script: add simple signature support (checker/creator) #16653
Conversation
2098ca9 to
02a1db1
Compare
|
The following sections might be updated with supplementary metadata relevant to reviewers and maintainers. ConflictsReviewers, this pull request conflicts with the following ones:
If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first. |
|
ACK 02a1db1 |
|
Concept ACK. It strictly adds new functions so that seems a pretty safe approach. This PR needs tests though. |
|
Concept NACK until it is being used actively. |
|
@emilengler Did you read the PR description? |
|
@Sjors Added tests. The multisig ones are based on the |
cb50c61 to
a2b4370
Compare
|
@kallewoof I did but until nothing is merged I don't think this should be added. |
|
lol good trolling there |
|
@kallewoof thanks for adding the tests. They pass for me on macOS. I haven't followed the BIP-322 discussion in great detail, so can't really comment on the cryptography itself or how likely that is to change. It would be nice if it remained consistent with signet. @emilengler when you built the binary, how many bytes were added? Even if this difference is non-trivial, it only matters if for some reason this PR makes it into the the 0.19 release and neither of the two followup PRs make the cut-off. This PR seems well worth the reduced review burden and the improved coordination between both projects. |
|
On my side I am fine both about either having it in this PR or on the same PR as signet. |
|
@Sjors Sure thing but why isn't this being added to the original PR? @kallewoof |
|
This interface, where the caller provides the hash of a message, and then "verifies" that the signature is valid, seems problematic to me at this layer of our code -- my understanding is that without knowing the preimage of the hash (ie the message being signed), this doesn't prove that the signature could only have come from someone with knowledge of the private key. I know at some layer of our cryptography code we will have verification methods like this, but at this layer it seems inconsistent with all our other signature checkers, which are operating under different assumptions (well, except maybe for the DummySignatureChecker which does not do signature verifications, but hopefully that is clear to any callers). So my initial thought is that this is not a good place to have what is effectively a lower-level API call to a crypto library function. I'm not very familiar with the broader work this is part of, so if this is in fact necessary or expedient from an implementation perspective, then I'd say at a minimum that we should at least include comments explaining that the assumptions here are different than for the other signature checkers. |
|
Maybe I'm misunderstanding, but I'm not sure if it's that inconsistent in the end. The "CreateSig" methods right now
This is consistent across all of these, and in fact, the other implementations could become sub-classes of this one (perform step 2 into internal sighash then have master do the rest; edit: I actually tried to do this, but it turns out a bit messy as the checker has to be re-constructed for every CreateSig call). To pass the preimage rather than the hash itself would only lock this down to using some specific type of hasher, and would have no practical meaning for the actual implementation. The two (current) uses of these are here (#16411): Lines 31 to 36 in 55d7c4e which gets the hash from Lines 54 to 58 in 55d7c4e and here (#16440): Lines 226 to 233 in 203464e which gets the hash from Lines 15 to 18 in 203464e I made a note that these lack some assumptions that are normally present about the validity of the signature. |
a2b4370 to
9b910a1
Compare
There was a problem hiding this comment.
@kallewoof Thanks for providing that context, now I understand a bit better why this is being implemented in this way. My only suggestion is that we improve the comments to explain the implications of this for verification.
src/script/interpreter.h
Outdated
| @@ -162,6 +162,18 @@ class BaseSignatureChecker | |||
| virtual ~BaseSignatureChecker() {} | |||
| }; | |||
|
|
|||
| /** A general purpose signature checker. Note that this lacks assumptions about the `sighash`, as the preimage is not known to the signer. */ | |||
There was a problem hiding this comment.
This should emphasize that the issue about not knowing the hash preimage is for the verifier, not the signer. Perhaps:
/** A low level signature checker. Note that the caller must verify that the hash passed in relates to a known message (unlike for the other signature checkers). */
There was a problem hiding this comment.
Sorry for delay. Yes, that looks great, thanks. Adopting.
9b910a1 to
0bd274f
Compare
|
utACK 0bd274f An alternative that perhaps @sdaftuar would like more given his reasonings, is having a templated class that will work for any object implementing a GetHash() method. But that would require a wrapper class for signet and another one for the signed messages, I think. |
7704285 to
7ba973a
Compare
src/script/interpreter.h
Outdated
|
|
||
| public: | ||
| const uint256& GetHash() const { return hash; } | ||
| explicit SimpleSignatureChecker(const uint256& hash_in) : hash(hash_in) {} |
There was a problem hiding this comment.
nit: Move constructor one line up, immediately after public (like for the other class SimpleSignatureCreator and for most classes in general I'd say)
There was a problem hiding this comment.
I think it's fine as is, and there are plenty of examples of the constructor not being right below public:.
7ba973a to
b872f8c
Compare
b872f8c to
f808d72
Compare
f808d72 to
58bc964
Compare
58bc964 to
ffe9624
Compare
ffe9624 to
cdcb377
Compare
|
concept and approach ACK. It's ok sometimes to have really small tooling to support not-yet-merged uses, provided there are tests |
|
Closing this as it's no longer certain whether it will be used, now that BIP-322 switched to a tx based version. |
The simple signature takes a sighash as argument and verifies a signature and pubkey against it.
It is used in signet (#16411) for verifying blocks and in BIP-322 implementation (#16440) for verifying messages.