From: Damian Williamson
To: Luke Dashjr; Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Date: Thu, 15 Mar 2018 10:15:17 +0000
Subject: Re: [bitcoin-dev] {sign|verify}message replacement
In-Reply-To: <201803141236.48869.luke@dashjr.org>

That is very helpful Luke.
I would not have been concerned if it was necessary to sign multiple times for multiple UTXOs on different addresses but, since it is a feature, it may as well be best usable. Signing for multiple inputs, verifying that you have the priv key for each in your wallet, is certainly usable for this popular misuse.

> Ideally, it should support not only just "proof I receive at this address",
> but also "proof of funds" (as a separate feature) since this is a popular
> misuse of the current message signing (which doesn't actually prove funds at
> all). To do this, it needs to be capable of signing for multiple inputs.

________________________________
From: bitcoin-dev-bounces@lists.linuxfoundation.org on behalf of Luke Dashjr via bitcoin-dev
Sent: Wednesday, 14 March 2018 11:36:47 PM
To: Karl Johan Alm; Bitcoin Protocol Discussion
Subject: Re: [bitcoin-dev] {sign|verify}message replacement

I don't see a need for a new RPC interface, just a new signature format.

Ideally, it should support not only just "proof I receive at this address",
but also "proof of funds" (as a separate feature) since this is a popular
misuse of the current message signing (which doesn't actually prove funds at
all). To do this, it needs to be capable of signing for multiple inputs.
Preferably, it should also avoid disclosing the public key for existing or
future UTXOs. But I don't think it's possible to avoid this without something
MAST-like first. Perhaps it can be a MAST upgrade later on, but the new
signature scheme should probably be designed with it in mind.

Luke

On Wednesday 14 March 2018 8:09:20 AM Karl Johan Alm via bitcoin-dev wrote:
> Hello,
>
> I am considering writing a replacement for the message signing tools
> that are currently broken for all but the legacy 1xx addresses. The
> approach (suggested by Pieter Wuille) is to do a script-based
> approach. This does not seem to require a lot of effort for
> implementing in Bitcoin Core*. Below is my proposal for this system:
>
> A new structure SignatureProof is added, which is a simple scriptSig &
> witnessProgram container that can be serialized. This is passed out
> from/into the signer/verifier.
>
> RPC commands:
>
> sign <address> <message> [<prehashed>=false]
>
> Generates a signature proof for <message> using the same method that
> would be used to spend coins sent to <address>.**
>
> verify <address> <message> <proof> [<prehashed>=false]
>
> Deserializes and executes the proof using a custom signature checker
> whose sighash is derived from <message>. Returns true if the check
> succeeds, and false otherwise. The scriptPubKey is derived directly
> from <address>.**
>
> Feedback welcome.
>
> -Kalle.
>
> (*) Looks like you can simply use VerifyScript with a new signature
> checker class. (h/t Nicolas Dorier)
> (**) If <prehashed> is true, <message> is the sighash, otherwise
> sighash=sha256d(message).

_______________________________________________
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev