TYVM -> https://stacker.news/items/1278645



beyond_turbulence

Before SegWit, there was a serious scalability issue in Bitcoin called the 

It made signature validation slow, especially for transactions with many inputs, and opened the door to denial-of-service attacks.

In 2015, F2Pool mined a block containing one huge 

Slow validation means fewer people can run full nodes

→ which increases the risk of centralization.

To verify each signature, Bitcoin must hash a 

Input #1 → message #1  
Input #2 → message #2  

2 inputs × 2 messages = 4 hashing operations

n inputs  →  n × n  =  n²  hashing work

A miner could include a single huge multi-input tx that takes seconds/minutes to validate.

Proposed fix: cap tx size to 100 KB.
Rejected because:
❌ Doesn't fix root cause
❌ Just delays the attack
❌ Breaks legitimate large-input transactions (eg batching)

SegWit changed how transactions are serialized and hashed. It reduced sighash cost back to 

bitcoin

# The Quadratic Sighash Problem 

Before SegWit, there was a serious scalability issue in Bitcoin called the **Quadratic Sighash problem**.

It made signature validation slow, especially for transactions with many inputs, and opened the door to denial-of-service attacks.

---

## What Happened?

In 2015, F2Pool mined a block containing one huge [“mega-transaction”](https://mempool.space/tx/bb41a757f405890fb0f5856228e23b715702d714d59bf2b1feb70d8b2b4e3e08) (≈1 MB, 522 inputs). 

It took about **25 seconds** for a full node to validate just *that* transaction.

Slow validation means fewer people can run full nodes  
→ which increases the risk of centralization.

---

## Why Does It Happen?

Imagine a transaction with **2 inputs**.

To verify each signature, Bitcoin must hash a *modified* version of the transaction.

So for 2 inputs, we hash **2 different messages**:

    Input #1 → message #1  
    Input #2 → message #2  

So far, this looks linear:  
2 inputs → 2 messages

---

## The Trick: Each Message Contains *All* Inputs

When signing input *i*:

- include **every input**
- but remove `scriptSig` from all other inputs  
  (so they can't change the message being signed)

That means each input needs its own *version* of the transaction to hash.

So with 2 inputs:

    2 inputs × 2 messages = 4 hashing operations

---

## Scaling Up

Now imagine **3 inputs**:

Each message now contains 3 inputs:

    3 inputs × 3 messages = 9 units of work

In general:

    n inputs  →  n × n  =  n²  hashing work

That’s why it’s called **Quadratic Sighash** -> cost grows as n².

---

### Example Table

| Inputs | Messages | Total Work |
|--------|----------|------------|
| 1 | 1 | 1 |
| 2 | 2 | 4 |
| 3 | 3 | 9 |
| 10 | 10 | 100 |
| 100 | 100 | 10,000 |

---

## Why This Was Dangerous

A miner could include a single huge multi-input tx that takes seconds/minutes to validate.

- Slow full nodes can’t keep up
- They fall behind the chain tip
- They aren’t participating in consensus
- Network centralizes to only fast validators

---

## Why "just limit transaction size" failed

Proposed fix: cap tx size to 100 KB.
Rejected because:
❌ Doesn't fix root cause
❌ Just delays the attack
❌ Breaks legitimate large-input transactions (eg batching)

---

## SegWit Fixed This

SegWit changed how transactions are serialized and hashed. It reduced sighash cost back to **O(n)** (we’ll explain it in the next posts)

Follow [@Bitcoin_Devs](https://stacker.news/bitcoin_devs) for more technical explainers.


The Quadratic Sighash ProblemThe Quadratic Sighash Problem

What Happened?What Happened?

Why Does It Happen?Why Does It Happen?

The Trick: Each Message Contains All InputsThe Trick: Each Message Contains All Inputs

Scaling UpScaling Up

Example TableExample Table

Why This Was DangerousWhy This Was Dangerous

Why "just limit transaction size" failedWhy "just limit transaction size" failed

SegWit Fixed ThisSegWit Fixed This