Advanced Bitcoin Scripting — Part 1: Transactions & Multisig

[Applause] alright I'm so glad to be back in San Francisco I I think there are a few places in the world where I would be introduced into a Japanese founded workshop hackerspace gathering people talking about Bitcoin development of Bitcoin scripting with the phrase I will sprinkle some blue all right so today's talk is different from some of the other talks I've done so bear with me we're gonna do this kind of so Lian's in a very casual manner this is not one of my usual talks where I'm going to tell you about big picture vision and stuff like that so I'm going to do a very quick introduction to some of the fundamentals a big point script and then we're gonna dive into some more advanced topics around conditionals or flow control and guard clauses time locks all the way up to if we get to it some of the scripts you see enlightening part of what I'm going to be talked about is some of the new contents from the second edition of mastering thick point as you probably know that book as with the first edition was written on github in public all the laundry out in public everything for everyone to see and criticize and notice all of the horrific mistakes I made and hopefully do pull requests before it goes into final production which is next week hint hint I will also be saying some things here tonight that are wrong extra points if ones you notice and two you send me a message afterwards and help me fix them in the book if I do say things here that are wrong it's because I don't know they're wrong which is why I need your help if you do know they're wrong that's really what I could use so no promises any of this is going to work or that is correct but it will give you some greater sites into how Bitcoin script works so let's get started I'm going to use the white board mostly Bitcoin script is a fourth like sack based language that uses a reverse polish notation how many people did I lose so far okay that's cute and what that means is that it uses as its fundamental elements of stack and the stack evaluates functions or script operates in the opposite order than you would expect and the parameters of functions or operators come before the operators themselves so an example of reverse polish notation script is let's say you want to do one plus one okay start with the easy stuff how do you write that it's one one plus and the reason it's like that is because this gets evaluated through a stack a stack is data structure where you push things into the stack or you pop things from the stack I think of a stack of dishes right you can only access the topmost dish in order to get the one below it you have to pop off the top one and then you get to the second one right so if you want to evaluate this and I'll use this notation which is the one I use in my poll so let's say this is the stack right so the system will start by evaluation the first item in the script and if it's just a number it gets pushed on to the stack so the one goes here script pointer moves the next item goes here I got another one push that onto the stack great and now we've got one item on the stack which is the plus operator now when you get to an operator usually an operator takes a few parameters the plus operator takes put two parameters the two things it's adding together where does it find those two parameters it pops two items off the stack so a plus operator is defined as an operator the tops two items off the stack as Li together and pushes the result back onto the stack right so top hop add push pop pop add them together and push the result of the stack and the program terminates that's how you do one plus one is two it's a bit weird right okay now in the big point the scripting language works like this we often use the prefix op 2 denotes operators so in bitcoins graph this would look like Oh wanna off 100 and up one just pushes one to the stack and our point which responses that not bad hops to iTunes ask them together it pushes a result onto the stack the end result is – same thing right for the rest of these examples I will not use the OP prefix it's implied the only reason the are prefix exists there is because in the actual code that implements Bitcoin for example Bitcoin core or V coin or the Bitcoin the variables that are used in denote these operators are written with the prefix o many programming languages actually don't allow you to start a variable with a number they require the first part of a variable name to be a letter so pens prefix off underscore whatever right but it's redundant everything has all founders who are in front of us if we just drop it from everything and we continue this conversation so far so good who's with me hey very good okay who's familiar with a page public key hash script the ones for an execution of that fir very quickly when in Bitcoin you create a transaction that says Alice pays Bob one Bitcoin for a cup of coffee in the Bitcoin transaction what you get instead is a bunch of Alice's inputs with some signatures to an output that identifies Bob's address as the destination paid right maybe some change as well let's ignore that for now and how does it identify the Bob's address with a script format called pay to public key hash p2p KH okay and the way that looks on the stack is do which stands for a duplicate hash 160 Bob's public key hash equal check sink not strictly necessary to do all of this there are reasons why it's done in this particular way some of the first transactions if you look at the point base for example of the first several hundred blocks the point base is not paid like this it's paid simply in play as a public key check sick right problem with the public he checks it for Matt if you just use the last part you just put Bob's public key checks it is that you've revealed Bob's public key in the output before Bob has had a chance to reveal it to redeem it that's dangerous if there's ever a problem with elliptic curve and you can take a public and reverse it back to a private key in quantum computing maybe you don't want to all the public keys to be known this format actually preserves it behind a double hash which is a hell of a lot harder to break okay so you've got two layers of obfuscation there there's other reasons why you would use a hash as well we'll see that's in a bit but this is a strict so every time you do a Bitcoin transaction if we all pull out our Bitcoin wallets and our smart phones right now and we start sending stuff to each other's QR codes and sending transactions your points creating a bunch of transactions on the Bitcoin blockchain that will all have this script which is called p2kh it will all have this script in the output all right how do you redeem this script so you print you provide two parameters to this let's say your Bob you want to send this you put Bob cig and Bob pub key so when you put these two things they actually get executed in sequence before this is verified so let's say I'm Bob I want to this this is a signature I'm going to provide this goes in the script sake so I want to spend this here is my signature it will be two parts signature and your public key then you put that to you the transaction you want to spend and then the system evaluates is Bob really authorized to spend this particular output how do we know well let's run this through the scripting language first and then let's run that through the scripting language and if the final outcome is true done you get the big one if it's false or anything else invalid transaction good everybody with me so far great what happens when you evaluate these two things through the scripting language these things are in numbers they get pushed onto the stack so pops it goes to the bottom and Bob pop key goes by and this is the state of the stack when the blocking script is evaluated so our locking script is being pushed onto the stack blocking script is in the script execution engine and now we start running to see if this is a valid signer for this output if Bob is in fact allowed to spend this who wants to try running this so first stack the first script execution item we have is two people so also all underscore do I'm taking out the office right so op – okay what does that do it takes how many parameters off the stack one what it pops one parameter off the stack and what does it do it do placate sit and then it pushes two parameters back onto the stack yes so far so good great so we run do Bob's pub he gets popped off the stack and then gets pushed back on the stack twice I'd erased the bottom one will write both of them again but I'm lazy and you know what I'm so now you've got two copies of box public he lets that and we move to the next item in the script execution and who wants to run the next one anybody yes well very good execution pointer is here I'm guessing it's one input takes one input produces one output great so the first input it takes is Bob pop key but what does it do to it it pops it very good so popular 160 operation and it does the hash 160 operation who wants to tell me what the hash 160 operation is it's actually two hashes and more it's a sha-256 wrapped in a ripe MD 160 it's a double hash it is in fact the same matching operation that goes into constructing a Bitcoin address also known as public key hash so hash 160 took Bob's public key hashes it through 256 child 256 hashes is through ripe MD 160 and produces a 160 bit public key hash as a result that gets pushed back onto the stack let's call that Bob's public key hash both the age now at this point if all has gone well if Bob's public he was in fact the one that Alice was paying these two should be the same so let's move to the next point in the stack this is gone this is now in the script execution execution pointer goes here first thing on the step on the script execution it's a number what do we do we numbers we push them on a stack I'll just move these things up all right good who wants to take me forward it's an easy one come on yes bulb goes off so equal takes two parameters it pops those from the stack now bop bah bah bah two copies of the same thing it checks it to reform yes very good okay next up yes two checks in the whatever we move to check say yep which will take one parameter – well actually sorry I may have this wrong who can help you out of here it's equal verify very good so this isn't equal it's equal verify why does it equal verify what's the difference between equal and equal verify and if it's true it doesn't push this off let's carry on checks a check sake pops these two items off the stack and it says is this a signature for this public key and the way it does that is using the elliptic curve digital signature algorithm to do a signature verification against the public key now here's an interesting thing this is really important to realize how does it know what's being signed there's some implicit data so I've written a simplification of what's happening here check sake actually takes more than these parameters first of all Bob signature consists of three parts it consists of an R value and s value and it's the seek hash pipe the sick hash pipe maybe C cash also has single sick casually whatever one of those sick hash types and what does the sick cash hype do it tells check sing there's a transaction also in your data space you take that transaction and if it's sick at all you create a hash based on a very specific recipe by mixing together all of the inputs and all of the outputs if it's a cash single then it says you create a hash for this inputs and this outputs only right so in here implicit is something that tells checks sake which part of the transactions is going to fingerprint so I contract the signature against the public key against that specific hash so what's being signed is the hash and how you construct that hash depends on whether this is a sick hash haul or some other type of signature have I lost the rest of the room slowly all right because 160 is the ripe MD 160 which produces the 160 bits which is the final to apply so the outputs of hash 160 is the outputs of ripe MD but it also internally does a shell 256 okay what's up oh very good all right so is everybody with me so far okay now we've demonstrated I've demonstrated poorly but to a level that maybe you understood a bit how the script is executed on the stack by pushing things you notice they go in reverse order right the first thing that gets pushed is the last thing that comes off right so when you have a function in a script it acts on the things that are closest to it because those get pushed onto the stack class and then later things in the script act on parts of the script that are furthest from it because those are the first things that get pushed on the stack right so first you move the parameters in do something with them create new parameters do something with them create new parameters do something with them and then there may be some leftovers at the bottom they get picked up at the end yeah that's a common thing so when you're looking at a script it's not always easy when you look at it to figure out which part is acting on which other parts of data because you have to visualize the sequence of pushing things and popping things onto and off of the stack but it depends on how many parameters being pushed and popped by each of the intermediate commands every one wouldn't be so far great so I'm not going to draw the stack again what I'm going to do instead is draw some scripts so we talked briefly about the suffix verifying does anybody remember which of the opcodes have a soft that can be verified equal so equal comes in two forms next anyone check see so again you have checks in check that only comes in one form we'll get to that in a bit Multi say check multi sit so each of these comes in two ports both with and without clarifying so can someone has anyone figured out exactly the difference between the two where would you use one where would you use the other yes correct so very anything that has verified will only continue execution of the script if the outcome of the conditional operator is true in which case it will not push that true back to the stack and it will simply continue execution otherwise equal check save and check multi sake put the outcome truth false on the stack and whether it's true or false you then have to further down decide what to do with that maybe afterwards you could do something to verify that it's true but that's not really useful because you would do it right there you could use equal it could be more cumbersome now not much point in using these at the end of a script because the end of the script acts like a verified meaning that when you reach the end of the script if true is on the stack you're good the lock script has been unlocked if anything other than true is on the stack your script terminates with a false thumb that blocking script has not been satisfied so effectively the end of the script acts as a verified meaning that you can comfortably put evening checks ignore check multi-sig at the end of a script because the verify is implied right afterwards the reason you would use the equal verify checks terrifying or check multi-sig verify is if you're putting it earlier in the script you don't want to leave anything on the stack and you want to terminate like this is a kill Klaus you're not going to worry about whether this is true or false if it's false oh you're done you're not going to evaluate anything else yes okay does anybody remember in programming what we call clauses does that decide whether the following part of the language is going to be executed or not anybody if clauses well yeah it's a very specific type of the net applause yes I think they're called guard cause it's called the guard Clause so a guard Clause is if the previous thing was true then do this so the this part only gets executed if you pass by the car it's a gatekeepers it says this code only gets executed under specific condition guard courses are used extensively in programming for one simple reason they're very easy to read and very clean we use them in formal languages especially languages where bugs are very dangerous the reason we use guard causes is because if you wrap code in a simple guard clause that code will not run if the guard calls is not satisfied right so you see that all the time if debug prints to you log file right and all you're doing is turning on or off that functionality when there's a debug right otherwise the print to log file never happens if the bug load assert zero that's the guard clause that should have been in that line and Bitcoin unlimited what was it so guard cause is it useful because they simply preclude the execution of the next thing and we'll see how we use them in the next section so there's that there's a specific type of command that only has a verify version and that's time locks the two forms of script based on box check lock time verified check sequence verified there is no check lock type without firefight there is no check sequence without verify there is a very good reason for that it actually makes it rather difficult to write scripts that run that are valid now but not valid in the future you can only write scripts are invalid and till an event but from that point to infinity