|
|
Line 10: |
Line 10: |
| </pre> | | </pre> |
| | | |
− | ==Abstract==
| + | {{BipMoved|bip-0018.mediawiki|BIP 0018}} |
− | | |
− | This BIP modifies the basic format of transaction inputs and outputs, replacing the current scriptSig and scriptPubKey (scripts executed to validate a transaction) with new contents: dataSig, scriptCheck, and hashScriptCheck.
| |
− | | |
− | ==Motivation==
| |
− | | |
− | The purpose of pay-to-script-hash is to move the responsibility for supplying the conditions to redeem a transaction from the sender of the funds to the redeemer.
| |
− | | |
− | The benefit is allowing a sender to fund any arbitrary transaction, no matter how complicated, using a fixed-length 20-byte hash that is short enough to scan from a QR code or easily copied and pasted.
| |
− | | |
− | ==Specification==
| |
− | | |
− | scriptSig and scriptPubKey are hereby deemed to be deprecated.
| |
− | Bitcoin-compatible clients MUST still continue to support them for compatibility, but it should not be used for any new transaction types.
| |
− | Services and people which send Bitcoins SHOULD continue to support old pubkey-based addresses for the time being.
| |
− | Services and people which receive Bitcoins MAY continue to generate and use old pubkey-based addresses.
| |
− | | |
− | To replace these, there are 3 new elements:
| |
− | * dataSig is included in place of scriptSig in transaction inputs, and contains multiple serialized data elements
| |
− | * scriptCheck is the final element of dataSig, and is executed with the preceding dataSig elements preloaded onto the stack (the element immediately before scriptCheck is the top of the stack)
| |
− | * hashScriptCheck is included in place of scriptPubKey in transaction outputs, to specify the hash of the scriptCheck allowed to redeem it
| |
− | | |
− | dataSig is to be encoded the same as a push-only script.
| |
− | | |
− | hashScriptCheck must be encoded exactly so:
| |
− | | |
− | 0xa9 0x14 (20-byte-hash-value) 0x87
| |
− | | |
− | This can be interpreted by legacy (pre-BIP 18) clients as the following script:
| |
− | | |
− | OP_HASH160 [20-byte-hash-value] OP_EQUAL
| |
− | | |
− | If this template is not matched exactly OR the transaction is in a block with a timestamp before the hashScriptCheck activation date, validation MUST proceed in backward-compatibility mode, using scriptSig+scriptPubKey rather than dataSig+scriptCheck+hashScriptCheck.
| |
− | | |
− | A hashScriptCheck-compliant input is valid only if:
| |
− | * dataSig MUST NOT contain any operations other than "push data" (it is data, not a script; no mixing scriptSig with hashScriptCheck)
| |
− | * scriptCheck MUST hash (using Bitcoin's Hash160 algorithm) to the output's hashScriptCheck.
| |
− | * scriptCheck MUST be executed with the dataSig-based stack specified above (ie, not including scriptCheck itself) to perform validation (this does not imply clients are required to validate transactions).
| |
− | * scriptCheck must not abort, and must leave a true value on the top of the stack. This is the current behaviour for scriptSig+scriptPubKey.
| |
− | | |
− | The new scriptCheck SHOULD be checked against "standard transaction" templates by miners.
| |
− | | |
− | For example, the hashScriptCheck and corresponding dataSig for a one-signature-required transaction is:
| |
− | | |
− | scriptCheck: [pubkey] OP_CHECKSIG
| |
− | dataSig: [signature] {[pubkey] OP_CHECKSIG}
| |
− | hashScriptCheck: [20-byte-hash of {[pubkey] OP_CHECKSIG}]
| |
− | | |
− | ===Signature operation limits for scriptCheck===
| |
− | | |
− | Signature operations in scriptCheck do not follow the same rules previously applied to scriptSig and scriptPubKey.
| |
− | Instead, they shall contribute to the maximum number allowed per block (20,000) as follows:
| |
− | | |
− | # OP_CHECKSIG and OP_CHECKSIGVERIFY count as 1 signature operation, whether or not they are evaluated.
| |
− | # OP_CHECKMULTISIG and OP_CHECKMULTISIGVERIFY immediately preceded by OP_1 through OP_16 are counted as 1 to 16 signature operation, whether or not they are evaluated.
| |
− | # All other OP_CHECKMULTISIG and OP_CHECKMULTISIGVERIFY are counted as 20 signature operations.
| |
− | | |
− | Examples:
| |
− | | |
− | +3 signature operations:
| |
− | 2 [pubkey1] [pubkey2] [pubkey3] 3 OP_CHECKMULTISIG
| |
− | | |
− | +22 signature operations
| |
− | OP_CHECKSIG OP_IF OP_CHECKSIGVERIFY OP_ELSE OP_CHECKMULTISIGVERIFY OP_ENDIF
| |
− | | |
− | ==Rationale==
| |
− | | |
− | This BIP replaces BIPs 12 and 17, which propose extensions to the Script system to allow scriptPubKey to outsource its verification.
