All: update to comply with current draft of bip-bikeshed
@ -880,7 +880,7 @@ The transaction decode shows all the components of this transaction,
|
||||
including the transaction inputs and outputs. In this case we see that
|
||||
the transaction used one input and generated two outputs. The input to
|
||||
this transaction was the output from a previously confirmed transaction
|
||||
(shown as the vin +txid+). The two outputs correspond to the payment to
|
||||
(shown as the input +txid+). The two outputs correspond to the payment to
|
||||
Bob and the change back to Alice.
|
||||
|
||||
We can further explore the blockchain by examining the previous
|
||||
|
@ -388,21 +388,21 @@ library] to do the elliptic curve math.
|
||||
.Elliptic curve cryptography: visualizing the multiplication of a point G by an integer k on an elliptic curve
|
||||
image::images/mbc2_0404.png["ecc_illustrated"]
|
||||
|
||||
=== ScriptPubKey and ScriptSig
|
||||
=== Output and Input Scripts
|
||||
|
||||
Although the illustration from the original Bitcoin paper, <<pay-to-pure-pubkey>>,
|
||||
shows public keys (pubkeys) and signatures (sigs) being used directly,
|
||||
the first version of Bitcoin instead had payments sent to a field called
|
||||
_scriptPubKey_ and had them authorized by a field called _scriptSig_.
|
||||
_output script_ and had spends of those bitcoins authorized by a field called _input script_.
|
||||
These fields allow additional operations to be performed in addition to
|
||||
(or instead of) verifying that a signature corresponds to a public key.
|
||||
For example, a scriptPubKey can contain two public keys and require two
|
||||
corresponding signatures be placed in the spending scriptSig.
|
||||
For example, an output script can contain two public keys and require two
|
||||
corresponding signatures be placed in the spending input script.
|
||||
|
||||
Later, in <<tx_script>>, we'll learn about scripts in detail. For now,
|
||||
all we need to understand is that bitcoins are received to a
|
||||
scriptPubKey which acts like a public key, and bitcoin spending is
|
||||
authorized by a scriptSig which acts like a signature.
|
||||
all we need to understand is that bitcoins are received to an
|
||||
output script which acts like a public key, and bitcoin spending is
|
||||
authorized by a input script which acts like a signature.
|
||||
|
||||
[[p2pk]]
|
||||
=== IP Addresses: The Original Address For Bitcoin (P2PK)
|
||||
@ -439,21 +439,21 @@ looking at the blockchain and noticing that all of the transactions paid
|
||||
the same public key.
|
||||
|
||||
Using the public key her node received from Bob's node, Alice's wallet
|
||||
would construct a transaction output paying a very simple scriptPubKey:
|
||||
would construct a transaction output paying a very simple output script:
|
||||
|
||||
----
|
||||
<Bob's public key> OP_CHECKSIG
|
||||
----
|
||||
|
||||
Bob would later be able to spend that output with a scriptSig consisting
|
||||
Bob would later be able to spend that output with an input script consisting
|
||||
entirely of his signature:
|
||||
|
||||
----
|
||||
<Bob's signature>
|
||||
----
|
||||
|
||||
To figure out what a scriptPubKey and scriptSig are doing, you can
|
||||
combine them together (scriptSig first) and then note that each piece of
|
||||
To figure out what an output and input script are doing, you can
|
||||
combine them together (input script first) and then note that each piece of
|
||||
data (shown in angle brackets) is placed at the top of a list of items,
|
||||
called a stack. When an operation code (opcode) is encountered, it uses
|
||||
items from the stack, starting with the topmost items. Let's look at
|
||||
@ -564,13 +564,13 @@ where _K_ is the public key and _A_ is the resulting commitment.
|
||||
|
||||
Now that we understand how to make a commitment to a public key, we need
|
||||
to figure out how to use it in a transaction. Consider the following
|
||||
scriptPubKey:
|
||||
output script:
|
||||
|
||||
----
|
||||
OP_DUP OP_HASH160 <Bob's commitment> OP_EQUAL OP_CHECKSIG
|
||||
----
|
||||
|
||||
And also the following scriptSig:
|
||||
And also the following input script:
|
||||
|
||||
----
|
||||
<Bob's signature> <Bob's public key>
|
||||
@ -592,8 +592,8 @@ so now the top of the stack is a hash of Bob's public key. Next, the
|
||||
commitment to Bob's public key is added to the top of the stack. The
|
||||
+OP_EQUALVERIFY+ operation consumes the top two items and verifies that
|
||||
they are equal; that should be the case if the public key Bob provided
|
||||
in the scriptSig is the same public key used to create the commitment in
|
||||
the scriptPubKey that Alice paid. If +OP_EQUALVERIFY+ fails, the whole
|
||||
in the input script is the same public key used to create the commitment in
|
||||
the output script that Alice paid. If +OP_EQUALVERIFY+ fails, the whole
|
||||
script fails. Finally, we're left with a stack containing just Bob's
|
||||
signature and his public key; the +OP_CHECKSIG+ opcode verifies they
|
||||
correspond with each other and that the signature commits to the
|
||||
@ -664,7 +664,7 @@ To convert data (a number) into a base58check format, we first add a
|
||||
prefix to the data, called the "version byte," which serves to easily
|
||||
identify the type of data that is encoded. For example, the prefix zero
|
||||
(0x00 in hex) indicates that the data should be used as the commitment (hash) in
|
||||
a legacy P2PKH scriptPubKey. A list of common version prefixes is shown
|
||||
a legacy P2PKH output script. A list of common version prefixes is shown
|
||||
in <<base58check_versions>>.
|
||||
|
||||
Next, we compute the "double-SHA" checksum, meaning we apply the SHA256
|
||||
@ -866,14 +866,14 @@ compressed public keys.
|
||||
|
||||
As we've seen in preceding sections, someone receiving Bitcoins (like
|
||||
Bob) can require payments to him contain certain constraints in their
|
||||
scriptPubKeys. Bob will need to fulfill those constraints using a
|
||||
scriptSig when he spends those bitcoins. In <<p2pk>>, the constraint
|
||||
was simply that the scriptSig needed to provide an appropriate
|
||||
output script. Bob will need to fulfill those constraints using an
|
||||
input script when he spends those bitcoins. In <<p2pk>>, the constraint
|
||||
was simply that the input script needed to provide an appropriate
|
||||
signature. In <<addresses_for_p2pkh>>, an appropriate public key also needed to be
|
||||
provided.
|
||||
|
||||
In order for a spender (like Alice) to place the constraints Bob wants
|
||||
in the scriptPubKey she uses to pay him, Bob needs to communicate those
|
||||
in the output script she uses to pay him, Bob needs to communicate those
|
||||
constraints to her. This is similar to the problem of Bob needing to
|
||||
communicate his public key to her. Like that problem, where
|
||||
public keys can be fairly large, the constraints Bob uses can also be
|
||||
@ -883,22 +883,22 @@ for which she needs to pay transaction fees every time she wants to spend
|
||||
money to Bob. However, the solution of using hash functions to create
|
||||
small commitments to large amounts of data also applies here.
|
||||
|
||||
The BIP16 upgrade to the Bitcoin protocol in 2013 allows a
|
||||
scriptPubKey to commit to a _redemption script_ (_redeemScript_). When
|
||||
Bob spends his bitcoins, his scriptSig need to provide a redeemScript
|
||||
The BIP16 upgrade to the Bitcoin protocol in 2013 allows an
|
||||
output script to commit to a _redemption script_ (_redeem script_). When
|
||||
Bob spends his bitcoins, his input script need to provide a redeem script
|
||||
that matches the commitment and also any data necessary to satisfy the
|
||||
redeemScript (such as signatures). Let's start by imagining Bob wants
|
||||
redeem script (such as signatures). Let's start by imagining Bob wants
|
||||
to require two signatures to spend his bitcoins, one signature from his
|
||||
desktop wallet and one from a hardware signing device. He puts those
|
||||
conditions into a redeemScript:
|
||||
conditions into a redeem script:
|
||||
|
||||
----
|
||||
<public key 1> OP_CHECKSIGVERIFY <public key 2> OP_CHECKSIG
|
||||
----
|
||||
|
||||
He then creates a commitment to the redeemScript using the same
|
||||
He then creates a commitment to the redeem script using the same
|
||||
HASH160 mechanism used for P2PKH commitments, +RIPEMD160(SHA256(script))+.
|
||||
That commitment is placed into the scriptPubKey using a special
|
||||
That commitment is placed into the output script using a special
|
||||
template:
|
||||
|
||||
----
|
||||
@ -908,24 +908,24 @@ OP_HASH160 <commitment> OP_EQUAL
|
||||
[WARNING]
|
||||
====
|
||||
Payments to Script Hashes (P2SH) must use the specific P2SH template
|
||||
with no extra data or conditions in the scriptPubKey. If the
|
||||
scriptPubKey is not exactly +OP_HASH160 <20 bytes> OP_EQUAL+, the
|
||||
redeemScript will not be used and any bitcoins may either be unspendable
|
||||
with no extra data or conditions in the output script. If the
|
||||
output script is not exactly +OP_HASH160 <20 bytes> OP_EQUAL+, the
|
||||
redeem script will not be used and any bitcoins may either be unspendable
|
||||
or spendable by anyone (meaning anyone can take them).
|
||||
====
|
||||
|
||||
When Bob goes to spend the payment he received to the commitment for his
|
||||
script, he uses a scriptSig that includes the redeemScript, with it
|
||||
script, he uses an input script that includes the redeem script, with it
|
||||
serialized as a single data element. He also provides the signatures
|
||||
he needs to satisfy the redeemScript, putting them in the order that
|
||||
he needs to satisfy the redeem script, putting them in the order that
|
||||
they will be consumed by the opcodes:
|
||||
|
||||
----
|
||||
<signature2> <signature1> <redeemScript>
|
||||
<signature2> <signature1> <redeem script>
|
||||
----
|
||||
|
||||
When Bitcoin full nodes receive Bob's spend, they'll verify that the
|
||||
serialized redeemScript will hash to the same value as the commitment.
|
||||
serialized redeem script will hash to the same value as the commitment.
|
||||
Then they'll replace it on the stack with its deserialized value:
|
||||
|
||||
----
|
||||
@ -968,7 +968,7 @@ Legacy addresses were supplanted by the bech32 family of addresses.
|
||||
.P2SH collision attacks
|
||||
****
|
||||
All addresses based on hash functions are theoretically vulnerable to an
|
||||
attacker finding two different inputs (e.g. redeemScripts) that produce
|
||||
attacker finding two different inputs (e.g. redeem scripts) that produce
|
||||
the same hash function output (commitment). For addresses created
|
||||
entirely by a single party, the chance of an attacker generating a
|
||||
different input for an existing commitment is proportional to the
|
||||
@ -1363,7 +1363,7 @@ With the checksum created, each 5-bit character in the data part
|
||||
(including the witness version, witness program, and checksum) is
|
||||
converted to alphanumeric characters.
|
||||
|
||||
For decoding back into a scriptPubKey, we work in reverse. First let's
|
||||
For decoding back into an output script, we work in reverse. First let's
|
||||
use the reference library to decode two of our addresses:
|
||||
|
||||
----
|
||||
@ -1378,7 +1378,7 @@ decode(hrp, addr)
|
||||
----
|
||||
|
||||
We get back both the witness version and the witness program. Those can
|
||||
be inserted into the template for our scriptPubKey:
|
||||
be inserted into the template for our output script:
|
||||
|
||||
----
|
||||
<version> <program>
|
||||
|
@ -284,7 +284,7 @@ node will start a "handshake" (see <<network_handshake>>) by
|
||||
transmitting a +version+ message, which contains basic identifying
|
||||
information, including:
|
||||
|
||||
+nVersion+:: The Bitcoin P2P protocol version the client "speaks" (e.g., 70002)
|
||||
+Version+:: The Bitcoin P2P protocol version the client "speaks" (e.g., 70002)
|
||||
+nLocalServices+:: A list of local services supported by the node, currently just +NODE_NETWORK+
|
||||
+nTime+:: The current time
|
||||
+addrYou+:: The IP address of the remote node as seen from this node
|
||||
@ -296,7 +296,7 @@ information, including:
|
||||
|
||||
The +version+ message is always the first message sent by any peer to
|
||||
another peer. The local peer receiving a +version+ message will examine
|
||||
the remote peer's reported +nVersion+ and decide if the remote peer is
|
||||
the remote peer's reported +Version+ and decide if the remote peer is
|
||||
compatible. If the remote peer is compatible, the local peer will
|
||||
acknowledge the +version+ message and establish a connection by sending
|
||||
a +verack+.
|
||||
@ -974,7 +974,7 @@ transaction affecting that wallet. For a wallet to be effective, it
|
||||
needs to learn two types of information:
|
||||
|
||||
1. When it has received money. Specifically, when a transaction
|
||||
output contains a scriptPubKey that the wallet controls (such as by
|
||||
output contains a script that the wallet controls (such as by
|
||||
controlling the authorized private key).
|
||||
|
||||
2. When it has spent money. Specifically, when a transaction input
|
||||
@ -991,7 +991,7 @@ accurate filter.
|
||||
For both the primary and secondary goals to be met, a filter would need
|
||||
to reference two types of information:
|
||||
|
||||
1. The scriptPubKey for every output in every transaction in a block.
|
||||
1. The script for every output in every transaction in a block.
|
||||
|
||||
2. The outpoint for every input in every transaction in a block.
|
||||
|
||||
@ -1001,27 +1001,27 @@ to accomplish the primary goal if we sacrificed the secondary goal. In
|
||||
the new design, a block filter would still references two types of
|
||||
information, but they'd be more closely related:
|
||||
|
||||
1. As before, the scriptPubKey for every output in every transaction in a
|
||||
1. As before, the script for every output in every transaction in a
|
||||
block.
|
||||
|
||||
2. In a change, it would also reference the scriptPubKey of the output
|
||||
2. In a change, it would also reference the script of the output
|
||||
referenced by the outpoint for every input in every transaction in a
|
||||
block. In other words, the scriptPubKey being spent.
|
||||
block. In other words, the output script being spent.
|
||||
|
||||
This had several advantages. First, it meant that wallets didn't need
|
||||
to track outpoints; they could instead just scan for the the
|
||||
scriptPubKeys to which they expected to receive money. Second, any time a
|
||||
output scripts to which they expected to receive money. Second, any time a
|
||||
later transaction in a block spends the output of an earlier
|
||||
transaction in the same block, they'll both reference the same
|
||||
scriptPubKey. More than one reference to the same scriptPubKey is
|
||||
output script. More than one reference to the same output script is
|
||||
redundant in a compact block filter, so the redundant copies can be
|
||||
removed, shrinking the size of the filters.
