Return-Path: Received: from silver.osuosl.org (smtp3.osuosl.org [140.211.166.136]) by lists.linuxfoundation.org (Postfix) with ESMTP id 555BDC013E for ; Wed, 4 Mar 2020 14:43:28 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by silver.osuosl.org (Postfix) with ESMTP id 4474720469 for ; Wed, 4 Mar 2020 14:43:28 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from silver.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WQFo3TkukWju for ; Wed, 4 Mar 2020 14:43:27 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6 Received: from mail-ed1-f49.google.com (mail-ed1-f49.google.com [209.85.208.49]) by silver.osuosl.org (Postfix) with ESMTPS id A937720009 for ; Wed, 4 Mar 2020 14:43:26 +0000 (UTC) Received: by mail-ed1-f49.google.com with SMTP id n18so2580034edw.9 for ; Wed, 04 Mar 2020 06:43:26 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=uu9BrKVBwA0W0OPBRaAkQz0hdtkDSw4Ly/FjU3gmsMg=; b=uuKRR9kwIpaSeX8HxT7DCwrfbazGcn89u6lqf6EDNCjVPejCIsfT2yHUFbhnas3xhW FJtyqPRH878EsWjQp7A5wH5ZOVQUcKsDh884spPMd266Q70FjM9tkQClY2QCJHh+X56r 3HLkFoYHPUtjcMrAXaxcMAP1QjTdGXxTw6Y7IhQ4JVzhN2nGJhfE39DpVadcMFPHG+he xFIzz7K2IwfMoZ4wfEHSfIrlUCAteGM5aaU9A4nAOCyU+Ap5dKUgDd94UqIyXlnYGIpa /gWg+aUYR8nievP4Wh4U+OZgMrmRP/TRus3U1rCMS2SOa9+a54lKWptEuSCtWhi1Qmy6 qyDg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=uu9BrKVBwA0W0OPBRaAkQz0hdtkDSw4Ly/FjU3gmsMg=; b=nsKM2CErT4AYBBOUfHHpE1QhFBdfe9BXoPv8erW0ZqloZSi+iStpsbTpAWWozyL98o I99BY9tuz7G3mSnmFOEmpEl8Jn0d+xUXyIhITkre2duCLOpD53fsd1ZYuHjczpOjsM2o bQ+mbrpVJtv0EMztgxDOPGfQbM8WwMQTDHfr/0aIXBMTuafwexZEyvHrs/EjVC68VxXs +5LKrg9jtejSXRIcPFnJgaK4tubCj1VOq2oHsTj0oIdOp/PSd5yxWhatq19akb37keKC V5ovU+YLl5Ob7jtq8e9AY0lUVULZiRWtiBHqs5Y4Hvhpzs050J5GsqJ4ySHWK3g4IFD5 7Hrw== X-Gm-Message-State: ANhLgQ3bpBoozoyT9VeGxmSsUKMOFaqaYYNsWRSUQTywHbUNeRgMRJ/r psLwA3UjD4h47D6jfnRRYtMMIinuI7pyGjlXP2bJO+Be X-Google-Smtp-Source: ADFU+vvDMSJhS8YW1YF5rjgR7vU2CMkz+anGZhqLLByr9ig02gZ0EiyyNKyDqdEV9DoGS4MctKUrldwtNNgBQzJZWRw= X-Received: by 2002:a17:906:7d5:: with SMTP id m21mr2875151ejc.356.1583333005022; Wed, 04 Mar 2020 06:43:25 -0800 (PST) MIME-Version: 1.0 References: <202003041435.17644.luke@dashjr.org> In-Reply-To: <202003041435.17644.luke@dashjr.org> From: Greg Sanders Date: Wed, 4 Mar 2020 09:43:13 -0500 Message-ID: To: Luke Dashjr , Bitcoin Protocol Discussion Content-Type: multipart/alternative; boundary="000000000000535b2905a0087121" Subject: Re: [bitcoin-dev] RFC: Kicking BIP-322 (message signing) into motion X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 04 Mar 2020 14:43:28 -0000 --000000000000535b2905a0087121 Content-Type: text/plain; charset="UTF-8" OP_MESSAGEONLY would make "dumb" signers like HWW more difficult to support. They'd have to do script interpretation to make sure they're not signing something real with funds. Just FYI. On Wed, Mar 4, 2020 at 9:35 AM Luke Dashjr via bitcoin-dev < bitcoin-dev@lists.linuxfoundation.org> wrote: > In addition to starting with proof-of-funds instead of proof-of-receiver, > it > would be nice to integrate with Taproot somehow or another. Perhaps > OP_MESSAGEONLY is the most straightforward way to do this? It might be a > good > idea to have a message type after the opcode too. > > On Wednesday 04 March 2020 06:23:53 Karl-Johan Alm via bitcoin-dev wrote: > > Hello, > > > > I noticed recently that a PR to Bitcoin Core that pretty much touched > > everything my BIP-322 pull request touches (around the same > > complexity) was merged without a thought given to BIP-322 > > compatibility, despite the BIP-322 PR being open for 2x the time. I > > can only conclude from this that people dislike BIP-322 in its current > > form, which the 9 month old pull request stagnating can probably > > attest to. > > > > There are several things that I can do to make this a bit more > > appealing to people, which would hopefully kick the progress on this > > forward. I have already put in a non-trivial amount of energy and > > effort into maintaining the pull request as is, so I'd prefer if > > people were harsh and unfiltered in their criticism rather than polite > > and buffered, so I can beat this thing into shape (or abandon it, in > > the worst case). > > > > ============= > > 1. People use signmessage as a way to prove funds. This is misleading > > and should be discouraged; throw the sign message stuff out and > > replace it entirely with a prove funds system. > > > > I know in particular luke-jr is of this opinion, and Greg Maxwell in > > https://github.com/bitcoin/bitcoin/pull/16440#issuecomment-568194168 > > leans towards this opinion as well, it seems. > > > > ============= > > 2. Use a transaction rather than a new format; make the first input's > > txid the message hash to ensure the tx cannot be broadcasted. This has > > the benefit of being able to provide to an existing hardware wallet > > without making any modifications to its firmware. > > > > I think Mark Friedenbach and Johnson Lau are of this opinion, except > > Johnson Lau also suggests that the signature hash is modified, see > > https://github.com/bitcoin/bips/pull/725#issuecomment-420040430 -- > > which defeats the benefit above since now hw wallets can no longer > > sign. > > > > Prusnak (I think he works at Trezor; apologies if I am mistaken) is > > against this idea, and proposes (3) below: > > https://github.com/bitcoin/bips/pull/725#issuecomment-420210488 > > > > ============= > > 3. Use Trezor style > > > > See https://github.com/trezor/trezor-mcu/issues/169 > > > > This has the benefit of already being adopted (which clearly BIP-322 > > is failing hard at right now), but has the drawback that we can no > > longer do *generic* signing; we are stuck with the exact same > > limitations as in the legacy system, which we kinda wanted to fix in > > the updated version. > > > > ============= > > 4. Introduce OP_MESSAGEONLY > > > > Quoting Johnson Lau at > > https://github.com/bitcoin/bips/pull/725#issuecomment-420421058 : > > """ > > OP_MESSAGEONLY means the script following the code would never be > > valid. For example, a scriptPubKey: > > > > OP_IF OP_MESSAGEONLY OP_ELSE OP_ENDIF OP_CHECKSIG > > > > For messaging purpose, OP_MESSAGEONLY is considered as OP_NOP and is > > ignored. A message could be signed with either key_m or key_s. > > > > For spending, only key_s is valid. > > > > I don't think it is a big problem to consume a op_code. If this is a > > real concern, I could modify it as follow: in message system, > > OP_RETURN will pop the top stack. If top stack is msg in hex, it is > > ignored. Otherwise, the script fails. > > """ > > > > ============= > > 5. Some other solution > > _______________________________________________ > > bitcoin-dev mailing list > > bitcoin-dev@lists.linuxfoundation.org > > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > --000000000000535b2905a0087121 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
OP_MESSAGEONLY would make "dumb" signers like HW= W more difficult to support. They'd have to do script interpretation to= make sure they're not signing something real with funds.

Just FYI.

On Wed, Mar 4, 2020 at 9:35 AM Luke Dashjr via bitcoin= -dev <bitcoin-d= ev@lists.linuxfoundation.org> wrote:
In addition to starting with proof-of-funds ins= tead of proof-of-receiver, it
would be nice to integrate with Taproot somehow or another. Perhaps
OP_MESSAGEONLY is the most straightforward way to do this? It might be a go= od
idea to have a message type after the opcode too.

On Wednesday 04 March 2020 06:23:53 Karl-Johan Alm via bitcoin-dev wrote: > Hello,
>
> I noticed recently that a PR to Bitcoin Core that pretty much touched<= br> > everything my BIP-322 pull request touches (around the same
> complexity) was merged without a thought given to BIP-322
> compatibility, despite the BIP-322 PR being open for 2x the time. I > can only conclude from this that people dislike BIP-322 in its current=
> form, which the 9 month old pull request stagnating can probably
> attest to.
>
> There are several things that I can do to make this a bit more
> appealing to people, which would hopefully kick the progress on this > forward. I have already put in a non-trivial amount of energy and
> effort into maintaining the pull request as is, so I'd prefer if > people were harsh and unfiltered in their criticism rather than polite=
> and buffered, so I can beat this thing into shape (or abandon it, in > the worst case).
>
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
> 1. People use signmessage as a way to prove funds. This is misleading<= br> > and should be discouraged; throw the sign message stuff out and
> replace it entirely with a prove funds system.
>
> I know in particular luke-jr is of this opinion, and Greg Maxwell in > https://github.com/bitcoin/= bitcoin/pull/16440#issuecomment-568194168
> leans towards this opinion as well, it seems.
>
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
> 2. Use a transaction rather than a new format; make the first input= 9;s
> txid the message hash to ensure the tx cannot be broadcasted. This has=
> the benefit of being able to provide to an existing hardware wallet > without making any modifications to its firmware.
>
> I think Mark Friedenbach and Johnson Lau are of this opinion, except > Johnson Lau also suggests that the signature hash is modified, see
> https://github.com/bitcoin/bips/= pull/725#issuecomment-420040430 --
> which defeats the benefit above since now hw wallets can no longer
> sign.
>
> Prusnak (I think he works at Trezor; apologies if I am mistaken) is > against this idea, and proposes (3) below:
> https://github.com/bitcoin/bips/= pull/725#issuecomment-420210488
>
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
> 3. Use Trezor style
>
> See https://github.com/trezor/trezor-mcu/issues/= 169
>
> This has the benefit of already being adopted (which clearly BIP-322 > is failing hard at right now), but has the drawback that we can no
> longer do *generic* signing; we are stuck with the exact same
> limitations as in the legacy system, which we kinda wanted to fix in > the updated version.
>
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
> 4. Introduce OP_MESSAGEONLY
>
> Quoting Johnson Lau at
> https://github.com/bitcoin/bips/= pull/725#issuecomment-420421058 :
> """
> OP_MESSAGEONLY means the script following the code would never be
> valid. For example, a scriptPubKey:
>
> OP_IF OP_MESSAGEONLY <key_m> OP_ELSE <key_s> OP_ENDIF OP_C= HECKSIG
>
> For messaging purpose, OP_MESSAGEONLY is considered as OP_NOP and is > ignored. A message could be signed with either key_m or key_s.
>
> For spending, only key_s is valid.
>
> I don't think it is a big problem to consume a op_code. If this is= a
> real concern, I could modify it as follow: in message system,
> OP_RETURN will pop the top stack. If top stack is msg in hex, it is > ignored. Otherwise, the script fails.
> """
>
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
> 5. Some other solution
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org= /mailman/listinfo/bitcoin-dev

_______________________________________________
bitcoin-dev mailing list
= bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mail= man/listinfo/bitcoin-dev
--000000000000535b2905a0087121--