BIP-341: Explain the 64-byte signature format #1330

pull david-bakin wants to merge 1 commits into bitcoin:master from david-bakin:bip-341-define-65-byte-signature-65th-byte changing 1 files +4 −1
  1. david-bakin commented at 5:37 PM on June 6, 2022: none

    The signature would be expected to be 65-bytes: the 64-byte Schnorr signature plus the appended sighash byte. But the new sighash value SIGHASH_DEFAULT, encoded as 0x00, allows the space optimization of omitting the sighash byte, allowing for a 64-byte signature.

    This is now explained explicitly in the text.

  2. bitcoin deleted a comment on Jun 7, 2022
  3. luke-jr commented at 9:14 PM on July 25, 2022: member

    @sipa @jonasnick @ajtowns

  4. luke-jr added the label Proposed BIP modification on Jul 25, 2022
  5. in bip-0341.mediawiki:139 in 1911a9be08 outdated 
     135 | @@ -136,6 +136,9 @@ In summary, the semantics of the [[bip-0143.mediawiki|BIP143]] sighash types rem
 136 |  
 137 |  ==== Taproot key path spending signature validation ====
 138 |  
 139 | +A Taproot signature is the 64-byte Schnorr signature defined in [[bip-0340.mediawiki|BIP340]] with the sighash byte appended in the usual Bitcoin fashion<ref>See [https://en.bitcoin.it/wiki/OP_CHECKSIG#How_it_works '''OP_CHECKSIG''' "How it works"].</ref>.
    sipa commented at 9:24 PM on July 25, 2022:

    I'm not very keen on linking to the bitcoin.it wiki, especially not without a fixed timestamp. It's hard to say the OP_CHECKSIG article there will forever include an explanation of this concept.

    david-bakin commented at 10:50 PM on July 25, 2022:

    I will look elsewhere in the BIPs for a proper reference.

    jonasnick commented at 3:28 PM on July 26, 2022:

    How about s/is the 64-byte/is a 64-byte/ ?

    sipa commented at 12:24 AM on July 27, 2022:

    I don't think you'll find any, since the "append a byte to the ECDSA signature to indicate the sighash type" dates back to the original release, long before the BIP process. I'd just leave the text without a reference.

    david-bakin commented at 5:46 PM on July 27, 2022:

    ok.

    david-bakin commented at 5:47 PM on July 27, 2022:

    Changed to "A Taproot signature is a 64-byte Schnorr signature, as defined in ..." - ?

  6. in bip-0341.mediawiki:140 in 1911a9be08 outdated 
     135 | @@ -136,6 +136,9 @@ In summary, the semantics of the [[bip-0143.mediawiki|BIP143]] sighash types rem
 136 |  
 137 |  ==== Taproot key path spending signature validation ====
 138 |  
 139 | +A Taproot signature is the 64-byte Schnorr signature defined in [[bip-0340.mediawiki|BIP340]] with the sighash byte appended in the usual Bitcoin fashion<ref>See [https://en.bitcoin.it/wiki/OP_CHECKSIG#How_it_works '''OP_CHECKSIG''' "How it works"].</ref>.
 140 | +However, in the common case of '''SIGHASH_DEFAULT''', encoded as ''0x00'', a space optimization can be made by ''omitting'' the sighash byte, resulting in a 64-byte signature with '''SIGHASH_DEFAULT''' assumed.
    jonasnick commented at 3:29 PM on July 26, 2022:

    For consistency you should replace ''' with <code> and </code>.

    david-bakin commented at 5:47 PM on July 27, 2022:

    Done. (I had looked in the mediawiki markup docs rather than look around in this file.)

  7. jonasnick commented at 3:34 PM on July 26, 2022: contributor

    I'd be ok with adding this explanatory paragraph. Note that this defines a new term, "Taproot signature". But as far as I can see that doesn't hurt.

  8. david-bakin force-pushed on Jul 27, 2022
  9. jonasnick commented at 9:09 PM on July 28, 2022: contributor

    Looks good to me. Feel free to squash the "address PR comments" commit.

  10. BIP-341: Explain the 64-byte signature format
    The signature would be expected to be 65-bytes: the 64-byte Schnorr
signature plus the appended sighash byte.  But the new sighash value
SIGHASH_DEFAULT, encoded as 0x00, allows the space optimization of
omitting the sighash byte, allowing for a 64-byte signature.

This is now explained explicitly in the text.

Address PR comments

- remove ref to `bitcoin.it` wiki - may change or disappear in future (just don't
  refer to a definition)
- Slight wording change to sentence
- Make markup consistent with rest of file
    5c85131cff
  11. david-bakin force-pushed on Aug 7, 2022
  12. david-bakin commented at 2:02 AM on August 7, 2022: none

    Looks good to me. Feel free to squash the "address PR comments" commit.

    Squash done.

  13. jonasnick commented at 3:12 PM on August 16, 2022: contributor

    ACK 5c85131cfff22f7116eec6a93b9cfb5567373bf9 (conditional on another coauthor's ACK).

  14. jackromo888 approved
  15. scgbckbone approved
  16. scgbckbone commented at 12:57 PM on January 12, 2023: contributor

    very helpful addition!!

  17. in bip-0341.mediawiki:140 in 5c85131cff 
     135 | @@ -136,6 +136,9 @@ In summary, the semantics of the [[bip-0143.mediawiki|BIP143]] sighash types rem
 136 |  
 137 |  ==== Taproot key path spending signature validation ====
 138 |  
 139 | +A Taproot signature is a 64-byte Schnorr signature, as defined in [[bip-0340.mediawiki|BIP340]], with the sighash byte appended in the usual Bitcoin fashion.
 140 | +However, in the common case of <code>SIGHASH_DEFAULT</code>, encoded as ''0x00'', a space optimization can be made by ''omitting'' the sighash byte, resulting in a 64-byte signature with <code>SIGHASH_DEFAULT</code> assumed.
    ajtowns commented at 1:08 PM on January 12, 2023:

    I read "a space optimization can be made" as suggesting that you could have a 65 byte SIGHASH_DEFAULT signature, as omitting the sighash byte would just be optional.

    Perhaps

    However, in the common case when the default sighash flags being used (<code>SIGHASH_DEFAULT</code>, encoded as ''0x00'') the sighash byte is omitted from the encoding entirely, resulting in a 64-byte signature.

    ?

    scgbckbone commented at 1:13 PM on January 12, 2023:

    or just replace can with must?

    Can confirm that 65bytes sig with 0x00 appended is considered invalid for bitcoind (v24.0)

    sipa commented at 3:13 PM on January 12, 2023:

    Can confirm that 65bytes sig with 0x00 appended is considered invalid for bitcoind (v24.0)

    Hopefully, it's explicitly spelled out in footnote 21 that that is not allowed.

    david-bakin commented at 8:33 PM on April 26, 2024:

    I will make it explicit, give me a minute.

  18. murchandamus commented at 8:27 PM on April 26, 2024: contributor

    What’s the status of this PR? I see one ACK conditional on another author agreeing, all authors have commented, but it’s not clear to me whether they are supportive of this change. Can you please clarify @sipa, @ajtowns?

  19. sipa commented at 8:31 PM on April 26, 2024: member

    I'd like to see #1330 (review) addressed. The text still seems to imply that the omission is optional for SIGHASH_DEFAULT.

  20. vostrnad commented at 8:38 PM on April 26, 2024: contributor

    To be honest, I think the (consensus-critical) specification section should be as short as possible, as long as it's unambiguous, which seems to be the case here. There's even a footnote about the two permitted signature lengths, so it really doesn't seem necessary to reiterate that in the document body.

  21. david-bakin commented at 9:13 PM on April 26, 2024: none

    What would you think of the following text as a replacement for line 140:

    However, in the common case of SIGHASH_DEFAULT, encoded as 0x00, the sighash byte is omitted, resulting in a 64-byte signature (and SIGHASH_DEFAULT assumed). (This ensures that there are not two valid formats for the same SIGHASH_DEFAULT signature: with and without the 0x00 sighash byte.)

  22. sipa commented at 9:20 PM on April 26, 2024: member

    I don't think this paragraph needs to go into too much detail; the full specification follows in the lines below, which already includes a footnote about avoiding malleation between 64 and 64-byte signatures. @vostrnad In abstract I agree with you, but we often follow a structure where there is first an informal description of what is going on, followed by a more formal specification with the exact rules. I think of this as this informal description. @david-bakin What about just:

    This sighash byte is optional. If omitted the resulting signatures are 64 bytes, and a SIGHASH_DEFAULT mode is implied.

  23. david-bakin commented at 9:29 PM on April 26, 2024: none

    @david-bakin What about just:

    This sighash byte is optional. If omitted the resulting signatures are 64 bytes, and a SIGHASH_DEFAULT mode is implied.

    OK by me.

  24. murchandamus commented at 1:37 PM on April 29, 2024: contributor

    Do I understand right, that the next step is that @david-bakin will update the PR to adopt the phrasing suggested by @sipa?

  25. murchandamus added the label PR Author action required on May 8, 2024
  26. 5twelve approved
  27. murchandamus commented at 8:24 PM on November 14, 2024: contributor

    Is anyone still working on this?

  28. jonatack commented at 11:11 PM on January 6, 2025: member

    Picked up by #1741 due to author inactivity here.

  29. jonatack closed this on Jan 6, 2025
Contributors
david-bakinluke-jrsipajonasnickjackromo888scgbckboneajtownsmurchandamusvostrnad5twelvejonatack
Labels
Proposed BIP modificationPR Author action required
Linked (view graph)
#1741 BIP341: Explain the 64-byte signature format
github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bips. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-20 13:10 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me