Author: Greg Sanders 2022-07-20 21:50:53
Published on: 2022-07-20T21:50:53+00:00
Ali Sherief has proposed a BIP to address the lack of standardization for Segwit message signatures. The current state of affairs is that wallets that support signing and verifying bitcoin messages can only sign legacy addresses. Although it is technically possible to sign and verify segwit addresses, there is no generally-accepted standard for signing segwit messages, so wallets that do support this feature simply insert the segwit address into the address field. Verification also only works using the procedure on that specific wallet software. The proposed BIP does not replace, supersede, or obsolete BIPs 173 or 322. It simply standardizes the practice of placing the segwit address into the address field and sets guidelines for writing a message signing and verification procedure. In the verification part, the following address hashing algorithms will be tried in sequence in an attempt to reconstruct the address in the signed message: P2PKH (legacy address), P2WPKH-P2SH (nested segwit), and P2WPKH with version from 0 to MAX_WITNESS_VERSION (covers native segwit with version 0 as well as future native segwit address types such as Taproot) - where MAX_WITNESS_VERSION is the maximum supported witness version by the bech32 encoding. The verification procedure stops if any of these hashes yield the correct address and fails if all of the above methods fail to reproduce the address in the signed message. In the signing procedure, the only modification is the insertion of the segwit address in place of the legacy address in the signed message.The proposal does not require any changes to existing signed messages, and the original sign/verify algorithms will continue to interoperate with this improved sign/verify algorithm without any action necessary from the developers. Peter from Coinkite Inc. supports the proposal, stating that COLDCARD makes signatures exactly like that when told to sign with a segwit address. Unfortunately, he does not know of any "verifiers" that will accept the signature. Bitcoin Core does not support verifying that message, even though the UX makes it look possible. In effect, segwit features never got implemented to that depth in Core. Ali Sherief has asked for advice on how he should draft such a BIP and whether there is a BIP for the original signing method. DocHEX from Coinkite suggests that a "defacto" BIP is needed and useful to do, and then Core should be updated to support it as well.
Updated on: 2023-06-15T22:59:46.457980+00:00