š
Original date posted:2022-08-16
š Original message:(Note: I'm going to stick with this thread for all proposals for BIP322 polishing, not just delegation - unless the subject matter changes radically as other people discuss it.)
Instead of the admittingly complicated scheme using transactions, I've created one that utilizes multisig to make the possible delegatees known at signing time. I had a discussion with vjudeu, garlonicon, and aliashraf about this over the past week or so, and while we did not reach a consensus about the solution to use, I feel that this scheme requires the least amount of modifications to BIP322 draft.
The problem being solved is how to delegate signatures to other scriptPubKeys* [sic] for privacy purposes.
*Here, I use P2WPKH addresses, under the assumption that the delegatees are people. If the delegatees are just some automated scripts or processes [as was mentioned in the BIP], then this scheme is equally valid with P2WSH multisignatures with appropriately constructed scriptPubKeys.
What's about to follow was copied almost word-for-word from my forum post with extraneous paragraphs removed:
---
It is extremely simple and doesn't require any additional transactions:
- Replace the message challenge of "to_spend" with a 1-of-N standard P2WPKH multisig. N is the number of people you want to be able to create the signature, and their respective pubkeys are included in the script.
-- In this way the possible delegatees are fixed at signature creation time and cannot be extended by creating more transactions.
- Replace the challenge solution in "to_sign" (it's the input that spends the output we made in "to_spend") with a witness stack containing: n <pub1> <pub2> ... <pubn> 1 <a-signature> 0
-- The signature is generated as if it were for a real P2WPKH-multisig transaction. [the zero at the end is due to a bug in OP_CHECKMULTISIG that pops an extra element].
appendix - don't mix up this delegation and Full with UTXOs together - it increases the numebr of permutations that implementations have to verify.
Pros:
- No recursive transactions.
- If Alice and Bob are the two delegates of a signature (and one of them sign it), Carol does not know any of the private keys or challenge solutions and thus cannot claim the script was signed by her [besides the public keys of Alice and Bob are already in the signature]. Required, to avoid signature fraud.
- The Address field is not used when delegating, so the engine can actually print which (compressed) public key it is signed against - i.e. the address verification is provable, as opposed to reactive Legacy signatures.
-- Additionally, they will all be Segwit Bech32 addresses so it can just derive and print the corresponding bc1 address instead.
- There is no opcode or new algorithm introduced, so no soft-fork is required.
Cons:
- Everyone knows the public keys of the delegators, so there is no privacy [then again, in light of the signature fraud problem, this is possibly a non-issue].
---
I'd like to hear everyone's opinions about this.
I don't know who suggested the idea of delegation in the first place, but CCing luke-jr because he participated in that Github discussion, so his opinion about this scheme will clarify a lot of things about this problem.
- Ali
Ali Sherief [ARCHIVE] /
npub1xqā¦q2u5f
2023-06-08 01:12:41
in reply to nevent1qā¦jv43
Author Public Key
npub1xq96jnxfzrdq4zgre20yqjrjsd29vcw8ymypl4v59cg6q6p66cts8q2u5fPublished at
2023-06-08 01:12:41Event JSON
{
"id": "be89223b44fd28c9dfe24923fdbf012bcd70b03f51c87f1359c2a631f86be41f",
"pubkey": "300ba94cc910da0a8903ca9e40487283545661c726c81fd5942e11a0683ad617",
"created_at": 1686179561,
"kind": 1,
"tags": [
[
"e",
"94ff9a1b369e399138d10b54fe910d13ee4f990134d345c38243fe52d6e9a666",
"",
"root"
],
[
"e",
"4250c10863355401c66519ddc417d5ba5a7bc0460bc1b4fbce32d74ae0499a41",
"",
"reply"
],
[
"p",
"300ba94cc910da0a8903ca9e40487283545661c726c81fd5942e11a0683ad617"
]
],
"content": "š
Original date posted:2022-08-16\nš Original message:(Note: I'm going to stick with this thread for all proposals for BIP322 polishing, not just delegation - unless the subject matter changes radically as other people discuss it.)\n\nInstead of the admittingly complicated scheme using transactions, I've created one that utilizes multisig to make the possible delegatees known at signing time. I had a discussion with vjudeu, garlonicon, and aliashraf about this over the past week or so, and while we did not reach a consensus about the solution to use, I feel that this scheme requires the least amount of modifications to BIP322 draft.\n\nThe problem being solved is how to delegate signatures to other scriptPubKeys* [sic] for privacy purposes.\n\n*Here, I use P2WPKH addresses, under the assumption that the delegatees are people. If the delegatees are just some automated scripts or processes [as was mentioned in the BIP], then this scheme is equally valid with P2WSH multisignatures with appropriately constructed scriptPubKeys.\n\nWhat's about to follow was copied almost word-for-word from my forum post with extraneous paragraphs removed:\n\n---\n\nIt is extremely simple and doesn't require any additional transactions:\n\n- Replace the message challenge of \"to_spend\" with a 1-of-N standard P2WPKH multisig. N is the number of people you want to be able to create the signature, and their respective pubkeys are included in the script.\n-- In this way the possible delegatees are fixed at signature creation time and cannot be extended by creating more transactions.\n- Replace the challenge solution in \"to_sign\" (it's the input that spends the output we made in \"to_spend\") with a witness stack containing: n \u003cpub1\u003e \u003cpub2\u003e ... \u003cpubn\u003e 1 \u003ca-signature\u003e 0\n-- The signature is generated as if it were for a real P2WPKH-multisig transaction. [the zero at the end is due to a bug in OP_CHECKMULTISIG that pops an extra element].\n\nappendix - don't mix up this delegation and Full with UTXOs together - it increases the numebr of permutations that implementations have to verify.\n\nPros:\n\n- No recursive transactions.\n- If Alice and Bob are the two delegates of a signature (and one of them sign it), Carol does not know any of the private keys or challenge solutions and thus cannot claim the script was signed by her [besides the public keys of Alice and Bob are already in the signature]. Required, to avoid signature fraud.\n- The Address field is not used when delegating, so the engine can actually print which (compressed) public key it is signed against - i.e. the address verification is provable, as opposed to reactive Legacy signatures.\n-- Additionally, they will all be Segwit Bech32 addresses so it can just derive and print the corresponding bc1 address instead.\n- There is no opcode or new algorithm introduced, so no soft-fork is required.\n\nCons:\n\n- Everyone knows the public keys of the delegators, so there is no privacy [then again, in light of the signature fraud problem, this is possibly a non-issue].\n\n---\n\nI'd like to hear everyone's opinions about this.\n\nI don't know who suggested the idea of delegation in the first place, but CCing luke-jr because he participated in that Github discussion, so his opinion about this scheme will clarify a lot of things about this problem.\n\n- Ali",
"sig": "d6c04b65121e173df0ea3c8b5327e7944682b9dc4dfbda5946a9526b52dd84ef3df2086d2f3648931ae721450dc3e52600f4b15da74b26d7293b33baf545aba8"
}