3
1
According to the bitcoin wiki, the most common form of transaction (pay-to-pubkey-hash) looks like this:
scriptPubKey: OP_DUP OP_HASH160 <pubKeyHash> OP_EQUALVERIFY OP_CHECKSIG
scriptSig: <sig> <pubKey>
I am curious why OP_CHECKSIG comes at the end. Couldn't we check the signature even before doing the hash?
More precisely, couldn't it instead do:
scriptPubKey: OP_CHECKSIGVERIFY OP_DUP OP_HASH160 <pubKeyHash> OP_EQUAL
scriptSig: <pubKey> <sig>
This way you don't have to go through all the hashing if the pubkey and sig don't match to begin with.
I'm sure there's a good reason for this or i'm completely misunderstanding something, please enlighten me. Thank you!
aha i see. thanks for the answer. Just to make sure i understood completely, so if we do
scriptPubKey: OP_DUP OP_CHECKSIGVERIFY OP_HASH160 <pubKeyHash> OP_EQUALandscriptSig: <sig> <pubKey>, this would: 1. work; 2. but not efficient therefore not used because hashing is much faster than checksig? – Vlad – 2017-10-08T07:08:15.877Not quite. After OP_DUP, your stack will be <sig> <pubkey> <pubkey>. Invoking OP_CHECKSIGVERIFY at that point will do a verification with <pubkey> as signature. – Pieter Wuille – 2017-10-08T07:50:43.907
1What would work (but be inefficient): scriptSig={<pubkey> <sig>}, scriptPubKey={OP_OVER OP_CHECKSIGVERIFY OP_HASH160 <pubkeyhash> OP_EQUAL}. – Pieter Wuille – 2017-10-08T08:07:49.223
Actually, the scriptSig would be "<sig> <pubkey>" to use OP_OVER. If it was already "<pubkey> <sig>" the suggestion in the first comment would work, but it would require a change in the scriptSig, not only the scriptPubKey. – diego nunes – 2018-04-23T16:39:59.367