summaryrefslogtreecommitdiff
path: root/ec/2a97008cae6ad98e0d13963e4d648a0d2e7584
blob: b081cd90e1d3e043ed908390279741a1aaec5098 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
Return-Path: <karljohan-alm@garage.co.jp>
Received: from hemlock.osuosl.org (smtp2.osuosl.org [140.211.166.133])
 by lists.linuxfoundation.org (Postfix) with ESMTP id 73E7CC1787
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Mon, 21 Dec 2020 05:45:28 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by hemlock.osuosl.org (Postfix) with ESMTP id 5B02387C99
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Mon, 21 Dec 2020 05:45:28 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
Received: from hemlock.osuosl.org ([127.0.0.1])
 by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id Bq1dlgP6wlFF
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Mon, 21 Dec 2020 05:45:26 +0000 (UTC)
X-Greylist: delayed 00:07:21 by SQLgrey-1.7.6
Received: from mta65.mta.hdems.com (mta65.mta.hdems.com [3.112.23.32])
 by hemlock.osuosl.org (Postfix) with ESMTPS id 1629787C96
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Mon, 21 Dec 2020 05:45:26 +0000 (UTC)
Received: from mo.hdems.com (unknown [10.5.84.207])
 by mta65.mta.hdems.com ('HDEMS') with ESMTPSA id 4CzpCb0Llxzlfbkk
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Mon, 21 Dec 2020 05:38:03 +0000 (UTC)
X-HDEMS-MO-TENANT: garage.co.jp
Received: from mail-lf1-f69.google.com (mail-lf1-f69.google.com.
 [209.85.167.69]) by gwsmtp.prod.mo.hdems.com with ESMTPS id
 gwsmtpd-trans-835a9263-d61c-4ffd-8430-11da7697cd2d
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Mon, 21 Dec 2020 05:37:57 +0000
Received: by mail-lf1-f69.google.com with SMTP id m20so8559254lfl.20
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Sun, 20 Dec 2020 21:37:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=garage.co.jp; s=google;
 h=mime-version:references:in-reply-to:from:date:message-id:subject:to
 :content-transfer-encoding;
 bh=l5gCbUqvcSgYSr5DdT/X5faNXIXc7lPIs1Gqp5NooIo=;
 b=KoTvNCHFlLm7GARx3e0hJeGkSMKKbJBLURJ4Hk9TebniJRoYt0CTA1ErySHjkZhgcg
 0UO1f706Z+UxIcCCujRqxw7vHoT1GXa4lcNucPc+81dX8jBl8aiMZXMT/ji2Ok+QnI40
 ocqpGV2TJumQzWZAE+FLksISUAW3IdSRviXb8=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:references:in-reply-to:from:date
 :message-id:subject:to:content-transfer-encoding;
 bh=l5gCbUqvcSgYSr5DdT/X5faNXIXc7lPIs1Gqp5NooIo=;
 b=iZx0J9P3lPQHRGXxvDqfFFdO3HsMMNF5QxIoGKs/d484hgLbtzVu0NXHGfVIBF29QK
 qHsNcZRxmq7AwapNpjCWZaHXjclYgyZ9Ym1wvqsfSlaKoDt8dlcTdX+yyrrdjcD53yFf
 aav+XR2IYpsLXZBAEIq2VocJuw6iRamaz83Gdv1GuKGRj8pR+KmnWh/ecIz24sDdZABi
 vOQIJkQk0/jNh3XdYF9165UGajfNjZmPYYioJQlqk/gNM7x/hg2aVmcorDaNNa5pe6ca
 +egzVUOQ4wAK9VBNiM/31gxeb1skWILaXhGImLqx9+fCN7hqlN1LosPKddtWlM6XzAKw
 HMCQ==
X-Gm-Message-State: AOAM530i+w5SUMrwaIC+P1vAtU52ssnu6e/iG7gb7FVCSG3EGsjdSFSu
 CE7lS+lxjaGYjG+mP4v7LWBp6S5K1edTbv+6X0gCSQ2mt2uCuNH+T85FBbAZfr8MlaCW3lNQD2x
 EHhQ4XwoVjPe4YsU4Ryjykmdi5tE0xFg3tq+SwVUykPgNohcdl7SBnH8aSYu03EW4C72YX7fRlo
 0o/TtDHhK60kAziLczQeq3WaNBSUvG5Y20ocUVLDow4wzDbH/R8pN/9e0IrXAB/c65w/P+YO4H/
 zviWNwtR7oDK1xfkUBN2fZaCGabvmIq/Z+rhMRsBMCJTIAO2pDxd00Sjjx88SCZP9opjpUr46a4
 PixdGnesTC3e7fx9x/rl+xf5SRef
X-Received: by 2002:a2e:7e05:: with SMTP id z5mr6924723ljc.353.1608529074654; 
 Sun, 20 Dec 2020 21:37:54 -0800 (PST)
X-Google-Smtp-Source: ABdhPJxon795iHAn/FirStw0G0XaN9hc5zVUjiRFFpzVe3o7g/yULbYddiMoodvkwXjp+RJUkB6mDg3kD8+wy4OGsyE=
X-Received: by 2002:a2e:7e05:: with SMTP id z5mr6924705ljc.353.1608529074120; 
 Sun, 20 Dec 2020 21:37:54 -0800 (PST)
MIME-Version: 1.0
References: <20201218152720.GW106279@boulet>
In-Reply-To: <20201218152720.GW106279@boulet>
From: Karl-Johan Alm <karljohan-alm@garage.co.jp>
Date: Mon, 21 Dec 2020 14:37:38 +0900
Message-ID: <CALJw2w4bFp8qcxNzz7hn_ZeGG8WWTPu-mRv6A4cPt66EHimyeg@mail.gmail.com>
To: Andrew Poelstra <apoelstra@wpsoftware.net>, 
 Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Subject: Re: [bitcoin-dev] BIP-0322 (generic signmessage) improvements
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Dec 2020 05:45:28 -0000

Thanks a lot for taking the time to brush up the BIP. For what it's
worth, I am all for these changes, and I see them as clear
improvements all around.

IIRC Pieter was the one who originally suggested the two-checks
approach (invalid, inconclusive, valid) which is being modified here,
so would be good if you chimed in (or not -- which I'll assume means
you don't mind).

On Sat, Dec 19, 2020 at 12:27 AM Andrew Poelstra via bitcoin-dev
<bitcoin-dev@lists.linuxfoundation.org> wrote:
>
> I have gone over BIP-0322 and substantially rewritten the text.
> Everything I did is (I think) simply clarifying the existing
> protocol, which felt like it was written by committee and wasn't
> easy to follow, EXCEPT:
>
> 1. I rewrote the motivation section, which I believe originally
>    was a paraphrase of Luke-jr's general objections to having any
>    signmessage functionality. I hope Luke in particular can take
>    a look at what I wrote under "Motivation" and see if it
>    captures his concerns.
>
> 2. I merged the "consensus" and "upgradeable" rules to simply be
>    one set of rules, consisting of consensus checks plus additional
>    restrictions, all of which must be included. The new "Extensions"
>    section allows validators to output the state "consensus-valid"
>    if they really don't want to check the additional restrictions.
>
> 3. The "inconclusive" state, which was originally used for what I've
>    called "consensus-valid", now indicates that a validator does not
>    understand the script that it is checking (also described in the
>    new "Extensions" section). The goal is that implementors are able
>    to be meaningfully BIP-0322 while only supporting a subset of
>    Script, e.g. the templates that their own software supports, or
>    Miniscript, or the non-raw non-address set of output descriptors,
>    or whatever.
>
>    We have seen opposition to supporting BIP-322, e.g. [1] because
>    of the requirement that you either have a full script interpreter
>    (plus an open-ended list of Core's standardness flags, which is
>    not even available through libbitcoinconsensus) or nothing. On
>    the other hand, the vast majority of outputs are single-key p2pkh,
>    p2pkwh or p2sh-wpkh.
>
> The new text is here (and for posterity I will also include it
> inline below, though unless Github deletes it it will be easier
> to read in rendered form):
>
> https://github.com/apoelstra/bips/blob/2020-12--bip322-overhaul/bip-0322.=
mediawiki
>
> I'll also PR this to the BIPs repo in the next day or two, and
> comments on Github are then welcome.
>
>
> [1] https://bitcointalk.org/index.php?topic=3D5261605.0
>
>
>
> * * * * * Full text of the above link * * * * *
>
> <pre>
>   BIP: 322
>   Layer: Applications
>   Title: Generic Signed Message Format
>   Author: Karl-Johan Alm <karljohan-alm@garage.co.jp>
>   Comments-Summary: No comments yet.
>   Comments-URI: https://github.com/bitcoin/bips/wiki/Comments:BIP-0322
>   Status: Draft
>   Type: Standards Track
>   Created: 2018-09-10
>   License: CC0-1.0
> </pre>
>
> =3D=3D Abstract =3D=3D
>
> A standard for interoperable signed messages based on the Bitcoin Script =
format, either for proving fund availability, or committing to a message as=
 the intended recipient of funds sent to the invoice address.
>
> =3D=3D Motivation =3D=3D
>
> The current message signing standard only works for P2PKH (1...) invoice =
addresses. We propose to extend and generalize the standard by using a Bitc=
oin Script based approach. This ensures that any coins, no matter what scri=
pt they are controlled by, can in-principle be signed for. For easy interop=
erability with existing signing hardware, we also define a signature messag=
e format which resembles a Bitcoin transaction (except that it contains an =
invalid input, so it cannot be spent on any real network).
>
> Additionally, the current message signature format uses ECDSA signatures =
which do not commit to the public key, meaning that they do not actually pr=
ove knowledge of any secret keys. (Indeed, valid signatures can be tweaked =
by 3rd parties to become valid signatures on certain related keys.)
>
> Ultimately no message signing protocol can actually prove control of fund=
s, both because a signature is obsolete as soon as it is created, and becau=
se the possessor of a secret key may be willing to sign messages on others'=
 behalf even if it would not sign actual transactions. No signmessage proto=
col can fix these limitations.
>
> =3D=3D Types of Signatures =3D=3D
>
> This BIP specifies three formats for signing messages: ''legacy'', ''simp=
le'' and ''full''. Additionally, a variant of the ''full'' format can be us=
ed to demonstrate control over a set of UTXOs.
>
> =3D=3D=3D Legacy =3D=3D=3D
>
> New proofs should use the new format for all invoice address formats, inc=
luding P2PKH.
>
> The legacy format MAY be used, but must be restricted to the legacy P2PKH=
 invoice address format.
>
> =3D=3D=3D Simple =3D=3D=3D
>
> A ''simple'' signature consists of a witness stack, consensus encoded as =
a vector of vectors of bytes, and base64-encoded. Validators should constru=
ct <code>to_spend</code> and <code>to_sign</code> as defined below, with de=
fault values for all fields except that
>
> * <code>message_hash</code> is a BIP340-tagged hash of the message, as sp=
ecified below
> * <code>message_challenge</code> in <code>to_spend</code> is set to the s=
criptPubKey being signed with
> * <code>message_signature</code> in <code>to_sign</code> is set to the pr=
ovided simple signature.
>
> and then proceed as they would for a full signature.
>
> =3D=3D=3D Full =3D=3D=3D
>
> Full signatures follow an analogous specification to the BIP-325 challeng=
es and solutions used by Signet.
>
> Let there be two virtual transactions to_spend and to_sign.
>
> The "to_spend" transaction is:
>
>     nVersion =3D 0
>     nLockTime =3D 0
>     vin[0].prevout.hash =3D 0000...000
>     vin[0].prevout.n =3D 0xFFFFFFFF
>     vin[0].nSequence =3D 0
>     vin[0].scriptSig =3D OP_0 PUSH32[ message_hash ]
>     vin[0].scriptWitness =3D []
>     vout[0].nValue =3D 0
>     vout[0].scriptPubKey =3D message_challenge
>
> where <code>message_hash</code> is a BIP340-tagged hash of the message, i=
.e. sha256_tag(m), where tag =3D <code>BIP0322-signed-message</code>, and <=
code>message_challenge</code> is the to be proven (public) key script.
