Test Mode

All Guides

Understanding BIP-322: Generic Message Signing

A standard way to sign messages for modern Bitcoin address types.

Contents

1. What is BIP-322?

2. Why it exists

3. How it works

4. Taproot

5. VerifyBTC support

What is BIP-322?

BIP-322 is Bitcoin's generic signed message format. It was written for the address types that came after legacy P2PKH: native SegWit, script addresses, and Taproot.

The old message-signing method assumes a recoverable ECDSA signature. That is too narrow. A Bitcoin address may be controlled by a script, a witness program, or a Taproot key. BIP-322 uses Bitcoin Script itself as the common language.

The result is still simple for the user: sign this message with this wallet. The difference is in the proof format. It can represent more than one kind of spending condition.

Why it exists

BIP-137 works well for legacy message signatures. It encodes the address class in a header byte and recovers an ECDSA public key from the signature.

That design does not fit every modern address. Taproot uses Schnorr signatures. Script-based addresses may require a witness stack, not a single public key. Multisig and policy wallets can have conditions that are not visible from the address alone.

BIP-322 handles this by making the message proof look like a Bitcoin spending operation that cannot be broadcast. It proves the signer can satisfy the address script for the given message, without moving coins.

How it works

BIP-322 defines a virtual transaction pair. The first transaction commits to the message. The second transaction spends that virtual output using the script rules for the address being proved.

The verifier provides a message.

The wallet builds a message challenge for the address.

The wallet signs the challenge with the required script path.

The verifier checks the resulting witness or transaction data.

The BIP defines legacy, simple, and full formats. VerifyBTC accepts BIP-322 simple signatures for standard modern addresses.

Taproot

Taproot addresses are defined by BIP-341. They use Schnorr signatures from BIP-340 and Tapscript rules from BIP-342. BIP-322 is the message-signing scheme that lets those addresses prove control without spending funds.

In practice, this means a bc1p... address should not be treated as a legacy message-signing address. Use BIP-322.

VerifyBTC support

VerifyBTC checks the address network first. Production mode accepts mainnet addresses. Test mode accepts test-network addresses such as tb1..., m..., n..., and 2....

Verification tries BIP-322 simple signatures before falling back to BIP-137 for legacy signatures. Reports record the method used in the signature_method field.

  • Use BIP-322 for SegWit, Taproot, and script-based address proofs.
  • Use BIP-137 when a legacy wallet can only produce the classic base64 message signature.
  • Use BIP-127 when the proof is about reserve UTXOs, not a single address message signature.