mirrors/bitcoin-bips
1
0
Fork 0
mirror of https://github.com/bitcoin/bips.git synced 2025-03-04 03:03:53 +01:00
Code Issues Projects Releases Wiki Activity

Added more rationale

Browse source
This commit is contained in:
Andrew Toth 2025-01-17 09:48:27 -05:00
parent d375d8d2e9
commit a33c7035b1
No known key found for this signature in database
GPG key ID: 60007AFC8938B018
1 changed files with 12 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
bip-xxxx.mediawiki
View file

@ -13,6 +13,7 @@
</pre> </pre>
==Abstract== ==Abstract==
This document specifies a <tt>unspendable()</tt> key expression for output script descriptors. The <tt>unspendable()</tt> expression takes multiple public keys as input and produces an unspendable public key that can be independently verified by anyone with knowledge of all the constituent public keys. This document specifies a <tt>unspendable()</tt> key expression for output script descriptors. The <tt>unspendable()</tt> expression takes multiple public keys as input and produces an unspendable public key that can be independently verified by anyone with knowledge of all the constituent public keys.
==Copyright== ==Copyright==
@ -21,6 +22,8 @@ This BIP is licensed under the BSD 2-clause license.
==Motivation== ==Motivation==
When creating a multi-party Taproot transaction spending only from the script path, it is useful to be able to prove to all cosigners that they keypath is unspendable. Otherwise a malicious participant could use an internal key which they have the private key for and spend the transaction out from the rest of the participants.
This document introduces a mechanism to compute a NUMS (Nothing Up My Sleeve) point for use in the Taproot key path that: This document introduces a mechanism to compute a NUMS (Nothing Up My Sleeve) point for use in the Taproot key path that:
* Allows active participants involved in constructing the output script to independently verify the unspendable key. * Allows active participants involved in constructing the output script to independently verify the unspendable key.
* Prevents passive observers from recognizing that the key path is unspendable. * Prevents passive observers from recognizing that the key path is unspendable.
@ -82,8 +85,15 @@ Less than two derivation paths in a <tt>KEY</tt> expression:
A <tt>KEY</tt> expression is not an <tt>xpub</tt>: A <tt>KEY</tt> expression is not an <tt>xpub</tt>:
* <tt>tr(unspendable()/0, pk(0260b2003c386519fc9eadf2b5cf124dd8eea4c4e68d5e154050a9346ea98ce600))</tt> * <tt>tr(unspendable()/0, pk(0260b2003c386519fc9eadf2b5cf124dd8eea4c4e68d5e154050a9346ea98ce600))</tt>
A <tt>musig</tt> expression with derivation paths is used:
* <tt>tr(unspendable()/0, musig(xpub6ERApfZwUNrhLCkDtcHTcxd75RbzS1ed54G1LkBUHQVHQKqhMkhgbmJbZRkrgZw4koxb5JaHWkY4ALHY2grBGRjaDMzQLcgJvLJuZZvRcEL/0/0)/0/0)</tt>
==Rationale== ==Rationale==
The restrictions on <tt>KEY</tt> expressions is necessary to not allow multiple <tt>TREE</tt> expressions which would all produce the same merkle root to produce different internal keys.
* Using different lengths of derivation paths would allow a descriptor using a child xpub to generate a different key, while the merkle root would be identical.
* Not sorting the public keys would allow <tt>sortedmulti</tt> expressions to generate different keys depending on the order specified in the descriptor, while the merkle roots would be identical.
This proposal ensures: This proposal ensures:
* Compatibility with existing Taproot functionality by leveraging NUMS points. * Compatibility with existing Taproot functionality by leveraging NUMS points.
* Verifiability of unspendable constructions by participants, without exposing this property to outside observers. * Verifiability of unspendable constructions by participants, without exposing this property to outside observers.
@ -93,6 +103,8 @@ This proposal ensures:
This is backwards compatible with BIP386 by computing the unspendable key as a BIP380 <tt>KEY</tt> expression and replacing the <tt>unspendable</tt> expression as the first argument of the <tt>tr()</tt> expression. This is backwards compatible with BIP386 by computing the unspendable key as a BIP380 <tt>KEY</tt> expression and replacing the <tt>unspendable</tt> expression as the first argument of the <tt>tr()</tt> expression.
This is backwards compatible with BIP388, since the public keys are deduplicated. The key information vector will contain all the necessary public keys.
==Acknowledgements== ==Acknowledgements==
Thanks to Salvatore Ingala, Pieter Wuille, Antoine Poinsot, Andrew Kozlik and all others who Thanks to Salvatore Ingala, Pieter Wuille, Antoine Poinsot, Andrew Kozlik and all others who