bips icon indicating copy to clipboard operation
bips copied to clipboard
verified publisher icon bitcoin

BIP-341: Explain the 64-byte signature format

Open david-bakin opened this issue 3 years ago • 8 comments

The signature would be expected to be 65-bytes: the 64-byte Schnorr signature plus the appended sighash byte. But the new sighash value SIGHASH_DEFAULT, encoded as 0x00, allows the space optimization of omitting the sighash byte, allowing for a 64-byte signature.

This is now explained explicitly in the text.

david-bakin avatar Jun 06 '22 17:06 david-bakin

@sipa @jonasnick @ajtowns

luke-jr avatar Jul 25 '22 21:07 luke-jr

Looks good to me. Feel free to squash the "address PR comments" commit.

Squash done.

david-bakin avatar Aug 07 '22 02:08 david-bakin

What’s the status of this PR? I see one ACK conditional on another author agreeing, all authors have commented, but it’s not clear to me whether they are supportive of this change. Can you please clarify @sipa, @ajtowns?

murchandamus avatar Apr 26 '24 20:04 murchandamus

I'd like to see https://github.com/bitcoin/bips/pull/1330#discussion_r1068101634 addressed. The text still seems to imply that the omission is optional for SIGHASH_DEFAULT.

sipa avatar Apr 26 '24 20:04 sipa

To be honest, I think the (consensus-critical) specification section should be as short as possible, as long as it's unambiguous, which seems to be the case here. There's even a footnote about the two permitted signature lengths, so it really doesn't seem necessary to reiterate that in the document body.

vostrnad avatar Apr 26 '24 20:04 vostrnad

What would you think of the following text as a replacement for line 140:

However, in the common case of SIGHASH_DEFAULT, encoded as 0x00, the sighash byte is omitted, resulting in a 64-byte signature (and SIGHASH_DEFAULT assumed). (This ensures that there are not two valid formats for the same SIGHASH_DEFAULT signature: with and without the 0x00 sighash byte.)

david-bakin avatar Apr 26 '24 21:04 david-bakin

I don't think this paragraph needs to go into too much detail; the full specification follows in the lines below, which already includes a footnote about avoiding malleation between 64 and 64-byte signatures.

@vostrnad In abstract I agree with you, but we often follow a structure where there is first an informal description of what is going on, followed by a more formal specification with the exact rules. I think of this as this informal description.

@david-bakin What about just:

This sighash byte is optional. If omitted the resulting signatures are 64 bytes, and a SIGHASH_DEFAULT mode is implied.

sipa avatar Apr 26 '24 21:04 sipa

@david-bakin What about just:

This sighash byte is optional. If omitted the resulting signatures are 64 bytes, and a SIGHASH_DEFAULT mode is implied.

OK by me.

david-bakin avatar Apr 26 '24 21:04 david-bakin