| |
− | It also replaces BIP 16, which is identical in terms of protocol, but suggests a specific implementation and does not deprecate scriptPubKey to maintain protocol consistency.
| |
− | | |
− | The Motivation for this BIP (and BIP 13, the pay-to-script-hash address type) is somewhat controversial; several people feel that it is unnecessary, and complex/multisignature transaction types should be supported by simply giving the sender the complete {serialized script}. The author believes that this BIP will minimize the changes needed to all of the supporting infrastructure that has already been created to send funds to a base58-encoded-20-byte bitcoin addresses, allowing merchants and exchanges and other software to start supporting multisignature transactions sooner.
| |
− | | |
− | The signature operation counting rules are intended to be easy and quick to implement by statically scanning scriptCheck.
| |
− | Bitcoin imposes a maximum-number-of-signature-operations per block to prevent denial-of-service attacks on miners.
| |
− | If there was no limit, a rogue miner might broadcast a block that required hundreds of thousands of ECDSA signature operations to validate, and it might be able to get a head start computing the next block while the rest of the network worked to validate the current one.
| |
− | | |
− | There is a 1-confirmation attack on old implementations, but it is expensive and difficult in practice. The attack is:
| |
− | | |
− | # Attacker creates a pay-to-script-hash transaction that is valid when interpreted as scriptPubKey, but contains an invalid scriptCheck, and sends themselves some coins using it.
| |
− | # Attacker also creates a standard transaction that spends the pay-to-script transaction, and pays the victim who is running old software.
| |
− | # Attacker mines a block that contains both transactions.
| |
− | | |
− | If the victim accepts the 1-confirmation payment, then the attacker wins because both transactions will be invalidated when the rest of the network overwrites the attacker's invalid block.
| |
− | | |
− | The attack is expensive because it requires the attacker create a block that they know will be invalidated by the rest of the network. It is difficult because creating blocks is difficult and users should not accept 1-confirmation transactions for higher-value transactions.
| |
− | | |
− | ==Backwards Compatibility==
| |
− | | |
− | hashScriptCheck transactions are non-standard to old implementations, which will (typically) not relay them nor include them in blocks.
| |
− | | |
− | Old implementations will validate that scriptCheck's hash value matches when they validate blocks created by software that fully support this BIP, but will do no other validation.
| |
− | | |
− | Avoiding a block-chain split by malicious pay-to-script transactions requires careful handling of one case:
| |
− | | |
− | * A pay-to-script-hash transaction that is invalid for new clients/miners but valid for old clients/miners.
| |
− | | |
− | To gracefully upgrade and ensure no long-lasting block-chain split occurs, more than 50% of miners must support full validation of the new transaction type and must switch from the old validation rules to the new rules at the same time.
| |
− | | |
− | To judge whether or not more than 50% of hashing power supports this BIP, miners are asked to upgrade their software and put the string "/P2SH/" in the input of the coinbase transaction for blocks that they create.
| |
− | | |
− | At 00:00:00 UTC on 15 Mar 2012, the block-chain will be examined to determine the number of blocks supporting pay-to-script-hash for the previous 7 days. If 550 or more contain "/P2SH/" in their coinbase, then all blocks with timestamps after 00:00:00 UTC on 1 Apr 2012 shall have their pay-to-script-hash transactions fully validated. Approximately 1,000 blocks are created in a week; 550 should, therefore, be approximately 55% of the network supporting the new feature.
| |
− | | |
− | If a majority of hashing power does not support the new validation rules, then rollout will be postponed (or rejected if it becomes clear that a majority will never be achieved).
| |
− | | |
− | ==Forwards Compatibility ==
| |
− | The first two bytes of hashScriptCheck specify the hash algorithm and length used to verify scriptCheck.
| |
− | This BIP only allows Bitcoin's Hash160 algorithm, but leaves open the possibility of a future BIP implementing others.
| |
− | | |
− | ==Reference Implementation==
| |
− | | |
− | https://github.com/gavinandresen/bitcoin-git/tree/pay_to_script_hash
| |
− | | |
− | ==See Also==
| |
− | | |
− | * The [[BIP 0013|Address format for Pay to Script Hash BIP]]
| |
− | * [[BIP 16|BIP 16 - Pay to Script Hash (aka "/P2SH/")]]
| |
− | * M-of-N Multisignature Transactions [[BIP 0011|BIP 11]]
| |
| | | |
| [[Category:BIP]] | | [[Category:BIP]] |