From f0784c6e922724c674550ee8aa4bfc72d6d32a8a Mon Sep 17 00:00:00 2001 From: Karl-Johan Alm Date: Tue, 6 Aug 2019 17:09:25 +0900 Subject: BIP322: added background to explain why BIP322 exists, and what it changes --- bip-0322.mediawiki | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'bip-0322.mediawiki') diff --git a/bip-0322.mediawiki b/bip-0322.mediawiki index 9448945..a4973d8 100644 --- a/bip-0322.mediawiki +++ b/bip-0322.mediawiki 
@@ -15,6 +15,17 @@ A standard for interoperable generic signed messages based on the Bitcoin Script format. +== Background == + +* Assume two actors, a prover P and a verifier V. +* P wants to prove that they own the private key k associated with a given address A (which in turn is derived from the pubkey kG). +* Let V generate a message M and hand this to P. +* P generates a signature S by signing the message M using k. Given S, V can prove that P has the private key associated with A. + +The astute reader will notice that the above is missing a critical part, namely the pubkey kG, without which the verifier cannot actually verify the message. The current message signing standard solves this via a cryptographic trick, wherein the signature S above is a special "recoverable signature" type. Given the message M and the signature S, it is then possible to recover the pubkey kG. The system thus derives the address for the pubkey kG, and if it does not match A, the proof is deemed invalid. + +While this is a neat trick, it unnecessarily restricts and complicates the message signing mechanism; for instance, it is currently not possible to sign a message for a P2SH address, because there is no pubkey to recover from the resulting signature. + == Motivation == The current message signing standard only works for P2PKH (1...) addresses. By extending it to use a Bitcoin Script based approach, it could be made more generic without causing a too big burden on implementers, who most likely have access to Bitcoin Script interpreters already. -- cgit v1.2.3
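Review bot: In the fourth bullet of the new Background section, "Given S, V can prove that P has the private key associated with A" reverses the roles set up in the first bullet; V is the verifier, so this should read "Given S, V can verify that P has the private key associated with A". The same paragraph says the pubkey is needed so the verifier can "verify the message"; what is verified is the signature S over M, so "verify the signature" is more precise. Separately, the commit subject promises to explain what BIP322 changes, but the added text only describes the existing recoverable-signature trick and why it fails for P2SH; a closing sentence stating that the proposal instead supplies the spending conditions via Bitcoin Script (which the following Motivation paragraph alludes to) would make the Background complete on its own. Finally, since the scheme relies on V choosing M, it is worth stating that M must be fresh and unpredictable to P, otherwise an old signature could be presented as a current proof of possession.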