
We know that a P2PKH script looks as follows:

scriptPubKey: OP_DUP OP_HASH160 <PubKeyHash> OP_EQUALVERIFY OP_CHECKSIG
scriptSig: <Signature> <PubKey>

Since full nodes are maintaining UTXO sets, wouldn't it save space to omit the OP_DUP and have the user provide their public key twice instead, like so? And would that create any sort of security issues?

scriptPubKey: OP_HASH160 <PubKeyHash> OP_EQUALVERIFY OP_CHECKSIG
scriptSig: <Signature> <PubKey> <PubKey>

1 Answer


Unfortunately, that would not be secure. Imagine an output with scriptPubkey OP_HASH160 <hash(P1)> OP_EQUALVERIFY OP_CHECKSIG. Now anyone can spend such an output by generating their own key P2, and spending with scriptSig <sig with P2> <P2> <P1>.

Pieter Wuille
  • But the attacker doesn't know `P1`. So that would require the attacker to compute the pubkey `P1` from `hash(P1)`. Isn't that (practically) impossible since the hash function is preimage-resistant? – csstudent1418 Aug 01 '21 at 21:44
  • The attacker does know if they are a miner. They can look at a legitimate transaction and substitute their own key. You cannot assume that anything except the private key is private. – Pieter Wuille Aug 01 '21 at 21:54
  • Follow-up question moved to https://bitcoin.stackexchange.com/questions/116509/a-question-about-the-role-of-op-dup-in-the-p2pkh-transaction-specification-an – Poseidon Dec 26 '22 at 15:52
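As an added illustration (not from the original post, and not Bitcoin's own code), the following Python models both scripts in a toy stack evaluator and runs the substitution described in the answer against each. Two stand-ins are assumed so it runs with only the standard library: a Lamport one-time signature in place of ECDSA/Schnorr, and a truncated double SHA-256 in place of RIPEMD160(SHA256(x)) for OP_HASH160. The semantics of the four opcodes follow Bitcoin Script; everything else (key names, the "transaction" message) is constructed.

```python
"""Toy Bitcoin-Script evaluator: why P2PKH needs OP_DUP (constructed example)."""
import hashlib
import secrets

# --- toy signature scheme: Lamport one-time signatures over SHA-256 ---
# Chosen because it is genuinely asymmetric (verification needs only the
# public key) and needs nothing beyond hashlib. Each key signs exactly once
# here, which is the scheme's one-time requirement.

def keygen():
    priv = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pub = b"".join(hashlib.sha256(a).digest() + hashlib.sha256(b).digest() for a, b in priv)
    return priv, pub

def sign(priv, msg):
    digest = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return b"".join(priv[i][(digest >> i) & 1] for i in range(256))

def verify(pub, sig, msg):
    if len(pub) != 256 * 64 or len(sig) != 256 * 32:
        return False
    digest = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    for i in range(256):
        bit = (digest >> i) & 1
        expected = pub[i * 64 + bit * 32: i * 64 + bit * 32 + 32]
        if hashlib.sha256(sig[i * 32:(i + 1) * 32]).digest() != expected:
            return False
    return True

def hash160(data):
    # Stand-in for Bitcoin's RIPEMD160(SHA256(x)); ripemd160 is not always
    # present in hashlib, so a 20-byte truncated double SHA-256 is used.
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()[:20]

# --- minimal interpreter for the four opcodes in the question ---

def run_script(script_sig, script_pubkey, msg):
    """Run scriptSig then scriptPubKey on one stack; True iff the spend is valid."""
    stack = []
    try:
        for item in script_sig + script_pubkey:
            if isinstance(item, bytes):          # data push
                stack.append(item)
            elif item == "OP_DUP":
                stack.append(stack[-1])
            elif item == "OP_HASH160":
                stack.append(hash160(stack.pop()))
            elif item == "OP_EQUALVERIFY":
                if stack.pop() != stack.pop():
                    return False
            elif item == "OP_CHECKSIG":
                pub, sig = stack.pop(), stack.pop()
                stack.append(verify(pub, sig, msg))
            else:
                raise ValueError(f"unknown opcode {item!r}")
    except IndexError:                           # stack underflow
        return False
    return bool(stack) and stack[-1] is True

def p2pkh_outputs(pub):
    """The standard P2PKH scriptPubKey and the OP_DUP-less variant from the question."""
    standard = ["OP_DUP", "OP_HASH160", hash160(pub), "OP_EQUALVERIFY", "OP_CHECKSIG"]
    proposed = ["OP_HASH160", hash160(pub), "OP_EQUALVERIFY", "OP_CHECKSIG"]
    return standard, proposed

def demo():
    msg = b"constructed spending transaction"   # stands in for the sighash
    priv1, p1 = keygen()                         # rightful owner, committed as hash(P1)
    priv2, p2 = keygen()                         # some other party's key
    standard, proposed = p2pkh_outputs(p1)
    return {
        # owner spends normally under each script
        "standard_owner": run_script([sign(priv1, msg), p1], standard, msg),
        "proposed_owner": run_script([sign(priv1, msg), p1, p1], proposed, msg),
        # another party supplies their own key/signature; standard script fails
        # at OP_EQUALVERIFY because hash(P2) != hash(P1) ...
        "standard_substituted": run_script([sign(priv2, msg), p2], standard, msg),
        # ... but the OP_DUP-less script lets P1 satisfy the hash check while
        # P2 satisfies OP_CHECKSIG, exactly the case in the answer
        "proposed_substituted": run_script([sign(priv2, msg), p2, p1], proposed, msg),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:22s} -> {'valid' if ok else 'rejected'}")
```

The decisive difference is that OP_DUP forces the single pushed key to serve both as the value hashed against the commitment and as the key OP_CHECKSIG verifies against; with two separate pushes nothing ties the two roles together.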