ElementsProject / reserves

Proof-of-Reserves tool for Bitcoin
Creative Commons Zero v1.0 Universal

Safer Challenge #4

Open jonasnick opened 5 years ago

jonasnick commented 5 years ago

I haven't checked the code but from your explanations it seemed like the "challenge" could be a valid Bitcoin transaction such that the input being signed for does actually exist.

Just like the Bitcoin Core signmessage API, the "challenge" could be prepended with magic bytes that are guaranteed not to be a prefix of a transaction. In Bitcoin Core that's "Bitcoin Signed Message:\n" (but I'm missing the argument why that wouldn't be a valid prefix).

Additionally, I'd suggest renaming "challenge" to "message" for now. "Challenge" implies that it is provided by the verifier. "Message" implies nothing, so it has at least the same caveats as signmessage. Making the proofs actually non-replayable would require looking into the bigger context in which the proof-of-reserve tool is used.

stevenroose commented 5 years ago

In the BIP, I describe prefixing the challenge with "Proof-of-Reserves:" as well. I haven't implemented it yet; I have a refactor branch with updates from the BIP after review.

stevenroose commented 5 years ago

As for message vs challenge, that would change a bit of naming in the BIP. I see the point, though.
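The magic-prefix domain separation jonasnick describes, together with the "Proof-of-Reserves:" prefix stevenroose mentions, as an added Python example (not the reserves tool's code and not necessarily the BIP's exact encoding): it frames a message the way Bitcoin Core's signmessage does, hashes it, and gives the verifier-side check that rejects bytes lacking the expected magic. Framing the Proof-of-Reserves prefix with the same CompactSize encoding, and the version range used in looks_like_tx_version, are assumptions made for illustration.

```python
import hashlib

# Bitcoin Core's signmessage magic, as cited in the thread.
BITCOIN_MESSAGE_MAGIC = b"Bitcoin Signed Message:\n"
# Prefix stevenroose mentions; framing it like Core does is an assumption here.
POR_CHALLENGE_MAGIC = b"Proof-of-Reserves:"

def compact_size(n: int) -> bytes:
    """Bitcoin CompactSize (varint) encoding used for string lengths."""
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + n.to_bytes(2, "little")
    if n <= 0xFFFFFFFF:
        return b"\xfe" + n.to_bytes(4, "little")
    return b"\xff" + n.to_bytes(8, "little")

def read_compact_size(data: bytes):
    """Decode a CompactSize at the start of data; returns (value, bytes consumed)."""
    first = data[0]
    if first < 0xFD:
        return first, 1
    width = {0xFD: 2, 0xFE: 4, 0xFF: 8}[first]
    return int.from_bytes(data[1:1 + width], "little"), 1 + width

def frame(magic: bytes, message: bytes) -> bytes:
    """Serialize as Core does for signmessage: varint-prefixed magic, then varint-prefixed
    message. The first byte is the magic's length, so it never starts like a tx version."""
    return compact_size(len(magic)) + magic + compact_size(len(message)) + message

def domain_separated_digest(magic: bytes, message: bytes) -> bytes:
    """Double SHA-256 of the framing; with BITCOIN_MESSAGE_MAGIC this is the digest
    Bitcoin Core signs for signmessage, with POR_CHALLENGE_MAGIC the assumed variant."""
    framed = frame(magic, message)
    return hashlib.sha256(hashlib.sha256(framed).digest()).digest()

def unframe(data: bytes, magic: bytes):
    """Verifier side: return the inner message only if the expected magic framing is intact."""
    prefix = compact_size(len(magic)) + magic
    rest = data[len(prefix):]
    if not data.startswith(prefix) or not rest:
        return None
    n, used = read_compact_size(rest)
    return rest[used:] if len(rest) - used == n else None

def looks_like_tx_version(data: bytes) -> bool:
    """True if the first four bytes decode to a transaction version in use (assumed 1-3)."""
    return len(data) >= 4 and 1 <= int.from_bytes(data[:4], "little") <= 3
```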