TECHNICAL_DOC // KEYS / SIGNATURE
SIGNATURE
A Bitcoin signature/">digital signature proves that a transaction was authorized by the holder
of a specific private key, without revealing that key. Signatures are computed over
a sighash — a deterministic digest of the transaction fields being committed.
Bitcoin uses ECDSA (legacy outputs) and Schnorr (Taproot/P2TR) signatures.
SIGNATURE_IN_TRANSACTIONS
WHAT GETS SIGNED — THE SIGHASH
Sighash = deterministic hash of transaction data
ECDSA sighash (P2PKH, P2WPKH, P2SH):
Includes: version, inputs, outputs, locktime
Modified by sighash type flag
Taproot sighash (BIP 341):
Includes: version, locktime, all inputs, all amounts,
all scriptPubKeys, specific input being signed
More data committed → less signature malleability
Sighash types:
SIGHASH_ALL (0x01): sign all inputs and all outputs
SIGHASH_NONE (0x02): sign all inputs, no outputs
SIGHASH_SINGLE (0x03): sign all inputs, one output
SIGHASH_ANYONECANPAY (0x80): modifier — sign only this input
Taproot-only:
SIGHASH_DEFAULT (0x00): = SIGHASH_ALL equivalent
ECDSA SIGNATURE
SCHNORR SIGNATURE
Format: (R.x || s) — 64 bytes fixed
Size: 64 bytes + optional 1 byte sighash
Used in: P2TR (Taproot)
Always in witness stack
Size: 64 bytes + optional 1 byte sighash
Used in: P2TR (Taproot)
Always in witness stack
TERMINOLOGY_INDEX
Sighash
The transaction digest that is signed. Commits to specific tx fields depending on the sighash type.
SIGHASH_ALL
Default sighash type. Signs all inputs and all outputs. Prevents modification of the transaction.
DER Encoding
ASN.1 format for ECDSA (r,s) pairs. 70–73 bytes total. Required by BIP 66 (strict DER).
Low-S Rule
BIP 62 rule: s must be ≤ n/2. Prevents signature malleability by eliminating the high-s variant.
Witness
SegWit field containing signatures for SegWit inputs. Excluded from the TXID hash (malleability fix).
INTERACTIVE — TRY IT YOURSELF
CRYPTOGRAPHY / SIGNATURES
Bitcoin Signatures
A Bitcoin ECDSA signature is encoded in DER format (Distinguished Encoding Rules) and appended with a 1-byte sighash type flag. DER wraps two 32-byte integers r and s in a strict ASN.1 structure. The low-s rule (BIP66) requires
s ≤ n/2 to prevent signature malleability — any valid (r,s) pair has an equivalent (r, n−s) pair, so only the canonical lower form is accepted.
DER SIGNATURE DISSECTOR
PARSE DER-ENCODED SIGNATUREwith sighash byte appended
DER Structure: A DER-encoded ECDSA signature has the layout:
The integers are big-endian. If the high bit of the first byte is set, a
0x30 [total-len] 0x02 [r-len] [r-bytes] 0x02 [s-len] [s-bytes]The integers are big-endian. If the high bit of the first byte is set, a
0x00 padding byte is prepended (ASN.1 positive-integer convention). This means r and s can be 32 or 33 bytes each.
SIGHASH TYPES
The sighash type byte controls which parts of the transaction are signed. Different parts can be omitted to enable specific spending flexibilities:
| BYTE | NAME | WHAT IS SIGNED | USE CASE |
|---|---|---|---|
| 0x01 | SIGHASH_ALL | All inputs + all outputs | Default — most common |
| 0x02 | SIGHASH_NONE | All inputs, no outputs | Anyone can add any output — dangerous! |
| 0x03 | SIGHASH_SINGLE | All inputs + only the output at same index | Co-sign one output; others free |
| 0x81 | SIGHASH_ALL|ANYONECANPAY | Only this input + all outputs | Crowdfunding — others add inputs |
| 0x82 | SIGHASH_NONE|ANYONECANPAY | Only this input, no outputs | Donation: sign input, recipient constructs rest |
| 0x83 | SIGHASH_SINGLE|ANYONECANPAY | Only this input + matching output | Most flexible combination |
BIP341 (Taproot) sighash: Taproot introduces new sighash types including
0x00 (equivalent to SIGHASH_ALL) and SIGHASH_SINGLE/SIGHASH_NONE variants. The hash algorithm also changes — inputs and outputs are hashed separately and committed in a new Schnorr-specific format defined by BIP341.LOW-S ENFORCEMENT
NORMALIZE SIGNATURE TO LOW-S FORM
DER ENCODER
RAW R + S + SIGHASH → DER HEX