diff --git a/bip-0143.mediawiki b/bip-0143.mediawiki index 4c6503b3..d39fdd8e 100644 --- a/bip-0143.mediawiki +++ b/bip-0143.mediawiki @@ -1,4 +1,4 @@ -
+
   BIP: 143
   Title: Transaction Signature Verification for Version 0 Witness Program
   Author: Johnson Lau 
@@ -28,37 +28,41 @@ A new transaction digest algorithm is defined, but only applicable to sigops in
      2. hashPrevouts (32-byte hash)
      3. hashSequence (32-byte hash)
      4. outpoint (32-byte hash + 4-byte little endian) 
-     5. scriptCode of the input (varInt for the length + script)
+     5. scriptCode of the input (serialized as scripts inside CTxOuts)
      6. value of the output spent by this input (8-byte little endian)
      7. nSequence of the input (4-byte little endian)
      8. hashOutputs (32-byte hash)
      9. nLocktime of the transaction (4-byte little endian)
     10. sighash type of the signature (4-byte little endian)
 
-All components in the original algorithm, including the behavior OP_CODESEPERATOR, remains unchanged. The only difference is the way of serialization and the inclusion of amount being spent.
+Semantics of the original sighash types remain unchanged, except the followings:
+# The way of serialization is changed;
+# All sighash types commit to the amount being spent by the signed input;
+# FindAndDelete of the signature is not applied to the scriptCode;
+# SINGLE does not commit to the input index. When ANYONECANPAY is not set, the semantics are unchanged since hashPrevouts and outpoint together implictly commit to the input index. When SINGLE is used with ANYONECANPAY, omission of the index commitment allows permutation of the input-output pairs, as long as each pair is located at an equivalent index.
 
 The items 1, 4, 7, 9, 10 have the same meaning as the original algorithm. 
 
 The item 5:
 *For P2WPKH witness program, the scriptCode is 0x1976a914{20-byte-pubkey-hash}88ac.
 *For P2WSH witness program,
-**if the witnessScript does not contain any OP_CODESEPERATOR, the scriptCode is a varInt for the length of the witnessScript, followed by the witnessScript.
-**if the witnessScript contains any OP_CODESEPERATOR, the scriptCode is the evaluated script, with all OP_CODESEPARATOR and everything up to the last OP_CODESEPARATOR before the signature checking opcode being executed removed, and prepended by a varInt for the length of the truncated script.
+**if the witnessScript does not contain any OP_CODESEPERATOR, the scriptCode is the witnessScript serialized as scripts inside CTxOuts.
+**if the witnessScript contains any OP_CODESEPERATOR, the scriptCode is the evaluated script, with all OP_CODESEPARATOR and everything up to the last OP_CODESEPARATOR before the signature checking opcode being executed removed, serialized as scripts inside CTxOuts.
 
 The item 6 is a 8-byte value of the amount of bitcoin spent in this input.
 
 hashPrevouts:
-*If the ANYONECANPAY flag is not set, hashPrevouts is the double SHA256 of the serialization of all input outpoints;
+*If the ANYONECANPAY flag is not set, hashPrevouts is the double SHA256 of the serialization of all input outpoints;
 *Otherwise, hashPrevouts is a uint256 of 0x0000......0000.
 
 hashSequence:
-*If none of the ANYONECANPAY, SINGLE, NONE sighash type is set, hashSequence is the double SHA256 of the serialization of nSequence of all inputs;
+*If none of the ANYONECANPAY, SINGLE, NONE sighash type is set, hashSequence is the double SHA256 of the serialization of nSequence of all inputs;
 *Otherwise, hashSequence is a uint256 of 0x0000......0000.
 
 hashOutputs:
-*If the sighash type is neither SINGLE nor NONE, hashOutputs is the double SHA256 of the serialization of all output value (8-byte little endian) with scriptPubKey (varInt for the length + script);
-*If sighash type is SINGLE and the input index is not greater than the number of outputs, hashOutputs is the double SHA256 of the output value with scriptPubKey of the same index as the input;
-*Otherwise, hashOutputs is a uint256 of 0x0000......0000.
+*If the sighash type is neither SINGLE nor NONE, hashOutputs is the double SHA256 of the serialization of all output value (8-byte little endian) with scriptPubKey (serialized as scripts inside CTxOuts);
+*If sighash type is SINGLE and the input index is not greater than the number of outputs, hashOutputs is the double SHA256 of the output value with scriptPubKey of the same index as the input;
+*Otherwise, hashOutputs is a uint256 of 0x0000......0000.In the original algorithm, a uint256 of 0x0000......0001 is commited if the input index for a SINGLE signature is greater than the number of outputs. In this BIP a 0x0000......0000 is commited, without changing the semantics.
 
 The hashPrevouts, hashSequence, and hashOutputs calculated in an earlier verification may be reused in other inputs of the same transaction, so that the time complexity of the whole hashing process reduces from O(n2) to O(n).
 
@@ -195,7 +199,7 @@ As a soft fork, older software will continue to operate without modification. No
 
 == Reference Implementation ==
 
-https://github.com/sipa/bitcoin/commits/segwit
+https://github.com/bitcoin/bitcoin/pull/7910
 
 == References ==