>
> The "to_sign" transaction is:
>
>     nVersion =3D 0 or as appropriate (e.g. 2, for time locks)
>     nLockTime =3D 0 or as appropriate (for time locks)
>     vin[0].prevout.hash =3D to_spend.txid
>     vin[0].prevout.n =3D 0
>     vin[0].nSequence =3D 0 or as appropriate (for time locks)
>     vin[0].scriptWitness =3D message_signature
>     vout[0].nValue =3D 0
>     vout[0].scriptPubKey =3D OP_RETURN
>
> A full signature consists of the base64-encoding of the to_spend and to_s=
ign transactions concatenated in standard network serialisation.
>
> =3D=3D=3D Full (Proof of Funds) =3D=3D=3D
>
> A signer may construct a proof of funds, demonstrating control of a set o=
f UTXOs, by constructing a full signature as above, with the following modi=
fications.
>
> * <code>message_challenge</code> is unused and shall be set to <code>OP_T=
RUE</code>
> * Similarly, <code>message_signature</code> is then empty.
> * All outputs that the signer wishes to demonstrate control of are includ=
ed as additional outputs to <code>to_sign</code>, and their witness and scr=
iptSig data should be set as though these outputs were actually being spent=
.
>
> Unlike an ordinary signature, validators of a proof of funds need access =
to the current UTXO set, to learn that the claimed inputs exist on the bloc=
kchain, and to learn their scriptPubKeys.
>
> =3D=3D Detailed Specification =3D=3D
>
> For all signature types, except legacy, the <code>to_spend</code> and <co=
de>to_sign</code> transactions must be valid transactions which pass all co=
nsensus checks, except of course that the output with prevout <code>000...0=
00:FFFFFFFF</code> does not exist.
>
> We additionally require the following restrictions be met.
>
> * All signatures must use the SIGHASH_ALL flag.
> * The use of <code>CODESEPARATOR</code> or <code>FindAndDelete</code> is =
forbidden.
> * The use of NOPs reserved for upgrades is forbidden.
> * The use of segwit versions greater than 1 are forbidden.
> * <code>LOW_S</code>, <code>STRICTENC</code> and <code>NULLFAIL</code>: v=
alid ECDSA signatures must be strictly DER-encoded and have a low-S value; =
invalid ECDSA signature must be the empty push
> * <code>MINIMALDATA</code>: all pushes must be minimally encoded
> * <code>CLEANSTACK</code>: require that only a single stack element remai=
ns after evaluation
> * <code>MINIMALIF</code>: the argument of <code>IF</code>/<code>NOTIF</co=
de> must be exactly 0x01 or empty push
>
> Future versions of this BIP may relax these rules, in particular those ar=
ound NOPs and future Segwit versions, as they are deployed on Bitcoin.
>
> =3D=3D=3D Verification =3D=3D=3D
>
> Validation consists of the following steps. A validator is given as input=
 an address ''A'' (which may be omitted in a proof-of-funds), signature ''s=
'' and message ''m'', and outputs one of four states (although validators a=
re only required to be able to output the first and last):
> * ''valid'' indicates that the signature passed all checks described belo=
w
> * ''valid at time t and age s'' indicates that the signature has set time=
locks but is otherwise valid (see "Extensions" below)
> * ''consensus-valid'' indicates that the signature passed validation exce=
pt for the additonal restrictions in the above section (see "Extensions" be=
low)
> * ''inconclusive'' means the validator was unable to check the scripts (s=
ee "Extensions" below)
> * ''invalid'' means none of the other states
>
> # Decode ''s'' as the transactions <code>to_sign</code> and <code>to_spen=
d</code>
> # Confirm that <code>message_hash</code> is the correct hash of ''m''
> # Confirm that <code>message_challenge</code> is the scriptPubKey corresp=
onding to ''A'' if ''A'' is present, and otherwise must be <code>OP_TRUE</c=
ode>
> # Confirm that all other fields are set as specified above; in particular=
 that
> ** <code>to_spend</code> has exactly one input and one output
> ** <code>to_sign</code> has at least one input and its first input spends=
 the output of </code>to_spend</code>
> ** <code>to_sign</code> has exactly one output, as specified above
> # Confirm that the two transactions together satisfy all consensus rules,=
 except for <code>to_spend</code>'s missing input, and except that ''nSeque=
nce'' of <code>to_sign</code>'s first input and ''nLockTime'' of <code>to_s=
ign</code> are not checked.
