0

in bip 143 for creating a witness signature it describes what needs to be serialized/signed. One thing that the doc seems to be missing is how to determine WHICH outpoint to use. So in these transactions there are multiple txins in each example, and they always seem to just pick one of them?

For example from the Native P2WPKH in bip 143

The following is an unsigned transaction:
    0100000002fff7f7881a8099afa6940d42d1e7f6362bec38171ea3edf433541db4e4ad969f0000000000eeffffffef51e1b804cc89d182d279655c3aa89e815b1b309fe287d9b2b55d57b90ec68a0100000000ffffffff02202cb206000000001976a9148280b37df378db99f66f85c95a783a76ac7a6d5988ac9093510d000000001976a9143bde42dbee7e4dbe6a21b2d50ce2f0167faa815988ac11000000
    
    nVersion:  01000000
    txin:      02 fff7f7881a8099afa6940d42d1e7f6362bec38171ea3edf433541db4e4ad969f 00000000 00 eeffffff
                  ef51e1b804cc89d182d279655c3aa89e815b1b309fe287d9b2b55d57b90ec68a 01000000 00 ffffffff
    txout:     02 202cb20600000000 1976a9148280b37df378db99f66f85c95a783a76ac7a6d5988ac
                  9093510d00000000 1976a9143bde42dbee7e4dbe6a21b2d50ce2f0167faa815988ac
    nLockTime: 11000000
  
  The first input comes from an ordinary P2PK:
    scriptPubKey : 2103c9f4836b9a4f77fc0d81f7bcb01b7f1b35916864b9476c241ce9fc198bd25432ac value: 6.25
    private key  : bbc27228ddcb9209d7fd6f36b02f7dfa6252af40bb2f1cbc7a557da8027ff866
    
  The second input comes from a P2WPKH witness program:
    scriptPubKey : 00141d0f172a0ecb48aee1be1f2687d2963ae33f71a1, value: 6
    private key  : 619c335025c7f4012e556c2a58b2506e30b8511b53ade95ea316fd8c3286feb9
    public key   : 025476c2e83188368da1ff3e292e7acafcdb3566bb0ad253f62fc70f07aeee6357
    
  To sign it with a nHashType of 1 (SIGHASH_ALL):
  
  hashPrevouts:
    dSHA256(fff7f7881a8099afa6940d42d1e7f6362bec38171ea3edf433541db4e4ad969f00000000ef51e1b804cc89d182d279655c3aa89e815b1b309fe287d9b2b55d57b90ec68a01000000)
  = 96b827c8483d4e9b96712b6713a7b68d6e8003a781feba36c31143470b4efd37
  
  hashSequence:
    dSHA256(eeffffffffffffff)
  = 52b0a642eea2fb7ae638c36f6252b6750293dbe574a806984b8e4d8548339a3b
  
  hashOutputs:
    dSHA256(202cb206000000001976a9148280b37df378db99f66f85c95a783a76ac7a6d5988ac9093510d000000001976a9143bde42dbee7e4dbe6a21b2d50ce2f0167faa815988ac)
  = 863ef3e1a92afbfdb97f31ad0fc7683ee943e9abcf2501590ff8f6551f47e5e5
  
  hash preimage: 0100000096b827c8483d4e9b96712b6713a7b68d6e8003a781feba36c31143470b4efd3752b0a642eea2fb7ae638c36f6252b6750293dbe574a806984b8e4d8548339a3bef51e1b804cc89d182d279655c3aa89e815b1b309fe287d9b2b55d57b90ec68a010000001976a9141d0f172a0ecb48aee1be1f2687d2963ae33f71a188ac0046c32300000000ffffffff863ef3e1a92afbfdb97f31ad0fc7683ee943e9abcf2501590ff8f6551f47e5e51100000001000000
  
    nVersion:     01000000
    hashPrevouts: 96b827c8483d4e9b96712b6713a7b68d6e8003a781feba36c31143470b4efd37
    hashSequence: 52b0a642eea2fb7ae638c36f6252b6750293dbe574a806984b8e4d8548339a3b
    outpoint:     ef51e1b804cc89d182d279655c3aa89e815b1b309fe287d9b2b55d57b90ec68a01000000
    scriptCode:   1976a9141d0f172a0ecb48aee1be1f2687d2963ae33f71a188ac
    amount:       0046c32300000000
    nSequence:    ffffffff
    hashOutputs:  863ef3e1a92afbfdb97f31ad0fc7683ee943e9abcf2501590ff8f6551f47e5e5
    nLockTime:    11000000
    nHashType:    01000000

you can see that there are 2 txins and only one outpoint used in the signature, and this is pretty much true for all the examples. It does not say anywhere in bip143 HOW you choose. Any advice is greatly appreciated.

Improve this question

1 Answer 1

Reset to default
1

When you are creating signatures, you are signing for a specific input in the transaction. That specific input has a corresponding outpoint, so you use its outpoint in the sighash.

In the examples given, the sighashes for all of the inputs are given. So for each input, it makes a sighash using the outpoint for that input.

In this example, if you are signing for input 1, then you use the outpoint fff7f7881a8099afa6940d42d1e7f6362bec38171ea3edf433541db4e4ad969f00000000. If you are signing for input 2, you use the outpoint ef51e1b804cc89d182d279655c3aa89e815b1b309fe287d9b2b55d57b90ec68a01000000.

Improve this answer
4
  • so then you would have to have 2 witness signatures, each with with the hashPrevouts including ALL the inputs? Also that example doesn't appear to have 2 sighashes, that example clearly only has one?is this example incorrect?
    – noone392
    Commented Jun 15, 2021 at 21:28
  • 2
    I think Andrew missed that the first input isn't a segwit output, so it doesn't use BIP143. In this case, for the second input, the output you substitute is the output being spent in the second input.
    – Pieter Wuille
    Commented Jun 15, 2021 at 22:39
  • 2
    @noone392 Yes, if your transaction has two inputs requiring witness signatures, then there will be 2 witness signatures. hashPrevouts will include all of the outpoints, but in order for a sighash to apply to a specific input, the outpoint for that particular input is included explicitly. This example only has 1 witness sighash because there is only 1 witness input which I did not notice earlier.
    – Ava Chow
    Commented Jun 15, 2021 at 22:46
  • Thank you guys a ton for the help. I am not sure it would be possible to come up to speed without just reverse engineering the core if it wasn't for the experts spending their time.
    – noone392
    Commented Jun 15, 2021 at 23:05

Not the answer you're looking for? Browse other questions tagged or ask your own question.