Difference between revisions of "Script"
(Changed example to, you know, actually work (I think)) |
m (→Hidden recipient address) |
||
Line 775: | Line 775: | ||
|OP_HASH160 <hash160> OP_EQUALVERIFY OP_CHECKSIG | |OP_HASH160 <hash160> OP_EQUALVERIFY OP_CHECKSIG | ||
|<randomNumber+public_key> is hashed. | |<randomNumber+public_key> is hashed. | ||
+ | |- | ||
+ | |<scriptsig> <public_key> <hash160> | ||
+ | |<hash160> OP_EQUALVERIFY OP_CHECKSIG | ||
+ | |Constant is pushed onto the stack. | ||
|- | |- | ||
|<scriptsig> <public_key> <hash160> <hash160> | |<scriptsig> <public_key> <hash160> <hash160> | ||
|OP_EQUALVERIFY OP_CHECKSIG | |OP_EQUALVERIFY OP_CHECKSIG | ||
− | | | + | |Verify that the hashes match. |
|- | |- | ||
|<scriptsig> <public_key> | |<scriptsig> <public_key> |
Revision as of 12:27, 17 March 2011
Bitcoin uses a scripting system for transactions. Forth-like, Script is simple, stack-based, and processed from left to right. It is purposefully not Turing-complete, with no loops or nesting if statements.
A script is essentially a list of instructions recorded with each transaction that describe how the next person wanting to spend the Bitcoins being transferred can gain access to them. The script for a typical Bitcoin transfer to destination Bitcoin address D simply encumbers future spending of the bitcoins with two things: the spender must provide
- a public key that, when hashed, yields destination address D embedded in the script, and
- a signature to show evidence of the private key corresponding to the public key just provided.
Scripting provides the flexibility to change the parameters of what's needed to spend transferred Bitcoins. For example, the scripting system could be used to require two private keys, or a combination of several, or even no keys at all.
A transaction is valid if nothing in the combined script triggers failure and the top stack item is true (1). The party who originally sent the Bitcoins now being spent, dictates the script operations that will occur last in order to release them for use in another transaction. The party wanting to spend them must provide the input(s) to the previously recorded script that results in those operations occurring last leaving behind true (1).
Scripts are big-endian. (Is all data, also?)
Words
This is a list of all Script words (commands/functions). Some are currently disabled for security reasons.
True=1 and False=0.
Constants
When talking about scripts, these value-pushing words are usually omitted.
Word | Opcode | Input | Output | Description |
---|---|---|---|---|
OP_0, OP_FALSE | 0 | Nothing. | 0 | The number 0 is pushed onto the stack. |
N/A | 1-75 | (special) | data | The next opcode bytes is data to be pushed onto the stack |
OP_PUSHDATA1 | 76 | (special) | data | The next byte contains the number of bytes to be pushed onto the stack. |
OP_PUSHDATA2 | 77 | (special) | data | The next two bytes contain the number of bytes to be pushed onto the stack. |
OP_PUSHDATA4 | 78 | (special) | data | The next four bytes contain the number of bytes to be pushed onto the stack. |
OP_1NEGATE | 79 | Nothing. | -1 | The number -1 is pushed onto the stack. |
OP_1, OP_TRUE | 81 | Nothing. | 1 | The number 1 is pushed onto the stack. |
OP_2-OP_16 | 82-96 | Nothing. | 2-16 | The number in the word name (2-16) is pushed onto the stack. |
Flow control
Word | Opcode | Input | Output | Description |
---|---|---|---|---|
OP_NOP | 97 | Nothing | Nothing | Does nothing. |
OP_IF | 99 | <expression> if [statements] [else [statements]] endif | If the top stack value is 1, the statements are executed. The top stack value is removed. | |
OP_NOTIF | 100 | <expression> if [statements] [else [statements]] endif | If the top stack value is 0, the statements are executed. The top stack value is removed. | |
OP_ELSE | 103 | <expression> if [statements] [else [statements]] endif | If the preceding OP_IF or OP_NOTIF was not executed then these statements are. | |
OP_ENDIF | 104 | <expression> if [statements] [else [statements]] endif | Ends an if/else block. | |
