only this spend. Without those bindings, an attacker could try to transplant ciphertext material between contexts or exploit ambiguity in what the encrypted secret actually authorizes. Much of the protocol engineering lives in these bindings, because the high-level idea is elegant and the low-level implementation is where thefts happen.

§How the Flow Works

The protocol begins off-chain. A committee runs distributed key generation and obtains a Bitcoin Schnorr public key together with secret signing material that no one party should know outright. The application designer also fixes the relation to be enforced and the concrete instance for this output. If the use case is proof-gated release, the instance might be a verification key, public inputs, and a commitment to the proof system being checked. If the use case is a recovery path, the instance might be a recovery relation encoded as a circuit.

Next comes the expensive step. The protocol produces a witness-encrypting ciphertext tied to that instance and containing the signing material. The corresponding public key is placed in a normal Bitcoin output. On-chain, nothing reveals that the output is special. It looks like a standard key spend waiting for a standard Schnorr signature.

Unlocking happens entirely off-chain until the last moment. Whoever learns a valid witness for the chosen relation runs the witness-decryption procedure on the ciphertext. If the witness is valid, the ciphertext yields the hidden signing secret. That party can then construct an ordinary Bitcoin spending transaction and sign it under the public key already committed on-chain. Once the transaction reaches Bitcoin, validation is immediate because Bitcoin only checks the Schnorr signature. There is no extra opcode and no proof verification inside Script. The challenge game never reaches the spend itself.

Many Bitcoin constructions achieve expressive behavior by spreading the logic across multiple transactions with delays and monitoring requirements. PIPEs v2 compresses the authorization boundary into one binary fact: either the signing secret becomes available and the spend can happen, or it never does.

§What Security Depends On

“No soft fork required” hides the cost. The trust and security burden moves off-chain. The first assumption is witness encryption itself. If the AADP construction or its concrete encoding leaks the secret without a real witness, the scheme fails at once. Witness encryption is the sharpest edge in the design because it remains far more exotic than signatures and hashes, and stranger to most Bitcoin engineers than the proof systems they already discuss today.

The second assumption is setup integrity. Distributed key generation has to ensure that no participant can walk away with the signing secret before the witness condition is met. Descriptions of PIPEs v2 often phrase this as a one-of-n committee honesty assumption, meaning at least one participant must follow the setup correctly. Committee honesty remains a meaningful trust assumption, and anyone comparing PIPEs v2 with native covenant opcodes should keep it in view.

The third assumption is ordinary signature security, which is the least controversial part of the picture. If Schnorr itself becomes forgeable, every Taproot key spend has bigger problems than PIPEs. More interesting are the binding assumptions around commitments and statement encoding. A ciphertext must authorize this exact output under this exact condition. A loose binding can turn a clever construction into an expensive theft vector.

Then there is the liveness assumption hidden inside performance. A condition that is theoretically decryptable but economically or operationally impossible to recover in time may still be useless. The current published estimates are best read with caution. Primary sources around PIPEs v2 discuss ciphertext sizes around 330 terabytes, determinant computations spread across roughly fifty large machines, and cloud costs around one to two hundred dollars for a single execution, all coming from author estimates without independent benchmarks. Discussions of future reductions toward roughly 100 gigabytes exist, but those numbers are aspirational in the material currently available. The basic on-chain cost is tiny. The off-chain bill is enormous.

§What PIPEs v2 Can Actually Enforce

The term covenant carries more baggage than the construction can bear. PIPEs v2 enforces a binary authorization condition. Funds become spendable if the witness exists and remain unspendable if it does not. Proof-gated release fits that model well, yet the construction is narrower than the richer covenant proposals that directly constrain transaction structure.

Once the secret key is recovered, the spender holds ordinary signing power over the output. Bitcoin sees an ordinary key spend. The construction therefore does not, by itself, force the post-recovery transaction to send coins to a prescribed script, maintain a fee rule, preserve a template, or obey some recursively constrained tree of descendants. Anyone calling PIPEs v2 a full covenant system is stretching the phrase beyond its useful meaning. Binary covenant is the more accurate description.

The limitation follows directly from the design choice. PIPEs v2 relocates enforcement to key availability, and key availability answers one question only: may a valid signature exist?

§Where It Fits

The narrow scope still leaves room for serious applications. A vault can use PIPEs v2 for an escape path that activates only when a recovery witness is available. A bridge or rollup design can use it to gate finalization on a proof verifying for a published instance. An optimistic protocol can compress part of its dispute logic into a condition on key release, so the final on-chain effect becomes one ordinary spend whose existence tells observers that the off-chain condition was met.

BitVM is the natural comparison. It keeps Bitcoin verification inside an optimistic game: a prover makes a claim and watchers challenge bad behavior as the protocol moves through its dispute path. PIPEs v2 aims at a different compression. The watcher logic moves off the spend path, and the decisive event becomes witness discovery plus key recovery. If that works, the chain sees only the ending.

PIPEs v2 also fits zero-knowledge gated releases. Bitcoin never has to verify the proof system used elsewhere. The off-chain world only needs a relation whose witness can be encoded into the witness-encryption instance. That opens the door to proof systems or application logic that Bitcoin Script could never hope to express directly.

§Comparison to Other Paths

Compared with native covenant proposals such as CTV, TXHASH-style ideas, CSFS, or OP_VAULT, PIPEs v2 is economically inverted. Opcode-based covenants would put the complexity into consensus design and soft fork politics, then let every node enforce compact rules with cheap validation. PIPEs v2 avoids consensus change and pays for that avoidance with setup assumptions plus huge off-chain cryptographic state. If the goal is broad, cheap, expressive covenant functionality across everyday transactions, native opcodes still look like the cleaner engineering path.

Compared with BitVM fraud proofs and garbled-circuit systems, PIPEs v2 exchanges interactivity for cryptographic heaviness. BitVM asks participants to stay online and push disputes through challenge windows. PIPEs v2 offers a more final-looking spend path because the chain only sees the ordinary signature. The price is a witness-encryption artifact that currently lives at absurd scale. BitVM’s burden is procedural. PIPEs v2’s burden is computational.

Compared with pre-signed transaction trees, which already power practical vault ideas and channel constructions, PIPEs v2 is less rigid at the authorization boundary and weaker at output control. Pre-signing works with familiar assumptions and small artifacts, but every branch has to be prepared in advance and policy changes can become operationally awkward. PIPEs v2 can wait for a witness discovered later in time, which is a real gain. After key recovery, it stops constraining the transaction in the way a pre-signed tree can.

The simplest alternative is trusted humans holding a threshold key and deciding when to sign. In many deployments that option remains more practical today. PIPEs v2 replaces committee discretion with a cryptographic gate. That trade looks best in applications that need cryptographic gating badly enough to justify the cost and the remaining faith placed in witness encryption.

§Why PIPEs v2 Matters

PIPEs v2 enlarges Bitcoin’s design vocabulary because it shows that spending conditions need not live entirely inside Script. They can live upstream of Script, inside the question of whether a usable signing key can ever be obtained. The proposal’s real achievement is conceptual. Native opcodes remain the direct answer for cheap, expressive covenants. Optimistic systems remain the answer for many constructions available under today’s assumptions. PIPEs v2 occupies a narrower territory where single-transaction proof-gated authorization is valuable enough to justify a mountain of off-chain cryptography.

The future of witness encryption will decide whether that territory grows. If the primitive gets smaller and better understood, PIPEs v2 could become a practical tool for a narrow class of high-value contracts. If it does not, the proposal will still have done something useful. It showed that control over spendability can be pushed one layer deeper than most Bitcoin discussions assume, into the problem of key availability itself.