Why didn't Bitcoin implement segwit in the first place?

Clash Royale CLAN TAG#URR8PPP

up vote
1
down vote

favorite

Why didn't Bitcoin implement segwit in the first place?

Why and how does non-segwit Bitcoin enable a miner to change a transaction's txid?

From Mastering Bitcoin ch. 7 § "Transaction identifiers":

Before segwit, transactions could have their signatures subtly modified by third parties, changing their transaction ID (hash) without changing any fundamental properties (inputs, outputs, amounts).

bitcoin-core segregated-witness transaction-id

share|improve this question

asked 1 hour ago

Geremia

2,15212055

add a comment | 

up vote
1
down vote

favorite

Why didn't Bitcoin implement segwit in the first place?

Why and how does non-segwit Bitcoin enable a miner to change a transaction's txid?

From Mastering Bitcoin ch. 7 § "Transaction identifiers":

Before segwit, transactions could have their signatures subtly modified by third parties, changing their transaction ID (hash) without changing any fundamental properties (inputs, outputs, amounts).

bitcoin-core segregated-witness transaction-id

share|improve this question

asked 1 hour ago

Geremia

2,15212055

add a comment | 

up vote
1
down vote

favorite

up vote
1
down vote

favorite

Why didn't Bitcoin implement segwit in the first place?

Why and how does non-segwit Bitcoin enable a miner to change a transaction's txid?

From Mastering Bitcoin ch. 7 § "Transaction identifiers":

Before segwit, transactions could have their signatures subtly modified by third parties, changing their transaction ID (hash) without changing any fundamental properties (inputs, outputs, amounts).

bitcoin-core segregated-witness transaction-id

share|improve this question

asked 1 hour ago

Geremia

2,15212055

Why didn't Bitcoin implement segwit in the first place?

Why and how does non-segwit Bitcoin enable a miner to change a transaction's txid?

From Mastering Bitcoin ch. 7 § "Transaction identifiers":

Before segwit, transactions could have their signatures subtly modified by third parties, changing their transaction ID (hash) without changing any fundamental properties (inputs, outputs, amounts).

bitcoin-core segregated-witness transaction-id

bitcoin-core segregated-witness transaction-id

share|improve this question

asked 1 hour ago

Geremia

2,15212055

share|improve this question

asked 1 hour ago

Geremia

2,15212055

share|improve this question

share|improve this question

asked 1 hour ago

Geremia

2,15212055

asked 1 hour ago

Geremia

2,15212055

asked 1 hour ago

Geremia

2,15212055

2,15212055

add a comment | 

add a comment | 

2 Answers
2

active

oldest

votes

up vote
1
down vote

Why didn't Bitcoin implement segwit in the first place?

Nobody thought of it at the time. There wasn't interest in things like off-chain scaling at the time.

Why and how does non-segwit Bitcoin enable a miner to change a transaction's txid?

The signature for each input only covers critical parameters of the transaction such as who it makes payments to and how much. It is possible to modify the transaction and preserve the signature validity by not changing anything critical. Since the transaction ID is the hash of the entire transaction, changing even a single byte in the transaction completely changes the transaction ID.

share|improve this answer

answered 43 mins ago

David Schwartz

45.1k491163

• 
  
  
  

  
  

  
  
  
  
  
  

  
  Transaction malleability totally messed up the original wallet and would cause effective funds loss (the wallet would never release coins for respending when killed by parent tx malleability). It was just an un-thought of vulnerability. Segwit is desirable without any thought to off-chain anything, and was first proposed in 2012 without any reference to it importance for smart contracts.
  – G. Maxwell
  26 mins ago
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  Had anyone thought of the malleability probably in the early days, it would likely have lead to a smaller change just to fix malleability, not segwit. But, of course, counterfactuals are hard to establish.
  – David Schwartz
  24 mins ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  That isn't at all clear to me, both the full data and the witnessless data must be committed to, no matter how it's constructed. When we created segwit we first did it as a from scratch redo for elements with no need to be compatible and only later realized we could retrofit it into Bitcoin. The two versions were almost identical. As a result I think it's likely that if the flaw was originally known the solution would be equivalent at a high level description level, other than also supporting the old style-- of course.
  – G. Maxwell
  22 mins ago
  
  

  
  
  
  

add a comment | 

up vote
1
down vote

Why didn't Bitcoin implement segwit in the first place?

The reason Bitcoin didn't initially have SegWit is up to interpretation, I would say that it simply was not thought of prior to transaction malleability. Although that is not its only goal. Segregated Witness was an idea proposed in BIP 141 as a soft-fork, meaning it did not require an entire network upgrade. Due to the nature of a soft-fork, it is backwards compatible with previous versions of the Bitcoin software. Over time, it has been gradually adopted.

Why and how does non-segwit Bitcoin enable a miner to change a transaction's txid?

Mastering Bitcoin is referring to something called transaction malleability. Traditionally, the txid was a hash of ALL the data in the transaction including the signatures. Transaction malleability meant a signature could be slightly modified such that the txid would be changed entirely while the signature still remained valid.

As David has mentioned in his own answer:

changing even a single byte in the transaction completely changes the transaction ID.

This created an opportunity for a "Denial-of-Service" attack where while the transaction was still valid, and every part of the transaction would have the same inputs/outputs, nodes could reject modified transactions and prevent them from confirming. With SegWit, the signatures (as implied by the name "Segregated Witness") are no longer part of this hash. Eliminating the issue entirely.

I recommend reading this article for more information on how exactly it is done in practice.

share|improve this answer

edited 24 mins ago

answered 40 mins ago

KappaDev

155114

add a comment | 

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "308"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: false,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

 

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fbitcoin.stackexchange.com%2fquestions%2f80466%2fwhy-didnt-bitcoin-implement-segwit-in-the-first-place%23new-answer', 'question_page');

);

Post as a guest

Name Email

2 Answers
2

active

oldest

votes

2 Answers
2

active

oldest

votes

active

oldest

votes

active

oldest

votes

up vote
1
down vote

Why didn't Bitcoin implement segwit in the first place?

Nobody thought of it at the time. There wasn't interest in things like off-chain scaling at the time.

Why and how does non-segwit Bitcoin enable a miner to change a transaction's txid?

The signature for each input only covers critical parameters of the transaction such as who it makes payments to and how much. It is possible to modify the transaction and preserve the signature validity by not changing anything critical. Since the transaction ID is the hash of the entire transaction, changing even a single byte in the transaction completely changes the transaction ID.

share|improve this answer

answered 43 mins ago

David Schwartz

45.1k491163

• 
  
  
  

  
  

  
  
  
  
  
  

  
  Transaction malleability totally messed up the original wallet and would cause effective funds loss (the wallet would never release coins for respending when killed by parent tx malleability). It was just an un-thought of vulnerability. Segwit is desirable without any thought to off-chain anything, and was first proposed in 2012 without any reference to it importance for smart contracts.
  – G. Maxwell
  26 mins ago
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  Had anyone thought of the malleability probably in the early days, it would likely have lead to a smaller change just to fix malleability, not segwit. But, of course, counterfactuals are hard to establish.
  – David Schwartz
  24 mins ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  That isn't at all clear to me, both the full data and the witnessless data must be committed to, no matter how it's constructed. When we created segwit we first did it as a from scratch redo for elements with no need to be compatible and only later realized we could retrofit it into Bitcoin. The two versions were almost identical. As a result I think it's likely that if the flaw was originally known the solution would be equivalent at a high level description level, other than also supporting the old style-- of course.
  – G. Maxwell
  22 mins ago
  
  

  
  
  
  

add a comment | 

up vote
1
down vote

Why didn't Bitcoin implement segwit in the first place?

Nobody thought of it at the time. There wasn't interest in things like off-chain scaling at the time.

Why and how does non-segwit Bitcoin enable a miner to change a transaction's txid?

The signature for each input only covers critical parameters of the transaction such as who it makes payments to and how much. It is possible to modify the transaction and preserve the signature validity by not changing anything critical. Since the transaction ID is the hash of the entire transaction, changing even a single byte in the transaction completely changes the transaction ID.

share|improve this answer

answered 43 mins ago

David Schwartz

45.1k491163

• 
  
  
  

  
  

  
  
  
  
  
  

  
  Transaction malleability totally messed up the original wallet and would cause effective funds loss (the wallet would never release coins for respending when killed by parent tx malleability). It was just an un-thought of vulnerability. Segwit is desirable without any thought to off-chain anything, and was first proposed in 2012 without any reference to it importance for smart contracts.
  – G. Maxwell
  26 mins ago
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  Had anyone thought of the malleability probably in the early days, it would likely have lead to a smaller change just to fix malleability, not segwit. But, of course, counterfactuals are hard to establish.
  – David Schwartz
  24 mins ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  That isn't at all clear to me, both the full data and the witnessless data must be committed to, no matter how it's constructed. When we created segwit we first did it as a from scratch redo for elements with no need to be compatible and only later realized we could retrofit it into Bitcoin. The two versions were almost identical. As a result I think it's likely that if the flaw was originally known the solution would be equivalent at a high level description level, other than also supporting the old style-- of course.
  – G. Maxwell
  22 mins ago
  
  

  
  
  
  

add a comment | 

up vote
1
down vote

up vote
1
down vote

Why didn't Bitcoin implement segwit in the first place?

Nobody thought of it at the time. There wasn't interest in things like off-chain scaling at the time.

Why and how does non-segwit Bitcoin enable a miner to change a transaction's txid?

The signature for each input only covers critical parameters of the transaction such as who it makes payments to and how much. It is possible to modify the transaction and preserve the signature validity by not changing anything critical. Since the transaction ID is the hash of the entire transaction, changing even a single byte in the transaction completely changes the transaction ID.

share|improve this answer

answered 43 mins ago

David Schwartz

45.1k491163

Why didn't Bitcoin implement segwit in the first place?

Nobody thought of it at the time. There wasn't interest in things like off-chain scaling at the time.

Why and how does non-segwit Bitcoin enable a miner to change a transaction's txid?

The signature for each input only covers critical parameters of the transaction such as who it makes payments to and how much. It is possible to modify the transaction and preserve the signature validity by not changing anything critical. Since the transaction ID is the hash of the entire transaction, changing even a single byte in the transaction completely changes the transaction ID.

share|improve this answer

answered 43 mins ago

David Schwartz

45.1k491163

share|improve this answer

share|improve this answer

answered 43 mins ago

David Schwartz

45.1k491163

answered 43 mins ago

David Schwartz

45.1k491163

answered 43 mins ago

David Schwartz

45.1k491163

45.1k491163

• 
  
  
  

  
  

  
  
  
  
  
  

  
  Transaction malleability totally messed up the original wallet and would cause effective funds loss (the wallet would never release coins for respending when killed by parent tx malleability). It was just an un-thought of vulnerability. Segwit is desirable without any thought to off-chain anything, and was first proposed in 2012 without any reference to it importance for smart contracts.
  – G. Maxwell
  26 mins ago
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  Had anyone thought of the malleability probably in the early days, it would likely have lead to a smaller change just to fix malleability, not segwit. But, of course, counterfactuals are hard to establish.
  – David Schwartz
  24 mins ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  That isn't at all clear to me, both the full data and the witnessless data must be committed to, no matter how it's constructed. When we created segwit we first did it as a from scratch redo for elements with no need to be compatible and only later realized we could retrofit it into Bitcoin. The two versions were almost identical. As a result I think it's likely that if the flaw was originally known the solution would be equivalent at a high level description level, other than also supporting the old style-- of course.
  – G. Maxwell
  22 mins ago
  
  

  
  
  
  

add a comment | 

• 
  
  
  

  
  

  
  
  
  
  
  

  
  Transaction malleability totally messed up the original wallet and would cause effective funds loss (the wallet would never release coins for respending when killed by parent tx malleability). It was just an un-thought of vulnerability. Segwit is desirable without any thought to off-chain anything, and was first proposed in 2012 without any reference to it importance for smart contracts.
  – G. Maxwell
  26 mins ago
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  Had anyone thought of the malleability probably in the early days, it would likely have lead to a smaller change just to fix malleability, not segwit. But, of course, counterfactuals are hard to establish.
  – David Schwartz
  24 mins ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  That isn't at all clear to me, both the full data and the witnessless data must be committed to, no matter how it's constructed. When we created segwit we first did it as a from scratch redo for elements with no need to be compatible and only later realized we could retrofit it into Bitcoin. The two versions were almost identical. As a result I think it's likely that if the flaw was originally known the solution would be equivalent at a high level description level, other than also supporting the old style-- of course.
  – G. Maxwell
  22 mins ago
  
  

  
  
  
  

Transaction malleability totally messed up the original wallet and would cause effective funds loss (the wallet would never release coins for respending when killed by parent tx malleability). It was just an un-thought of vulnerability. Segwit is desirable without any thought to off-chain anything, and was first proposed in 2012 without any reference to it importance for smart contracts.
– G. Maxwell
26 mins ago

Transaction malleability totally messed up the original wallet and would cause effective funds loss (the wallet would never release coins for respending when killed by parent tx malleability). It was just an un-thought of vulnerability. Segwit is desirable without any thought to off-chain anything, and was first proposed in 2012 without any reference to it importance for smart contracts.
– G. Maxwell
26 mins ago

Had anyone thought of the malleability probably in the early days, it would likely have lead to a smaller change just to fix malleability, not segwit. But, of course, counterfactuals are hard to establish.
– David Schwartz
24 mins ago

Had anyone thought of the malleability probably in the early days, it would likely have lead to a smaller change just to fix malleability, not segwit. But, of course, counterfactuals are hard to establish.
– David Schwartz
24 mins ago

That isn't at all clear to me, both the full data and the witnessless data must be committed to, no matter how it's constructed. When we created segwit we first did it as a from scratch redo for elements with no need to be compatible and only later realized we could retrofit it into Bitcoin. The two versions were almost identical. As a result I think it's likely that if the flaw was originally known the solution would be equivalent at a high level description level, other than also supporting the old style-- of course.
– G. Maxwell
22 mins ago

That isn't at all clear to me, both the full data and the witnessless data must be committed to, no matter how it's constructed. When we created segwit we first did it as a from scratch redo for elements with no need to be compatible and only later realized we could retrofit it into Bitcoin. The two versions were almost identical. As a result I think it's likely that if the flaw was originally known the solution would be equivalent at a high level description level, other than also supporting the old style-- of course.
– G. Maxwell
22 mins ago

add a comment | 

up vote
1
down vote

Why didn't Bitcoin implement segwit in the first place?

The reason Bitcoin didn't initially have SegWit is up to interpretation, I would say that it simply was not thought of prior to transaction malleability. Although that is not its only goal. Segregated Witness was an idea proposed in BIP 141 as a soft-fork, meaning it did not require an entire network upgrade. Due to the nature of a soft-fork, it is backwards compatible with previous versions of the Bitcoin software. Over time, it has been gradually adopted.

Why and how does non-segwit Bitcoin enable a miner to change a transaction's txid?

Mastering Bitcoin is referring to something called transaction malleability. Traditionally, the txid was a hash of ALL the data in the transaction including the signatures. Transaction malleability meant a signature could be slightly modified such that the txid would be changed entirely while the signature still remained valid.

As David has mentioned in his own answer:

changing even a single byte in the transaction completely changes the transaction ID.

This created an opportunity for a "Denial-of-Service" attack where while the transaction was still valid, and every part of the transaction would have the same inputs/outputs, nodes could reject modified transactions and prevent them from confirming. With SegWit, the signatures (as implied by the name "Segregated Witness") are no longer part of this hash. Eliminating the issue entirely.

I recommend reading this article for more information on how exactly it is done in practice.

share|improve this answer

edited 24 mins ago

answered 40 mins ago

KappaDev

155114

add a comment | 

up vote
1
down vote

Why didn't Bitcoin implement segwit in the first place?

The reason Bitcoin didn't initially have SegWit is up to interpretation, I would say that it simply was not thought of prior to transaction malleability. Although that is not its only goal. Segregated Witness was an idea proposed in BIP 141 as a soft-fork, meaning it did not require an entire network upgrade. Due to the nature of a soft-fork, it is backwards compatible with previous versions of the Bitcoin software. Over time, it has been gradually adopted.

Why and how does non-segwit Bitcoin enable a miner to change a transaction's txid?

Mastering Bitcoin is referring to something called transaction malleability. Traditionally, the txid was a hash of ALL the data in the transaction including the signatures. Transaction malleability meant a signature could be slightly modified such that the txid would be changed entirely while the signature still remained valid.

As David has mentioned in his own answer:

changing even a single byte in the transaction completely changes the transaction ID.

This created an opportunity for a "Denial-of-Service" attack where while the transaction was still valid, and every part of the transaction would have the same inputs/outputs, nodes could reject modified transactions and prevent them from confirming. With SegWit, the signatures (as implied by the name "Segregated Witness") are no longer part of this hash. Eliminating the issue entirely.

I recommend reading this article for more information on how exactly it is done in practice.

share|improve this answer

edited 24 mins ago

answered 40 mins ago

KappaDev

155114

add a comment | 

up vote
1
down vote

up vote
1
down vote

Why didn't Bitcoin implement segwit in the first place?

The reason Bitcoin didn't initially have SegWit is up to interpretation, I would say that it simply was not thought of prior to transaction malleability. Although that is not its only goal. Segregated Witness was an idea proposed in BIP 141 as a soft-fork, meaning it did not require an entire network upgrade. Due to the nature of a soft-fork, it is backwards compatible with previous versions of the Bitcoin software. Over time, it has been gradually adopted.

Why and how does non-segwit Bitcoin enable a miner to change a transaction's txid?

Mastering Bitcoin is referring to something called transaction malleability. Traditionally, the txid was a hash of ALL the data in the transaction including the signatures. Transaction malleability meant a signature could be slightly modified such that the txid would be changed entirely while the signature still remained valid.

As David has mentioned in his own answer:

changing even a single byte in the transaction completely changes the transaction ID.

This created an opportunity for a "Denial-of-Service" attack where while the transaction was still valid, and every part of the transaction would have the same inputs/outputs, nodes could reject modified transactions and prevent them from confirming. With SegWit, the signatures (as implied by the name "Segregated Witness") are no longer part of this hash. Eliminating the issue entirely.

I recommend reading this article for more information on how exactly it is done in practice.

share|improve this answer

edited 24 mins ago

answered 40 mins ago

KappaDev

155114

Why didn't Bitcoin implement segwit in the first place?

The reason Bitcoin didn't initially have SegWit is up to interpretation, I would say that it simply was not thought of prior to transaction malleability. Although that is not its only goal. Segregated Witness was an idea proposed in BIP 141 as a soft-fork, meaning it did not require an entire network upgrade. Due to the nature of a soft-fork, it is backwards compatible with previous versions of the Bitcoin software. Over time, it has been gradually adopted.

Why and how does non-segwit Bitcoin enable a miner to change a transaction's txid?

Mastering Bitcoin is referring to something called transaction malleability. Traditionally, the txid was a hash of ALL the data in the transaction including the signatures. Transaction malleability meant a signature could be slightly modified such that the txid would be changed entirely while the signature still remained valid.

As David has mentioned in his own answer:

changing even a single byte in the transaction completely changes the transaction ID.

This created an opportunity for a "Denial-of-Service" attack where while the transaction was still valid, and every part of the transaction would have the same inputs/outputs, nodes could reject modified transactions and prevent them from confirming. With SegWit, the signatures (as implied by the name "Segregated Witness") are no longer part of this hash. Eliminating the issue entirely.

I recommend reading this article for more information on how exactly it is done in practice.

share|improve this answer

edited 24 mins ago

answered 40 mins ago

KappaDev

155114

share|improve this answer

share|improve this answer

edited 24 mins ago

edited 24 mins ago

edited 24 mins ago

answered 40 mins ago

KappaDev

155114

answered 40 mins ago

KappaDev

155114

answered 40 mins ago

KappaDev

155114

155114

add a comment | 

add a comment | 

 

draft saved

draft discarded

 

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fbitcoin.stackexchange.com%2fquestions%2f80466%2fwhy-didnt-bitcoin-implement-segwit-in-the-first-place%23new-answer', 'question_page');

);

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Name Email

Name

Email

Name Email

Name

Email