|
||||
|
||||
When full nodes validate a block, they need access to the scriptPubKeys
|
||||
When full nodes validate a block, they need access to the output scripts
|
||||
for both the current transaction outputs in a block and the transaction
|
||||
outputs from previous blocks that are being referenced in inputs, so
|
||||
they're able to build compact block filters in this simplified model.
|
||||
But a block itself doesn't include the scriptPubKeys from transactions
|
||||
But a block itself doesn't include the output scripts from transactions
|
||||
included in previous blocks, so there's no convenient way for a client
|
||||
to verify a block filter was built correctly. However, there is an
|
||||
alternative that can help a client detect if a peer is lying to it:
|
||||
@ -1066,7 +1066,7 @@ more bandwidth than expected.
|
||||
==== Reducing bandwidth with lossy encoding
|
||||
|
||||
The data about the transactions in a block that we want to communicate
|
||||
is a scriptPubKey. ScriptPubKeys vary in length and follow patterns,
|
||||
is an output script. Output scripts vary in length and follow patterns,
|
||||
which means the differences between them won't be evenly distributed
|
||||
like we want. However, we've already seen in many places in this book
|
||||
that we can use a hash function to create a commitment to some data and
|
||||
@ -1079,23 +1079,23 @@ faster and more configurable non-cryptographic hash functions, such as
|
||||
the SipHash function we'll use for compact block filters.
|
||||
|
||||
The details of the algorithm used are described in BIP158, but the gist
|
||||
is that each scriptPubKey is reduced to a 64 bit commitment using
|
||||
is that each output script is reduced to a 64 bit commitment using
|
||||
SipHash and some arthritic operations. You can think of this as
|
||||
taking a set of large numbers and truncating them to shorter numbers, a
|
||||
process that loses data (so it's called _lossy encoding_). By losing
|
||||
some information, we don't need to store as much information later,
|
||||
which saves space. In this case, we go from a typical scriptPubKey
|
||||
which saves space. In this case, we go from a typical output script
|
||||
that's 160 bits or longer down to just 64 bits.
|
||||
|
||||
==== Using compact block filters
|
||||
|
||||
The 64 bit value for every commitment to a scriptPubKey in a block are
|
||||
The 64 bit value for every commitment to an output script in a block are
|
||||
sorted, duplicate entries are removed, and the GCS is constructed by
|
||||
finding the differences (deltas) between each entry. That compact block
|
||||
filter is then distributed by peers to their clients (such as wallets).
|
||||
|
||||
A client uses the deltas to reconstruct the original commitments. The
|
||||
client such as a wallet also takes all the scriptPubKeys it is
|
||||
client such as a wallet also takes all the output scripts it is
|
||||
monitoring for and generates commitments in the same way as BIP158. It
|
||||
checks whether any of its generated commitments match the commitments in
|
||||
the filter.
|
||||
|
@ -273,8 +273,8 @@ criteria:
|
||||
- Each output value, as well as the total, must be within the allowed
|
||||
range of values (zero or more, but less than 21m coins).
|
||||
|
||||
- +nLocktime+ is equal to +INT_MAX+, or +nLocktime+ and +nSequence+
|
||||
values are satisfied according to the locktime and BIP68 rules.
|
||||
- Lock time is equal to +INT_MAX+, or lock time and sequence
|
||||
values are satisfied according to the lock time and BIP68 rules.
|
||||
|
||||
- The number of signature operations (SIGOPS) contained in the
|
||||
transaction is less than the signature operation limit.
|
||||
@ -492,7 +492,7 @@ structure of the coinbase transaction's input.
|
||||
| 32 bytes | Transaction Hash | Pointer to the transaction containing the UTXO to be spent
|
||||
| 4 bytes | Output Index | The index number of the UTXO to be spent, first one is 0
|
||||
| 1–9 bytes (VarInt) | Script Size | Script length in bytes, to follow
|
||||
| Variable | ScriptSig | A script that fulfills the conditions of the UTXO scriptPubKey
|
||||
| Variable | Input script | A script that fulfills the conditions of the UTXO output script
|
||||
| 4 bytes | Sequence Number | Multipurpose field used for BIP68 time locks and transaction replacement signaling
|
||||
|=======
|
||||
|
||||
@ -512,14 +512,14 @@ In a coinbase transaction, the first two fields are set to values that
|
||||
do not represent a UTXO reference. Instead of a "transaction hash," the
|
||||
first field is filled with 32 bytes all set to zero. The "output index"
|
||||
is filled with 4 bytes all set to 0xFF (255 decimal). The
|
||||
+scriptSig+ is replaced by coinbase data, a data field used by
|
||||
input script is replaced by coinbase data, a data field used by
|
||||
the miners, as we will see next.
|
||||
|
||||
[[duplicate_transactions]]
|
||||
==== Coinbase Data
|
||||
|
||||
((("coinbase transactions", "coinbase data")))Coinbase transactions do
|
||||
not have a +scriptSig+ field. Instead, this
|
||||
not have an input script field. Instead, this
|
||||
field is replaced by coinbase data, which must be between 2 and 100
|
||||
bytes. Except for the first few bytes, the rest of the coinbase data can
|
||||
be used by miners in any way they want; it is arbitrary data.
|
||||
@ -1169,11 +1169,11 @@ miner can influence the timestamps in order to gain fees from
|
||||
transactions with a timelock that hasn't yet matured.
|
||||
|
||||
Median time past changes the implementation of time calculations for
|
||||
+nLocktime+, +CLTV+, +nSequence+, and +CSV+. The consensus time
|
||||
lock time, +CLTV+, sequence, and +CSV+. The consensus time
|
||||
calculated by median time past is usually about one hour behind
|
||||
wall clock time. If you create timelock transactions, you should account
|
||||
for it when estimating the desired value to encode in +nLocktime+,
|
||||
+nSequence+, +CLTV+, and +CSV+.
|
||||
for it when estimating the desired value to encode in lock time,
|
||||
sequence, +CLTV+, and +CSV+.
|
||||
|
||||
=== Successfully Mining the Block
|
||||
|
||||
@ -2173,7 +2173,7 @@ effect. Execution continues after the NOP opcode as if it wasn't there.
|
||||
A soft fork therefore can modify the semantics of a NOP code to give it
|
||||
new meaning. For example, BIP65 (+CHECKLOCKTIMEVERIFY+) reinterpreted
|
||||
the NOP2 opcode. Clients implementing BIP65 interpret NOP2 as
|
||||
+OP_CHECKLOCKTIMEVERIFY+ and impose an absolute locktime consensus rule
|
||||
+OP_CHECKLOCKTIMEVERIFY+ and impose an absolute lock time consensus rule
|
||||
on UTXOs that contain this opcode in their locking scripts. This change
|
||||
is a soft fork because a transaction that is valid under BIP65 is also
|
||||
valid on any client that is not implementing (ignorant of) BIP65. To
|
||||
|
@ -581,7 +581,7 @@ to fix those:
|
||||
commitment that is in her favor.
|
||||
|
||||
Both of these problems can be solved with timelocks—let's look at
|
||||
how we could use transaction-level timelocks (+nLocktime+).
|
||||
how we could use transaction-level time locks.
|
||||
|
||||
Emma cannot risk funding a 2-of-2 multisig unless she has a guaranteed
|
||||
refund. To solve this problem, Emma constructs the funding and refund
|
||||
@ -591,7 +591,7 @@ transaction to Fabian and obtains his signature.
|
||||
|
||||
The refund transaction acts as the first commitment transaction and its
|
||||
timelock establishes the upper bound for the channel's life. In this
|
||||
case, Emma could set the +nLocktime+ to 30 days or 4320 blocks into the
|
||||
case, Emma could set the lock time to 30 days or 4320 blocks into the
|
||||
future. All subsequent commitment transactions must have a shorter
|
||||
timelock, so that they can be redeemed before the refund transaction.
|
||||
|
||||
@ -604,7 +604,7 @@ Every commitment transaction the parties exchange during the life of the
|
||||
channel will be timelocked into the future. But the delay will be
|
||||
slightly shorter for each commitment so the most recent commitment can
|
||||
be redeemed before the prior commitment it invalidates. Because of the
|
||||
nLockTime, neither party can successfully propagate any of the
|
||||
lock time, neither party can successfully propagate any of the
|
||||
commitment transactions until their timelock expires. If all goes well,
|
||||
they will cooperate and close the channel gracefully with a settlement
|
||||
transaction, making it unnecessary to transmit an intermediate
|
||||
@ -641,8 +641,8 @@ commitments. Thus, the most recent commitment transaction can be
|
||||
transmitted, spending the inputs and invalidating prior commitment
|
||||
transactions. The enforcement of smart contracts with absolute timelocks
|
||||
protects against cheating by one of the parties. This implementation
|
||||
needs nothing more than absolute transaction-level timelocks
|
||||
(+nLocktime+). Next, we will see how script-level timelocks,
|
||||
needs nothing more than absolute transaction-level lock time.
|
||||
Next, we will see how script-level timelocks,
|
||||
+CHECKLOCKTIMEVERIFY+ and +CHECKSEQUENCEVERIFY+, can be used to
|
||||
construct more flexible, useful, and sophisticated state channels.
|
||||
|
||||
@ -959,7 +959,7 @@ IF
|
||||
HASH160 <H> EQUALVERIFY
|
||||
ELSE
|
||||
# Refund after timeout.
|
||||
<locktime> CHECKLOCKTIMEVERIFY DROP
|
||||
<lock time> CHECKLOCKTIMEVERIFY DROP
|
||||
<Payer Public Key> CHECKSIG
|
||||
ENDIF
|
||||
----
|
||||
@ -1194,7 +1194,7 @@ startref="alicetwelve")))
|
||||
|
||||
Each element of the path contains information on the HTLC that must be
|
||||
extended to the next hop, the amount that is being sent, the fee to
|
||||
include, and the CLTV locktime (in blocks) expiration of the HTLC. As
|
||||
include, and the CLTV lock time (in blocks) expiration of the HTLC. As
|
||||
the route information propagates, the nodes make HTLC commitments
|
||||
forward to the next hop.
|
||||
|
||||
|
@ -29,8 +29,8 @@ used.
|
||||
id="Tsript06")))((("scripting", "transactions and",
|
||||
id="Stransact06")))The original version of Bitcoin introduced a new
|
||||
programming language called _Script_, a Forth-like stack-based
|
||||
language. Both the scriptPubKey placed in an output and the legacy
|
||||
scriptSig used in a spending transaction are written in this scripting
|
||||
language. Both the script placed in an output and the legacy
|
||||
input script used in a spending transaction are written in this scripting
|
||||
language.
|
||||
|
||||
Script is a very simple language. It requires minimal processing and
|
||||
@ -94,28 +94,28 @@ system.
|
||||
==== Script Construction
|
||||
|
||||
Bitcoin's legacy transaction validation engine relies on two parts of scripts
|
||||
to validate transactions: a scriptPubKey and a scriptSig.
|
||||
to validate transactions: an output script and an input script.
|
||||
|
||||
A scriptPubKey is a spending condition placed on an output:
|
||||
An output script is a spending condition placed on an output:
|
||||
it specifies the conditions that must be met to spend the output in the
|
||||
future, such as who is authorized to spend the output and how they will
|
||||
be authenticated.
|
||||
|
||||
A scriptSig is a script that satisfies the
|
||||
conditions placed on an output by a scriptPubKey and allows the output
|
||||
to be spent. ScriptSigs are part of every transaction input. Most
|
||||
An input script is a script that satisfies the
|
||||
conditions placed on an output by an output script and allows the output
|
||||
to be spent. Input scripts are part of every transaction input. Most
|
||||
of the time in legacy transactions they contain a digital signature produced by the user's
|
||||
wallet from his or her private key, but not all scriptSigs
|
||||
wallet from his or her private key, but not all input scripts
|
||||
must contain signatures.
|
||||
|
||||
Every bitcoin validating node will validate transactions by executing
|
||||
the scriptPubKey and scriptSig together. As we saw in
|
||||
the output and input scripts. As we saw in
|
||||
<<c_transactions>>, each input contains an outpoint which refers to a
|
||||
previous transaction output. The input also contains a scriptSig. The
|
||||
validation software will copy the scriptSig, retrieve the UTXO
|
||||
referenced by the input, and copy the scriptPubKey from that UTXO. The
|
||||
scriptSig and scriptPubKey are then executed in sequence. The input is
|
||||
valid if the scriptSig satisfies the scriptPubKey conditions
|
||||
previous transaction output. The input also contains an input script. The
|
||||
validation software will copy the input script, retrieve the UTXO
|
||||
referenced by the input, and copy the output script from that UTXO. The
|
||||
input and output scripts are then executed in sequence. The input is
|
||||
valid if the input script satisfies the output script's conditions
|
||||
(see <<script_exec>>). All the inputs are validated independently, as
|
||||
part of the overall validation of the transaction.
|
||||
|
||||
@ -123,18 +123,18 @@ Note that the steps above involve making copies of all data. The
|
||||
original data in the previous output and current input is never changed.
|
||||
In particular, the previous output is invariable and unaffected by
|
||||
failed attempts to spend it. Only a valid transaction that correctly
|
||||
satisfies the conditions of the scriptPubKey results in the output being
|
||||
satisfies the conditions of the output script results in the output being
|
||||
considered as "spent".
|
||||
|
||||
<<scriptSig_and_scriptPubKey>> is an example of the scriptPubKey and
|
||||
scriptSig for the most common type of legacy Bitcoin transaction (a
|
||||
<<input_and_output_scripts_legacy>> is an example of the output and
|
||||
input scripts for the most common type of legacy Bitcoin transaction (a
|
||||
payment to a public key hash), showing the combined script resulting
|
||||
from the concatenation of the scripts prior to
|
||||
validation.
|
||||
|
||||
[[scriptSig_and_scriptPubKey]]
|
||||
.Combining scriptSig and scriptPubKey to evaluate a transaction script
|
||||
image::../images/mbc2_0603.png["scriptSig_and_scriptPubKey"]
|
||||
[[input_and_output_scripts_legacy]]
|
||||
.Combining input and output scripts to evaluate a transaction script
|
||||
image::../images/mbc2_0603.png["input_and_output_scripts"]
|
||||
|
||||
===== The script execution stack
|
||||
|
||||
@ -172,21 +172,21 @@ operator +OP_EQUAL+, which checks that the resulting sum is equal to
|
||||
in this book. For more details on the available script operators and
|
||||
functions, see <<tx_script_ops>>.
|
||||
|
||||
Although most legacy scriptPubKeys refer to a public key hash (essentially, a
|
||||
Although most legacy output scripts refer to a public key hash (essentially, a
|
||||
legacy Bitcoin address), thereby requiring proof of ownership to spend the
|
||||
funds, the script does not have to be that complex. Any combination of
|
||||
scriptPubKey and scriptSig that results in a TRUE value is valid. The
|
||||
output and input scripts that results in a TRUE value is valid. The
|
||||
simple arithmetic we used as an example of the scripting language is
|
||||
also a valid script.
|
||||
|
||||
Use part of the arithmetic example script as the scriptPubKey:
|
||||
Use part of the arithmetic example script as the output script:
|
||||
|
||||
----
|
||||
3 OP_ADD 5 OP_EQUAL
|
||||
----
|
||||
|
||||
which can be satisfied by a transaction containing an input with the
|
||||
scriptSig:
|
||||
input script:
|
||||
|
||||
----
|
||||
2
|
||||
@ -200,7 +200,7 @@ The validation software combines the scripts:
|
||||
|
||||
As we saw in <<simplemath_script>>, when
|
||||
this script is executed, the result is +OP_TRUE+, making the transaction
|
||||
valid. Not only have we shown a valid transaction output scriptPubKey, but
|
||||
valid. Not only have we shown a valid transaction output script, but
|
||||
the resulting UTXO could be spent by anyone with the arithmetic skills
|
||||
to know that the number 2 satisfies the script.
|
||||
|
||||
@ -237,38 +237,38 @@ When the script execution ends, you should be left with a +TRUE+ value
|
||||
on the stack.
|
||||
|
||||
[[script_exec]]
|
||||
===== Separate execution of scriptPubKey and scriptSig
|
||||
===== Separate execution of output and input scripts
|
||||
|
||||
In the original Bitcoin
|
||||
client, scriptPubKey and scriptSig were concatenated and executed
|
||||
client, output and input scripts were concatenated and executed
|
||||
in sequence. For security reasons, this was changed in 2010 because of
|
||||
a vulnerability known as the +1 OP_RETURN+ bug. In the current
|
||||
implementation, the scripts are executed separately with the stack
|
||||
transferred between the two executions.
|
||||
|
||||
First, the scriptSig executed using the stack execution
|
||||
engine. If the scriptSig is executed without errors and has
|
||||
First, the input script executed using the stack execution
|
||||
engine. If the input script is executed without errors and has
|
||||
no operations left over, the stack is copied and the
|
||||
scriptPubKey is executed. If the result of executing scriptPubKey
|
||||
with the stack data copied from scriptSig is +TRUE+,
|
||||
the scriptSig has succeeded in resolving the conditions imposed
|
||||
by the scriptPubKey and, therefore, the input is a valid authorization
|
||||
output script is executed. If the result of executing the output script
|
||||
with the stack data copied from the input script is +TRUE+,
|
||||
the input script has succeeded in resolving the conditions imposed
|
||||
by the output script and, therefore, the input is a valid authorization
|
||||
to spend the UTXO. If any result other than +TRUE+ remains after
|
||||
execution of the combined script, the input is invalid because it has
|
||||
failed to satisfy the spending conditions placed on the output.
|
||||
|
||||
//SOMEDAY:implications of not being able to use script in scriptSig
|
||||
//SOMEDAY:implications of not being able to use script in input script
|
||||
|
||||
[[p2pkh]]
|
||||
==== Pay-to-Public-Key-Hash (P2PKH)
|
||||
|
||||
((("Pay-to-Public-Key-Hash (P2PKH)")))
|
||||
A Pay-to-Public-Key-Hash or "P2PKH" script uses a scriptPubKey that
|
||||
A Pay-to-Public-Key-Hash or "P2PKH" script uses a output script that
|
||||
contains a hash which commits to a public key. P2PKH is best known as a
|
||||
the basis for a legacy Bitcoin address. A P2PKH output can be spent by
|
||||
presenting a public key which matches the hash commitment and a digital
|
||||
signature created by the corresponding private key (see
|
||||
<<c_signatures>>). Let's look at an example of a P2PKH scriptPubKey:
|
||||
<<c_signatures>>). Let's look at an example of a P2PKH output script:
|
||||
|
||||
----
|
||||
OP_DUP OP_HASH160 <Key Hash> OP_EQUALVERIFY OP_CHECKSIG
|
||||
@ -279,7 +279,7 @@ address. Most applications would show the _public key hash_ in a script
|
||||
using hexadecimal encoding and not the familiar Bitcoin
|
||||
address Base58Check format that begins with a "1."
|
||||
|
||||
The preceding scriptPubKey can be satisfied with a scriptSig
|
||||
The preceding output script can be satisfied with an input script
|
||||
of the form:
|
||||
|
||||
----
|
||||
@ -294,8 +294,8 @@ script:
|
||||
----
|
||||
|
||||
When executed, this combined script will evaluate to TRUE if, and only
|
||||
if, the scriptSig matches the conditions set by the scriptPubKey.
|
||||
In other words, the result will be TRUE if the scriptSig
|
||||
if, the input script matches the conditions set by the output script.
|
||||
In other words, the result will be TRUE if the input script
|
||||
has a valid signature from Bob's private key that corresponds to
|
||||
the public key hash set as an encumbrance.
|
||||
|
||||
@ -338,7 +338,7 @@ to tell "M" and "N" apart when they're spoken, so we use the alternative
|
||||
K-of-N. Both phrases refer to the same type of signature scheme.
|
||||
====
|
||||
|
||||
At this time, _standard_ multisignature scriptPubKeys are limited to at most 3
|
||||
At this time, _standard_ multisignature output scripts are limited to at most 3
|
||||
listed public keys, meaning you can do anything from a 1-of-1 to a
|
||||
3-of-3 multisignature or any combination within that range.
|
||||
You may want to check the +IsStandard()+ function to see what is currently
|
||||
@ -348,7 +348,7 @@ multisignature scripts wrapped in a Pay-to-Script-Hash (P2SH) script.
|
||||
P2SH multisignature scripts are limited to 15 keys, allowing for up to
|
||||
15-of-15 multisignature. We will learn about P2SH in <<p2sh>>.
|
||||
|
||||
The general form of a scriptPubKey setting an K-of-N multisignature
|
||||
The general form of a output script setting an K-of-N multisignature
|
||||
condition is:
|
||||
|
||||
----
|
||||
@ -358,14 +358,14 @@ K <Public Key 1> <Public Key 2> ... <Public Key N> N OP_CHECKMULTISIG
|
||||
where N is the total number of listed public keys and K is the threshold
|
||||
of required signatures to spend the output.
|
||||
|
||||
A scriptPubKey setting a 2-of-3 multisignature condition looks like
|
||||
An output script setting a 2-of-3 multisignature condition looks like
|
||||
this:
|
||||
|
||||
----
|
||||
2 <Public Key A> <Public Key B> <Public Key C> 3 OP_CHECKMULTISIG
|
||||
----
|
||||
|
||||
The preceding scriptPubKey can be satisfied with a scriptSig
|
||||
The preceding output script can be satisfied with an input script
|
||||
containing pairs of signatures and public keys:
|
||||
|
||||
----
|
||||
@ -382,8 +382,8 @@ The two scripts together would form the combined validation script:
|
||||
----
|
||||
|
||||
When executed, this combined script will evaluate to TRUE if, and only
|
||||
if, the scriptSig script matches the conditions set by the scriptPubKey.
|
||||
In this case, the condition is whether the scriptSig has
|
||||
if, the input script script matches the conditions set by the output script.
|
||||
In this case, the condition is whether the input script has
|
||||
a valid signature from the two private keys that correspond to two of
|
||||
the three public keys set as an encumbrance.
|
||||
|
||||
@ -429,7 +429,7 @@ like this:
|
||||
OP_0 <Signature B> <Signature C> 2 <Public Key A> <Public Key B> <Public Key C> 3 OP_CHECKMULTISIG
|
||||
----
|
||||
|
||||
Thus the scriptSig actually used in multisig is not:
|
||||
Thus the input script actually used in multisig is not:
|
||||
|
||||
----
|
||||
<Signature B> <Signature C>
|
||||
@ -517,7 +517,7 @@ than a simple payment transaction, because this script contains very
|
||||
long public keys. The burden of that extra data would be
|
||||
borne by the customer in the form of extra transaction fees. Finally, a large transaction
|
||||
script like this would be carried in the UTXO set in every full
|
||||
node, until it was spent. All of these issues make using complex scriptPubKeys
|
||||
node, until it was spent. All of these issues make using complex output scripts
|
||||
difficult in practice.
|
||||
|
||||
P2SH was developed to resolve these practical difficulties and to make
|
||||
@ -529,33 +529,33 @@ matches the commitment in addition to the data which satisfies the script. In si
|
||||
P2SH means "pay to a script matching this hash, a script that will be
|
||||
presented later when this output is spent."
|
||||
|
||||
((("redeemScripts")))((("scripting", "redeemScripts")))In P2SH
|
||||
((("redeem scripts")))((("scripting", "redeem scripts")))In P2SH
|
||||
transactions, the script that is replaced by a hash is referred
|
||||
to as the _redeemScript_ because it is presented to the system at
|
||||
redemption time rather than as a scriptPubKey. <<without_p2sh>> shows
|
||||
to as the _redeem script_ because it is presented to the system at
|
||||
redemption time rather than as an output script. <<without_p2sh>> shows
|
||||
the script without P2SH and <<with_p2sh>> shows the same script encoded
|
||||
with P2SH.
|
||||
|
||||
[[without_p2sh]]
|
||||
.Complex script without P2SH
|
||||
|=======
|
||||
| ScriptPubKey | 2 PubKey1 PubKey2 PubKey3 PubKey4 PubKey5 5 OP_CHECKMULTISIG
|
||||
| ScriptSig | Sig1 Sig2
|
||||
| Output script | 2 PubKey1 PubKey2 PubKey3 PubKey4 PubKey5 5 OP_CHECKMULTISIG
|
||||
| Input script | Sig1 Sig2
|
||||
|=======
|
||||
|
||||
[[with_p2sh]]
|
||||
.Complex script as P2SH
|
||||
|=======
|
||||
| RedeemScript | 2 PubKey1 PubKey2 PubKey3 PubKey4 PubKey5 5 OP_CHECKMULTISIG
|
||||
| ScriptPubKey | OP_HASH160 <20-byte hash of redeemScript> OP_EQUAL
|
||||
| ScriptSig | Sig1 Sig2 <redeemScript>
|
||||
| Redeem script | 2 PubKey1 PubKey2 PubKey3 PubKey4 PubKey5 5 OP_CHECKMULTISIG
|
||||
| Output script | OP_HASH160 <20-byte hash of redeem script> OP_EQUAL
|
||||
| Input script | Sig1 Sig2 <redeem script>
|
||||
|=======
|
||||
|
||||
As you can see from the tables, with P2SH the complex script that
|
||||
details the conditions for spending the output (redeemScript) is not
|
||||
presented in the scriptPubKey. Instead, only a hash of it is in the
|
||||
scriptPubKey and the reedemScript itself is presented later, as part
|
||||
of the scriptSig when the output is spent. This shifts the burden
|
||||
details the conditions for spending the output (redeem script) is not
|
||||
presented in the output script. Instead, only a hash of it is in the
|
||||
output script and the reedemScript itself is presented later, as part
|
||||
of the input script when the output is spent. This shifts the burden
|
||||
in fees and complexity from the sender to the recipient (spender) of the
|
||||
transaction.
|
||||
|
||||
@ -599,18 +599,18 @@ echo \
|
||||
----
|
||||
|
||||
The series of commands above first encodes Mohammed's multisig
|
||||
redeemScript as a serialized hex-encoded bitcoin Script. The next +bx+ command
|
||||
redeem script as a serialized hex-encoded bitcoin Script. The next +bx+ command
|
||||
calculates the SHA256 hash of that. The next +bx+ command hashes again
|
||||
with RIPEMD160, producing the final script-hash:
|
||||
|
||||
The 20-byte hash of Mohammed's redeemScript is:
|
||||
The 20-byte hash of Mohammed's redeem script is:
|
||||
|
||||
----
|
||||
54c557e07dde5bb6cb791c7a540e0a4796f5e97e
|
||||
----
|
||||
|
||||
A P2SH transaction locks the output to this hash instead of the longer
|
||||
redeemScript, using a special scriptPubKey template:
|
||||
redeem script, using a special output script template:
|
||||
|
||||
----
|
||||
OP_HASH160 54c557e07dde5bb6cb791c7a540e0a4796f5e97e OP_EQUAL
|
||||
@ -619,23 +619,23 @@ OP_HASH160 54c557e07dde5bb6cb791c7a540e0a4796f5e97e OP_EQUAL
|
||||
which, as you can see, is much shorter. Instead of "pay to this 5-key
|
||||
multisignature script," the P2SH equivalent transaction is "pay to a
|
||||
script with this hash." A customer making a payment to Mohammed's
|
||||
company need only include this much shorter scriptPubKey in his
|
||||
company need only include this much shorter output script in his
|
||||
payment. When Mohammed and his partners want to spend this UTXO, they
|
||||
must present the original redeemScript (the one whose hash locked the
|
||||
must present the original redeem script (the one whose hash locked the
|
||||
UTXO) and the signatures necessary to unlock it, like this:
|
||||
|
||||
----
|
||||
<Sig1> <Sig2> <2 PK1 PK2 PK3 PK4 PK5 5 OP_CHECKMULTISIG>
|
||||
----
|
||||
|
||||
The two scripts are combined in two stages. First, the redeemScript is
|
||||
checked against the scriptPubKey to make sure the hash matches:
|
||||
The two scripts are combined in two stages. First, the redeem script is
|
||||
checked against the output script to make sure the hash matches:
|
||||
|
||||
----
|
||||
<2 PK1 PK2 PK3 PK4 PK5 5 OP_CHECKMULTISIG> OP_HASH160 <redeemScript hash> OP_EQUAL
|
||||
<2 PK1 PK2 PK3 PK4 PK5 5 OP_CHECKMULTISIG> OP_HASH160 <redeem script hash> OP_EQUAL
|
||||
----
|
||||
|
||||
If the redeemScript hash matches, the redeemScript is executed:
|
||||
If the redeem script hash matches, the redeem script is executed:
|
||||
|
||||
----
|
||||
<Sig1> <Sig2> 2 PK1 PK2 PK3 PK4 PK5 5 OP_CHECKMULTISIG
|
||||
@ -698,31 +698,31 @@ scripts in outputs:
|
||||
present time (payment) to a future time (when it is spent).
|
||||
|
||||
- P2SH shifts the transaction fee cost of a long script from the sender
|
||||
to the recipient, who has to include the long redeemScript to spend
|
||||
to the recipient, who has to include the long redeem script to spend
|
||||
it.
|
||||
|
||||
==== RedeemScript and Validation
|
||||
==== Redeem Script and Validation
|
||||
|
||||
You are not able to put a P2SH inside a P2SH redeemScript, because the
|
||||
You are not able to put a P2SH inside a P2SH redeem script, because the
|
||||
P2SH specification is not recursive. Also, while it is technically
|
||||
possible to include +OP_RETURN+ (see <<op_return>>) in a redeemScript, as
|
||||
possible to include +OP_RETURN+ (see <<op_return>>) in a redeem script, as
|
||||
nothing in the rules prevents you from doing so, it is of no practical
|
||||
use because executing +OP_RETURN+ during validation will cause the
|
||||
transaction to be marked invalid.
