Because in my understanding I may provide a signature to unlock a txo
and someone uses my signature to change the locking scripts of those
TXs.
Taking a "P2PKH tx", the unlockscript requires some operations to be executed while spending a tx:
<sig><pubkey><OP_DUP><OP_HASH160>pk hash<OP_EQUALVERIFY><OP_CHECKSIG>
I have three scenarios here, when changing parts of the script fields:
1.) change <sig> and <pubkey>
a miner changes the part with a new signature and pubkey. Assuming the block raelly gets "through", the spender of the funds has a problem, cause his would not match to the hash of the anymore.
2.) change only the <sig>
a miner changes only the part with a new signature. Now the spender's would match the hash of the . However the last command <OP_CHECKSIG> would check the remaining parts on the stack (<new sig><pubkey>), and this would (obviously) fail.
3.) change the pubkey script
when anything in the pubkey script is changed, then the signature process will fail. During creat
ion of the signed transaction, the sigscipt area is filled with the pubkey script, and then signe
d. Later on, before transmitting the tx, the sciptsig area is replaced with <signature><pubkey>.
So when the block would be propagated to other nodes, they would verify this block and it's tx in
side, and discover a signature mismatch.
Pieter explained details here of the scriptsig here:
What are the parts of a Bitcoin Transaction "Input" script?
and two references that further help to understand:
1) http://www.righto.com/2014/02/bitcoins-hard-way-using-raw-bitcoin.html
2) Andreas' book "Mastering Bitcoin", 2nd Edition, page 135ff
Then my question is what is really signed in a bitcoin unlocking script. I was doing some research on the bitcoin script. And for a P2PKH TX, the stack pre final state is a pubkey, a signature and OP_CHECKVERIFY, No mention of which data was signed or to be verified. – OvGeny – 2018-01-10T07:39:53.547
The search term for that is the "sighash". It's a hash of a (modified version of) the spending transaction. It's modified because the signature would need to sign itself if it was included. BIP143 changes the sighash scheme. – Pieter Wuille – 2018-01-10T07:48:26.090
But conceptually, you can say that most signatures effectively sign the entire spending transaction. – Pieter Wuille – 2018-01-10T07:48:59.813
"But conceptually, you can say that most signatures effectively sign the entire spending transaction” Does that mean the signed data is the SHA 256 (TXOs) ? If so we might have a transaction with identical TXOs which might end up giving the same message digest. – OvGeny – 2018-01-10T08:00:58.187
What does TXO stand for? You can say that what is signed is the entire transaction (all inputs, all outputs), excluding the signatures themselves. – Pieter Wuille – 2018-01-10T08:03:14.967
I have just got to understand what really happens. Nevertheless Blockchains are currently poorly documented. I'm really thankful for the time you dedicate in explaining these technologies. – OvGeny – 2018-01-10T08:17:52.747
1
Here is a specification for the signature hashing scheme used in witness v0 spends: https://github.com/bitcoin/bips/blob/master/bip-0143.mediawiki#Specification
– Pieter Wuille – 2018-01-10T08:54:17.157