The Present and Future of Message Signing Standards
In our previous blog post, Trezor or Electrum: A Pitfall in Manual Signing, we explored how manual message signing can pose problems for users trying to establish ownership proofs over their self-hosted wallets. Using Trezor and Electrum as the example, we saw how applications that use different signature encoding schemes can lead to a verifier rejecting signatures that are in fact valid. This illustrates one of the many benefits of standards that mandate an exact signature and encoding scheme, leaving no room for inconsistencies and, thus, for unnecessary rejections.
In this post, we will look at this problem more generally and explore the difficulties of using message signing to establish ownership proofs. We will then look at current message signing standards for Bitcoin and potential future approaches.
Address Ownership Proofs via Message Signing
Standard message signing in public key cryptography is conceptually very simple: The private key holder uses said key to create a signature, whose validity can be verified by anyone who knows the public key.
However, some thorny complications arise when applying this to blockchain addresses (and consequently to the address ownership use case). The main difficulty is that the link between a single private/public keypair and a blockchain address can be indirect, ambiguous to third parties, or even nonexistent.
A good example of the last case is a standard Bitcoin multisig wallet: ownership is shared among multiple keypairs, several of which would need to submit signatures to the verifier. The address itself completely hides the nature of the specific ownership structure, so the wallet participants would first need to submit ancillary data to prove the multisig structure in the first place.
Present Message Signing in Bitcoin
The current standard for message signing in Bitcoin is BIP 137, which is widely supported. It sidesteps the problem from the previous section by only defining the procedure for address formats where the address has a direct and discoverable 1-to-1 relationship with the keypair used for signing and verifying.
However, even with this restricted scope, there still remain areas where implementors differ, leading to potential false rejections of signatures. See our previous blog post for more details.
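To make that "direct and discoverable 1-to-1 relationship" concrete, here is an added Python example of the BIP 137 flow: the double-SHA256 over the magic-prefixed message, the header byte that encodes the recovery id and the claimed address type, signing, public-key recovery, and a verifier that checks the recovered key against a P2PKH address. It is not code from this post, from Trezor or Electrum, or from any library; it assumes pure-Python secp256k1 arithmetic (a demo, not constant time), a hashed nonce in place of RFC 6979, and compressed-key P2PKH addresses only. The `strict` flag shows where a header byte that claims a different address type than the one being verified causes a rejection even though the recovered key is correct.

```python
"""BIP 137-style signed messages: hash, header byte, sign, recover, verify.
Added example (not code from the post or any wallet/library it names). Assumptions:
pure-Python secp256k1 (demo only), hashed nonce instead of RFC 6979, P2PKH only."""
import base64, hashlib, hmac

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
MAGIC = b"Bitcoin Signed Message:\n"
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
KINDS = ("P2PKH uncompressed", "P2PKH compressed", "P2SH-P2WPKH", "P2WPKH")

def ec_add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None:
        return a if b is None else b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    lam = (3 * a[0] * a[0] * pow(2 * a[1], -1, P) if a == b
           else (b[1] - a[1]) * pow(b[0] - a[0], -1, P)) % P
    x = (lam * lam - a[0] - b[0]) % P
    return x, (lam * (a[0] - x) - a[1]) % P

def ec_mul(k, pt):  # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def varint(n):  # Bitcoin CompactSize encoding, enough for any message below 4 GiB
    if n < 0xFD:
        return bytes([n])
    return b"\xfd" + n.to_bytes(2, "little") if n <= 0xFFFF else b"\xfe" + n.to_bytes(4, "little")

def message_preimage(msg):  # the exact bytes that get double-SHA256'd
    return varint(len(MAGIC)) + MAGIC + varint(len(msg)) + msg

def message_hash(msg):
    return hashlib.sha256(hashlib.sha256(message_preimage(msg)).digest()).digest()

def header_kind(header):  # BIP 137 header ranges: 27-30 / 31-34 / 35-38 / 39-42
    if not 27 <= header <= 42:
        raise ValueError("header byte outside BIP 137 range")
    return KINDS[(header - 27) // 4]

def sign(priv, msg):  # base64(header || r || s); header lands in the compressed-P2PKH range 31..34
    h = message_hash(msg)
    # demo nonce (assumption): HMAC of the hash under the key; real signers use RFC 6979
    k = int.from_bytes(hmac.new(priv.to_bytes(32, "big"), h, hashlib.sha256).digest(), "big") % N
    R = ec_mul(k, G)
    r = R[0] % N
    s = pow(k, -1, N) * (int.from_bytes(h, "big") + r * priv) % N
    recid = (R[1] & 1) | (2 if R[0] >= N else 0)
    if s > N // 2:  # low-s form; negating s flips the parity bit of R
        s, recid = N - s, recid ^ 1
    header = 27 + recid + 4  # +4 flags a compressed key
    return base64.b64encode(bytes([header]) + r.to_bytes(32, "big") + s.to_bytes(32, "big")).decode()

def recover(msg, sig_b64):  # -> (signer's public key point, header byte)
    raw = base64.b64decode(sig_b64)
    if len(raw) != 65:
        raise ValueError("BIP 137 signatures are exactly 65 bytes")
    header, recid = raw[0], (raw[0] - 27) & 3
    header_kind(header)  # rejects header bytes outside 27..42
    r, s = int.from_bytes(raw[1:33], "big"), int.from_bytes(raw[33:65], "big")
    x = r + (N if recid & 2 else 0)
    y = pow(x ** 3 + 7, (P + 1) // 4, P)  # modular square root, valid because P % 4 == 3
    if (y * y - x ** 3 - 7) % P:
        raise ValueError("no curve point with this x coordinate")
    if (y & 1) != (recid & 1):
        y = P - y
    z, rinv = int.from_bytes(message_hash(msg), "big") % N, pow(r, -1, N)
    return ec_add(ec_mul(s * rinv % N, (x, y)), ec_mul(-z * rinv % N, G)), header

def encode_pubkey(Q, compressed):
    if compressed:
        return bytes([2 + (Q[1] & 1)]) + Q[0].to_bytes(32, "big")
    return b"\x04" + Q[0].to_bytes(32, "big") + Q[1].to_bytes(32, "big")

def p2pkh_address(pub):  # Base58Check(0x00 || HASH160(pub)); RIPEMD-160 must exist in the local OpenSSL
    payload = b"\x00" + hashlib.new("ripemd160", hashlib.sha256(pub).digest()).digest()
    full = payload + hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    n, out = int.from_bytes(full, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    return "1" * (len(full) - len(full.lstrip(b"\x00"))) + out

def verify_p2pkh(address, msg, sig_b64, strict=True):
    # strict: a header byte claiming a non-P2PKH type is rejected even if the recovered key
    # is right, which is the kind of cross-wallet encoding mismatch behind false rejections
    Q, header = recover(msg, sig_b64)
    if strict and not header_kind(header).startswith("P2PKH"):
        return False
    return p2pkh_address(encode_pubkey(Q, compressed=header >= 31)) == address
```

Usage: derive `addr = p2pkh_address(encode_pubkey(ec_mul(priv, G), True))` for a key `priv`, then `sig = sign(priv, b"hello")` and `verify_p2pkh(addr, b"hello", sig)` returns True, while the same signature checked against any other message or address returns False. Because the verifier only ever sees the address, it can check the signature solely by recovering the key and recomputing the address, which is exactly why BIP 137 is limited to address types with that one-to-one key relationship.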
The Future of Message Signing in Bitcoin
Due to the shortcomings of this restricted standard, a new standard (BIP 322) was proposed in 2018, which takes a much more general approach, allowing address proofs to be established over any Bitcoin address. It achieves this via an elegant scheme where the message being signed includes a Bitcoin UTXO that does not exist, thus ensuring that any address or script that could hold coins can also sign arbitrary messages.
Unfortunately, the standard has not attracted widespread support so far and remains in draft status after multiple years. This is partly because some developers reject the use case of generic message signing altogether.
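As an added illustration of the "UTXO that does not exist" idea in the preceding paragraph (example code, not from this post and not a BIP 322 implementation): BIP 322 defines a virtual `to_spend` transaction that spends the null outpoint, commits to the message in its scriptSig, and pays zero to the address's own scriptPubKey; the wallet then signs a `to_sign` transaction that spends that never-broadcast output. The block below builds both serializations and the txid that links them. Producing the actual witness for `to_sign` needs the wallet's script and sighash machinery and is left out; the scriptPubKey used is a constructed P2WPKH-shaped placeholder, not a real address.

```python
"""BIP 322 virtual transactions. Added example, not from the post or any library.
Builds to_spend (the non-existent UTXO) and to_sign (what the wallet signs)."""
import hashlib

def sha256d(b):
    return hashlib.sha256(hashlib.sha256(b).digest()).digest()

def tagged_hash(tag, data):  # BIP 340 style: SHA256(SHA256(tag) || SHA256(tag) || data)
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + data).digest()

def varint(n):  # CompactSize encoding
    if n < 0xFD:
        return bytes([n])
    return b"\xfd" + n.to_bytes(2, "little") if n <= 0xFFFF else b"\xfe" + n.to_bytes(4, "little")

def serialize_tx(version, vin, vout, locktime):
    """Legacy (non-witness) serialization, which is what the txid is computed over."""
    out = version.to_bytes(4, "little") + varint(len(vin))
    for prev_hash, prev_n, script_sig, sequence in vin:
        out += prev_hash + prev_n.to_bytes(4, "little")
        out += varint(len(script_sig)) + script_sig + sequence.to_bytes(4, "little")
    out += varint(len(vout))
    for value, spk in vout:
        out += value.to_bytes(8, "little") + varint(len(spk)) + spk
    return out + locktime.to_bytes(4, "little")

def to_spend(message, message_challenge):
    """The UTXO that does not exist: spends outpoint (0x00*32, 0xFFFFFFFF), carries the
    tagged message hash as OP_0 PUSH32 <hash> in scriptSig, pays 0 sat to the address script."""
    script_sig = b"\x00\x20" + tagged_hash("BIP0322-signed-message", message)
    return serialize_tx(0, [(b"\x00" * 32, 0xFFFFFFFF, script_sig, 0)], [(0, message_challenge)], 0)

def to_sign(to_spend_tx):
    """What the wallet signs: spends output 0 of to_spend, pays 0 sat to OP_RETURN."""
    return serialize_tx(0, [(sha256d(to_spend_tx), 0, b"", 0)], [(0, b"\x6a")], 0)

def txid(tx):  # display order is the byte-reversed double SHA256
    return sha256d(tx)[::-1].hex()

def referenced_outpoint(tx):  # single-input tx: version(4) | count(1) | prev hash(32) | index(4)
    return tx[5:37][::-1].hex(), int.from_bytes(tx[37:41], "little")

if __name__ == "__main__":
    # constructed placeholder script (P2WPKH shape: OP_0 PUSH20 <20 bytes>), not a real address
    challenge = b"\x00\x14" + bytes(range(20))
    spend = to_spend(b"Hello World", challenge)
    print("to_spend txid:", txid(spend))
    print("to_sign spends:", referenced_outpoint(to_sign(spend)))
```

Since `to_spend` pays into the address's own script, signing `to_sign` demands exactly the same spending authority the address would need on chain, whether that is one key, a multisig quorum, or any other script, which is what makes the scheme address-agnostic. The verifier rebuilds both transactions from the message and address and then runs ordinary script validation on `to_sign`, instead of the key-recovery shortcut available only to one-key address types.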
Address ownership proofs thus remain restricted to more standard addresses to this day.
Conclusion
The above issues underline the challenging nature of message signing in general and of the address ownership use case in particular. It is thus all the more important to have a user-friendly and clearly specified mechanism for handling these signatures, which remains the central motivation for the Address Ownership Proof Protocol (AOPP).