summaryrefslogtreecommitdiff
path: root/bip-0141.mediawiki
diff options
context:
space:
mode:
Diffstat (limited to 'bip-0141.mediawiki')
-rw-r--r--bip-0141.mediawiki42
1 files changed, 31 insertions, 11 deletions
diff --git a/bip-0141.mediawiki b/bip-0141.mediawiki
index 7266e9d..b62d54d 100644
--- a/bip-0141.mediawiki
+++ b/bip-0141.mediawiki
@@ -21,7 +21,7 @@ The entirety of the transaction's effects are determined by output consumption (
By removing this data from the transaction structure committed to the transaction merkle tree, several problems are fixed:
-# '''Nonintentional malleability becomes impossible'''. Since signature data is no longer part of the transaction hash, changes to how the transaction was signed are no longer relevant to transaction identification. As a solution of transaction malleability, this is superior to the canonical signature approach ([https://github.com/bitcoin/bips/edit/master/bip-0062.mediawiki BIP62]):
+# '''Nonintentional malleability becomes impossible'''. Since signature data is no longer part of the transaction hash, changes to how the transaction was signed are no longer relevant to transaction identification. As a solution of transaction malleability, this is superior to the canonical signature approach ([https://github.com/bitcoin/bips/blob/master/bip-0062.mediawiki BIP62]):
#* It prevents involuntary transaction malleability for any type of scripts, as long as all inputs are signed (with at least one CHECKSIG or CHECKMULTISIG operation)
#* In the case of an m-of-n CHECKMULTISIG script, a transaction is malleable only with agreement of m private key holders (as opposed to only 1 private key holder with BIP62)
#* It prevents involuntary transaction malleability due to unknown ECDSA signature malleability
@@ -34,13 +34,35 @@ By removing this data from the transaction structure committed to the transactio
==Specification==
+=== Transaction ID ===
+
+A new data structure, <code>witness</code>, is defined. Each transaction will have 2 IDs.
+
+Definition of <code>txid</code> remains unchanged: the double SHA256 of the traditional serialization format:
+
+ [nVersion][txins][txouts][nLockTime]
+
+A new <code>wtxid</code> is defined: the double SHA256 of the new serialization with witness data:
+
+ [nVersion][marker][flag][txins][txouts][witness][nLockTime]
+
+Format of <code>nVersion</code>, <code>txins</code>, <code>txouts</code>, and <code>nLockTime</code> are same as traditional serialization.
+
+The <code>marker</code> MUST be <code>0x00</code>.
+
+The <code>flag</code> MUST be a 1-byte non-zero value. Currently, <code>0x01</code> MUST be used.
+
+The <code>witness</code> is a serialization of all witness data of the transaction. Each txin is associated with a witness field. A witness field starts with a <code>var_int</code> to indicate the number of stack items for the txin. It is followed by stack items, with each item starts with a <code>var_int</code> to indicate the length. Witness data is NOT script and is not restricted by the 520-byte push limit.
+
+A non-witness program (defined hereinafter) txin MUST be associated with an empty witness field, represented by a <code>0x00</code>. If all txins are not witness program, a transaction's <code>wtxid</code> is equal to its <code>txid</code>.
+
=== Commitment structure ===
-A new block rule is added which requires a commitment to the witness hashes, the double SHA256 of a transaction including witnesses. The witness hash of coinbase transaction is assumed to be 0x0000....0000.
+A new block rule is added which requires a commitment to the <code>wtxid</code>. The <code>wtxid</code> of coinbase transaction is assumed to be <code>0x0000....0000</code>.
-A witness root hash is calculated with all those witness hashes as leaves, in a way similar to the hashMerkleRoot in the block header.
+A witness root hash is calculated with all those <code>wtxid</code> as leaves, in a way similar to the hashMerkleRoot in the block header.
-The commitment is recorded in a scriptPubKey of the coinbase transaction. It must be at least 38 bytes, with the first 6-byte of 0x6a24aa21a9ed, that is:
+The commitment is recorded in a scriptPubKey of the coinbase transaction. It must be at least 38 bytes, with the first 6-byte of <code>0x6a24aa21a9ed</code>, that is:
1-byte - OP_RETURN (0x6a)
1-byte - Push the following 36 bytes (0x24)
@@ -206,9 +228,9 @@ The 32-byte limitation for witness program could be easily extended through a so
=== Per-input lock-time and relative-lock-time ===
-Currently there is only one nLockTime field in a transaction and all inputs must share the same value. [https://github.com/bitcoin/bips/edit/master/bip-0068.mediawiki BIP68] enables per-input relative-lock-time using the nSequence field, however, with a limited lock-time period and resolution.
+Currently there is only one nLockTime field in a transaction and all inputs must share the same value. [https://github.com/bitcoin/bips/blob/master/bip-0068.mediawiki BIP68] enables per-input relative-lock-time using the nSequence field, however, with a limited lock-time period and resolution.
-With a soft fork, it is possible to introduce a separate witness structure to allow per-input lock-time and relative-lock-time, and a new script system that could sign and manipulate the new data (like [https://github.com/bitcoin/bips/edit/master/bip-0065.mediawiki BIP65] and [https://github.com/bitcoin/bips/edit/master/bip-0112.mediawiki BIP112]).
+With a soft fork, it is possible to introduce a separate witness structure to allow per-input lock-time and relative-lock-time, and a new script system that could sign and manipulate the new data (like [https://github.com/bitcoin/bips/blob/master/bip-0065.mediawiki BIP65] and [https://github.com/bitcoin/bips/blob/master/bip-0112.mediawiki BIP112]).
== Backward compatibility ==
@@ -217,14 +239,13 @@ As a soft fork, older software will continue to operate without modification. N
'''What a non-upgraded wallet can do'''
* Receiving bitcoin from non-upgraded and upgraded wallets
-* Sending bitcoin to non-upgraded wallets
-* Sending bitcoin to upgraded wallets using a P2SH address (less efficient)
-* Sending bitcoin to upgraded wallets using a native witness program (more efficient) through [https://github.com/bitcoin/bips/blob/master/bip-0070.mediawiki BIP70] payment protocol
+* Sending bitcoin to non-upgraded and upgraded wallets with traditional P2PKH address (without any benefit of segregated witness)
+* Sending bitcoin to upgraded wallets using a P2SH address
+* Sending bitcoin to upgraded wallets using a native witness program through [https://github.com/bitcoin/bips/blob/master/bip-0070.mediawiki BIP70] payment protocol
'''What a non-upgraded wallet cannot do'''
* Validating segregated witness transaction. It assumes such a transaction is always valid
-* Sending bitcoin to upgraded wallets using a native witness program if BIP70 is not supported
== Deployment ==
@@ -259,7 +280,6 @@ https://github.com/sipa/bitcoin/commits/segwit
== References ==
*[[bip-0016.mediawiki|BIP16 Pay to Script Hash]]
-*[[bip-0142.mediawiki|BIP142 Address Formats for Segregated Witness]]
*[[bip-0143.mediawiki|BIP143 Transaction Signature Verification for Version 0 Witness Program]]
*[[bip-0144.mediawiki|BIP144 Segregated Witness (Peer Services)]]
generated by cgit v1.2.3 (git 2.26.2) at 2024-11-05 18:25:54 +0000