Pages:
Author

Topic: On-the-wire byte map & OP_CHECKSIG diagram (knowledge donation!) - page 2. (Read 12755 times)

legendary
Activity: 1428
Merit: 1093
Core Armory Developer
For my OP_CHECKSIG code I tested using the following two transactions:

Tx2 uses an output from Tx1.  I wish I could give credit to whoever gave this to me... but I can't remember....

Code:
tx1raw= '\x01\x00\x00\x00\x02\x0f{\x7f\xb8mL\xf6F\x05\x8eA\xd3\xb0\x07\x18?\xdfysn\xd1\x9b*th\xab\xc5\xbd\x04\xb1n\x91\x00\x00\x00\x00\x8cI0F\x02!\x00\xb2\xee9\xd2\xfc\xc2\xe5TJW\xc3\x0f{NI\xcf\xb8""fm\x03O\xb9\x0e"4\x8e\x17\xe2\x8e\x0f\x02!\x00\xdb\x91\xc3\x19\x9c\xc7\xb4\x1dMz\xfc\xe0\xcc\xb4\xce\xb4$\xb9GmQ\xc0aBX=\xafS\xce\n\x9bf\x01A\x04\xc3"\x15\xa9\t0\x11\xbd\xfb\xd8-\x149\xbe\x01A\x04\xc3"\x15\xa9\t0\x11\xbdtx2raw= "\x01\x00\x00\x00\x030\xf3p\x1f\x9b\xc4dU/pIW\x91\x04\x08\x17\xcewz\xd5\xed\xe1nR\x9f\xcd\x0c\x0e\x94\x91V\x94\x00\x00\x00\x00\x8cI0F\x02!\x00\xf5tk\x0b%OZ7\xe7RQE\x9cz#\xb6\xdf\xcb\x86\x8a\xc7F~\xdd\x9ao\xdd\x1d\x96\x98q\xbe\x02!\x00\x88\x94\x8a\xea)\xb6\x91a\xca4\x1cI\xc0&\x86\xa8\x1d\x8c\xbbs\x94\x0f\x91\x7f\xa0\xedqThm>[\x01A\x04G\xd4\x90V\x1f9l\x8a\x9e\xfc\x14Hk\xc1\x98\x88K\xa1\x83y\xbc\xac.\x0b\xe2\xd8RQ4\xabt/0\x1a\x9a\xca6`n])\xaa#\x8a\x9e)\x93\x001PB=\xf6\x92Ecd-J\xfe\x9b\xf4\xfe(\xff\xff\xff\xffr\x14+\xf7hl\xe9,m\xe5\xb73e\xbf\xb9\xd5\x9b\xb6\x0c,\x80\x98-YX\xc1\xe6\xa3\xb0\x8e\xa6\x89\x00\x00\x00\x00JI0F\x02!\x00\xbc\xe4:\xd3\xac\xbcy\xb0$~T\xc8\xc9\x1e\xac\x1c\xf9\x03u\x05\x00\x0e\x01\xd1\xfd\x81\x18T\xd8[\xc2\x1a\x02!\x00\x99*oo/\xebob\xd3po;\x9a\xaa\xb8\x8d\x9f\x112\x95j\x1d\xff\xa9&\xcdUn\xd5S`\xdf\x01\xff\xff\xff\xff\xd2\x81(\xbb\xb6 |\x1c=\nc\x0c\xc6\x19\xdc~{\xeaV\xac\x19\xa1\xda\xb1'\xc6,x\xfa\x1bc,\x00\x00\x00\x00IH0E\x02  \x97W6\x81aSw\x08\xfd)\xd8\x9b\xb1\xe9\xd6H\x00yI\xec\xfd\xedx\x9bQ\xa9c$\xcbe\x18\x02!\x00\xcd\x0f|0!9\x16H+n\x16m\x8aO+\x98\x1fw~\xb1\x84\xcd\x8aI_\x1b=6\x90\xfb\xbf-\x01\xff\xff\xff\xff\x01\x00\xa6\xf7_\x02\x00\x00\x00\x19v\xa9\x14\x9e5\xd9

legendary
Activity: 1232
Merit: 1076
i wouldnt worry about them yet. they arent used anywhere in the blockchain and they are for future transaction types. they control which parents of the tx arent hashed.

together with them you can make replaceable transactions using sequence numbers for example.

Anyway if anyone wants some raw code to do OP_CHECKSIG then libbitcoin has a unit test under tests/ec-key.cpp (make ec-key && ./bin/tests/ec-key)... Will upload tomorrow togther with my script system's working OP_CHECKSIG once I've cleaned it all up internally:

Code:
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
using libbitcoin::elliptic_curve_key;
using libbitcoin::serializer;
using libbitcoin::hash_digest;
using libbitcoin::data_chunk;
using libbitcoin::log_info;
using libbitcoin::log_fatal;

int main()
{
    serializer ss;
    // blk number 170, tx 1, input 0
    // version = 1
    ss.write_4_bytes(1);
    // 1 inputs
    ss.write_var_uint(1);

    // input 0
    // prevout hash
    ss.write_hash(hash_digest{0x04, 0x37, 0xcd, 0x7f, 0x85, 0x25, 0xce, 0xed, 0x23, 0x24, 0x35, 0x9c, 0x2d, 0x0b, 0xa2, 0x60, 0x06, 0xd9, 0x2d, 0x85, 0x6a, 0x9c, 0x20, 0xfa, 0x02, 0x41, 0x10, 0x6e, 0xe5, 0xa5, 0x97, 0xc9});
    // prevout index
    ss.write_4_bytes(0);

    // input script after running OP_CHECKSIG for this tx is a single
    // OP_CHECKSIG opcode
    data_chunk raw_data;
    raw_data = {0x04, 0x11, 0xdb, 0x93, 0xe1, 0xdc, 0xdb, 0x8a, 0x01, 0x6b, 0x49, 0x84, 0x0f, 0x8c, 0x53, 0xbc, 0x1e, 0xb6, 0x8a, 0x38, 0x2e, 0x97, 0xb1, 0x48, 0x2e, 0xca, 0xd7, 0xb1, 0x48, 0xa6, 0x90, 0x9a, 0x5c, 0xb2, 0xe0, 0xea, 0xdd, 0xfb, 0x84, 0xcc, 0xf9, 0x74, 0x44, 0x64, 0xf8, 0x2e, 0x16, 0x0b, 0xfa, 0x9b, 0x8b, 0x64, 0xf9, 0xd4, 0xc0, 0x3f, 0x99, 0x9b, 0x86, 0x43, 0xf6, 0x56, 0xb4, 0x12, 0xa3};
    data_chunk raw_script;
    raw_script = data_chunk();
    raw_script.push_back(raw_data.size());
    libbitcoin::extend_data(raw_script, raw_data);
    raw_script.push_back(172);
    ss.write_var_uint(raw_script.size());
    ss.write_data(raw_script);
    // sequence
    ss.write_4_bytes(0xffffffff);

    // 2 outputs for this tx
    ss.write_var_uint(2);

    // output 0
    ss.write_8_bytes(1000000000);
    // script for output 0
    raw_data = {0x04, 0xae, 0x1a, 0x62, 0xfe, 0x09, 0xc5, 0xf5, 0x1b, 0x13, 0x90, 0x5f, 0x07, 0xf0, 0x6b, 0x99, 0xa2, 0xf7, 0x15, 0x9b, 0x22, 0x25, 0xf3, 0x74, 0xcd, 0x37, 0x8d, 0x71, 0x30, 0x2f, 0xa2, 0x84, 0x14, 0xe7, 0xaa, 0xb3, 0x73, 0x97, 0xf5, 0x54, 0xa7, 0xdf, 0x5f, 0x14, 0x2c, 0x21, 0xc1, 0xb7, 0x30, 0x3b, 0x8a, 0x06, 0x26, 0xf1, 0xba, 0xde, 0xd5, 0xc7, 0x2a, 0x70, 0x4f, 0x7e, 0x6c, 0xd8, 0x4c};
    // when data < 75, we can just write it's length as a single byte ('special'
    // opcodes)
    raw_script = data_chunk();
    raw_script.push_back(raw_data.size());
    libbitcoin::extend_data(raw_script, raw_data);
    // OP_CHECKSIG
    raw_script.push_back(172);
    // now actually write the script
    ss.write_var_uint(raw_script.size());
    ss.write_data(raw_script);

    // output 0
    ss.write_8_bytes(4000000000);
    // script for output 0
    raw_data = {0x04, 0x11, 0xdb, 0x93, 0xe1, 0xdc, 0xdb, 0x8a, 0x01, 0x6b, 0x49, 0x84, 0x0f, 0x8c, 0x53, 0xbc, 0x1e, 0xb6, 0x8a, 0x38, 0x2e, 0x97, 0xb1, 0x48, 0x2e, 0xca, 0xd7, 0xb1, 0x48, 0xa6, 0x90, 0x9a, 0x5c, 0xb2, 0xe0, 0xea, 0xdd, 0xfb, 0x84, 0xcc, 0xf9, 0x74, 0x44, 0x64, 0xf8, 0x2e, 0x16, 0x0b, 0xfa, 0x9b, 0x8b, 0x64, 0xf9, 0xd4, 0xc0, 0x3f, 0x99, 0x9b, 0x86, 0x43, 0xf6, 0x56, 0xb4, 0x12, 0xa3};
    // when data < 75, we can just write it's length as a single byte ('special'
    raw_script.push_back(raw_data.size());
    libbitcoin::extend_data(raw_script, raw_data);
    // OP_CHECKSIG
    raw_script.push_back(172);
    // now actually write the script
    ss.write_var_uint(raw_script.size());
    ss.write_data(raw_script);

    // End of 2 outputs

    // locktime
    ss.write_4_bytes(0);

    // write hash_type_code
    ss.write_4_bytes(1);

    // Dump hex to screen
    log_info() << "hashing:";
    {
        auto log_obj = log_info();
        log_obj << std::hex;
        for (int val: ss.get_data())
            log_obj << std::setfill('0') << std::setw(2) << val << ' ';
    }
    log_info();

    data_chunk raw_tx = {0x01, 0x00, 0x00, 0x00, 0x01, 0xc9, 0x97, 0xa5, 0xe5, 0x6e, 0x10, 0x41, 0x02, 0xfa, 0x20, 0x9c, 0x6a, 0x85, 0x2d, 0xd9, 0x06, 0x60, 0xa2, 0x0b, 0x2d, 0x9c, 0x35, 0x24, 0x23, 0xed, 0xce, 0x25, 0x85, 0x7f, 0xcd, 0x37, 0x04, 0x00, 0x00, 0x00, 0x00, 0x43, 0x41, 0x04, 0x11, 0xdb, 0x93, 0xe1, 0xdc, 0xdb, 0x8a, 0x01, 0x6b, 0x49, 0x84, 0x0f, 0x8c, 0x53, 0xbc, 0x1e, 0xb6, 0x8a, 0x38, 0x2e, 0x97, 0xb1, 0x48, 0x2e, 0xca, 0xd7, 0xb1, 0x48, 0xa6, 0x90, 0x9a, 0x5c, 0xb2, 0xe0, 0xea, 0xdd, 0xfb, 0x84, 0xcc, 0xf9, 0x74, 0x44, 0x64, 0xf8, 0x2e, 0x16, 0x0b, 0xfa, 0x9b, 0x8b, 0x64, 0xf9, 0xd4, 0xc0, 0x3f, 0x99, 0x9b, 0x86, 0x43, 0xf6, 0x56, 0xb4, 0x12, 0xa3, 0xac, 0xff, 0xff, 0xff, 0xff, 0x02, 0x00, 0xca, 0x9a, 0x3b, 0x00, 0x00, 0x00, 0x00, 0x43, 0x41, 0x04, 0xae, 0x1a, 0x62, 0xfe, 0x09, 0xc5, 0xf5, 0x1b, 0x13, 0x90, 0x5f, 0x07, 0xf0, 0x6b, 0x99, 0xa2, 0xf7, 0x15, 0x9b, 0x22, 0x25, 0xf3, 0x74, 0xcd, 0x37, 0x8d, 0x71, 0x30, 0x2f, 0xa2, 0x84, 0x14, 0xe7, 0xaa, 0xb3, 0x73, 0x97, 0xf5, 0x54, 0xa7, 0xdf, 0x5f, 0x14, 0x2c, 0x21, 0xc1, 0xb7, 0x30, 0x3b, 0x8a, 0x06, 0x26, 0xf1, 0xba, 0xde, 0xd5, 0xc7, 0x2a, 0x70, 0x4f, 0x7e, 0x6c, 0xd8, 0x4c, 0xac, 0x00, 0x28, 0x6b, 0xee, 0x00, 0x00, 0x00, 0x00, 0x43, 0x41, 0x04, 0x11, 0xdb, 0x93, 0xe1, 0xdc, 0xdb, 0x8a, 0x01, 0x6b, 0x49, 0x84, 0x0f, 0x8c, 0x53, 0xbc, 0x1e, 0xb6, 0x8a, 0x38, 0x2e, 0x97, 0xb1, 0x48, 0x2e, 0xca, 0xd7, 0xb1, 0x48, 0xa6, 0x90, 0x9a, 0x5c, 0xb2, 0xe0, 0xea, 0xdd, 0xfb, 0x84, 0xcc, 0xf9, 0x74, 0x44, 0x64, 0xf8, 0x2e, 0x16, 0x0b, 0xfa, 0x9b, 0x8b, 0x64, 0xf9, 0xd4, 0xc0, 0x3f, 0x99, 0x9b, 0x86, 0x43, 0xf6, 0x56, 0xb4, 0x12, 0xa3, 0xac, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00};
    BITCOIN_ASSERT(raw_tx == ss.get_data());

    hash_digest tx_hash = libbitcoin::generate_sha256_hash(ss.get_data());

    data_chunk pubkey{0x04, 0x11, 0xdb, 0x93, 0xe1, 0xdc, 0xdb, 0x8a, 0x01, 0x6b, 0x49, 0x84, 0x0f, 0x8c, 0x53, 0xbc, 0x1e, 0xb6, 0x8a, 0x38, 0x2e, 0x97, 0xb1, 0x48, 0x2e, 0xca, 0xd7, 0xb1, 0x48, 0xa6, 0x90, 0x9a, 0x5c, 0xb2, 0xe0, 0xea, 0xdd, 0xfb, 0x84, 0xcc, 0xf9, 0x74, 0x44, 0x64, 0xf8, 0x2e, 0x16, 0x0b, 0xfa, 0x9b, 0x8b, 0x64, 0xf9, 0xd4, 0xc0, 0x3f, 0x99, 0x9b, 0x86, 0x43, 0xf6, 0x56, 0xb4, 0x12, 0xa3};
    // Leave out last byte since that's the hash_type_code (SIGHASH_ALL in this
    // case)
    data_chunk signature{0x30, 0x44, 0x02, 0x20, 0x4e, 0x45, 0xe1, 0x69, 0x32, 0xb8, 0xaf, 0x51, 0x49, 0x61, 0xa1, 0xd3, 0xa1, 0xa2, 0x5f, 0xdf, 0x3f, 0x4f, 0x77, 0x32, 0xe9, 0xd6, 0x24, 0xc6, 0xc6, 0x15, 0x48, 0xab, 0x5f, 0xb8, 0xcd, 0x41, 0x02, 0x20, 0x18, 0x15, 0x22, 0xec, 0x8e, 0xca, 0x07, 0xde, 0x48, 0x60, 0xa4, 0xac, 0xdd, 0x12, 0x90, 0x9d, 0x83, 0x1c, 0xc5, 0x6c, 0xbb, 0xac, 0x46, 0x22, 0x08, 0x22, 0x21, 0xa8, 0x76, 0x8d, 0x1d, 0x09};
    BITCOIN_ASSERT(signature.size() == 70);

    elliptic_curve_key key;
    if (!key.set_public_key(pubkey))
    {
        log_fatal() << "unable to set EC public key";
        return -1;
    }

    log_info() << "checksig returns: " << (key.verify(tx_hash, signature) ? "true" : "false");
    return 0;
}


BTW that's the first spent tx in bitcoin from block 170,

http://blockexplorer.com/block/00000000d1145790a8694403d4063f323d499e655c83426834d4ce2f8dd4a2ee
http://blockexplorer.com/tx/f4184fc596403b9d638783cf57adfe4c75c605f6356fbc91338530e9831e9e16
legendary
Activity: 1428
Merit: 1093
Core Armory Developer
I have produced a few hour-long seminars at work, with the goal of adding extremely detailed visualizations to describe the mechanisms of cryptography.  So, for me, these visualizations were quite easy as I have become extremely efficient with Inkscape.   The hard part was understanding the algorithms to begin with!  Once I finally got my OP_CHECKSIG code working, I knew that I could leverage my Inkscape skills to benefit others (and myself, as these images are great for my own reference).

If you feel that there are more algorithms/concepts that could benefit from such visualization, I will be happy to produce them, as long as I understand it.  Perhaps others could help by injecting these images into the wikis at appropriate places.  Of course, if you believe there is an error in one of them, please let me know.

On that note, I would like to make a few variants of the OP_CHECKSIG diagram, one for each hashtype.  Unfortunately, I don't fully understand them myself.  I need SIGHASH_NONE, SIGHASH_SINGLE, SIGHASH_ANYONECANPAY.  I have read the descriptions, but still don't understand them well enough to complete the visualization.  Perhaps someone that does understand can explain them in the context of the my diagram for SIGHASH_ALL.

-Eto
hero member
Activity: 938
Merit: 500
https://youengine.io/
This is extremely valuable information! I will need it once I come to the point of verifying transactions myself. The OP_CHECKSIG mechanism is the single one thing about the entire protocol that raises the most and the biggest question marks when reading the protocol specification. Compared to that the rest of the protocol is a child's play.

Having this independently documented by different people (who all have their own style of visualizing and explaining the same thing) is a great help. I believe especially this topic (OP_CHECKSIG & friends) deserves more explanaition and this thread and the excellent diagrams are a very valuable contribution.

I hope more of those people wo have already completely understood it will attempt to document and pass on their knowledge and maybe also try to explain in their own words not only what the code does but also why certain steps are needed or done exactly the way they are done or find even better ways to visualize what is going on. I personally will certainly try to do this once I have a working implementation of OP_CHECKSIG (I'm still busy with boring implementtion of network protocol and persistance layer but at one point I will need to start working on transaction verification).
legendary
Activity: 1428
Merit: 1093
Core Armory Developer
Five or six posts up I included the .svg file that contains all the images so far.  It's kind of a mess, but it's all there. 

And please let me know if you find any problems with it, I'll update it myself. 
-Eto
legendary
Activity: 1232
Merit: 1076
You should consider giving us the sources to these pics too. I'm going to be going through all the OP_CHECKSIG code soon with a fine comb and I'll probably have corrections to add to your images.
legendary
Activity: 1232
Merit: 1076
Hey thanks.

Definitely going to use this in my project: http://forum.bitcoin.org/index.php?topic=30646
(check it out Wink

Maybe you have some code samples to share?
legendary
Activity: 1428
Merit: 1093
Core Armory Developer
How about if I just change the title to say "Bitcoin Main-Network Address Operations"?  I don't feel like all the extra detail is justified, it'll just muck up the diagram to accomodate cases that most people will never encounter.

P.S. - I just updated the image to include one \x00 byte, and changed the title as I just described.  Let me know what you think.

full member
Activity: 140
Merit: 430
Firstbits: 1samr7
Okay.  So I need to add a '\x00' byte to the 24-byte binary address to make it 25-byte... and it never mattered because it's big endian so the integer calculation works out the same...?  So when would this byte not be '\x00'?

That's right!

The only interesting cases for the first byte being nonzero are testnet addresses and namecoin addresses.

Quote
And is this the same \x00 that you say is responsible for the '1' at the beginning of the address?  There could be multiple '\x00' bytes? 

Yes to both!  And, as you mentioned, preceding zeros are ignored by the binary-to-base58-string conversion step.  Without this rule, it wouldn't be possible to have an address that started with 11 or 111, and it would be possible to have an address shorter than 25 characters (which is impossible in the current scheme).
legendary
Activity: 1428
Merit: 1093
Core Armory Developer
Ah hah.  Little details that I missed...

Okay.  So I need to add a '\x00' byte to the 24-byte binary address to make it 25-byte... and it never mattered because it's big endian so the integer calculation works out the same...?  So when would this byte not be '\x00'?  And is this the same \x00 that you say is responsible for the '1' at the beginning of the address?  There could be multiple '\x00' bytes? 

Damn these small details!   I'll update the diagrams once I understand it, myself.

-Eto

full member
Activity: 140
Merit: 430
Firstbits: 1samr7


This is good.  But I'll call you on the length of the pre-base58 address: it's 25 bytes long, not 24, but the upper byte is always 0 for regular bitcoin addresses.  Also, the base58 encoding procedure will prepend a 1 for each preceding \x00 byte in the pre-encoded address, not just a single 1.
legendary
Activity: 1428
Merit: 1093
Core Armory Developer
First of all, here is a link to the raw .svg file I am using:  

https://dl.dropboxusercontent.com/u/1139081/BitcoinImg/BTC_Illustrations.svg

This is typically how I prepare images for presentations I make at work.  I use Inkscape to create a bunch of diagrams, then select each one and "File-->Export Bitmap".  With this file out there, it should be available for others to download, modify and re-post somewhere else if I get hit by a bus tomorrow.   By the way, Inkscape is amazing.  Once you learn some of the hotkeys, alignments, grouping, fill&stroke, etc, it's very pleasant and efficient to use.  The learning curve isn't terribly steep, and they have interactive tutorials which are actually Inkscape canvases, with inkscape objects for you to play with.

Second, here's another diagram.  It's not nearly as complicated as OP_CHECKSIG, but once I had it mapped out like this, I was able to do a ton of address magic in my code and get it right on the first try.  Not having to guess endianness at every step is a big help!  Remembering the extra bytes that have to be added here and there helps, too.



The full size image is here:  https://dl.dropboxusercontent.com/u/1139081/BitcoinImg/PubKeyToAddrSmall.png
newbie
Activity: 28
Merit: 0
Thank you sir. Documenting that is a big plus!
newbie
Activity: 59
Merit: 0
thanks a lot for those!
legendary
Activity: 1428
Merit: 1093
Core Armory Developer
Ack, nice catch!  I have updated the image in Dropbox.   Maybe I'll keep it in Dropbox for a while, until I get a little more feedback like this...

I had no idea OP_CHECKSIG was so complicated either... until I started trying to figure out what I needed to hash to verify the signature.  That was like 2-3 days ago, and only now did I get it!

-Eto

newbie
Activity: 42
Merit: 0
Nice work!  The only glitch I noticed is that the value field in a TxOut is 64 *bits* long, i.e. 8 bytes.  Most other field lengths seem to be in bytes.

I hadn't delved into the details of OP_CHECKSIG before, and hadn't realized it was this complicated.  Thanks for sorting this all out for us!
member
Activity: 70
Merit: 18
Well done!  0.1 BTC sent
legendary
Activity: 1428
Merit: 1093
Core Armory Developer
Alright!  After spending a dozen hours figuring out the OP_CHECKSIG procedure, and working out all the endianness issues and other details in my code, I decided no one else should have to go through this as confused as I was!  So, I hereby present the illustrated guide to OP_CHECKSIG (with SIGHASH_ALL only).   Again, click on it for the full-detail image.



Please let me know if you spot any errors.  I would like to make this diagram as accurate as possible.

Btw, this was a lot of work!  So, if you get some benefit out of this diagram, please consider donating 0.1 BTC to me!  My address is in my signature. (and I would love to show my girlfriend that it's possible to get compensated for all the time I spend on the computer! Smiley)

Enjoy!
-Eto
hero member
Activity: 812
Merit: 1022
No Maps for These Territories
Cool! Put them on the wiki!
legendary
Activity: 1428
Merit: 1093
Core Armory Developer
As part of the effort I invested to really understand the BTC protocol, I made some SVG images to help me piece everything together.  I got most of the difficult details I needed from the BTC forums, so here is me giving back Smiley

The first image is a breakdown of an entire transaction.  I could not put the full-size image into this post, because it had to be saved at 800 DPI in order to capture all the small text describing the scripts.  Click on it for the full-sized image.



I have a couple more images coming, showing the process for OP_CHECKSIG, but they need to be cleaned up before I can post them here.  Please let me know if you find any errors so I can fix them.  

Enjoy!
-Eto

P.S. - I would like the full-sized images to be stored somewhere permanently on the forums instead of in my dropbox folder, but I can't put them in a post without flooding your browser screen.  Any recommendations?
Pages:
Jump to: