Thank you.

I can't really see from your proposal if you had thought of this: A soft fork can make old nodes accept invalid message signatures as valid. For example, a "signer" can use a witness version unknown to the verifier to fool the verifier. Witness version is detectable (just reject unknown witness versions) but there may be more subtle changes. Segwit was not "detectable" in that way, for example.

This is the reason why I withdrew BIP120. If you have thought about the above, I'd be very interested.

/Kalle

Sent from my Sinclair ZX81

Den 14 mars 2018 16:10 skrev "Karl Johan Alm via bitcoin-dev" <bitcoin-dev@lists.linuxfoundation.org>:

Hello,

I am considering writing a replacement for the message signing tools
that are currently broken for all but the legacy 1xx addresses. The
approach (suggested by Pieter Wuille) is to do a script based
approach. This does not seem to require a lot of effort for
implementing in Bitcoin Core*. Below is my proposal for this system:

A new structure SignatureProof is added, which is a simple scriptSig &
witnessProgram container that can be serialized. This is passed out
from/into the signer/verifier.

RPC commands:

sign <address> <message> [<prehashed>=false]

Generates a signature proof for <message> using the same method that
would be used to spend coins sent to <address>.**

verify <address> <message> <proof> [<prehashed>=false]

Deserializes and executes the proof using a custom signature checker
whose sighash is derived from <message>. Returns true if the check
succeeds, and false otherwise. The scriptPubKey is derived directly
from <address>.**

Feedback welcome.

-Kalle.

(*) Looks like you can simply use VerifyScript with a new signature
checker class. (h/t Nicolas Dorier)
(**) If <prehashed> is true, <message> is the sighash, otherwise
sighash=sha256d(message).
_______________________________________________
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev