From dbb81b36525aabf4ae5d0ad015b4865494aed33e Mon Sep 17 00:00:00 2001 From: Andrew Poelstra Date: Wed, 23 Dec 2020 15:42:41 +0000 Subject: bip-0322: move "legacy" section up, separate "proof of funds", summarize the signature types --- bip-0322.mediawiki | 42 +++++++++++++++++++++++++++++++++--------- 1 file changed, 33 insertions(+), 9 deletions(-) (limited to 'bip-0322.mediawiki') diff --git a/bip-0322.mediawiki b/bip-0322.mediawiki index f13544f..065eb7b 100644 --- a/bip-0322.mediawiki +++ b/bip-0322.mediawiki @@ -23,11 +23,31 @@ Additionally, the current message signature format uses ECDSA signatures which d Ultimately no message signing protocol can actually prove control of funds, both because a signature is obsolete as soon as it is created, and because the possessor of a secret key may be willing to sign messages on others' behalf even if it would not sign actual transactions. No signmessage protocol can fix these limitations. -== Specification == +== Types of Signatures == -This BIP follows the specification of BIP-325 challenges and solutions (see Signet comparison below). +This BIP specifies three formats for signing messages: ''legacy'', ''simple'' and ''full''. Additionally, a variant of the ''full'' format can be used to demonstrate control over a set of UTXOs. -Let there be two virtual transactions to_spend and to_sign. +=== Legacy === + +New proofs should use the new format for all invoice address formats, including P2PKH. + +The legacy format MAY be used, but must be restricted to the legacy P2PKH invoice address format. + +=== Simple === + +A ''simple'' signature consists of a witness stack, consensus encoded as a vector of vectors of bytes, and base64-encoded. Validators should construct to_spend and to_sign as defined below, with default values for all fields except that + +* message_hash is a BIP340-tagged hash of the message, as specified below +* message_challenge in to_spend is set to the scriptPubKey being signed with +* message_signature in to_sign is set to the provided simple signature. + +and then proceed as they would for a full signature. + +=== Full === + +Full signatures follow an analogous specification to the BIP-325 challenges and solutions used by Signet. + +Let there be two virtual transactions to_spend and to_sign. The "to_spend" transaction is: @@ -63,6 +83,16 @@ When a proof of funds is being created, additional inputs should be included for Proofs of funds are the base64-encoding of the to_spend and to_sign transactions concatenated in standard network serialisation, and proofs without additional inputs or time locks (simple proofs) are the base64-encoding of the to_sign script witness. +=== Full (Proof of Funds) === + +A signer may construct a proof of funds, demonstrating control of a set of UTXOs, by constructing a full signature as above, with the following modifications. + +* message_challenge is unused and shall be set to OP_TRUE +* Similarly, message_signature is then empty. +* All outputs that the signer wishes to demonstrate control of are included as additional inputs of to_sign, and their witness and scriptSig data should be set as though these outputs were actually being spent. + +Unlike an ordinary signature, validators of a proof of funds need access to the current UTXO set, to learn that the claimed inputs exist on the blockchain, and to learn their scriptPubKeys. + A validator must verify it is valid and meets the description of virtual transactions as specified above. See "Validation" below. === Validation === @@ -83,12 +113,6 @@ To validate a proof of funds, the following steps must be taken: # for each proof of fund input, set the corresponding values in the coins map; abort if the input cannot be found # check the signature of each input using consensus rules, then upgradable rules -== Legacy format == - -New proofs should use the new format for all invoice address formats, including P2PKH. - -The legacy format MAY be used, but must be restricted to the legacy P2PKH invoice address format. - === Signing === Given the P2PKH invoice address a and the message m, and the pubkey-hash function pkh(P) = ripemd160(sha256(P)): -- cgit v1.2.3