Skip to content

Latest commit

 

History

History
71 lines (48 loc) · 3.06 KB

signature.md

File metadata and controls

71 lines (48 loc) · 3.06 KB
Raw

Index

Bitcoin Signatures

Bitcoin uses ECDSA signatures that prove that an owner of a certain private key acknowledges a certain message (usually a transaction).

One or more signatures are used in a transaction input to prove that the owner of bitcoins locked in a corresponding output allows spending them in this specific transaction.

Within Bitcoin transactions, signature contains an extra byte (hash type) that specifies how exactly the transaction must be transformed before being signed. To differentiate between regular signatures and signatures with a hash type, we use the following terms:

Signature is a DER-encoded ECDSA signature.

Script Signature is a DER-encoded ECDSA signature with an appended hashtype byte.

Hash Types

Hash type determines how OP_CHECKSIG hashes the transaction to verify the signature in a transaction input. Depending on hash type, transaction is modified in some way before its hash is computed. Hash type is 1 byte appended to a signature in a transaction input.

First three types are mutually exclusive (tested using hashtype & 0x1F). SIGHASH_ANYONECANPAY type can be combined together with any of the first three types.

BTC::SIGHASH_ALL = 0x01

Default. Signs all inputs and outputs. Other inputs have scripts and sequences zeroed out, current input has its script replaced by the previous transaction's output script (or, in case of P2SH, by the signatures and the redemption script).

If (hashtype & SIGHASH_OUTPUT_MASK) is not SIGHASH_NONE or SIGHASH_SINGLE, then SIGHASH_ALL is used.

BTC::SIGHASH_NONE = 0x02

All outputs are removed. "I don't care where it goes as long as others pay". Note: this is not safe when used with SIGHASH_ANYONECANPAY, because then anyone who relays the transaction can pick your input and use in his own transaction. It's also not safe if all inputs are SIGHASH_NONE as well (or it's the only input).

BTC::SIGHASH_SINGLE = 0x03

Hash only the output with the same index as the current input. Preceding outputs are "nullified", other outputs are removed. Special case: if there is no matching output, hash is equal 0000000000000000000000000000000000000000000000000000000000000001 (32 bytes)

BTC::SIGHASH_OUTPUT_MASK = 0x1F

This mask is used to determine one of the first types independently from SIGHASH_ANYONECANPAY option:

if (hashtype & SIGHASH_OUTPUT_MASK) == SIGHASH_NONE
  blank all outputs
end

BTC::SIGHASH_ANYONECANPAY = 0x80

Removes all inputs except for current txin before hashing. This allows to sign the transaction outputs without knowing who and how adds other inputs. E.g. a crowdfunding transaction with 100 BTC output can be signed independently by any number of people and will become valid only when someone combines all inputs in a single transaction to make it valid. Can be used together with any of the above types.