BIP-0322: clarify motivation/purpose, add prefix, clarify Proof of Funds format, describe PSBT based signing #2141

pull guggero wants to merge 13 commits into bitcoin:master from guggero:bip-0322-finalization changing 5 files +756 −216
  1. guggero commented at 2:32 PM on April 14, 2026: contributor

    This PR is an attempt to push this PR forward, hopefully closer to a Complete state.

    If it helps the process and @kallewoof agrees, I'm volunteering to be named as a deputy for this BIP.

    The PR addresses the following discussion items:

    TODO (will follow up with these items soon):

    • https://github.com/bitcoin/bitcoin/pull/16440#issuecomment-568479290
      • Clean up wording: Clarify that there might not always be a cryptographic signature involved (e.g. pure script spend address types)
    • Update btcd pull request to reflect above changes, update test vectors in this PR (prefix and Proof of Funds implementation)
    • Rebase and update after #2135 is merged @murchandamus I went through the different discussions you linked and also both Bitcoin Core PRs and tried to extract all discussion items that I felt were not yet addressed. If anyone feels like a previous discussion item is missing here and not yet addressed by my changes, please comment below!
  2. in bip-0322.mediawiki:186 in 1f65ed5ae0 outdated 
     179 | @@ -180,6 +180,13 @@ Thanks to David Harding, Jim Posen, Kalle Rosenbaum, Pieter Wuille, Andrew Poels
 180 |  
 181 |  # Original mailing list thread: https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018-March/015818.html
 182 |  
 183 | +== Changelog ==
 184 | +
 185 | +* '''1.0.0''' (202?-??-??):
 186 | +** Mark Final
    murchandamus commented at 3:23 PM on April 14, 2026:

    In commit "BIP-0322: add tentative changelog"

    Final is a loaded term in context of the BIPs process. It used to refer to the status that we now call Deployed. Perhaps you could clarify whether you intend to move the BIP to Complete ("all planned work is done, and you are recommending it for adoption") or to Deployed ("all of the above, and at least one project is using it in production on mainnet"). This Changelog entry would then best be paired with the corresponding status change.

    guggero commented at 4:38 AM on April 15, 2026:

    Yeah, you're right, changed to Complete.

  3. jonatack added the label Proposed BIP modification on Apr 14, 2026
  4. jonatack added the label Pending acceptance on Apr 14, 2026
  5. jonatack commented at 3:28 PM on April 14, 2026: member

    Thank you @guggero for picking this up.

    If it helps the process and @kallewoof agrees, I'm volunteering to be named as a deputy for this BIP. @kallewoof thoughts? (If helpful, see BIP3 here for details about the Deputy role.)

  6. in bip-0322.mediawiki:22 in 429c24f66e outdated 
      18 | @@ -19,9 +19,13 @@ A standard for interoperable signed messages based on the Bitcoin Script format,
  19 |  
  20 |  The current message signing standard only works for P2PKH (1...) invoice addresses. We propose to extend and generalize the standard by using a Bitcoin Script based approach. This ensures that any coins, no matter what script they are controlled by, can in-principle be signed for. For easy interoperability with existing signing hardware, we also define a signature message format which resembles a Bitcoin transaction (except that it contains an invalid input, so it cannot be spent on any real network).
  21 |  
  22 | +The Proof-of-Funds variant allows demonstrating control of a set of UTXOs. The list of UTXOs may or may not be related to the address being signed (the address is optional in the Proof-of-Funds variant). But in any case, the UTXO list does not aim to prove completeness (e.g. it does NOT mean: "these are all UTXOs that exist for an address") nor that they are unspent (e.g. a validator must consult the blockchain to verify that).
    murchandamus commented at 3:34 PM on April 14, 2026:

    “The list of UTXOs may or may not be related to the address being signed”

    What “address” is this referring to? I thought BIP 322 message signing works by essentially creating a “fake” transaction where the list of inputs demonstrates control of UTXOs by providing valid inputs for the corresponding output scripts. I’m confused by the singular address vs UTXO list in this line.

    guggero commented at 4:41 AM on April 15, 2026:

    The address is the pkScript you spend in the to_spend transaction, also called the message_challenge in the BIP. In the simple and full case, that's the single UTXO you spend with the fake transaction. In the proof of funds case, you can add more UTXOs, but those don't have to be related to the address. I clarified this in the latest update.

  7. in bip-0322.mediawiki:26 in 429c24f66e outdated 
      18 | @@ -19,9 +19,13 @@ A standard for interoperable signed messages based on the Bitcoin Script format,
  19 |  
  20 |  The current message signing standard only works for P2PKH (1...) invoice addresses. We propose to extend and generalize the standard by using a Bitcoin Script based approach. This ensures that any coins, no matter what script they are controlled by, can in-principle be signed for. For easy interoperability with existing signing hardware, we also define a signature message format which resembles a Bitcoin transaction (except that it contains an invalid input, so it cannot be spent on any real network).
  21 |  
  22 | +The Proof-of-Funds variant allows demonstrating control of a set of UTXOs. The list of UTXOs may or may not be related to the address being signed (the address is optional in the Proof-of-Funds variant). But in any case, the UTXO list does not aim to prove completeness (e.g. it does NOT mean: "these are all UTXOs that exist for an address") nor that they are unspent (e.g. a validator must consult the blockchain to verify that).
  23 | +
  24 |  Additionally, the current message signature format uses ECDSA signatures which do not commit to the public key, meaning that they do not actually prove knowledge of any secret keys. (Indeed, valid signatures can be tweaked by 3rd parties to become valid signatures on certain related keys.)
  25 |  
  26 | -Ultimately no message signing protocol can actually prove control of funds, both because a signature is obsolete as soon as it is created, and because the possessor of a secret key may be willing to sign messages on others' behalf even if it would not sign actual transactions. No signmessage protocol can fix these limitations.
  27 | +Ultimately no message signing protocol can actually prove control of funds, both because a signature is obsolete as soon as it is created, and because the possessor of a secret key may be willing to sign messages on others' behalf even if it would not sign actual transactions. No message signing protocol can fix these limitations.
    murchandamus commented at 3:51 PM on April 14, 2026:

    Could you please generally limit the length of any lines you add? Whitespace in the Mediawiki sourcecode doesn’t affect the rendering of the document, but GitHub stops highlighting the changed words after certain lengths:

    <img width="982" height="145" alt="Image" src="https://github.com/user-attachments/assets/1759914b-8396-40ea-b5d6-a1782885f6d0" />

    It is easier to parse what changed across commits when the text is composed of shorter lines, and it is also easier to provide suggestions in review comments. I would suggest a maximum text-width of 100 characters for the initial additions, and would request that diffs are minimized afterwards (i.e., when updating any line, allow for slightly shorter or longer lines over rebreaking or otherwise affecting untouched lines; for longer additions prefer inserting another line over changing linebreak of the following lines).

    E.g., in the example below instead of moving "procedures" to the next line to make the first line adhere to the original length limit, which would make the diff appear bigger than it is, it’s kept in the same line to minimize the diff.

    <img width="1031" height="172" alt="Image" src="https://github.com/user-attachments/assets/95b7db11-e202-42f2-aab2-009a1ba0ee59" />

    Basically, please treat the document’s text like code! 🤓

    Please Note that I’m not requesting that you reformat the entire existing document. Should you decide to do that, please make it a separate commit.

    guggero commented at 4:47 AM on April 15, 2026:

    Hmm, yeah, I also don't like long lines. I remembered mediawiki being really weird when it comes to lists, so I didn't change the line length initially (I also try to match the code style of any project I contribute to). But shorter lines makes it much easier to work with text, I agree. So I added a commit at the beginning that does some formatting.

    IMO the deeply nested lists don't become easier to read with this. So I opted for just keeping the long lines there for now. Let me know if you think it's worth changing those.

    The alternative of course would be to move over to markdown completely. Which I'm not sure is a documented process?

  8. in bip-0322.mediawiki:274 in b58cff9e67 
     274 |  # Original mailing list thread: https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018-March/015818.html
 275 |  
 276 | +== Changelog ==
 277 | +
 278 | +* '''1.0.0''' (202?-??-??):
 279 | +** Mark Final
    jonatack commented at 4:10 PM on April 14, 2026:

    Per BIP3, statuses are now one of Draft | Complete | Deployed | Closed.

    The BIP status doesn't appear to be updated from Draft in this PR.

    guggero commented at 4:38 AM on April 15, 2026:

    Right, added the change from Draft -> Complete now in the last commit and fixed the changelog.

  9. murchandamus commented at 4:22 PM on April 14, 2026: member

    Partial review of the first three commits.

