segregated witness – generating a zprv from a base58 rootKey with bitcoinjs-lib

var bitcoin = require('bitcoinjs-lib');
let bip32 = require('bip32');

let rootKey = 'xprv9s21ZrQH143K32CfqoCQHtbKiEb5BqFazXX6jCtNCnuty3gUjxS4CsXWi9rcNyHdjDVPiC6P1bnyEZr2ioouRq56h6HAdwejeTty1BsSEtL'
const node = bip32.fromBase58(rootKey, bitcoin.networks.bitcoin);

//legacy account extended private key
console.log("LEGACY: " + node.derivePath("m/44'/0'/0").toBase58())
(works as expected)

//segwit account extended private key
//trying to get a segwit extended private key (zprv) using the same inputs as above.

I want to get a segwit/bech32 extended private key using the same root key as above. How can I do this using bitcoinjs-lib? BIP84 only works for mnemonics IIRC.

segregated witness – Why are P2WSH addresses larger than P2SH addresses?

Because P2SH addresses are too short to provide typically desirable levels of security security level we expect from Bitcoin, against certain attacks. On top of that, they use bech32 encoding rather than base58, which means they’re slightly longer for the same amount of data, but are case insensitive instead.

For any kind of “multi party” address (that is, an address constructed by multiple distinct and distrusting participants that each have their own key, such as multisig), a particular collision attack exists that has runtime O(2bits/2), where bits is the number of bits of entropy in the address.

P2PKH, P2WPKH, and P2SH addresses have 160-bit hashes in their addresses. For P2PKH and P2WPKH this is fine, as it only supports single-party construction. However, as P2SH supports multisig and other multi-party constructions, it means an ~280 attack is possible(*). Bitcoin typically has a 2128 security target for attacks, so this is insufficient. That doesn’t mean such a collision attack is practical – it’s just far weaker than what the rest of the system provides, and as computing performance increases it may become feasible for well-funded parties.

To address this, P2WSH introduced a multi-party-capable address that contains a 256-bit hash, so it has ~2128 collision security.

In the upcoming Taproot upgrade, a new P2TR address type is introduced. It has the same length as P2WSH addresses, and also contains ~256 bits of entropy. Due to the nature of Taproot, which merges P2PKH and P2SH style spending into one, this means even single-party addresses are 256 bits in it.

For details of the attack, see

(*) There are ways to avoid the collision attack problem, even with short hashes. They significantly complicate address construction and spending however. So the choice to provide a 256-bit script hash mechanism is really just to make sure multi-party address construction isn’t needlessly complicated.

How is the witness reserved value set in a coinbase transaction?

In a coinbase transaction the second transaction output seems always to be a 32-byte witness reserved value. Is there any constraint on this value?

segregated witness – How hard is it for an exchange to adopt native segwit? Is it not as simple as updating the address regex checker on the front-end?

Stack Exchange Network

Stack Exchange network consists of 176 Q&A communities including Stack Overflow, the largest, most trusted online community for developers to learn, share their knowledge, and build their careers.

Visit Stack Exchange

segregated witness – createPaymentTransactionNew with Bech32 address

How to properly call createPaymentTransactionNew using @ledgerhq/hw-app-bt to spend utxos from a bech32 transaction?

This is the code I’m using to call it, having previously defined inputs and purpose, coinPath, accountNumber:

tx = await appBtc.createPaymentTransactionNew({
                    inputs: inputs,
                    associatedKeysets: `${purpose}'/${coinPath}'/${accountNumber}'/0/0`,
                    outputScriptHex: outputScriptHex,
                    additionals: ("bech32")

segregated witness – How do I convert a private key in hex to a Segwit private key expected by Electrum?

I’ve been following this code to generate SegWit addresses with python. However, I’m confused because this script doesn’t output the private key in a usable way for Electrum.

I found this site which told me how to convert the key to a compressed WIF.

Here’s one example, I ran the script and got this output:

Private key: ce534f3d1f481f8736c30d866a6b2c5defe5edc36afaafc0e923586791a2462b
Verifiction key: e5ee63efe153ebf1ec537831f2fba227f4b5f80275e750a9d0a8284c9fb4f91fb5427e034ffec25bacc346263f0f6281f951926f924f7c53f771f632ca9e3cbb
Compressed public key: 03e5ee63efe153ebf1ec537831f2fba227f4b5f80275e750a9d0a8284c9fb4f91f
keyhash: 17f022e2c24238760a0a1b070eaa456df4e8b915
Native address: bc1qzlcz9ckzggu8vzs2rvrsa2j9dh6w3wg4atezy6
P2WPKH_V0: 001417f022e2c24238760a0a1b070eaa456df4e8b915
Hashed P2WPKH_VO: b9502db522524782980563a09355fa7052ee7ff1
P2SH_P2WPKH_V0: a9b9502db522524782980563a09355fa7052ee7ff187
Checksum: 7fcb7c1d
Binary address: 05b9502db522524782980563a09355fa7052ee7ff17fcb7c1d
Nested address: 3JarywCp1dbFiykdGNWyo5pdZyvSLEGZ96

I then added my own additional code to convert to WIF.

