Some background
I have fooled around a bit with "stupid" scripts and their corresponding P2SH addresses ("3"-format). I have written about some findings, for example here. (And to be clear, I don't mean so-called wrapped P2WPKH-P2SH addresses; those are "3-addresses" too, but, on the contrary, do have private keys, rely on ECC and so forth - very different from "pure" P2SH.)
To mention one, the stupid anyone-can-spend script "OP_1" is 0x51 in hexadecimal and is easily converted to the public address like so (Python 3):
>>> import binascii, hashlib, base58, bitcoinutils
>>> from bitcoinutils import bech32
>>> script = '51'  # the one-byte script OP_1
>>> hash160 = hashlib.new('ripemd160', hashlib.sha256(binascii.unhexlify(script)).digest()).hexdigest()
>>> p2sh_b58 = base58.b58encode_check(binascii.unhexlify('05' + hash160)).decode()  # 0x05 = mainnet P2SH version byte
>>> print(p2sh_b58)
3MaB7QVq3k4pQx3BhsvEADgzQonLSBwMdj
This public address, 3MaB7QVq3k4pQx3BhsvEADgzQonLSBwMdj, has at the time of writing 790 transactions.
Now, what is interesting is that you only need fundamental insights into Bitcoin raw transactions to spend from this address; here is the most recent outgoing transaction:
0100000001d34fe68a3c6054aae1e092fb5e395a7e72c99783a05c010d2be298e318a0248100000000020151ffffffff01080700000000000017a914a89aec4cd53e6d74215332459b7fea3ec4aca9758700000000
Now, you can't create such a transaction in Bitcoin Core or Electrum, but it is easy enough to do in Notepad++. The magic is the Sigscript right before the ffffffff separator, which is Bitcoin script for simply saying "push OP_1 onto the stack", and voilà - you control the coins.
No ECC or private key involved. Simple. And stupid. Because of its anyone-can-spend nature.
The real question - do Bech32 P2SH addresses exist?
Until just recently, I believed that all Bech32 addresses - the by-now-not-so-new "bc1" format - are either P2WPKH or P2WSH, which means they behave more or less like legacy addresses, and the only difference is that the raw transactions are constructed differently (the Sigscript must be empty and witness data must be presented as a new entity, after the receiving address - we call this segwit and it's pretty cool), but one sentence in the Bitcoin Wiki made me wonder:
https://en.bitcoin.it/wiki/List_of_address_prefixes
First table: "Bech32 pubkey hash or script hash" (my underlining)
What is this? Do they actually mean script hash (SH) and not witness script hash (WSH)? If so, then there are "real" Bech32 P2SH addresses, right? (Or is the wiki written sloppily?)
So, I did some testing and converted "stupid" scripts (like in the introduction) to their Bech32 addresses, using this code:
>>> p2sh_b32 = bitcoinutils.bech32.encode('bc', 0, list(binascii.unhexlify(hash160)))  # witness version 0, 20-byte program
>>> print(p2sh_b32)
bc1qmgt5t6d4fx7sh7s626vhr3m7hgcv6kjt450t6x
OK, so bc1qmgt5t6d4fx7sh7s626vhr3m7hgcv6kjt450t6x has to date never been used, suggesting this is uncharted territory.
But - I then tried a slight variation, i.e.
script = <short series of opcodes>
which led me to a Bech32 address that in early 2017 received more than 1 BTC.
For natural reasons, I will not write it out here, as they have never been spent.
The key question (pun intended) is then how one would go about spending from such an address. Because if we take a look at one typical spend from a Bech32 P2WPKH address (I picked this transaction, 4bce99b9f78fd0d5d7d52dd41b6c406577c59ee5f6105541683fe527f6c3f43c, at random), its raw transaction is
0100000000010128746e138c008ca1c61ebd8d3b7d5d9e8e2d4375d59690661e3f70d0b1de8ca300000000000000000001c9896c000000000017a914269ef48bf373a19deaa94b32cae5cbe3c93062fb8702483045022100b893c9d2f1b2525e84e9bb31c016a65f4891f6a954fc1c0c1d06189bcc8ae65002205e1f3b5de07be06775cd141a4e1e187c41ad03a1c6955b21568079482aef8648012102a5daf09e8da80f53edca8c8e59a5f4a6363a7b94cfbffb9c9240d4b2e239d1dd00000000
Let's skip a few numbers and cut to the chase, the witness program (last in the serialized output, because of segwit). In this example it is (cheating by converting to a JSON object):
"witness": [
    "3045022100b893c9d2f1b2525e84e9bb31c016a65f4891f6a954fc1c0c1d06189bcc8ae65002205e1f3b5de07be06775cd141a4e1e187c41ad03a1c6955b21568079482aef864801",
    "02a5daf09e8da80f53edca8c8e59a5f4a6363a7b94cfbffb9c9240d4b2e239d1dd"
]
Alright, clearly some signing has been performed here, using a private key. In the first instance, we fairly easily find the r- and s-values (after the code separator "02"), and the second instance is simply the public key (not to be confused with the public address).
Then we have a problem with the maybe-P2SH Bech32 address I found - because I know its script, which means I can neither know its public key nor create signatures, since there is no private key for it.
The big question is - is it spendable? I have been trying to read up on BIP173 and valid structures for segwit witnesses, but find the documentation vague and elusive.
Remember how easy it was to spend from the "normal stupid" P2SH address above by simply pushing 3 bytes of data in the Sigscript? For Bech32 and segwit, the Sigscript must always be empty, which creates an interesting obstacle.
Is it possible to construct witnesses for what I know is a Bech32 address, or at least an attempt to make one, an address that has had more than 1 BTC untouched since 2017? The whole address is the product of one simple script, and there is no cryptography involved at all.
Is it possible to construct "stupid" "020151"-like witnesses for this address and assemble a valid raw transaction that can be broadcast without errors (i.e. accepted by the majority of the network), or is it simply so that Bech32 is never P2SH (despite what the wiki says)?
Looking forward to hearing your thoughts on this. (For what it's worth, I have a smaller collection of Bech32 P2SH addresses with positive balances according to the blockchain and it would feel bad if they were forever stuck there because of a programming error or something.)
TL;DR
Do Bech32 P2SH addresses exist, and if they do, how do you construct valid transactions from them? Many thanks!
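As an added, self-contained example (not code from the post, and using no third-party packages), the derivations from the post side by side: the same script encoded as a P2SH address, as a BIP141 P2WSH address (32-byte v0 program = SHA256 of the script), and as the bech32 string of its hash160 (a 20-byte v0 program, which BIP141 defines as a public key hash). The Base58Check and Bech32 encoders, the function names and the sample script are all constructed here.

```python
import hashlib

# Constructed sample input: the anyone-can-spend script "OP_1" (0x51) from the post.
SCRIPT = bytes.fromhex("51")
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"  # BIP173 Bech32 alphabet

def sha256(b): return hashlib.sha256(b).digest()
def hash160(b): return hashlib.new("ripemd160", sha256(b)).digest()

def b58check(payload):
    # Base58Check: payload || first 4 bytes of double-SHA256; each leading zero byte becomes '1'
    data = payload + sha256(sha256(payload))[:4]
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out

def bech32_polymod(values):
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top, chk = chk >> 25, ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            chk ^= gen[i] if (top >> i) & 1 else 0
    return chk

def bech32_encode(hrp, version, program):
    # BIP173 Bech32 (checksum constant 1, as used for witness v0): version, 5-bit regrouped program, checksum
    acc, bits, data = 0, 0, [version]
    for byte in program:
        acc, bits = (acc << 8) | byte, bits + 8
        while bits >= 5:
            bits -= 5
            data.append((acc >> bits) & 31)
    if bits:
        data.append((acc << (5 - bits)) & 31)
    hrp_exp = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    pm = bech32_polymod(hrp_exp + data + [0] * 6) ^ 1
    return hrp + "1" + "".join(CHARSET[d] for d in data + [(pm >> 5 * (5 - i)) & 31 for i in range(6)])

def addresses(script):
    h = hash160(script)
    return {
        "p2sh": b58check(b"\x05" + h),                    # 0x05 = mainnet P2SH; spent by revealing the script
        "p2wsh": bech32_encode("bc", 0, sha256(script)),  # BIP141: 32-byte v0 program = SHA256(script)
        "v0_of_hash160": bech32_encode("bc", 0, h),       # BIP141: a 20-byte v0 program is a pubkey hash (P2WPKH)
    }
```

Calling `addresses(SCRIPT)` reproduces the post's two derivations under "p2sh" and "v0_of_hash160" and adds the P2WSH form; the comments state which hash each witness-program length is defined to carry.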