Board Development & Technical Discussion
Merits 22 from 3 users
Re: BIP 322 draft design and improvement thread
by Pieter Wuille on 10/08/2022, 18:09:35 UTC
⭐ Merited by NotATether (10) ,ABCbits (8) ,nutildah (4)
The Bitcoin script system *is* a (programmable) digital signature scheme, built on top of ECDSA/Schnorr signing, which achow101 is referring to as "script signatures":

  • The "public keys" of this digital signature scheme are the scriptPubKeys in transaction outputs.
  • The "messages" of this scheme are the spending transactions, excluding witness data.
  • The "signatures" of this scheme are the scriptSigs and witnesses in transaction inputs.

It's a programmable signature scheme in that it supports more complex assertions than "a single party with key X agrees"; e.g. it can express agreement of multiple parties (using e.g. a P2SH scriptPubKey with a redeemscript that requires signatures with multiple keys). The actual script semantics are more-or-less irrelevant for this. It just suffices to express the kinds of assertions we care about.

BIP322 is taking this script signature system, and transposing it to a different context: messages that aren't transactions. Everything else remains the same: the scriptPubKeys remain the "public keys" verified against (=addresses), the "signatures" remain scriptSigs/witnesses (but now embedded in a BIP322 signature encoding, rather than being placed in a transaction). However, the "messages" are replaced: instead of using a real transaction, a virtual transaction constructed from the message being signed is used. This permits reusing all the script logic a signer and/or verifier may have (however complex or simplistic that may be) for transactions to be immediately applied to messages.
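The "virtual transaction constructed from the message" in the post above is, in the BIP322 draft, a pair of transactions: a `to_spend` transaction whose single output carries the address's scriptPubKey (the "public key") and whose scriptSig commits to a tagged hash of the message, and a `to_sign` transaction that spends that output. The witness of `to_sign` is the "signature". The following is an added example (not code from the post, from Pieter Wuille, or from any BIP322 implementation) that builds those two transactions from a message and a scriptPubKey and serializes a witness stack into the "simple" signature encoding. It follows the draft's construction as the author of this example recalls it (version 0, locktime 0, sequence 0, a `0x00000000:0xFFFFFFFF` prevout, `OP_0 <32-byte hash>` scriptSig, an `OP_RETURN` output in `to_sign`); the function and field names are this example's own, and the sample scriptPubKey and message are constructed. No ECDSA/Schnorr signing is performed; the point is to show that what gets signed is an ordinary transaction that any existing script verifier already knows how to process.

```python
import base64
import hashlib

# --- minimal Bitcoin serialization helpers (assumed, written for this example) ---

def sha256(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()

def tagged_hash(tag: str, msg: bytes) -> bytes:
    """BIP340-style tagged hash: SHA256(SHA256(tag) || SHA256(tag) || msg)."""
    t = sha256(tag.encode())
    return sha256(t + t + msg)

def varint(n: int) -> bytes:
    """Bitcoin CompactSize encoding."""
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + n.to_bytes(2, "little")
    if n <= 0xFFFFFFFF:
        return b"\xfe" + n.to_bytes(4, "little")
    return b"\xff" + n.to_bytes(8, "little")

def serialize_tx(version: int, vin: list, vout: list, locktime: int) -> bytes:
    """Non-witness serialization: version | inputs | outputs | locktime.
    vin entries: (prev_txid_internal_order, prev_index, script_sig, sequence)
    vout entries: (value_sats, script_pubkey)"""
    raw = version.to_bytes(4, "little", signed=True) + varint(len(vin))
    for prev_txid, prev_n, script_sig, seq in vin:
        raw += prev_txid + prev_n.to_bytes(4, "little")
        raw += varint(len(script_sig)) + script_sig + seq.to_bytes(4, "little")
    raw += varint(len(vout))
    for value, spk in vout:
        raw += value.to_bytes(8, "little") + varint(len(spk)) + spk
    return raw + locktime.to_bytes(4, "little")

def txid_internal(raw_tx: bytes) -> bytes:
    """Double-SHA256 of the non-witness serialization, internal byte order."""
    return sha256(sha256(raw_tx))

# --- BIP322 virtual transactions (construction as recalled by this example's author) ---

def bip322_message_hash(message: bytes) -> bytes:
    return tagged_hash("BIP0322-signed-message", message)

def build_to_spend(message: bytes, message_challenge: bytes) -> bytes:
    """to_spend: one input from the null prevout whose scriptSig is
    OP_0 PUSH32 <message_hash>; one zero-value output paying to the
    address's scriptPubKey (the 'public key' of the script signature scheme)."""
    script_sig = b"\x00\x20" + bip322_message_hash(message)  # OP_0, push 32 bytes
    vin = [(b"\x00" * 32, 0xFFFFFFFF, script_sig, 0)]
    vout = [(0, message_challenge)]
    return serialize_tx(0, vin, vout, 0)

def build_to_sign(to_spend_raw: bytes) -> bytes:
    """to_sign: spends to_spend:0 with an empty scriptSig (the real proof goes in
    the witness) and pays to a single OP_RETURN output. This is the 'message'
    the script system actually verifies a signature against."""
    vin = [(txid_internal(to_spend_raw), 0, b"", 0)]
    vout = [(0, b"\x6a")]  # OP_RETURN
    return serialize_tx(0, vin, vout, 0)

def encode_simple_signature(witness_stack: list) -> str:
    """'Simple' BIP322 encoding: the to_sign input witness stack, serialized
    as CompactSize count followed by length-prefixed items, then base64."""
    raw = varint(len(witness_stack))
    for item in witness_stack:
        raw += varint(len(item)) + item
    return base64.b64encode(raw).decode()

def decode_simple_signature(sig_b64: str) -> list:
    """Inverse of encode_simple_signature (single-byte CompactSize is enough here)."""
    raw = base64.b64decode(sig_b64)
    count, pos, items = raw[0], 1, []
    for _ in range(count):
        n = raw[pos]
        items.append(raw[pos + 1:pos + 1 + n])
        pos += 1 + n
    if pos != len(raw):
        raise ValueError("trailing bytes in signature")
    return items

if __name__ == "__main__":
    # Constructed sample: a P2WPKH scriptPubKey with a dummy 20-byte hash.
    spk = b"\x00\x14" + bytes(range(20))
    to_spend = build_to_spend(b"Hello World", spk)
    to_sign = build_to_sign(to_spend)
    print("to_spend txid:", txid_internal(to_spend)[::-1].hex())
    print("to_sign raw  :", to_sign.hex())
    # A real signer would now run its normal transaction-signing code over to_sign;
    # the resulting witness stack (here a constructed placeholder) is the BIP322 signature.
    print("signature    :", encode_simple_signature([b"<sig-placeholder>", b"<pubkey-placeholder>"]))
```

Note that `build_to_sign` never looks at the message itself: the message is bound only through the `to_spend` txid that the input references, which is exactly the "everything else remains the same" property the post describes. A verifier that already validates transactions can reconstruct both transactions from the message and address and then run its unchanged script engine over `to_sign`.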