Digital Signature Creation and Verification

Ty Everett (ty@projectbabbage.com)

Abstract

We define a mechanism for requesting and receiving digital signatures over the abstract communications channel first described by BRC-1. We rely on the BRC-43 invoice numbering and permission scheme on top of BRC-42 for key derivation, enabling the creation of private digital signatures that can only be verified by the counterparty. A signer derives their own child private key and uses it to compute an ECDSA signature, which is then communicated to the verified, together with the signer's identity key, the message, and the protocol ID and key ID used. The verifier uses this information to derive the corresponding child public key for the signer, which is then checked against the signature and message with ECDSA. Without the BRC-42 shared secret, no third parties can discover the correct child public key, making then unable to validate the signature.

Motivation

The increasing use of Bitcoin wallets has highlighted the need for a secure and interoperable digital signature standard that can be used across different applications. Digital signatures provide a vital aspect of data authentication, allowing for the verification of information and secure transactions, and are critical to ensuring the integrity of the Bitcoin network.

While other solutions have proposed digital signatures within a wallet, none of them have provided a unified and open standard that supports both privately and publicly verifiable signatures, while also incorporating proper BRC-42 key derivation. The lack of such a standard has created a fragmentation within the ecosystem, with each application requiring its own solution, thus hindering interoperability and leading to duplicated effort.

To address this issue, the BRC-3 standard has been created to enable the creation and verification of digital signatures using BRC-43 invoice numbering and permission scheme on top of BRC-42 for key derivation. This allows for the creation of private digital signatures that can only be verified by the intended counterparty, while maintaining security against third-party tampering.

The BRC-3 standard not only provides a secure and interoperable solution for wallet implementations, but it also enables new use cases and experiences that were previously not possible. With a unified standard, different wallets can create and verify each other's digital signatures seamlessly, reducing friction and enabling greater innovation.

Specification

We start with the same constructs defined in BRC-43: users with clients, protocols and applications. We stipulate the use of BRC-43 invoice numbers in the context of BRC-42 key derivation, and we build on top of the permissions architecture defined by BRC-43.

When an application sends a message to a client requesting that data be signed, the message comprises:

  • The BRC-43 security level, protocol ID, key ID and counterparty to facilitate BRC-42 key derivation and permissioning

  • The data to sign

We stipulate the following process for digital signature creation:

  • The message signer begins by computing the BRC-43 invoice number based on the security level, protocol ID, and key ID

  • The message signer uses BRC-42 key derivation with the computed invoice number to derive their own child private key

  • The message signer computes the digital signature using ECDSA with their derived child private key (this specification is silent about ECDSA k-value utilization)

We stipulate the following process for message verification:

  • The verifier somehow comes to know the signature, the counterparty (signer), the security level, protocol ID, and key ID. The mechanism for conveying this information to the verifier is beyond the scope of this specification.

  • The verifier begins by computing the BRC-43 invoice number based on the security level, protocol ID, and key ID

  • The verifier uses BRC-42 key derivation with the computed invoice number, their own private key and the public key of the sender, to compute the signer's child public key

  • The verifier uses ECDSA to verify the signature against the message using the signer's child public key

We build upon the abstract messaging layer first described in BRC-1. Specifically, we define five new BRC-1 messages to facilitate requests and responses for signatures and verification operations, and error handling. For each of the messages, we stipulate that there exists some out-of-band mechanism for the parties to communicate which of the messages are being exchanged, removing the need for a message type field. Finally, specifically for the request messages, we stipulate that the message comprises a header and a payload, with the payload containing the data (ciphertext or plaintext), and the header containing the other information. For the response messages, no message header is defined and the payload simply contains the specified data.

Signature Creation Request

The signature creation request is a message sent by the BRC-43 application to the client. It contains a header with the following information:

FieldDescription

protocolID

The BRC-43 security level and protocol ID represented as an array. For example, [0, "hello world"] represents a level-0 protocol with open permissions, while [2, "document signing"] represents a level 2 protocol.

keyID

The BRC-43 key ID

counterparty

The BRC-43 counterparty, anyone or self

The message payload comprises the data to sign.

Signature Creation Response

The response message comprises the ECDSA digital signature in DER format.

Signature Verification Request

The signature verification request is a message sent by the application to the client. It contains a header with the following information:

FieldDescription

protocolID

The BRC-43 security level and protocol ID represented as an array. For example, [0, "hello world"] represents a level-0 protocol with open permissions, while [2, "document signing"] represents a level 2 protocol.

keyID

The BRC-43 key ID

counterparty

The BRC-43 counterparty, self or anyone

signature

The DER-formatted signature for verification

The message payload comprises the data to verify.

Signature Verification Response

The response message comprises a JSON payload containing the following fields:

FieldDescription

result

The value is true if the signature is valid, otherwise it is false.

Signature Error

If the client is unable to fulfill the signature creation or verification requests for any reason, we specify that it should respond with a JSON-formatted Signature Error. The fields for the object are specified as follows:

FieldDescription

status

This should always be a string comprising "error".

code

A machine-readable error code. Extensions to this standard can define specific error codes and standardize additional fields. Codes are strings, for example "ERR_VERIFICATION_FAILED".

description

All errors must have a human-readable description field that describes the error. This allows the application to represent the error for the user.

One example of a Signature Error is given below:

{
  "status": "error",
  "code": "ERR_PERMISSION_DENIED",
  "description": "You have denied permission for signing this data."
}

Test Vectors

For compatibility with this signature scheme, we stipulate the following:

Any user who knows the following identity private key (counterparty=anyone)...

0000000000000000000000000000000000000000000000000000000000000001

...should be able to use security level 0, the BRC3 Test protocolID with keyID 42 and the following counterparty (signer)...

02bc91718b3572462a471de6193f357b6e85ee0f8636cb87db456cb1590f913bea

...to verify the message with the following digital signature (DER format)...

3045022100f517cf5bf29fb6590e8f7cdca03e2549246e838456ce0a1faa26933ee68ea0e20220099365c0a400643a42924e592209ae711f4b233bffa5913a81576a33006d785c

The message that was signed is:

BRC-3 Compliance Validated!

Implementations

  • This digital signature capability is incorporated into the Babbage SDK

PreviousData Encryption and DecryptionNextInput Redemption

Last updated