Skip to content

Commit

Permalink
Fully specify, and add schnorr signature checking for legacy and segw…
Browse files Browse the repository at this point in the history
…itv0.
  • Loading branch information
reardencode committed Jan 2, 2024
1 parent 28d4c31 commit faffb36
Showing 1 changed file with 41 additions and 23 deletions.
64 changes: 41 additions & 23 deletions bip-csfs.mediawiki
Original file line number Diff line number Diff line change
Expand Up @@ -15,53 +15,71 @@
This BIP describes two new opcode for the purpose of checking cryptographic
signatures in bitcoin scripts against data other than bitcoin transactions.

==Specification==
==Summary==

We propose replacing OP_NOP5 in bitcoin script with
'''OP_CHECKSIGFROMSTACKVERIFY'''. When verifying taproot script spends having
leaf version 0xc0 (as defined in BIP342), we propose '''OP_CHECKSIGFROMSTACK'''
to replace '''OP_SUCCESS188''' (0xbc).
<code>OP_CHECKSIGFROMSTACKVERIFY</code>. When verifying taproot script spends having
leaf version 0xc0 (as defined in BIP342), we propose <code>OP_CHECKSIGFROMSTACK</code>
to replace <code>OP_SUCCESS188</code> (0xbc).

<code>OP_CHECKSIGFROMSTACK</code> and <code>OP_CHECKSIGFROMSTACKVERIFY</code>
have semantics similar to <code>OP_CHECKSIG</code> and
<code>OP_CHECKSIGVERIFY</code> respectively, as specified below.

'''OP_CHECKSIGFROMSTACK''' and '''OP_CHECKSIGFROMSTACKVERIFY''' have identical
semantics to '''OP_CHECKSIG''' and '''OP_CHECKSIGVERIFY''' respectively,
except:
For legacy and segwit v0 scripts, 32-byte and 33-byte keys are supported for
BIP340 signature verification and ECDSA signature verification respectively.

==Specification==

* On success the arguments to '''OP_CHECKSIGFROMSTACKVERIFY''' are left unchanged on the stack.
* They pop (or read, respectively) 3 arguments (rather than 2) from the stack in the following order: '''&lt;pubkey&gt; &lt;data&gt; &lt;sig&gt;'''
* Signatures must not have a sighash byte appended
* The message being verified is '''&lt;data&gt;'''
** '''&lt;data&gt;''' may be any length.
** For ECDSA signature verification '''&lt;data&gt;''' is SHA256 hashed before being used as the message.
* If fewer than 3 elements are on the stack, the script MUST fail and terminate immediately.
* The public key (top element), message (second to top element), and signature (third from top element) are read from the stack.
* For <code>OP_CHECKSIGFROMSTACK</code> the top three elements are popped from the stack.
* If the public key size is zero, the script MUST fail and terminate immediately.
* If the public key size is 32 bytes, it is considered to be a public key as described in BIP340:
** If the signature is not the empty vector, the signature is validated against the public key and message according to BIP340. Validation failure in this case immediately terminates script execution with failure.
* For legacy and segwit v0 scripts, if the public key size is 33 bytes and its first byte is 0x02 or 0x03, it is considered a compressed public key as described in BIP137:
** If the signature is not the empty vector, the signature is validated against the public key and message using ECDSA. Validation failure in this case immediately terminates script execution with failure.
* If the public key size is not zero, and it is not a BIP340 public key, nor a BIP137 compressed public key; the public key is of an unknown public key type, and no actual signature verification is applied. During script execution of signature opcodes they behave exactly as known public key types except that signature validation is considered to be successful.
* If the script did not fail and terminate before this step, regardless of the public key type:
** If the signature is the empty vector:
*** For <code>OP_CHECKSIGFROMSTACKVERIFY</code>, the script MUST fail and terminate immediately.
*** For <code>OP_CHECKSIGFROMSTACK</code>, an empty vector is pushed onto the stack, and execution continues with the next opcode.
** If the signature is not the empty vector:
*** For tapscript 0xc0, the opcode is counted towards the sigops budget as described in BIP341.
*** For legacy and segwit v0, the opcode is counted towards the sigops limit, as described in BIP141
*** For <code>OP_CHECKSIGFROMSTACKVERIFY</code>, execution continues without any further changes to the stack.
*** For <code>OP_CHECKSIGFROMSTACK</code>, a 1-byte value 0x01 is pushed onto the stack.
==Design Considerations==

# Message hashing: ECDSA requires the message to be securely hashed to 32-bytes before being used in the signing protocol, so a SHA256 hash is taken before the message is passed for ECDSA signing. BIP340 is compatible with any size of message and does not require it to be a securely hashed input, so the message is not hashed prior to BIP340 signing.
# Verify NOP upgrade: To bring both ECDSA and BIP340 signing to bitcoin script, a NOP upgrade path was chosen for '''OP_CHECKSIGFROMSTACKVERIFY'''. This necessarily means leaving the 3 arguments on the stack when executing '''OP_CHECKSIGFROMSTACKVERIFY'''. Scripts will need to drop or otherwise manage these stack elements.
# Add/multisig: No concession is made to ```OP_CHECKMULTISIG``` or ```OP_CHECKSIGADD``` semantics with '''OP_CHECKSIGFROMSTACK(VERIFY)'''. In Tapscript, add semantics can be implemented with 1 additional vByte per key ('''OP_TOALTSTACK OP_CHECKSIGFROMSTACK OP_FROMALTSTACK OP_ADD OP_TOALTSTACK''').
# Splitting R/S on the stack: Implementing split/separate signatures is left as an exercise for future bitcoin upgrades, such as '''OP_CAT'''.
# Verify NOP upgrade: To bring both ECDSA and BIP340 signing to bitcoin script, a NOP upgrade path was chosen for <code>OP_CHECKSIGFROMSTACKVERIFY</code>. This necessarily means leaving the 3 arguments on the stack when executing <code>OP_CHECKSIGFROMSTACKVERIFY</code>. Scripts will need to drop or otherwise manage these stack elements.
# Add/multisig: No concession is made to ```OP_CHECKMULTISIG``` or ```OP_CHECKSIGADD``` semantics with <code>OP_CHECKSIGFROMSTACK(VERIFY)</code>. In Tapscript, add semantics can be implemented with 1 additional vByte per key (<code>OP_TOALTSTACK OP_CHECKSIGFROMSTACK OP_FROMALTSTACK OP_ADD OP_TOALTSTACK</code>).
# Splitting R/S on the stack: Implementing split/separate signatures is left as an exercise for future bitcoin upgrades, such as <code>OP_CAT</code>.
# BIP118-style Taproot internal key: Rather than introducing an additional key type in this change, we suggest implementing OP_INTERNALKEY or separately introducing that key type for all Tapscript signature checking operations in a separate change.
# Unknown key lengths: The semantics of other signature checking opcodes in their respective script types (legacy, segwit-v0, tapscript-c0) are applied.
==Resource Limits==

These opcodes are treated identically to other signature checking opcodes and
count against the various sigops limits in their respective script types.
count against the various sigops limits and budgets in their respective script
types.

==Motivation==

===LN Symmetry===

When combined with '''OP_CHECKTEMPLATEVERIFY''' (BIP119/CTV),
'''OP_CHECKSIGFROMSTACK''' (CSFS) can be used in Lightning Symmetry channels.
The construction '''OP_CHECKTEMPLATEVERIFY &lt;pubkey&gt; OP_CHECKSIGFROMSTACK''' is
logically equivalent to '''&lt;bip118_pubkey&gt; OP_CHECKSIG''' and a signature over
'''SIGHASH_ALL|SIGHASH_ANYPREVOUTANYSCRIPT'''. The '''OP_CHECKSIGFROMSTACK'''
When combined with <code>OP_CHECKTEMPLATEVERIFY</code> (BIP119/CTV),
<code>OP_CHECKSIGFROMSTACK</code> (CSFS) can be used in Lightning Symmetry channels.
The construction <code>OP_CHECKTEMPLATEVERIFY &lt;pubkey&gt; OP_CHECKSIGFROMSTACK</code> is
logically equivalent to <code>&lt;bip118_pubkey&gt; OP_CHECKSIG</code> and a signature over
<code>SIGHASH_ALL|SIGHASH_ANYPREVOUTANYSCRIPT</code>. The <code>OP_CHECKSIGFROMSTACK</code>
construction is 8 vBytes larger.

===Delegation===

Using a script like:
'''OP_DUP &lt;pubkey&gt; OP_CHECKSIGFROMSTACK OP_DROP OP_CHECKSIG'''
<code>OP_DUP &lt;pubkey&gt; OP_CHECKSIGFROMSTACK OP_DROP OP_CHECKSIG</code>
A script can delegate signing to another key.

==Reference Implementation==
Expand Down

0 comments on commit faffb36

Please sign in to comment.