Batch verification is effectively the following. Whenever a signature check is encountered during script execution, just remember the (pubkey, message, signature) tuple, but continue immediately without actually invoking any cryptographic verification for it. At the end of the batch (which can be for a single transaction, multiple transactions, a whole block, or even multiple blocks), all these tuples are fed simultaneously to the cryptographic verification routine, which determines whether or not all of them are valid. If one is not valid, it gives no indication about which one(s) was invalid; only that not everything was valid.
This requires being able to predict whether or not the signature is supposed to succeed. If the further execution of the script (or signature checks) depends in any way on the outcome of the signature checking, batch validation runs into a problem. Whenever there are multiple possible sets of permitted valid (pubkey, message, signature) tuple combinations, we would need to check all these combinations when verifying the batch. If there are multiple transactions or scripts that each permit multiple combinations, the combinations multiply. Pretty much any uncertainty would kill any advantage batch validation might have.
OP_CHECKMULTISIG is inherently incompatible with this, as such an opcode permits multiple pubkey/signature combinations. The signatures must be in the same order as the public keys, but whenever n>k, the opcode is not fed any information about which keys are supposed to be skipped. The opcode just tries all of them, in order.
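The following is an added example, not code from the original text or from any Bitcoin implementation: a simplified model of in-order k-of-n matching, and of what a yes/no batch verifier would have to do when it cannot know which keys were skipped. The HMAC-based toy_sign/toy_verify, the key names and the messages are constructed stand-ins, not a real signature scheme.

```python
import hashlib, hmac
from itertools import combinations, product

def toy_sign(key, msg):
    # Constructed stand-in for a signature (NOT secure: the "pubkey" is the key).
    return hmac.new(key, msg, hashlib.sha256).digest()

def toy_verify(pubkey, msg, sig):
    return hmac.compare_digest(toy_sign(pubkey, msg), sig)

def legacy_multisig(pubkeys, sigs, msg):
    """Simplified k-of-n matching: signatures follow key order and a failed
    check just moves on to the next key. Returns (ok, (key, sig) pairs tried)."""
    tried, s = [], 0
    for k, pubkey in enumerate(pubkeys):
        if s == len(sigs) or len(sigs) - s > len(pubkeys) - k:
            break  # all matched, or too few keys left for the remaining sigs
        tried.append((k, s))
        if toy_verify(pubkey, msg, sigs[s]):
            s += 1
    return s == len(sigs), tried

def batch_verify(tuples):
    # Stand-in for a real batch verifier: one yes/no answer for the whole batch.
    return all(toy_verify(pk, m, sig) for pk, m, sig in tuples)

def candidate_sets(pubkeys, sigs, msg):
    # Without verifying anything, each order-preserving choice of k keys out of
    # n is a possible pairing: C(n, k) candidate tuple sets for one multisig.
    return [[(pubkeys[i], msg, sig) for i, sig in zip(idx, sigs)]
            for idx in combinations(range(len(pubkeys)), len(sigs))]

def batch_with_multisig(inputs):
    """inputs: list of (pubkeys, sigs, msg). Tries every combination of the
    per-input candidate sets. Returns (valid, number of batches tried)."""
    tried = 0
    for choice in product(*(candidate_sets(*inp) for inp in inputs)):
        tried += 1
        if batch_verify([t for tuples in choice for t in tuples]):
            return True, tried
    return False, tried

# Constructed sample: two 2-of-3 inputs over the same three keys.
KEYS = [b"key-A", b"key-B", b"key-C"]
MSG1, MSG2 = b"constructed sighash 1", b"constructed sighash 2"
SIGS1 = [toy_sign(KEYS[0], MSG1), toy_sign(KEYS[2], MSG1)]  # keys A and C sign
SIGS2 = [toy_sign(KEYS[1], MSG2), toy_sign(KEYS[2], MSG2)]  # keys B and C sign

if __name__ == "__main__":
    print(legacy_multisig(KEYS, SIGS1, MSG1))
    print(batch_with_multisig([(KEYS, SIGS1, MSG1), (KEYS, SIGS2, MSG2)]))
```

With two 2-of-3 inputs there are already 3 × 3 candidate batches, and an invalid input forces all of them to be tried before the batch can be rejected.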
To combat this problem, all signature checking opcodes in BIP342 tapscript must succeed, unless an empty signature is provided. Whenever a signature is not empty but invalid, the entire script is invalid. This permits the interpreter to know in advance which signature checks are supposed to succeed: all the non-empty ones. As OP_CHECKMULTISIG would be useless in this context (it would fail if anything but the first k keys match the first k signatures in order), it is removed and replaced with a slightly lower-level opcode which works for a single pubkey/signature only: