Author

Topic: [DISCUSSION] BIP-notatether-messageverify: Standardizes message verification (Read 651 times)

legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
Well, I sent it to the mailing list. Let's see how this goes.

A temporary location of the final draft can be viewed at https://github.com/ZenulAbidin/bips/blob/master/bip-notatether-signedmessage.mediawiki .

Edit: thread locked while I prepare the new one.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
And now it's time for one last hulk smash on this draft. I'll assume everybody is OK with 43-46 header defining Taproot address and 46 as its default designation, since nobody commented about it. Apparently, Schnorr as used in BIP340 fails if x of R is not equal to r any way.

To keep the BIP reasonably short, I'm going to offload having to specify the internals of base58check and bech32[m] encoding algorithms by writing that it's out of scope for the BIP, and point to working implementations of these encoding/decoding algorithms instead and specify where they have to be used.





== Abstract ==

Bitcoin wallets have the capability of signing and verifying messages from individual addresses, by using ECDSA and the public/private key pair belonging to that address. These are often used to prove ownership of coins in the address, the address itself, or simply to relay a message as the owner of that particular address.

Message signing in its current form has been present since the earliest Bitcoin implementations, and its processes are largely still the same as how Satoshi designed it, with a few deviations by some wallet software here and there.

The purpose of message signing from an address is to prove that the signer has ownership of that address, since a valid signature implies a person has access the private key to that address. To that extent, message verification consists of two parts: 1) verifying the signature, and 2) ensuring that the address can be derived from the public key.

The original message signing format (hereby referred to in this BIP as the "Satoshi format") will briefly be described here. Parts of this description were copied from BIP137[1].

ECDSA signatures generate a 32-byte r-value and a 32-byte s-value, which collectively represent the signature. Bitcoin signatures have the r and s values mentioned above, and a 1-byte header. Therefore, the size of a signature in the Satoshi format is 65 bytes.

The header is used to specify information about the signature. It can be thought of as a bitmask with each bit in this byte having a meaning. The serialization format of a Bitcoin signature is as follows:

[1 byte of header data][32 bytes for r-value][32 bytes for s-value]

The header byte has a few components to it. First, it stores something known as the recID. This value is stored in the least significant 2 bits of the header, and uniquely identifies the correct signature for the signing public key. The lower bit represents the parity of the Y coordinate of the singature - even or odd - and the higher bit represents the correct r-value: 'r' or 'n+r'. For a rare subset of signatures which have r>=p-n, the only possible r-value will be 'r', thus the highest bit of the recID should be zero.

The following list demonstrates the correct signature corresponding to the value of recID:

0: even Y, r = r
1: odd Y, r = r
2: even Y, r = n+r
3: odd Y, r = n+r

The remaining bytes of the header format must be read together to fetch the correct address format. The Satoshi format defines the following ranges for address types:

Header byte is 27-30: P2PKH uncompressed
Header byte is 31-34: P2PKH compressed

BIP137 additionally defines the following ranges for compressed segwit address types:

Header byte is 35-38: P2WPKH-P2SH compressed
Header byte is 39-42: P2WPKH compressed

The word "Standardization" will be used here to mean reaching a consensus to using a particular proposal by implementing it in software. "Design-standardization" will be used to refer to the original meaning - the verbal consensus of technical persons for a particular proposal without necessarily implementing it in software.

== Motivation ==

The Satoshi format's message verification algorithm has only been designed to validate messages from Legacy addresses, since that was the only existing address type when message signing was invented. Unlike how BIP 322 words it, message signing and verification is technically possible for Segwit addresses, and a signature format has even been invented for it [See 1], but it has never been standardized by wallet implementations.

The result of this oversight on the part of the wallet developers is that some wallets allow you to sign messages from a Segwit address, such as Electrum, but those messages cannot be verified anywhere except on that particular wallet software.

Critically, no attempt has been made so far to officially standardize the message signing algorithm for the Segwit address types P2WPKH, P2WPKH-P2SH, also known as Nested and native Segwit respectively (the existing proposals have only design-standardized. The existing BIPs only attempt to define a new message signing format, and have not gained a large-enough consensus for their de facto use over existing signature formats.

== Rationale ==

This document should be viewed as a manual for implementing address signing rather than as a standard. That is because it does not attempt to define a novel message signing format. It also avoids extending existing message formats, unless such extensions are required to identify or verify a particular signature type.

The only non-standard extention to the message signing format that this BIP introduces is in the Signature field format for Taproot addresses, to enable message verification for these addresses and also to make the format compatible with the Satoshi format and BIP137. In this respect, signatures generated by this BIP differ from those from BIP340[2] (albeit BIP340 does not define signing formats for addresses), but the signing and verification algorithms are otherwise compatible with BIP340. The extensions made are as follows:

- The (R,s) payload of the Schnorr signature is preceded by the one-byte header.
- When constructing the signature, the header must have a value of 46 for Taproot addresses. This is because the points used will always be even, and r values greater than or equal to n are not allowed (hence x = r+n is not a possibility).
-- However, for compatibility reasons, conforming implementations must also identify any header value between 43-46 inclusive as from a Taproot address when verifying a signature. In other words, the recID bits must be set to zero when signing a message.
- Immediately following the (R,s) payload is the 32-byte x-coordinate of the public key. The public key MUST be interpreted as even and compressed. This is necessary because BIP340 Schnorr signatures do not allow for public key recovery, so the public keys need to be concatenated in the signature.

Thus, the signature payload for Schnorr signatures will be 97 bytes long in total (1-byte header + 64-byte (R,s) + 32-byte public key). For ECDSA signatures, it will be 65 bytes long (1-byte header + 64-byte (r,s)).

This BIP attempts to define the precise algorithms for signing and verifying messages, that are signed using the Satoshi format (a subset of BIP137), BIP137 format, or the Schnorr signature format defined above. Hence, compliance with this BIP implies compliance with BIP137.

A number of extensions to the message signature format have been defined, for error checking purposes. All of these extensions are strictly optional. Implementations are free to implement only the base standard and none of the extensions, or some but not all of the extensions, if this is desired. All of the extensions can be implemented independently from each other. The full list of extensions defined by this BIP are listed below:

- Message Sanitization - Before signing and verification, removes all NUL characters, converts tabs to 8 spaces, converts CRLF and CR to LF, strips trailing space and tab from the ends of lines, and strips all trailing whitespace from the end of the message.
-- The original message is always unmodified.
-- Some users experience difficulties in verifying signatures that contain hidden spaces and tabs, due to naunces in current implementations, so this extension remedies that by eliminating the traling spaces and tabs altogether.
--- In particular, this means that even in the case of a single newline at the end of the message, it is stripped for uniformity with messages without any such newlines.
-- Also, operating systems and programs may have different line ending formats, and lengths for the tab character.
--- To avoid verification errors due to these mis-matches, tabs are expanded to 8 characters (the recognized length of a tab), and sequences of carrige and line feed are reduced to simply line-feed.
-- Also, parsing NUL characters is a common source of vulnerabilities, because most implementations cannot detect them correctly, therefore, they are stripped form the entire message before signing and verification.
--- No other non-graphical characters are removed apart from the trailing whitespace.
-- For the purposes of this extension, the defined whitespace characters are space ' ', newline '\n', tab '\t' and carrige return '\r'.

- UTF-8 Serialization - Converts the character set of the message body to UTF-8 before signing and verifying.
-- Due to operating systems using incongruent default character set (for example Windows uses Windows-1252 by default and Linux programs tend to use ISO 8859-1 aka. Latin-1), signed message containing non-ASCII characters might fail verification depending on the operating system. This is because the actual byte sequences of the message are different for each encoding.
-- By converting the message into UTF-8 using a library such as GNU libiconv[3] or ICU[4], errors due to differences in character sets are eliminated.
-- Even in UTF-8, there are several different valid forms to represent the same text. The result is more verification errors because the byte sequences are inherently different. This BIP resolves this issue by normalizing all UTF-8 text into NFC form, which takes the smallest amount of storage space of all UTF-8 forms.

The phrases "Requirements for extension EXTENSION_NAME" and "End extension requirements" by themselves on a line are used to delimit the parameters and processes that are only required for a specific extension.

While BIP 322 has superior message verification capabilities, such as the ability to verify scripts, no attempt is made to define a verification algorithm for BIP 322 in this proposal.

No attempt is made to define the bodies of the Base58Check, Bech32, Bech32m encoding algorithms, in order to avoid unnecessarily increasing the length of the BIP. Instead, the reader is referred to existing implementations of these algorithms in the Notes section. Any well-formed implementation of the encoding algorithm can be used where the BIP specifies the algorithm's name. It is recommended to thoroughly test the encoding implementations with specially-crafted data to eliminate the security risk of buffer overruns.

The following terminologies apply for the rest of this document:

"Message Signing Format", or simply "Format", refers to one of the cryptographic algorithms and address formats detailed in the Specification section.

"Method" refers to either message signing, message verification, or both.

"Algorithm" refers to the sub-method required to support signing and verification of one of the defined Formats.

== Specification ==

The message signing processes consist of two sub-processes - the signing Method, and the verification Method, the specification for both of these items is detailed separately.


The message signing and verification Methods shall use at least one of the following Formats to create a signature, depending on the wallet implementation:

- ECDSA signatures, with P2PKH uncompressed addresses.
- ECDSA signatures, with P2PKH compressed addresses.
- ECDSA signatures, with P2WPKH-P2SH compressed addresses.
- ECDSA signatures, with P2WPKH compressed addresses.
- Schnorr signatures, with P2TR (Taproot) compressed addresses.

For a particular Format:
- If the implementation shall be used in a wallet software, both its signing and verification Methods must be implemented. In other words, you cannot only implement a Format for signing or verification separately.
- If the implementation shall be ran as a stand-alone application (for example, hosted on a web page), then only the verification Method is required to be implemented. For this scenario it is recommended that the signing should not be implemented, to eliminate the possibility of rogue private key or public key data being supplied at user input.
- Conforming implementations must not implement only the signing Method without the verification Method under any circumstances. This inhibits users from verifying that their signatures are correct.

The "ECDSA with P2PKH", "ECDSA with P2WPKH-P2SH", and "ECDSA with P2WPKH" format produce BIP137-compatible signatures. The "ECDSA with P2PKH" format produces a Satoshi format-compatible signature.

Three fields are defined for all Message Signing Formats: Message, Address, and Signature.

In the case of both ECDSA and Schnorr signatures, the address which is used to sign the message is placed inside the Address area. The message that is being signed should be placed in the Message area. The Signature area will be filled with the output of the method described below.

No other fields are defined by this BIP. Conforming implementations must not define additional fields in the message signature.


=== Definitions ===

Byte concatenation is written as '||' and implies that both operands shall be cast to byte arrays before concatenation.

Array subscripting is written as 'x[i:j]' and should be interpreted to create a copy of the byte array x of length (j-i) with the i-th byte as the first byte and the (j-1)-th byte as the last byte (i >= 0, j >= 0).

Floor division is written as '/' and involves truncating the floating-point remainder from the division result.

Modular inverse is written as 'modinv(x,n)', where n is a constant, variable, or expression, and is equivalent to x^-1 mod p.

Modular exponentation is written as 'x^n' where n is a constant, variable, or expression, and does not include modulus. The modulus must be explicitly specified using 'mod' eg. 'x^2 mod n'.

Bitwise AND is written as 'AND'.

Bitwise XOR is written as 'XOR'.

Cast from byte array to 256-bit integer is represented as 'int(x)'.

Cast from 256-bit integer to byte array is represented as 'bytes(x)'.

Hexadecimal byte arrays are represented as 'hex(byte sequence)', where the byte sequence consists of sequences of two hexadecimal characters separated by space (for example 'hex(01 02)' generates the byte array identical to the evaluation of '\x01\x02' in the C programming language). There is no leading '0x' or '0X' in the output.

=== Common steps for all signing and verification Algorithms ===

These steps must be executed before any other step in the Algorithm is ran.

The preliminary steps are listed below, and all operate on the Message field exclusively.

Requirements for extension UTF-8 Serialization:
1. The message is converted to the UTF-8 encoding, if it isn't already in that encoding. If the character set conversion fails (for example if there are invalid bytes in the encoding), then fail signing with a error similar to "UTF-8 conversion error".
2. Scan the message for invalid UTF-8 byte sequences. If any are found, then fail signing with an error similar to "Message contains invalid UTF-8 characters".
3. The resulting UTF-8 should be compressed into NFC form.
End extension requirements

Requirements for extension Message Sanitization:
4. Scan the message for NUL (0x00, or '\0') bytes. If any are found, fail signing with an error similar to "Message contains embedded NUL characters".
5. Strip all tab and space characters from the ends of all lines.
6. Convert CRLF and CR newlines to LF.
7. Remove all trailing newlines from the end of the message.
End extension requirements

=== Message signing method ===

The following parameters must be inserted into all supported signing Algorithms:

- The private key (PrivateKey)
- The public key (PublicKey)
-- Implementations can choose whether to include this parameter or calculate the public key directly in the signing Method, but it is the implementation's responsibility to ensure that the correct public key is being passed to this method.
--- This is because PublicKey is considered as implementation data, not user-generated data.
- The address (Address)
-- It is the implementation's responsibility to ensure that Address corresponds to PrivateKey and PublicKey.
- The message (Message)

Depending on the Format from which the signed message is being created, implementations should choose the apropriate Algorithm from the subsections below.

==== ECDSA signing, with P2PKH uncompressed addresses ====

1. Obtain the generator point G, curve order n and the curve characteristic p for secp256k1.
2. Compute z = SHA256(Message)
3. Generate a cryptographically secure random nonce k between 1 and n-1. This can be implemented by generating four 64-bit random unsigned integers. If the resulting integer is out of range (e.g. it's 0 or >=n), then discard the entire nonce and generate its entirety all over again. This is to avoid attacks on specific parts of the nonce.
4. Compute (x,y) = G*k
5. If r mod n is 0 or (x,y) is the point at infinity, go back to step 3.
6. Compute s = modinv(k) * (z + r * PrivateKey) mod n. If s is 0, go back to step 3.
7. Compute the header byte. If r < p-n and y is even, set HeaderByte to 30. If r < p-n and y is odd, set HeaderByte to 27. If r >= p-n and y is even, set HeaderByte to 28. If r >= p-n and y is odd, set HeaderByte to 29.
8. Compute Signature=Base64(HeaderByte || r || s)

==== ECDSA signing, with P2PKH compressed addresses ====

1. Obtain the generator point G, curve order n and the curve characteristic p for secp256k1.
2. Compute z = SHA256(Message)
3. Generate a cryptographically secure random nonce k between 1 and n-1. This can be implemented by generating four 64-bit random unsigned integers. If the resulting integer is out of range (e.g. it's 0 or >=n), then discard the entire nonce and generate its entirety all over again. This is to avoid attacks on specific parts of the nonce.
4. Compute (x,y) = G*k
5. If r mod n is 0 or (x,y) is the point at infinity, go back to step 3.
6. Compute s = modinv(k, n) * (z + r * PrivateKey) mod n. If s is 0, go back to step 3.
7. Compute the header byte. If r < p-n and y is even, set HeaderByte to 34. If r < p-n and y is odd, set HeaderByte to 31. If r >= p-n and y is even, set HeaderByte to 32. If r >= p-n and y is odd, set HeaderByte to 31.
8. Compute Signature=Base64(HeaderByte || r || s)

==== ECDSA signing, with P2WPKH-P2SH compressed addresses ====

1. Obtain the generator point G, curve order n and the curve characteristic p for secp256k1.
2. Compute z = SHA256(Message)
3. Generate a cryptographically secure random nonce k between 1 and n-1. This can be implemented by generating four 64-bit random unsigned integers. If the resulting integer is out of range (e.g. it's 0 or >=n), then discard the entire nonce and generate its entirety all over again. This is to avoid attacks on specific parts of the nonce.
4. Compute (x,y) = G*k
5. If r mod n is 0 or (x,y) is the point at infinity, go back to step 3.
6. Compute s = modinv(k, n) * (z + r * PrivateKey) mod n. If s is 0, go back to step 3.
7. Compute the header byte. If r < p-n and y is even, set HeaderByte to 38. If r < p-n and y is odd, set HeaderByte to 35. If r >= p-n and y is even, set HeaderByte to 36. If r >= p-n and y is odd, set HeaderByte to 37.
8. Compute Signature=Base64(HeaderByte || r || s)

==== ECDSA signing, with P2WPKH compressed addresses ====

1. Obtain the generator point G, curve order n and the curve characteristic p for secp256k1.
2. Compute z = SHA256(Message)
3. Generate a cryptographically secure random nonce k between 1 and n-1. This can be implemented by generating four 64-bit random unsigned integers. If the resulting integer is out of range (e.g. it's 0 or >=n), then discard the entire nonce and generate its entirety all over again. This is to avoid attacks on specific parts of the nonce.
4. Compute (x,y) = G*k
5. If r mod n is 0 or (x,y) is the point at infinity, go back to step 3.
6. Compute s = modinv(k, n) * (z + r * PrivateKey) mod n. If s is 0, go back to step 3.
7. Compute the header byte. If r < p-n and y is even, set HeaderByte to 42. If r < p-n and y is odd, set HeaderByte to 39. If r >= p-n and y is even, set HeaderByte to 40. If r >= p-n and y is odd, set HeaderByte to 41.
8. Compute Signature=Base64(HeaderByte || r || s)

==== Schnorr signing, with P2TR (Taproot) compressed addresses ====


1. Obtain the generator point G, curve order n and the curve characteristic p for secp256k1.
2. Generate a cryptographically secure random 32-bit number a. This is recommended by BIP340 to avoid private key leaks, particularly if the public key is supplied as a parameter.
3. If PublicKey has an odd y coordinate, set PrivateKey = n - PrivateKey.
4. Compute t = PrivateKey XOR SHA256(SHA256(BIP0340/aux) || SHA256(BIP340/aux) || a).
5. Compute rand = SHA256(SHA256(BIP0340/nonce) || SHA256(BIP340/nonce) || t || PublicKey's x-coordinate || Message)
6. Compute k = int(rand) mod n. If k = 0, go back to step 2.
7. Compute R = k*G
8. If R has odd y coordinate, compute k = n-k.
9. Compute e = int(SHA256(SHA256(BIP0340/challenge) || SHA256(BIP0340/challenge) || R's x coordinate || P's x coordinate || Message)) mod n.
10. Compute sig = R's x coordinate || (k + e*PrivateKey mod n)
11. Set HeaderByte = 46 (even Y coordinate, r size will never be n+r or greater than or equal to n).
12. Compute Signature = Base64(HeaderByte || sig || PublicKey).

=== Message verification method ===

The following parameters must be inserted into all supported verification Algorithms:

- The message (Message)
- The address (Address)
- An ECDSA or Schnorr signature (Signature)

The Header byte in the signature shall dictate the verification Algorithm that is used.

Upon verification success, implementations must display a status message similar to: "Genuine signed message from address
".

==== Preliminary steps for all verification Algorithms ====

1. Set DecodedSignature = The decoded Base64 of Signature.
2. Set HeaderByte = DecodedSignature[0].
- If HeaderByte is bettwen 27 and 30 inclusive, use "ECDSA verification, P2PKH uncompressed address".
- Else, if HeaderByte is bettwen 31 and 34 inclusive, use "ECDSA verification, P2PKH compressed address".
- Else, if HeaderByte is bettwen 35 and 38 inclusive, use "ECDSA verification, P2WPKH-P2SH compressed address".
- Else, if HeaderByte is bettwen 39 and 42 inclusive, use "ECDSA verification, P2WPKH compressed address".
- Else, if HeaderByte is bettwen 43 and 46 inclusive, use "Schnorr verification, P2TR (Taproot) compressed address".
- Else, fail verification with an error similar to "Unknown signature type".

==== ECDSA verification, P2PKH uncompressed address ====

1. Set r = DecodedSignature[1:33]. If r >= n or r == 0, fail verification with an error similar to "Invalid ECDSA signature parameters".
2. Set s = DecodedSignature[33:65]. If s >= n or s == 0, fail verification with an error similar to "Invalid Ecdsa signature parameters".
3. Set z = SHA256(Message)
4. Set recID = Header AND 0x3
5. If recID AND 0x2 is not zero, set x = r+n, else set x = r.
6. Set alpha = (x^3 + 7) mod p
7. Set beta = alpha^((p+1)/4) mod p
8. If least-significant-bit of beta-recID is 0 (i.e. beta-recID is even):
-- Set y = beta
-- Else, set y = p-beta
9. Set R = Point(x,y)
10. Set e = (-(bytes(z))) % n
11. Set PublicKey = (R*s + G*e) * modinv(r, n)).
12. Compute EncodedPublicKey = "04" || hex(x) || hex(y)
13. Compute AddressHash = RIPEMD160(SHA256(EncodedPublicKey)
14. Compute DerivedAddress = Base58Check(hex(00) || AddressHash).
15. If DerivedAddress is equal to Address, succeed verificaion. Else fail verification with an error similar to "Wrong address for signature".

==== ECDSA verification, P2PKH compressed address ====

1. Set r = DecodedSignature[1:33]. If r >= n or r == 0, fail verification with an error similar to "Invalid ECDSA signature parameters".
2. Set s = DecodedSignature[33:65]. If s >= n or s == 0, fail verification with an error similar to "Invalid Ecdsa signature parameters".
3. Set z = SHA256(Message)
4. Set recID = Header AND 0x3
5. If recID AND 0x2 is not zero, set x = r+n, else set x = r.
6. Set alpha = (x^3 + 7) mod p
7. Set beta = alpha^((p+1)/4) mod p
8. If least-significant-bit of beta-recID is 0 (i.e. beta-recID is even):
-- Set y = beta
-- Else, set y = p-beta
9. Set R = Point(x,y)
10. Set e = (-(bytes(z))) % n
11. Set PublicKey = (R*s + G*e) * modinv(r, n)
12. If y is even, compute EncodedPublicKey = "02" || hex(x). Else, compute EncodedPublicKey = "03" || hex(x).
13. Compute AddressHash = RIPEMD160(SHA256(EncodedPublicKey)
14. Compute DerivedAddress = Base58Check(hex(00) || AddressHash).
15. If DerivedAddress is equal to Address, succeed verificaion. Else fail verification with an error similar to "Wrong address for signature".

==== ECDSA verification, P2WPKH-P2SH compressed address ====

1. Set r = DecodedSignature[1:33]. If r >= n or r == 0, fail verification with an error similar to "Invalid ECDSA signature parameters".
2. Set s = DecodedSignature[33:65]. If s >= n or s == 0, fail verification with an error similar to "Invalid Ecdsa signature parameters".
3. Set z = SHA256(Message)
4. Set recID = Header AND 0x3
5. If recID AND 0x2 is not zero, set x = r+n, else set x = r.
6. Set alpha = (x^3 + 7) mod p
7. Set beta = alpha^((p+1)/4) mod p
8. If least-significant-bit of beta-recID is 0 (i.e. beta-recID is even):
-- Set y = beta
-- Else, set y = p-beta
9. Set R = Point(x,y)
10. Set e = (-(bytes(z))) % n
11. Set PublicKey = (R*s + G*e) * modinv(r, n)
12. If y is even, compute EncodedPublicKey = "02" || hex(x). Else, compute EncodedPublicKey = "03" || hex(x).
13. Compute AddressHash = RIPEMD160(SHA256(EncodedPublicKey)
14. Compute RedeemScript = hex(00 14) || AddressHash
15. Compute RedeemScriptHash = RIPEMD160(SHA256(RedeemScript)).
16. Compute DerivedAddress = Base58Check(hex(05) || RedeemScriptHash).
17. If DerivedAddress is equal to Address, succeed verificaion. Else fail verification with an error similar to "Wrong address for signature".

==== ECDSA verification, P2WPKH compressed address ====

1. Set r = DecodedSignature[1:33]. If r >= n or r == 0, fail verification with an error similar to "Invalid ECDSA signature parameters".
2. Set s = DecodedSignature[33:65]. If s >= n or s == 0, fail verification with an error similar to "Invalid Ecdsa signature parameters".
3. Set z = SHA256(Message)
4. Set recID = Header AND 0x3
5. If recID AND 0x2 is not zero, set x = r+n, else set x = r.
6. Set alpha = (x^3 + 7) mod p
7. Set beta = alpha^((p+1)/4) mod p
8. If least-significant-bit of beta-recID is 0 (i.e. beta-recID is even):
-- Set y = beta
-- Else, set y = p-beta
9. Set R = Point(x,y)
10. Set e = (-(bytes(z))) % n
11. Set PublicKey = (R*s + G*e) * modinv(r, n)
12. If y is even, compute EncodedPublicKey = "02" || hex(x). Else, compute EncodedPublicKey = "03" || hex(x).
13. Compute AddressHash = RIPEMD160(SHA256(EncodedPublicKey)
16. Compute DerivedAddress = Bech32("bc", 0, AddressHash).
17. If DerivedAddress is equal to Address, succeed verificaion. Else fail verification with an error similar to "Wrong address for signature".

==== Schnorr verification, P2TR (Taproot) compressed addresss ====

1. Set DecodedSignature = The decoded Base64 of Signature.
2. Set HeaderByte = DecodedSignature[0]. If HeaderByte is less than 43 or greater than 46, fail verification with an error similar to "Not a Taproot address signature".
3. Set r = DecodedSignature[1:33]. If r >= p or r == 0, fail verification with an error similar to "Invalid Schnorr signature parameters".
4. Set s = DecodedSignature[33:65]. If s >= n or s == 0, fail verification with an error similar to "Invalid Schnorr signature parameters".
5. Set x = DecondedSignature[65:97].
6. Compute c = x^3 + 7 mod p
7. Compute y = c^((p+1)/4) mod p
8. If y^2 mod p is not equal to c, fail verification with an error similar to "Invalid Schnorr signature parameters".
9. If y mod 2 is equal to zero, compute P = the point (x,y), else compute P = the point (x,p-y).
10. Compute e = int(SHA256(SHA256(BIP0340/challenge) || SHA256(BIP0340/challenge) || r || x || Message)) mod n
11. Compute R = s*G - e*P. If R is infinity or has an odd y, or if R's x coordinate is not equal to r, fail verification with an error similar to "Invalid Schnorr signature parameters".
12. Compute EncodedPublicKey = "02" || hex(x).
13. Compute AddressHash = RIPEMD160(SHA256(EncodedPublicKey)
16. Compute DerivedAddress = Bech32m("bc", 1, AddressHash).
17. If DerivedAddress is equal to Address, succeed verificaion. Else fail verification with an error similar to "Wrong address for signature".

== Displaying signed messages ==

Implementations can choose to display and process the Message, Address, and Signature separately. Alternatively, all three of these fields can be condensed into the following standardized format:

-----BEGIN BITCOIN SIGNED MESSAGE-----
Message
-----BEGIN BITCOIN SIGNATURE-----
Address
Signature
-----END BITCOIN SIGNATURE-----

If implementations choose to display the signed message using this format, it should be able to extract the Message, Address and Signature parts from it as well.

== Notes ==

The signing methods do not check whether Address can be generated from the PrivateKey or PublicKey. This ommission allows for the generation and distribution of "forged signatures" - signed messages where Signature derives an address different from the supplied Address, but this vulnerability is mitigated by thorough checking in the verification Method that the address can be generated from the public key, this failing verification for all such signatures. This is why when the signing Method is implemented, the verification Method must also be implemented.

Checking that the correct address can be derived from the public key and displaying an appropriate message, as opposed to just checking the validity of the signature, ensures that a signed message can be cryptographically proven to be legitimate or a fake. In particular, displaying error text such as "The signed message is not genuine" as opposed to "Message verification failed" gives credibility to the theorem that the message is of fraudulent origin, since faults in the verification Method of the implementation can be ruled out.

For instance, a conforming implementation with all extensions implemented can be utilized to demonstrate whether person A can provide a valid signed message from address B, thereby proving whether they have access to that address.

For this reason, it is highly recommended for implementations to implement both the Message Sanitization and UTF-8 serialization extensions, to eliminate byte-level differences that could prevent the signatures from being verified correctly.

A Base58 and Base58Check implementation written in Python is available at https://github.com/keis/base58, and a Bech32 and Bech32m implementation in multiple languages is available at https://github.com/sipa/bech32.

== References ==

[1] - https://github.com/bitcoin/bips/blob/master/bip-0137.mediawiki

[2] - https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki

[3] - https://www.gnu.org/software/libiconv/

[4] - https://icu.unicode.org/
hero member
Activity: 510
Merit: 4005
Yeah, I need to see how to compute the Bech32 checksum (and if Bech32m uses a very different algorithm from Bech32 - I also need to see some code for that), that would be very helpful.

Okay, I'm about to add some SegWit/Taproot address generation stuff to my own code, so I need to research Bech32/Bech32m anyway. Once I've got it all working on my end I'll let you know.

After reading BIP173 and BIP350, here's what I ended up with for my own project (Python 3 with mypy annotations):

Code:
def bech32Polymod(valueList: 'list[int]') -> 'int':
   result = 1
   for value in valueList:
      upper = result >> 25
      result = (result << 5 | value) & 0x3fffffff
      result ^= 0x3b6a57b2 if upper & 1 else 0
      result ^= 0x26508e6d if upper & 2 else 0
      result ^= 0x1ea119fa if upper & 4 else 0
      result ^= 0x3d4233dd if upper & 8 else 0
      result ^= 0x2a1462b3 if upper & 16 else 0
   return result

Code:
def bech32Checksum(valueList: 'list[int]', *, isModified: 'bool' = False) -> 'list[int]':
   code = (0x2bc830a3 if isModified else 1) ^ bech32Polymod([3, 3, 0, 2, 3] + valueList + [0, 0, 0, 0, 0, 0])
   return [code >> 25, code >> 20 & 31, code >> 15 & 31, code >> 10 & 31, code >> 5 & 31, code & 31]

It's less general than the reference implementation (e.g. you have to replace '[3, 3, 0, 2, 3]' with '[3, 3, 0, 20, 2]' for testnet addresses) but you may find it helpful seeing a slightly different take on the same algorithm.

Has only been lightly tested. Parameter 'isModified' switches between Bech32/Bech32m.

For anyone unaware, these functions expect their input lists to only contain (unsigned) 5-bit ints.

Edit: That's all the attention I can spare for now, good luck with your BIP! Smiley
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
If the header is between 27 and 30 inclusive, define SigAddressType to P2PKH Uncompressed.
Else, if the header is between 31 and 34 inclusive, define SigAddressType to P2PKH Compressed.
Else, if the header is between 35 and 38 inclusive, define SigAddressType to P2WPKH-P2SH Compressed.
Else, if the header is between 39 and 42 inclusive, define SigAddressType to P2WPKH Compressed.
Else, fail verification with a message similar to "Unknown address type in ECDS signature".

The usage of word "between" could cause some confusion for few people. Few people could interpret it as 28 to 29 rather than 27 to 30.

I think that's already been addressed by following each[1] case with the word "inclusive".

[1] There's one case where an "inclusive" is missing ("Verify that both r and s are between 1 and n-1").

Yeah, inclusive should cover all of the cases where there is a between range.

Let me eliminate the spelling errors very quickly and add the Schnorr signature code, and then I will come back for the bech32[m] algo.

Bech32 (BIP137[1]) and Bech32m (BIP350[2]) both have reference implementation that could help you see how things are done. The difference between the two BIPs is the checksum computation where BIP137 uses 1 as its constant while BIP350 uses 0x2bc830a3. That's all.

[1] https://github.com/bitcoin/bips/blob/master/bip-0173.mediawiki
[2] https://github.com/bitcoin/bips/blob/master/bip-0350.mediawiki


I think you meant BIP173.



So guys, I guess everyone's OK with the header byte in front to Taproot signatures as well, set to the value 46?
hero member
Activity: 510
Merit: 4005
If the header is between 27 and 30 inclusive, define SigAddressType to P2PKH Uncompressed.
Else, if the header is between 31 and 34 inclusive, define SigAddressType to P2PKH Compressed.
Else, if the header is between 35 and 38 inclusive, define SigAddressType to P2WPKH-P2SH Compressed.
Else, if the header is between 39 and 42 inclusive, define SigAddressType to P2WPKH Compressed.
Else, fail verification with a message similar to "Unknown address type in ECDS signature".

The usage of word "between" could cause some confusion for few people. Few people could interpret it as 28 to 29 rather than 27 to 30.

I think that's already been addressed by following each[1] case with the word "inclusive".

[1] There's one case where an "inclusive" is missing ("Verify that both r and s are between 1 and n-1").
legendary
Activity: 3472
Merit: 10611
Yeah, I need to see how to compute the Bech32 checksum (and if Bech32m uses a very different algorithm from Bech32 - I also need to see some code for that), that would be very helpful.
Bech32 (BIP173[1]) and Bech32m (BIP350[2]) both have reference implementation that could help you see how things are done. The difference between the two BIPs is the checksum computation where BIP173 uses 1 as its constant while BIP350 uses 0x2bc830a3. That's all.

[1] https://github.com/bitcoin/bips/blob/master/bip-0173.mediawiki
[2] https://github.com/bitcoin/bips/blob/master/bip-0350.mediawiki
hero member
Activity: 510
Merit: 4005
Yeah, I need to see how to compute the Bech32 checksum (and if Bech32m uses a very different algorithm from Bech32 - I also need to see some code for that), that would be very helpful.

Okay, I'm about to add some SegWit/Taproot address generation stuff to my own code, so I need to research Bech32/Bech32m anyway. Once I've got it all working on my end I'll let you know.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
Edit: If you have small bits of work that need doing (researching something, going through Electrum's source code, etc.) feel free to let me know (by PM or post) and I'll help if I'm able to.

Yeah, I need to see how to compute the Bech32 checksum (and if Bech32m uses a very different algorithm from Bech32 - I also need to see some code for that), that would be very helpful.
hero member
Activity: 510
Merit: 4005
[Where did everyone go? I obviously did not make this topic just for merit. Besides, I can't be replying to myself forever. Come on don't you guys want to see standardized segwit signatures? Undecided]

...

[edited to correct recID behavior. I will clean up the spelling and grammar in a moment.]

I'm sure you would have spotted these, but here you go (no overlap with Cricktor's notes):

    (Abstract) "ECDSA signatures generate a 32-byte r-value and a 32-bit s-value" -> "ECDSA signatures generate a 32-byte r-value and a 32-byte s-value"

    (Motivation) "since that were the only existing address type when message signing was invented" -> "since that was the only existing address type when message signing was invented"

    "=== Message verificaion method ===" -> "=== Message verification method ==="

    (ECDSA verification) "If they match, succeed verifcation, else fail." -> "If they match, succeed verification, else fail."

    (ECDSA verification) "Compare Base58Check(RedeemScriptHash) it with the read address." -> "Compare Base58Check(RedeemScriptHash) with the read address."

    (ECDSA verification) "If they match, succeed verificaiton" -> "If they match, succeed verification"

    (ECDSA verification) "fail verification with the message similar to" -> "fail verification with a message similar to"

I also think (to prevent confusion with xor):

    (ECDSA verification) "Note: '/' represents floor division, truncating the floating-point part, and '%' represents modulus." -> "Note: '/' represents floor division, truncating the floating-point part, '^' represents exponentiation, and '%' represents modulus."