OP_VERIFY | 105 | True / false | Nothing / False | Marks transaction as invalid if top stack value is not true. True is removed, but false is not. |
OP_RETURN | 106 | Nothing | Nothing | Marks transaction as invalid. |
Stack
Word | Opcode | Input | Output | Description |
---|---|---|---|---|
OP_TOALTSTACK | 107 | x1 | (alt)x1 | Puts the input onto the top of the alt stack. Removes it from the main stack. |
OP_FROMALTSTACK | 108 | (alt)x1 | x1 | Puts the input onto the top of the main stack. Removes it from the alt stack. |
OP_IFDUP | 115 | x | x / x x | If the input is true or false, duplicate it. |
OP_DEPTH | 116 | Nothing | <Stack size> | Puts the number of stack items onto the stack. |
OP_DROP | 117 | x | Nothing | Removes the top stack item. |
OP_DUP | 118 | x | x x | Duplicates the top stack item. |
OP_NIP | 119 | x1 x2 | x2 | Removes the second-to-top stack item. |
OP_OVER | 120 | x1 x2 | x1 x2 x1 | Copies the second-to-top stack item to the top. |
OP_PICK | 121 | xn ... x2 x1 x0 <n> | xn ... x2 x1 x0 xn | The item n back in the stack is copied to the top. |
OP_ROLL | 122 | xn ... x2 x1 x0 <n> | ... x2 x1 x0 xn | The item n back in the stack is moved to the top. |
OP_ROT | 123 | x1 x2 x3 | x2 x3 x1 | The top three items on the stack are rotated to the left. |
OP_SWAP | 124 | x1 x2 | x2 x1 | The top two items on the stack are swapped. |
OP_TUCK | 125 | x1 x2 | x2 x1 x2 | The item at the top of the stack is copied and inserted before the second-to-top item. |
OP_2DROP | 109 | x1 x2 | Nothing | Removes the top two stack items. |
OP_2DUP | 110 | x1 x2 | x1 x2 x1 x2 | Duplicates the top two stack items. |
OP_3DUP | 111 | x1 x2 x3 | x1 x2 x3 x1 x2 x3 | Duplicates the top three stack items. |
OP_2OVER | 112 | x1 x2 x3 x4 | x1 x2 x3 x4 x1 x2 | Copies the pair of items two spaces back in the stack to the front. |
OP_2ROT | 113 | x1 x2 x3 x4 x5 x6 | x3 x4 x5 x6 x1 x2 | The fifth and sixth items back are moved to the top of the stack. |
OP_2SWAP | 114 | x1 x2 x3 x4 | x3 x4 x1 x2 | Swaps the top two pairs of items. |
Splice
Word | Opcode | Input | Output | Description |
---|---|---|---|---|
OP_CAT | 126 | x1 x2 | out | Concatenates two strings. Currently disabled. |
OP_SUBSTR | 127 | in begin size | out | Returns a section of a string. Currently disabled. |
OP_LEFT | 128 | in size | out | Keeps only characters left of the specified point in a string. Currently disabled. |
OP_RIGHT | 129 | in size | out | Keeps only characters right of the specified point in a string. Currently disabled. |
OP_SIZE | 130 | in | in size | Returns the length of the input string. |
Bitwise logic
Word | Input | Output | Description | |
---|---|---|---|---|
OP_INVERT | 131 | in | out | Flips all of the bits in the input. Currently disabled. |
OP_AND | 132 | x1 x2 | out | Boolean and between each bit in the inputs. Currently disabled. |
OP_OR | 133 | x1 x2 | out | Boolean or between each bit in the inputs. Currently disabled. |
OP_XOR | 134 | x1 x2 | out | Boolean exclusive or between each bit in the inputs. Currently disabled. |
OP_EQUAL | 135 | x1 x2 | True / false | Returns 1 if the inputs are exactly equal, 0 otherwise. |
OP_EQUALVERIFY | 136 | x1 x2 | True / false | Same as OP_EQUAL, but runs OP_VERIFY afterward. |
Arithmetic
Word | Opcode | Input | Output | Description |
---|---|---|---|---|
OP_1ADD | 139 | in | out | 1 is added to the input. |
OP_1SUB | 140 | in | out | 1 is subtracted from the input. |
OP_2MUL | 141 | in | out | The input is multiplied by 2. Currently disabled. |
OP_2DIV | 142 | in | out | The input is divided by 2. Currently disabled. |
OP_NEGATE | 143 | in | out | The sign of the input is flipped. |
OP_ABS | 144 | in | out | The input is made positive. |
OP_NOT | 145 | in | out | If the input is 0 or 1, it is flipped. Otherwise the output will be 0. |
OP_0NOTEQUAL | 146 | in | out | Returns 1 if the input is 0. 0 otherwise. |
OP_ADD | 147 | a b | out | a is added to b. |
OP_SUB | 148 | a b | out | b is subtracted from a. |
