MIME-Version: 1.0
From: Karl-Johan Alm <karljohan-alm@garage.co.jp>
Date: Wed, 17 Jul 2019 16:44:13 +0900
Message-ID: <CALJw2w6PZS8ERQmNczbLKudjfSF+xcew9qy_LjXnnmNzsghMiA@mail.gmail.com>
To: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Content-Type: text/plain; charset="UTF-8"
Subject: [bitcoin-dev] BIP: Signet
Precedence: list

Hello,

I have written a BIP describing the Signet network. Feedback requested!

https://github.com/bitcoin/bips/pull/803

Pasted in its entirety below, with formatting issues left as is. See
above link for styled version.

<pre>
BIP: XXXX
Layer: Applications
Title: Signet
Author: Karl-Johan Alm <karljohan-alm@garage.co.jp>
Comments-Summary: No comments yet.
Comments-URI: https://github.com/bitcoin/bips/wiki/Comments:BIP-XXXX
Status: Draft
Type: Standards Track
Created: 2019-03-20
License: CC0-1.0
</pre>

== Abstract ==

A new type of test network where signatures are used in addition to
proof of work for block progress, enabling much better coordination
and robustness (be reliably unreliable), for persistent, longer-term
testing scenarios involving multiple independent parties.

== Motivation ==

Testnet is a great place to try out new things without risking real
money, but it is notoriously unreliable. Huge block reorgs, long gaps
in between blocks being mined or sudden bursts of blocks in rapid
succession mean that realistic testing of software, especially
involving multiple independent parties running software over an
extended period of time, becomes infeasible in practice.

A new type of test network would be more suitable for integration
testing by organizations such as exchanges, or testing of next
generation Layer-2 protocols like Eltoo or sidechain pegs. The goal is
not to be perfectly reliable but rather to have a predictable amount
of unreliability. You want a test network to behave like mainnet (i.e.
no thousands of block reorgs) while also making it easier to trigger
expected but rare events like a 6-block reorg. Regtest is not suitable
for longer-term scenarios involving multiple independent parties
because creating blocks costs nothing, so any party can completely
control the test network.


== Specification ==

A new type of network ("signet"), which takes an additional consensus
parameter called the challenge (scriptPubKey). The challenge can be a
simple pubkey (P2PKH style), or a k-of-n multisig, or any other script
you would want.

The witness commitment of the coinbase transaction is extended to
include a secondary commitment (the signature/solution):

1-4 bytes - Push the following (x + 4) bytes
4 bytes - Signet header (0xecc7daa2)
x bytes - Solution (sigScript)

Any push operations that do not start with the 4 byte signet header
are ignored. Multiple push operations with the 4 byte signet header
are ignored except for the first entry.

Any signature operations contained within the challenge use
SHA256d(modifiedBlockHash), i.e. the double-SHA256 digest of the
following data as the sighash:

{|class="wikitable" style="text-align: center;"
|-
!Type
!Size
!Name
|-
|Int32||4||nVersion
|-
|Uint256||32||hashPrevBlock
|-
|Uint256||32||modifiedMerkleRoot
|-
|Uint32||4||nTime
|-
|Uint32||4||nBits
|}

The <code>modifiedMerkleRoot</code> hash is obtained by generating the
merkle root of the block transactions, with the coinbase witness
commitment as is, without the signet extension. This means the merkle
root of the block is different from the merkle root in the signet
commitment, but in return, the block nonce value is the only component
that the signet signature does not commit to. When grinding proof of
work, the extended nonce cannot be used as it would invalidate the
signature. Instead, simply resigning the same (or an updated) block
will give a new search space.

A block is considered fully validated if the above commitment is
found, and its solution is valid. This verification should be done
directly before or after the witness commitment verification.

== Compatibility ==

This specification is backwards compatible in the sense that existing
software can use Signet out of the box.

Simply by adding the network parameters for signet (magic number,
etc), a client can connect to and use any signet network without
further modifications. The block headers have valid proof of work, so
clients can trivially check that blocks are "probably" valid.

However, anyone can mine blocks that are accepted by the client for
any given signet network. These blocks do not contain the required
signatures, however, so any fully validating node will promptly reject
them. As such, clients need to either validate the block signature
inside the coinbase transaction, or connect to trusted peers.

Other software need not add block signature validation code that they
will not use in production. This is adequate for non-production test
purposes where the goal is to have a network behave as much like
mainnet as possible.

== Reference implementation ==

WIP implementation at https://github.com/kallewoof/bitcoin/pull/4

== Acknowledgements ==

TODO

== References ==

# Original mailing list thread:
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2019-March/016734.html
# Bitcoin Wiki entry: https://en.bitcoin.it/wiki/Signet

== Copyright ==

This document is licensed under the Creative Commons CC0 1.0 Universal license.