|
||||
|
||||
Note that because the redeemScript is not presented to the network
|
||||
Note that because the redeem script is not presented to the network
|
||||
until you attempt to spend a P2SH output, if you create an output with the
|
||||
hash of an invalid redeemScript, you will not be able to spend
|
||||
it. The spending transaction, which includes the redeemScript,
|
||||
hash of an invalid redeem script, you will not be able to spend
|
||||
it. The spending transaction, which includes the redeem script,
|
||||
will not be accepted because it is an invalid script. This creates a
|
||||
risk, because you can send bitcoin to a P2SH address that cannot be spent later.
|
||||
|
||||
[WARNING]
|
||||
====
|
||||
((("warnings and cautions", "accidental bitcoin invalidation")))P2SH scriptPubKeys
|
||||
contain the hash of a redeemScript, which gives no clues as to
|
||||
the content of the redeemScript. The P2SH transaction will be
|
||||
considered valid and accepted even if the redeemScript is invalid. You
|
||||
((("warnings and cautions", "accidental bitcoin invalidation")))P2SH output scripts
|
||||
contain the hash of a redeem script, which gives no clues as to
|
||||
the content of the redeem script. The P2SH transaction will be
|
||||
considered valid and accepted even if the redeem script is invalid. You
|
||||
might accidentally receive bitcoin in such a way that it cannot later be
|
||||
spent.
|
||||
====
|
||||
@ -763,7 +763,7 @@ from the UTXO set and cause the size of the UTXO database to forever
|
||||
increase, or "bloat."
|
||||
|
||||
A compromise was reached
|
||||
that allows a scriptPubKey starting with +OP_RETURN+ to
|
||||
that allows an output script starting with +OP_RETURN+ to
|
||||
add nonpayment data to a transaction output. However, unlike
|
||||
the use of "fake" UTXOs, the +OP_RETURN+ operator creates an explicitly
|
||||
_provably unspendable_ output, which does not need to be stored in the
|
||||
@ -787,7 +787,7 @@ http://proofofexistence.com[Proof of Existence] digital notarization
|
||||
service uses the 8-byte prefix +DOCPROOF+, which is ASCII encoded as +44
|
||||
4f 43 50 52 4f 4f 46+ in hexadecimal.
|
||||
|
||||
Keep in mind that there is no scriptSig that corresponds to
|
||||
Keep in mind that there is no input script that corresponds to
|
||||
+OP_RETURN+ that could possibly be used to "spend" an +OP_RETURN+ output. The
|
||||
whole point of an +OP_RETURN+ output is that you can't spend the money locked in that
|
||||
output, and therefore it does not need to be held in the UTXO set as
|
||||
@ -801,22 +801,22 @@ script to "RETURN" with a +FALSE+ and halt. Thus, if you accidentally
|
||||
reference a +OP_RETURN+ output as an input in a transaction, that
|
||||
transaction is invalid.
|
||||
|
||||
[[locktime_limitations]]
|
||||
==== Transaction locktime limitations
|
||||
[[lock_time_limitations]]
|
||||
==== Transaction lock time limitations
|
||||
|
||||
+nLockTime+ has the limitation that while it makes it possible to spend some outputs in the future, it does not make it impossible to spend them until that time. Let's explain that with the following example.
|
||||
Lock time has the limitation that while it makes it possible to spend some outputs in the future, it does not make it impossible to spend them until that time. Let's explain that with the following example.
|
||||
|
||||
((("use cases", "buying coffee", id="alicesseven")))Alice signs a transaction spending one of her outputs to Bob's address, and sets the transaction +nLockTime+ to 3 months in the future. Alice sends that transaction to Bob to hold. With this transaction Alice and Bob know that:
|
||||
((("use cases", "buying coffee", id="alicesseven")))Alice signs a transaction spending one of her outputs to Bob's address, and sets the transaction lock time to 3 months in the future. Alice sends that transaction to Bob to hold. With this transaction Alice and Bob know that:
|
||||
|
||||
* Bob cannot transmit the transaction to redeem the funds until 3 months have elapsed.
|
||||
* Bob may transmit the transaction after 3 months.
|
||||
|
||||
However:
|
||||
|
||||
* Alice can create another transaction, double-spending the same inputs without a locktime. Thus, Alice can spend the same UTXO before the 3 months have elapsed.
|
||||
* Alice can create another transaction, double-spending the same inputs without a lock time. Thus, Alice can spend the same UTXO before the 3 months have elapsed.
|
||||
* Bob has no guarantee that Alice won't do that.
|
||||
|
||||
It is important to understand the limitations of transaction +nLockTime+. The only guarantee is that Bob will not be able to redeem it before 3 months have elapsed. There is no guarantee that Bob will get the funds. To achieve such a guarantee, the timelock restriction must be placed on the UTXO itself and be part of the script, rather than on the transaction. This is achieved by the next form of timelock, called Check Lock Time Verify.
|
||||
It is important to understand the limitations of transaction lock time. The only guarantee is that Bob will not be able to redeem it before 3 months have elapsed. There is no guarantee that Bob will get the funds. To achieve such a guarantee, the timelock restriction must be placed on the UTXO itself and be part of the script, rather than on the transaction. This is achieved by the next form of timelock, called Check Lock Time Verify.
|
||||
|
||||
==== Check Lock Time Verify (OP_CLTV)
|
||||
|
||||
@ -828,7 +828,7 @@ timelock was introduced to Bitcoin as a soft fork upgrade. Based on a
|
||||
specification in BIP65, a new script operator called
|
||||
_OP_CHECKLOCKTIMEVERIFY_ (_CLTV_) was added to the scripting language.
|
||||
+OP_CLTV+ is a per-output timelock, rather than a per-transaction timelock
|
||||
as is the case with +nLockTime+. This allows for much greater
|
||||
as is the case with lock time. This allows for much greater
|
||||
flexibility in the way timelocks are applied.
|
||||
|
||||
In simple terms, by committing to the +OP_CLTV+ opcode in an
|
||||
@ -837,21 +837,21 @@ specified time has elapsed.
|
||||
|
||||
[TIP]
|
||||
====
|
||||
While +nLockTime+ is a transaction-level timelock, +OP_CLTV+ is an
|
||||
While lock time is a transaction-level timelock, +OP_CLTV+ is an
|
||||
output-based timelock.
|
||||
====
|
||||
|
||||
+OP_CLTV+ doesn't replace +nLockTime+, but rather restricts specific UTXO
|
||||
+OP_CLTV+ doesn't replace lock time, but rather restricts specific UTXO
|
||||
such that they can only be spent in a future transaction with
|
||||
+nLockTime+ set to a greater or equal value.
|
||||
lock time set to a greater or equal value.
|
||||
|
||||
The +OP_CLTV+ opcode takes one parameter as input, expressed as a number in
|
||||
the same format as +nLockTime+ (either a block height or Unix epoch
|
||||
the same format as lock time (either a block height or Unix epoch
|
||||
time). As indicated by the +VERIFY+ suffix, +OP_CLTV+ is the type of opcode
|
||||
that halts execution of the script if the outcome is +FALSE+. If it
|
||||
results in TRUE, execution continues.
|
||||
|
||||
In order to use +OP_CLTV+, you insert it into the redeemScript of the
|
||||
In order to use +OP_CLTV+, you insert it into the redeem script of the
|
||||
output in the transaction that creates the output. For
|
||||
example, if Alice is paying Bob's address, the output would normally
|
||||
contain a P2PKH script like this:
|
||||
@ -861,7 +861,7 @@ OP_DUP OP_HASH160 <Bob's Public Key Hash> OP_EQUALVERIFY OP_CHECKSIG
|
||||
----
|
||||
|
||||
To lock it to a time, say 3 months from now, the transaction would be a
|
||||
P2SH transaction with a redeemScript like this:
|
||||
P2SH transaction with a redeem script like this:
|
||||
|
||||
----
|
||||
<now + 3 months> OP_CHECKLOCKTIMEVERIFY OP_DROP OP_DUP OP_HASH160 <Bob's Public Key Hash> OP_EQUALVERIFY OP_CHECKSIG
|
||||
@ -875,13 +875,13 @@ where +<now {plus} 3 months>+ is a block height or time value estimated
|
||||
|
||||
When Bob tries to spend this UTXO, he constructs a transaction that
|
||||
references the UTXO as an input. He uses his signature and public key in
|
||||
the scriptSig of that input and sets the transaction +nLockTime+
|
||||
the input script of that input and sets the transaction lock time
|
||||
to be equal or greater to the timelock in the +OP_CHECKLOCKTIMEVERIFY+
|
||||
Alice set. Bob then broadcasts the transaction on the Bitcoin network.
|
||||
|
||||
Bob's transaction is evaluated as follows. If the +OP_CHECKLOCKTIMEVERIFY+
|
||||
parameter Alice set is less than or equal the spending transaction's
|
||||
+nLockTime+, script execution continues (acts as if a _no
|
||||
lock time, script execution continues (acts as if a _no
|
||||
operation_ or OP_NOP opcode was executed). Otherwise, script
|
||||
execution halts and the transaction is deemed invalid.
|
||||
|
||||
@ -890,17 +890,17 @@ the transaction invalid if (source: BIP65):
|
||||
|
||||
1. the stack is empty; or
|
||||
2. the top item on the stack is less than 0; or
|
||||
3. the lock-time type (height versus timestamp) of the top stack item and the +nLockTime+ field are not the same; or
|
||||
4. the top stack item is greater than the transaction's +nLockTime+ field; or
|
||||
5. the +nSequence+ field of the input is 0xffffffff.
|
||||
3. the lock-time type (height versus timestamp) of the top stack item and the lock time field are not the same; or
|
||||
4. the top stack item is greater than the transaction's lock time field; or
|
||||
5. the sequence field of the input is 0xffffffff.
|
||||
|
||||
[[timelock_conflicts]]
|
||||
.Timelock conflicts
|
||||
[WARNING]
|
||||
====
|
||||
+OP_CLTV+ and +nLockTime+ use the same format to describe timelocks, either
|
||||
+OP_CLTV+ and lock time use the same format to describe timelocks, either
|
||||
a block height or the time elapsed in seconds since Unix epoch.
|
||||
Critically, when used together, the format of +nLockTime+ must match
|
||||
Critically, when used together, the format of lock time must match
|
||||
that of +OP_CLTV+ in the outputs--they must both reference either
|
||||
block height or time in seconds.
|
||||
|
||||
@ -922,10 +922,10 @@ dropped, with +OP_DROP+, for correct execution of subsequent script
|
||||
opcodes. You will often see +OP_CHECKLOCKTIMEVERIFY+ followed by +OP_DROP+ in
|
||||
scripts for this reason.
|
||||
|
||||
By using nLockTime in conjunction with +OP_CLTV+, the scenario described in
|
||||
<<locktime_limitations>> changes. Alice can no longer spend the money
|
||||
By using lock time in conjunction with +OP_CLTV+, the scenario described in
|
||||
<<lock_time_limitations>> changes. Alice can no longer spend the money
|
||||
(because it's locked with Bob's key) and Bob cannot spend it before the
|
||||
3-month locktime has expired.((("", startref="alicesseven")))
|
||||
3-month lock time has expired.((("", startref="alicesseven")))
|
||||
|
||||
By introducing timelock functionality directly into the scripting
|
||||
language, +OP_CLTV+ allows us to develop some very interesting complex
|
||||
@ -937,7 +937,7 @@ https://github.com/bitcoin/bips/blob/master/bip-0065.mediawiki[BIP65
|
||||
|
||||
==== Relative Timelocks
|
||||
|
||||
+nLockTime+ and +OP_CLTV+ are ((("timelocks", "relative timelocks",
|
||||
Lock time and +OP_CLTV+ are ((("timelocks", "relative timelocks",
|
||||
id="Trelative07")))((("scripting", "timelocks", "relative
|
||||
timelocks")))((("relative timelocks", id="relativetime07")))both
|
||||
_absolute timelocks_ in that they specify an absolute point in time. The
|
||||
@ -956,7 +956,7 @@ and Lightning Networks, as we will see in <<state_channels>>.
|
||||
Relative timelocks, like absolute timelocks, are implemented with both a
|
||||
transaction-level feature and a script-level opcode. The
|
||||
transaction-level relative timelock is implemented as a consensus rule
|
||||
on the value of +nSequence+, a transaction field that is set in every
|
||||
on the value of +sequence+, a transaction field that is set in every
|
||||
transaction input. Script-level relative timelocks are implemented with
|
||||
the +OP_CHECKSEQUENCEVERIFY+ (OP_CSV) opcode.
|
||||
|
||||
@ -976,20 +976,20 @@ the consensus rules.
|
||||
|
||||
((("scripting", "timelocks", "relative timelocks with
|
||||
CHECKSEQUENCEVERIFY")))((("CHECKSEQUENCEVERIFY (CSV)")))Just like OP_CLTV
|
||||
and +nLockTime+, there is a script opcode for relative timelocks that
|
||||
leverages the +nSequence+ value in scripts. That opcode is
|
||||
and lock time, there is a script opcode for relative timelocks that
|
||||
leverages the sequence value in scripts. That opcode is
|
||||
+OP_CHECKSEQUENCEVERIFY+, commonly referred to as +OP_CSV+ for short.
|
||||
|
||||
The +OP_CSV+ opcode when evaluated in an UTXO's script allows
|
||||
spending only in a transaction whose input +nSequence+ value is greater
|
||||
spending only in a transaction whose input sequence value is greater
|
||||
than or equal to the +OP_CSV+ parameter. Essentially, this restricts
|
||||
spending the UTXO until a certain number of blocks or seconds have
|
||||
elapsed relative to the time the UTXO was mined.
|
||||
|
||||
As with CLTV, the value in +OP_CSV+ must match the format in the
|
||||
corresponding +nSequence+ value. If +OP_CSV+ is specified in terms of
|
||||
blocks, then so must +nSequence+. If +OP_CSV+ is specified in terms of
|
||||
seconds, then so must +nSequence+.
|
||||
corresponding sequence value. If +OP_CSV+ is specified in terms of
|
||||
blocks, then so must sequence. If +OP_CSV+ is specified in terms of
|
||||
seconds, then so must sequence.
|
||||
|
||||
[WARNING]
|
||||
====
|
||||
@ -1156,7 +1156,7 @@ OP_ENDIF
|
||||
OP_CHECKSIG
|
||||
----
|
||||
|
||||
Looking at this redeemScript, you may be wondering: "Where is the
|
||||
Looking at this redeem script, you may be wondering: "Where is the
|
||||
condition? There is nothing preceding the +IF+ clause!"
|
||||
|
||||
The condition is not part of the script. Instead, the condition
|
||||
@ -1182,11 +1182,11 @@ known as +OP_0+, pushes an empty byte array to the stack.
|
||||
<Bob's Sig> OP_FALSE
|
||||
----
|
||||
|
||||
Bob's scriptSig causes the +OP_IF+ clause
|
||||
Bob's input script causes the +OP_IF+ clause
|
||||
to execute the second (+OP_ELSE+) script, which requires Bob's signature.
|
||||
|
||||
Since +OP_IF+ clauses can be nested, we can create a "maze" of execution
|
||||
paths. The scriptSig can provide a "map" selecting which
|
||||
paths. The input script can provide a "map" selecting which
|
||||
execution path is actually executed:
|
||||
|
||||
----
|
||||
@ -1202,18 +1202,18 @@ OP_ENDIF
|
||||
----
|
||||
|
||||
In this scenario, there are three execution paths (+subscript A+, +subscript
|
||||
B+, and +subscript C+). The scriptSig provides a path in the form of
|
||||
B+, and +subscript C+). The input script provides a path in the form of
|
||||
a sequence of +TRUE+ or +FALSE+ values. To select path +subscript B+, for
|
||||
example, the scriptSig must end in +OP_1 OP_0+ (+TRUE+, +FALSE+). These
|
||||
example, the input script must end in +OP_1 OP_0+ (+TRUE+, +FALSE+). These
|
||||
values will be pushed onto the stack, so that the second value (+FALSE+)
|
||||
ends up at the top of the stack. The outer +OP_IF+ clause pops the +FALSE+
|
||||
value and executes the first +OP_ELSE+ clause. Then the +TRUE+ value moves
|
||||
to the top of the stack and is evaluated by the inner (nested) +OP_IF+,
|
||||
selecting the +B+ execution path.
|
||||
|
||||
Using this construct, we can build redeemScripts with tens or hundreds
|
||||
Using this construct, we can build redeem scripts with tens or hundreds
|
||||
of execution paths, each offering a different way to redeem the UTXO. To
|
||||
spend, we construct an scriptSig that navigates the execution
|
||||
spend, we construct an input script that navigates the execution
|
||||
path by putting the appropriate +TRUE+ and +FALSE+ values on the stack
|
||||
at each flow control point.((("", startref="Sflow07")))((("",
|
||||
startref="flow07")))((("", startref="condition07")))
|
||||
@ -1242,7 +1242,7 @@ partner signatures. Finally, if all partners are unavailable or
|
||||
incapacitated for a while, they want the lawyer to be able to manage the
|
||||
account directly.
|
||||
|
||||
Here's the redeemScript that Mohammed designs to achieve this (line
|
||||
Here's the redeem script that Mohammed designs to achieve this (line
|
||||
number prefixed as XX):
|
||||
|
||||
[[variable_timelock_multisig]]
|
||||
@ -1272,7 +1272,7 @@ In the first execution path, this script operates as a simple 2-of-3
|
||||
multisig with the three partners. This execution path consists of lines
|
||||
3 and 9. Line 3 sets the quorum of the multisig to +2+ (2-of-3). This
|
||||
execution path can be selected by putting +OP_TRUE OP_TRUE+ at the end of the
|
||||
scriptSig:
|
||||
input script:
|
||||
|
||||
.Spending data for the first execution path (2-of-3 multisig)
|
||||
----
|
||||
@ -1282,7 +1282,7 @@ OP_0 <Mohammed's Sig> <Zaira's Sig> OP_TRUE OP_TRUE
|
||||
|
||||
[TIP]
|
||||
====
|
||||
The +OP_0+ at the beginning of this scriptSig is because of an oddity in
|
||||
The +OP_0+ at the beginning of this input script is because of an oddity in
|
||||
+OP_CHECKMULTISIG+ that pops an extra value from the stack. The extra value
|
||||
is disregarded by the +OP_CHECKMULTISIG+, but it must be present or the
|
||||
script fails. Pushing an empty byte array with +OP_0+ is a workaround to the oddity, as
|
||||
@ -1293,7 +1293,7 @@ The second execution path can only be used after 30 days have elapsed
|
||||
from the creation of the UTXO. At that time, it requires the signature
|
||||
of Abdul the lawyer and one of the three partners (a 1-of-3 multisig).
|
||||
This is achieved by line 7, which sets the quorum for the multisig to
|
||||
+1+. To select this execution path, the scriptSig would end in
|
||||
+1+. To select this execution path, the input script would end in
|
||||
+OP_FALSE OP_TRUE+:
|
||||
|
||||
.Spending data for the second execution path (Lawyer + 1-of-3)
|
||||
@ -1310,9 +1310,9 @@ stack and +TRUE+ is pushed on top of it.
|
||||
|
||||
Finally, the third execution path allows Abdul the lawyer to spend the
|
||||
funds alone, but only after 90 days. To select this execution path, the
|
||||
scriptSig has to end in +OP_FALSE+:
|
||||
input script has to end in +OP_FALSE+:
|
||||
|
||||
.ScriptSig for the third execution path (Lawyer only)
|
||||
.Input script for the third execution path (Lawyer only)
|
||||
----
|
||||
<Abdul's Sig> OP_FALSE
|
||||
----
|
||||
@ -1333,9 +1333,9 @@ inside a P2SH script.
|
||||
===== Pay-to-Witness-Public-Key-Hash (P2WPKH)
|
||||
|
||||
Let's start by looking at the example of a P2PKH
|
||||
scriptPubKey:
|
||||
output script:
|
||||
|
||||
.Example P2PKH scriptPubKey
|
||||
.Example P2PKH output script
|
||||
----
|
||||
OP_DUP OP_HASH160 ab68025513c3dbd2f7b92a94e0581f5d50f654e7 OP_EQUALVERIFY OP_CHECKSIG
|
||||
----
|
||||
@ -1349,7 +1349,7 @@ to the same public key, it would look like this:
|
||||
0 ab68025513c3dbd2f7b92a94e0581f5d50f654e7
|
||||
----
|
||||
|
||||
As you can see, a P2WPKH scriptPubKey is much
|
||||
As you can see, a P2WPKH output script is much
|
||||
simpler than the P2PKH equivalent. It consists of two values that are
|
||||
pushed on to the script evaluation stack. To an old (nonsegwit-aware)
|
||||
Bitcoin client, the two pushes would look like an output that anyone can
|
||||
@ -1366,7 +1366,7 @@ would have to include a signature within the transaction input:
|
||||
.Decoded transaction showing a P2PKH output being spent with a signature
|
||||
----
|
||||
[...]
|
||||
“Vin” : [
|
||||
"vin" : [
|
||||
"txid": "0627052b6f28912f2703066a912ea577f2ce4da4caa5a5fbd8a57286c345c2f2",
|
||||
"vout": 0,
|
||||
"scriptSig": “<Bob’s scriptSig>”,
|
||||
@ -1376,12 +1376,12 @@ would have to include a signature within the transaction input:
|
||||
|
||||
However, to spend the P2PKH output, the transaction has no
|
||||
signature on that input. Instead, Bob’s transaction has an empty
|
||||
+scriptSig+ and includes a witness field:
|
||||
input script and includes a witness structure:
|
||||
|
||||
.Decoded transaction showing a P2WPKH output being spent with a witness field
|
||||
.Decoded transaction showing a P2WPKH output being spent with a witness structure
|
||||
----
|
||||
[...]
|
||||
“Vin” : [
|
||||
"vin" : [
|
||||
"txid": "0627052b6f28912f2703066a912ea577f2ce4da4caa5a5fbd8a57286c345c2f2",
|
||||
"vout": 0,
|
||||
"scriptSig": “”,
|
||||
@ -1424,21 +1424,21 @@ saw this type of script in <<p2sh>>. In that example, P2SH was used by
|
||||
Mohammed's company to express a multisignature script. Payments to
|
||||
Mohammed's company were encoded with a script like this:
|
||||
|
||||
.Example P2SH scriptPubKey
|
||||
.Example P2SH output script
|
||||
----
|
||||
OP_HASH160 54c557e07dde5bb6cb791c7a540e0a4796f5e97e OP_EQUAL
|
||||
----
|
||||
|
||||
This P2SH script references the hash of a _redeemScript_ that defines a
|
||||
This P2SH script references the hash of a _redeem script_ that defines a
|
||||
2-of-3 multisignature requirement to spend funds. To spend this output,
|
||||
Mohammed's company would present the redeemScript (whose hash matches
|
||||
Mohammed's company would present the redeem script (whose hash matches
|
||||
the script hash in the P2SH output) and the signatures necessary to
|
||||
satisfy that redeemScript, all inside the transaction input:
|
||||
satisfy that redeem script, all inside the transaction input:
|
||||
|
||||
.Decoded transaction showing a P2SH output being spent
|
||||
----
|
||||
[...]
|
||||
“Vin” : [
|
||||
"vin" : [
|
||||
"txid": "abcdef12345...",
|
||||
"vout": 0,
|
||||
"scriptSig": “<SigA> <SigB> <2 PubA PubB PubC PubD PubE 5 OP_CHECKMULTISIG>”,
|
||||
@ -1450,7 +1450,7 @@ If Mohammed's customers were using a segwit-compatible wallet, they
|
||||
would make a payment, creating a Pay-to-Witness-Script-Hash (P2WSH)
|
||||
output that would look like this:
|
||||
|
||||
.Example P2WSH scriptPubKey
|
||||
.Example P2WSH output script
|
||||
----
|
||||
0 a9b7b38d972cabc7961dbfbcb841ad4508d133c47ba87457b4a0e8aae86dbb89
|
||||
----
|
||||
@ -1458,7 +1458,7 @@ output that would look like this:
|
||||
Again, as with the example of P2WPKH, you can see that the Segregated
|
||||
Witness equivalent script is a lot simpler and reduces the template
|
||||
overhead that you see in P2SH scripts. Instead, the Segregated Witness
|
||||
scriptPubKey consists of two values pushed to the stack: a witness version
|
||||
output script consists of two values pushed to the stack: a witness version
|
||||
(0) and the 32-byte SHA256 hash of the witness script.
|
||||
|
||||
[TIP]
|
||||
@ -1475,13 +1475,13 @@ Mohammed's company can spend the P2WSH output by presenting the
|
||||
correct witness script and sufficient signatures to satisfy it. Both the
|
||||
witness script and the signatures would be
|
||||
included as part of the witness data. No data would be placed in the
|
||||
scriptSig because this is a native witness program, which does not use
|
||||
the legacy scriptSig field.
|
||||
input script because this is a native witness program, which does not use
|
||||
the legacy input script field.
|
||||
|
||||
.Decoded transaction showing a P2WSH output being spent with witness data
|
||||
----
|
||||
[...]
|
||||
“Vin” : [
|
||||
"vin" : [
|
||||
"txid": "abcdef12345...",
|
||||
"vout": 0,
|
||||
"scriptSig": “”,
|
||||
@ -1516,7 +1516,7 @@ Witness is a two-step process. First, wallets must create segwit
|
||||
type outputs. Then, these outputs can be spent by wallets that know how
|
||||
to construct Segregated Witness transactions. In the examples, Alice's
|
||||
wallet is able to create outputs paying
|
||||
Segregated Witness scriptPubKeys. Bob's wallet is also segwit-aware and able
|
||||
Segregated Witness output scripts. Bob's wallet is also segwit-aware and able
|
||||
to spend those outputs.
|
||||
|
||||
Segregated Witness was implemented as a
|
||||
@ -1587,7 +1587,7 @@ echo \
|
||||
3e0547268b3b19288b3adef9719ec8659f4b2b0b
|
||||
----
|
||||
|
||||
Next, the redeemScript hash is converted to a Bitcoin address. Let's
|
||||
Next, the redeem script hash is converted to a Bitcoin address. Let's
|
||||
use +bx+ on the command-line again:
|
||||
|
||||
.P2SH address
|
||||
@ -1625,7 +1625,7 @@ company, regardless of whether their wallets are upgraded for segwit,
|
||||
Mohammed's wallet can embed the P2WSH witness program inside a P2SH
|
||||
script.
|
||||
|
||||
First, Mohammed's wallet hashes the redeemScript with SHA256 (just
|
||||
First, Mohammed's wallet hashes the redeem script with SHA256 (just
|
||||
once). Let's use +bx+ to do that on the command-line:
|
||||
|
||||
.Mohammed's wallet creates a P2WSH witness program
|
||||
@ -1641,7 +1641,7 @@ echo \
|
||||
9592d601848d04b172905e0ddb0adde59f1590f1e553ffc81ddc4b0ed927dd73
|
||||
----
|
||||
|
||||
Next, the hashed redeemScript is turned into a P2WSH witness program:
|
||||
Next, the hashed redeem script is turned into a P2WSH witness program:
|
||||
|
||||
----
|
||||
0 9592d601848d04b172905e0ddb0adde59f1590f1e553ffc81ddc4b0ed927dd73
|
||||
|
@ -384,8 +384,8 @@ https://bitcoinops.org/en/compatibility/#replace-by-fee-rbf
|
||||
|
||||
As a developer, if you plan to implement RBF fee bumping, you will first
|
||||
need to implement the signaling specified in BIP125, which is a simple
|
||||
modification to any one of the nSequence fields in a transaction (see
|
||||
<<nsequence>>).
|
||||
modification to any one of the sequence fields in a transaction (see
|
||||
<<sequence>>).
|
||||
|
||||
When you need to fee bump a transaction, you will simply create a new
|
||||
transaction that spends at least one of the same UTXOs as the original
|
||||
@ -727,11 +727,11 @@ higher than total fees per block. But at some point in the future,
|
||||
transaction fees will be the majority of the reward (or even the
|
||||
entirety of the reward). At that time, this scenario becomes inevitable.
|
||||
|
||||
Several wallets discourage fee sniping by creating transactions with an
|
||||
+nLocktime+ that limits those transactions to being included in the next
|
||||
Several wallets discourage fee sniping by creating transactions with a
|
||||
lock time that limits those transactions to being included in the next
|
||||
block or any later block. In our
|
||||
scenario, our wallet would set +nLocktime+ to 100,001 on any
|
||||
transaction it created. Under normal circumstances, this +nLocktime+ has
|
||||
scenario, our wallet would set lock time to 100,001 on any
|
||||
transaction it created. Under normal circumstances, this lock time has
|
||||
no effect—the transactions could only be included in block
|
||||
#100,001 anyway; it's the next block.
|
||||
|
||||
@ -745,7 +745,7 @@ This does not entirely prevent fee sniping, but it does make it less
|
||||
profitable in some cases and so can help preserve the stability of the
|
||||
Bitcoin network as the block subsidy declines. We recommend all wallets
|
||||
implement anti fee sniping when it doesn't interfere with the wallet's
|
||||
other uses of the nLockTime field.
|
||||
other uses of the lock time field.