OP_MUL | 149 | a b | out | a is multiplied by b. Currently disabled. |
OP_DIV | 150 | a b | out | a is divided by b. Currently disabled. |
OP_MOD | 151 | a b | out | Returns the remainder after dividing a by b. Currently disabled. |
OP_LSHIFT | 152 | a b | out | Shifts a left b bits, preserving sign. Currently disabled. |
OP_RSHIFT | 153 | a b | out | Shifts a right b bits, preserving sign. Currently disabled. |
OP_BOOLAND | 154 | a b | out | If both a and b are not 0, the output is 1. Otherwise 0. |
OP_BOOLOR | 155 | a b | out | If a or b is not 0, the output is 1. Otherwise 0. |
OP_NUMEQUAL | 156 | a b | out | Returns 1 if the numbers are equal, 0 otherwise. |
OP_NUMEQUALVERIFY | 157 | a b | out | Same as OP_NUMEQUAL, but runs OP_VERIFY afterward. |
OP_NUMNOTEQUAL | 158 | a b | out | Returns 1 if the numbers are not equal, 0 otherwise. |
OP_LESSTHAN | 159 | a b | out | Returns 1 if a is less than b, 0 otherwise. |
OP_GREATERTHAN | 160 | a b | out | Returns 1 if a is greater than b, 0 otherwise. |
OP_LESSTHANOREQUAL | 161 | a b | out | Returns 1 if a is less than or equal to b, 0 otherwise. |
OP_GREATERTHANOREQUAL | 162 | a b | out | Returns 1 if a is greater than or equal to b, 0 otherwise. |
OP_MIN | 163 | a b | out | Returns the smaller of a and b. |
OP_MAX | 164 | a b | out | Returns the larger of a and b. |
OP_WITHIN | 165 | x min max | out | Returns 1 if x is within the specified range (left-inclusive), 0 otherwise. |
Crypto
Word | Opcode | Input | Output | Description |
---|---|---|---|---|
OP_RIPEMD160 | 166 | in | hash | The input is hashed using RIPEMD-160. |
OP_SHA1 | 167 | in | hash | The input is hashed using SHA-1. |
OP_SHA256 | 168 | in | hash | The input is hashed using SHA-256. |
OP_HASH160 | 169 | in | hash | The input is hashed twice: first with SHA-256 and then with RIPEMD-160. |
OP_HASH256 | 170 | in | hash | The input is hashed two times with SHA-256. |
OP_CODESEPARATOR | 171 | Nothing | Nothing | All of the signature checking words will only match signatures to the data after the most recently-executed OP_CODESEPARATOR. |
OP_CHECKSIG | 172 | sig pubkey | True / false | The entire transaction's outputs, inputs, and script (from the most recently-executed OP_CODESEPARATOR to the end) are hashed. The signature used by OP_CHECKSIG must be a valid signature for this hash and public key. If it is, 1 is returned, 0 otherwise. |
OP_CHECKSIGVERIFY | 173 | sig pubkey | True / false | Same as OP_CHECKSIG, but OP_VERIFY is executed afterward. |
OP_CHECKMULTISIG | 174 | sig1 sig2 ... <number of signatures> pub1 pub2 <number of public keys> | True / False | For each signature and public key pair, OP_CHECKSIG is executed. If more public keys than signatures are listed, some key/sig pairs can fail. All signatures need to match a public key. If all signatures are valid, 1 is returned, 0 otherwise. |
OP_CHECKMULTISIGVERIFY | 175 | sig1 sig2 ... <number of signatures> pub1 pub2 ... <number of public keys> | True / False | Same as OP_CHECKMULTISIG, but OP_VERIFY is executed afterward. |
Pseudo-words
These words are used internally for assisting with transaction matching. They are invalid if used in actual scripts.
Word | Opcode | Description |
---|---|---|
OP_PUBKEYHASH | 253 | Represents a public key hashed with OP_HASH160. |
OP_PUBKEY | 254 | Represents a public key compatible with OP_CHECKSIG. |
OP_INVALIDOPCODE | 255 | Matches any opcode that is not yet assigned. |
Reserved words
Any opcode not assigned is also reserved. Using an unassigned opcode makes the transaction invalid.
Word | Opcode | When used... |
---|---|---|
OP_RESERVED | 80 | Transaction is invalid |
OP_VER | 98 | Transaction is invalid |
OP_VERIF | 101 | Transaction is invalid |
OP_VERNOTIF | 102 | Transaction is invalid |
OP_RESERVED1 | 137 | Transaction is invalid |
OP_RESERVED2 | 138 | Transaction is invalid |
OP_NOP1-OP_NOP10 | 176-185 | The word is ignored. |
Scripts
This is a list of interesting scripts (official and unofficial). Keep in mind that all constants actually use the data-pushing commands above.
