Inside MAST: The Little-Known Plan to Advance Bitcoin Smart Contracts

Bitcoin could soon be endowed with a range of new technical improvements including greater smart-contract functionality.

Feb 7, 2017 at 2:00 p.m. UTC
Updated Dec 11, 2022 at 1:52 p.m. UTC

Despite being the largest and longest-running blockchain, bitcoin isn't exactly known for its programming features.

In an age when new blockchain projects continually promise bigger and better (and platforms like ethereum openly court more novice coders), bitcoin has even prized its simpler, safer construction. But that's not to say that work isn't ongoing to bring more advanced functionality to the network.

If and when a certain contentious code change called SegWit is deployed (and this remains an if), protocol developers say that it could pave the way for a range of new technical improvements. This includes the long-standing Merkelized Abstract Syntax Trees (MAST) upgrade, a concept packaged into an official proposal by Bitcoin Core developer Johnson Lau in early 2016.

Another new piece of cutting-edge cryptography, MAST doesn't enable new smart contracts per se, but by reducing the size of the data necessary for bitcoin scripts, it enables "complicated redemption conditions" that aren't currently viable partially because of space constraints.

Lau told CoinDesk:

"MAST makes complicated smart contracts become very small in size. This reduces demand on block space and improves privacy, as you only reveal a small part of the smart contract to the public blockchain, so it's more difficult to analyze."

On a more technical level, MAST could be described as an extension to Pay to Script Hash.

By using Merkle trees (the same data structure that stores transactions in bitcoin blocks), it enables a new way of embedding and processing scripts that offers more scalability and privacy.
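To make the Merkle-tree idea concrete, here is an added example (not code from Lau's proposal or from the original article) that commits to five spending conditions with a single root hash and then proves one of them. The leaf/node prefix bytes, the promotion of odd nodes and the placeholder branch strings are assumptions of this example, not the proposal's actual serialization.

```python
import hashlib

def h(data: bytes) -> bytes:
    # Double SHA-256, the hash bitcoin uses for its block Merkle trees.
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def leaf(script: bytes) -> bytes:
    return h(b"\x00" + script)      # prefix keeps leaves distinct from inner nodes

def node(left: bytes, right: bytes) -> bytes:
    return h(b"\x01" + left + right)

def build_levels(scripts):
    """Return every tree level, leaves first, root last."""
    level = [leaf(s) for s in scripts]
    levels = [level]
    while len(level) > 1:
        nxt = []
        for i in range(0, len(level), 2):
            if i + 1 < len(level):
                nxt.append(node(level[i], level[i + 1]))
            else:
                nxt.append(level[i])   # odd node is promoted, not duplicated
        level = nxt
        levels.append(level)
    return levels

def prove(levels, index):
    """Merkle path for leaf `index`: list of (sibling_hash, sibling_is_left)."""
    path = []
    for level in levels[:-1]:
        sib = index ^ 1
        if sib < len(level):
            path.append((level[sib], sib < index))
        index //= 2
    return path

def verify(root, script, path):
    """Validator side: rehash the one revealed branch up to the committed root."""
    acc = leaf(script)
    for sibling, is_left in path:
        acc = node(sibling, acc) if is_left else node(acc, sibling)
    return acc == root

# Constructed redemption conditions (readable placeholders, not real bitcoin scripts).
BRANCHES = [b"2-of-3 multisig", b"after 30 days: key A", b"after 90 days: key B",
            b"hash preimage + key C", b"emergency recovery key"]
LEVELS = build_levels(BRANCHES)
ROOT = LEVELS[-1][0]               # the only value committed when funds are locked
PROOF = prove(LEVELS, 1)           # spender reveals branch 1 plus this path
```

Spending through branch 1 reveals that one script and three 32-byte hashes; the other four conditions never appear on the blockchain, which is where the size and privacy gains come from.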

It sounds technical (and perhaps like a minor change), but many bitcoin developers are excited by the potential because they believe it expands bitcoin’s ability to be used as "programmable money".

Smart contract confusion

Stepping back for a minute, a 'smart contract' is a term that refers to a snippet of code that enforces rules on its own, without leaning on an intermediary to interpret the rules and settle disputes when they arise.

Although the tendency is to think of smart contracts as more complex programs, every bitcoin payment uses one. Unless the sender provides the right digital signature (proving that he or she is the owner), the network won’t transfer the bitcoin.

Yet, as mentioned, that definition might sound underwhelming in the context of ethereum, the alternative blockchain applications platform that allows developers to create virtually any kind of smart contract.

Lau noted as much. "For smart contracts to be really ‘smart’, it should allow people doing something more than simple payment," he said.

It's worth noting, too, that bitcoin’s scripting language previously supported more complex types of smart contracts.

However, the digital currency’s still-pseudonymous creator Satoshi Nakamoto had to rip many of them out back in 2010 when he or she realized that there were bugs that malicious actors could use to clog the network with spam. It's taken a while to build that functionality back up.

With this in mind, Lau has put together another bitcoin proposal for a bundle of new 'opcodes' (enabling new smart contracts), many of which have been brought back in a testing environment, saying these would likely be rolled out in tandem with MAST.

He added that his proposal could further reinstate some that were torn out seven years ago.

Once the time comes, though, Lau noted that he doesn’t expect all of the opcodes proposed in the BIP (bitcoin improvement proposal) to be accepted. "Even only a few (eg OP_CAT or OP_XOR) would enable things that are not possible today," he said.

And, again, these would be bundled with MAST.

New bitcoin uses

There are also practical uses for these features, and Lau pointed to a couple of use cases for MAST combined with the new opcodes.

One is a betting scheme "without any trust needed", he said. His example implementation uses the proposed opcodes OP_XOR and OP_RSHIFT, but he noted that there are other script combinations called 'covenants' that accomplish the same thing.

These restrict how users can use funds, and are "frequently requested", according to Lau.

Blockstream unveiled last year that it has been experimenting with covenants on a test sidechain – a blockchain with a different rule system that is pegged to bitcoin.

The idea is to give users more control over their bitcoin, even if it’s stolen. Say you want to send your bitcoin to an exchange, but you’re worried about the exchange losing funds, as happened with Mt Gox.

Using a construction called a 'vault', perhaps the best-known example of a covenant, users can send their bitcoin to a new address along with a certain type of script. Effectively, that script has the power to suck your bitcoin back in the case of a Mt Gox-style hack.

This construction would require the new opcodes OP_CAT and OP_CHECKSIGFROMSTACK.

It’s worth noting, though, that some developers are skeptical that vaults would work, and think that protecting funds would be better achieved by other means.

That said, there are many types of covenants. Co-founder of MIT Digital Currency Initiative Jeremy Rubin described a variety of other examples in a presentation at the Stanford blockchain security conference last week.

And, there are other miscellaneous ideas of how MAST might be used (which seem to pop up randomly and often when chatting with bitcoin developers).

Lightning Labs engineer Olaoluwa Osuntokun, who also presented at Stanford, mentioned that MAST could even improve the Lightning Network.

This top-layer network, aimed to boost bitcoin capacity, needs someone to monitor the channel used to connect parties in the transaction in case one tries to cheat. MAST could help with outsourcing this need to a third party, as it reduces the storage space required to do so.

Small steps

Beyond MAST and the opcodes bundled with it, there are other smart contract ideas floating around.

At least two groups are working on opcodes that would alter bitcoin to add sidechains functionality, mentioned earlier. However, like many other features, SegWit would make it easier, because it rolls out a new way of making big consensus changes.

Lightning Network co-creator Joseph Poon mentioned in a recent presentation that his proposed implementation will use an interesting system of smart contracts emerging from a few opcodes that are in bitcoin already.

As for MAST, R&D is ongoing. In conversation with CoinDesk, Rubin noted that he’s been thinking through a new, potentially better way of implementing the same thing. But, for the time being, the contentious code change SegWit seems to be the main obstacle.

Yet, even if the consensus change isn’t activated in the next eight months, Lau noted that there is another "less elegant" way of bypassing the transaction malleability problem and thus adding support for MAST – a move that could help place bitcoin back in the broader smart contracts conversation.

Telecoms masts image via Shutterstock