|
||||
|
||||
As Bitcoin continues to mature, and as the subsidy continues to decline,
|
||||
fees become more and more important to Bitcoin users, both in their
|
||||
|
@ -186,8 +186,8 @@ different subsets of the data in the transaction. By including the
|
||||
|
||||
[NOTE]
|
||||
====
|
||||
All +SIGHASH+ types sign the transaction +nLocktime+ field (see
|
||||
<<nlocktime>>). In addition, the +SIGHASH+ type
|
||||
All +SIGHASH+ types sign the transaction lock time field (see
|
||||
<<lock_time>>). In addition, the +SIGHASH+ type
|
||||
itself is appended to the transaction before it is signed, so that it
|
||||
can't be modified once signed.
|
||||
====
|
||||
@ -219,7 +219,7 @@ even if they haven't reached the specified value.
|
||||
+NONE+ :: This construction can be used to create a "bearer check" or
|
||||
"blank check" of a specific amount. It commits to the input, but allows
|
||||
the output script to be changed. Anyone can write their own
|
||||
Bitcoin address into the output scriptPubKey. However, the output value
|
||||
Bitcoin address into the output script. However, the output value
|
||||
itself cannot be changed. By itself, this allows any miner to change
|
||||
the output destination and claim the funds for themselves, but if other
|
||||
required signatures in the transaction use +SIGHASH_ALL+ or another type
|
||||
|
@ -83,7 +83,7 @@ in the transaction and describe any additional fields that they contain.
|
||||
.A byte map of Alice's transaction
|
||||
image::../images/tx-map-1.png["A byte map of Alice's transaction"]
|
||||
|
||||
[[nVersion]]
|
||||
[[version]]
|
||||
=== Version
|
||||
|
||||
The first four bytes of a serialized Bitcoin transaction are its
|
||||
@ -94,7 +94,7 @@ described throughout this book.
|
||||
|
||||
Version 2 Bitcoin transactions were introduced in the BIP68 soft fork
|
||||
change to Bitcoin's consensus rules. BIP68 places additional
|
||||
constraints on the nSequence field, but those constraints only apply to
|
||||
constraints on the sequence field, but those constraints only apply to
|
||||
transactions with version 2 or higher. Version 1 transactions are
|
||||
unaffected. BIP112, which was part of the same soft fork as BIP68,
|
||||
upgraded an opcode (OP_CHECKSEQUENCEVERIFY) which will now fail if it is
|
||||
@ -116,7 +116,7 @@ Network, depend on pre-signed transactions.
|
||||
|
||||
This creates a challenge for protocol developers when they assist users
|
||||
in upgrading the Bitcoin consensus protocol. Adding new
|
||||
constraints--such as BIP68 did to the nSequence field--may invalidate
|
||||
constraints--such as BIP68 did to the sequence field--may invalidate
|
||||
some pre-signed transactions. If there's no way to create a new
|
||||
signature for an equivalent transaction, then the money being spent in
|
||||
the pre-signed transaction is permanently lost.
|
||||
@ -125,7 +125,7 @@ This problem is solved by reserving some transaction features for
|
||||
upgrades, such as version numbers. Anyone creating pre-signed
|
||||
transactions prior to BIP68 should have been using version 1
|
||||
transactions, so only applying BIP68's additional constraints on
|
||||
nSequence to transactions v2 or higher should not invalidate any
|
||||
sequence to transactions v2 or higher should not invalidate any
|
||||
pre-signed transactions.
|
||||
|
||||
If you implement a protocol that uses pre-signed transactions, ensure
|
||||
@ -150,8 +150,8 @@ part of the Segregated Witness (segwit) soft fork change to Bitcoin's
|
||||
consensus rules. The rules were changed according to BIPs 141 and 143,
|
||||
but the _extended serialization format_ is defined in BIP144.
|
||||
|
||||
If the transaction includes a witness field (which we'll describe in
|
||||
<<witnesses>>), the marker must be zero (0x00) and the flag must be
|
||||
If the transaction includes a witness structure (which we'll describe in
|
||||
<<witness_structure>>), the marker must be zero (0x00) and the flag must be
|
||||
non-zero. In the current P2P protocol, the flag should always be one
|
||||
(0x01); alternative flags are reserved for later protocol upgrades.
|
||||
|
||||
@ -177,9 +177,9 @@ map of those bytes in <<alice_tx_input_map>>.
|
||||
.Map of bytes in the input field of Alice's transaction
|
||||
image::../images/input-byte-map.png["map of bytes in the input field of Alice's transaction"]
|
||||
|
||||
==== Inputs Count
|
||||
==== Length of transaction input list
|
||||
|
||||
The input field starts with an integer indicating the number of inputs
|
||||
The transaction input list starts with an integer indicating the number of inputs
|
||||
in the transaction. The minimum value is one. There's no explicit
|
||||
maximum value, but restrictions on the maximum size of a transaction
|
||||
effectively limit transactions to a few thousand inputs. The number is
|
||||
@ -210,7 +210,8 @@ For numbers from 0 to 252, compactSize unsigned integers are identical
|
||||
to the C-language data type +uint8_t+, which is probably the native
|
||||
encoding familiar to any programmer. For other numbers up to
|
||||
0xffffffffffffffff, a byte is prefixed to the number to indicate its
|
||||
length—but otherwise the numbers look like regular unsigned integers.
|
||||
length—but otherwise the numbers look like regular C-language encoded
|
||||
unsigned integers.
|
||||
|
||||
[cols="1,1,1"]
|
||||
|===
|
||||
@ -226,9 +227,9 @@ Each input in a transaction must contain three fields:
|
||||
|
||||
- An _outpoint_ field
|
||||
|
||||
- A length-prefixed _scriptSig_ field
|
||||
- A length-prefixed _input script_ field
|
||||
|
||||
- An _nSequence_
|
||||
- A _sequence_
|
||||
|
||||
We'll look at each of those fields in the following sections. Some
|
||||
inputs also include a witness, but this is serialized at the end of a
|
||||
@ -252,7 +253,7 @@ This txid is in Bitcoin's internal byte order for hashes, see
|
||||
|
||||
Because transactions may contain multiple outputs, Alice also needs to
|
||||
identify which particular output from that transaction to use, called
|
||||
its output vector (_vout_). Output vectors are four-byte unsigned
|
||||
its _output index_. Output indices are four-byte unsigned
|
||||
integers indexed from zero.
|
||||
|
||||
When a full node encounters an outpoint, it uses that information to
|
||||
@ -348,14 +349,14 @@ _little-endian byte order_ for the internal version and _big-endian byte
|
||||
order_ for the display version.
|
||||
****
|
||||
|
||||
==== ScriptSig
|
||||
==== Input script
|
||||
|
||||
The scriptSig field is a remnant of the legacy transaction format. Our
|
||||
The input script field is a remnant of the legacy transaction format. Our
|
||||
example transaction input spends a native segwit output which doesn't
|
||||
require any data in the scriptSig, so the length prefix for the
|
||||
scriptSig is set to zero (0x00).
|
||||
require any data in the input script, so the length prefix for the
|
||||
input script is set to zero (0x00).
|
||||
|
||||
For an example of a length-prefixed scriptSig that spends a legacy
|
||||
For an example of a length-prefixed input script that spends a legacy
|
||||
output, we use one from an arbitrary transaction in the most recent
|
||||
block as of this writing:
|
||||
|
||||
@ -367,23 +368,23 @@ fa2580bb664b020220366060ea8203d766722ed0a02d1599b99d3c95b97dab8e
|
||||
----
|
||||
|
||||
The length prefix is a compactSize unsigned integer indicating the
|
||||
length of the serialized scriptSig field. In this case, it's a single
|
||||
byte (0x6b) indicating the scriptSig is 107 bytes. We'll cover parsing
|
||||
length of the serialized input script field. In this case, it's a single
|
||||
byte (0x6b) indicating the input script is 107 bytes. We'll cover parsing
|
||||
and using scripts in detail in the next chapter,
|
||||
<<c_authorization_authentication>>.
|
||||
|
||||
[[nsequence]]
|
||||
==== nSequence
|
||||
[[sequence]]
|
||||
==== Sequence
|
||||
|
||||
The final four bytes of an input are its sequence number, called
|
||||
_nSequence_. The use and meaning of this field has changed over time.
|
||||
The final four bytes of an input are its _sequence_ number.
|
||||
The use and meaning of this field has changed over time.
|
||||
|
||||
[[original_tx_replacement]]
|
||||
===== Original nSequence-based Transaction Replacement
|
||||
===== Original Sequence-Based Transaction Replacement
|
||||
|
||||
The +nSequence+ field was originally intended to allow creation of
|
||||
The sequence field was originally intended to allow creation of
|
||||
multiple versions of the same transaction, with later versions replacing
|
||||
earlier versions as candidates for confirmation. The nSequence number
|
||||
earlier versions as candidates for confirmation. The sequence number
|
||||
tracked the version of the transaction.
|
||||
|
||||
For example, imagine Alice and Bob want to bet on a game of cards. They
|
||||
@ -399,27 +400,27 @@ output:
|
||||
the transaction at this time. They only need it if there's a problem.
|
||||
|
||||
- Alice wins the first round of the card game, so the second version of
|
||||
the transaction, with nSequence 1, increases the amount of money paid
|
||||
the transaction, with sequence 1, increases the amount of money paid
|
||||
to Alice and decreases Bob's share. They both sign the updated
|
||||
transaction. Again, they don't need to broadcast this version of the
|
||||
transaction unless there's a problem.
|
||||
|
||||
- Bob wins the second round, so the nSequence is incremented to 2,
|
||||
- Bob wins the second round, so the sequence is incremented to 2,
|
||||
Alice's share is decreased, and Bob's share is increased. They again
|
||||
sign but don't broadcast.
|
||||
|
||||
- After many more rounds where the nSequence is incremented, the
|
||||
- After many more rounds where the sequence is incremented, the
|
||||
funds redistributed, and the resulting transaction is signed but not
|
||||
broadcast, they decide to finalize the transaction. Creating a
|
||||
transaction with the final balance of funds, they set nSequence to its
|
||||
transaction with the final balance of funds, they set sequence to its
|
||||
maximum value (0xffffffff), finalizing the transaction. They broadcast
|
||||
this version of the transaction, it's relayed across the network, and
|
||||
eventually confirmed by miners.
|
||||
|
||||
We can see the replacement rules for nSequence at work if we consider
|
||||
We can see the replacement rules for sequence at work if we consider
|
||||
alternative scenarios:
|
||||
|
||||
- Imagine that Alice broadcasts the final transaction, with an nSequence of
|
||||
- Imagine that Alice broadcasts the final transaction, with a sequence of
|
||||
0xffffffff, and then Bob broadcasts one of the earlier transactions
|
||||
where his balance was higher. Because Bob's version of the
|
||||
transaction has a lower sequence number, full nodes using the original
|
||||
@ -429,7 +430,7 @@ alternative scenarios:
|
||||
- In another scenario, imagine that Bob broadcasts an earlier version of
|
||||
the transaction a few seconds before Alice broadcasts the final
|
||||
version. Nodes will relay Bob's version and miners will attempt to
|
||||
mine it, but when Alice's version with its higher nSequence number
|
||||
mine it, but when Alice's version with its higher sequence number
|
||||
arrives, nodes will also relay it and miners using the original
|
||||
Bitcoin code will try to mine it instead of Bob's version. Unless Bob
|
||||
got lucky and a block was discovered before Alice's version arrived,
|
||||
@ -442,7 +443,7 @@ the protocol to support them. We'll learn about several of those other
|
||||
features later and also discover how modern versions of payment channels
|
||||
are increasingly being used in Bitcoin today.
|
||||
|
||||
There were a few problems with purely nSequence-based payment channels.
|
||||
There were a few problems with purely sequence-based payment channels.
|
||||
The first was that the rules for replacing a lower-sequence transaction
|
||||
with a higher-sequence transaction were only a matter of software
|
||||
policy. There was no direct incentive for miners to prefer one version
|
||||
@ -465,27 +466,27 @@ need to pay any costs for the enormous burden they placed on full node
|
||||
operators.
|
||||
|
||||
To eliminate the risk of this attack, the original type of
|
||||
nSequence-based transaction replacement was disabled in an early version
|
||||
sequence-based transaction replacement was disabled in an early version
|
||||
of the Bitcoin software. For several years, Bitcoin full nodes would
|
||||
not allow an unconfirmed transaction containing a particular input (as
|
||||
indicated by its outpoint) to be replaced by a different transaction
|
||||
containing the same input. However, that situation didn't last forever.
|
||||
|
||||
[[nsequence-bip125]]
|
||||
[[sequence-bip125]]
|
||||
===== Opt-in Transaction Replacement Signaling
|
||||
|
||||
After the original nSequence-based transaction replacement was disabled
|
||||
After the original sequence-based transaction replacement was disabled
|
||||
due to the potential for abuse, a solution was proposed: programming
|
||||
Bitcoin Core and other relaying full node software to allow a
|
||||
transaction that paid a higher transaction fee rate to replace a
|
||||
conflicting transaction that paid a lower fee rate. This is called
|
||||
_Replace-By-Fee_, or _RBF_ for short. Some users and businesses
|
||||
objected to adding support for transaction replacement back into Bitcoin
|
||||
Core, so a compromise was reached that once again used the nSequence
|
||||
Core, so a compromise was reached that once again used the sequence
|
||||
field in support of replacement.
|
||||
|
||||
As documented in BIP125, an unconfirmed transaction with any input that
|
||||
has an nSequence set to a value below 0xfffffffe (i.e., at least 2 below
|
||||
has an sequence set to a value below 0xfffffffe (i.e., at least 2 below
|
||||
the maximum value) signals to the network that its signer wants it to be
|
||||
replaceable by a conflicting transaction paying a higher fee rate.
|
||||
Bitcoin Core allowed those unconfirmed transactions to be replaced and
|
||||
@ -495,56 +496,56 @@ ignore unconfirmed transactions containing the BIP125 signal until they
|
||||
became confirmed.
|
||||
|
||||
There's more to modern transaction replacement policies than fee rates
|
||||
and nSequence signals, which we'll see in <<rbf>>.
|
||||
and sequence signals, which we'll see in <<rbf>>.
|
||||
|
||||
[[relative_timelocks]]
|
||||
===== nSequence as a consensus-enforced relative timelock
|
||||
===== Sequence as a consensus-enforced relative timelock
|
||||
|
||||
In the <<nVersion>> section, we learned that the BIP68 soft fork added
|
||||
In the <<version>> section, we learned that the BIP68 soft fork added
|
||||
a new constraint to transactions with version numbers 2 or higher. That
|
||||
constraint applies to the nSequence field.
|
||||
constraint applies to the sequence field.
|
||||
|
||||
Transaction inputs with +nSequence+ values less than 2^31^ are
|
||||
Transaction inputs with sequence values less than 2^31^ are
|
||||
interpreted as having a relative timelock. Such a transaction may only
|
||||
be included in the blockchain once the previous output (referenced by the
|
||||
outpoint) has aged by the relative timelock amount. For example, a
|
||||
transaction with one input with a relative timelock of 30 blocks can
|
||||
only be confirmed after least 30 blocks have elapsed from the time the
|
||||
previous output was confirmed in a block on the current blockchain.
|
||||
Since +nSequence+ is a per-input field, a transaction may contain any
|
||||
Since sequence is a per-input field, a transaction may contain any
|
||||
number of timelocked inputs, all of which must have sufficiently aged
|
||||
for the transaction to be valid. A transaction can include both
|
||||
timelocked inputs (+nSequence+ < 2^31^) and inputs without a relative
|
||||
timelock (+nSequence+ >= 2^31^).
|
||||
timelocked inputs (sequence < 2^31^) and inputs without a relative
|
||||
timelock (sequence >= 2^31^).
|
||||
|
||||
The +nSequence+ value is specified in either blocks or seconds.
|
||||
The sequence value is specified in either blocks or seconds.
|
||||
A type-flag
|
||||
is used to differentiate between values counting blocks and values
|
||||
counting time in seconds. The type-flag is set in the 23rd
|
||||
least-significant bit (i.e., value 1<<22). If the type-flag is set, then
|
||||
the +nSequence+ value is interpreted as a multiple of 512 seconds. If
|
||||
the type-flag is not set, the +nSequence+ value is interpreted as a
|
||||
the sequence value is interpreted as a multiple of 512 seconds. If
|
||||
the type-flag is not set, the sequence value is interpreted as a
|
||||
number of blocks.
|
||||
|
||||
|
||||
When interpreting +nSequence+ as a relative timelock, only the 16 least
|
||||
When interpreting sequence as a relative timelock, only the 16 least
|
||||
significant bits are considered. Once the flags (bits 32 and 23) are
|
||||
evaluated, the +nSequence+ value is usually "masked" with a 16-bit mask
|
||||
(e.g., +nSequence+ & 0x0000FFFF). The multiple of 512 seconds is
|
||||
evaluated, the sequence value is usually "masked" with a 16-bit mask
|
||||
(e.g., +sequence+ & 0x0000FFFF). The multiple of 512 seconds is
|
||||
roughly equal to the average amount of time between blocks, so the
|
||||
maximum relative timelock in both blocks and seconds from 16 bits
|
||||
(2^16^) is about one year.
|
||||
|
||||
<<bip_68_def_of_nseq>> shows the binary layout of the +nSequence+ value,
|
||||
<<bip_68_def_of_nseq>> shows the binary layout of the sequence value,
|
||||
as defined by BIP68.
|
||||
|
||||
[[bip_68_def_of_nseq]]
|
||||
.BIP68 definition of nSequence encoding (Source: BIP68)
|
||||
image::../images/mbc2_0701.png["BIP68 definition of nSequence encoding"]
|
||||
.BIP68 definition of sequence encoding (Source: BIP68)
|
||||
image::../images/mbc2_0701.png["BIP68 definition of sequence encoding"]
|
||||
|
||||
Note that any transaction which sets a relative timelock using nSequence
|
||||
Note that any transaction which sets a relative timelock using sequence
|
||||
also sends the signal for opt-in replace-by-fee as described in
|
||||
<<nsequence-bip125>>.
|
||||
<<sequence-bip125>>.
|
||||
|
||||
=== Outputs
|
||||
|
||||
@ -566,10 +567,10 @@ transaction. It's a compactSize integer and must be greater than zero.
|
||||
|
||||
The example transaction has two outputs.
|
||||
|
||||
==== nValue
|
||||
==== Amount
|
||||
|
||||
The first field of a specific output is its value, also called
|
||||
_nValue_ in Bitcoin Core. This is an eight-byte signed integer indicating
|
||||
The first field of a specific output is its _amount_, also called
|
||||
"value" in Bitcoin Core. This is an eight-byte signed integer indicating
|
||||
the number of _satoshis_ to transfer. A satoshi is the smallest unit of
|
||||
bitcoin that can be represented in an onchain Bitcoin transaction.
|
||||
There are 100 million satoshis in a bitcoin.
|
||||
@ -639,39 +640,39 @@ use Utreexo.
|
||||
====
|
||||
|
||||
Bitcoin Core's policy rules about dust do have one exception: output
|
||||
scriptPubKeys starting with +OP_RETURN+, called _data carrier outputs_,
|
||||
scripts starting with +OP_RETURN+, called _data carrier outputs_,
|
||||
can have a value of zero. The OP_RETURN opcode causes the script to
|
||||
immediately fail no matter what comes after it, so these outputs can
|
||||
never be spent. That means full nodes don't need to keep track of them,
|
||||
a feature Bitcoin Core takes advantage of to allow users to store small
|
||||
amounts of arbitrary data in the blockchain without increasing the size
|
||||
of its UTXO database. Since the outputs are unspendable, they aren't
|
||||
uneconomical--any satoshis in nValue assigned to them becomes
|
||||
permanently unspendable--so allowing the nValue to be zero ensures
|
||||
uneconomical--any satoshis assigned to them becomes
|
||||
permanently unspendable--so allowing the amount to be zero ensures
|
||||
satoshis aren't being destroyed.
|
||||
|
||||
==== ScriptPubKey
|
||||
==== Output scripts
|
||||
|
||||
The output amount is followed by a compactSize integer indicating the
|
||||
length of the output's _scriptPubKey_, the script that contains the
|
||||
length of the _output script_, the script that contains the
|
||||
conditions which will need to be fulfilled in order to spend the
|
||||
bitcoins, the _spending authorization_. According to Bitcoin's
|
||||
consensus rules, the minimum size of a scriptPubKey is zero.
|
||||
consensus rules, the minimum size of an output script is zero.
|
||||
|
||||
The consensus maximum allowed size of a scriptPubKey varies depending on
|
||||
when it's being checked. There's no explicit limit on the size of a
|
||||
scriptPubKey in the output of a transaction, but a later transaction can
|
||||
only spend a previous output with a scriptPubKey of 10,000 bytes or
|
||||
smaller. Implicitly, a scriptPubKey can be almost as large as the
|
||||
The consensus maximum allowed size of an outputs script varies depending on
|
||||
when it's being checked. There's no explicit limit on the size of an
|
||||
output script in the output of a transaction, but a later transaction can
|
||||
only spend a previous output with a script of 10,000 bytes or
|
||||
smaller. Implicitly, an output script can be almost as large as the
|
||||
transaction containing it, and a transaction can be almost as large as
|
||||
the block containing it.
|
||||
|
||||
[[anyone-can-spend]]
|
||||
[TIP]
|
||||
====
|
||||
A scriptPubKey with zero length can be spent by a scriptSig containing
|
||||
OP_TRUE. Anyone can create that scriptSig, which means anyone
|
||||
can spend an empty scriptPubKey. There are an essentially unlimited
|
||||
An output script with zero length can be spent by a input script containing
|
||||
OP_TRUE. Anyone can create that input script, which means anyone
|
||||
can spend an empty output script. There are an essentially unlimited
|
||||
number of scripts which anyone can spend and they are known to Bitcoin
|
||||
protocol developers as _anyone can spends_. Upgrades to Bitcoin's
|
||||
script language often take an existing anyone-can-spend script and add
|
||||
@ -683,7 +684,7 @@ future upgrades don't accidentally interfere with your system.
|
||||
====
|
||||
|
||||
Bitcoin Core's policy for relaying and mining transactions effectively
|
||||
limits scriptPubKeys to just a few templates, called _standard
|
||||
limits output scripts to just a few templates, called _standard
|
||||
transaction outputs_. This was originally implemented after the
|
||||
discovery of several early bugs in Bitcoin related to the Script
|
||||
language and is retained in modern Bitcoin Core to support
|
||||
@ -694,8 +695,8 @@ segwit v2 (taproot) tapscripts.
|
||||
We'll look at each of the current standard transaction templates and
|
||||
learn how to parse scripts in <<c_authorization_authentication>>.
|
||||
|
||||
[[witnesses]]
|
||||
=== Witnesses
|
||||
[[witness_structure]]
|
||||
=== Witness structure
|
||||
|
||||
In court, a witness is someone who testifies that they saw something
|
||||
important happen. Human witnesses aren't always reliable, so courts
|
||||
@ -743,10 +744,10 @@ Witnesses, the values used to solve the math problems that protect
|
||||
bitcoins, need to be included in the transactions where they're used in
|
||||
order for full nodes to verify them. In the legacy transaction format
|
||||
used for all early Bitcoin transactions, signatures and other data are
|
||||
placed in the scriptSig field. However, when developers started to
|
||||
placed in the input script field. However, when developers started to
|
||||
implement contract protocols on Bitcoin, such as we saw in
|
||||
<<original_tx_replacement>>, they discovered several significant
|
||||
problems with placing witnesses in the scriptSig field.
|
||||
problems with placing witnesses in the input script field.
|
||||
|
||||
==== Circular Dependencies
|
||||
|
||||
@ -758,7 +759,7 @@ other person becomes unresponsive. A simple solution is to sign
|
||||
transactions out of order.
|
||||
|
||||
- Tx~0~ pays money from Alice and money from Bob into an output with a
|
||||
scriptPubKey that requries signatures from both Alice and Bob to spend
|
||||
script that requries signatures from both Alice and Bob to spend
|
||||
|
||||
- Tx~1~ spends the previous output to two outputs, one refunding Alice
|
||||
her money and one refunding Bob his money (minus a small amount for
|
||||
@ -770,7 +771,7 @@ transactions out of order.
|
||||
protocol_.
|
||||
|
||||
A problem with this construction in the legacy transaction format is
|
||||
that every field, including the scriptSig field which contains
|
||||
that every field, including the input script field which contains
|
||||
signatures, is used to build a transaction's identifier (txid). The
|
||||
txid for Tx~0~ is part of the input's outpoint in Tx~1~. That means
|
||||
there's no way for Alice and Bob to construct Tx~1~ until both
|
||||
@ -784,13 +785,13 @@ _circular dependency_.
|
||||
A more complex series of transactions can sometimes eliminate a circular
|
||||
dependency, but many protocols will then encounter a new concern: it's
|
||||
often possible to solve the same script in different ways. For example,
|
||||
consider our simple script from <<witnesses>>:
|
||||
consider our simple script from <<witness_structure>>:
|
||||
|
||||
----
|
||||
2 OP_ADD 4 OP_EQUAL
|
||||
----
|
||||
|
||||
We can make this script pass by providing the value _2_ in a scriptSig,
|
||||
We can make this script pass by providing the value _2_ in a input script,
|
||||
but there are several ways to put that value on the stack in Bitcoin.
|
||||
Here are just a few:
|
||||
|
||||
@ -811,7 +812,7 @@ OP_PUSHDATA4 0x000000020002
|
||||
...
|
||||
----
|
||||
|
||||
Each alternative encoding of the number _2_ in a scriptSig will produce
|
||||
Each alternative encoding of the number _2_ in an input script will produce
|
||||
a slightly different transaction with a completely different txid. Each
|
||||
different version of the transaction spends the same inputs (outpoints)
|
||||
as every other version of the transaction, making them all _conflict_
|
||||
@ -819,7 +820,7 @@ with each other. Only one version of a set of conflicting transactions
|
||||
can be contained within a valid blockchain.
|
||||
|
||||
Imagine Alice creates one version of the transaction with +OP_2+ in the
|
||||
scriptSig and an output that pays Bob. Bob then immediately spends that
|
||||
input script and an output that pays Bob. Bob then immediately spends that
|
||||
output to Carol. Anyone on the network can replace +OP_2+ with
|
||||
+OP_PUSH1 0x02+, creating a conflict with Alice's original version. If
|
||||
that conflicting transaction is confirmed, then there's no way to
|
||||
@ -855,7 +856,7 @@ that person could generate alternative signatures and so change the txid.
|
||||
|
||||
For example, Alice and Bob have deposited their money into a script
|
||||
requiring a signature from both of them to spend. They've also created
|
||||
a refund transaction that allows each of the to get their money back at
|
||||
a refund transaction that allows each of them to get their money back at
|
||||
any time. Alice decides she wants to spend just some of the
|
||||
money, so she cooperates with Bob to create a chain of transactions.
|
||||
|
||||
@ -892,9 +893,9 @@ mutation is called _unwanted second-party transaction malleability_.
|
||||
As early as https://bitcointalk.org/index.php?topic=40627.msg494697[2011],
|
||||
protocol developers knew how to solve the problems of circular
|
||||
dependence, third-party malleability, and second-party malleability. The
|
||||
idea was to avoid including the scriptSig in the calculation that
|
||||
idea was to avoid including the input script in the calculation that
|
||||
produces a transaction's txid. Recall that an abstract name for the data
|
||||
held by a scriptSig is a _witness_. The idea of separating the rest of
|
||||
held by a input script is a _witness_. The idea of separating the rest of
|
||||
the data in a transaction from its witness for the purpose of generating
|
||||
a txid is called _segregated witness_ (segwit).
|
||||
|
||||
@ -915,28 +916,28 @@ explore the details of upgrading Bitcoin's consensus rules in
|
||||
<<mining>>).
|
||||
|
||||
The soft fork segwit approach is based on anyone-can-spend
|
||||
scriptPubKeys. A script which starts with any of the numbers 0 to 16
|
||||
output scripts. A script which starts with any of the numbers 0 to 16
|
||||
and followed by 2 to 40 bytes of data is defined as a segwit
|
||||
scriptPubKey template. The number indicates its version (e.g. 0 is
|
||||
output script template. The number indicates its version (e.g. 0 is
|
||||
segwit version 0, or _segwit v0_). The data is called a _native witness
|
||||
program_. It's also possible to wrap the segwit template in a P2SH
|
||||
commitment, called a _P2SH witness program_, but we won't deal with that
|
||||
here.
|
||||
|
||||
From the perspective of old nodes, these scriptPubKey templates can be
|
||||
spent with an empty scriptSig. From the perspective of a new node which
|
||||
is aware of the new segwit rules, any payment to a segwit scriptPubKey
|
||||
template must only be spent with an empty scriptSig. Notice the
|
||||
difference here: old nodes _allow_ an empty scriptSig; new nodes
|
||||
_require_ an empty scriptSig.
|
||||
From the perspective of old nodes, these output script templates can be
|
||||
spent with an empty input script. From the perspective of a new node which
|
||||
is aware of the new segwit rules, any payment to a segwit output script
|
||||
template must only be spent with an empty input script. Notice the
|
||||
difference here: old nodes _allow_ an empty input script; new nodes
|
||||
_require_ an empty input script.
|
||||
|
||||
An empty scriptSig keeps witnesses from affecting the txid, eliminating
|
||||
An empty input script keeps witnesses from affecting the txid, eliminating
|
||||
circular dependencies, third-party transaction malleability, and
|
||||
second-party transaction malleability. But, with no ability to put
|
||||
data in a scriptSig, users of segwit scriptPubKey templates need a
|
||||
new field. That field is called the _witness_.
|
||||
data in an input script, users of segwit output script templates need a
|
||||
new field. That field is called the _witness structure_.
|
||||
|
||||
The introduction of witnesses and witness programs complicates Bitcoin,
|
||||
The introduction of witness programs and the witness structure complicates Bitcoin,
|
||||
but it follows an existing trend of increasing abstraction. Recall from
|
||||
<<ch04_keys_addresses>> that the original Bitcoin whitepaper describes a system
|
||||
where bitcoins were received to public keys (pubkeys) and spent with
|
||||
@ -945,50 +946,50 @@ the bitcoins (whoever controlled the corresponding private key) and the
|
||||
signature provided _authentication_ that the spending transaction came
|
||||
from someone who controlled the private key. To make that system more
|
||||
flexible, the initial release of Bitcoin introduced scripts that allow
|
||||
bitcoins to be received to scriptPubKeys and spent with scriptSigs.
|
||||
bitcoins to be received to output scripts and spent with input scripts.
|
||||
Later experience with contract protocols inspired allowing bitcoins to
|
||||
be received to witness programs and spent with witnesses.
|
||||
be received to witness programs and spent with the witness structure.
|
||||
|
||||
.Terms used for authorization and authentication data in different parts of Bitcoin
|
||||
[cols="1,1,1"]
|
||||
|===
|
||||
| | **Authorization** | **Authentication**
|
||||
| **Whitepaper** | Public key | Signature
|
||||
| **Original (Legacy)** | scriptPubKey | scriptSig
|
||||
| **Segwit** | Witness program | Witness
|
||||
| **Original (Legacy)** | Output script | Input script
|
||||
| **Segwit** | Witness program | Witness structure
|
||||
|===
|
||||
|
||||
==== Witness Serialization
|
||||
==== Witness Structure Serialization
|
||||
|
||||
Similar to the inputs and outputs fields, the witness field contains
|
||||
several other fields, so we'll start with a map of those bytes from
|
||||
Similar to the inputs and outputs fields, the witness structure contains
|
||||
other fields, so we'll start with a map of those bytes from
|
||||
Alice's transaction in <<alice_tx_witness_map>>:
|
||||
|
||||
[[alice_tx_witness_map]]
|
||||
.A byte map of the witness from Alice's transaction
|
||||
.A byte map of the witness structure from Alice's transaction
|
||||
image::../images/witness-byte-map.png["A byte map of the witness from Alice's transaction"]
|
||||
|
||||
Unlike the inputs and outputs fields, the overall witness field doesn't
|
||||
start with any indication of the total number of elements it contains.
|
||||
Unlike the inputs and outputs fields, the overall witness structure doesn't
|
||||
start with any indication of the total number of witness stacks it contains.
|
||||
Instead, this is implied by the inputs field--there's one witness
|
||||
element for every input in a transaction.
|
||||
stack for every input in a transaction.
|
||||
|
||||
The witness field for a particular input does start with a count of the
|
||||
number of elements they contain. Those elements are called _stack
|
||||
The witness structure for a particular input does start with a count of the
|
||||
number of elements they contain. Those elements are called _witness
|
||||
items_. We'll explore them in detail in
|
||||
<<c_authorization_authentication>>, but for now we need to know that
|
||||
each stack item is prefixed by a compactSize integer indicating its
|
||||
each witness item is prefixed by a compactSize integer indicating its
|
||||
size.
|
||||
|
||||
Legacy inputs don't contain any witness stack items so their witness
|
||||
Legacy inputs don't contain any witness items so their witness stack
|
||||
consists entirely of a count of zero (0x00).
|
||||
|
||||
Alice's transaction contains one input and one stack item.
|
||||
|
||||
[[nlocktime]]
|
||||
=== nLockTime
|
||||
[[lock_time]]
|
||||
=== Lock Time
|
||||
|
||||
The final field in a serialized transaction is its _nLockTime_. This
|
||||
The final field in a serialized transaction is its lock time. This
|
||||
field was part of Bitcoin's original serialization format but it was
|
||||
only initially enforced by Bitcoin's policy for choosing which
|
||||
transactions to mine. Bitcoin's earliest known soft fork added a rule
|
||||
@ -996,21 +997,21 @@ that, starting at block height 31,000, forbid the inclusion of a
|
||||
transaction in a block unless it satisfies one of the following rules:
|
||||
|
||||
- The transaction indicates that it should be eligible for inclusion in
|
||||
any block by setting its nLockTime to 0.
|
||||
any block by setting its lock time to 0.
|
||||
|
||||
- The transaction indicates that it wants to restrict which blocks it
|
||||
can be included in by setting its nLockTime to a value less than
|
||||
can be included in by setting its lock time to a value less than
|
||||
500,000,000. In this case, the transaction can only be included in a
|
||||
block that has a height equal to the nLockTime or higher. For
|
||||
example, a transaction with an nLockTime of 123,456 can be included in
|
||||
block that has a height equal to the lock time or higher. For
|
||||
example, a transaction with a lock time of 123,456 can be included in
|
||||
block 123,456 or any later block.
|
||||
|
||||
- The transaction indicates that it wants to restrict when it can be
|
||||
included in the blockchain by setting its nLockTime to a value of
|
||||
included in the blockchain by setting its lock time to a value of
|
||||
500,000,000 or greater. In this case, the field is parsed as epoch
|
||||
time (the number of seconds since 1970-01-01T00:00 UTC) and the
|
||||
transaction can only be included in a block with a _Median Time Past_
|
||||
(MTP) greater than the nLockTime. MTP is normally about an hour or
|
||||
(MTP) greater than the lock time. MTP is normally about an hour or
|
||||
two behind the current time. The rules for MTP are described in
|
||||
<<mtp>>.
|
||||
|
||||
@ -1040,7 +1041,7 @@ Some of the special rules for coinbase transactions include:
|
||||
which would (at the very least) be confusing given that the coinbase
|
||||
transaction spends fees and subsidy.
|
||||
|
||||
- The field which would contain a scriptSig in a normal transaction is
|
||||
- The field which would contain a input script in a normal transaction is
|
||||
called a _coinbase_. It's this field that gives the coinbase
|
||||
transaction its name. The coinbase field must be at least two bytes
|
||||
and not longer than 100 bytes. This script is not executed but legacy
|
||||
@ -1123,14 +1124,14 @@ creation of uneconomical outputs as described in
|
||||
| Marker & Flag | 1 | 2
|
||||
| Inputs Count | 4 | 4
|
||||
| Outpoint | 4 | 144
|
||||
| scriptSig | 4 | 4
|
||||
| nSequence | 4 | 16
|
||||
| Input script | 4 | 4
|
||||
| Sequence | 4 | 16
|
||||
| Outputs Count | 4 | 4
|
||||
| nValue | 4 | 64 (2 outputs)
|
||||
| scriptPubKey | 4 | 232 (2 outputs with different scripts)
|
||||
| Amout | 4 | 64 (2 outputs)
|
||||
| Output script | 4 | 232 (2 outputs with different scripts)
|
||||
| Witness Count | 1 | 1
|
||||
| Witnesses | 1 | 66
|
||||
| nLockTime | 4 | 16
|
||||
| Witness items | 1 | 66
|
||||
| Lock time | 4 | 16
|
||||
| **Total** | _N/A_ | **569**
|
||||
|===
|
||||
|
||||
@ -1162,13 +1163,13 @@ older format, called _legacy serialization_, must be used on the Bitcoin
|
||||
P2P network for any transaction with an empty witness (which is only
|
||||
valid if the transaction doesn't spend any witness programs).
|
||||
|
||||
Legacy serialization does not include the marker, flag, and witness
|
||||
Legacy serialization does not include the marker, flag, and witness structure
|
||||
fields.
|
||||
|
||||
In this chapter, we looked at each of the fields in a transaction and
|
||||
discovered how they communicate to full nodes the details about the
|
||||
bitcoins to be transferred between users. We only briefly looked at the
|
||||
scriptPubKey, scriptSig, and witness fields that allow specifying and
|
||||
output script, input script, and witness structure that allow specifying and
|
||||
satisfying conditions which restrict who can spend what bitcoins.
|
||||
Understanding how to construct and use these conditions is essential to
|
||||
ensuring that only Alice can spend her bitcoins, so they will be the
|
||||
|
@ -7,7 +7,7 @@ address::
|
||||
A Bitcoin address looks like +1DSrfJdB2AnWaFNgSbv3MZC2m74996JafV+. It consists of a string of letters and numbers. It's really an encoded base58check version of a public key 160-bit hash. Just as you ask others to send an email to your email address, you would ask others to send you bitcoin to one of your Bitcoin addresses.
|
||||
|
||||
bip::
|
||||
Bitcoin Improvement Proposals. A set of proposals that members of the bitcoin community have submitted to improve bitcoin. For example, BIP-21 is a proposal to improve the bitcoin uniform resource identifier (URI) scheme.
|
||||
Bitcoin Improvement Proposals. A set of proposals that members of the bitcoin community have submitted to improve bitcoin. For example, BIP21 is a proposal to improve the bitcoin uniform resource identifier (URI) scheme.
|
||||
|
||||
bitcoin::
|
||||
The name of the currency unit (the coin), the network, and the software.
|
||||
@ -107,8 +107,8 @@ LevelDB::
|
||||
Lightning Networks::
|
||||
Lightning Network is a proposed implementation of Hashed Timelock Contracts (HTLCs) with bi-directional payment channels which allows payments to be securely routed across multiple peer-to-peer payment channels. This allows the formation of a network where any peer on the network can pay any other peer even if they don't directly have a channel open between each other.
|
||||
|
||||
Locktime::
|
||||
Locktime, or more technically nLockTime, is the part of a transaction which indicates the earliest time or earliest block when that transaction may be added to the block chain.
|
||||
Lock time::
|
||||
Lock time is the part of a transaction which indicates the earliest time or earliest block when that transaction may be added to the block chain.
|
||||
|
||||
mempool::
|
||||
The bitcoin Mempool (memory pool) is a collection of all transaction data in a block that have been verified by Bitcoin nodes, but are not yet confirmed.
|
||||
@ -165,10 +165,10 @@ P2SH address::
|
||||
P2SH addresses are Base58Check encodings of the 20-byte hash of a script, P2SH addresses use the version prefix "5", which results in Base58Check-encoded addresses that start with a "3". P2SH addresses hide all of the complexity, so that the person making a payment does not see the script.
|
||||
|
||||
P2WPKH::
|
||||
The signature of a P2WPKH (Pay-to-Witness-Public-Key-Hash) contains the same information as a P2PKH spending, but is located in the witness field instead of the scriptSig field. The scriptPubKey is also modified.
|
||||
The signature of a P2WPKH (Pay-to-Witness-Public-Key-Hash) contains the same information as a P2PKH spending, but is located in the witness structure instead of the input script. The output script is also modified.
|
||||
|
||||
P2WSH::
|
||||
The difference between P2SH and P2WSH (Pay-to-Witness-Script-Hash) is about the cryptographic proof location change from the scriptSig field to the witness field and the scriptPubKey that is also modified.
|
||||
The difference between P2SH and P2WSH (Pay-to-Witness-Script-Hash) is about the cryptographic proof location change from the input script to the witness structure and the output script that is also modified.
|
||||
|
||||
paper wallet::
|
||||
In the most specific sense, a paper wallet is a document containing all of the data necessary to generate any number of Bitcoin private keys, forming a wallet of keys. However, people often use the term to mean any way of storing bitcoin offline as a physical document. This second definition also includes paper keys and redeemable codes.
|
||||
@ -200,11 +200,11 @@ Satoshi Nakamoto::
|
||||
Script::
|
||||
Bitcoin uses a scripting system for transactions. Forth-like, Script is simple, stack-based, and processed from left to right. It is purposefully not Turing-complete, with no loops.
|
||||
|
||||
ScriptPubKey (aka pubkey script)::
|
||||
ScriptPubKey or pubkey script, is a script included in outputs which sets the conditions that must be fulfilled for those satoshis to be spent. Data for fulfilling the conditions can be provided in a signature script.
|
||||
Output script::
|
||||
A script included in outputs which sets the conditions that must be fulfilled for those satoshis to be spent. Data for fulfilling the conditions can be provided in a signature script.
|
||||
|
||||
ScriptSig (aka signature script)::
|
||||
ScriptSig or signature script, is the data generated by a spender which is almost always used as variables to satisfy a pubkey script.
|
||||
Input script::
|
||||
The data generated by a spender which is almost always used as variables to satisfy an output script.
|
||||
|
||||
secret key (aka private key)::
|
||||
The secret number that unlocks bitcoin sent to the corresponding address. pass:[<span class="keep-together">A secret</span>] key looks like the following:
|
||||
|
Before Width: | Height: | Size: 13 KiB After Width: | Height: | Size: 15 KiB |
Before Width: | Height: | Size: 17 KiB After Width: | Height: | Size: 16 KiB |
Before Width: | Height: | Size: 18 KiB After Width: | Height: | Size: 18 KiB |
Before Width: | Height: | Size: 14 KiB After Width: | Height: | Size: 15 KiB |
Before Width: | Height: | Size: 9.1 KiB After Width: | Height: | Size: 9.4 KiB |
@ -46,9 +46,9 @@
|
||||
== Chapter 7
|
||||
|
||||
* Time Locks
|
||||
* Transaction level absolute (nLocktime)
|
||||
* Transaction level absolute lock time
|
||||
* UTXO/Script level absolute (CHECKLOCKTIMEVERIFY)
|
||||
* Input level relative (nSequence)
|
||||
* Input level relative sequence
|
||||
* UTXO/Script level relative (CHECKSEQUENCEVERIFY)
|
||||
* Median Time Past
|
||||
* Timelock defense against fee sniping
|
||||
@ -82,7 +82,7 @@
|
||||
* Diverging hard forks
|
||||
* Soft forks for feature upgrades
|
||||
* Signaling soft forks with block version
|
||||
* BIP-9 (versionbits) signaling and activation
|
||||
* BIP9 (versionbits) signaling and activation
|
||||
* Consensus software development
|
||||
|
||||
== Chapter 11
|
||||
|
@ -114,10 +114,10 @@ Bitcoin Addresses, Balances, and Other Abstractions
|
||||
* Redeem Script and Validation
|
||||
* Data Recording Output (RETURN)
|
||||
* Timelocks
|
||||
* Transaction Locktime (nLocktime)
|
||||
* Transaction lock time
|
||||
* Check Lock Time Verify (CLTV)
|
||||
* Relative Timelocks
|
||||
* Relative Timelocks with nSequence
|
||||
* Relative Timelocks with sequence
|
||||
* Relative Timelocks with CSV
|
||||
* Median-Time-Past
|
||||
* Timelock Defense Against Fee Sniping
|
||||
|