Standard Transaction to Bitcoin address
scriptPubKey: OP_DUP OP_HASH160 <pubKeyHash> OP_EQUALVERIFY OP_CHECKSIG scriptSig: <sig> <pubKey>
To demonstrate how scripts look on the wire, here is a raw scriptPubKey:
76 A9 14 OP_DUP OP_HASH160 Bytes to push 89 AB CD EF AB BA AB BA AB BA AB BA AB BA AB BA AB BA AB BA 88 AC Data to push OP_EQUALVERIFY OP_CHECKSIG
Here is how each word is processed:
Stack | Script | Description |
---|---|---|
Empty. | <sig> <pubKey> OP_DUP OP_HASH160 <pubKeyHash> OP_EQUALVERIFY OP_CHECKSIG | scriptSig and scriptPubKey are combined. |
<sig> <pubKey> | OP_DUP OP_HASH160 <pubKeyHash> OP_EQUALVERIFY OP_CHECKSIG | Constants are added to the stack. |
<sig> <pubKey> <pubKey> | OP_HASH160 <pubKeyHash> OP_EQUALVERIFY OP_CHECKSIG | Top stack item is duplicated. |
<sig> <pubKey> <pubHashA> | <pubKeyHash> OP_EQUALVERIFY OP_CHECKSIG | Top stack item is hashed. |
<sig> <pubKey> <pubHashA> <pubKeyHash> | OP_EQUALVERIFY OP_CHECKSIG | Constant added. |
<sig> <pubKey> | OP_CHECKSIG | Equality is checked between the top two stack items. |
true | Empty. | Signature is checked for top two stack items. |
Standard Generation / transaction to IP address
scriptPubKey: <pubKey> OP_CHECKSIG scriptSig: <sig>
Checking process:
Stack | Script | Description |
---|---|---|
Empty. | <sig> <pubKey> OP_CHECKSIG | scriptSig and scriptPubKey are combined. |
<sig> <pubKey> | OP_CHECKSIG | Constants are added to the stack. |
true | Empty. | Signature is checked for top two stack items. |
Transaction with a message
It's possible to add arbitrary data to any transaction by just adding some data along with OP_DROP. Scripts are limited to 10,000 bytes and 201 instructions/values, and each individual instruction/value is limited to 520 bytes.
scriptPubKey: <message> OP_DROP <pubKey> OP_CHECKSIG scriptSig: <sig>
Stack | Script | Description |
---|---|---|
Empty. | <sig> <pubKey> OP_CHECKSIG | scriptSig and scriptPubKey are combined. |
<sig> <pubKey> <message> | OP_DROP OP_CHECKSIG | Constants are added to the stack. |
<sig> <pubKey> | OP_CHECKSIG | Top item in the stack is removed. |
true | Empty. | Signature is checked for top two stack items. |
Hidden recipient address
With this script by Gavin, the address of the recipient is encrypted until after the output is claimed. "randomNumber" must be known by both the sender and the recipient.
scriptPubKey: OP_OVER OP_ADD OP_HASH160 <hash160> OP_EQUALVERIFY OP_CHECKSIG scriptSig: <scriptsig> <public_key> <randomNumber>
Checking process:
Stack | Script | Description |
---|---|---|
Empty. | <scriptsig> <public_key> <randomNumber> OP_OVER OP_ADD OP_HASH160 <hash160> OP_EQUALVERIFY OP_CHECKSIG | |
<scriptsig> <public_key> <randomNumber> | OP_OVER OP_ADD OP_HASH160 <hash160> OP_EQUALVERIFY OP_CHECKSIG | Constants are added to the stack. |
<scriptsig> <public_key> <randomNumber> <public_key> | OP_ADD OP_HASH160 <hash160> OP_EQUALVERIFY OP_CHECKSIG | random_number is added to public_key (both treated as big numbers) |
<scriptsig> <public_key> <randomNumber+public_key> | OP_HASH160 <hash160> OP_EQUALVERIFY OP_CHECKSIG | <randomNumber+public_key> is hashed. |
<scriptsig> <public_key> <hash160> | <hash160> OP_EQUALVERIFY OP_CHECKSIG | Constant is pushed onto the stack. |
<scriptsig> <public_key> <hash160> <hash160> | OP_EQUALVERIFY OP_CHECKSIG | Verify that the hashes match. |
<scriptsig> <public_key> | OP_CHECKSIG | Equality is checked between the top two stack items. |
true | Empty. | The signature is checked |