The Transaction Script
Learn transaction scripts that are used by Bitcoin in this lesson.
Script language
Bitcoin uses a stack-based script language, called Script, that supports
The language is very limited, e.g., it doesn’t allow more complex structures, such as loops, in order to avoid attacks on the transaction validation mechanism. Thus, there are only a few primitive operators in use.
Transaction validation: locking and unlocking script
The transaction validation process of Bitcoin relies on two different types of scripts, which
In summary, an output is locked by a script and can only be unlocked by an appropriate unlocking script of an input. The input is then allowed to spend an output if the unlocking script scriptSig satisfies the conditions that have been placed on the output by the locking script scriptPubKey.
Standard transaction script pay-to-public-key-hash
The Bitcoin protocol provides certain standard scripts for transactions. The most natural is:
-
Pay-to-public-key (P2PK): The original Bitcoin release provided transactions directly to a public key. The locking script scriptPubkey of the output specifies the condition for unlocking by the knowledge of the private key that corresponds to the public key. In order to do so, the recipient creates an unlocking script sigScript with only a signature created with the private key.
-
Pay-to-public-key-hash (P2PKH): This kind of transaction allows the spender to pay directly to an address. This is currently the most common transaction type in Bitcoin.
In this section, we explain how Alice can transfer cryptocurrencies to Bob by using the standard Pay-To-Public-Key-Hash (P2PKH) transaction type, which allows Alice to send a fund to a typical user address that is under Bob’s control, who is able to further transfer it to any other user of the Bitcoin network.
The most common transaction type in Bitcoin is pay-to-address. In this case, the outputs to be spent are locked with a Pay-To-Public-Key-Hash (P2PKH) script, i.e., the script that locks the outputs to a Bitcoin address (or to the public key hash). This output can then be unlocked by presenting a public key and an associated signature (created by ) in order to spend the funds. We assume that Alice wants to send currency units to a typical Bitcoin address that is under Bob’s control, which is later used to spend this transaction, as shown in this figure
According to the official
-
Creation of the locking script: At the beginning, Alice holds an output that’s under the control of her private key . Before Alice can create the transaction in order to release the output, Bob must first generate a corresponding ECC private and public key pair and according to Algorithm 1
, which uses the secp256k1 curve. Q is then cryptographically hashed to and subsequently encoded to the Bitcoin address by Algorithm 8: Algorithm_1 . Bob then provides his address to Alice, who decodes back into the standard hash . She now creates a P2PKH transaction output with a corresponding locking script scriptPubKey, which contains a spending condition that allows anyone to redeem that output who can prove he is in possession of the private key that corresponds to Bob’s hashed public key: Algorithm_8 The locking script scriptPubKey of the transaction output is of the form
where PubKeyHash is Bob’s hashed public key .
-
Broadcasting: Now, Alice broadcasts the transaction to the network, which categorizes the output as UTXO, and its corresponding amount appears in Bob’s wallet. So Bob’s wallet software displays that he is in possession of these funds. The transaction is later included by a miner into a new block of transactions and subsequently added to the blockchain.
-
Creation of the unlocking script: In order to spend the UTXO to Carol in a subsequent transaction, Bob must create an input that references the transaction Alice created by Bob’s hashed public key . Furthermore, Bob has to create the unlocking script scriptSig, which must meet the conditions Alice placed in the previous scriptPubKey. Bob’s scriptSig contains the following parts:
-
His full unhashed public key , which is needed for the scriptPubKey to check if hashes to the same value which Alice defined in her spending conditions.
-
An ECDSA signature according to this figure
, which combines the hash of the previous transaction and Carol’s hashed public key , signed with Bob’s private key . This allows scriptPubKey to verify that Bob really controls the private key which created: transactions_fig_1
So, the transaction input has an unlocking script scriptSig, which looks as follows:
where sig is Bob’s signature and PubKey is his public key , respectively.
-
-
Validation process: The validation process in Bitcoin requires both locking and unlocking the script in order to verify if scriptSig now satisfies all the conditions which Alice placed in her previous scriptPubKey. So, any P2PKH output that is locked by a scriptPubKey only can be unlocked by an appropriate scriptSig. Since Alice’s locking script doesn’t include Bob’s full public key but only a hash of it, Bob has to provide both his public key and a valid signature in his scriptSig in order to redeem the output. The validation process now concatenates both the scriptSig and scriptPubKey in order to evaluate the validity of the transaction such that the script now looks as
The stepwise script evaluation is shown in this Figure. In the first two steps, the two constants sig and PubKey which are provided by Bob’s unlocking script are pushed to the stack. Then duplicates the top item of the stack, which is actually PubKey , and adds it to the top of the stack. In the fourth step, hashes the top stack constant, Bob’s provided public key PubKey, twice with SHA256 and then with and pushes the resulting value PubKeyHashB to the top of the stack. The script now pushes the value PubKeyHash of the locking script to the top of the stack, which is subsequently compared with PubKeyHashB by the operator OP_EQUALVERIFY. If Bob has provided an address to Alice for the transaction that’s really diverted from his public key, the two top stack values match, and thus, both are removed from the stack and the script continues with the command OP_CHECKSIG, which checks Bob’s signature
In summary, the script verifies if Bob’s provided public key really hashes to , which is placed by Alice in her scriptPubKey, and subsequently checks the provided signature against . In doing so, Alice can verify that Bob really is in possession of the private key from which the public key and hence its hash was derived, which proves Bob’s control over . If the validation process finishes successfully, the unlocking script matches the conditions of the locking script, and therefore the input is considered a valid authorization to spend the UTXO. Otherwise, the input is invalid.
- Broadcasting: Now, Bob broadcasts the transaction to the Bitcoin network, where the transaction is independently validated by each Bitcoin node by executing the locking and unlocking scripts before broadcasting it further to other nodes.
Figure 1
Get hands-on with 1400+ tech skills courses.