this is deliberate time locks allow you to activate a transaction but not expire it once something becomes valid it is valid forever this is consistent throughout Bitcoin there's no such thing as a script that is valid today that is not valid tomorrow unless the consensus rules change right transactions do not expire and scripts do not expire us and as a result checkbox time is written in such a way that you can't say not if and then run something afterwards to invert its meaning so check locks and verify for example means this is valid only after block 1000 you can't invert its meaning and say this is valid only before block 1000 and not after because the verify doesn't let you evaluate the outcome it simply stops does that make sense now you can get around that but it's not easy it's not easy you have to use something called a ring vocation all right who's with me so far who's still having fun this is the geeky Meetup I love it all right so the verify clause at the end of an operator is a form of a conditional right and it's also a form of flow control it's the same as writing if true do what comes after else return right return the return code in Bitcoin causes the script to terminate right and there's not evaluate truth value as possible well done if you find a return in your script and run it right so verify is the same the same if true do this else return but it's a much more compact form and we'll see how that works okay so the most useful form of conditional is a flow control statement and the flow control says State men's is an if-then-else statement everybody familiar with this then else yes in in Silicon Valley what we call if then else we call it AI [Laughter] for many programmers AI is a hundred-thousand if the analysis concatenated together that evaluates all the possible ways something might work I wrote an interpretive interactive psychiatrist : Liza in college as a very weak AI that would interact and have a conversation with you and it consisted a lot of if-then-else trying to figure out what the hell you were saying in English so if then else statements now this is Bitcoin of course so take what you know about it then else spring is some weird on it and we get Bitcoin if else and different this is what it looks like in bit so in the Bitcoin script you have if else and if all right what is a anyone a condition you would assume so this is where the weird comes in second best guess yes it's the code that gets executed if the condition is true so this is the then part you can assume that here there's a then just to make it easier to read if true then a else B that's how it actually runs so you start reading Bitcoin script you see it if you assume the very next thing is the thing that you're testing it is not the very next thing is the thing you're executing if the thing you tested was true then there's an else statement or not there might just be an end if then there's the thing the price if it was false then it's an ending so far so good where the hell is the condition before the entry so actually the way this works is it looks like this X is that is the condition so the way this reads is FX then a else B and it problem is the X isn't in the script the X isn't in the walking script it almost never is it's not as a literal for sure there might be other stuff before there in which case whatever they put on the stack maybe they put the true or false so if you have an equal here equal gets evaluated it does trough also the stack it gets evaluated it takes the true or false from the equal so in saying if equal then a speed so if this X was an equal operator it took whatever two things were on the stack before weighed them together if they were equal this part runs if they were different this part runs yes so you can actually take an equal verifying write 2 as equal if what comes after else return and if it's a rather long-winded way of writing the same thing but very often in scripts there is no X and this gets very confusing because you read the script do you think oh it's just English right programming is just English so if a is true then I'm not quite sure but LSB right and that's not what this script does and the first thing you come across conditional flows in Bitcoin scripts your natural inclination is to read it so you read for example if something check box I verify something check saying and you think oh it's checking the check box time it's not the condition came before but it's not on the script so where the hell is it and why is it not on the script in doing reverse pull into patients so first it has to get push which means it comes before the function that actually uses it yes but why not put it before the if writes and the locking screens there's a very good reason for that because if the condition is in the locking script then you put it in place when the UT XO is created and it only ever has one value the one you put there and therefore the rest of the script is pointless because if this was something that evaluates to true and you put it in the locking script then it will always run a and if it was false and you put it in the walkie script it will always run B so why the hell do you have these there why don't you just get rid of all that and just say A or B the reason you can't put the condition in the script is because the script gets recorded on the blockchain and is immutable and it's the part that gets executed every time in exactly the same way so whatever you put there will always evaluate to either true or false will always run a or B and therefore if you put it in the locking script you're just wasting space right this is a very important so you need to put it in the part of the scripting language that's variable and that's the unlocking script which means that the person's spending provides the condition well that's weird and so this comes to the basic understanding of what conditional flow does in Bitcoin what that says is this is locked this simple locking script if it was exactly like this it says this can be spent two ways and you choose you show up with an unlocking strip the leaves true on the stack we're going to try and spend this with method a you show up with an unlocking script that spend that has false on the stack we're going to try and spend script beep the unlocking script chooses one of the two paths to execute so if statements in Bitcoin conditional flow in Bitcoin is very different from how we would use a procedural language because the condition you're testing is user inputs it comes from the unlocking script so in a sense essentially in Bitcoin script you're saying there are two ways to spend this you TXO a or B and you can choose equally between both of them by saying true or false in the spending script now that seems weird because that doesn't seem very secure what do you mean the unlocking script can choose they can just choose a or B well then we've got to see what happens here so usually that means something sophisticated is happening here let's have a look so here's a locking script it says well you tried reading it with English first so it goes if Bob's public key is check safe then no that's wrong okay so what this says is if you give me a true I'm gonna try and use Bob's public key to check this if you give me a false I'm going to try and use Alice's public key to unlock this script which means that to spend this Bob passes as the unlocking script Bob sick true and Alice can spend the same thing by saying Allisyn Paulson that's really weird that's really weird you probably don't understand in first class but let me explain how this works so let's say Bob presented this so how does this execute on the script let's put it in our mind and think about it so Bob say is the first thing it's a number and gets put onto the stack then true gets put on top of it in the stack then the if Clause is executed it pops off the true drops everything else and runs this now pump key goes on top of Bob sink checks a grunts sink puppy check sig true done Bob Spencer similarly here allison goes on the stack false goes above it if execute its false all of this goes away the else clause runs Alice's public key gets pushed on the stack check sick pops Alice's public key and I was sick truth done alice spends this output I just wrote a really freaky weird one of two multi singer that's a one of two multi synced between Bob and Alice it's two keys any one of them can spend it with a single signature right so what I did was multi sink but with an if clause and all they have to do in order to choose the right clause for their particular execution path the one they want them will achieve the result they want is put at row false again yes everybody with me some people with me anybody with me very good okay so now you see why the condition is actually provided by the redeemer now that may be a problem you may want to make sure that some parts of these things can only be executed by a very specific spender yes let's say we wanted to do more here let's say Bob had to produce a secret hash and the signature well then we could do half 1/16 while passion now mob has to deliver three things to the stack true signature and some number that win hash the juices that hash a pre-image yes not quite we need to turn this into a guard claws how do we turn this into a guard claws verify very good so what we're saying now is there to execution paths available in this script the first execution path must first overcome this guard cross that requires a named public ITA's provide a signature and then they must also provide the preimage to a hash Alice has a lesser burden she only needs to produce a signature right make sense so we've pilots to conditions this is almost like a nested-if because it's a verify verify is the same as doing if else return everybody would be so far this is getting complicated right well no the reason for doing this is to to allow a motive a motive redemption that uses a pre-image instead of a public key lightning uses that kind of technique for hash time locked contracts you'd actually probably put this the other way around so that the guard Clause is give me the preimage first and then give me the signature they're equivalent you can also have this without this and this means Alice can spend this or anyone with knowledge of the secret can spend this and you learn at all once the secret is out first person to get their transaction into the blockchain gets the redeem this yes yes how long will be going and Mormonism I think I have time for one more example which is the final example from Chapter seven all right so at this point this should be crystal clear it's the same thing with a couple of little twists and seeing principles of how you put things off the stack top things off the stack and then evaluate them in sequence what this is is a partnership company that has three partners now B C and D these three partners operate a multi signature account to store the company's money three lawyers working together they have a lawyer who's not part of the company called a and that lawyer is responsible for assisting in the case there is key loss so if one of the partner loses the keys the lawyer was under contract has a fiduciary responsibility etc can step in and provides a backup key and basically what this script does is it says two out of three of the partners can spend this anytime so the basic clause is down here which is a two of three multi-sig yeah it requires two of the three partners to sign if they sign it works like a normal multi-sig small twist