diff --git a/bip-0322.mediawiki b/bip-0322.mediawiki
index b4a04bf1..1166a504 100644
--- a/bip-0322.mediawiki
+++ b/bip-0322.mediawiki
@@ -65,22 +65,27 @@ UTXOs.
|- style="font-weight:bold;"
!
! Compatible script types
+! Signature prefix
! Signature format
|-
| Legacy
| P2PKH, P2SH-P2WPKH1, P2WPKH1
+| n/a
| compact, public key recoverable ECDSA signature, base64-encoded
|-
| Simple
| P2WPKH, P2WSH2, P2TR2
+| smp
| witness stack, consensus encoded and base64-encoded
|-
| Full
| all
+| ful
| full to_sign transaction, consensus and base64-encoded
|-
| Full (Proof of Funds)
| all
+| pof
| full finalized PSBT of the to_sign transaction, consensus and base64-encoded
|}
@@ -88,6 +93,10 @@ UTXOs.
BIP.
2: Excluding time lock scripts.
+Signers must prefix the signature with the variant that was used to create the signature.
+To support backward compatibility with implementations of this BIP before it was finalized, a
+verifier might assume the ''simple'' variant in the absence of a prefix.
+
=== Legacy ===
New proofs should use the new format for all invoice address formats, including P2PKH.
@@ -97,8 +106,9 @@ The legacy format MAY be used, but must be restricted to the legacy P2PKH invoic
=== Simple ===
A ''simple'' signature consists of a witness stack, consensus encoded as a vector of vectors of
-bytes, and base64-encoded. Validators should construct to_spend and
-to_sign as defined below, with default values for all fields except that
+bytes, and base64-encoded, prefixed by the variant (smp). Validators should construct
+to_spend and to_sign as defined below, with default values for all fields
+except that
-
@@ -151,8 +161,8 @@ The
to_sign transaction is:
vout[0].nValue = 0
vout[0].scriptPubKey = OP_RETURN
-A full signature consists of the base64-encoding of the to_sign transaction in standard
-network serialisation once it has been signed.
+A ''full'' signature consists of the variant-prefixed (ful) base64-encoding of the
+to_sign transaction in standard network serialisation once it has been signed.
=== Full (Proof of Funds) ===
@@ -181,8 +191,8 @@ full signature as above, with the following modifications.
-A ''full Proof of Funds'' signature consists of the base64-encoding of the finalized PSBT once it
-has been signed.
+A ''full Proof of Funds'' signature consists of the variant-prefixed (pof)
+base64-encoding of the finalized PSBT once it has been signed.
Unlike an ordinary signature, validators of a proof of funds need access to the current UTXO set, to
learn that the claimed inputs exist on the blockchain and remain unspent.
@@ -267,19 +277,21 @@ Signers who control an address ''A'' who wish to sign a message ''m'' act as fol
-They then encode their signature, choosing either ''simple'' or ''full'' as follows:
+They then encode their signature, choosing either ''simple'', ''full'' or ''full-pof'' as follows:
-
If they added no inputs to
to_sign, left nVersion, nSequence and nLockTime at 0, and
''A'' is a "native" Segwit address (P2WPKH, P2WSH, P2TR), then they may base64-encode
- message_signature
+ message_signature with smp as prefix.
-
- If they added no inputs to
to_sign, they may base64-encode to_sign
+ If they added no inputs to to_sign, they may base64-encode to_sign with
+ ful as prefix.
-
- Otherwise, they must base64-encode the finalized PSBT of
to_sign
+ Otherwise, they must base64-encode the finalized PSBT of to_sign with
+ pof as prefix.
@@ -287,6 +299,8 @@ They then encode their signature, choosing either ''simple'' or ''full'' as foll
This specification is backwards compatible with the legacy signmessage/verifymessage specification
through the special case as described above.
+To support backward compatibility with implementations of this BIP before it was finalized, a
+verifier might assume the ''simple' variant in the absence of a prefix.
== Reference implementation ==