SegWit Witness Commitments
SegWit Witness Commitments: Binding Witness Data to the Coinbase Output
When the Segregated Witness (SegWit) upgrade was activated via BIP 141, it moved cryptographic signature vectors (witness data) out of the main transaction structure into a separate, isolated memory space.
To ensure this witness data remains cryptographically secure and cannot be altered or stripped by malicious miners, the protocol binds the Witness Merkle Root to the main blockchain header using a dedicated script commitment inside the Coinbase Transaction's Outputs.
๐ 1. The Dual-Merkle Tree Architecture
With SegWit active, a block validation engine processes two distinct trees:
DUAL-MERKLE TREE ARCHITECTURE
[ Standard Merkle Tree ] [ Witness Merkle Tree ]
โข Houses standard transaction data โข Houses witness signature data
โข Computes standard Merkle Root โข Computes Witness Merkle Root
โข Stored in 80-Byte Block Header โข Bound to Coinbase Output Script
โฒ โ
โ โผ
โ [ Coinbase Output commitment ]
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ (Leaf 0 of standard Merkle Tree)
- Standard Merkle Tree: Computes the standard transaction root stored in the 80-byte block header.
- Witness Merkle Tree: Computes the Witness Merkle Root, binding the witness signature data of all SegWit transactions.
- The Binding Loop: To secure the Witness Tree, its root is committed to an output of the coinbase transaction. Since the coinbase transaction is Leaf 0 of the Standard Merkle Tree, any modification to the Witness Tree will change the coinbase transaction, which alters the standard Merkle Root, invalidating the block header!
๐๏ธ 2. The Output Commitment Script Format
If a block contains at least one SegWit transaction, the coinbase transaction must include a specific output containing the witness commitment.
This commitment output is structured as a standard transaction output containing:
* Value: 0 Satoshis.
* scriptPubKey: A specialized non-standard script beginning with OP_RETURN and carrying a cryptographic hash.
The Byte-Level Layout
The commitment script must be exactly 38 bytes long and map these parameters:
$$\text{scriptPubKey} = \underbrace{\texttt{6A}}{1\text{ byte (OP_RETURN)}} \underbrace{\texttt{24}}{1\text{ byte (Length of push)}} \underbrace{\texttt{AA 21 A9 ED}}{4\text{ bytes (SegWit Magic)}} \underbrace{\text{Witness Commitment Hash}}{32\text{ bytes}}$$
| Size (Bytes) | Field Name | Hex Value | Description |
|---|---|---|---|
1 |
OP_RETURN | 0x6A |
Identifies this as an unspendable data-carrying output. |
1 |
Push Length | 0x24 |
Instructs the parser to read the next 36 bytes of data. |
4 |
SegWit Magic Prefix | 0xAA21A9ED |
Specific signature identifier for SegWit commitments. |
32 |
Witness Commitment | uint256 |
The calculated Witness Commitment Hash. |
๐งฎ 3. Calculating the Witness Commitment Hash
The 32-byte Witness Commitment Hash is calculated by combining the Witness Merkle Root and a special variable called the Witness Reserved Value:
$$\text{Witness Commitment} = \text{SHA256}\Big(\text{SHA256}\big(\text{Witness Merkle Root} \parallel \text{Witness Reserved Value}\big)\Big)$$
- Witness Reserved Value: A 32-byte field located in the coinbase transactionโs witness stack (usually set to all zeroes
0x0000...). - Witness Merkle Root: Built from the witness transaction hashes (wTXIDs) of all transactions in the block.
TeachMeBitcoin is an ad-free, open-source educational repository curated by a passionate team of Bitcoin researchers and educators for public benefit. If you found our articles helpful, please consider supporting our hosting and ongoing content updates with a clean donation: