由 Kyrian Alexstaff 作家撰写 由 Korbinian Kettnakerstaff 编辑审阅 由凯里安·亚历克斯斯塔夫 作家 撰写 由 Korbinian Kettnakerstaff 编辑审阅 研究发表于 2026 年 7 月 7 日 APO 让比特币签名授权任何兼容的 UTXO,而不是一个固定的出点。它允许针对闪电网络、保险库和第 2 层协议进行可重新绑定的预签名交易,而无需新的密钥管理开销。 这是 Cointelegraph Research 有关比特币契约的技术文章系列的第 3 部分。要阅读上一篇文章,请点击此处。 BIP 118 中提出的 SIGHASH_ANYPREVOUT 建立在 Joseph Poon 和 Thaddeus Dryja 2015 年闪电网络论文中提到的早期 SIGHASH_NOINPUT 概念的基础上,后来由 Joseph Poon 于 2016 年 2 月在比特币开发邮件列表上正式提出。
SIGHASH_ANYPREVOUT 不是一个新的操作码,而是 SIGHASH 标志的提议新值,旨在作为比特币的软分叉升级进行部署。 SIGHASH 标志附加到签名后,确定交易的哪些部分已签名并将由 CHECKSIG 操作码检查。所选标志由签名者选择,而不是由 scriptPubKey 强制执行。由于与软分叉中的可升级性相关的技术细节,SIGHASH_ANYPREVOUT 提案仅扩展到来自主根地址的支出。
多种标准 SIGHASH 模式已经存在,如图 1 所示。如果标志设置为 SIGHASH_ALL,则签名必须覆盖所有输入、所有输出以及所花费的特定输出点,从而以加密方式将授权绑定到该确切的 UTXO。出点是交易 ID 和输出索引的组合,它们共同唯一地标识交易正在消耗哪个 UTXO。使用 SIGHASH_NONE,仅需要对输入进行签名,而输出不受约束。 SIGHASH_SINGLE 变体对所有输入进行签名,但仅对与被签名的输入具有相同索引的输出进行签名。 ANYONECANPAY 修饰符允许单个输入独立于其他输入进行签名,从而引入了进一步的灵活性。至关重要的是,这些现有模式都不允许签名省略对出点的承诺。 SIGHASH_ANYPREVOUT 删除了该限制。
BIP-118 定义了两个 ANYPREVOUT 变体,它们在摘要中省略了多少先前输出,如图 2 所示。在 SIGHASH_ANYPREVOUT 下,输出点从摘要中排除,但签名仍然提交先前输出的 amount 和 scriptPubKey,以及输入的 nSequence。在 SIGHASH_ANYPREVOUTANYSCRIPT 下,金额和 scriptPubKey 也被排除,这意味着签名根本不绑定到已用输出的锁定脚本。所有其他承诺均遵循标准 Taproot 签名消息构造,并取决于所选的基本标志,例如 SIGHASH_ALL 或 SIGHASH_SINGLE。
由于摘要中省略了输出点,因此相同的签名可以授权花费任何满足剩余提交字段的兼容 UTXO。例如,使用 ANYPREVOUT | 预签名的交易如果同一地址后来收到另一个 0.5 BTC 的 UTXO,即使用于创建原始签名的私钥不再可用,产生 0.5 BTC 输出的 ALL 也可以重复使用。然而,如果新的 UTXO 持有超过 0.5 BTC,那么多余的部分将被矿工损失,除非原始签名包含找零输出。这一重新绑定属性使得 ANYPREVOUT 对于第 2 层协议非常有用,其中相同的预签名交易必须应用于多个可能的链上 UTXO,而不需要为每个协议都提供新签名。 对于类似契约的应用程序,ANYPREVOUT 变体保留对先前输出的 scriptPubKey 的承诺,并且通常是最相关的。它们允许在兼容的 UTXO 之间重复使用签名,同时确保资金仍然绑定到相同的锁定脚本。 ANYPREVOUTANYSCRIPT 完全删除了这种绑定,因此不太适合契约式应用程序。
与 OP_CTV 类似,SIGHASH_ANYPREVOUT 改进了通过预签名事务已经可以实现的逻辑,但其本身并不能实现递归契约或事务自省。相反,它放松了签名和特定 UTXO 之间的绑定,允许签名在多个兼容的 UTXO 之间重用。 一些研究还指出,删除出点承诺使得恢复密钥构造成为可能——也就是说,可以从固定签名和消息对派生出公钥,从而证明任何人都不知道相应的私钥,从而使 UTXO 的密钥路径证明是不可花费的,并强制通过脚本路径进行任何支出。它将避免对临时密钥的需要,否则需要临时密钥来使密钥路径在依赖于仅脚本路径强制执行的构造中变得不可使用。这一观察结果出现在 Jacob Swambo 等人的《比特币契约:控制未来的三种方法》中。 (2020),尽管它仍然是一个理论构建,而不是 BIP-118 中提出的设计。
与 SIGHASH_ANYPREVOUT 签名相关的主要风险是签名重放。由于这些签名不会提交到特定的出点,因此只要新的 UTXO 满足剩余的提交字段,相同的签名就可以用于花费与最初预期不同的 UTXO。这种风险在特定配置中变得更加明显:当 ANYPREVOUT |使用SINGLE,可以重新排列输出数量;当存在具有相同 scriptPubKey 和金额的单独 UTXO 时,在 ANYPREVOUT 的情况下;当相同的公钥出现在兼容脚本中时,在 ANYPREVOUTANYSCRIPT 的情况下;或者当矿工可以影响交易排序和包含以利用这些条件时。然而,这些场景需要故意误用或者用户或开发人员在协议设计期间未能考虑重放条件。 在我们接下来的
Written by Kyrian Alexstaff writerReviewed by Korbinian Kettnakerstaff editor
Written by Kyrian Alexstaff writer
Reviewed by Korbinian Kettnakerstaff editor
ResearchPublishedJul 7, 2026
APO lets a Bitcoin signature authorize any compatible UTXO rather than one fixed outpoint. It allows for rebindable pre-signed transactions for Lightning, vaults, and layer-2 protocols without new key management overhead.
This is Part 3 in the technical article series about Bitcoin covenants by Cointelegraph Research. To read the previous article click here.
SIGHASH_ANYPREVOUT, as proposed in BIP 118, builds on the earlier SIGHASH_NOINPUT concept mentioned in the 2015 Lightning Network paper by Joseph Poon and Thaddeus Dryja, and later formally proposed by Joseph Poon on the bitcoin-dev mailing list in February 2016.
SIGHASH_ANYPREVOUT is not a new opcode but a proposed new value for the SIGHASH flag, designed to be deployed as a soft-fork upgrade to Bitcoin. The SIGHASH flag is appended to a signature and determines which parts of a transaction are signed and will be checked by the CHECKSIG opcode. The selected flag is chosen by the signer, not enforced by the scriptPubKey. Due to the technical details related to upgradability in a softfork, the SIGHASH_ANYPREVOUT proposal only extends to spends from taproot addresses.
A variety of standard SIGHASH modes already exist, as illustrated in Figure 1. If the flag is set to SIGHASH_ALL, the signature must cover all inputs, all outputs, and the specific outpoint being spent, thus cryptographically binding the authorization to that exact UTXO. An outpoint is the combination of a transaction ID and an output index that together uniquely identify which UTXO a transaction is consuming. With SIGHASH_NONE, only the inputs need to be signed, leaving the outputs unconstrained. The SIGHASH_SINGLE variant signs all inputs, but only the output at the same index as the input being signed. The ANYONECANPAY modifier introduces further flexibility by allowing a single input to be signed independently of the others. Crucially, none of these existing modes allows a signature to omit commitment to the outpoint. That restriction is what SIGHASH_ANYPREVOUT removes.
BIP-118 defines two ANYPREVOUT variants that differ in how much of the previous output they omit from the digest, summarised in Figure 2. Under SIGHASH_ANYPREVOUT, the outpoint is excluded from the digest, but the signature still commits to the amount and scriptPubKey of the previous output, as well as the input's nSequence. Under SIGHASH_ANYPREVOUTANYSCRIPT, the amount and scriptPubKey are also excluded, meaning the signature is not bound to the locking script of the spent output at all. All other commitments follow the standard Taproot signature message construction and depend on the selected base flag, such as SIGHASH_ALL or SIGHASH_SINGLE.
Because the outpoint is omitted from the digest, the same signature can authorize spending any compatible UTXO that satisfies the remaining committed fields. For example, a transaction pre-signed with ANYPREVOUT | ALL to produce a 0.5 BTC output can be reused if the same address later receives another UTXO of 0.5 BTC, even if the private key used to create the original signature is no longer available. If the new UTXO holds more than 0.5 BTC, however, the excess will be lost to miners unless the original signature included a change output. This rebinding property is what makes ANYPREVOUT useful for layer-2 protocols, where the same pre-signed transaction must apply to multiple possible on-chain UTXOs without requiring new signatures for each one.
For covenant-like applications, the ANYPREVOUT variants preserve commitment to the scriptPubKey of the previous output, and are typically the most relevant. They allow signatures to be reused across compatible UTXOs while ensuring funds remain bound to the same locking script. ANYPREVOUTANYSCRIPT removes this binding entirely and is therefore less suited to covenant-style applications.
Similar to OP_CTV, SIGHASH_ANYPREVOUT improves on the logic already achievable with pre-signed transactions but does not by itself enable recursive covenants or transaction introspection. Instead, it relaxes the binding between a signature and a specific UTXO, allowing a signature to be reused across multiple compatible UTXOs.
Some research has also noted that removing the outpoint commitment makes recovered-key constructions possible — that is, a public key can be derived from a fixed signature and message pair such that the corresponding private key is provably unknown to anyone, making the UTXO's key path provably unspendable and forcing any spend through the script path. It would avoid the need for temporary keys, which are otherwise required to make the key path unspendable in constructions that rely on script-path-only enforcement. This observation appears in Bitcoin Covenants: Three Ways to Control the Future by Jacob Swambo et al. (2020), although it remains a theoretical construction rather than a design proposed in BIP-118.
The primary risk associated with SIGHASH_ANYPREVOUT signatures is signature replay. Because these signatures do not commit to a specific outpoint, the same signature can be used to spend a different UTXO than the one originally intended, provided the new UTXO satisfies the remaining committed fields. This risk becomes more pronounced in specific configurations: when ANYPREVOUT | SINGLE is used and output amounts can be rearranged; when a separate UTXO exists with the same scriptPubKey and amount, in the case of ANYPREVOUT; when the same public key appears in a compatible script, in the case of ANYPREVOUTANYSCRIPT; or when a miner can influence transaction ordering and inclusion to exploit these conditions. However, these scenarios require either deliberate misuse or a failure of the user or developer to account for replay conditions during protocol design.
In our next article we will commence our discussion of Opcodes that serve as supporting tools. These extend the expressiveness of Bitcoin script or data handling but do not implement covenant functionality unless combined with other opcodes. In this next category, we will discuss OP_CHECKSIGFROMSTACK and OP_CAT.
Bitcoin Core
Bitcoin
More on the subject
Bitcoin bulls battle for $63K as Micron stock eyes 10% drop in US chip sell-off
19 minutes ago
William Suberg
Has Bitcoin bottomed for this cycle? Analysts say 'not yet'
2 hours ago
Christina Comben
Digital Chamber amicus brief urges dismissal of NY lawsuit over 39,069 Bitcoin wallets
6 hours ago
Zoltan Vardai
Bitcoin bulls battle for $63K as Micron stock eyes 10% drop in US chip sell-off
19 minutes ago
William Suberg
Has Bitcoin bottomed for this cycle? Analysts say 'not yet'
2 hours ago
Christina Comben
Digital Chamber amicus brief urges dismissal of NY lawsuit over 39,069 Bitcoin wallets
6 hours ago
Zoltan Vardai