5

In a transaction Tx, the hash pointer of the earlier transaction (say TxE) that serves as input to Tx must be signed by the sender S of Tx. This is to show that S was the recipient of TxE. It remains to show that S agrees with the output of Tx. At which stage does S sign the output of Tx? I assume (s)he does so. Else, what would prevent an attacker from looking at Tx just after S broadcasted it, and modify the output (so that he is the recipient) before rebroadcast?

In other words: The scriptSig proves the sender owns the input of Tx. What proves that the sender approves the output of the Tx?

rgds

P.S: the transaction I am considering atm is:

enter image description here

hartmut
  • 671
  • 5
  • 21

1 Answers1

4

The signature also signs the Pubkey Script and Amount (which together would represent what you reference as "output of Tx").

Quoting the Transaction section of the Developer's guide:

Bob’s secp256k1 signature doesn’t just prove Bob controls his private key; it also makes the non-signature-script parts of his transaction tamper-proof so Bob can safely broadcast them over the peer-to-peer network.

enter image description here
Image Source: Developer Guide: Transactions

As illustrated in the figure above, the data Bob signs includes the txid and output index of the previous transaction, the previous output’s pubkey script, the pubkey script Bob creates which will let the next recipient spend this transaction’s output, and the amount of satoshis to spend to the next recipient. In essence, the entire transaction is signed except for any signature scripts, which hold the full public keys and secp256k1 signatures.

Community
  • 1
Murch
  • 71,155
  • 33
  • 180
  • 600
  • 2
    I would note this is true for SIGHASH_ALL, but not the others. – Jimmy Song Jun 06 '16 at 19:25
  • 1
    Thank you very much; but I am not sure I fully understand. Indeed, I saw this picture before but I am not sure what its message is. Would someone be so kind as to explain it once more plz? – hartmut Jun 06 '16 at 22:13
  • @Murch Considering the picture I originally posted, do you mean that each of the scriptSig in Tx not only certifies the ownership of TxE's outputs, but also confirms Tx' s output? – hartmut Jun 06 '16 at 22:16
  • 2
    Yes, typically every input contains signatures that cover both the outputs of the previous transaction being spent, AND the outputs where the transaction containing the signatures sends them to. – Pieter Wuille Jun 06 '16 at 23:19
  • I other words: it is not just signing to prove ownership, but it proves agreement with the transaction. – Pieter Wuille Jun 07 '16 at 00:22
  • @Pieter Wuille. Thanks for this explanation. Apologies for being a nit-picky but: which signature covers what? Or is it that a same signature covers outputs and inputs? – hartmut Jun 07 '16 at 07:20
  • 2
    Every signature covers both inputs and outputs. The diagram and the linked Developer Guide explain that in much more detail than I can put in a comment. – Pieter Wuille Jun 07 '16 at 08:07
  • The figure does not make sense because it suggests that the signed data covers everything from left to right including the private key. Furthermore the link needs to be updated. – phinz Nov 10 '21 at 20:06