Bitcoin Digital Signature

[Picard78]

Hello Bitcoin Expert,

I was wondering if the entire Transaction is included in the Signature and then came across the below post where Pieter Wuille makes the following statement:

What is being signed is indeed (a modified version of) the entire transaction. The details are complex (see the question linked to be the answer), but most importantly, the transaction inputs are stripped before signing (as otherwise, the signature would need to sign itself before signing, which is computationally infeasible). – Pieter Wuille Jan 24 '13 at 12:14

https://bitcoin.stackexchange.com/questions/7253/signing-bitcoin-transactions

I don't understand how the transaction inputs can be stripped before signing.  If only the Output is signed then a Miner could simply inject another UTXO from the same Bitcoin address and utilize the same Signature and give himself a big Tip (large transaction fee)

Thank you.

[AdolfinWolf]

My limited understanding is as follows, and please someone correct me if i'm wrong:
How can they be signed before the transaction is constructed?

Consider the resulting scriptSig of an input as follows:

Code:

 <sig> <pubkey>

Considering the signature is created using the tx data (double SHA-256 hash of the entire script), it becomes clear that it is impossible to have the input scriptSig before signing the transaction.

https://bitcoin.stackexchange.com/questions/3374/how-to-redeem-a-basic-tx

so, only at #14 we have our tx data, after which we can construct our scriptSig.

This simultaneously explains that by using the scriptPubKey to generate our tx data, it will be impossible to insert a different UTXO, as the signature will not verify. (Consider we verify the signature by taking the public key of the scriptSig, hash it, check it against scriptPubKey, and then subsequently verify the signature.)

Note that this is only for 1 input, 1 output.

[NotATether]

My limited understanding is as follows, and please someone correct me if i'm wrong:

~

I think you're right. According to your link, the scriptSig of the transaction is filled with the scriptPubKey of the UTXO.

5. Now comes the scriptSig. For the purpose of signing the transaction, this is temporarily filled with the scriptPubKey of the output we want to redeem. First we write a one-byte varint which denotes the length of the scriptSig (0x19 = 25 bytes): 19

6. Then we write the temporary scriptSig which, again, is the scriptPubKey of the output we want to redeem: 76a914010966776006953d5567439e5e39f86a0d273bee88ac

It makes a temporary signature out of that, then creates another scriptSig putting the signature length + 1 as an opcode form, then the signature, then the public key length in opcode form, then the public key.

Then the initial scriptSig is replaced with the final scriptSig without signing a second time. A few other changes are made, and then the transaction is ready to be broadcasted.


For multiple UTXOs I think that each one is signed in the same way above, according to https://bitcoin.stackexchange.com/questions/92155/signing-a-raw-transaction-with-multiple-inputs, and then the signed inputs are combined together in one large transaction. So the same scriptSig generation process should also follow here.

[pooya87]

I don't understand how the transaction inputs can be stripped before signing.

input means the entire txin that consists of outpoint (tx hash and the index of the output being spent in that tx) the signature script and sequence. the inputs are not entirely stripped, only the signature script is emptied because there is no way to know the signature before signing the transaction.
a tx with 2 inputs and 2 outputs (to put simply):
[version][hash][index][sig_scr][seq][hash][index][sig_scr][seq][txout1][txout2][locktime]
to sign this for input 1 with SIGHASH_ALL you modify it like this:
SHA256d([version][hash][index][pub_scr][seq][hash][index][0][seq][txout1][txout2][locktime])
to sign for input 2:
SHA256d([version][hash][index][0][seq][hash][index][pub_scr][seq][txout1][txout2][locktime])

If only the Output is signed then a Miner could simply inject another UTXO from the same Bitcoin address and utilize the same Signature and give himself a big Tip (large transaction fee)

no they can't do that. as you are saying yourself the outputs are signed that means the output can not change. even if the miner (or anybody else) added any other inputs they are just putting more money in that transaction that has a fixed output.

in fact this option also exists in bitcoin with another signature hash type called SIGHASH_ANYONECANPAY where you only sign 1 input that is yours and ignore everything else. it gives the option for others to add other inputs but you could sign all outputs and make sure no matter what others added the receiving end remains the same.

[Picard78]

the inputs are not entirely stripped, only the signature script is emptied because there is no way to know the signature before signing the transaction.

That makes more sense now.  

SHA256d([version][hash][index][pub_scr][seq][hash][index][0][seq][txout1][txout2][locktime])
to sign for input 2:
SHA256d([version][hash][index][0][seq][hash][index][pub_scr][seq][txout1][txout2][locktime])

Why not [sig_scr] = 0 in all instances before signing?  Is there some benefit to making it [pub_scr] instead of 0?

[pooya87]

Why not [sig_scr] = 0 in all instances before signing?  Is there some benefit to making it [pub_scr] instead of 0?

i'm not really sure, i believe it was asked before but i can't find the link anywhere on SE or here.
i think it had something to do with OP_CodeSeparator and the way Satoshi thought scripts could be used.