
I'm stuck at understanding Bitcoin's transactions. So, the owner must sign the transaction with his private key, then miners can verify whether this signature matches his public key. However the public key is hashed with three functions (RIPEMD160, SHA256 and Base58) and it's impossible to get the original ECDSA public key from the address. So how does the transaction verification actually work?

Yangrui

1 Answer


The ECDSA public key is "included" in the new transaction (part of the scriptSig).

Details

This is an example output of a transaction (only the hash of the pubkey is available):

  "scriptPubKey": {
    "asm": "OP_DUP OP_HASH160 059be22aadc3bef6b673cb7a16247a0b7403d943 OP_EQUALVERIFY OP_CHECKSIG",
    "hex": "76a914059be22aadc3bef6b673cb7a16247a0b7403d94388ac",
    "reqSigs": 1,
    "type": "pubkeyhash",
    "addresses": [
      "mg2cQz9Y3ugyjfq8b2wTcW4veemgTBKxkX"
    ]
  }

The pubkey from the address above is 03788e5414ebec4a38032be706ae0c13870e320d916bb087ab7258fcf8c0111cbf (but it's not visible in the blockchain until the output gets spent. Only the recipient of the output above knows it.)

Using that output as an input in a later transaction will result in:

  "scriptSig": {
    "asm": "304402203b47249bfe6528dcf297c5888ad608a5c7227ea9f878df09a265c3318c1482e202204e8a8f17da505a6d20ceb4eb63fba2d8e2c5d0a792a0e280dcb18adeec68a05d[ALL] 03788e5414ebec4a38032be706ae0c13870e320d916bb087ab7258fcf8c0111cbf",
    "hex": "47304402203b47249bfe6528dcf297c5888ad608a5c7227ea9f878df09a265c3318c1482e202204e8a8f17da505a6d20ceb4eb63fba2d8e2c5d0a792a0e280dcb18adeec68a05d012103788e5414ebec4a38032be706ae0c13870e320d916bb087ab7258fcf8c0111cbf"
  },
  • (3044... is the DER-encoded ECDSA signature)
  • (03788... is the pubkey)
Jonas Schnelli
  • How is it decoded? Isn't SHA256 one way only? – Yangrui Dec 01 '16 at 00:47
  • SHA256 is a one-way hash function. Yes. You can't decode a public-key-hash into a public-key. Only the recipient of the coins has the corresponding public key (in his wallet). There is no need to "decode". – Jonas Schnelli Dec 01 '16 at 08:23
  • So, does this mean the recipient possesses the public key? But this doesn't explain how other people can't imitate sender's signature if his public key is unknown... – Yangrui Dec 01 '16 at 09:15
  • I think I understand now. So, for the input, the ScriptSig contains both sender's unhashed pubkey and signature, and the output contains receiver's address, correct? – Yangrui Dec 01 '16 at 10:00
  • Right. Input = expose pubkey (no longer relevant) – Jonas Schnelli Dec 01 '16 at 12:19
  • Output = hash(pubkey) (no-one knows the pubkey except the recipient) – Jonas Schnelli Dec 01 '16 at 12:20