WIF: 5KP9tSHuzYd1WTCTwr5ewace9eNM8Kv8xjsWYyELHdEkKcQkiUZ
Compressed WIF: L48nE2detzZwEzdbw5dYTuNJy9wDqLVY92DwS7Br8NwgD6S8NiyT

I imported the compressed WIF key into Electrum, but I get 13BaDNdBXkfrGkvJT41HNosBBbbLZRWyZJ as a public key. Everything online confirms that only legacy addresses begin with a ‘1’, but surely it is a SegWit address, no?.

When I view ‘details’, Electrum gives me the correct compressed public key (03e5ee63efe153ebf1ec537831f2fba227f4b5f80275e750a9d0a8284c9fb4f91f).

Why doesn’t Electrum give me a bech32 address or a nested address? Have I done the correct conversion of the private key?

Here’s my code just in case there’s an obvious mistake somehow.

fullkey = '80' + (private_key.hex())
sha256a = hashlib.sha256(binascii.unhexlify(fullkey)).hexdigest()
sha256b = hashlib.sha256(binascii.unhexlify(sha256a)).hexdigest()
WIF = base58.b58encode(binascii.unhexlify(fullkey+sha256b(:8)))

compressedPubKey = private_key.hex()+'01'
compressed_fullkey = '80' + (compressedPubKey)
compressed_sha256a = hashlib.sha256(binascii.unhexlify(compressed_fullkey)).hexdigest()
compressed_sha256b = hashlib.sha256(binascii.unhexlify(compressed_sha256a)).hexdigest()
compressed_WIF = base58.b58encode(binascii.unhexlify(compressed_fullkey+compressed_sha256b(:8)))

segregated witness – Were anyone-can-spend transactions valid before SegWit?

Non-segwit nodes (legacy nodes) see segwit transactions as anyone-can-spend (ACS) transactions. It is clear that such a nodes can (and do) validate blocks containing ACS transactions, because the scripts they run are compatible with the original rules of Bitcoin (this is why SegWit is considered a soft fork). However, I see around the statement that a miner running a non-segwit node cannot include a ACS transaction in his own mining block, because, if he had managed to mine that block, segwits nodes would reject it because digital signatures were missing, resulting in an orphaned block.

Is it correct what I’m saying? If yes, let me consider the following scenario BEFORE the creation and implementation of SegWit on Bitcoin:

Before the creation and implementation of SegWit, when all running nodes were non-segwit, if a miner had included an ACS transaction in his own block and he had managed to mine it, would such a block be accepted by others nodes? I don’t see the reason why such a block could be forbidden. From the point of view of the other nodes (which are all non-segwit), they see this new block a one containing ACS transactions, and like any other block nowadays, they should validate it.

What I’m trying to say is that, in the previous version of Bitcoin (before SegWit), there was nothing to “prohibit” a miner from spending/stealing someone else’s funds. If the answer is that before SegWit nodes would never accept blocks containing ACS transactions, this means that SegWit is in fact a hard fork, because nowadays they do accept them.

Hence, I see the following three “scenarios”

  1. Before SegWit implementation, miners could include ACS transactions in their blocks and all the other nodes should validate them. The fact that it never happened is because all miners were “honest”.
  2. Before SegWit, nodes did not validate blocks containing ACS transactions. But they do validate them now. This results in a HARD fork.
  3. There is something that I’m missing or I’m misunderstanding.

I hope the answer is number 3. I’ll appreciate if somebody could help me.

How New Bitcoin Addresses not using Signature ? Only witness or Very Short Signature?

I have Noticed Something strange to me
Newly Used Bitcoin Addresses show repeated very short Signatures
and Multiple Witness ??
and Some not even any signature for the transaction ?
what is happening actually ?

example :

segregated witness – How are segwit block transactions verified?

This is not correct.

All segwit blocks do differently is having the witnesses (which include the signature) in a separately-hashed area. They’re still an integral part of the block, and full validation cannot proceed without the witness data. Removing or altering the witness data will invalidate a block.

What this does permit is stripping the witness data without affecting validity according to pre-segwit validation rules. This is the basis for using segwit as a blocksize increase (the old 1 MB block size limit thus only applies to the non-witness part, as old nodes don’t see the witness data). However, nodes that implement the segwit rules need the full witness.

segregated witness – What is the new segwit network option on binance and how does it work?

Stack Exchange Network

Stack Exchange network consists of 176 Q&A communities including Stack Overflow, the largest, most trusted online community for developers to learn, share their knowledge, and build their careers.

Visit Stack Exchange