'%3e%3crect%20x='109.185'%20y='253.397'%20width='350.859'%20height='857.656'%20fill='white'/%3e%3cpath%20d='M274.77%20708.572H233.194V888.205H286.632C302.651%20888.205%20314.635%20883.711%20322.461%20875.088C330.287%20866.465%20334.322%20851.404%20334.322%20830.149V779.138C334.322%20752.539%20329.797%20734.2%20320.382%20723.997C310.966%20713.795%20295.681%20708.451%20274.77%20708.451V708.572Z'%20fill='%23FF5C00'/%3e%3cpath%20d='M310.966%20610.558C320.015%20601.206%20324.539%20585.295%20324.539%20563.19V530.518C324.539%20490.559%20308.887%20470.519%20277.705%20470.033H232.949V624.768H269.512C287.977%20624.768%20302.039%20619.91%20311.088%20610.436L310.966%20610.558Z'%20fill='%23FF5C00'/%3e%3cpath%20d='M277.582%200C124.362%200%200%20123.399%200%20275.704V1069.3C0%201221.48%20124.239%201345%20277.582%201345C430.803%201345%20555.165%201221.6%20555.165%201069.3V275.704C555.165%20123.52%20430.926%200%20277.582%200ZM426.523%20833.064C426.523%20878.367%20414.539%20912.739%20390.817%20936.423C375.898%20951.241%20356.7%20961.322%20333.221%20966.909V987.677C333.221%201002.5%20320.993%201014.64%20306.075%201014.64C291.156%201014.64%20278.805%201002.5%20278.805%20987.677V971.888H232.949V987.677C232.949%201002.5%20220.721%201014.64%20205.803%201014.64C190.884%201014.64%20178.655%201002.5%20178.655%20987.677V971.888H170.218C150.53%20971.888%20140.625%20962.05%20140.625%20942.496V415.743C140.625%20396.188%20150.53%20386.35%20170.218%20386.35H178.655V357.201C178.655%20342.383%20190.884%20330.238%20205.803%20330.238C220.721%20330.238%20232.949%20342.383%20232.949%20357.201V386.35H278.805V357.201C278.805%20342.383%20291.034%20330.238%20306.075%20330.238C321.115%20330.238%20333.221%20342.383%20333.221%20357.201V388.78C333.221%20389.994%20332.977%20391.087%20332.855%20392.18C354.499%20397.524%20371.863%20406.512%20384.703%20419.386C406.469%20441.491%20417.597%20475.377%20417.597%20521.045V544.364C417.597%20604.363%20397.42%20642.743%20357.556%20659.14V660.719C403.656%20676.265%20426.646%20717.074%20426.646%20782.782V833.064H426.523Z'%20fill='%23FF5C00'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_1_174'%3e%3crect%20width='555'%20height='1345'%20fill='white'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
- Understanding ECDSA: Bitcoin's Digital Signature Foundation
- Signature Commitments and the Signing Process
- Transaction Structure and Inputs/Outputs
- Fees, Change, and Malleability
Understanding ECDSA: Bitcoin's Digital Signature Foundation
Bitcoin relies on ECDSA, an elliptic curve–based signature scheme offering strong security with far smaller key sizes than RSA. Its security comes from the elliptic curve discrete logarithm problem: given P = eG, computing P is easy, but deriving e from P is computationally infeasible. This asymmetry enables public key cryptography while keeping private keys secure.
DER Encoding of ECDSA Signatures
Bitcoin encodes ECDSA signatures using the DER format:
- 0x30 (sequence marker)
- length byte
- 0x02 + length + R bytes
- 0x02 + length + S bytes
This adds overhead, expanding a 64‑byte signature to ~71–72 bytes. Taproot eliminates this inefficiency by adopting fixed‑size Schnorr signatures.
Signature Commitments and the Signing Process
ECDSA signatures rely on a commitment equation: UG + VP = KG. The signer selects non‑zero U and V values, and a random nonce K, proving knowledge of the private key without revealing it. The message is hashed into Z, a random K is generated, R is the x‑coordinate of KG, and S = (Z + RE)/K. The signature is the pair (R, S). Security critically depends on using a unique, unpredictable K—if K is reused or leaked, the private key is compromised. Modern implementations use deterministic K generation (RFC 6979) to avoid RNG failures.
Signature Verification
Given Z, (R, S), and public key P, the verifier computes U = Z/S and V = R/S, then checks whether the x‑coordinate of UG + VP equals R. This works because the verification algebra reconstructs KG without needing the private key. Forging signatures would require solving the discrete log problem or breaking the hash function.
Schnorr Signatures and Historical Context
Schnorr signatures are mathematically cleaner and support aggregation features, but were patented when Bitcoin launched. ECDSA offered a free alternative, though with more complexity and larger signatures. With the patents expired, Bitcoin added Schnorr signatures via Taproot, providing fixed 64‑byte signatures and improved privacy. ECDSA remains supported for legacy compatibility.
Transaction Structure and Inputs/Outputs
A Bitcoin transaction consists of:
- version (4 bytes, little‑endian)
- input list
- output list
- locktime (4 bytes)
Inputs reference previous UTXOs by their transaction hash and output index, and include an unlocking script (scriptSig) and a sequence number used for timelocks or RBF. Outputs specify the amount (8 bytes) and the locking script (scriptPubKey), defining spending conditions. Bitcoin addresses are representations of these scripts.
The UTXO Model
Bitcoin tracks unspent outputs rather than account balances. UTXOs must be spent entirely—partial spending is impossible. To spend 1 BTC from a 100 BTC UTXO, a transaction must include a change output. Forgetting the change output turns the remainder into a miner fee.
Transaction Serialization and Parsing
Transactions use a compact binary format. After the version field, a varint encodes the number of inputs. Inputs include:
- previous tx hash (32 bytes)
- output index (4 bytes)
- scriptSig (varstr)
- sequence (4 bytes)
Outputs include an 8‑byte amount and scriptPubKey (varstr). Locktime controls when the transaction becomes valid. Serialization uses little‑endian ordering for most integers. Parsers consume bytes sequentially and delegate to specialized classes for inputs, outputs, and scripts.
Fees, Change, and Malleability
Fees are implicit:
fee = sum(input values) – sum(output values).
Any unassigned value becomes the fee, making correct change output construction essential. Before SegWit, signatures allowed malleability—modifying S to N-S produced a new valid transaction with a different ID. Bitcoin now enforces a low‑S rule, and SegWit isolates signatures from the txid calculation, making IDs stable and enabling second‑layer protocols like Lightning.
fee = sum(input values) – sum(output values).
Any unassigned value becomes the fee, making correct change output construction essential. Before SegWit, signatures allowed malleability—modifying S to N-S produced a new valid transaction with a different ID. Bitcoin now enforces a low‑S rule, and SegWit isolates signatures from the txid calculation, making IDs stable and enabling second‑layer protocols like Lightning.
Quiz
Quiz1/5
pro2023.1
What is the primary consequence of forgetting to include a change output when spending a UTXO that contains more Bitcoin than needed?