Edit: If you have small bits of work that need doing (researching something, going through Electrum's source code, etc.) feel free to let me know (by PM or post) and I'll help if I'm able to.
hero member
Activity: 714
Merit: 1010
Crypto Swap Exchange
Minimal corrections while reading your post and by no means a complete proof reading:
Note before I post the draft: It appears that all "Brainwallet sites" such as https://jochen-hoenicke.de/brainwallet/#verify are using a subset of the BIP137 data format internally [but cannot verify anything but legacy address messages - keep reading]. They use 27-30[1] in the first byte, before any R or S bytes, to represent a P2PKH uncompressed, 31-34 to represent P2PKH uncompressed, and BIP137 additionally defines the following additional designations:
"31-34 to represent P2PKH uncompressed" should be "... P2PKH compressed" which is properly expressed in the == Abtract == section.

I highlighted proposed corrections or missing characters...
== Abstract ==
...
The header byte has a few components to it. First, it stores something known as the recID. This value is stored in the least significant 2 bits of the header.
...
== Motivation ==
...
The result of this oversight on the part of the wallet developers is that some wallets allow you to sign messages from a Segwit address, such as Electrum, but those messages cannot be verified anywhere except on that particular wallet software.

Critically, no attempt has been made so far to officially standardize the message signing algorithm for the Segwit address types P2WPKH, P2WPKH-P2SH, also known as Nested and native Segwit respectively (the existing proposals have only design-standardized. The existing BIPs only attempt to define a new message signing format, and have not gained a large-enough consensus for their de facto use over existing signature formats.

== Rationale ==
...
=== Message signing method ===

The message signing method shall use at least one of the following algorithms to create a signature, depending on the wallet implementation:
- ECDSA signatures, with P2PKH addresses.
- ECDSA signatures, with P2WPKH-P2SH addresses.
- ECDSA signatures, with P2WPKH addresses.
- Schnorr signatures, with P2TR (Taproot) addresses.
- BIP 137 signatures, with P2PKH, P2WPKH-P2SH, and P2WPKH addresses.

In the case of the ECDSA signatures, the address which is used to sign the message is placed inside the Address area.

[As this is not yet a draft, I will fill in the exact ECDSA signing process on a later date. Essentially, it is exactly the same as the current algorithm.]

=== Message verificaion method ===
...
==== ECDSA verification ====

For the ECDSA verification method, the following values will be extracted from the signature:

- The header [byte 0, using 0-based indices]
- The r-value [bytes 1-32 inclusive]
- The s-value [bytes 33-64 inclusive]

After the signature is decoded from Base64 notation, The value of the header is compared to the ranges below, and the appropriate address type is deduced:

If the header is between 27 and 30 inclusive, define SigAddressType to P2PKH Uncompressed.
Else, if the header is between 31 and 34 inclusive, define SigAddressType to P2PKH Compressed.
Else, if the header is between 35 and 38 inclusive, define SigAddressType to P2WPKH-P2SH Compressed.
Else, if the header is between 39 and 42 inclusive, define SigAddressType to P2WPKH Compressed.
Else, fail verification with a message similar to "Unknown address type in ECDSA signature".

...
Then, compute the AddressHash:
...
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
[Where did everyone go? I obviously did not make this topic just for merit. Besides, I can't be replying to myself forever. Come on don't you guys want to see standardized segwit signatures? Undecided]

I got the green light from Pieter Wuille on the mailing list to append the public key to the signature payload, so this is what I will do for Taproot. The address field will be left unmolested.

Note before I post the draft: It appears that all "Brainwallet sites" such as https://jochen-hoenicke.de/brainwallet/#verify are using a subset of the BIP137 data format internally [but cannot verify anything but legacy address messages - keep reading]. They use 27-30[1] in the first byte, before any R or S bytes, to represent a P2PKH uncompressed, 31-34 to represent P2PKH compressed, and BIP137 additionally defines the following additional designations:

35-38: P2WPKH-P2SH
39-42: P2WPKH

[1] Why is it between 27 and 30 inclusive? Because the lowest two bits of the first byte are occupied by something known as the recID, and is auxilliary data for verifying ECDSA signatures. This is not needed for Schnorr signatures, so for Taproot signatures the lowest two bits should be set to 0.

So, that is the signature field for legacy signing standard and also for BIP137. Can we reuse this format for Taproot addresses? I think so, but we have to add the public key after the signature as I mentioned above. So I will define the following range for taproot P2TR addresses:
43-46: P2TR

Since the two-bit, recID is not used in Taproot, implementations are recommended to always set the first byte to 46 (for backwads compatibility, besides the signature will always generate even Y - I am not so sure about if it generates X = r though) however, any of these four values can identify a P2TR Schnorr signature.

Warning: I have no idea if this data-range definition will be shot down by the community as some kind of unorthodox construct. After all, I am shoehorning Schnorr signature format into BIP137 format. Alternatively, I'm open to considering specifying Taproot Schnorr signatures to be ONLY the (e,s) or (R,s) signature, followed by the public key.




== Abstract ==

Bitcoin wallets have the capability of signing and verifying messages from individual addresses, by using ECDSA and the public/private key pair belonging to that address. These are often used to prove ownership of coins in the address, the address itself, or simply to relay a message as the owner of that particular address.

Message signing in its current form has been present since the earliest Bitcoin implementations, and its processes are largely still the same as how Satoshi designed it, with a few deviations by some wallet software here and there.

The original message signing format (hereby referred to in this BIP as the "Satoshi format") will briefly be described here. Parts of this description were copied from BIP137[TODO include reference].

ECDSA signatures generate a 32-byte r-value and a 32-byte s-value, which collectively represent the signature. Bitcoin signatures have the r and s values mentioned above, and a 1-byte header. Therefore, the size of a signature in the Satoshi format is 65 bytes.

The header is used to specify information about the signature. It can be thought of as a bitmask with each bit in this byte having a meaning. The serialization format of a Bitcoin signature is as follows:

[1 byte of header data][32 bytes for r-value][32 bytes for s-value]

The header byte has a few components to it. First, it stores something known as the recID. This value is stored in the least significant 2 bits of the header, and uniquely identifies the correct signature for the signing public key. The lower bit represents the parity of the Y coordinate of the singature - even or odd - and the higher bit represents the correct r-value: 'r' or 'n+r'. For a rare subset of signatures which have r>=p-n, the only possible r-value will be 'r', thus the highest bit of the recID should be zero.

The following list demonstrates the correct signature corresponding to the value of recID:

0: even Y, r = r
1: odd Y, r = r
2: even Y, r = n+r
3: odd Y, r = n+r

The remaining bytes of the header format must be read together to fetch the correct address format. The Satoshi format defines the following ranges for address types:

Header byte is 27-30: P2PKH uncompressed
Header byte is 31-34: P2PKH compressed

BIP137 additionally defines the following ranges for compressed segwit address types:

Header byte is 35-38: P2WPKH-P2SH compressed
Header byte is 39-42: P2WPKH compressed

The word "Standardization" will be used here to mean reaching a consensus to using a particular proposal by implementing it in software. "Design-standardization" will be used to refer to the original meaning - the verbal consensus of technical persons for a particular proposal without necessarily implementing it in software.

== Motivation ==

The Satoshi format's message verification algorithm has only been designed to validate messages from Legacy addresses, since that was the only existing address type when message signing was invented. Unlike how BIP 322 words it, message signing and verification is technically possible for Segwit addresses, and a signature format has even been invented for it [See 1], but it has never been standardized by wallet implementations.

The result of this oversight on the part of the wallet developers is that some wallets allow you to sign messages from a Segwit address, such as Electrum, but those messages cannot be verified anywhere except on that particular wallet software.

Critically, no attempt has been made so far to officially standardize the message signing algorithm for the Segwit address types P2WPKH, P2WPKH-P2SH, also known as Nested and native Segwit respectively (the existing proposals have only design-standardized. The existing BIPs only attempt to define a new message signing format, and have not gained a large-enough consensus for their de facto use over existing signature formats.

== Rationale ==

This BIP does not attempt to define a novel message signing format. It also avoids extending existing message formats, unless such an extension is required to verify a particular signature.

This BIP attempts to define the precise algorithms for signing and verifying messages, that are signed using one of the existing formats. While BIP 322 has superior message verification capabilities, such as the ability to verify scripts, no attempt is made to define a verification algorithm for BIP 322 in this proposal.

Hereafter, this BIP will refer to the methods that sign and verify messages as "message signing processes".

The message signing processes consist of two sub-processes - the signing method, and the verification method, the specification for both of these items is detailed separately.

=== Message signing method ===

The message signing method shall use at least one of the following algorithms to create a signature, depending on the wallet implementation:
- ECDSA signatures, with P2PKH addresses.
- ECDSA signatures, with P2WPKH-P2SH addresses.
- ECDSA signatures, with P2WPKH addresses.
- Schnorr signatures, with P2TR (Taproot) addresses.
- BIP 137 signatures, with P2PKH, P2WPKH-P2SH, and P2WPKH addresses.

In the case of the ECDSA signatures, the address which is used to sign the message is placed inside the Address area.

[As this is not yet a draft, I will fill in the exact ECDSA signing process on a later date. Essentially, it is exactly the same as the current algorithm.]

=== Message verification method ===

First, the message, address, and signature fields are read from the signed message document.

The Length of the signature is calculated and the appropriate code path is chosen based on its length:

- If the Length is 65 bytes, then the ECDSA verification algorithm will be used.
- If the Length is 96 bytes, then the Schnorr verification algorithm will be used.

==== ECDSA verification ====

For the ECDSA verification method, the following values will be extracted from the signature:

- The header [byte 0, using 0-based indices]
- The r-value [bytes 1-32 inclusive]
- The s-value [bytes 33-64 inclusive]

After the signature is decoded from Base64 notation, The value of the header is compared to the ranges below, and the appropriate address type is deduced:

If the header is between 27 and 30 inclusive, define SigAddressType to P2PKH Uncompressed.
Else, if the header is between 31 and 34 inclusive, define SigAddressType to P2PKH Compressed.
Else, if the header is between 35 and 38 inclusive, define SigAddressType to P2WPKH-P2SH Compressed.
Else, if the header is between 39 and 42 inclusive, define SigAddressType to P2WPKH Compressed.
Else, fail verification with a message similar to "Unknown address type in ECDSA signature".

Next, the address is compared to the SigAddressType to ensure that the types match:

Then, the public key will be computed from the r-value and s-value (for brevity they will be referred to as "r" and "s"):

- Compute "z", the byte representation of the SHA256 hash of the message that is to be verified
- Verify that both r and s are between 1 and n-1. Otherwise, fail verification with a message similar to "malformed ECDSA signature".
- Set "n" equal to the curve order, and "p" equal to the curve characteristic.
- Next, the public key must be computed. The following algorithm has been derived from bitcoinsig.js [it will be uploaded soon because I could not find the main Github repository for it]:
-- Set x = r + n * recID/2
[Note: This will almost always be just "r", but in extremely rare cases it could also be "r+n", because if r < p-n, then r=p+n is another valid r-value]
-- Set alpha = (x^3 + 7) % p
-- Set beta = alpha^((p+1)/4) % p
-- If least-significant-bit of beta-recID is 0 (i.e. beta-recID is even):
--- Set y = beta
--- Else, set y = p-beta
-- Set R = Point(x,y)
-- Set e = (-(byte_array_to_unsigned_bigint(z))) % n
-- Set PublicKey = (R*s + G*e) * (r^(-1) % n)).
Note: '/' represents floor division, truncating the floating-point part, '^' represents modular exponentation (that is, the modulus must be taken after the exponentation) and '%' represents modulus. 'byte_array_to_unsigned_bigint()' converts a byte array into an unsigned integer which can represent arbitrarily large values.

Next, the public key must be verified against the r,s values [TODO: I am not a cryptographer, can someone weigh in on this and tell me if this is necessary, or will the autogenerated pubkey pass this part every time? It's not necessar because we derived pubkey from x=r. But this can be used to calculate the recID - bitcoinsig.js just cycles through each value of recID and verifies the signature until it finds one that passes successfully. This should be moved into the messaeg signing part. Thanks to https://bitcointalksearch.org/topic/m.54542481 for the recID codes.]

-- Compute u[1] = z*s^-1 mod n and u[2] = r*s^-1 mod n.
--  Compute (x, y) = u[1]*G + u[2]*PublicKey. If (x,y) is equal to the point at infinity, fail verification with a message similar to "malformed ECDSA signature".
-- If x = r and y is even (least significant bit is 0), then set recID to 0
-- Else if x = r and y is odd (least significant bit is 1), then set recID to 1
-- Else if x = r + n and y is even, then set recID to 2
-- Else if x = r + n and y is odd, then set recID to 3
[There is no Else clause. x will always generate either r or r+n. Also, do not apply modulus to the r, or you will break the recID check.]
[TODO delete]
-- If r = x mod n, then continue. Else, fail verification with a message similar to "malformed ECDSA signature".
[end of TODO]

Then, compute the AddressHash:
If SigAddressType is P2WSH Uncompressed set AddressHash to be RIPEMD160(SHA256(PublicKey encoded in uncompressed form)).
Else set AddressHash to be RIPEMD160(SHA256(PublicKey encoded in compressed form)).

After that, the first bytes (not individual Unicode characters) inside the address are inspected:

- If the address begins with '1':
-- Assert that the Header is between 27 and 34 inclusive. Otherwise, fail verification with a message similar to "Address prefix does not match type in signature".
-- Assume Address is a P2PKH aka Legacy address, encode AddressHash using Base58Check, and compare it with the read address. If they match, succeed verifcation, else fail.
- Else, if the address begins with '3',
-- Assert that the Header is between 35 and 38 inclusive. Otherwise, fail verification with a message similar to "Address prefix does not match type in signature".
-- Assume it is P2WPKH-P2SH
-- Set RedeemScript to the hexadecimal bytes "0x0014" concatenated with the AddressHash.
-- Set RedeemScriptHash to the concatenation of the hexadecimal byte "0x05" with RIPEMD160(SHA256(RedeemScript))
-- Compare Base58Check(RedeemScriptHash) it with the read address. If they match, succeed verificaiton, else fail verification with a message similar to "Address prefix does not match type in signature".
[XXX I do not like doing this for the reason that @achow101 stated, so if anyone has a better way to accomplish this, please let me know. For now this seems to be the only option.]
- Else, if the address begins with 'bc1q', perform additional checks:
-- In accordance to BIP141, this will either be a P2WPKH address or a P2WSH address. However, we do not have a redeem script, but an address hash, so we directly derive a bech32 address from it:
-- Prefix AddressHash with the bits '00000' to create a version 0 address, and then map the groups of 5 bits to bech32 characters, and generate the Bech32 checksum.
--- If this matches the address, succeed verification, else, fail verification with a message similar to "Address prefix does not match type in signature".
-- If the first byte is anything else, fail verification.
- Else, fail verification.

==== Schnorr verification ====

[Work in progress, the ECDSA section took too much time to make.]

== Notes ==

[I may or may not put a header byte in front of the Schnorr signature. I don't want to, because I think it's redundant, but I'm wondering if it is necessary for consistency.]
[I am shocked at how little material is available for generating Bech32 addresses (and the same goes for Bech32m addresses too)!]

== References ==

[1] - https://github.com/bitcoin/bips/blob/master/bip-0137.mediawiki

[2] - https://en.bitcoin.it/wiki/Elliptic_Curve_Digital_Signature_Algorithm

[edited to correct recID behavior.]
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
Bump [24 hour limit on consecutive posts should be up by now, according to UTC time.]

So I have mostly figured out what should be done regarding the signing and verification from Taproot addresses. The good news is that BIP340 has already made this a standard saving me the headache of having to re-implement this all over again (not that I want to in the first place).

Despite being a draft, I see it as a net positive to include this signing format for Taproot addresses ahead of time i.e. before wallets even support Taproot addresses yet.

A few notes before I begin the quote of relevant parts:

- Eventually they chose "BIP340/challenge" as the key prefix aka. the tag. So I guess a different tag "BIP-notatether" would be incompatible with that so I drop my signing tag.

- They selected encoding only the x coord of R and P (not that this is relevant to use since I chose (e,s) encoding format), and they chose Y must be the even for P and R. It might not be relevant here since I can also use (e,s) as a signature format, but I am having great difficulty deciding between that or (R,s). I believe that only one of these formats should be used for maximum consistency. [But I do not see wallets placing multiple fields for public keys just to support batch verification.]

- The public key is required for all Schnorr verification schemes. This complicates the message signing/verification UI as "address" is supposed to contain an address, however the verification scheme cannot recover the public key (as achow101 mentioned). These differences might call for making a separate draft just for Schnorr signatures. Personally, I want to refrain from making any decision until I review the BIP137 signatures.

Quote from: bip340
==== Default Signing ====

Input:
* The secret key ''sk'': a 32-byte array
* The message ''m'': a 32-byte array
* Auxiliary random data ''a'': a 32-byte array

The algorithm ''Sign(sk, m)'' is defined as:
* Let ''d' = int(sk)''
* Fail if ''d' = 0'' or ''d' ≥ n''
* Let ''P = d' · G''
* Let ''d = d' '' if ''has_even_y(P)'', otherwise let ''d = n - d' ''.
* Let ''t'' be the byte-wise xor of ''bytes(d)'' and ''hashBIP0340/aux(a)''The auxiliary random data is hashed (with a unique tag) as a precaution against situations where the randomness may be correlated with the private key itself. It is xored with the private key (rather than combined with it in a hash) to reduce the number of operations exposed to the actual secret key..
* Let ''rand = hashBIP0340/nonce(t || bytes(P) || m)''Including the [https://moderncrypto.org/mail-archive/curves/2020/001012.html public key as input to the nonce hash] helps ensure the robustness of the signing algorithm by preventing leakage of the secret key if the calculation of the public key ''P'' is performed incorrectly or maliciously, for example if it is left to the caller for performance reasons..
* Let ''k' = int(rand) mod n''Note that in general, taking a uniformly random 256-bit integer modulo the curve order will produce an unacceptably biased result. However, for the secp256k1 curve, the order is sufficiently close to ''2256'' that this bias is not observable (''1 - n / 2256'' is around ''1.27 * 2-128'')..
* Fail if ''k' = 0''.
* Let ''R = k' · G''.
* Let ''k = k' '' if ''has_even_y(R)'', otherwise let ''k = n - k' ''.
* Let ''e = int(hashBIP0340/challenge(bytes(R) || bytes(P) || m)) mod n''.
* Let ''sig = bytes(R) || bytes((k + ed) mod n)''.
* If ''Verify(bytes(P), m, sig)'' (see below) returns failure, abortVerifying the signature before leaving the signer prevents random or attacker provoked computation errors. This prevents publishing invalid signatures which may leak information about the secret key. It is recommended, but can be omitted if the computation cost is prohibitive..
* Return the signature ''sig''.


==== Verification ====

Input:
* The public key ''pk'': a 32-byte array
* The message ''m'': a 32-byte array
* A signature ''sig'': a 64-byte array

The algorithm ''Verify(pk, m, sig)'' is defined as:
* Let ''P = lift_x(int(pk))''; fail if that fails.
* Let ''r = int(sig[0:32])''; fail if ''r ≥ p''.
* Let ''s = int(sig[32:64])''; fail if ''s ≥ n''.
* Let ''e = int(hashBIP0340/challenge(bytes(r) || bytes(P) || m)) mod n''.
* Let ''R = s · G - e · P''.
* Fail if ''is_infinite(R)''.
* Fail if ''not has_even_y(R)''.
* Fail if ''x(R) ≠ r''.
* Return success iff no failure occurred before reaching this point.

For every valid secret key ''sk'' and message ''m'', ''Verify(PubKey(sk),m,Sign(sk,m))'' will succeed.

It's too early for my draft to cut off some dead wood from this draft, but I will end this post with a note:

- The purpose of address message signing/verification is to cryptographically prove that a message has come from a specific address. Granted, this is malleable, since the signing isn't technically done with address, but with public keys in the case of both ECDSA and Schnorr, so a legacy address which validates a message implies that its corresponding segwit addresses can also validate it, since they all share the same public key. In the case of Taproot, if somebody wanted to verify that a message indeed came from a taproot address, 'Signature' can be overloaded by concatenating the Schnorr signature [/edit] and public key together like this:

(e,s) or (R,s) || public key

And the public key sent to the verification algorithm. The signature will still be a fixed-size payload. It is true that it destructs the "zero-knowledge" benefit with Schnorr signatures, but this will allow maximum compatibility with ECDSA address verification. After all, hasn't BIP340 itself made tradeoffs of its own to preserve compatibility with ECDSA message generation, such as choosing the parity of Y coordinates?

[edit]:

The truth is, is that you can't verify an address message without general knowledge of the public key. And zero-knowledge signatures such as Schnorr completely disallow for that. Given that it is highly likely that future address types will also make use of Schnorr signatures, and the growing disproportion betwen legacy addresses and the rest of the addresses requires that the community make a choice regarding message signatures now - Do they really want them, or not?

I am hoping that the anwser from the majority of readers here is "yes", since many crypto users do in fact rely on messages (in fact it is one of the ONLY ways to recover a bitcointalk account if you lost access to it, with a staked address - the other being with PGP keys that nobody uses - The Stake Your PGP Key Thread can testify to that).
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
I have decided that Multisig is too complex in order to feasibly support in this BIP. It just leaves generating/verifying the BIP137 signatures and Schnorr signatures correctly as the only obstacles to overcome for the completion of this rough draft (sans code).
legendary
Activity: 1456
Merit: 1176
Always remember the cause!
Quote
0x41
Why uncompressed keys? Also note that in case of Taproot, OP_CHECKMULTISIG is disabled. See: https://bitcointalksearch.org/topic/replacing-opcheckmultisigverify-with-opchecksigadd-5349148

So, if it will be a new standard, it could be based just on ECDSA operations, where "s=(z+rd)/k" would be the default for legacy, and "s=zd+k" would be the default for Schnorr signatures. That means, the standard could define some things like "Point*number" or "Point+number", then any existing signature could be handled by this kind of format, because any legacy signature is just a relation "k=d*first_number+second_number". That means, by storing Q, R, first_number and second_number, you can express any signature, if you can make sure that it is valid from ECDSA point of view, and if the message is hashed correctly.
You are right. Above I just tried to give an example, the actual standard should go deeper, however it is not necessary to do too much generalization, user should disclose the standard template of the script she is supplying, it'd be useful for other applications as well, e.g., wallets could use such templates asking for the placeholders from users to generate a script which its type is already decided, somehow.
copper member
Activity: 821
Merit: 1992
Quote
0x41
Why uncompressed keys? Also note that in case of Taproot, OP_CHECKMULTISIG is disabled. See: https://bitcointalksearch.org/topic/replacing-opcheckmultisigverify-with-opchecksigadd-5349148

So, if it will be a new standard, it could be based just on ECDSA operations, where "s=(z+rd)/k" would be the default for legacy, and "s=zd+k" would be the default for Schnorr signatures. That means, the standard could define some things like "Point*number" or "Point+number", then any existing signature could be handled by this kind of format, because any legacy signature is just a relation "k=d*first_number+second_number". That means, by storing Q, R, first_number and second_number, you can express any signature, if you can make sure that it is valid from ECDSA point of view, and if the message is hashed correctly.
legendary
Activity: 1456
Merit: 1176
Always remember the cause!
@pooya87 I will put a more detailed version of your Taproot signature generation step inside the BIP, as soon as I can figure out how to verify the Schnorr signatures.

Exactly. Just drop it along with the whole sign-with-script thing, as far as it is about scripts generally, I think the actual improvement would be including well-formed srcipts with standard format and extracting public keys (e.g. using a simple parser) then succeeding to the rest. It is where standards could help.

I guess that this includes specializations for checking for (and verifying) multisig scripts? Not that there is any standard way.
Yes, and it should have, if it is going to be used for signing-with-script. There are zillion ways for writing a n-of-m multisig script but there is one neat way to do this:
|0x41[...]||OP_CHECKMULTISIG

A verifier should scan the supplied script to follow the exact definition:
Code:
BYTE * multisig_Script_scanner (BYTE &script){
    u_int len;
    len = (u_int *) script;
    u_ int m;
    m = (len - 2) / 66 ; // size of ECDSA public key = 65 + 1 stackpush directive=66
    if (m > MAX_KEYS_ALLOWED || m * 66 + 2 <>  len)  
        return null; // not a valid pubkey list
    if (script[len+1] <> 0xAE // OP_CHECKMulTISIG
       return null;
    if (scipt[2] <>  0x52 ) // OP_1 we accept only 1 of m for now
         return; // should be a multiply of 66
    int i = 0;
    for ( ; i    if i < m
      return null; // bad format we need pubkeys with a size descriptor of 0x41
    return (script+3);
    }  
We should have a series of  public keys beginning with 0x41 as their length descriptor, otherwise it is failed, already. Hereafter, it'd be the validators job to check the supplied signature against all the supplied keys until it finds a match, otherwise it fails.

EDIT: improved the code, covering my own mess  Wink
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
@pooya87 I will put a more detailed version of your Taproot signature generation step inside the BIP, as soon as I can figure out how to verify the Schnorr signatures.

Exactly. Just drop it along with the whole sign-with-script thing, as far as it is about scripts generally, I think the actual improvement would be including well-formed srcipts with standard format and extracting public keys (e.g. using a simple parser) then succeeding to the rest. It is where standards could help.

I guess that this includes specializations for checking for (and verifying) multisig scripts? Not that there is any standard way to make them, and the address field won't accomidate multiple public keys. It's like dealing with P2SH and P2PK mashed together.

And in the case of P2WSH, which can be detected precisely, it will have to unilaterally fail verification if one is encountered.
legendary
Activity: 3472
Merit: 10611
[TODO figure out what to do with Schnorr signatures.]
Pretty much the same thing:
- Message hash could be computed the same way as before (append constant, compute SHA256d)
- Compute k using Tagged hash (instead of RFC6979) by using BIP-notatether as its tag
- Generate signature using Schnorr digital signature algorithm the same way you sign a transaction hash

The important part is the second step.
legendary
Activity: 1456
Merit: 1176
Always remember the cause!
It is pretty much contradictory to have both: your BIP-notatheter and BIP322.

Essentially, BIP 322 says something like this:
1- For signer: To prove your ownership of some UTXO(s), make a vanity txn with the UTXO(s) as input(s) and the message you are signing as output, supply auxiliary data needed (if any) and sign!
2- For verifier: To verify such messages, do a routine verification with some tweaks and tricks, for instance don't abort because of time-locks, just isssue warnings and so fort.
3- For both: More details about the tweaks and tricks in the BIP.

I see. So in that case, with it not being a regular signed message, BIP 322 signatures, which are apparently just transactions, cannot even be verified in the same place as everything else. Because their implementations are incongruent - one is a transaction, which would require interested wallets to copy the verification code of Bitcoin Core [no wonder why practically no wallets implement it!], the other has a fixed collection of data fields.

Exactly. Just drop it along with the whole sign-with-script thing, as far as it is about scripts generally, I think the actual improvement would be including well-formed srcipts with standard format and extracting public keys (e.g. using a simple parser) then succeeding to the rest. It is where standards could help.

I've already discussed it above thread, tho.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
It is pretty much contradictory to have both: your BIP-notatheter and BIP322.

Essentially, BIP 322 says something like this:
1- For signer: To prove your ownership of some UTXO(s), make a vanity txn with the UTXO(s) as input(s) and the message you are signing as output, supply auxiliary data needed (if any) and sign!
2- For verifier: To verify such messages, do a routine verification with some tweaks and tricks, for instance don't abort because of time-locks, just isssue warnings and so fort.
3- For both: More details about the tweaks and tricks in the BIP.

I see. So in that case, with it not being a regular signed message, BIP 322 signatures, which are apparently just transactions, cannot even be verified in the same place as everything else. Because their implementations are incongruent - one is a transaction, which would require interested wallets to copy the verification code of Bitcoin Core [no wonder why practically no wallets implement it!], the other has a fixed collection of data fields.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
Guys, I am thinking about adding BIP 322 as a fourth detection & code path in the verification algorithm - the motivation would be to support verifying messages from P2[W]SH (without mandating anything on the signature method, so that I don't have to create my own message format), in case people *do* end up using BIP322. Do you agree with this idea?

Quote
whether BIP322 is used in any walets at all
It is almost used in Signet. Almost, because there is one difference: in Signet, you sign blocks. Here, you sign messages. But otherwise, it is almost identical, so almost ready implementation is already created in Bitcoin Core. As long as BIP-322 is not yet implemented, there are two options:
1) implement needed parts
2) hack the signet

If I do end up including BIP 322, it will certainly be done by implementing needed parts. I don't want to mess with signet, especially since wallets may not want to mess with a different network just to verify mssages.

[EDIT: I have decided against including P2PK "addresses" as a separate code path because these are actually not addresses (I don't know why I keep calling them that). These can be verified using BIP322 signatures anyway, so their inclusion depends on whether or not the community thinks its a good idea to standardize BIP322 signature verification, just like P2SH.]




== Abstract ==

Bitcoin wallets have the capability of signing and verifying messages from individual addresses, by using ECDSA and the public/private key pair belonging to that address. These are often used to prove ownership of coins in the address, the address itself, or simply to relay a message as the owner of that particular address.

Message signing in its current form has been present since the earliest Bitcoin implementations, and its processes are largely still the same as how Satoshi designed it, with a few deviations by some wallet software here and there.

== Motivation ==

The message verification algorithm has only been designed to validate messages from Legacy addresses, since that were the only existing address type when message signing was invented. Unlike how BIP-322 words it, message signing and verification is technically possible for Segwit addresses, but no standardized signing and verification process has been invented for it yet.

The result of this oversight is that some wallets allow you to sign messages form Segwit address, such as Electrum, but those messages cannot be verified anywhere except on that particular wallet software.

Critically, no attempt has been made so far to officially standardize the message signing algorithm for the segwit address types P2WPKH, P2WPKH-P2SH, also known as Nested and native Segwit respectively. The existing BIPs only attempt to define a new message signing format, and have not gained a large-enough conesnsus for their de facto use over existing signature formats.

== Rationale ==

This BIP does not attempt to define a new message signing format. Instead, it attempts to define the precise algorithms for signing and verifying messages, that is interopable with all of the widely-used message format. The message signing formats which are used only by a tiny minority of wallets will not be standardized in this BIP, to avoid bloating it.

Hereafter, this BIP will refer to the methods that sign and verify messages as "message signing processes".

The message signing processes consist of two sub-processes - the signing method, and the verification method, the specification for both of these items is detailed separately.

=== Message signing method ===

The message signing method shall use at least one of the following algorithms to create a signature, depending on the wallet implementation:
- ECDSA signatures, with P2PKH addresses.
- ECDSA signatures, with P2WPKH-P2SH addresses.
- ECDSA signatures, with P2WPKH addresses.
- ECDSA signatures, with P2WSH addresses [used in multisig wallets e.g. Electrum].
- Shnorr signatures, with P2TR (Taproot) addresses.
- BIP 137 signatures.

In the case of the ECDSA signatures, the address which is used to sign the message is placed inside the Address area.

[As this is not yet a draft, I will fill in the exact ECDSA signing process on a later date. Essentally, it is exactly the same as the current algorithm.]

[TODO figure out what to do with Schnorr signatures.]

=== Message verificaion method ===

First, the message, address, and signature fields are read from the signed message document.

Then, the public key of the signed message will be deduced from the signature and the message, followed by the RIPEMD160 hashing of the public key into the address has. [Again, the exact algorithm has to be specified here later even though it's not going to change.]

After that, the first bytes (not individual Unicode characters) inside the address are inspected:

- If the address begins with '1', assume it is a P2PKH aka Legacy address, encode the address hash using Base58, and compare it with the read address. If they match, succeed verifcation, else fail.
- Else, if the address begins with '3', assume it is P2WPKH-P2SH, encode the address hash using Base58, and compare it with the read address. If they match, succeed verificaiton, else fail.
[XXX I do not like doing this for the reason that @achow101 stated, so if anyone has a better way to accomplish this, please let me know. For now this seems to be the only option.]
- Else, if the address begins with 'bc1q', perform additional checks:
-- In accordance to BIP141, this will either be a P2WPKH address or a P2WSH address.
-- Read the first byte of the witness program, which is located after the witness version 0 (i.e. 'q' in Bech32)
-- If the first byte is 0x20, then it is a P2WPKH address:
--- Ensure that the rest of the witness program is 32 bytes long.
--- Attempt to construct a P2WPKH address from the generated public key. If this succeeds, succeed verification. Else, fail verification.
-- If the first byte is 0x14, then it is a P2WSH address:
--- Ensure that the rest of the witness program is 20 bytes long.
--- Attempt to construct a P2WSH address from the generated public key. If this succeeds, succeed verification. Else, fail verification.
[XXX P2WSH is a script hash, so without the script, the pubkey is useless. Should I only detect P2WSH multisig, and defer everything else to BIP322?]
-- If the first byte is anything else, fail verification.
- [Else if it is bc1p, it is a Taproot address, but I have to study Schnorr signatures some more to see how message signing would even work with that.]
- Else, if the prefix matches that of a BIP137 signature, attempt to use the BIP137 verification algorithm on the address hash. If the addresses match, succeed verifcation, else fail.
- Else, fail verification.

== Notes ==

BIP 322 signatures might be supported here (see the beginning of this post).

P2SH, P2WKPH-P2SH, and P2WSH-P2SH addresses cannot be distinguished from each other using the '3' prefix alone, generation of the latter two addresses will only identify whether an address is positively that address type. Without BIP322, there is no way to conclude that an address is NOT one of the above types, or if an address is a generic P2SH address that is not one of the other specializations.

Similarly, P2PK is not an address type, so cannot be directly supported in a message signing format that deals with addresses.
copper member
Activity: 821
Merit: 1992
Quote
whether BIP322 is used in any walets at all
It is almost used in Signet. Almost, because there is one difference: in Signet, you sign blocks. Here, you sign messages. But otherwise, it is almost identical, so almost ready implementation is already created in Bitcoin Core. As long as BIP-322 is not yet implemented, there are two options:
1) implement needed parts
2) hack the signet
Code:
bitcoin-qt -noconnect -signet -signetchallenge=a9144266fc6f2c2861d7fe229b279a79803afca7ba3487
submitblock ...
And currently, you can see that all official signet blocks can prove that signing some 1-of-2 multisig address is possible. The only drawback of using "hack the signet" solution here and now, is that you have to mine a block to get a valid solution for "submitblock".
legendary
Activity: 1456
Merit: 1176
Always remember the cause!
. BIP 322 allows signing with any script, as it runs the script interpreter when verifying.
BIP 322 goes beyond message signing as its agenda is to cover a proof of fund availability which other than not being achievable in some (very important) cases like HTLC, it also suffers from a confused definition:
A signed and verified message is typically timeless, i.e., it doesn't expire ever, Alice can sign such a message and have it proven by some verifier, being credited somehow because of her funds, while at the same time she is publishing a tx, spending the funds, and materializing the credit.

