Complex Scripts: Segregated Witness | Saylor Academy

Segregated Witness

Segregated Witness (segwit) is an upgrade to the bitcoin consensus rules and network protocol, proposed and implemented as a BIP-9 soft-fork that was activated on bitcoin's mainnet on August 1st, 2017.

In cryptography, the term "witness" is used to describe a solution to a cryptographic puzzle. In bitcoin terms, the witness satisfies a cryptographic condition placed on an unspent transaction output (UTXO).

In the context of bitcoin, a digital signature is one type of witness, but a witness is more broadly any solution that can satisfy the conditions imposed on an UTXO and unlock that UTXO for spending. The term "witness" is a more general term for an "unlocking script" or "scriptSig."

Before segwit's introduction, every input in a transaction was followed by the witness data that unlocked it. The witness data was embedded in the transaction as part of each input. The term segregated witness, or segwit for short, simply means separating the signature or unlocking script of a specific output. Think "separate scriptSig," or "separate signature" in the simplest form.

Segregated Witness therefore is an architectural change to bitcoin that aims to move the witness data from the scriptSig (unlocking script) field of a transaction into a separate witness data structure that accompanies a transaction. Clients may request transaction data with or without the accompanying witness data.

In this section we will look at some of the benefits of Segregated Witness, describe the mechanism used to deploy and implement this architecture change, and demonstrate the use of Segregated Witness in transactions and addresses.

Segregated Witness is defined by the following BIPs:

BIP-141

The main definition of Segregated Witness.

BIP-143

Transaction Signature Verification for Version 0 Witness Program

BIP-144

Peer Services – New network messages and serialization formats

BIP-145

getblocktemplate Updates for Segregated Witness (for mining)

BIP-173

Base32 address format for native v0-16 witness outputs

Why Segregated Witness?

Segregated Witness is an architectural change that has several effects on the scalability, security, economic incentives, and performance of bitcoin:

Transaction Malleability

By moving the witness outside the transaction data, the transaction hash used as an identifier no longer includes the witness data. Since the witness data is the only part of the transaction that can be modified by a third party (see Transaction identifiers), removing it also removes the opportunity for transaction malleability attacks. With Segregated Witness, transaction hashes become immutable by anyone other than the creator of the transaction, which greatly improves the implementation of many other protocols that rely on advanced bitcoin transaction construction, such as payment channels, chained transactions, and lightning networks.

Script Versioning

With the introduction of Segregated Witness scripts, every locking script is preceded by a script version number, similar to how transactions and blocks have version numbers. The addition of a script version number allows the scripting language to be upgraded in a backward-compatible way (i.e., using soft fork upgrades) to introduce new script operands, syntax, or semantics. The ability to upgrade the scripting language in a nondisruptive way will greatly accelerate the rate of innovation in bitcoin.

Network and Storage Scaling

The witness data is often a big contributor to the total size of a transaction. More complex scripts such as those used for multisig or payment channels are very large. In some cases these scripts account for the majority (more than 75%) of the data in a transaction. By moving the witness data outside the transaction data, Segregated Witness improves bitcoin's scalability. Nodes can prune the witness data after validating the signatures, or ignore it altogether when doing simplified payment verification. The witness data doesn't need to be transmitted to all nodes and does not need to be stored on disk by all nodes.

Signature Verification Optimization

Segregated Witness upgrades the signature functions (CHECKSIG, CHECKMULTISIG, etc.) to reduce the algorithm's computational complexity. Before segwit, the algorithm used to produce a signature required a number of hash operations that was proportional to the size of the transaction. Data-hashing computations increased in O(n2) with respect to the number of signature operations, introducing a substantial computational burden on all nodes verifying the signature. With segwit, the algorithm is changed to reduce the complexity to O(n).

Offline Signing Improvement

Segregated Witness signatures incorporate the value (amount) referenced by each input in the hash that is signed. Previously, an offline signing device, such as a hardware wallet, would have to verify the amount of each input before signing a transaction. This was usually accomplished by streaming a large amount of data about the previous transactions referenced as inputs. Since the amount is now part of the commitment hash that is signed, an offline device does not need the previous transactions. If the amounts do not match (are misrepresented by a compromised online system), the signature will be invalid.

How Segregated Witness Works

At first glance, Segregated Witness appears to be a change to how transactions are constructed and therefore a transaction-level feature, but it is not. Rather, Segregated Witness is a change to how individual UTXO are spent and therefore is a per-output feature.

A transaction can spend Segregated Witness outputs or traditional (inline-witness) outputs or both. Therefore, it does not make much sense to refer to a transaction as a "Segregated Witness transaction". Rather we should refer to specific transaction outputs as "Segregated Witness outputs".

When a transaction spends an UTXO, it must provide a witness. In a traditional UTXO, the locking script requires that witness data be provided inline in the input part of the transaction that spends the UTXO. A Segregated Witness UTXO, however, specifies a locking script that can be satisfied with witness data outside of the input (segregated).

Course Introduction

Course Syllabus

Unit 1: Introduction to Bitcoin Technology

1.1: What is Bitcoin?

What is Bitcoin?

Bitcoin: A Peer-to-Peer Electronic Cash System

1.2: P2P Networks

The Bitcoin Network

1.3: Ledger Entries

Bitcoin Transactions

1.4: Intro to Consensus

Understanding Consensus

1.5: Decentralization and Balance of Power

Consensus Algorithms, Blockchain Technology, and Bitcoin

1.6: Open Systems

Why Open Blockchains Matter

1.7: Exercise: Look Up a Transaction on a Blockchain Explorer

Exercise: Look Up a Transaction on a Blockchain Explorer

Study Session Review Video

CS120: Bitcoin for Developers I | Study Session Unit 1

Unit 1 Assessment

Unit 1 Assessment

Unit 2: Cryptographic Algorithms

2.1: What is Cryptography?

What is Cryptography?

2.2: Cryptographic Keys

Keys and Addresses

2.3: The Basics of Hashing

Cryptographic Hash Functions

2.4: Keys and Transaction Signatures

Digital Signatures

2.5: Keys and Bitcoin Addresses

Keys and Bitcoin Addresses

Can Someone Guess My Crypto Private Key?

2.6: Exercise: Encrypt and Decrypt Data

Exercise: Encrypt and Decrypt Data

Study Session Review Video

CS120: Bitcoin for Developers I | Study Session Unit 2

Unit 2 Assessment

Unit 2 Assessment

Unit 3: Signatures and Transactions

3.1: What is a Digital Signature?

What are Cryptographic Primitives?

3.2: Exercise: Sign and Validate Data

Exercise: Sign and Validate Data

3.3: Introduction to Bitcoin Transactions

More on Bitcoin Transactions

3.4: How Bitcoin Transactions Use Signatures

Elliptic Curve Signatures

Locking Scripts and Transaction Verification

Study Session Review Video

CS120: Bitcoin for Developers I | Study Session Unit 3

Unit 3 Assessment

Unit 3 Assessment

Unit 4: Hashing and Mining

4.1: What is a Hash?

Hash Functions, Mining, and Addresses

4.2: Hashing Algorithms

Hashing Algorithms

4.3: Exercise: Hash Something

Exercise: Hash Something

4.4: Hashing and Bitcoin Mining

Mining and Consensus

Mining Fees, Block Data, Block Headers, and Proof-of-Work

How Is the Number of Zeros in the Target Hash Determined?

4.5: Exercise: Try a Mining Simulator

Exercise: Try a Mining Simulator

4.6: Merkle Trees

Merkle Trees

Study Session Review Video

CS120: Bitcoin for Developers I | Study Session Unit 4

Unit 4 Assessment

Unit 4 Assessment

Unit 5: Bitcoin Data

5.1: How Bitcoin Transmits Data on the Network

More on the Bitcoin Network

SVP Nodes

5.2: Bitcoin Addresses and Keys

Base58

Data Encoding