BIP 141: Segregated Witness (Consensus layer) #265

pull CodeShark wants to merge 4 commits into bitcoin:master from CodeShark:segwit changing 1 files +25 −21
  1. CodeShark commented at 12:46 AM on December 23, 2015: contributor

    BIP number requested,

  2. CodeShark force-pushed on Dec 23, 2015
  3. CodeShark force-pushed on Dec 23, 2015
  4. CodeShark force-pushed on Dec 23, 2015
  5. CodeShark force-pushed on Dec 23, 2015
  6. CodeShark force-pushed on Dec 23, 2015
  7. in bip-codeshark-jl2012-segwit.mediawiki:None in 7f196396d3 outdated 
       0 | @@ -0,0 +1,300 @@
   1 | +<pre>
   2 | +  BIP: x
   3 | +  Title: Segregated Witness (Consensus layer)
   4 | +  Author:
    btcdrak commented at 2:00 AM on December 23, 2015:

    missing authors

  8. in bip-codeshark-jl2012-segwit.mediawiki:None in 7f196396d3 outdated 
     293 | +SPV clients should reject nVersion < 5 blocks if 950 out of 1000 preceding blocks have
 294 | +nVersion >= 5 to prevent false confirmations from the remaining 5% of
 295 | +non-upgraded miners when the 95% threshold has been reached.
 296 | +
 297 | +== Credits ==
 298 | +
    btcdrak commented at 2:01 AM on December 23, 2015:

    Missing copyright statement.

  9. CodeShark force-pushed on Dec 23, 2015
  10. CodeShark force-pushed on Dec 23, 2015
  11. CodeShark force-pushed on Dec 23, 2015
  12. CodeShark force-pushed on Dec 23, 2015
  13. in bip-codeshark-jl2012-segwit.mediawiki:None in 181280bed7 outdated 
      32 | +# '''Additional data required for fraud proofs can be added to witness'''. Extra data can be committed that allows short proofs of block invalidity that SPV nodes can quickly verify.
  33 | +#* Backlinks for the outputs spent by the transaction's inputs can be provided. These backlinks consist of a block hash and an offset that thin clients can easily query and check to verify that the outputs exist.
  34 | +#* Sum trees for transaction inputs and outputs can be committed making it possible to construct short proofs that no new coins are created in any noncoinbase transaction and that the miner does not add excessive fees to the coinbase transaction. 
  35 | +
  36 | +==Specification==
  37 | +Maybe a seperate BIP
    luke-jr commented at 3:47 AM on December 23, 2015:

    ???

    CodeShark commented at 3:49 AM on December 23, 2015:

    the comment refers to the p2p serialization and relay stuff - what follows is the consensus specification, which WILL be in this document.

  14. in bip-codeshark-jl2012-segwit.mediawiki:None in 181280bed7 outdated 
      59 | +used in some tests) to be interpreted as new serialized data.
  60 | +- Rationale for the 0x01 flag byte in between: this will allow us to
  61 | +easily add more extra non-committed data to transactions (like txouts
  62 | +being spent, ...). It can be interpreted as a bitvector.
  63 | +
  64 | +* A new message 'havewitness' is sent after receiving 'verack' to
    NicolasDorier commented at 4:03 AM on December 23, 2015:

    Why not using "version" service bits ? Having a havewitness message is a pain in the ass for wallet developers, because they need to know whether the node support witness or not. If you use havewitness message, then after the verack we need to wait if there is any havewitness message coming with a timeout to determine if it is supported and deciding if we continue to conversation or not.

    CodeShark commented at 4:16 AM on December 23, 2015:

    This part of the specification (specifically the peer services layer) is still very preliminary and will probably be put into its own BIP. We expect it to undergo substantial changes still.

    jl2012 commented at 4:24 AM on December 23, 2015:

    To avoid confusion, may remove this part from this BIP and say the relay protocol is defined in a separate BIP

  15. in bip-codeshark-jl2012-segwit.mediawiki:None in 894d8ac1cb outdated 
     208 | +# It is not possible to prove the spending of a non-existing input without showing all transaction IDs in the blockchain way back to the genesis block.
 209 | +
 210 | +It is possible to proof the first 2 types of fraud if a block is committed to a Merkle-sum-tree of the fee, size, and sigop count of each transaction. It is also possible to proof the last type of fraud if a block is committed to a Merkle tree with the originating block height and transaction index of all inputs. These commitments could be included in the extensible witness commitment through a soft fork and will be transparent to nodes that do not understand such new rules.
 211 | +
 212 | +=== New script system ===
 213 | +Since all witness programs begin with a version byte, and programs with unknown versions are always considered as anyone-can-spend script, it is possible to introduce any new script system with a soft fork. The witness as a structure is not restricted by any existing script semantics and constraints, the 520-byte push limit in particular, and therefore allows arbitrarily large scripts and signatures.
    afk11 commented at 2:52 PM on December 24, 2015:

    Is 'anyone-can-spend script' a new term? I understand why, I just wonder if the term is too similar to ANYONECANPAY. We should define the term, or maybe reword to say unknown versions are simply not evaluated as anything other than pushdata, and won't be evaluated by the witness interpreter?

    jl2012 commented at 4:05 PM on December 24, 2015:

    It's not new: https://en.bitcoin.it/wiki/Script#Anyone-Can-Spend_Outputs

  16. jl2012 cross-referenced this on Dec 25, 2015 from issue BIP 142: Address Formats for Witness Program by jl2012
  17. Clarify Backward compatibility 3e3006127e
  18. in bip-codeshark-jl2012-segwit.mediawiki:None in 894d8ac1cb outdated 
     222 | +With a soft fork, it is possible to introduce a separate witness structure to allow per-input lock-time and relative-lock-time, and a new script system that could sign and manipulate the new data (like BIP65 and BIP112).
 223 | +
 224 | +== Backward compatibility ==
 225 | +As a soft fork, older software will continue to operate without modification.  Non-upgraded nodes, however, will not see nor validate the witness data and will consider all witness programs as anyone-can-spend scripts (except a few edge cases in version 0 witness programs which are provably unspendable with original script semantics). Wallets should always be wary of anyone-can-spend scripts and treat them with suspicion. Non-upgraded nodes are strongly encouraged to upgrade in order to take advantage of the new features.
 226 | +
 227 | +=== Version 0 witness programs ===
    morcos commented at 5:04 PM on December 28, 2015:

    This was confusing to me. You're not talking about Version 0 and Version 1 witness programs here are you? Aren't you just talking about whether or not the witness program is also embedded in a P2SH regardless of what version witness it is?

    jl2012 commented at 5:09 PM on December 28, 2015:

    yeah, the description is somewhat inaccurate. I'll edit it

  19. luke-jr added the label New BIP on Dec 30, 2015
  20. luke-jr added the label Needs number assignment on Dec 30, 2015
  21. Separating version byte and witness program 66ba4e6fcf
  22. Merge pull request #1 from jl2012/patch-7
    Clarify Backward compatibility and separating version byte and witness program
    038a4c1d2e
  23. Merge pull request #2 from alp-bitcoin/patch-1
    Fixed typos.
    90367c065a
  24. in bip-codeshark-jl2012-segwit.mediawiki:None in 894d8ac1cb outdated 
      87 | +
  88 | +The new rule is s<sub>v</sub> <= 1 MB.
  89 | +
  90 | +=== Witness program ===
  91 | +
  92 | +* A scriptPubKey (or redeemScript as defined in BIP16/P2SH) that consists of a single push of 2 to 41 bytes gets a new special meaning. The byte vector pushed by it is called the "witness program".
    morcos commented at 8:51 PM on January 1, 2016:

    not a single push anymore

  25. in bip-codeshark-jl2012-segwit.mediawiki:None in 894d8ac1cb outdated 
     138 | +
 139 | +The following example is a version 0 witness program, equivalent to the existing Pay-to-Pubkey-Hash (P2PKH) output.
 140 | +
 141 | +    witness:      <signature> <pubkey>
 142 | +    scriptSig:    (empty)
 143 | +    scriptPubKey: <0x0076A914{20-byte-hash-value}88AC>
    morcos commented at 8:52 PM on January 1, 2016:

    you need <0x001976A914{20-byte-hash-value}88AC>

  26. rubensayshi commented at 11:53 AM on January 7, 2016: contributor

    related BIPs, for easy reference;

    • Segwit peer services #272
    • Transaction signature verification for version 0 and version 1 witness program #270
    • Address Format for Witness Program #267

    and WIP code:

  27. in bip-codeshark-jl2012-segwit.mediawiki:None in 90367c065a 
     163 | +
 164 | +    1 <33-byte-pubkey1> <33-byte-pubkey2> 2 CHECKMULTISIG
 165 | +
 166 | +The script is executed with the remaining data from witness:
 167 | +
 168 | +    0 <signature1> 1 <33-byte-pubkey1> <33-byte-pubkey2> 2 CHECKMULTISIG
    FelixWeis commented at 2:27 PM on January 7, 2016:

    The segwit update seems like the perfect moment to get rid of that CHECKMULTISIG bug where one item too many is popped off the stack. Although probably should be done in #270.

    sipa commented at 3:22 PM on January 7, 2016:

    No bikeshedding about what changes to make, please :(

    We have script versions now, so we do not need to fix all inconveniences at once.

    There are two exceptions to this self-imposed rule:

    • Changing the sighashing to not be O(n^2), as it wouldn't be a bugfix to a worst-case scenario if it's optional for an attacker.
    • Amount signing, as I didn't expect that people would accept any sighash change proposal that did not include this...
  28. rubensayshi commented at 5:22 PM on January 7, 2016: contributor

    is there a reason why the transaction version is not bumped for the new structure?

  29. sipa commented at 5:29 PM on January 7, 2016: member

    Yes. There is no need:

    • SegWit transactions are not standard anyway due to the CLEANSTACK rule already.
    • We don't need it for serialization, because we need another mechanism for signaling the presence of witness data anyway.
  30. in bip-codeshark-jl2012-segwit.mediawiki:None in 90367c065a 
     137 | +
 138 | +The following example is a version 0 witness program, equivalent to the existing Pay-to-Pubkey-Hash (P2PKH) output.
 139 | +
 140 | +    witness:      <signature> <pubkey>
 141 | +    scriptSig:    (empty)
 142 | +    scriptPubKey: OP_0 <0x76A914{20-byte-hash-value}88AC>
    jonasschnelli commented at 8:42 PM on January 7, 2016:

    nit: use OP_0 <DUP HASH160 {20-byte-hash-value} EQUALVERIFY CHECKSIG>?

    sipa commented at 8:43 PM on January 7, 2016:

    Why? Waste of space.

    sipa commented at 8:44 PM on January 7, 2016:

    Oops, never mind.

    MarcoFalke commented at 8:49 PM on January 7, 2016:

    @jonasschnelli Isn't the deserialized format below?

    jl2012 commented at 5:29 AM on January 8, 2016:

    It's shown in the deserialized script

  31. luke-jr assigned luke-jr on Jan 8, 2016
  32. luke-jr renamed this:
    Segwit BIP
    BIP 141: Segregated Witness (Consensus layer)
    on Jan 8, 2016
  33. luke-jr removed the label Needs number assignment on Jan 8, 2016
  34. luke-jr merged this on Jan 8, 2016
  35. luke-jr closed this on Jan 8, 2016
  36. afk11 cross-referenced this on Jan 10, 2016 from issue Fix BIP142: Example script needs PUSH length byte by afk11
  37. luke-jr referenced this in commit c93cd75d88 on Jan 20, 2018
Contributors
CodeSharkbtcdrakluke-jrNicolasDorierjl2012afk11morcosrubensayshiFelixWeissipajonasschnelliMarcoFalke
Labels
New BIP
Linked (view graph)
#267 BIP 142: Address Formats for Witness Program#270 BIP 143: Transaction signature verification for version 0 and version 1 witness program#272 BIP 144: Segregated Witness (Peer Services)#275 Fix BIP142: Example script needs PUSH length byte
github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bips. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-14 15:10 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me