Difference between revisions of "Script"
(CHECKMULTISIG bug) |
(Working version of Hidden recipient address (OP_ADD does not work for bignums).) |
||
Line 755: | Line 755: | ||
|} | |} | ||
− | ===Hidden recipient | + | ===Hidden recipient=== |
− | With this script by Gavin, the | + | With this script by Gavin, nothing is known about the transaction recipient. "randomNumber" must be known by both the sender and the recipient, and must never be re-used. |
− | scriptPubKey: | + | scriptPubKey: OP_HASH160 <hash160> OP_EQUAL |
− | scriptSig: | + | scriptSig: <randomNumber> |
Checking process: | Checking process: | ||
Line 770: | Line 770: | ||
|- | |- | ||
|Empty. | |Empty. | ||
− | | | + | |<randomNumber> OP_HASH160 <hash160> OP_EQUAL |
| | | | ||
|- | |- | ||
− | | | + | |<randomNumber> |
− | | | + | |OP_HASH160 <hash160> OP_EQUAL |
− | | | + | |Constant put on the stack. |
|- | |- | ||
− | |< | + | |<random_numer_hashed> |
− | | | + | |<hash160> OP_EQUAL |
− | | | + | |hash random number |
|- | |- | ||
− | |< | + | |<random_numer_hashed> <hash160> |
− | + | | OP_EQUAL | |
− | + | | Expected hash put on stack | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | | | ||
− | | | ||
− | |||
− | |||
− | |||
− | |||
|- | |- | ||
|true | |true | ||
|Empty. | |Empty. | ||
− | | | + | |TRUE will be left on the stack if the hash matches the random number. |
|} | |} | ||
Revision as of 19:46, 12 September 2011
Bitcoin uses a scripting system for transactions. Forth-like, Script is simple, stack-based, and processed from left to right. It is purposefully not Turing-complete, with no loops or nesting if statements.
A script is essentially a list of instructions recorded with each transaction that describe how the next person wanting to spend the Bitcoins being transferred can gain access to them. The script for a typical Bitcoin transfer to destination Bitcoin address D simply encumbers future spending of the bitcoins with two things: the spender must provide
- a public key that, when hashed, yields destination address D embedded in the script, and
- a signature to show evidence of the private key corresponding to the public key just provided.
Scripting provides the flexibility to change the parameters of what's needed to spend transferred Bitcoins. For example, the scripting system could be used to require two private keys, or a combination of several, or even no keys at all.
A transaction is valid if nothing in the combined script triggers failure and the top stack item is true (1). The party who originally sent the Bitcoins now being spent, dictates the script operations that will occur last in order to release them for use in another transaction. The party wanting to spend them must provide the input(s) to the previously recorded script that results in those operations occurring last leaving behind true (1).
Scripts are big-endian. (Is all data, also?)
Contents
Words
This is a list of all Script words (commands/functions). Some are currently disabled for security reasons.
True=1 and False=0.
Constants
When talking about scripts, these value-pushing words are usually omitted.
Word | Opcode | Input | Output | Description |
---|---|---|---|---|
OP_0, OP_FALSE | 0 | Nothing. | 0 | The number 0 is pushed onto the stack. |
N/A | 1-75 | (special) | data | The next opcode bytes is data to be pushed onto the stack |
OP_PUSHDATA1 | 76 | (special) | data | The next byte contains the number of bytes to be pushed onto the stack. |
OP_PUSHDATA2 | 77 | (special) | data | The next two bytes contain the number of bytes to be pushed onto the stack. |
OP_PUSHDATA4 | 78 | (special) | data | The next four bytes contain the number of bytes to be pushed onto the stack. |
OP_1NEGATE | 79 | Nothing. | -1 | The number -1 is pushed onto the stack. |
OP_1, OP_TRUE | 81 | Nothing. | 1 | The number 1 is pushed onto the stack. |
OP_2-OP_16 | 82-96 | Nothing. | 2-16 | The number in the word name (2-16) is pushed onto the stack. |
Flow control