> # Confirm that all of the above restrictions are met.
>
> If the above conditions are met, the signature is considered ''valid''. O=
therwise the signature is ''invalid''.
>
> =3D=3D=3D Signing =3D=3D=3D
>
> Signers who control an address ''A'' who wish to sign a message ''m'' act=
 as follows:
>
> # They construct <code>to_spend</code> and <code>to_sign</code> as specif=
ied above, using the scriptPubKey of ''A'' for <code>message_challenge</cod=
e> and tagged hash of ''m'' as <code>message_hash</code>.
> # Optionally, they may set nLockTime of <code>to_sign</code> or nSequence=
 of its first input.
> # Optionally, they may add any additional outputs to <code>to_sign</code>=
 that they wish to prove control of.
> # They satisfy <code>to_sign</code> as they would any other transaction.
>
> They then encode their signature, choosing either ''simple'' or ''full'' =
as follows:
>
> * If they added no inputs to <code>to_sign</code>, left nSequence and nLo=
ckTime at 0, and ''A'' is a Segwit address (either pure or P2SH-wrapped), t=
hen they may base64-encode <code>message_signature</code>
> * Otherwise they must base64-encode the concatenation of <code>to_spend</=
code> followed by <code>to_sign</code>.
>
> =3D=3D Extensions =3D=3D
>
> To ease implementation, we allow some additional states to be output rath=
er than ''valid'' or ''invalid''. Users who do not understand or who do not=
 wish to deal with these states may treat them as ''invalid''.
>
> =3D=3D=3D Timelocks =3D=3D=3D
>
> If the nLockTime of <code>to_sign</code> is set to ''t'', and the nSequen=
ce of the first input of <code>to_sign</code> is set to ''s'', the validato=
r may output the state ''valid at time t and age s''.
>
> If both ''t'' and ''s'' are 0, the validator must instead output ''valid'=
'.
>
> Users may then wish to interpret this state as ''valid'' or ''invalid'' r=
elative to the state of the current blockchain, but the rules for doing so =
are out of scope of this BIP.
>
> =3D=3D=3D Incomplete Validation =3D=3D=3D
>
> Some validators may not wish to implement a full script interpreter, choo=
sing instead to support only specific script templates, or only Miniscript,=
 for example. In this case, if they are unable to execute the scripts used =
by <code>to_sign</code>, they should output the state ''inconclusive''.
>
> Users should interpret this state as the same thing as ''invalid'', altho=
ugh take it as a sign that they should find more capable software.
>
> =3D=3D=3D Consensus-Only Validation =3D=3D=3D
>
> Validators which are only able to check consensus-correctness of witnesse=
s, but not the additional restrictions imposed by this BIP, may output the =
state ''consensus-valid'' to indicate that a signature has passed all conse=
nsus and structural checks.
>
> Users should interpret this state as the same thing as ''valid'' but be a=
ware that other software may fail to validate the same signature.
>
> =3D=3D Compatibility =3D=3D
>
> This specification is backwards compatible with the legacy signmessage/ve=
rifymessage specification through the special case as described above.
>
> =3D=3D Reference implementation =3D=3D
>
> TODO
>
> =3D=3D Acknowledgements =3D=3D
>
> Thanks to David Harding, Jim Posen, Kalle Rosenbaum, Pieter Wuille, Andre=
w Poelstra, and many others for their feedback on the specification.
>
> =3D=3D References =3D=3D
>
> # Original mailing list thread: https://lists.linuxfoundation.org/piperma=
il/bitcoin-dev/2018-March/015818.html
>
> =3D=3D Copyright =3D=3D
>
> This document is licensed under the Creative Commons CC0 1.0 Universal li=
cense.
>
> =3D=3D Test vectors =3D=3D
>
> TODO
>
> * * * * * End full text * * * * *
>
> --
> Andrew Poelstra
> Director of Research, Blockstream
> Email: apoelstra at wpsoftware.net
> Web:   https://www.wpsoftware.net/andrew
>
> The sun is always shining in space
>     -Justin Lewis-Webster
>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev