Verifying SegWit messages

[OmegaStarScream]

I signed a message using my SegWit address (using the Trezor web interface). I tried multiple online services, and even Electrum for verifying the message, that didn't work. I was only able to verify it using Trezor for now. If someone is aware of a service where I could do that, please share it.

[TryNinja]

I don’t think there is any tool/service that supports it.

There is no standard way of signing Segwit messages, so they just did their way (thus they are the only ones supporting it so far).

For segwit addresses there is no standard. You can sign and verify only using trezor-trezor device. Which make this feature a bit pointless.

The problem is that there is no standard algorithm for verifying with segwit addresses. In particular, the site you mentioned will never accept a signature for a 3.. or bc1.. address as valid. It doesn't matter what signature you use. I think the same is true for Bitcoin Core. You can't create any signature for a 3.. or bc1.. address that Bitcoin Core would accept.

To solve this, we need a standard algorithm for segwit addresses and we need everyone to accept it.

The algorithm the TREZOR wallet uses is a straight-forward extension of the existing signature schemes. It signs the message with the public key and only changes the first character of the signature to indicate that it is a segwit address. Previously, the first character was either "H" for old uncompressed keys, or "I" for compressed keys (introduced 2012). We added "J" for segwit p2sh addresses (3...) and "K" for bc1q... addresses.

[o_e_l_e_o]

1. Sign a message with SegWit address using Electrum, so other people could verify it easier (since they just need to download Electrum)

This is the best option. If you already have a Trezor set up, it is very easy to import your wallets on to Electrum. Just download the latest version, set up a new wallet, select "Standard wallet" then "Use a hardware device", select your Trezor, and select native SegWit. Once it syncs, all the addresses your Trezor usually unlocks on your Trezor Wallet will be available on Electrum. You can sign a message in there, and it is easy for anyone else to verify.

[pooya87]

this is stupidly easy to implement though! there isn't any need for that much of a code change either. every function in any of these tools that is doing a message signature verification has a final step that derives the key from the public key they just recovered, in that last step they just have to add a 1 line code to derive a different address (P2WPKH or P2WSH). basically these are the steps:
1- decode base64
2- take first byte as indicator of "address type", first 32 byte is `r`, second 32 byte is `s`
3. take the message, hash it.
4. use 2+3 to find possible public keys (up to 4)
5. based on 2 (or in this case based on the address type user inputs) convert 4 result(s) to address(es)
6. check against the given address.

so only step 5 has to be modified.

[nc50lc]

AFAIK, Trezor implements it differently than Electrum's method.
It signs the legacy format of the address using the same private key of the SegWit address.

I'm not sure if it's Trezor or another Hardware wallet though.

For the meantime, here's an open-source "verifyer" of messages signed to SegWit addresses using Trezor wallet (not mine).
https://jhoenicke.github.io/brainwallet.github.io/#verify <- Different than the regular brainwallet/#verify link.
I already tried it, and it worked.

[pooya87]

AFAIK, Trezor implements it differently than Electrum's method.
It signs the legacy format of the address using the same private key of the SegWit address.

address doesn't even come in when you are signing a message with a private key and there is no difference between private keys! it is just a number.
the only difference is in the first byte of the 65 byte result. Electrum and all other old/unchanged tools are expecting the first byte to be 27 + [1-4] + [0 or 4] so basically a number between 28 and 32 but Trezor is adding an extra amount to indicate SegWit addresses, i haven't looked at the code to know what the amount is exactly but i believe it is [1 or 2] added based on being P2WPKH or P2WSH respectively.