Input validation in transactions

1

1

I'm just writing a small essay about the basics of BTC and I ran into a small problem.

I know, that there are digital signatures in our bitcoins' earlier transactions (our transaction inputs) and in the next owner's public key. How can the system verify, if the input is really from our earlier output? We can just use a random (unspent) output from an earlier block, can't we? I know that we are the next owner and our public key is in the transaction, but we can (and should) generate a a new public-private key for our next transaction, so the new private key won't match our "old" public key... What is that thing I don't know or understand?

Zoltán

Posted 2014-12-06T19:55:04.243

Reputation: 13

Answers

2

Starting from basics, each input spends a previous output:

Input spending output

To spend the output, the input has to include a reference to it (called an outpoint). This includes the TXID that included the output as well as the sequence number of that output in the transaction (called a vout for output vector).

Spending an output

In order for Alice to pay Bob in a pay-to-public-key-hash (P2PKH) output, Bob needs to create a private key (which he keeps secret), derive a public key, hash that public key (encoding it as a Bitcoin address), and then give that hash to Alice. Alice uses that hash in a P2PKH output in TX1.

Creating a P2PKH output

When Bob wants to later spend that output from TX1 (using it as an input), his computer gets the hash (address) from the TX1 output, finds the corresponding public key, inserts that public key into the signature script, then finds the corresponding private key in its secure database, and uses that key to create an ECDSA signature which it also adds to the signature script.

Creating a signature script

So only one keypair is used per output, although the same keypair may be used in multiple outputs. (This is called key reuse, and it's discouraged to improve privacy and, possibly, security.)

(The images above are from the Bitcoin.org Developer Guide transactions section, which is under the MIT license.)

David A. Harding

Posted 2014-12-06T19:55:04.243

Reputation: 10 154

One thing is not clear yet (anyway I accepted your answer). When I spend the coins from the previous transaction, I use another private key (because as I know unique keypairs should be used for every transaction), not that private key which is the pair of the public key included in the pubkey script, don't I? (yeah, I'm not familiar with this scripting system, yet)Zoltán 2014-12-06T20:45:01.527

I think you're confused about how addresses work. Give me a sec and I'll edit my answer.David A. Harding 2014-12-06T20:51:25.157

One more question, if you are still here and I'm not bothering you :) To put it in a nutshell, with the signing with earlier private keys I can prove that the earlier transactions were mine? So I also generate (maybe) an address when I spend these bitcoins, however I use private keys from my earlier transactions and this newly generated address is just for receiving the "change"...?Zoltán 2014-12-06T21:47:19.237

Right, signature A in TX2 mathematically corresponds to pubkey A in TX1's output in a provable way. TX2 may include pubkey B to return change to you. Pubkey B was created with a different private key than pubkey A.David A. Harding 2014-12-06T21:55:39.380

@Zoltán You can search matt thomas on youtube, his videos on bitcoin are very informative.Suraj Jain 2018-02-14T16:33:12.597

Asked: 2014-12-06T19:55:04.243

Viewed: 845 times

Active: 2014-12-06T21:06:25.540