📅 Original date posted:2018-03-14
📝 Original message:On 14 March 2018 5:46:55 AM GMT-04:00, Kalle Rosenbaum via bitcoin-dev <bitcoin-dev at lists.linuxfoundation.org> wrote:
>Thank you.
>
>I can't really see from your proposal if you had thought of this: A
>soft
>fork can make old nodes accept invalid message signatures as valid. For
>example, a "signer" can use a witness version unknown to the verifier
>to
>fool the verifier. Witness version is detectable (just reject unknown
>witness versions) but there may be more subtle changes. Segwit was not
>"detectable" in that way, for example.
>
>This is the reason why I withdrew BIP120. If you have thought about the
>above, I'd be very interested.
>
>/Kalle
>
>Sent from my Sinclair ZX81
>
>Den 14 mars 2018 16:10 skrev "Karl Johan Alm via bitcoin-dev" <
>bitcoin-dev at lists.linuxfoundation.org>:
>
>Hello,
>
>I am considering writing a replacement for the message signing tools
>that are currently broken for all but the legacy 1xx addresses. The
>approach (suggested by Pieter Wuille) is to do a script based
>approach. This does not seem to require a lot of effort for
>implementing in Bitcoin Core*. Below is my proposal for this system:
>
>A new structure SignatureProof is added, which is a simple scriptSig &
>witnessProgram container that can be serialized. This is passed out
>from/into the signer/verifier.
>
>RPC commands:
>
>sign <address> <message> [<prehashed>=false]
>
>Generates a signature proof for <message> using the same method that
>would be used to spend coins sent to <address>.**
>
>verify <address> <message> <proof> [<prehashed>=false]
>
>Deserializes and executes the proof using a custom signature checker
>whose sighash is derived from <message>. Returns true if the check
>succeeds, and false otherwise. The scriptPubKey is derived directly
>from <address>.**
>
>Feedback welcome.
>
>-Kalle.
>
>(*) Looks like you can simply use VerifyScript with a new signature
>checker class. (h/t Nicolas Dorier)
>(**) If <prehashed> is true, <message> is the sighash, otherwise
>sighash=sha256d(message).
>_______________________________________________
>bitcoin-dev mailing list
>bitcoin-dev at lists.linuxfoundation.org
>https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
Wouldn't it be sufficient for old nodes to check for standardness of the spending script and report non-standard scripts as either invalid outright, or at least highly questionable? That should prevent confusion as long as soft forks are only making nonstandard behaviours invalid.
Cheers,
aj
--
Sent from my phone.
Anthony Towns [ARCHIVE] /
npub17r…x9l2h
2023-06-07 20:11:13
in reply to nevent1q…rvwf
Author Public Key
npub17rld56k4365lfphyd8u8kwuejey5xcazdxptserx03wc4jc9g24stx9l2hPublished at
2023-06-07 20:11:13Event JSON
{
"id": "69e4265e9d5241c48fa53c47640e48b625f6d7ba7267e205d11fdbc681438bc4",
"pubkey": "f0feda6ad58ea9f486e469f87b3b9996494363a26982b864667c5d8acb0542ab",
"created_at": 1686161473,
"kind": 1,
"tags": [
[
"e",
"fde6d8b8cd384fa838810364bd9a6edd18aea9246ae8127a644187087642ae18",
"",
"root"
],
[
"e",
"658cca8111e361bba60ebfe6be0606048499035d47e935b09a5a10c1d5c398b8",
"",
"reply"
],
[
"p",
"e39d9ce3b0ed9cbb17528b25bb4b33bcee465476e44ea5980fb6f2693b97ab95"
]
],
"content": "📅 Original date posted:2018-03-14\n📝 Original message:On 14 March 2018 5:46:55 AM GMT-04:00, Kalle Rosenbaum via bitcoin-dev \u003cbitcoin-dev at lists.linuxfoundation.org\u003e wrote:\n\u003eThank you.\n\u003e\n\u003eI can't really see from your proposal if you had thought of this: A\n\u003esoft\n\u003efork can make old nodes accept invalid message signatures as valid. For\n\u003eexample, a \"signer\" can use a witness version unknown to the verifier\n\u003eto\n\u003efool the verifier. Witness version is detectable (just reject unknown\n\u003ewitness versions) but there may be more subtle changes. Segwit was not\n\u003e\"detectable\" in that way, for example.\n\u003e\n\u003eThis is the reason why I withdrew BIP120. If you have thought about the\n\u003eabove, I'd be very interested.\n\u003e\n\u003e/Kalle\n\u003e\n\u003eSent from my Sinclair ZX81\n\u003e\n\u003eDen 14 mars 2018 16:10 skrev \"Karl Johan Alm via bitcoin-dev\" \u003c\n\u003ebitcoin-dev at lists.linuxfoundation.org\u003e:\n\u003e\n\u003eHello,\n\u003e\n\u003eI am considering writing a replacement for the message signing tools\n\u003ethat are currently broken for all but the legacy 1xx addresses. The\n\u003eapproach (suggested by Pieter Wuille) is to do a script based\n\u003eapproach. This does not seem to require a lot of effort for\n\u003eimplementing in Bitcoin Core*. Below is my proposal for this system:\n\u003e\n\u003eA new structure SignatureProof is added, which is a simple scriptSig \u0026\n\u003ewitnessProgram container that can be serialized. This is passed out\n\u003efrom/into the signer/verifier.\n\u003e\n\u003eRPC commands:\n\u003e\n\u003esign \u003caddress\u003e \u003cmessage\u003e [\u003cprehashed\u003e=false]\n\u003e\n\u003eGenerates a signature proof for \u003cmessage\u003e using the same method that\n\u003ewould be used to spend coins sent to \u003caddress\u003e.**\n\u003e\n\u003everify \u003caddress\u003e \u003cmessage\u003e \u003cproof\u003e [\u003cprehashed\u003e=false]\n\u003e\n\u003eDeserializes and executes the proof using a custom signature checker\n\u003ewhose sighash is derived from \u003cmessage\u003e. Returns true if the check\n\u003esucceeds, and false otherwise. The scriptPubKey is derived directly\n\u003efrom \u003caddress\u003e.**\n\u003e\n\u003eFeedback welcome.\n\u003e\n\u003e-Kalle.\n\u003e\n\u003e(*) Looks like you can simply use VerifyScript with a new signature\n\u003echecker class. (h/t Nicolas Dorier)\n\u003e(**) If \u003cprehashed\u003e is true, \u003cmessage\u003e is the sighash, otherwise\n\u003esighash=sha256d(message).\n\u003e_______________________________________________\n\u003ebitcoin-dev mailing list\n\u003ebitcoin-dev at lists.linuxfoundation.org\n\u003ehttps://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev\n\nWouldn't it be sufficient for old nodes to check for standardness of the spending script and report non-standard scripts as either invalid outright, or at least highly questionable? That should prevent confusion as long as soft forks are only making nonstandard behaviours invalid.\n\nCheers,\naj\n\n-- \nSent from my phone.",
"sig": "2eddbdd278671876bc27afda6e7ba25df6883837446309bc3c46a47ea64a34ddb08b69c9287ba091cdbc5e9d2c2b934ac3f82689a95215a12a1688e207ba83d7"
}