Author: Pieter Wuille 2022-07-28 15:27:05
Published on: 2022-07-28T15:27:05+00:00
A recent message on the bitcoin-dev mailing list discussed the compatibility of zero-knowledge proofs, such as Schnorr, with address message signing. It was noted that the public key cannot be retrieved from the address or the signature, making it difficult to prove the authenticity of a Schnorr signature. This was an intentional design choice in BIP340, which prioritized batch verifiability over public key recovery. The author of the message regretted using public key recovery when introducing the old legacy message signing scheme and suggested that script signatures like BIP322 proposes would have been better. They also mentioned that it's possible to avoid relying on public key recovery by including the public key + BIP340 signature in the encoded signature.In response to concerns about compatibility with address signing mechanisms, the author suggested either sacrificing the zero-knowledge part in their BIP or creating a completely separate message signing format just for Taproot. However, they believed that this would be redundant since BIP322 could verify anything and everything and was compatible with every script type.Overall, the author believed that cooperation to move BIP322 forward would be a better solution than inventing new formats.
Updated on: 2023-05-22T20:54:39.209115+00:00