BIP 143 (SegWit Transaction Signature Verification)

BIP-143 specifies how signatures are computed and verified for SegWit version 0 outputs - the P2WPKH and P2WSH script types introduced by SegWit (BIP-141). Activated as part of the SegWit soft fork in August 2017.

Three changes from legacy ECDSA signature verification, each of which mattered:

• Signature data moves into the witness. In legacy P2PKH spends, the signature and pubkey live in the scriptSig. In SegWit v0, they live in a separate witness field that is structurally outside the transaction body. This is the change that fixes transaction malleability at scale: third parties can no longer tweak the signature encoding to change the transaction id (txid) before confirmation.
• The signed message includes the input amount. Legacy ECDSA verification did not commit to how many satoshis the spent output held. A hardware wallet signing a transaction had to trust the host software's claim about the input amount, opening a fee-overpayment attack where a malicious host could trick a signer into spending more than expected. BIP-143 fixes this by including the input amount in the sighash.
• A different sighash computation pattern. The new pattern avoids the quadratic-time hashing problem that affected very large legacy transactions, where signature verification cost grew with the square of the transaction size.

A consequence worth knowing: the SegWit v0 witness for a P2WPKH spend contains the spender's signature and the spender's public key. Until the first spend, the address is a 160-bit hash of the pubkey; after the first spend, the pubkey is on chain in the witness of that spending transaction. This is the mechanism behind the "reuse-exposed" class of addresses: once spent, the pubkey is permanently visible to anyone reading the chain.

Authored by Johnson Lau and Pieter Wuille. Activated alongside BIP-141 (the SegWit umbrella), BIP-144 (the block relay format for witness data), and BIP-147 (NULLDUMMY soft fork rule).

Spec: BIP-143.