2

Reading the BIP:

https://github.com/bitcoin/bips/blob/master/bip-0142.mediawiki

I see that the scriptPubKey in a transaction that funds a segwit redemption is the same as a normal P2PKH but merely prepended with OP_0.

Is this opcode what tells older clients that the Tx is "anyone can spend" meaning that there will be no signature data in the redemption Tx?

Of course upgraded nodes will know to look for the actual scriptSig in the witness data to verify the Tx. But how does this OP_0 fool old nodes into ignoring the scriptSig on the redemption Tx?

Murch
pinhead

1 Answer

6

It's not prepending a script with OP_0. It's a data push that contains the witness program hash, prepended by OP_0.

Old nodes will evaluate this as a script that just pushes two data items onto the stack (a 0 and a hash). That's obviously spendable by all, as the requirement is having a non-zero item as last element on the stack.

Pieter Wuille
  • Thanks. Does 'OP0 hash' evaluate to true automatically to release the coins? And why is the hash of the witness needed? Doesn't that reintroduce malleability back into the txid? – pinhead Jan 18 '16 at 00:01
  • Any non-zero item left on the stack is interpreted as successful execution. And it's not the hash of the witness, but the hash of the witness program. – Pieter Wuille Jan 18 '16 at 00:02
  • Then why is OP_0 needed at all? And what is the witness program? The usual 'dup hash equalverify checksig'? – pinhead Jan 18 '16 at 00:28
  • The witness program is the actual versioned script (the equivalent of the redeemscript in P2SH), which is stored inside the witness. The pubkey commits to it using that hash. The OP_0 before is the witness version number. We can later use higher values to make any script change at all in a softforkable manner. – Pieter Wuille Jan 18 '16 at 00:31
  • So the actual opcode CHECKSIG is in the witness? Not the scriptPubKey? The examples in the bip141 mediawiki are confusing me – pinhead Jan 18 '16 at 00:53
  • Then BIP141 needs improvement! I'll relay the message :) – Pieter Wuille Jan 18 '16 at 00:53
  • 1
    @PieterWuille I thought this check meant that successful execution happens only if a non-zero item is on top of the stack AND is the only element on the stack: https://github.com/bitcoin/bitcoin/blob/8152d3fe57a991e9088d0b9d261d2b10936f45a9/src/script/interpreter.cpp#L1508 So in the case of the witness program the final stack would be [0, ], how would this be interpreted as ANYONECANSPEND by old nodes? – Simone Bronzini Mar 15 '17 at 16:40
  • 1
    @SimoneBronzini The line of code you're referring to is enclosed within a `(flags & SCRIPT_VERIFY_CLEANSTACK) != 0` conditional, which is only set for checking standardness, not consensus. So while old clients wouldn't relay such transactions, they are absolutely valid within a block. – Pieter Wuille Mar 15 '17 at 17:33
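The evaluation described in the answer and its comments, as a simplified model added here for illustration (not Bitcoin Core's code and not from the original posts): a pre-segwit node runs an empty scriptSig followed by `OP_0 <20-byte program>`, the consensus check looks only at the top stack item, and the clean-stack check is applied only as policy. The function names and the 20-byte value are constructed for the example, and only OP_0 and direct pushes are modelled.

```python
OP_0 = 0x00

def eval_pushes(script: bytes, stack: list) -> None:
    """Run a script made only of OP_0 and direct pushes (opcodes 0x01..0x4b)."""
    i = 0
    while i < len(script):
        op = script[i]
        i += 1
        if op == OP_0:
            stack.append(b"")                 # OP_0 pushes an empty byte vector
        elif 0x01 <= op <= 0x4B:              # opcode value is the push length
            if i + op > len(script):
                raise ValueError("truncated push")
            stack.append(script[i:i + op])
            i += op
        else:
            raise ValueError(f"opcode {op:#x} not modelled")

def cast_to_bool(item: bytes) -> bool:
    """Script truthiness: any non-zero byte, except negative zero (final 0x80)."""
    for idx, b in enumerate(item):
        if b != 0:
            return not (idx == len(item) - 1 and b == 0x80)
    return False

def legacy_verify(script_sig: bytes, script_pubkey: bytes, cleanstack: bool = False) -> bool:
    """Pre-segwit check: consensus needs a true top item; cleanstack is policy only."""
    stack = []
    try:
        eval_pushes(script_sig, stack)
        eval_pushes(script_pubkey, stack)
    except ValueError:
        return False
    if not stack or not cast_to_bool(stack[-1]):
        return False
    if cleanstack and len(stack) != 1:        # models SCRIPT_VERIFY_CLEANSTACK
        return False
    return True

PROGRAM = bytes(range(1, 21))                 # constructed 20-byte value, not a real hash
SPK = bytes([OP_0, len(PROGRAM)]) + PROGRAM   # OP_0 <20-byte push>

def demo():
    """Returns (consensus result, result with the clean-stack policy flag)."""
    return legacy_verify(b"", SPK), legacy_verify(b"", SPK, cleanstack=True)

if __name__ == "__main__":
    print(demo())
```

The final stack holds two items, the empty vector from OP_0 and the 20-byte push, which is why the consensus check passes on the top item while the clean-stack policy check rejects it.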