You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: bip-0322.mediawiki
+14-55Lines changed: 14 additions & 55 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -34,24 +34,8 @@ The current message signing standard only works for P2PKH (1...) addresses. By e
34
34
35
35
A new structure <code>SignatureProof</code> is added, which is a simple serializable scriptSig & witness container.
36
36
37
-
Two actions "Sign" and "Verify" are defined along with one ''purpose'', "SignMessage", with the ability to expand in the future to add a potential "ProveFunds" purpose.
38
-
39
37
=== SignatureProof container ===
40
38
41
-
{|class="wikitable" style="text-align: center;"
42
-
|-
43
-
!Type
44
-
!Length
45
-
!Name
46
-
!Comment
47
-
|-
48
-
|Uint32||4||version||BIP322 version format; must be equal to 1; if > 1, verifier must abort the verification process
49
-
|-
50
-
|Uint8||1||entries||number of proof entries<ref><strong>Why support multiple proofs?</strong> It is non-trivial to check a large number of individual proofs for duplicates. Software could be written to do so, but it seems more efficient to build this check into the specification itself.</ref>
51
-
|}
52
-
53
-
The above is followed by [entries] number of signature entries:
54
-
55
39
{|class="wikitable" style="text-align: center;"
56
40
|-
57
41
!Type
@@ -79,74 +63,51 @@ A verification call will return a result code according to the table below.
79
63
!Code
80
64
!Description
81
65
|-
82
-
|INCOMPLETE||One or several of the given challenges had an empty proof. The prover may need some other entity to complete the proof.
66
+
|INCOMPLETE||Empty proof.
83
67
|-
84
-
|INCONCLUSIVE||One or several of the given proofs was consensus-valid but policy-invalid.
68
+
|INCONCLUSIVE||The given proof was consensus-valid but policy-invalid.
85
69
|-
86
-
|VALID||All proofs were deemed valid.
70
+
|VALID||The proof was valid.
87
71
|-
88
-
|INVALID||One or more of the given proofs were invalid
72
+
|INVALID||The proof was invalid
89
73
|-
90
74
|ERROR||An error was encountered
91
75
|}
92
76
93
77
== Signing and Verifying ==
94
78
95
-
If the challenge consists of a single address and the address is in the P2PKH (legacy) format, sign using the legacy format (further information below). Otherwise continue as stated below.
79
+
If the challenge consists of an address is in the P2PKH (legacy) format, sign using the legacy format (further information below). Otherwise continue as stated below.
96
80
97
-
Let there be an empty set <code>inputs</code> which is populated and tested at each call to one of the actions below.
81
+
For both cases, generate a sighash based on the given scriptPubKey and message as follows:
98
82
99
-
=== Purpose: SignMessage ===
100
-
101
-
The "SignMessage" purpose generates a sighash based on a scriptPubKey and a message. It emits a VALID verification result code unless otherwise stated.
102
-
103
-
# Return INVALID if scriptPubKey already exists in <code>inputs</code> set, otherwise insert it<ref><strong>Why track duplicates?</strong> Because a 3-entry proof is not proving 3 entries unless they are all distinct</ref>
104
83
# Define the message pre-image as the sequence "Bitcoin Signed Message:\n" concatenated with the message, encoded in UTF-8 using Normalization Form Compatibility Decomposition (NFKD)
105
84
# Let sighash = sha256(sha256(scriptPubKey || pre-image))
106
85
107
86
A private key may be used directly to sign a message. In this case, its P2WPKH bech32 address shall be derived, and used as the input.
108
87
109
-
===Action: Sign===
88
+
===Signing===
110
89
111
-
The "Sign" action takes as input a purpose. It returns a signature or fails.
90
+
The signature is generated as follows:
112
91
113
-
# Obtain the sighash and scriptPubKey from the purpose; FAIL if not VALID
114
92
# Derive the private key privkey for the scriptPubKey; FAIL if not VALID
115
93
# Generate and return a signature sig with privkey=privkey, sighash=sighash
116
94
117
-
The resulting signature proof should be encoded using base64 encoding.
118
-
119
-
=== Action: Verify ===
95
+
=== Verifying ===
120
96
121
-
The "Verify" action takes as input a standard flags value, a script sig, an optional witness, and a purpose.
122
-
It emits one of INCONCLUSIVE, VALID, INVALID, or ERROR.
97
+
Verify a proof, given a standard flags value, a script sig, an optional witness, and a derived sighash as described above.
123
98
124
99
While omitted below, ERROR is returned if an unforeseen error occurs at any point in the process. A concrete example of this is if a legacy proof is given as input to a non-legacy address; the deserialization of the proof will fail in this case, and this should result in an ERROR result.
125
100
126
-
# Obtain the sighash and scriptPubKey from the purpose; pass on result code if not VALID
127
101
# Verify Script with flags=consensus flags (currently P2SH, DERSIG, NULLDUMMY, CLTV, CSV, WITNESS), scriptSig=script sig, scriptPubKey=scriptPubKey, witness=witness, and sighash=sighash
128
102
# Return INVALID if verification fails
129
103
# Verify Script with flags=standard flags (above plus STRICTENC, MINIMALDATA, etc.), scriptSig=script sig, scriptPubKey=scriptPubKey, witness=witness, and sighash=sighash
130
104
# Return VALID if verification succeeds, otherwise return INCONCLUSIVE
131
105
132
-
=== Multiple Proofs ===
133
-
134
-
When more than one proof is created or verified, repeat the operation for each proof, retaining the inputs set. As noted, if the same input appears more than once, the operation must fail accordingly.
135
-
136
-
Note that the order of the entries in the proof must match the order of the entries given by the verifier.
137
-
138
-
* If any of the proofs are empty during a verification process, skip the verification and set the INCOMPLETE flag
139
-
* If a verification call returns ERROR or INVALID, return ERROR or INVALID immediately, ignoring as yet unverified entries
140
-
* After all verifications complete,
141
-
** return INCONCLUSIVE if any verification call returned INCONCLUSIVE
142
-
** return INCOMPLETE if the INCOMPLETE flag is set
143
-
** return VALID
144
-
145
106
== Legacy format ==
146
107
147
-
The legacy format is restricted to the legacy P2PKH address format, and restricted to one single challenge (address).
108
+
The legacy format is restricted to the legacy P2PKH address format.
148
109
149
-
Any other input (e.g. multiple addresses, or non-P2PKH address format(s)) must be signed using the new format described above.
110
+
Any other input (i.e. non-P2PKH address format) must be signed using the new format described above.
150
111
151
112
=== Signing ===
152
113
@@ -174,10 +135,6 @@ Given the P2PKH address <code>a</code>, the message <code>m</code>, the compact
174
135
175
136
This specification is backwards compatible with the legacy signmessage/verifymessage specification through the special case as described above.
176
137
177
-
== Rationale ==
178
-
179
-
<references/>
180
-
181
138
== Reference implementation ==
182
139
183
140
# Pull request to Bitcoin Core: https://github.com/bitcoin/bitcoin/pull/16440
@@ -228,6 +185,8 @@ All of the above, plus (subject to change):
228
185
229
186
== Test vectors ==
230
187
188
+
(TODO: update test vectors, which are based on previous iteration where signature proofs contained additional data)
0 commit comments