Word | Opcode | Input | Output | Description |
---|---|---|---|---|
OP_NOP | 97 | Nothing | Nothing | Does nothing. |
OP_IF | 99 | <expression> if [statements] [else [statements]] endif | If the top stack value is 1, the statements are executed. The top stack value is removed. | |
OP_NOTIF | 100 | <expression> if [statements] [else [statements]] endif | If the top stack value is 0, the statements are executed. The top stack value is removed. | |
OP_ELSE | 103 | <expression> if [statements] [else [statements]] endif | If the preceding OP_IF or OP_NOTIF was not executed then these statements are. | |
OP_ENDIF | 104 | <expression> if [statements] [else [statements]] endif | Ends an if/else block. | |
OP_VERIFY | 105 | True / false | Nothing / False | Marks transaction as invalid if top stack value is not true. True is removed, but false is not. |
OP_RETURN | 106 | Nothing | Nothing | Marks transaction as invalid. |
Stack
Word | Opcode | Input | Output | Description |
---|---|---|---|---|
OP_TOALTSTACK | 107 | x1 | (alt)x1 | Puts the input onto the top of the alt stack. Removes it from the main stack. |
OP_FROMALTSTACK | 108 | (alt)x1 | x1 | Puts the input onto the top of the main stack. Removes it from the alt stack. |
OP_IFDUP | 115 | x | x / x x | If the input is true or false, duplicate it. |
OP_DEPTH | 116 | Nothing | <Stack size> | Puts the number of stack items onto the stack. |
OP_DROP | 117 | x | Nothing | Removes the top stack item. |
OP_DUP | 118 | x | x x | Duplicates the top stack item. |
OP_NIP | 119 | x1 x2 | x2 | Removes the second-to-top stack item. |
OP_OVER | 120 | x1 x2 | x1 x2 x1 | Copies the second-to-top stack item to the top. |
OP_PICK | 121 | xn ... x2 x1 x0 <n> | xn ... x2 x1 x0 xn | The item n back in the stack is copied to the top. |
OP_ROLL | 122 | xn ... x2 x1 x0 <n> | ... x2 x1 x0 xn | The item n back in the stack is moved to the top. |
OP_ROT | 123 | x1 x2 x3 | x2 x3 x1 | The top three items on the stack are rotated to the left. |
OP_SWAP | 124 | x1 x2 | x2 x1 | The top two items on the stack are swapped. |
OP_TUCK | 125 | x1 x2 | x2 x1 x2 | The item at the top of the stack is copied and inserted before the second-to-top item. |
OP_2DROP | 109 | x1 x2 | Nothing | Removes the top two stack items. |
OP_2DUP | 110 | x1 x2 | x1 x2 x1 x2 | Duplicates the top two stack items. |
OP_3DUP | 111 | x1 x2 x3 | x1 x2 x3 x1 x2 x3 | Duplicates the top three stack items. |
OP_2OVER | 112 | x1 x2 x3 x4 | x1 x2 x3 x4 x1 x2 | Copies the pair of items two spaces back in the stack to the front. |
OP_2ROT | 113 | x1 x2 x3 x4 x5 x6 | x3 x4 x5 x6 x1 x2 | The fifth and sixth items back are moved to the top of the stack. |
OP_2SWAP | 114 | x1 x2 x3 x4 | x3 x4 x1 x2 | Swaps the top two pairs of items. |
Splice
Word | Opcode | Input | Output | Description |
---|---|---|---|---|
OP_CAT | 126 | x1 x2 | out | Concatenates two strings. Currently disabled. |
OP_SUBSTR | 127 | in begin size | out | Returns a section of a string. Currently disabled. |
OP_LEFT | 128 | in size | out | Keeps only characters left of the specified point in a string. Currently disabled. |
OP_RIGHT | 129 | in size | out | Keeps only characters right of the specified point in a string. Currently disabled. |
OP_SIZE | 130 | in | in size | Returns the length of the input string. |
Bitwise logic
Word | Opcode | Input | Output | Description |
---|---|---|---|---|
OP_INVERT | 131 | in | out | Flips all of the bits in the input. Currently disabled. |
OP_AND | 132 | x1 x2 | out | Boolean and between each bit in the inputs. Currently disabled. |
OP_OR | 133 | x1 x2 | out | Boolean or between each bit in the inputs. Currently disabled. |
OP_XOR | 134 | x1 x2 | out | Boolean exclusive or between each bit in the inputs. Currently disabled. |
OP_EQUAL | 135 | x1 x2 | True / false | Returns 1 if the inputs are exactly equal, 0 otherwise. |
OP_EQUALVERIFY | 136 | x1 x2 | True / false | Same as OP_EQUAL, but runs OP_VERIFY afterward. |
Arithmetic
Word | Opcode | Input | Output | Description |
---|---|---|---|---|
OP_1ADD | 139 | in | out | 1 is added to the input. |
OP_1SUB | 140 | in | out | 1 is subtracted from the input. |
OP_2MUL | 141 | in | out | The input is multiplied by 2. Currently disabled. |
OP_2DIV | 142 | in | out | The input is divided by 2. Currently disabled. |
OP_NEGATE | 143 | in | out | The sign of the input is flipped. |
OP_ABS | 144 | in | out | The input is made positive. |
OP_NOT | 145 | in | out | If the input is 0 or 1, it is flipped. Otherwise the output will be 0. |
OP_0NOTEQUAL | 146 | in | out | Returns 1 if the input is 0. 0 otherwise. |
OP_ADD | 147 | a b | out | a is added to b. |
OP_SUB | 148 | a b | out | b is subtracted from a. |
OP_MUL | 149 | a b | out | a is multiplied by b. Currently disabled. |
OP_DIV | 150 | a b | out | a is divided by b. Currently disabled. |
OP_MOD | 151 | a b | out | Returns the remainder after dividing a by b. Currently disabled. |
OP_LSHIFT | 152 | a b | out | Shifts a left b bits, preserving sign. Currently disabled. |
OP_RSHIFT | 153 | a b | out | Shifts a right b bits, preserving sign. Currently disabled. |
OP_BOOLAND | 154 | a b | out | If both a and b are not 0, the output is 1. Otherwise 0. |
OP_BOOLOR | 155 | a b | out | If a or b is not 0, the output is 1. Otherwise 0. |
OP_NUMEQUAL | 156 | a b | out | Returns 1 if the numbers are equal, 0 otherwise. |
OP_NUMEQUALVERIFY | 157 | a b | out | Same as OP_NUMEQUAL, but runs OP_VERIFY afterward. |
OP_NUMNOTEQUAL | 158 | a b | out | Returns 1 if the numbers are not equal, 0 otherwise. |
OP_LESSTHAN | 159 | a b | out | Returns 1 if a is less than b, 0 otherwise. |
OP_GREATERTHAN | 160 | a b | out | Returns 1 if a is greater than b, 0 otherwise. |
OP_LESSTHANOREQUAL | 161 | a b | out | Returns 1 if a is less than or equal to b, 0 otherwise. |
OP_GREATERTHANOREQUAL | 162 | a b | out | Returns 1 if a is greater than or equal to b, 0 otherwise. |
OP_MIN | 163 | a b | out | Returns the smaller of a and b. |
OP_MAX | 164 | a b | out | Returns the larger of a and b. |
OP_WITHIN | 165 | x min max | out | Returns 1 if x is within the specified range (left-inclusive), 0 otherwise. |
Crypto
Word | Opcode | Input | Output | Description |
---|---|---|---|---|
OP_RIPEMD160 | 166 | in | hash | The input is hashed using RIPEMD-160. |
OP_SHA1 | 167 | in | hash | The input is hashed using SHA-1. |
OP_SHA256 | 168 | in | hash | The input is hashed using SHA-256. |
OP_HASH160 | 169 | in | hash | The input is hashed twice: first with SHA-256 and then with RIPEMD-160. |
OP_HASH256 | 170 | in | hash | The input is hashed two times with SHA-256. |
OP_CODESEPARATOR | 171 | Nothing | Nothing | All of the signature checking words will only match signatures to the data after the most recently-executed OP_CODESEPARATOR. |
OP_CHECKSIG | 172 | sig pubkey | True / false | The entire transaction's outputs, inputs, and script (from the most recently-executed OP_CODESEPARATOR to the end) are hashed. The signature used by OP_CHECKSIG must be a valid signature for this hash and public key. If it is, 1 is returned, 0 otherwise. |
OP_CHECKSIGVERIFY | 173 | sig pubkey | True / false | Same as OP_CHECKSIG, but OP_VERIFY is executed afterward. |
OP_CHECKMULTISIG | 174 | x sig1 sig2 ... <number of signatures> pub1 pub2 <number of public keys> | True / False | For each signature and public key pair, OP_CHECKSIG is executed. If more public keys than signatures are listed, some key/sig pairs can fail. All signatures need to match a public key. If all signatures are valid, 1 is returned, 0 otherwise. Due to a bug, one extra unused value is removed from the stack. |
OP_CHECKMULTISIGVERIFY | 175 | x sig1 sig2 ... <number of signatures> pub1 pub2 ... <number of public keys> | True / False | Same as OP_CHECKMULTISIG, but OP_VERIFY is executed afterward. |
Pseudo-words
These words are used internally for assisting with transaction matching. They are invalid if used in actual scripts.
Word | Opcode | Description |
---|---|---|
OP_PUBKEYHASH | 253 | Represents a public key hashed with OP_HASH160. |
OP_PUBKEY | 254 | Represents a public key compatible with OP_CHECKSIG. |
OP_INVALIDOPCODE | 255 | Matches any opcode that is not yet assigned. |
Reserved words
Any opcode not assigned is also reserved. Using an unassigned opcode makes the transaction invalid.
Word | Opcode | When used... |
---|---|---|
OP_RESERVED | 80 | Transaction is invalid |
OP_VER | 98 | Transaction is invalid |
OP_VERIF | 101 | Transaction is invalid |
OP_VERNOTIF | 102 | Transaction is invalid |
OP_RESERVED1 | 137 | Transaction is invalid |
OP_RESERVED2 | 138 | Transaction is invalid |
OP_NOP1-OP_NOP10 | 176-185 | The word is ignored. |
Scripts
This is a list of interesting scripts (official and unofficial). Keep in mind that all constants actually use the data-pushing commands above.
Standard Transaction to Bitcoin address
scriptPubKey: OP_DUP OP_HASH160 <pubKeyHash> OP_EQUALVERIFY OP_CHECKSIG scriptSig: <sig> <pubKey>
To demonstrate how scripts look on the wire, here is a raw scriptPubKey:
76 A9 14 OP_DUP OP_HASH160 Bytes to push 89 AB CD EF AB BA AB BA AB BA AB BA AB BA AB BA AB BA AB BA 88 AC Data to push OP_EQUALVERIFY OP_CHECKSIG
Here is how each word is processed:
Stack | Script | Description |
---|---|---|
Empty. | <sig> <pubKey> OP_DUP OP_HASH160 <pubKeyHash> OP_EQUALVERIFY OP_CHECKSIG | scriptSig and scriptPubKey are combined. |
<sig> <pubKey> | OP_DUP OP_HASH160 <pubKeyHash> OP_EQUALVERIFY OP_CHECKSIG | Constants are added to the stack. |
<sig> <pubKey> <pubKey> | OP_HASH160 <pubKeyHash> OP_EQUALVERIFY OP_CHECKSIG | Top stack item is duplicated. |
<sig> <pubKey> <pubHashA> | <pubKeyHash> OP_EQUALVERIFY OP_CHECKSIG | Top stack item is hashed. |
<sig> <pubKey> <pubHashA> <pubKeyHash> | OP_EQUALVERIFY OP_CHECKSIG | Constant added. |
<sig> <pubKey> | OP_CHECKSIG | Equality is checked between the top two stack items. |
true | Empty. | Signature is checked for top two stack items. |
Standard Generation / transaction to IP address
scriptPubKey: <pubKey> OP_CHECKSIG scriptSig: <sig>
Checking process:
Stack | Script | Description |
---|---|---|
Empty. | <sig> <pubKey> OP_CHECKSIG | scriptSig and scriptPubKey are combined. |
<sig> <pubKey> | OP_CHECKSIG | Constants are added to the stack. |
true | Empty. | Signature is checked for top two stack items. |
Transaction with a message
It's possible to add arbitrary data to any transaction by just adding some data along with OP_DROP. Scripts are limited to 10,000 bytes and 201 instructions/values, and each individual instruction/value is limited to 520 bytes.
scriptPubKey: <message> OP_DROP <pubKey> OP_CHECKSIG scriptSig: <sig>
Stack | Script | Description |
---|---|---|
Empty. | <sig> <message> OP_DROP <pubKey> OP_CHECKSIG | |
<sig> | <message> OP_DROP <pubKey> OP_CHECKSIG | scriptSig added to the stack. |
<sig> <message> | OP_DROP <pubKey> OP_CHECKSIG | The message has been put. |
<sig> | <pubKey> OP_CHECKSIG | Top stack item has been removed. |
<sig> <pubKey> | OP_CHECKSIG | Checking signature against the public key. |
true | Empty. | Stack holds the value of signature check now. |
Hidden recipient
With this script by Gavin, nothing is known about the transaction recipient. "randomNumber" must be known by both the sender and the recipient, and must never be re-used.
scriptPubKey: OP_HASH160 <hash160> OP_EQUAL scriptSig: <randomNumber>
Checking process:
Stack | Script | Description |
---|---|---|
Empty. | <randomNumber> OP_HASH160 <hash160> OP_EQUAL | |
<randomNumber> | OP_HASH160 <hash160> OP_EQUAL | Constant put on the stack. |
<random_numer_hashed> | <hash160> OP_EQUAL | hash random number |
<random_numer_hashed> <hash160> | OP_EQUAL | Expected hash put on stack |
true | Empty. | TRUE will be left on the stack if the hash matches the random number. |