Why didn't Bitcoin implement segwit in the first place?
Why didn't Bitcoin implement segwit in the first place?
Why and how does non-segwit Bitcoin enable a miner to change a transaction's txid?
From Mastering Bitcoin ch. 7 § "Transaction identifiers":
Before segwit, transactions could have their signatures subtly modified by third parties, changing their transaction ID (hash) without changing any fundamental properties (inputs, outputs, amounts).
bitcoin-core segregated-witness transaction-id
asked 1 hour ago
Geremia
2 Answers
Why didn't Bitcoin implement segwit in the first place?
Nobody thought of it at the time. There wasn't interest in things like off-chain scaling at the time.
Why and how does non-segwit Bitcoin enable a miner to change a transaction's txid?
The signature for each input only covers critical parameters of the transaction such as who it makes payments to and how much. It is possible to modify the transaction and preserve the signature validity by not changing anything critical. Since the transaction ID is the hash of the entire transaction, changing even a single byte in the transaction completely changes the transaction ID.
answered 43 mins ago
David Schwartz
Transaction malleability totally messed up the original wallet and would cause effective funds loss (the wallet would never release coins for respending when killed by parent tx malleability). It was just an un-thought of vulnerability. Segwit is desirable without any thought to off-chain anything, and was first proposed in 2012 without any reference to its importance for smart contracts.
– G. Maxwell
26 mins ago
Had anyone thought of the malleability problem in the early days, it would likely have led to a smaller change just to fix malleability, not segwit. But, of course, counterfactuals are hard to establish.
– David Schwartz
24 mins ago
That isn't at all clear to me, both the full data and the witnessless data must be committed to, no matter how it's constructed. When we created segwit we first did it as a from scratch redo for elements with no need to be compatible and only later realized we could retrofit it into Bitcoin. The two versions were almost identical. As a result I think it's likely that if the flaw was originally known the solution would be equivalent at a high level description level, other than also supporting the old style-- of course.
– G. Maxwell
22 mins ago
Why didn't Bitcoin implement segwit in the first place?
The reason Bitcoin didn't initially have SegWit is up to interpretation; I would say that it simply was not thought of prior to transaction malleability, although that is not its only goal. Segregated Witness was an idea proposed in BIP 141 as a soft-fork, meaning it did not require an entire network upgrade. Due to the nature of a soft-fork, it is backwards compatible with previous versions of the Bitcoin software. Over time, it has been gradually adopted.
Why and how does non-segwit Bitcoin enable a miner to change a transaction's txid?
Mastering Bitcoin is referring to something called transaction malleability. Traditionally, the txid was a hash of ALL the data in the transaction including the signatures. Transaction malleability meant a signature could be slightly modified such that the txid would be changed entirely while the signature still remained valid.
As David has mentioned in his own answer:
changing even a single byte in the transaction completely changes the transaction ID.
This created an opportunity for a "Denial-of-Service" attack where while the transaction was still valid, and every part of the transaction would have the same inputs/outputs, nodes could reject modified transactions and prevent them from confirming. With SegWit, the signatures (as implied by the name "Segregated Witness") are no longer part of this hash, eliminating the issue entirely.
I recommend reading this article for more information on how exactly it is done in practice.
edited 24 mins ago
answered 40 mins ago
KappaDev
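An added example, not part of either answer and not Bitcoin Core code: a minimal Python serializer that computes txid and wtxid for a legacy spend and a segwit spend, and checks whether an unconfirmed child still points at its parent after the parent's signature bytes change. The signatures, key, scripts and transactions are constructed placeholders, and no signature is actually verified.

```python
import hashlib
import struct

def dsha256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def varint(n: int) -> bytes:
    """CompactSize encoding (only the sizes this example needs)."""
    return bytes([n]) if n < 0xfd else b"\xfd" + struct.pack("<H", n)

def varbytes(b: bytes) -> bytes:
    return varint(len(b)) + b

def serialize(tx: dict, with_witness: bool) -> bytes:
    """Legacy serialization, or the witness serialization with marker and flag."""
    has_wit = with_witness and any(i["witness"] for i in tx["inputs"])
    out = struct.pack("<i", tx["version"])
    if has_wit:
        out += b"\x00\x01"                       # marker + flag
    out += varint(len(tx["inputs"]))
    for i in tx["inputs"]:
        out += bytes.fromhex(i["prev_txid"])[::-1] + struct.pack("<I", i["vout"])
        out += varbytes(i["script_sig"]) + struct.pack("<I", 0xFFFFFFFF)
    out += varint(len(tx["outputs"]))
    for value, script_pubkey in tx["outputs"]:
        out += struct.pack("<q", value) + varbytes(script_pubkey)
    if has_wit:
        for i in tx["inputs"]:
            out += varint(len(i["witness"])) + b"".join(varbytes(w) for w in i["witness"])
    return out + struct.pack("<I", tx["locktime"])

def txid(tx: dict) -> str:
    """Hash of the serialization WITHOUT witness data."""
    return dsha256(serialize(tx, False))[::-1].hex()

def wtxid(tx: dict) -> str:
    """Hash of the full serialization (equals txid when there is no witness)."""
    return dsha256(serialize(tx, True))[::-1].hex()

# --- constructed sample data: not real keys, signatures or transactions ---
SIG_A = b"\x30" + b"\xaa" * 70    # stands in for one encoding of a valid signature
SIG_B = b"\x30" + b"\xab" * 70    # stands in for a modified, still valid encoding
PUBKEY = b"\x02" + b"\xbb" * 32
FUNDING = "11" * 32               # txid of the coin being spent
DEST = b"\x00\x14" + b"\xcc" * 20

def push(b: bytes) -> bytes:      # direct script push, valid for len(b) < 76
    return bytes([len(b)]) + b

def make_tx(prev_txid: str, script_sig: bytes, witness: list, value: int = 50_000) -> dict:
    return {"version": 1, "locktime": 0, "outputs": [(value, DEST)],
            "inputs": [{"prev_txid": prev_txid, "vout": 0,
                        "script_sig": script_sig, "witness": witness}]}

def legacy_tx(sig: bytes) -> dict:   # signature in scriptSig: inside the txid preimage
    return make_tx(FUNDING, push(sig) + push(PUBKEY), [])

def segwit_tx(sig: bytes) -> dict:   # signature in the witness: outside the txid preimage
    return make_tx(FUNDING, b"", [sig, PUBKEY])

def child_survives(build) -> bool:
    """Does a child built on the SIG_A parent still reference the SIG_B parent?"""
    child = make_tx(txid(build(SIG_A)), b"", [], 40_000)
    return child["inputs"][0]["prev_txid"] == txid(build(SIG_B))
```

`child_survives(legacy_tx)` is false and `child_survives(segwit_tx)` is true: the legacy child is orphaned by the parent's new txid, which is the wallet failure described in the comments above.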