So, such a 'proof' is no proof, not a meaningful one, even susceptible to be misleading. It is an over utilization and falls short of compatibility with bitcoin general design principles, where less utility is better than vague or confusing ones, bitcoin is no Ethereum, we don't brag with the portfolio of problem domain we (loosely) cover.

It is why I think Greg Maxwell's comment in support of such an expanded problem domain, is basically wrong and not compatible with his usual hesitation for such practices.

On the other hand, for a more humbly defined problem domain, like when Alice wants to prove her access to a secret without revealing it and this secret is kinda linked to a bitcoin public key which gives Alice an anonymous identity somehow: Like when bitcoitalk users sign messages with their profile key, or when Alice is just saying: I'm the one who made this donation or the person who has/had a call on the address you deposited to etc. It is straightforward for legacy P2PKH addresses, obviously, but for P2SH, p2WSH, … in their most general form it'd be a more efficient way for all the parties to use their human knowledge and spot the appropriate address out of the disclosed script, and go through the trivial process.

In case they need to do it using automated techniques, there is a second option: narrow down the domain to well-formed, standardized script templates for sniffing out the keys and succeed with the basic procedure. The rule of thumb is always: avoid coding as much as possible by trading off costs against the gains.

Going beyond the above recommended specs not only adds restrictions but also is error-prone because either, wallets need to simulate bitcoin interpreter, or the latter has to add such a functionality and support wallets via RPC, whatever be the case we are expanding the code/attack/failure surface for almost nothing.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
Back to your message,

Hello NotATether.

This was my first bitcointalk post. I was trying to recover some altcoin airdrop for bitcoin holders and I needed to sign a message. Then I discovered it was not possible.

By the time, in 2018, nullius gave me some technical details about the problems for creating this standard.

Take a look, it might help you:

...

A lot of good links in that mailing list thread, but I think this one is going to be the most helpful - https://github.com/brianddk/bips/blob/legacysignverify/bip-0xyz.mediawiki . I'll study this draft BIP and see what I can get from it.




OK, so I apparently forgot that Taproot addresses do not even use ECDSA signatures in the first place. So I'm going to rule those out of the BIP.
[EDIT: since I'm already including BIP 137 signature detection in this method, I suppose I should construct this verification method like this:
- Detects one of the following three types of signature:
-- ECDSA signature
-- Schnorr signature (so that Taproot gets verified in a second code path)
-- BIP 137 signature (ditto)
END OF EDIT]

According to @achow101, guessing the signature type from the prefix still makes ambiguous address types, so I'll have to figure out a different strategy to identify P2WPKH-P2SH and P2WPKH (P2SH and P2WSH have already been stiken out of this BIP).
staff
Activity: 3458
Merit: 6793
Just writing some code
BIP 322 - I'm not even sure if this supports signing from P2[W]SH
It does, that's the point. BIP 322 allows signing with any script, as it runs the script interpreter when verifying.

- Else, if the address begins with '3', assume it is P2WPKH-P2SH, encode the address hash using Base58, and compare it with the read address. If they match, succeed verificaiton, else fail.
Bad assumption. P2SH addresses can include any script, not just segwit.

- Else, if the address begins with 'bc1q', assume it is P2WPKH, encode the address using Bech32, with version 'q', and compare it with the read address. If they match, succeed verification, else fail.
Bad assumption. P2WSH addresses also begin with bc1q.

- Else, if the address begins with 'bc1p', assume it is a P2TR aka Taproot address, encode the address using Bech32m, with version 'p', and compare it with the read address. If they match, succeed verification, else fail.
No, don't do that. Do not mix things that are used for schnorr signatures with generating ECDSA signatures. Note that the verification process for Taproot addresses will be different to the verification process of the other ones that use ECDSA because Schnorr does not allow for pubkey recovery. Since a Taproot address encodes a pubkey directly, you can do normal verification, but it means that there is no shared code between verifying Taproot and verifying everything else.

Also, this doesn't work for Taproot script path spends, and addresses which are script path spend only.
legendary
Activity: 3472
Merit: 10611
As I said above, it needs the ugly, infeasible practice of interpreting the script by the verifier using sophisticated techniques beyond the sopes of any existing or future wallet software.
That depends on how clean or ugly the code already is. If we are dealing with a clean loosely coupled code, it is very easy and smooth to change different parts of it just like replacing a cog in a big machine.
I don't know any C++ but signature verification is already in separate methods and GenericTransactionSignatureChecker seems to be replaceable.

Quote
More specifically, putting yourself in the shoes of a dev who wants to support this use case, you'd realize that you need to somehow virtually execute the given script (on a virtual stack, I suppose) to answer a few questions:
1- How many branches are involved?
2- Which addresses are involved in each branch?
3- Except for reasonably set (what is reasonable BTW?) time-Locks, pick the addresses which are eligible for claiming this output by supplying trivial data (not a preimage of a hash, for instance) for their branch to be reached. If an address is  able to unilaterally unlock this branch,  now or some practical future, put it in the special list of "rightful addresses", i.e., people who are able to claim the funds, some when.
4- Does the pubkey of the signature match any of the members of above list?
You are overthinking it. Only small modifications need to be made in the interpreter to verify the given script. You just evaluate it as if you were evaluating a transaction only treating certain OP codes differently meaning OP_CHECK(MULTI)SIG(VERIFY/ADD) computes hash of the message instead of tx. Multi-sigs return how many more signatures were missing. OP_CLV acts as OP_NOP, etc. Any complication in script evaluation already taken care of by the existing code.

Since this would require a new message format and @NotATether pointed out he wants to keep it Informational, I think I should stop further expansion on this idea.
legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
@ETFBitcoin:

It's a good idea. Does this mean the witness version is technically counted as part of the witness program?

Sorry, i made little mistake. I just remember 1st byte in witness program doesn't refer to witness version, but refer to length of witness program (0x0014 for P2WPKH). But IIRC Bech32 specification doesn't include length of witness program to generate Bech32 address.

--snip--
Code:
   scriptPubKey: 0 <20-byte-key-hash>
                  (0x0014{20-byte-key-hash})

The '0' in scriptPubKey indicates the following push is a version 0 witness program. The length of the witness program indicates that it is a P2WPKH type. The witness must consist of exactly 2 items.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
@ETFBitcoin:

It's a good idea. Does this mean the witness version is technically counted as part of the witness program?

- Else, if the address begins with 'bc1q', assume it is P2WPKH, encode the address using Bech32, with version 'q', and compare it with the read address. If they match, succeed verification, else fail.

Why don't you check bc1q followed by 38 ASCII character to determine whether an address is P2WPKH? BIP 141 clearly state this.

If the version byte is 0, and the witness program is 20 bytes:

    It is interpreted as a pay-to-witness-public-key-hash (P2WPKH) program.

Don't forget 20 bytes include q (in bc1q) which is witness version and the rest 19 bytes represent 38 ASCII character.
legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
- Else, if the address begins with 'bc1q', assume it is P2WPKH, encode the address using Bech32, with version 'q', and compare it with the read address. If they match, succeed verification, else fail.

Why don't you check bc1q followed by 38 ASCII character to determine whether an address is P2WPKH? BIP 141 clearly state this.

If the version byte is 0, and the witness program is 20 bytes:

    It is interpreted as a pay-to-witness-public-key-hash (P2WPKH) program.

Don't forget 20 bytes include q (in bc1q) which is witness version and the rest 19 bytes represent 38 ASCII character.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
That's the problem with P2SH, the redeem script can not be fetched from the address since it only includes the hash of it. So the redeem script has to either be guessed (like in case of wrapped SegWit) or be included in the signature+message combo. The later would significantly change the proposal since BIP-137 doesn't include the scripts.

I just read that P2SH and P2WSH addresses are hashed from the redeem script and not a public key. That's going to throw everything out of course because the ECDSA depends on keypairs to work properly.

That is to say, verifying messages from P2SH addresses may not be possible at all.

There's two factors in me making this decision:

1) They are not hashed from a public key, so not only can't these addresses be verified, but we also can't sign a message with them in the first place. Yes, in scripts like Multisig, there are private keys involved, but without defining a new format [which I am trying to refrain from doing to avoid another BIP-322[1]], it is impossible to retrieve them from the redeem script.
2) Almost no wallet has ever supported the generation of P2SH/P2WSH address, wtith the exception for multisig addresses. Generally, these had to be constructed manually.

---
[1] The reason I am abstaining from defining a new format is to attempt to avoid making a BIP that is either stuck in Draft for years (BIP 322 - I'm not even sure if this supports signing from P2[W]SH) or is Final but nobody uses (BIP 137 - I heard that Sparrow wallet can verify BIP 137 signatures but that is just a drop in the bucket).


I believe you're thinking in terms that a new message format would definitely be needed to enable the signing of messages from these "edge case" addresses e.g. P2SH and also Mutlisig, "send funds to the next block reward" - type of addresses (I forgot the script opcode that does that but I read it in one of these threads). I agree, but from a practical point of view, I can't shove all this in one BIP - and in particular I cannot define a new message format for the reason above, so in this BIP I chose to tackle only the problem of verifying all address types that can be generated from a public key.

The nice thing about Informational BIPs is that they can instantly be made up-to-date by making another BIP that supersedes it. They only have an "Active" status, unlike Standards Track and Process which both have a myriad of statuses.

@bitmover I will come back to your comment later.
legendary
Activity: 1456
Merit: 1176
Always remember the cause!
Your wallet could just as easily interpret it as a segwit address. We are working on creating something that actually specifies the address type, and more generally, allows signing with scripts.
So, the weird idea of 'signing with scripts' is old enough to make people confused. It is not good practice (check my posts, above thread). the only way would be implementing something such as 'script type' for the verifier, and go through the following steps:
1- verify the disclosed script against the P2SH.
2- verify the fitness of the actual script with the claimed script type.
3- Extract the address hash from the standardized place within the script.
4- go through the normal verification.

Note that it brings the specification from "generally signing with scripts" down to earth where we are able to do this just for well-formed, standardized scripts.
legendary
Activity: 2352
Merit: 6089
bitcoindata.science
Hello NotATether.

This was my first bitcointalk post. I was trying to recover some altcoin airdrop for bitcoin holders and I needed to sign a message. Then I discovered it was not possible.

By the time, in 2018, nullius gave me some technical details about the problems for creating this standard.

Take a look, it might help you:

Known issue.  There are some subtle problems here.  I’ve wanted to kick around ideas for a potential BIP, but it’s been fairly low on my list.

https://github.com/bitcoin/bitcoin/issues/10542

https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-December/015374.html

https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-December/thread.html#15374

See especially:
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-December/015441.html

(I seem to recall further discussion last month, but I can’t find it now.  It may be a memory bitflip.)


OP which wallet are you using? Because electrum can very well sign and verify messages signed from bech32 addresses. I think some of the other segwit wallets like samurai don't have a feature to sign message yet. I'm assuming since electrum can sign message then bitcoin core 0.16 also should be able to do that when its released.

Just signed one with electrum.
Code:
Message: Signed message
Address: bc1qyjqygpulgd6y69ync6wvd256qjltszekd2pz0x
Signature: HwNkc1x7GtforrqObazbOOure4XV5Jpx51Uf/dQ7hLQNEhkO+914HqUupdYJd3LH0eBtfENXBWRj3mb+HbQOoDw=  

I know this, too.  I have not yet tried to figure out what Electrum is doing; but it’s nonstandard.  Core cannot verify those signatures (as I know for certain), and AFAIK that will not change with v0.16.

This is also interesting. As you sign with a private-public key pair (and not with an address), there should be a more generic solution.

Note that you don't actually sign with an address. You sign with a public-private keypair and your wallet interprets it as an address. Your wallet could just as easily interpret it as a segwit address. We are working on creating something that actually specifies the address type, and more generally, allows signing with scripts.
legendary
Activity: 1456
Merit: 1176
Always remember the cause!
Signing messages with P2SH address, doesn't make any sense, it is metaphorically, and not exactly, an address. Disclosing the script behind P2SH addresses wouldn't help either, as it is infeasible to parse/interpret the script to extract conventional, true address(es) choosing one (which one if many?) to be verified against the public key, then succeeding to verification of the signature.
Actually it makes perfect sense. When you sign a message you are actually proving ownership of any balance that is locked behind a certain locking script. In other words you claim that you can spend that output.

If you sign a message using public key in OP_CLV OP_DROP OP_CHECKSIG you prove you can spend this output.
If you sign a message from pubkey #1 in OP_2 OP_CHECKMULTISIG you prove that you are one of the 2 persons who can spend this output.
I'm afraid, it doesn't, you missed the point.
As I said above, it needs the ugly, infeasible practice of interpreting the script by the verifier using sophisticated techniques beyond the sopes of any existing or future wallet software.

More specifically, putting yourself in the shoes of a dev who wants to support this use case, you'd realize that you need to somehow virtually execute the given script (on a virtual stack, I suppose) to answer a few questions:
1- How many branches are involved?
2- Which addresses are involved in each branch?
3- Except for reasonably set (what is reasonable BTW?) time-Locks, pick the addresses which are eligible for claiming this output by supplying trivial data (not a preimage of a hash, for instance) for their branch to be reached. If an address is  able to unilaterally unlock this branch,  now or some practical future, put it in the special list of "rightful addresses", i.e., people who are able to claim the funds, some when.
4- Does the pubkey of the signature match any of the members of above list?

It is because answering the final question is not trivial and needs diving in semantics of the script.

The only reasonable solution for the owners of such utxos is to rely on the counterparty's human intelligence by Simply signing a message with their actual address which is included in the script, convincing them by disclosing the script with fingers crossed.


Edit:
Taproot scripts have an edge, a huge one, as a candidate for this use:
The owner supplies a path to its branch and trivial data which brings us to her desired branch and all we have to do is to again 'virtually' execute this branch for deciding whether the supplied public key is unilaterally eligible for claiming the funds?
A same optimization is possible for the legacy scripts, but nothing would help the inherent dependency of an ill-defined piece of software.

EDIT 2: I just checked BIP 322 which, thanks God, is in draft stage, with the same purpose of covering something called "proving fund availability" which I'll address below thread.
legendary
Activity: 3472
Merit: 10611
Signing messages with P2SH address, doesn't make any sense, it is metaphorically, and not exactly, an address. Disclosing the script behind P2SH addresses wouldn't help either, as it is infeasible to parse/interpret the script to extract conventional, true address(es) choosing one (which one if many?) to be verified against the public key, then succeeding to verification of the signature.
Actually it makes perfect sense. When you sign a message you are actually proving ownership of any balance that is locked behind a certain locking script. In other words you claim that you can spend that output.

If you sign a message using public key in OP_CLV OP_DROP OP_CHECKSIG you prove you can spend this output.
If you sign a message from pubkey #1 in OP_2 OP_CHECKMULTISIG you prove that you are one of the 2 persons who can spend this output.
legendary
Activity: 1456
Merit: 1176
Always remember the cause!
I am assuming there was a standardized way to create P2SH addresses before segwit, that maybe requires the redeem script to encode, which can be fetched from the Address in the signed message anyway.
That's the problem with P2SH, the redeem script can not be fetched from the address since it only includes the hash of it. So the redeem script has to either be guessed (like in case of wrapped SegWit) or be included in the signature+message combo. The later would significantly change the proposal since BIP-137 doesn't include the scripts.
Signing messages with P2SH addresses, doesn't make any sense, it is called metaphorically, and not literally, an address. Disclosing the script behind P2SH addresses wouldn't help too, as it is infeasible to parse/interpret the script to extract conventional, true address(es) for choosing one (which one if there are many?) to be verified against the public key, before succeeding to verification of the signature, not to mention the privacy/security consequences.
legendary
Activity: 3472
Merit: 10611
I am assuming there was a standardized way to create P2SH addresses before segwit, that maybe requires the redeem script to encode, which can be fetched from the Address in the signed message anyway.
That's the problem with P2SH, the redeem script can not be fetched from the address since it only includes the hash of it. So the redeem script has to either be guessed (like in case of wrapped SegWit) or be included in the signature+message combo. The later would significantly change the proposal since BIP-137 doesn't include the scripts.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
If the algorithm and the format are not going to change then it may be best to update the existing BIP-137 that already standardized message signing for P2PKH, P2WPKH-P2SH and P2WPKH.

It does not make much sense for me to update BIP 137. It is a Standards Track BIP whereas I plan mine to be an Informational BIP where a consensus is not required as I'm not creating or modifying signing formats. I don't expect every wallet to drop their original verification methods and adopt this one, as a Standards Track BIP would require them to, but I'd be happy if a majority do, especially online ones that Brainwallet website.

Besides, BIP 137 is already in the Final state, so I'd have to create a second BIP anyway in order to (what they call) "replace" it. I am only going to change the verification algorithm - despite about half of it remaining the same.

Quote
Otherwise what is your solution to other cases that could be common but not covered here such as P2PK outputs or any other legacy P2SH script types like a simple lock-time script or multi-signature addresses or P2TR that is not using the simple single key spending route?

I'll probably include the first as an additional test for '1' addresss, and the second as an additional test for '3' addresses - that is, for '1' addresses I attempt P2PKH followed by P2PK, and for '3' addresses I attempt P2WPKH-P2SH followed by P2SH.

I am assuming there was a standardized way to create P2SH addresses before segwit, that maybe requires the redeem script to encode, which can be fetched from the Address in the signed message anyway.
legendary
Activity: 3472
Merit: 10611
This BIP does not attempt to define a new message signing format. Instead, it attempts to define the precise algorithms for signing and verifying messages, that is interopable with all of the widely-used message format.
If the algorithm and the format are not going to change then it may be best to update the existing BIP-137 that already standardized message signing for P2PKH, P2WPKH-P2SH and P2WPKH.

Otherwise what is your solution to other cases that could be common but not covered here such as P2PK outputs or any other legacy P2SH script types like a simple lock-time script or multi-signature addresses or P2TR that is not using the simple single key spending route?
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
Amendments:

(This will be regularly cleared as I make new rough drafts of the BIP)

- Message signing as well as message verification will be clearly defined.

- I will not implement BIP322 signature verification. The reason is that those messages have to be signed and verified under completely different circumstances (as a transaction, not as a data format), therefore it is impossible to include it along with all the other verification types in the same method. This also include Multisig signatures, although it is technically possible, it will make this BIP unnecessarily complicated.
- Should implement a code path for verifying P2PK addresses (we have the length to differentiate it from P2PKH, so this is doable) Thrown out
- With the current message format it is impossible to sign/verify P2SH addresses. This is not an amendment just a note, since it wasn't in the rough draft in the first place. Thrown out
- P2WSH addresses will not be verified, in accordance with the decision to scrap BIP 322. I will still detect P2WPKH addresses properly to avoid any P2WSH addresses from slipping through.

The final codepath for P2WPKH address will look like this:

Code:
if (address starts with bc1q) {
    read first byte of witness program (it starts after bc1q);
    if (first byte is 0x20) {
        assert(rest of witness program is 32 bytes long)
        // from the public key, construct a P2WPKH address;
    }
    else {
fail; // Fail, even for P2WSH addresses which we are able to detect above.
    }
}

- A blind generation test for P2WPKH-P2SH address is being used, since differentiation from P2SH address is otherwise not possible (i.e. you can't conclusively say that this is not a *-P2SH address).

- BIP 137's header bytes are adopted by this proposal because they overlap with the legacy signing format and also what I was trying to propose. Since the expected idea-apocalypse hasn't come, I will most likely do the same for Taproot addresses, to future-proof the standard.

- I cannot support Taproot multi-key verification, without radically changing the message signing format by adding multiple fields for *addresses* (and the corresponding public keys concatenated). This would make Schnorr signature sizes arbitrary, and leaves the risk of vulnerabilities from incorrect implementations. People who want this in practice are better off supporting BIP 322's efforts instead.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
This is a self-moderated thread, for dicussion about the workability of the standardization of the message verification process below. It will be locked when the draft is submitted to the mailing list, and a new thread for the draft will be created.



BIP-notatether-messageverify is the temporary name I have given to the BIP I'm drafting that is supposed to standardize the message signature verification method (and in particular, officially recognize segwit signed messages at long last). The rough idea I have devised for it is given below. This is not the draft.

This revision is obsolete, the newest revision is always available here.



== Abstract ==

Bitcoin wallets have the capability of signing and verifying messages from individual addresses, by using ECDSA and the public/private key pair belonging to that address. These are often used to prove ownership of coins in the address, the address itself, or simply to relay a message as the owner of that particular address.

Message signing in its current form has been present since the earliest Bitcoin implementations, and its processes are largely still the same as how Satoshi designed it, with a few deviations by some wallet software here and there.

== Motivation ==

The message verification algorithm has only been designed to validate messages from Legacy addresses, since that were the only existing address type when message signing was invented. Unlike how BIP-322 words it, message signing and verification is technically possible for Segwit addresses, but no standardized signing and verification process has been invented for it yet.

The result of this oversight is that some wallets allow you to sign messages form Segwit address, such as Electrum, but those messages cannot be verified anywhere except on that particular wallet software.

Critically, no attempt has been made so far to officially standardize the message signing algorithm for Segwit-type addresses (Nested, Native, and Taproot). The existing BIPs only attempt to define a new message signing format, and have not gained a large-enough conesnsus for their de facto use over existing signature formats.

== Rationale ==

This BIP does not attempt to define a new message signing format. Instead, it attempts to define the precise algorithms for signing and verifying messages, that is interopable with all of the widely-used message format. The message signing formats which are used only by a tiny minority of wallets will not be standardized in this BIP, to avoid bloating it.

Hereafter, this BIP will refer to the methods that sign and verify messages as "message signing processes".

The message signing processes consist of two sub-processes - the signing method, and the verification method, the specification for both of these items is detailed separately.

=== Message signing method ===

The message signing method shall create the ECDSA signature from the private key and message, and place it into the signature category as usual. However, in the Address section, the address that the user has selected to sign the message with will be placed inside there.

[As this is not yet a draft, I will fill in the exact ECDSA signing process on a later date. Essentally, it is exactly the same as the current algorithm.]

=== Message verificaion method ===

First, the message, address, and signature fields are read from the signed message document.

Then, the public key of the signed message will be deduced from the signature and the message, followed by the RIPEMD160 hashing of the public key into the address has. [Again, the exact algorithm has to be specified here later even though it's not going to change.]

After that, the first bytes (not individual Unicode characters) inside the address are inspected:

- If the address begins with '1', assume it is a P2PKH aka Legacy address, encode the address hash using Base58, and compare it with the read address. If they match, succeed verifcation, else fail.
- Else, if the address begins with '3', assume it is P2WPKH-P2SH, encode the address hash using Base58, and compare it with the read address. If they match, succeed verificaiton, else fail.
- Else, if the address begins with 'bc1q', assume it is P2WPKH, encode the address using Bech32, with version 'q', and compare it with the read address. If they match, succeed verification, else fail.
- Else, if the address begins with 'bc1p', assume it is a P2TR aka Taproot address, encode the address using Bech32m, with version 'p', and compare it with the read address. If they match, succeed verification, else fail.
- Else, if the prefix matches that of a BIP137 signature, attempt to use the BIP137 verification algorithm on the address hash. If the addresses match, succeed verifcation, else fail.
- Else, fail verification.

== Notes ==

I have elected not to support BIP322 message signing format because I did not get an answer on the mailing list on whether BIP322 is used in any walets at all. If there is provable evidence that it is, this BIP might be amended to verify this message format as well.



Local rules: No flame wars like in some of the other threads here. This thread will be posted to the mailing list, so I must keep it spot clean. All other comments are welcome.
Jump to: