| Field | Value |
|---|---|
| Title | Transaction Signature Verification for Version 0 Witness Program |
| Layer | Consensus (soft fork) |
| Author | Johnson Lau, Pieter Wuille |
| Comments-Summary | No comments yet. |
| Comments-URI | https://github.com/bitcoin/bips/wiki/Comments:BIP-0143 |
| Status | Final |
| Type | Standards Track |
| Created | 2016-01-03 |
| Post History | |
| Description | https://github.com/bitcoin/bips/blob/master/bip-0143.mediawiki |
| License | PD |
This proposal defines a new transaction digest algorithm for signature verification in version 0 witness programs. Its two goals are to minimize redundant data hashing during verification and to commit, in the signature, to the value of the input being spent.
There are 4 ECDSA signature verification opcodes in the original Bitcoin script system: OP_CHECKSIG, OP_CHECKSIGVERIFY, OP_CHECKMULTISIG and OP_CHECKMULTISIGVERIFY ("sigops"). According to the sighash type (ALL, NONE or SINGLE, each optionally combined with the ANYONECANPAY flag), a transaction digest is generated as the double SHA256 of a serialized subset of the transaction, and the signature is verified against this digest with a given public key. The detailed procedure is described in a Bitcoin Wiki article. 1)
Unfortunately, there are at least 2 weaknesses in the original SignatureHash transaction digest algorithm:
Deploying the aforementioned fixes in the original script system is not a simple task. It would require either a hardfork, or a softfork introducing new sigops that cannot remove or insert stack items. The segregated witness softfork, however, offers an opportunity to define a different set of script semantics without disrupting the original system: to unupgraded nodes a witness program output is anyone-can-spend, so they would always consider it spendable with an arbitrary signature, or with no signature at all. 6)
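To make the two goals of the abstract concrete, and to show the legacy digest described above next to its replacement, here is an added example (not code from the BIP or from Bitcoin Core) that implements both the original SignatureHash and the BIP143 digest over minimal dict-based transactions. The sample transaction, scriptCode and amount are the native-P2WPKH test data published in BIP143; the legacy algorithm's OP_CODESEPARATOR removal and FindAndDelete steps, which do not affect this sample, are omitted, and the transaction built by `wider_tx` is a constructed one used only to show how the bytes hashed scale with the number of inputs.

```python
"""Legacy SignatureHash versus the BIP143 digest, side by side (added example)."""
import hashlib
import struct

SIGHASH_ALL, SIGHASH_NONE, SIGHASH_SINGLE, SIGHASH_ANYONECANPAY = 1, 2, 3, 0x80

def dsha256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def varint(n: int) -> bytes:
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + struct.pack("<H", n)
    return b"\xfe" + struct.pack("<I", n) if n <= 0xFFFFFFFF else b"\xff" + struct.pack("<Q", n)

def ser_outpoint(txin: dict) -> bytes:
    return txin["txid_le"] + struct.pack("<I", txin["vout"])

def ser_txout(txout: dict) -> bytes:
    return struct.pack("<q", txout["value"]) + varint(len(txout["script"])) + txout["script"]

def legacy_preimage(tx: dict, n_in: int, script_code: bytes, hash_type: int) -> bytes:
    """Original algorithm: serialize a modified copy of the WHOLE transaction. Every input
    re-hashes every other input and output, and the amount being spent appears nowhere."""
    base = hash_type & 0x1F
    vin, vout = list(tx["vin"]), list(tx["vout"])
    if base == SIGHASH_NONE:
        vout = []
    elif base == SIGHASH_SINGLE:  # keep only the matching output; blank the ones before it
        vout = [{"value": -1, "script": b""}] * n_in + [vout[n_in]]
    if base in (SIGHASH_NONE, SIGHASH_SINGLE):  # other inputs' nSequence is not signed
        vin = [dict(i, sequence=i["sequence"] if k == n_in else 0) for k, i in enumerate(vin)]
    if hash_type & SIGHASH_ANYONECANPAY:
        vin, n_in = [vin[n_in]], 0
    out = struct.pack("<i", tx["version"]) + varint(len(vin))
    for k, txin in enumerate(vin):
        script = script_code if k == n_in else b""  # only the signed input carries scriptCode
        out += ser_outpoint(txin) + varint(len(script)) + script + struct.pack("<I", txin["sequence"])
    out += varint(len(vout)) + b"".join(ser_txout(o) for o in vout)
    return out + struct.pack("<I", tx["locktime"]) + struct.pack("<I", hash_type)

def legacy_sighash(tx: dict, n_in: int, script_code: bytes, hash_type: int) -> bytes:
    if hash_type & 0x1F == SIGHASH_SINGLE and n_in >= len(tx["vout"]):
        return (1).to_bytes(32, "little")  # historical quirk: the digest is the number 1
    return dsha256(legacy_preimage(tx, n_in, script_code, hash_type))

def bip143_midstate(tx: dict, n_in: int, hash_type: int) -> tuple:
    """hashPrevouts, hashSequence, hashOutputs. With SIGHASH_ALL they depend only on the
    transaction, so a signer computes them once and reuses them for every input."""
    base, zero = hash_type & 0x1F, bytes(32)
    anyone = bool(hash_type & SIGHASH_ANYONECANPAY)
    hash_prevouts = zero if anyone else dsha256(b"".join(ser_outpoint(i) for i in tx["vin"]))
    hash_sequence = zero if anyone or base in (SIGHASH_SINGLE, SIGHASH_NONE) else dsha256(
        b"".join(struct.pack("<I", i["sequence"]) for i in tx["vin"]))
    if base not in (SIGHASH_SINGLE, SIGHASH_NONE):
        hash_outputs = dsha256(b"".join(ser_txout(o) for o in tx["vout"]))
    elif base == SIGHASH_SINGLE and n_in < len(tx["vout"]):
        hash_outputs = dsha256(ser_txout(tx["vout"][n_in]))
    else:
        hash_outputs = zero  # SINGLE without a matching output: zeros, no "return 1" quirk
    return hash_prevouts, hash_sequence, hash_outputs

def bip143_preimage(tx: dict, n_in: int, script_code: bytes, value: int, hash_type: int) -> bytes:
    hash_prevouts, hash_sequence, hash_outputs = bip143_midstate(tx, n_in, hash_type)
    txin = tx["vin"][n_in]
    return (struct.pack("<i", tx["version"]) + hash_prevouts + hash_sequence + ser_outpoint(txin)
            + varint(len(script_code)) + script_code
            + struct.pack("<q", value)  # the amount being spent is now under the signature
            + struct.pack("<I", txin["sequence"]) + hash_outputs
            + struct.pack("<I", tx["locktime"]) + struct.pack("<I", hash_type))

def bip143_sighash(tx: dict, n_in: int, script_code: bytes, value: int, hash_type: int) -> bytes:
    return dsha256(bip143_preimage(tx, n_in, script_code, value, hash_type))

def bytes_hashed_all_inputs(tx: dict, script_code: bytes, value: int) -> tuple:
    """Bytes fed to dSHA256 to sign every input with SIGHASH_ALL: legacy re-hashes the
    whole transaction per input (quadratic), BIP143 hashes the shared parts once."""
    n = len(tx["vin"])
    legacy = sum(len(legacy_preimage(tx, i, script_code, SIGHASH_ALL)) for i in range(n))
    shared = 40 * n + sum(len(ser_txout(o)) for o in tx["vout"])  # prevouts + sequences + outputs
    return legacy, shared + sum(len(bip143_preimage(tx, i, script_code, value, SIGHASH_ALL)) for i in range(n))

# The unsigned native-P2WPKH example transaction from BIP143 (txids as serialized, byte-reversed).
SAMPLE_TX = {
    "version": 1, "locktime": 17,
    "vin": [{"txid_le": bytes.fromhex("fff7f7881a8099afa6940d42d1e7f6362bec38171ea3edf433541db4e4ad969f"),
             "vout": 0, "sequence": 0xFFFFFFEE},
            {"txid_le": bytes.fromhex("ef51e1b804cc89d182d279655c3aa89e815b1b309fe287d9b2b55d57b90ec68a"),
             "vout": 1, "sequence": 0xFFFFFFFF}],
    "vout": [{"value": 0x06B22C20, "script": bytes.fromhex("76a9148280b37df378db99f66f85c95a783a76ac7a6d5988ac")},
             {"value": 0x0D519390, "script": bytes.fromhex("76a9143bde42dbee7e4dbe6a21b2d50ce2f0167faa815988ac")}],
}
# Input 1 spends 6 BTC from a P2WPKH output; its scriptCode is the implied P2PKH script.
P2WPKH_SCRIPT_CODE = bytes.fromhex("76a9141d0f172a0ecb48aee1be1f2687d2963ae33f71a188ac")
P2WPKH_VALUE = 600_000_000

def wider_tx(n_inputs: int) -> dict:
    """Constructed transaction with n variants of the sample inputs, only to show the scaling."""
    return dict(SAMPLE_TX, vin=[dict(SAMPLE_TX["vin"][k % 2], vout=k) for k in range(n_inputs)])

if __name__ == "__main__":
    print("BIP143 sighash:", bip143_sighash(SAMPLE_TX, 1, P2WPKH_SCRIPT_CODE, P2WPKH_VALUE, SIGHASH_ALL).hex())
    for n in (2, 20, 200):
        print(n, "inputs, bytes hashed (legacy, BIP143):", bytes_hashed_all_inputs(wider_tx(n), P2WPKH_SCRIPT_CODE, P2WPKH_VALUE))
```

Two things are worth noticing when running it. First, the BIP143 digest changes if `value` is altered by a single satoshi while the legacy digest does not even take the amount as input, which is the whole point of the value commitment. Second, for the two-input sample the BIP143 scheme actually feeds slightly more bytes to the hash function than the legacy one (the three 32-byte midstate hashes are a fixed cost); the saving is asymptotic, and at a few hundred inputs the legacy scheme hashes tens of times more data because each input re-serializes the entire transaction.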