Delivery-date: Sun, 05 May 2024 07:54:36 -0700
Sender: bitcoindev@googlegroups.com
Received-SPF: pass (google.com: domain of luke@dashjr.org designates 192.3.11.21 as permitted sender) client-ip=192.3.11.21;
Content-Type: multipart/alternative;
 boundary="------------Aujo0o2M0Gz3kQf5GKwVZcPV"
Message-ID: <b7861fc2-d980-4c3a-a472-ea7aead01692@dashjr.org>
Date: Sun, 5 May 2024 10:50:12 -0400
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: [bitcoindev] BIP 322 use case
To: bitcoindev@googlegroups.com
References: <9004c5d4-6b9d-4ac1-834c-902ba4901e05n@googlegroups.com>
 <e617f6eb-dd11-4ca2-aba6-f80ace8863a8@dashjr.org>
 <5fcc4168-b4fd-4efd-b11c-6bbf852871ccn@googlegroups.com>
Content-Language: en-US, en-GB
From: Luke Dashjr <luke@dashjr.org>
In-Reply-To: <5fcc4168-b4fd-4efd-b11c-6bbf852871ccn@googlegroups.com>
Precedence: list
Mailing-list: list bitcoindev@googlegroups.com; contact bitcoindev+owners@googlegroups.com

This is a multi-part message in MIME format.
--------------Aujo0o2M0Gz3kQf5GKwVZcPV
Content-Type: text/plain; charset="UTF-8"; format=flowed
Content-Transfer-Encoding: quoted-printable

Addresses are not tied to UTXOs. A proof-of-funds would only ever be=20
proving a numeric amount, not an address. While the proof would=20
necessarily use UTXOs behind-the-scenes, the signature would not be=20
committing to those specific UTXOs being the property of the=20
message-signer; this property is necessary for plausible deniability as=20
well as hot/cold wallet separation (multiple users could have signed=20
messages using the same UTXOs, yet reflecting distinct bitcoin claims).

Proof-of-sender, on the other hand, would make a claim to have sent a=20
specific txid and output index. Where this gets fairly complicated is=20
that it's somewhat important to have a mechanism that is compatible with=20
coinjoins, and without requiring the coinjoin participants to keep in=20
contact after the transaction is formed. It should able be compatible=20
with signing for transactions sent without preparation to sign messages=20
later. Ultimately, this requires delegation.

And since it wouldn't be great to be able to distinguish between=20
delegated and non-delegated, probably everything should just always be=20
delegated (perhaps to a deterministic keypair in some scenarios).

There's also potentially a use case for accepting an opcode rejects on=20
mainnet as invalid, so tapscripts can commit to sign-only script paths.

One thing all the current message signing standards lack is some kind of=20
magic heading to identify what they are, like bech32's "bc1" prefix.=20
This would be a trivial addition rather than trying to decode signatures=20
N different ways and seeing which verify.

I do agree being able to, at least internally, convert to/from PSBTs=20
would improve compatibility significantly. This was the approach I aimed=20
for when I tried to tackle it a few months ago. One limitation with=20
PSBTs is that each input needs non-witness and/or witness input data -=20
repeatedly, if multiple of the same transaction's outputs are used as=20
inputs. To address that, I was planning to support having them refer=20
back to previous inputs' data.

Hope all this helps, if someone wants to pick up the task...

Luke

On 5/5/24 08:09, Ali Sherief wrote:
> >=C2=A0But the feature with much higher demand is proof-of-funds and=20
> proof-of-sender, which BIP322 began to address, but turns out to be=20
> much more complicated than it seems at face value (I recently looked=20
> into this again as part of relaunching OCEAN).
>
> BIP322 is trying to figure two things: Collecting an authentic UTXO=20
> set for a given list of addresses, and actually making the signed=20
> message. It appears that only the latter of the two has been solved.
>
> I think one of the things that would help unstuck this is an RPC for=20
> getting the UTXO set of a list of addresses. I am aware that this is=20
> already possible with some SPV implementations, but to have the=20
> functionality directly in Core would make this BIP more viable.
>
> >=C2=A0That being said, BIP322 as-is has already been adopted by at least=
=20
> some wallets, despite its unfinished state. So if someone were to pick=20
> up this task, it would probably need to be done as a new BIP
>
> Probably the best solution would be to make a split, where the BIP322=20
> draft as it currently is can be used unofficially and then programmed=20
> into software that needs it, and then you can have the actual=20
> authentication/contract mechanism constructed in a new BIP. Actually,=20
> we already have some of the framework for this in Core, since PSBTs=20
> can be used to distribute and sign "message contracts". All that's=20
> needed is an RPC to get the UTXO set and another to create an unsigned=20
> template transaction for the message.
>
> -Ali
>
> On Saturday, May 4, 2024 at 12:14:53=E2=80=AFAM UTC Luke Dashjr wrote:
>
>     KYC is not an intended use case for signed messages, and attempts
>     to use it for that are probably one of the bigger reasons BIP322
>     has not moved further - most people do not want to encourage nor
>     enable such nonsense. If you absolutely must only allow withdrawls
>     to the user's own address, I would suggest taking a more
>     traditional approach of asking the user to affirm it with a
>     checkbox. (This is not legal advice, but it seems crazy to demand
>     cryptographic proof from Bitcoin companies, when traditional
>     finance is okay with a mere attestation)
>
>     Technically speaking, however, the biggest hurdle is that there is
>     very little apparent interest in the one limited use case it *is*
>     meant for: agreeing to a contract before funds are sent. To a
>     limited extent, a secondary use case has been simply using Bitcoin
>     addresses as a kind of login mechanism (eg, #Bitcoin-OTC and
>     OCEAN). But the feature with much higher demand is proof-of-funds
>     and proof-of-sender, which BIP322 began to address, but turns out
>     to be much more complicated than it seems at face value (I
>     recently looked into this again as part of relaunching OCEAN).
>     That being said, BIP322 as-is has already been adopted by at least
>     some wallets, despite its unfinished state. So if someone were to
>     pick up this task, it would probably need to be done as a new BIP. :/
>
>     Luke
>
>
>     On 5/3/24 19:53, ProfEduStream wrote:
>>
>>     Hey,
>>
>>     As a Bitcoin association, we're currently facing an issue because
>>     we're unable to sign an address with our multi-sig wallet.
>>     After conducting some research, I came across BIP322 in these
>>     threads:https://bitcointalk.org/index.php?topic=3D5408898.0 &
>>     https://github.com/bitcoin/bips/pull/1347
>>
>>     _Explanation_:
>>
>>     As a Bitcoin association, we offer membership to everyone for a
>>     few thousand sats per year. To facilitate this process, we
>>     utilize "Swiss Bitcoin Pay". It's an application that allows us
>>     to easily manage our accounting. Additionally, we onboard
>>     merchants with this app because of its user-friendly interface
>>     and self-custodial capabilities, making it very convenient. The
>>     accounting features are also highly beneficial.
>>
>>     To utilize this application in a self-custodial manner, users
>>     need to paste a Bitcoin address on the "Swiss Bitcoin Pay"
>>     dashboard and then sign a message with this address. This serves
>>     as a "Proof-of-Ownership" and is a legal requirement in some
>>     regulated countries. "Swiss Bitcoin Pay" is not the only
>>     application that requires signing a message as a
>>     "Proof-of-Ownership". Peach, a non-KYC P2P Bitcoin application,
>>     is another example.
>>
>>     Given our goal to decentralize our treasury, we naturally opt for
>>     a multi-sig wallet, similar to many companies. However, as you
>>     know, BIP 322 hasn't been pushed and it's currently impossible to
>>     sign a message with a multi-sig wallet.
>>
>>
>>     _Conclusion_:
>>
>>     I'm unsure why BIP322 hasn't been pushed or addressed in the past
>>     few months/years, but I want to highlight its necessity.
>>     Additionally, I hope that this comment sheds light on a
>>     deficiency in our Bitcoin ecosystem, and I trust that further
>>     improvements will be made to enable people to sign a message with
>>     a multi-sig wallet.
>>
>>
>>     I'm available to assist if needed.
>>
>>     @ProfEduStream
>>
>>     --=20
>>     You received this message because you are subscribed to the
>>     Google Groups "Bitcoin Development Mailing List" group.
>>     To unsubscribe from this group and stop receiving emails from it,
>>     send an email to bitcoindev+...@googlegroups.com.
>>     To view this discussion on the web visit
>>     https://groups.google.com/d/msgid/bitcoindev/9004c5d4-6b9d-4ac1-834c=
-902ba4901e05n%40googlegroups.com
>>     <https://groups.google.com/d/msgid/bitcoindev/9004c5d4-6b9d-4ac1-834=
c-902ba4901e05n%40googlegroups.com?utm_medium=3Demail&utm_source=3Dfooter>.
>
> --=20
> You received this message because you are subscribed to the Google=20
> Groups "Bitcoin Development Mailing List" group.
> To unsubscribe from this group and stop receiving emails from it, send=20
> an email to bitcoindev+unsubscribe@googlegroups.com.
> To view this discussion on the web visit=20
> https://groups.google.com/d/msgid/bitcoindev/5fcc4168-b4fd-4efd-b11c-6bbf=
852871ccn%40googlegroups.com=20
> <https://groups.google.com/d/msgid/bitcoindev/5fcc4168-b4fd-4efd-b11c-6bb=
f852871ccn%40googlegroups.com?utm_medium=3Demail&utm_source=3Dfooter>.

--=20
You received this message because you are subscribed to the Google Groups "=
Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an e=
mail to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/=
bitcoindev/b7861fc2-d980-4c3a-a472-ea7aead01692%40dashjr.org.

--------------Aujo0o2M0Gz3kQf5GKwVZcPV
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE html>
<html>
  <head>
    <meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3DUTF-8=
">
  </head>
  <body>
    <p>Addresses are not tied to UTXOs. A proof-of-funds would only ever
      be proving a numeric amount, not an address. While the proof would
      necessarily use UTXOs behind-the-scenes, the signature would not
      be committing to those specific UTXOs being the property of the
      message-signer; this property is necessary for plausible
      deniability as well as hot/cold wallet separation (multiple users
      could have signed messages using the same UTXOs, yet reflecting
      distinct bitcoin claims).</p>
    <p>Proof-of-sender, on the other hand, would make a claim to have
      sent a specific txid and output index. Where this gets fairly
      complicated is that it's somewhat important to have a mechanism
      that is compatible with coinjoins, and without requiring the
      coinjoin participants to keep in contact after the transaction is
      formed. It should able be compatible with signing for transactions
      sent without preparation to sign messages later. Ultimately, this
      requires delegation.</p>
    <p>And since it wouldn't be great to be able to distinguish between
      delegated and non-delegated, probably everything should just
      always be delegated (perhaps to a deterministic keypair in some
      scenarios).</p>
    <p>There's also potentially a use case for accepting an opcode
      rejects on mainnet as invalid, so tapscripts can commit to
      sign-only script paths.</p>
    <p>One thing all the current message signing standards lack is some
      kind of magic heading to identify what they are, like bech32's
      "bc1" prefix. This would be a trivial addition rather than trying
      to decode signatures N different ways and seeing which verify.</p>
    <p>I do agree being able to, at least internally, convert to/from
      PSBTs would improve compatibility significantly. This was the
      approach I aimed for when I tried to tackle it a few months ago.
      One limitation with PSBTs is that each input needs non-witness
      and/or witness input data - repeatedly, if multiple of the same
      transaction's outputs are used as inputs. To address that, I was
      planning to support having them refer back to previous inputs'
      data.</p>
    <p>Hope all this helps, if someone wants to pick up the task...</p>
    <p>Luke<br>
    </p>
    <div class=3D"moz-cite-prefix">On 5/5/24 08:09, Ali Sherief wrote:<br>
    </div>
    <blockquote type=3D"cite"
      cite=3D"mid:5fcc4168-b4fd-4efd-b11c-6bbf852871ccn@googlegroups.com">
      <div>&gt;=C2=A0But the feature with much higher demand is
        proof-of-funds and proof-of-sender, which BIP322 began to
        address, but turns out to be much more complicated than it seems
        at face value (I recently looked into this again as part of
        relaunching OCEAN).</div>
      <div><br>
      </div>
      <div>BIP322 is trying to figure two things: Collecting an
        authentic UTXO set for a given list of addresses, and actually
        making the signed message. It appears that only the latter of
        the two has been solved.</div>
      <div><br>
      </div>
      <div>I think one of the things that would help unstuck this is an
        RPC for getting the UTXO set of a list of addresses. I am aware
        that this is already possible with some SPV implementations, but
        to have the functionality directly in Core would make this BIP
        more viable.</div>
      <div><br>
      </div>
      &gt;=C2=A0That being said, BIP322 as-is has already been adopted by a=
t
      least some wallets, despite its unfinished state. So if someone
      were to pick up this task, it would probably need to be done as a
      new BIP
      <div><br>
      </div>
      <div>Probably the best solution would be to make a split, where
        the BIP322 draft as it currently is can be used unofficially and
        then programmed into software that needs it, and then you can
        have the actual authentication/contract mechanism constructed in
        a new BIP. Actually, we already have some of the framework for
        this in Core, since PSBTs can be used to distribute and sign
        "message contracts". All that's needed is an RPC to get the UTXO
        set and another to create an unsigned template transaction for
        the message.</div>
      <div><br>
      </div>
      <div>-Ali<br>
        <br>
        <div>
          <div dir=3D"auto">On Saturday, May 4, 2024 at 12:14:53=E2=80=AFAM=
 UTC
            Luke Dashjr wrote:<br>
          </div>
          <blockquote>
            <div>
              <p>KYC is not an intended use case for signed messages,
                and attempts to use it for that are probably one of the
                bigger reasons BIP322 has not moved further - most
                people do not want to encourage nor enable such
                nonsense. If you absolutely must only allow withdrawls
                to the user's own address, I would suggest taking a more
                traditional approach of asking the user to affirm it
                with a checkbox. (This is not legal advice, but it seems
                crazy to demand cryptographic proof from Bitcoin
                companies, when traditional finance is okay with a mere
                attestation)<br>
              </p>
              <p>Technically speaking, however, the biggest hurdle is
                that there is very little apparent interest in the one
                limited use case it *is* meant for: agreeing to a
                contract before funds are sent. To a limited extent, a
                secondary use case has been simply using Bitcoin
                addresses as a kind of login mechanism (eg, #Bitcoin-OTC
                and OCEAN). But the feature with much higher demand is
                proof-of-funds and proof-of-sender, which BIP322 began
                to address, but turns out to be much more complicated
                than it seems at face value (I recently looked into this
                again as part of relaunching OCEAN). That being said,
                BIP322 as-is has already been adopted by at least some
                wallets, despite its unfinished state. So if someone
                were to pick up this task, it would probably need to be
                done as a new BIP. :/<br>
              </p>
              <p>Luke</p>
            </div>
            <div>
              <p><br>
              </p>
              <div>On 5/3/24 19:53, ProfEduStream wrote:<br>
              </div>
            </div>
            <div>
              <blockquote type=3D"cite">
                <p dir=3D"auto">Hey,</p>
                <p dir=3D"auto">As a Bitcoin association, we're currently
                  facing an issue because we're unable to sign an
                  address with our multi-sig wallet.<br>
                  After conducting some research, I came across BIP322
                  in these threads:<span> </span><a
href=3D"https://bitcointalk.org/index.php?topic=3D5408898.0" target=3D"_bla=
nk"
                    rel=3D"nofollow" moz-do-not-send=3D"true"
                    class=3D"moz-txt-link-freetext">https://bitcointalk.org=
/index.php?topic=3D5408898.0</a>
                  &amp; <a
                    href=3D"https://github.com/bitcoin/bips/pull/1347"
                    target=3D"_blank" rel=3D"nofollow"
                    moz-do-not-send=3D"true" class=3D"moz-txt-link-freetext=
">https://github.com/bitcoin/bips/pull/1347</a><br>
                  <br>
                </p>
                <p dir=3D"auto"><u>Explanation</u>:</p>
                <p dir=3D"auto">As a Bitcoin association, we offer
                  membership to everyone for a few thousand sats per
                  year. To facilitate this process, we utilize "Swiss
                  Bitcoin Pay". It's an application that allows us to
                  easily manage our accounting. Additionally, we onboard
                  merchants with this app because of its user-friendly
                  interface and self-custodial capabilities, making it
                  very convenient. The accounting features are also
                  highly beneficial.</p>
                <p dir=3D"auto">To utilize this application in a
                  self-custodial manner, users need to paste a Bitcoin
                  address on the "Swiss Bitcoin Pay" dashboard and then
                  sign a message with this address. This serves as a
                  "Proof-of-Ownership" and is a legal requirement in
                  some regulated countries. "Swiss Bitcoin Pay" is not
                  the only application that requires signing a message
                  as a "Proof-of-Ownership". Peach, a non-KYC P2P
                  Bitcoin application, is another example.</p>
                <p dir=3D"auto">Given our goal to decentralize our
                  treasury, we naturally opt for a multi-sig wallet,
                  similar to many companies. However, as you know, BIP
                  322 hasn't been pushed and it's currently impossible
                  to sign a message with a multi-sig wallet.</p>
                <p dir=3D"auto"><br>
                </p>
                <p dir=3D"auto"><u>Conclusion</u>:</p>
                <p dir=3D"auto">I'm unsure why BIP322 hasn't been pushed
                  or addressed in the past few months/years, but I want
                  to highlight its necessity.<br>
                  Additionally, I hope that this comment sheds light on
                  a deficiency in our Bitcoin ecosystem, and I trust
                  that further improvements will be made to enable
                  people to sign a message with a multi-sig wallet.</p>
                <p dir=3D"auto"><br>
                </p>
                <p dir=3D"auto">I'm available to assist if needed<span>.</s=
pan></p>
                <p dir=3D"auto"><span>@ProfEduStream<br>
                  </span></p>
              </blockquote>
            </div>
            <div>
              <blockquote type=3D"cite"> -- <br>
                You received this message because you are subscribed to
                the Google Groups "Bitcoin Development Mailing List"
                group.<br>
                To unsubscribe from this group and stop receiving emails
                from it, send an email to <a rel=3D"nofollow"
                  moz-do-not-send=3D"true">bitcoindev+...@googlegroups.com<=
/a>.<br>
                To view this discussion on the web visit <a
href=3D"https://groups.google.com/d/msgid/bitcoindev/9004c5d4-6b9d-4ac1-834=
c-902ba4901e05n%40googlegroups.com?utm_medium=3Demail&amp;utm_source=3Dfoot=
er"
                  target=3D"_blank" rel=3D"nofollow" moz-do-not-send=3D"tru=
e">https://groups.google.com/d/msgid/bitcoindev/9004c5d4-6b9d-4ac1-834c-902=
ba4901e05n%40googlegroups.com</a>.<br>
              </blockquote>
            </div>
          </blockquote>
          <div>=C2=A0</div>
        </div>
      </div>
      -- <br>
      You received this message because you are subscribed to the Google
      Groups "Bitcoin Development Mailing List" group.<br>
      To unsubscribe from this group and stop receiving emails from it,
      send an email to <a
        href=3D"mailto:bitcoindev+unsubscribe@googlegroups.com"
        moz-do-not-send=3D"true" class=3D"moz-txt-link-freetext">bitcoindev=
+unsubscribe@googlegroups.com</a>.<br>
      To view this discussion on the web visit <a
href=3D"https://groups.google.com/d/msgid/bitcoindev/5fcc4168-b4fd-4efd-b11=
c-6bbf852871ccn%40googlegroups.com?utm_medium=3Demail&amp;utm_source=3Dfoot=
er"
        moz-do-not-send=3D"true">https://groups.google.com/d/msgid/bitcoind=
ev/5fcc4168-b4fd-4efd-b11c-6bbf852871ccn%40googlegroups.com</a>.<br>
    </blockquote>
  </body>
</html>

<p></p>

-- <br />
You received this message because you are subscribed to the Google Groups &=
quot;Bitcoin Development Mailing List&quot; group.<br />
To unsubscribe from this group and stop receiving emails from it, send an e=
mail to <a href=3D"mailto:bitcoindev+unsubscribe@googlegroups.com">bitcoind=
ev+unsubscribe@googlegroups.com</a>.<br />
To view this discussion on the web visit <a href=3D"https://groups.google.c=
om/d/msgid/bitcoindev/b7861fc2-d980-4c3a-a472-ea7aead01692%40dashjr.org?utm=
_medium=3Demail&utm_source=3Dfooter">https://groups.google.com/d/msgid/bitc=
oindev/b7861fc2-d980-4c3a-a472-ea7aead01692%40dashjr.org</a>.<br />

--------------Aujo0o2M0Gz3kQf5GKwVZcPV--