Why didn't Bitcoin implement segwit in the first place?

Why didn't Bitcoin implement segwit in the first place?

Why and how does non-segwit Bitcoin enable a miner to change a transaction's txid?

From Mastering Bitcoin ch. 7 § "Transaction identifiers":

Before segwit, transactions could have their signatures subtly modified by third parties, changing their transaction ID (hash) without changing any fundamental properties (inputs, outputs, amounts).

bitcoin-core segregated-witness transaction-id

asked 1 hour ago by Geremia

2 Answers

Why didn't Bitcoin implement segwit in the first place?

Nobody thought of it at the time. There wasn't interest in things like off-chain scaling at the time.

Why and how does non-segwit Bitcoin enable a miner to change a transaction's txid?

The signature for each input only covers critical parameters of the transaction such as who it makes payments to and how much. It is possible to modify the transaction and preserve the signature validity by not changing anything critical. Since the transaction ID is the hash of the entire transaction, changing even a single byte in the transaction completely changes the transaction ID.

answered 43 mins ago by David Schwartz

• Transaction malleability totally messed up the original wallet and would cause effective funds loss (the wallet would never release coins for respending when killed by parent tx malleability). It was just an un-thought of vulnerability. Segwit is desirable without any thought to off-chain anything, and was first proposed in 2012 without any reference to its importance for smart contracts.
  – G. Maxwell, 26 mins ago

• Had anyone thought of the malleability probably in the early days, it would likely have led to a smaller change just to fix malleability, not segwit. But, of course, counterfactuals are hard to establish.
  – David Schwartz, 24 mins ago

• That isn't at all clear to me, both the full data and the witnessless data must be committed to, no matter how it's constructed. When we created segwit we first did it as a from scratch redo for elements with no need to be compatible and only later realized we could retrofit it into Bitcoin. The two versions were almost identical. As a result I think it's likely that if the flaw was originally known the solution would be equivalent at a high level description level, other than also supporting the old style-- of course.
  – G. Maxwell, 22 mins ago

Why didn't Bitcoin implement segwit in the first place?

The reason Bitcoin didn't initially have SegWit is up to interpretation; I would say that it simply was not thought of prior to transaction malleability. Although that is not its only goal. Segregated Witness was an idea proposed in BIP 141 as a soft-fork, meaning it did not require an entire network upgrade. Due to the nature of a soft-fork, it is backwards compatible with previous versions of the Bitcoin software. Over time, it has been gradually adopted.

Why and how does non-segwit Bitcoin enable a miner to change a transaction's txid?

Mastering Bitcoin is referring to something called transaction malleability. Traditionally, the txid was a hash of ALL the data in the transaction including the signatures. Transaction malleability meant a signature could be slightly modified such that the txid would be changed entirely while the signature still remained valid.

As David has mentioned in his own answer:

changing even a single byte in the transaction completely changes the transaction ID.

This created an opportunity for a "Denial-of-Service" attack where, while the transaction was still valid, and every part of the transaction would have the same inputs/outputs, nodes could reject modified transactions and prevent them from confirming. With SegWit, the signatures (as implied by the name "Segregated Witness") are no longer part of this hash, eliminating the issue entirely.

I recommend reading this article for more information on how exactly it is done in practice.

edited 24 mins ago
answered 40 mins ago by KappaDev
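
The hashing behaviour both answers describe, as an added example that is not part of the original posts: it serializes a legacy and a segwit transaction (BIP 144 layout), computes the txid and the BIP 141 wtxid, and shows a check a wallet can use to recognize a re-encoded copy of the same payment. The signature and key bytes are constructed placeholders (no signature is verified), and `payment_fingerprint` and `is_malleated_copy` are hypothetical helper names.

```python
import hashlib
import struct
from dataclasses import dataclass

def dsha256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def varint(n: int) -> bytes:
    # Bitcoin CompactSize length prefix
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + struct.pack("<H", n)
    if n <= 0xFFFFFFFF:
        return b"\xfe" + struct.pack("<I", n)
    return b"\xff" + struct.pack("<Q", n)

def varbytes(b: bytes) -> bytes:
    return varint(len(b)) + b

@dataclass
class TxIn:
    prev_txid: bytes            # 32 bytes, internal byte order
    vout: int
    script_sig: bytes = b""     # legacy: signature and public key live here
    witness: tuple = ()         # segwit: signature and public key live here
    sequence: int = 0xFFFFFFFF

@dataclass
class Tx:
    vin: list
    vout: list                  # (value_in_satoshi, script_pubkey) pairs
    version: int = 1
    locktime: int = 0

def serialize(tx: Tx, with_witness: bool = False, blank_script_sig: bool = False) -> bytes:
    has_wit = with_witness and any(i.witness for i in tx.vin)
    out = struct.pack("<i", tx.version)
    if has_wit:
        out += b"\x00\x01"      # BIP 144 marker and flag
    out += varint(len(tx.vin))
    for i in tx.vin:
        sig = b"" if blank_script_sig else i.script_sig
        out += i.prev_txid + struct.pack("<I", i.vout) + varbytes(sig)
        out += struct.pack("<I", i.sequence)
    out += varint(len(tx.vout))
    for value, script_pubkey in tx.vout:
        out += struct.pack("<q", value) + varbytes(script_pubkey)
    if has_wit:
        for i in tx.vin:
            out += varint(len(i.witness)) + b"".join(varbytes(w) for w in i.witness)
    return out + struct.pack("<I", tx.locktime)

def txid(tx: Tx) -> str:
    # Hash of the serialization WITHOUT witness data; scriptSig is included.
    return dsha256(serialize(tx))[::-1].hex()

def wtxid(tx: Tx) -> str:
    # BIP 141: hash of the serialization WITH witness data.
    return dsha256(serialize(tx, with_witness=True))[::-1].hex()

def payment_fingerprint(tx: Tx) -> str:
    # Hypothetical wallet-side id: same outpoints, outputs and locktime, scriptSig ignored.
    return dsha256(serialize(tx, blank_script_sig=True)).hex()

def is_malleated_copy(a: Tx, b: Tx) -> bool:
    return payment_fingerprint(a) == payment_fingerprint(b) and txid(a) != txid(b)

# Constructed sample data: placeholders, not real keys, signatures or outpoints.
PREV = bytes.fromhex("11" * 32)
PUBKEY = b"\x02" + b"\xaa" * 32
SIG_A = b"\x30" + b"\x01" * 70      # stands in for the original signature encoding
SIG_B = b"\x30" + b"\x02" * 70      # stands in for a different encoding of it
OUTS = [(50_000, bytes.fromhex("76a914" + "22" * 20 + "88ac"))]

def push(b: bytes) -> bytes:
    return bytes([len(b)]) + b      # direct script push, valid for len < 0x4c

def legacy(sig: bytes) -> Tx:
    return Tx([TxIn(PREV, 0, script_sig=push(sig) + push(PUBKEY))], OUTS)

def segwit(sig: bytes) -> Tx:
    return Tx([TxIn(PREV, 0, witness=(sig, PUBKEY))], OUTS, version=2)

if __name__ == "__main__":
    for name, make in (("legacy", legacy), ("segwit", segwit)):
        a, b = make(SIG_A), make(SIG_B)
        print(name, "txid equal:", txid(a) == txid(b), "| flagged copy:", is_malleated_copy(a, b))
```

A wallet that matches transactions by the outpoints they spend, as `is_malleated_copy` does, can treat the confirmed variant as the same payment instead of waiting on a txid that never confirms.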
