The Common signature message section from BIP-341 would be amended to the following for Elements:
The function ''SigMsg(hash_type, ext_flag)'' computes the message being signed as a byte array. It is implicitly also a function of the spending transaction and the outputs it spends, but these are not listed to keep notation simple.
The parameter ''hash_type'' is an 8-bit unsigned value. The SIGHASH encodings from the legacy script system are reused, including SIGHASH_ALL, SIGHASH_NONE, SIGHASH_SINGLE, and SIGHASH_ANYONECANPAY, plus the default ''hash_type'' value ''0x00'' which results in signing over the whole transaction just as for SIGHASH_ALL. The following restrictions apply, which cause validation failure if violated:
- Using any undefined ''hash_type'' (not ''0x00'', ''0x01'', ''0x02'', ''0x03'', ''0x81'', ''0x82'', or ''0x83''). ('''Why reject unknown ''hash_type'' values?''' By doing so, it is easier to reason about the worst case amount of signature hashing an implementation with adequate caching must perform.)
- Using SIGHASH_SINGLE without a "corresponding output" (an output with the same index as the input being verified).
The parameter ''ext_flag'' is an integer in range 0-127, and is used for indicating (in the message) that extensions are added at the end of the message. ('''What extensions use the ''ext_flag'' mechanism?''' [[bip-0342.mediawiki|BIP342]] reuses the same common signature message algorithm, but adds BIP342-specific data at the end, which is indicated using ''ext_flag = 1''.)
If the parameters take acceptable values, the message is the concatenation of the following data, in order (with byte size of each item listed in parentheses). Numerical values in 2, 4, or 8-byte are encoded in little-endian (NEW) with the exception that non-confidential asset amounts are 8-byte big-endian (after their 0x01 version prefix).
- Blockchain data:
  - NEW ''genesis_block_txid'' (32): the txid of the blockchain's genesis block. (Rationale: Signatures cannot be reused across different Elements instances even if pubkeys are reused.)
  - NEW ''genesis_block_txid_again'' (32): the txid of the blockchain's genesis block. (Rationale: A 64 byte prefix creates a fixed midstate per Elements instance.)
- Control:
  - ''hash_type'' (1).
- Transaction data:
  - ''nVersion'' (4): the ''nVersion'' of the transaction.
  - ''nLockTime'' (4): the ''nLockTime'' of the transaction.
  - If the ''hash_type & 0x80'' does not equal SIGHASH_ANYONECANPAY:
    - NEW ''sha_outpoint_flags'' (32): the SHA256 of the serialization of the concatenation of one byte per input of the input's outpoint flags shifted right by 24 bits. The byte for a pegin input would be 0x40. The byte for an issuance input would be 0x80. The byte for both a pegin and issuance would be 0xc0.
    - ''sha_prevouts'' (32): the SHA256 of the serialization of all input outpoints.
    - UPDATED ''sha_amounts'' (32): the SHA256 of the serialization of pairs of all spent output nAssets along with their nValues.
    - ''sha_scriptpubkeys'' (32): the SHA256 of the serialization of all spent output ''scriptPubKey''s.
    - ''sha_sequences'' (32): the SHA256 of the serialization of all input ''nSequence''.
    - NEW ''sha_issuances'' (32): the SHA256 of the serialization of the concatenation of all input ''assetIssuance'' or '0x00' for inputs with no issuance. (Note: this is the same message hashed that is used in Elements Segwit V0 signatures.)
  - If ''hash_type & 3'' does not equal SIGHASH_NONE or SIGHASH_SINGLE:
    - ''sha_outputs'' (32): the SHA256 of the serialization of all outputs in CTxOut format.
- Data about this input:
  - ''spend_type'' (1): equal to ''(ext_flag * 2) + annex_present'', where ''annex_present'' is 0 if no annex is present, or 1 otherwise (the original witness stack has two or more witness elements, and the first byte of the last element is ''0x50'').
  - If ''hash_type & 0x80'' equals SIGHASH_ANYONECANPAY:
    - NEW ''outpoint_flag'' (1): the input's outpoint flags shifted right by 24 bits. The byte for a pegin input would be 0x40. The byte for an issuance input would be 0x80. The byte for both a pegin and issuance would be 0xc0.
    - ''outpoint'' (36): the COutPoint of this input (32-byte hash + 4-byte little-endian).
    - NEW ''nAsset'' (33): (possibly confidential) assetID of the previous output spent by this input.
    - UPDATED ''nValue'' (9--33): (possibly confidential) amount of the previous output spent by this input.
    - ''scriptPubKey'' (35): ''scriptPubKey'' of the previous output spent by this input, serialized as script inside CTxOut. Its size is always 35 bytes.
    - ''nSequence'' (4): ''nSequence'' of this input.
    - NEW if ''outpoint_flag & 0x80 == 0x80'': ''assetIssuance'' (74 -- 130): ''assetIssuance'' of this input.
  - If ''hash_type & 0x80'' does not equal SIGHASH_ANYONECANPAY:
    - ''input_index'' (4): index of this input in the transaction input vector. Index of the first input is 0.
  - If an annex is present (the lowest bit of ''spend_type'' is set):
    - ''sha_annex'' (32): the SHA256 of ''(compact_size(size of annex) || annex)'', where ''annex'' includes the mandatory ''0x50'' prefix.
- Data about this output:
  - If ''hash_type & 3'' equals SIGHASH_SINGLE:
    - ''sha_single_output'' (32): the SHA256 of the corresponding output in CTxOut format.
Furthermore replace ''hashTapSighash'' with ''hashTapSighash/Elements'' throughout BIP-341 and BIP-342.
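
The ''SigMsg'' layout above, assembled field by field with the two validation failures enforced (an added example, not code from Elements or the BIPs). The names ''SpentInput'' and ''sig_msg'' are hypothetical, and the caller is assumed to supply outpoints, assets, values, scriptPubKeys, issuances and outputs already in their consensus serialization; the final tagged hash is not computed here.

```python
import hashlib
from typing import NamedTuple
# Added example: container and function names are assumptions, not Elements code.
VALID_HASH_TYPES = {0x00, 0x01, 0x02, 0x03, 0x81, 0x82, 0x83}

def sha(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()

def compact_size(n: int) -> bytes:
    tag, width = (0xFD, 2) if n <= 0xFFFF else (0xFE, 4) if n <= 0xFFFFFFFF else (0xFF, 8)
    return bytes([n]) if n < 253 else bytes([tag]) + n.to_bytes(width, "little")

class SpentInput(NamedTuple):  # byte fields are assumed to be pre-serialized
    outpoint_flag: int         # outpoint flags >> 24 (0x40 pegin, 0x80 issuance)
    outpoint: bytes            # 36 bytes
    asset: bytes               # 33 bytes, nAsset of the spent output
    value: bytes               # 9..33 bytes, nValue of the spent output
    script_pubkey: bytes       # 35 bytes, as serialized inside CTxOut
    sequence: int
    issuance: bytes = b""      # 74..130 bytes when outpoint_flag & 0x80

def sig_msg(genesis, version, locktime, inputs, outputs, index, hash_type, ext_flag=0, annex=None):
    if hash_type not in VALID_HASH_TYPES or not 0 <= ext_flag <= 127:
        raise ValueError("undefined hash_type, or ext_flag outside 0-127")
    if hash_type & 3 == 3 and index >= len(outputs):
        raise ValueError("SIGHASH_SINGLE without a corresponding output")
    le4 = lambda n: n.to_bytes(4, "little")
    cat = lambda parts: sha(b"".join(parts))
    acp, me = bool(hash_type & 0x80), inputs[index]
    m = genesis * 2 + bytes([hash_type]) + le4(version) + le4(locktime)
    if not acp:  # commit to every input
        m += sha(bytes(i.outpoint_flag for i in inputs)) + cat(i.outpoint for i in inputs)
        m += cat(i.asset + i.value for i in inputs) + cat(i.script_pubkey for i in inputs)
        m += cat(le4(i.sequence) for i in inputs) + cat(i.issuance or b"\x00" for i in inputs)
    if hash_type & 3 not in (2, 3):  # neither SIGHASH_NONE nor SIGHASH_SINGLE
        m += cat(outputs)
    m += bytes([ext_flag * 2 + (annex is not None)])  # spend_type
    if acp:      # commit to this input only
        m += bytes([me.outpoint_flag]) + me.outpoint + me.asset + me.value
        m += me.script_pubkey + le4(me.sequence) + (me.issuance if me.outpoint_flag & 0x80 else b"")
    else:
        m += le4(index)
    if annex is not None:
        m += sha(compact_size(len(annex)) + annex)
    if hash_type & 3 == 3:
        m += sha(outputs[index])
    return m
```

With explicit (non-confidential) amounts and no annex, the default ''hash_type'' message is 302 bytes, which is BIP-341's 174 plus the 64-byte genesis prefix and the two new 32-byte hashes.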