tradecraftio / tradecraft

Tradecraft integration/staging tree https://tradecraft.io/download

Alter segwit script hashes to permit a Merkle tree of alternative script pathways #63

Closed maaku closed 4 years ago

maaku commented 4 years ago

In segwit P2WSH, the scriptPubKey payload is the hash of the script to be used at time of redemption. This means that only one script can be used, and that script must be committed to at the time the output is created. This PR uses the fast Merkle tree code to have all segwit scriptPubKey simultaneously commit to N scripts, where N >= 1, and then select which script is to be used at time of redemption. In other words this makes all segwit outputs MAST outputs (MAST = Merklized alternative script tree).

The code has been updated to make P2WSH outputs contain a Merkle root hash, and an extra witness element is required at redemption which contains the proof. For traditional outputs which contain only one script, the proof is the empty string, but it must be present. The hash of scripts is changed from SHA256 to double-SHA256.
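The commitment described in the comment above, sketched as an added example that is not code from this PR or the project: an output commits to a Merkle root over double-SHA256 script hashes, and the spender reveals one script plus a proof, which is empty when only one script was committed. The inner-node hash, the 33-byte proof step encoding, `MAX_DEPTH`, and the sample scripts are assumptions made for illustration; the project's fast Merkle tree code is not shown on this page.

```python
import hashlib

MAX_DEPTH = 32  # assumed cap on proof steps, so a verifier bounds its work

def dsha256(data: bytes) -> bytes:
    """Double-SHA256, the script hash named in the PR description."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    # ASSUMPTION: stand-in for the project's fast Merkle inner-node hash.
    # The 0x01 prefix keeps inner nodes distinct from script (leaf) hashes.
    return dsha256(b"\x01" + left + right)

def commit(scripts, index):
    """Return (root, proof) for scripts[index]; an odd last node is promoted."""
    if not 0 <= index < len(scripts):
        raise IndexError("index must select one of the committed scripts")
    level, proof = [dsha256(s) for s in scripts], b""
    while len(level) > 1:
        sibling = index ^ 1
        if sibling < len(level):
            # Assumed step encoding: 1 side byte (1 = sibling on the left) + 32-byte hash.
            proof += bytes([int(sibling < index)]) + level[sibling]
        nxt = [node_hash(level[i], level[i + 1]) for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])
        level, index = nxt, index // 2
    return level[0], proof

def verify(root: bytes, script: bytes, proof: bytes) -> bool:
    """Recompute the root from the revealed script and its proof."""
    if len(proof) % 33 or len(proof) // 33 > MAX_DEPTH:
        return False
    h = dsha256(script)
    for off in range(0, len(proof), 33):
        side, sibling = proof[off], proof[off + 1:off + 33]
        if side > 1:
            return False
        h = node_hash(sibling, h) if side else node_hash(h, sibling)
    return h == root

# Constructed sample scripts (raw script bytes, not taken from the PR).
SCRIPTS = [bytes.fromhex("51"), bytes.fromhex("5287"), bytes.fromhex("00")]
```

With a single committed script the root equals the double-SHA256 of that script and the proof is the empty string, matching the traditional-output case in the comment.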

maaku commented 4 years ago

The 20-byte P2WPKH output type is now a MAST output. Since it is no longer a "pay to pubkey hash" output, I've adopted the new terminology of "short hash" and "long hash" to differentiate the two pay-to-witness-script-hash output types.

maaku commented 4 years ago

I'm now considering this ready for merge. The only thing from the original specification that is not implemented is supporting multiple spend pathways. It turns out that implementing this correctly is actually rather complicated. I'm not sure what the best approach is, and I don't want to delay the segwit feature any further while sorting out what is ultimately a rather trivial feature that doesn't affect consensus.