BIP 141: Segregated Witness (Consensus layer) #265
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -89,20 +89,19 @@ The new rule is s<sub>v</sub> <= 1 MB. | |
|
|
||
| === Witness program === | ||
|
|
||
| * A scriptPubKey (or redeemScript as defined in BIP16/P2SH) that consists of a 1-byte push opcode (for 0 to 16) followed by a data push between 2 and 32 bytes gets a new special meaning. The value of the first push is called the "version byte". The following byte vector pushed is called the "witness program". | ||
| ** In case the scriptPubKey pushes a version byte and witness program directly, the scriptSig must be exactly empty. | ||
| ** In case the redeemScript pushes a version byte and witness program, the scriptSig must be exactly the single push of the redeemScript. | ||
|
|
||
| ** If the version byte is 0, the WP is the actual script. | ||
| *** The script is executed after normal script evaluation but with data from the witness rather than the scriptSig. | ||
| *** The program must not fail, and result in exactly a single TRUE on the stack. | ||
| ** If the version byte is 1, the WP must be 32 bytes, as a SHA256 hash of the actual script. | ||
| *** The witness must consist of an input stack to feed to the program, followed by the serialized program. | ||
| *** The serialized program is popped off the initial witness stack. Hash of the serialized program must match the hash pushed in the witness program. | ||
| *** The serialized program is deserialized, and executed after normal script evaluation with the remaining witness stack. | ||
| *** The script must not fail, and result in exactly a single TRUE on the stack. | ||
| ** If the version byte is 2 to 16, no further interpretation of the witness program or witness happens. | ||
|
|
||
| === Other consensus critical constraints === | ||
|
|
||
|
|
@@ -140,9 +139,9 @@ The following example is a version 0 witness program, equivalent to the existing | |
|
|
||
| witness: <signature> <pubkey> | ||
| scriptSig: (empty) | ||
| scriptPubKey: OP_0 <0x76A914{20-byte-hash-value}88AC> | ||
|
|
||
| The OP_0 indicates the following push is a version 0 witness program. The witness program is deserialized and becomes: | ||
|
|
||
| DUP HASH160 <20byte-hash-value> EQUALVERIFY CHECKSIG | ||
|
|
||
|
|
@@ -158,17 +157,17 @@ The following example is an 1-of-2 multi-signature version 1 witness program. | |
|
|
||
| witness: 0 <signature1> <0x5121{33-byte-pubkey1}21{33-byte-pubkey2}52AE> | ||
| scriptSig: (empty) | ||
| scriptPubKey: OP_1 <0x{32-byte-hash-value}> | ||
|
|
||
| The OP_1 in scriptPubKey indicates the following push is a version 1 witness program. The last item in the witness is popped off, hashed with SHA256, compared against the 32-byte-hash-value in scriptPubKey, and deserialized: | ||
|
|
||
| 1 <33-byte-pubkey1> <33-byte-pubkey2> 2 CHECKMULTISIG | ||
|
|
||
| The script is executed with the remaining data from witness: | ||
|
|
||
| 0 <signature1> 1 <33-byte-pubkey1> <33-byte-pubkey2> 2 CHECKMULTISIG | ||
|
There was a problem hiding this comment. The segwit update seems like the perfect moment to get rid of that CHECKMULTISIG bug where one item too many is popped off the stack. Although probably should be done in #270. There was a problem hiding this comment. No bikeshedding about what changes to make, please :( We have script versions now, so we do not need to fix all inconveniences at There are two exceptions to this self-imposed rule:
|
||
|
|
||
| Since the actual program is larger than 32 bytes, it cannot be accommodated in a version 0 witness program. A version 1 witness program allows arbitrarily large script as the 520-byte push limit is bypassed. | ||
|
|
||
| The scriptPubKey occupies 34 bytes, as opposed to 23 bytes of P2SH. The increased size improves security against possible collision attacks, as 2^80 work is not infeasible anymore (By the end of 2015, 2^84 hashes have been calculated in Bitcoin mining since the creation of Bitcoin). The spending script is same as the one for an equivalent P2SH output but is moved to witness. | ||
|
|
||
|
|
@@ -177,12 +176,12 @@ The scriptPubKey occupies 34 bytes, as opposed to 23 bytes of P2SH. The increase | |
| The following example is the same 1-of-2 multi-signature version 1 witness program, but nested in a P2SH output. | ||
|
|
||
| witness: 0 <signature1> <0x5121{33-byte-pubkey1}21{33-byte-pubkey2}52AE> | ||
| scriptSig: <0x5120{32-byte-hash-value}> | ||
| scriptPubKey: HASH160 <20-byte-hash-value> EQUAL | ||
|
|
||
| The only item in scriptSig is hashed with HASH160, compared against the 20-byte-hash-value in scriptPubKey, and interpreted as: | ||
|
|
||
| OP_1 <0x{32-byte-hash-value}> | ||
|
|
||
| The version 1 witness program is then executed as described in the last example | ||
|
|
||
|
|
@@ -210,11 +209,11 @@ In the current Bitcoin protocol, it is possible to generate compact fraud proof | |
| It is possible to prove the first 2 types of fraud if a block is committed to a Merkle-sum-tree of the fee, size, and sigop count of each transaction. It is also possible to prove the last type of fraud if a block is committed to a Merkle tree with the originating block height and transaction index of all inputs. These commitments could be included in the extensible witness commitment through a soft fork and will be transparent to nodes that do not understand such new rules. | ||
|
|
||
| === New script system === | ||
| Since a version byte is pushed before a witness program, and programs with unknown versions are always considered as anyone-can-spend script, it is possible to introduce any new script system with a soft fork. The witness as a structure is not restricted by any existing script semantics and constraints, the 520-byte push limit in particular, and therefore allows arbitrarily large scripts and signatures. | ||
|
|
||
| Examples of new script system include Schnorr signatures which reduce the size of multisig transactions dramatically, Lamport signature which is quantum computing resistance, and Merklized abstract syntax trees which allow very compact witness for conditional scripts with extreme complexity. | ||
|
|
||
| The 32-byte limitation for witness program could be easily extended through a soft fork in case a stronger hash function is needed in the future. The version byte is also expandable through a softfork. | ||
|
|
||
| === Per-input lock-time and relative-lock-time === | ||
| Currently there is only one nLockTime field in a transaction and all inputs must share the same value. BIP68 enables per-input relative-lock-time using the nSequence field, however, with a limited lock-time period and resolution. | ||
|
|
@@ -224,11 +223,16 @@ With a soft fork, it is possible to introduce a separate witness structure to al | |
| == Backward compatibility == | ||
| As a soft fork, older software will continue to operate without modification. Non-upgraded nodes, however, will not see nor validate the witness data and will consider all witness programs as anyone-can-spend scripts (except a few edge cases in version 0 witness programs which are provably unspendable with original script semantics). Wallets should always be wary of anyone-can-spend scripts and treat them with suspicion. Non-upgraded nodes are strongly encouraged to upgrade in order to take advantage of the new features. | ||
|
|
||
| '''What a non-upgraded wallet can do''' | ||
|
|
||
| * Receiving bitcoin from non-upgraded and upgraded wallets | ||
| * Sending bitcoin to non-upgraded wallets | ||
| * Sending bitcoin to upgraded wallets using a P2SH address (a less efficient way to use segregated witness) | ||
|
|
||
| '''What a non-upgraded wallet cannot do''' | ||
|
|
||
| * Validating segregated witness transaction. It assumes such a transaction is always valid | ||
| * Sending bitcoin to upgraded wallets using a native witness program (a more efficient way to use segregated witness) | ||
|
|
||
| == Deployment == | ||
|
|
||
|
|
||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: use
OP_0 <DUP HASH160 {20-byte-hash-value} EQUALVERIFY CHECKSIG>?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@jonasschnelli Isn't the deserialized format below?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's shown in the deserialized script