bitcoincore development – Verification of a digital signature that a transaction goes to an X value output in a script

but in bitcoin, the message is usually a hash of the previous transaction and the & # 39; to & # 39; pubkey-hash and / or transaction? Unless I miss something, the SIGHASH_SINGLE parameter only specifically reports the inputs and outputs of the new transaction. So, if you could create this entry and exit and sign it in an OP_CODE with a private key, you could verify that an output was directed to a given person in a bitcoin script sig. Of course, the private key containing UTXO would be unusable except for returning BTC to the user, or maybe another public key could be used to spend the UTXO.

This is an error. The transaction signature works by:

for each entry i in entries:
Start with a transaction skeleton that matches the transaction for non-input / output fields like the tx version
Add the entry i
Add other inputs and outputs according to the sighash flag
Chop this update tx skeleton
Sign the hash

SIGHASH indicators simplify the specification of inputs and outputs covered by the signature. For SIGHASH_ALL, the set of inputs and outputs is signed. For SIGHASH_SINGLE, only the output corresponding to the index of the entry is signed (for the first entry of a tx, the first output will be signed). You also have additional options, such as ANYONE_CAN_PAY, that allow you to add additional entries later, by signing only your entry (for use with coins).

Using SIGHASH_ALL | SIGHASH_ANYONECANPAY or SIGHASH_SINGLE | SIGHASH_ANYONECANPAY If you already control an output, you can specify options such as:

If this output is used as input, at least X BTC must be sent to {this | this} new release (s).

However, this restriction applies only if the final transaction uses this specific signed entry – nothing prevents you from creating another signed shipment that spends that same output to another destination and delivers it first.

Your example fails because in the signature, you have no information about the output. The signed data are those of a skeleton of tx increased as a whole. You can not use Bitcoin Script to inspect a subset of this data and validate the signature.

To take another example, suppose we build a bitcoin script equivalent to:

Accept a signature and a public key
Verify that the signature is on the data (entry, hash160 (public key)
Verify that the signature is made with the same key that unlocks the current entry

This would seem to imply that we can sign the destination public key using the same private key as the one that has the entry, and then have a script that validates the tx signature and signature on the public key that we purport to send.

However, in this case, nothing prevents you from providing the script with a valid signature and a destination public key, but to specify a completely different output in the actual message. Indeed, the Bitcoin script program has no way of reading and checking where the tx output (s) actually go.