but mostly normal unless the applet has not been spent within 30 days of being mined if it hasn't been spent 30 days after its mines it can also be redeemed by a signature from the lawyer and one of the partners not to me or if ninety days have elapsed from the moment this output has been mined the lawyer can spend it without any other partner signatures yes so there are the three execution paths at any moment in time all three of the execution paths can be selected but not all of them can be run successfully because they have guard clauses and those dark guard clauses are based on time locks relativistic time locks check sequence verify is relative to when this was mine that's why I put the notation plus 30 days plus 90 days right that would be in seconds relative to the time it was fine everybody good so far did I make a mistake by the time there according to median time past which is a specific consensus measurement of time introduced by pip 68 which introduced check sequence verified check sequence verify came also with BIP 1 1 3 when it was activated in November I think it measures the median time of the last 11 blocks so it's permanently about an hour in the past but because it depends on the time stamps and 11 blocks no single miner can monkey with it because so it makes it a useful consensus rule of time you have to adjust mentally to the fact that it will always be an hour behind because it's looking at the median time past 11 blocks right it is just short of 2 hours and the midpoint is exactly an hour ago right not wall clock time consensus time and because each miner can make small changes and can drift any one block by a bit but they can't drift all 11 of the past blocks by a lot therefore it's not in their hands to modify this and start sniping transactions that are not yet you under the time log so that's a consensus security feature that was introduced with dip 1 1 3 questions employers B C and D you would have to update this transaction every day maybe though in order for this to be effective you have to roll it over every 30 days every 29 days to be precise to prevent one of the other lawyers from colluding with the one of the other partners from colluding with the external lawyer and taking the money right so they would have to sign with two out of three a transaction every 30 days and roll it back into a script like this with a current fee structure in Bitcoin not likely they would do that so maybe this isn't suitable for now depends maybe they're very rich law firm they're moving like ten million dollars out of this you TXO into another you TXO so one dollar a five dollar fee it's a big script is it a big deal yes okay now let's go into some of the nuances right so you notice you you get the big picture everybody I think gets the big picture right what this is trying to achieve multi-sig in the middle very straightforward two or three partners 30-day clause that allows one partner and the lawyer and the 90 day clause which is the they all died in the car crash together I told them not to go in the same car and now he's the last will executor for their last will and testament and he's like dearly beloved we have gathered here to split ten million dollars so that's the final clause right that's the background awesome what we don't hear is we've sequence of events in time and this is really important using time walks now I want to point out some nuances do you remember how I said the time locks can be activated but not expired so they only work one way so once something is valid so the time lock has passed it comes into play but it doesn't go out of play right so let me just point something out you might at first glance think it's either or either or yes but in fact it's this and this after 30 days and also this after 90 days meaning that 36 days after this is mined these guys could still do the two of three this Clause doesn't go away this is always an option maybe it's hey who got into a car crash and his key disappeared so none of the other stuff matters this is always an option right 92 days after this is mines all three clauses come into play they could it can be redeemed in any of the three ways right so the clauses come into place Eclipse through time but they never expire you can't say and you can't redeem anymore that is a problem or solution but the way it's done in lightning is using a replication script which you can find in chapter 12 all right so everybody got that part okay here's a little interesting twist you may notice this like is that doing there there's it – it's just hanging it out like how number 2 up here like what is that doing up there anybody you've got some ideas ok let me give you some hints check multi-sig check multi-sig right takes at least three parameters admin which is the poor a number of keys minimum of one and n which is the how many keys are total right so check multi singer that's the end it says there are three keys total one key to key three key where's the M or one version of it because there's another n now this we start giving you a tiny bit of a glimpse of how flexible this is I just took the check multi-sig and I spread it all over two different conditional clauses over two different flows over two execution paths one way of doing this is you go through this way and then it's to key key key three check multi-sig pretty pretty much straightforward all teasing right or you go through this path guard clause thirty days and the signature from the attorney and then one of key key III check multi-sig so that it's a one of three so this one plays two different ways it's a two or three or it's a one two three does that make sense that's a really powerful feature we just leave it dangling on the stack and then check multi-sig will pick it up when it's time yes was there an error or a 2 or 4 it's very good point it's a 2 of 3 or 2 of 4 because we've inserted another key up here but it's difficult to write it to a 4 in this particular formulation you could probably do it with by splitting the check multisig at the different parts right very good point it is a 2 a 4 because we introduced this they were two different checks what is that's a check stick verify and it won't even go to the chickens they can I see if it succeeds Morris like either it's one of three or two or three but it never reaches the one yeah so actually it's not a tool for it's a 1 of 1 and a 1 of 2 and 1 of 3 because 2 of 4 would imply the two of these guys could do it right but it has to be this plus one of the other three right so subtle nuances there right now also you start to realize the this stuff needs some debugging right you really have to very carefully think about all of the scenarios and how many keys come into play and when they come into play and what combinations exist and what these people might do to collude with each other this isn't even a Turing complete language it's only 12 lines and you could fit an entire dao mess right about here oops what do you mean a run away with all the money well you see if this happens before this we're even within people and scripts even though it's true and complete even though it's a very very simple stack based language you could introduce quite a bit of complexity there if you see some of the Lightning Network scripts and you think about all of the game theoretical aspects of who can work who can operate on which timeframes and what can they do it gets rather complicated to think about homeless scenarios so there's some subtleties there all right who wants to try and tell me what you have to put on the stack as the unlocking script in order to get to a two of three we have two nested ifs and to ifs nested anybody who hasn't tried so far come on yes two signatures and two trees very good so two signatures followed by two trees what first true if we go here secondly if we go here right then this gets put on the stack everything from the else to the end if goes away then this gets put on the stack then it gets evaluated with the two signatures boom boom doctor yes all right great so we we got here and here was true true how do we get here true-false no reverse polish notation false true right you have to put the thing that's going to be executed first last in your life so unlocking script would be I say that correct yes false true false gets pushed on the stack sure gets pushed on the stack true execute false execute you go in here you forget the signature and of course the the two signatures that are required to do that so signature signature false true yes etc okay final question of the day what the hell is that drawn yes op check multi-sig has a bhagat pops an extra parameter before the first signature you also need to put an OP 0 in fact BIP 1 I want to say 1:45 my camera about the top of my head actually restricts what that one thing that can be popped is down to a null Tommy value called the null down no Dom means if it requires that the value that gets popped by check multi-sig is a zero and the reason is to remove malleability because at the moment that pops whatever is there so if you create a script that has 0 and I change it to script that has 1 even though I don't have any of the keys it still works because it will accept any value there so if I think it's bit 1:45 narrows that down to only zero accepted to overcome that pop esoteric but very useful yes there's a chapter in the book home wide bugs in Bitcoin become consensus rules forever and the final thing is the drop anybody care to comment on why that drop is there yes bingo every other form of verifying leaves nothing behind the stack check sequence verify and check lock time verify leave this value on the stack why because you might want to do more with it for example let's say after this we wanted to do plus another five days check sequence verify so we could do five days or add objects infants verify so it takes the value that was left on the stack adds five to it or five days or whatever equivalent in seconds once all pad pops the two values moshus them together what's the sum and that's what check sequence verify so you can do arithmetic with this later right one of the exceptions to the verifier rule now that's all good yeah we've got a value that's going to stay on the stack but what if the very next thing is going to leave us some junk on the stack we don't want that junk passing on to the next thing so we drop it so you'll very often see after a checkbox I verified then check sequence verify you'll see a drop occur immediately after and that's just to clean up the junk that's left over you never get to the drop unless the time is right questions check checks if that's verifying is a command that was added by the m60 age which is a relative long time yes verify only exists as specific uploads you can't just slap the word verify onto something it is a specific opcode whose name also includes verify it's not a compound operator it's a single operator check sequence verify and it doesn't exist in the other form yes yes what happens after 29 days what happens after 29 days you said that do we do the transaction maybe well so if the partners don't want to ever open the door to a pub key to be able to collude with one of the partners they better spend this within the 30-day window and creates a new you tip so whose time starts again so they have to keep it's a Deadman switch right you have to restore reset the clock before it runs out otherwise the Deadman switch false gets activated by the understand what a Deadman switches yeah [Music] you

You May Also Like