  10. kallewoof commented at 11:25 PM on April 14, 2026: contributor

    Thank you @guggero for picking this up.

    If it helps the process and @kallewoof agrees, I'm volunteering to be named as a deputy for this BIP.

    @kallewoof thoughts? (If helpful, see BIP3 here for details about the Deputy role.)

    Sounds good to me!

  11. BIP-0322: wrap long lines at 100 characters
    This re-formats the document for easier editing and diff viewing.
Wiki syntax is weird for lists and line wraps break them. Simple lists
were changed to <ul> or <ol> tags but complex lists remain as they are
to not bloat the diff too much.
    421803f06c
  12. BIP-0322: small semantic and formatting fixes
    This fixes small inconsistencies or incomplete definitions based on
previous, already merged changes.
    864200eb96
  13. BIP-0322: reference btcd implementation b45f8e292e
  14. BIP-0322: update motivation, clarify Proof of Funds purpose
    This addresses two discussion items:
 - The list of UTXOs should not be interpreted as a "proof that no other
   UTXOs for an address exist".
 - The BIP only addresses "signer receives funds with the address" and
   not "signer sent a previous transaction" use case.
    833202ce49
  15. guggero force-pushed on Apr 15, 2026
  16. guggero force-pushed on Apr 15, 2026
  17. guggero commented at 5:17 AM on April 15, 2026: contributor

    I updated the prefixes to be fixed-size (smp, ful, pof) and removed the colon to make copy/paste errors by users less likely. @murchandamus I don't really understand the failing CI check... Am I supposed to change the background color of the row in the README?

  18. guggero commented at 12:48 PM on April 15, 2026: contributor

    I've implemented the proposed changes (prefix, Proof of Funds format) in the btcd PR and updated the test vectors here. With that, all (current) TODOs are addressed and I think this PR is ready for a closer look by anyone interested.

  19. BIP-0322: clarify terminology used
    Since the term "signature" can be pretty overloaded dependin on the
context, we clarify what it actually means in this BIP.
    1a2d08f390
  20. BIP-0322: encode finalized PSBT for Proof of Funds
    This commit proposes a fix for the problem that an offline verifier
previously was not able to even verify the witness stack of additional
inputs. By providing the full finalized PSBT, a verifier has all the
input data necessary to run the script through the validation engine.

We require the PSBT to be finalized to make sure it contains the final
script witness or final script sig but no extra potentially
privacy-sensitive fields. The Non-Witness and Witness UTXO fields are
explicitly allowed for finalized PSBTs, which makes the format perfect
for the use case.
    d6a7320092
  21. BIP-0322: add prefix to message signature b01fa36f91
  22. BIP-0174+BIP-0322: describe PSBT based signing
    This commit proposes a new PSBT input field type for transporting the
message to be signed to different signers in a multisig signing use
case.
    600d0e27ff
  23. BIP-0322: update test vectors
    This commit updates the test vectors to reflect all the changes in the
previous commits and also introduces new test vectors for the Proof of
Funds variant.
    7d66f80476
  24. BIP-0322: add guggero as deputy 148c100d25
  25. README+BIP-0322: add changelog, mark Complete 1ee1a210d2
  26. guggero force-pushed on Apr 15, 2026
  27. fixup! BIP-0322: update test vectors a926641a34
  28. fixup! BIP-0322: update motivation, clarify Proof of Funds purpose 81b5a1ce3c
  29. in bip-0322.mediawiki:303 in b01fa36f91 
     302 |  == Compatibility ==
 303 |  
 304 |  This specification is backwards compatible with the legacy signmessage/verifymessage specification
 305 |  through the special case as described above.
 306 | +To support backward compatibility with implementations of this BIP before it was finalized, a
 307 | +verifier might assume the ''simple' variant in the absence of a prefix.
    murchandamus commented at 3:50 PM on April 15, 2026:

    This sounds like it warrants a Changelog entry. Could you please record the breaking change there?

    You can find guidance about that in BIP3 here: https://github.com/bitcoin/bips/blob/master/bip-0003.md#changelog-section-and-version-header

  30. in bip-0322.mediawiki:8 in 1ee1a210d2 
       5 | @@ -6,7 +6,7 @@
   6 |    Deputies: guggero <gugger@gmail.com>
   7 |    Comments-Summary: No comments yet.
   8 |    Comments-URI: https://github.com/bitcoin/bips/wiki/Comments:BIP-0322
    murchandamus commented at 4:52 PM on April 15, 2026:

    I took a look at the comments wiki page. It just contains a couple questions and a link to this Bitcoin Talk discussion: https://bitcointalk.org/index.php?topic=5408898.l0.

    I did not read the discussion, but if you find it interesting, you could add it as an entry to the "Discussion" header. You would then be free to drop the Comments headers as they are not required per BIP3 and the page doesn’t seem useful to me for this BIP.

  31. in README.mediawiki:1081 in 1ee1a210d2 
    1077 | @@ -1078,7 +1078,7 @@ users (see also: [https://en.bitcoin.it/wiki/Economic_majority economic majority
1078 |  | Generic Signed Message Format
1079 |  | Karl-Johan Alm
1080 |  | Specification
1081 | -| Draft
1082 | +| Complete
    murchandamus commented at 4:54 PM on April 15, 2026:

    You also need to update the background color in line 1075 (above) to

    |- style="background-color: #cfffcf"

    murchandamus commented at 5:15 PM on April 15, 2026:

    To clarify, that’s the cause of the CI failure.

  32. in bip-0174/type-registry.mediawiki:193 in 81b5a1ce3c 
     186 | @@ -187,6 +187,10 @@ This document collects the fields and types used in PSBTs of any version from al
 187 |  | <tt>PSBT_IN_SP_TWEAK = 0x20</tt>
 188 |  | [[bip-0376.mediawiki|376]]
 189 |  |-
 190 | +| Generic Signed Message
 191 | +| <tt>PSBT_IN_GENERIC_SIGNED_MESSAGE = 0x21</tt>
 192 | +| [[bip-0322.mediawiki|322]]
 193 | +|-
    murchandamus commented at 4:57 PM on April 15, 2026:

    cc: @achow101, no action required, just wanted to make you aware of this overlap with PSBTs, in case you had thoughts on PSBTs being used for Generic Message Signing.

  33. in bip-0322.mediawiki:487 in 81b5a1ce3c 
     497 | +== Changelog ==
 498 | +
 499 | +* '''1.0.0''' (2026-04-15):
 500 | +** Mark Complete
 501 | +* '''0.0.1''' (2018-09-10):
 502 | +** Proposed as draft
    murchandamus commented at 5:00 PM on April 15, 2026:

    BIP322 has been out there for nigh a decade and I think there are some implementations of it in production. From what I understand this update includes a breaking change to the format. While it was in Draft status and changes should still be expected, this may come as a surprise due to the age of the proposal. Therefore, I would request that you clearly document the breaking change in the Changelog and write to the mailing list about this update to BIP322.

    murchandamus commented at 8:56 PM on April 15, 2026:

    When you start versioning the document per a Changelog section, please also add the Version header to the preamble!

  34. murchandamus commented at 5:02 PM on April 15, 2026: member

    Finished my first pass. I think it’s great that you want to pick up this proposal and bring it up to speed. Strong concept ACK. You also seem to have buy-in from @kallewoof, which is great. Given the age of the proposal and the breaking change, I would heartily recommend that you write to the mailing list about the changes you are proposing in this PR.

  35. in bip-0322.mediawiki:224 in 421803f06c 
     223 | +  control of.
 224 | +</li>
 225 | +<li>
 226 | +  They satisfy <code>to_sign</code> as they would any other transaction.
 227 | +</li>
 228 | +</ol>
    murchandamus commented at 5:07 PM on April 15, 2026:

    Thanks for changing the formatting to shorter lines!

    I am not sure what you mean about Mediawiki having issues with lists, I wasn’t aware, but if it helps, I wouldn’t have minded longer lines in lists. The HTML list syntax (…<ol><li>…) strikes me as more visual clutter in the source code compared to the Mediawiki syntax. It looks fine in the rendered document, though, so no need to change it again.

  36. murchandamus commented at 5:14 PM on April 15, 2026: member

    Oh one more observation:

  37. murchandamus removed the label Proposed BIP modification on Apr 15, 2026
  38. murchandamus removed the label Pending acceptance on Apr 15, 2026
  39. murchandamus added the label PR Author action required on Apr 15, 2026
  40. murchandamus added the label BIP update by author on Apr 15, 2026
Contributors
guggeromurchandamusjonatackkallewoof
Labels
PR Author action requiredBIP Update by Owner
Linked (view graph)
#2135 BIP174: Deduplicate type definitions by introducing registry file
github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bips. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-16 15:10 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me