The Future of Disabled Opcodes - OP_CAT Revival Debate
10. The Future of Disabled Opcodes — OP_CAT Revival Debate
Overview
No discussion of Bitcoin's disabled opcodes is complete without examining the ongoing, heated, and technically rich debate about restoring them — particularly OP_CAT. As of 2024-2025, OP_CAT re-enablement in Tapscript (BIP-347) is one of the most actively discussed Bitcoin protocol proposals, with advocates from cryptography, Layer 2 development, and smart contract communities, and skeptics from the Bitcoin conservatism camp.
Why OP_CAT First?
Of all the disabled opcodes, OP_CAT generates the most interest because it unlocks the greatest range of capabilities relative to its simplicity. It is one opcode with a clear, unambiguous definition (concatenate two byte arrays), a well-understood mitigation for its original risk (520-byte cap), and enormous downstream implications:
OP_CAT enables:
1. Covenants (constraining future spending conditions)
2. Merkle proof verification (trustless SPV)
3. Schnorr signature introspection (Lamport-style sigs, vault enforcement)
4. ZK proof verification infrastructure
5. Cross-chain bridges without custodians
6. Tree signatures and advanced multisig constructions
7. Recursive covenants (vaults with "only send here" rules)
BIP-347: OP_CAT in Tapscript
BIP-347 proposes re-enabling OP_CAT exclusively within Tapscript (the new Script version introduced by Taproot, BIP-342). This is significant because Tapscript has version semantics — future versions can add new opcodes via soft fork without affecting existing script types.
BIP-347 specification:
Opcode: OP_CAT (0x7E)
Available in: Tapscript (leaf version 0xC0 and future versions)
NOT available in: legacy Script, P2SH, SegWit v0
Behavior:
1. Pop item_B from stack
2. Pop item_A from stack
3. Check: len(item_A) + len(item_B) <= 520
If exceeds 520 bytes → SCRIPT_ERR_INVALID_STACK_OPERATION
4. Push item_A || item_B
The 520-byte limit:
This matches the existing MAX_SCRIPT_ELEMENT_SIZE limit.
Any OP_CAT result respects the same size constraint as any push.
The exponential doubling attack is bounded:
Start: 1 byte
After 9 doublings: 512 bytes (within limit)
After 10 doublings: 1024 bytes → FAILS at OP_CAT
The attack terminates naturally before memory becomes a concern.
The OP_CAT Covenant Construction
The most powerful use case for OP_CAT is enabling covenants — conditions that constrain not just who can spend a UTXO, but where the funds must go when spent. This is transformative for Bitcoin smart contracts.
A covenant using OP_CAT leverages a clever trick with Schnorr signatures:
Schnorr signature structure (64 bytes for SIGHASH_ALL):
sig = r || s
Where r is 32 bytes (nonce point x-coordinate)
s is 32 bytes (signature scalar)
Trick: OP_CAT + OP_CHECKSIG covenant
Script:
<fixed_r_value_32_bytes>
OP_SWAP OP_CAT
OP_CHECKSIG
When spending:
Witness provides: <s_value>
Script constructs: <fixed_r> || <s_value> = 64-byte Schnorr sig
OP_CHECKSIG verifies the concatenated signature
Effect: The r-value is FIXED by the script.
A Schnorr signature is valid only when r matches the nonce used during signing.
Fixing r forces the signer to use a specific nonce — and specific nonces
bind signatures to specific transaction data (sighash), enabling covenant behavior.
Combined with SIGHASH modes and careful key derivation,
this allows scripts that enforce "this UTXO can only be spent to <specific output>."
Merkle Proof Verification with OP_CAT
OP_CAT enables Bitcoin Script to verify Merkle inclusion proofs, which is the foundation of SPV (Simplified Payment Verification) — the ability to prove a transaction exists in a Bitcoin block without downloading the full block:
Merkle proof verification script:
Input: <leaf_hash> <proof_siblings_1..n> <root>
Verification loop (unrolled for a 3-level tree):
<leaf_hash> <sibling_1> OP_CAT OP_SHA256 → <level1_hash>
<level1_hash> <sibling_2> OP_CAT OP_SHA256 → <level2_hash>
<level2_hash> <sibling_3> OP_CAT OP_SHA256 → <computed_root>
<expected_root> OP_EQUAL
Note: Real Merkle verification requires knowing left/right ordering,
handled by providing pre-sorted pairs or ordering flags.
OP_CAT + OP_IF can handle this.
Applications:
- Bitcoin → Ethereum bridge (prove a Bitcoin tx to an Ethereum contract)
- Ethereum → Bitcoin bridge (prove to a Bitcoin UTXO that a condition on ETH was met)
- Cross-chain atomic swaps with on-chain proof of payment
- Lightning Network watchtower constructions
The Lamport Signature Scheme (Quantum Resistance)
One remarkable application of OP_CAT is enabling Lamport signatures in Bitcoin Script — a hash-based signature scheme that is believed to be quantum-resistant:
Lamport signature concept:
Private key: 256 pairs of 256-bit random numbers (for SHA256 output)
Public key: SHA256 of each private key half
Signing: For each bit of message hash:
If bit is 0: reveal private_key[i][0]
If bit is 1: reveal private_key[i][1]
Verification: Hash each revealed value, check against public key
OP_CAT enables Lamport verification in Script:
For each of the 256 bits:
<preimage> OP_SHA256 → <hash>
<expected_hash> OP_EQUAL → verify one bit's signature
OP_CAT is needed to assemble intermediate values
and to reconstruct the signed message hash from revealed preimages.
This creates Bitcoin transactions that are valid even if ECDSA/Schnorr
are broken by quantum computers — purely hash-based security.
Opposition Arguments
Not everyone in the Bitcoin community supports re-enabling OP_CAT. The skeptical arguments are serious and deserve treatment:
Argument 1: Covenants threaten fungibility
Concern: If UTXOs can be marked "only spendable to addresses X, Y, Z,"
then some bitcoins become "restricted" and others "unrestricted."
This could create a two-tier Bitcoin where "clean" coins (no covenants)
trade at a premium over "restricted" coins.
Counter: Covenants are opt-in. Nobody forces anyone to create
covenant-constrained UTXOs. The fungibility concern applies to
any identifiable Bitcoin (which already exists via chain analysis).
Argument 2: Recursive covenants could trap funds forever
Concern: Recursive covenants (covenants whose spending conditions
require the output to also have the same covenant) could create
UTXOs that are permanently unspendable or permanently restricted.
Example:
UTXO with covenant: "Can only be spent to another UTXO with this same covenant"
This creates a permanent recursive trap — the coins can never
leave the covenant's constraints.
Counter: Opt-in again. Also, vaults WANT this behavior (coins can
only ever leave via approved withdrawal path). The "trap" is a feature
for self-custody security, not a bug.
Argument 3: Complexity and attack surface
Concern: Every new opcode adds complexity to the consensus rules.
More complexity = more attack surface = more potential bugs.
Bitcoin's conservatism has served it well for 15 years.
Counter: OP_CAT is a single, well-specified operation.
Its semantics are completely understood. The risk is lower
than adding complex new opcodes with multiple parameters.
The 520-byte cap handles the only known attack vector.
Argument 4: We should wait for more research
Concern: OP_CAT might enable constructions we haven't fully thought through.
Unexpected interactions with future opcodes could create problems.
The safe move is to study it more before deploying.
Counter: OP_CAT has been studied since 2010. Elements/Liquid has run it
in production for years. The research is in — it's time to act.
Other Disabled Opcodes — Revival Prospects
OP_CAT (BIP-347): HIGH likelihood of re-enablement
Active BIP, implementation exists, widespread interest
OP_SUBSTR / OP_LEFT / OP_RIGHT:
MODERATE — less urgent given OP_CAT
Could be specified with size limits like OP_CAT
Less community momentum currently
OP_AND / OP_OR / OP_XOR:
LOW-MODERATE — useful but not critical
Elements/Liquid has enabled them with equal-length rules
Bitcoin mainnet discussion is minimal
OP_INVERT: LOW — limited compelling use cases articulated
Could be done but not a priority
OP_MUL / OP_DIV / OP_MOD:
MODERATE — useful for arithmetic
OP_DIV and OP_MOD especially useful for Script math
Some BIPs have proposed these
OP_LSHIFT / OP_RSHIFT: LOW — niche use cases
Bitshift without clean-up logic is messy in Script
The Elements/Liquid Precedent
The Liquid Network (a Bitcoin sidechain by Blockstream) has re-enabled several of Bitcoin's disabled opcodes, providing real-world production data:
Elements/Liquid re-enabled opcodes:
OP_CAT (with 520-byte limit)
OP_SUBSTR (with bounds checking)
OP_LEFT (with bounds checking)
OP_RIGHT (with bounds checking)
OP_INVERT
OP_AND (equal-length requirement)
OP_OR (equal-length requirement)
OP_XOR (equal-length requirement)
OP_LSHIFT
OP_RSHIFT
Result: Years of production operation with no critical exploits.
This gives the Bitcoin community empirical evidence that properly
specified versions of these opcodes are safe.
The Activation Path
For any opcode to be re-enabled on Bitcoin mainnet, it must go through the soft fork process. The most likely path for OP_CAT (BIP-347):
Activation path:
1. BIP specification finalized (BIP-347 is already drafted)
2. Implementation in Bitcoin Core (client support)
3. Community consensus building (mailing list, conferences, CoreDev)
4. Miner signaling (likely via Speedy Trial or BIP-8)
5. Tapscript version bump activates OP_CAT
6. Backward-compatible: old scripts unaffected,
new Tapscript leaves can use OP_CAT
No hard fork required — this is a soft fork.
The Bigger Picture
The debate around OP_CAT and disabled opcodes is ultimately a debate about what Bitcoin should be:
Vision A: Bitcoin as Digital Gold
- Simple, conservative, minimal features
- Maximum security through minimal complexity
- Smart contracts happen on L2 (Lightning, sidechains)
- OP_CAT is unnecessary risk for marginal benefit
Vision B: Bitcoin as Programmable Settlement Layer
- Rich on-chain script capabilities
- Covenants, vaults, bridges, ZK proofs on L1
- OP_CAT is the minimal step toward this vision
- The 520-byte cap makes risk manageable
The resolution:
OP_CAT is opt-in. It doesn't change anything for Vision A holders.
It only enables Vision B without preventing Vision A.
This is why it has growing support even among moderate Bitcoiners.
Summary
The future of disabled opcodes in Bitcoin is being written right now. OP_CAT, through BIP-347, represents the most mature and likely candidate for re-enablement — bringing covenants, Merkle proofs, Lamport signatures, and trustless bridges within Bitcoin's native scripting reach. The 520-byte safeguard addresses the original 2010 attack vector cleanly. The Elements/Liquid sidechain has demonstrated production safety. The technical arguments for re-enablement are strong; the remaining debate is philosophical — about what Bitcoin should aspire to be. Whatever the outcome, the careful consideration of these opcodes exemplifies Bitcoin's governance at its best: slow, deliberate, evidence-based, and always oriented toward preserving what makes Bitcoin trustworthy while cautiously expanding what makes it useful.
TeachMeBitcoin is an ad-free, open-source educational repository curated by a passionate team of Bitcoin researchers and educators for public benefit. If you found our articles helpful, please consider supporting our hosting and ongoing content updates with a clean donation: