How does Bitcoin verify signatures if addresses are one-way hashed

1

1

I'm stuck at understanding Bitcoin's transactions. So, the owner must sign the transaction with his private key, then miners can verify whether this signature matches his public key. However, the public key is hashed with three functions (RIPEMD160, SHA256 and Base58), and it's impossible to get the original ECDSA public key from the address. So how does the transaction verification actually work?

Yangrui

Posted 2016-11-30T15:14:07.890

Reputation: 477

Answers

4

The ECDSA public key is "included" in the new transaction (part of the scriptSig).

Details

This is an example output of a transaction (only the hash of the pubkey is available):

    "scriptPubKey": {
      "asm": "OP_DUP OP_HASH160 059be22aadc3bef6b673cb7a16247a0b7403d943 OP_EQUALVERIFY OP_CHECKSIG",
      "hex": "76a914059be22aadc3bef6b673cb7a16247a0b7403d94388ac",
      "reqSigs": 1,
      "type": "pubkeyhash",
      "addresses": [
        "mg2cQz9Y3ugyjfq8b2wTcW4veemgTBKxkX"
      ]
    }

The pubkey from the address above is 03788e5414ebec4a38032be706ae0c13870e320d916bb087ab7258fcf8c0111cbf (but it's not visible in the blockchain until the output gets spent. Only the recipient of the output above knows it.)

Using that output as an input in a later transaction will result in:

    "scriptSig": {
      "asm": "304402203b47249bfe6528dcf297c5888ad608a5c7227ea9f878df09a265c3318c1482e202204e8a8f17da505a6d20ceb4eb63fba2d8e2c5d0a792a0e280dcb18adeec68a05d[ALL] 03788e5414ebec4a38032be706ae0c13870e320d916bb087ab7258fcf8c0111cbf",
      "hex": "47304402203b47249bfe6528dcf297c5888ad608a5c7227ea9f878df09a265c3318c1482e202204e8a8f17da505a6d20ceb4eb63fba2d8e2c5d0a792a0e280dcb18adeec68a05d012103788e5414ebec4a38032be706ae0c13870e320d916bb087ab7258fcf8c0111cbf"
    },

  • 3044... is the DER-encoded ECDSA signature (the trailing [ALL] is the SIGHASH type byte, 0x01)
  • 03788... is the pubkey

Jonas Schnelli

Posted 2016-11-30T15:14:07.890

Reputation: 5 465

How is it decoded? Isn't SHA256 one-way only? (Yangrui, 2016-12-01T00:47:54.040)

SHA256 is a one-way hash function. Yes. You can't decode a public-key-hash into a public key. Only the recipient of the coins has the corresponding public key (in his wallet). There is no need to "decode". (Jonas Schnelli, 2016-12-01T08:23:13.290)

So, does this mean the recipient possesses the public key? But this doesn't explain how other people can't imitate the sender's signature if his public key is unknown... (Yangrui, 2016-12-01T09:15:18.203)

I think I understand now. So, for the input, the scriptSig contains both the sender's unhashed pubkey and signature, and the output contains the receiver's address, correct? (Yangrui, 2016-12-01T10:00:32.037)

Right. Input = expose pubkey (no longer relevant). (Jonas Schnelli, 2016-12-01T12:19:46.157)

Output = hash(pubkey) (no one knows the pubkey except the recipient). (Jonas Schnelli, 2016-12-01T12:20:04.520)
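The following is an added example, not code from the answer or from Bitcoin Core: it replays the part of P2PKH validation the answer describes, using the address, scriptPubKey hash and scriptSig quoted above. It decodes the Base58Check address back to the same 20-byte hash that sits in the scriptPubKey, pulls the signature and the revealed pubkey out of the scriptSig, and recomputes HASH160 of that pubkey for the OP_EQUALVERIFY comparison; OP_CHECKSIG over the spending transaction's digest is not shown because that transaction is not on the page, and the RIPEMD160 step is skipped (result None) on Python builds whose OpenSSL has no RIPEMD160.

```python
import hashlib

# Values copied from the answer above: the testnet P2PKH output and the scriptSig that later spends it.
ADDRESS = "mg2cQz9Y3ugyjfq8b2wTcW4veemgTBKxkX"
SCRIPT_PUBKEY_HASH = "059be22aadc3bef6b673cb7a16247a0b7403d943"
SCRIPT_SIG_HEX = ("47304402203b47249bfe6528dcf297c5888ad608a5c7227ea9f878df09a265c3318c1482e2"
                  "02204e8a8f17da505a6d20ceb4eb63fba2d8e2c5d0a792a0e280dcb18adeec68a05d01"
                  "2103788e5414ebec4a38032be706ae0c13870e320d916bb087ab7258fcf8c0111cbf")
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def address_to_hash160(addr):
    """Base58Check-decode an address into (version byte, 20-byte pubkey hash), checking the checksum."""
    n = 0
    for ch in addr:
        n = n * 58 + B58.index(ch)
    raw = n.to_bytes(25, "big")  # fixed width restores leading 0x00 bytes (leading '1' characters)
    payload, checksum = raw[:-4], raw[-4:]
    if hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] != checksum:
        raise ValueError("bad Base58Check checksum")
    return payload[0], payload[1:]

def parse_pushes(script):
    """Split a script made only of direct data pushes (opcodes 0x01..0x4b) into the pushed items."""
    items, i = [], 0
    while i < len(script):
        n = script[i]
        if not 1 <= n <= 0x4b:
            raise ValueError(f"unexpected opcode {n:#x} at offset {i}")
        items.append(script[i + 1:i + 1 + n])
        i += 1 + n
    return items

def hash160(data):
    """HASH160 = RIPEMD160(SHA256(data)); None when the local OpenSSL build has no RIPEMD160."""
    try:
        h = hashlib.new("ripemd160")
    except ValueError:
        return None
    h.update(hashlib.sha256(data).digest())
    return h.digest()

def check_p2pkh_input(script_sig_hex, script_pubkey_hash_hex):
    """Replay OP_DUP OP_HASH160 <hash> OP_EQUALVERIFY: the pubkey revealed in the scriptSig must hash
    to the value committed in the scriptPubKey (OP_CHECKSIG needs the spending tx digest, not done here)."""
    sig_with_type, pubkey = parse_pushes(bytes.fromhex(script_sig_hex))
    h = hash160(pubkey)
    return {"pubkey": pubkey.hex(),
            "der_signature": sig_with_type[:-1].hex(),
            "sighash_type": sig_with_type[-1],  # 0x01 = SIGHASH_ALL, shown as [ALL] in the asm
            "hash_matches": None if h is None else h.hex() == script_pubkey_hash_hex}
```

Calling `address_to_hash160(ADDRESS)` gives version byte 0x6f (testnet) plus exactly the hash from the scriptPubKey, which is why nothing about the pubkey can be "decoded" from the address: the address is just that hash with a prefix and checksum.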