mirror of
https://github.com/bitcoin/bips.git
synced 2024-11-19 01:40:05 +01:00
Merge branch 'master' into patch-4
This commit is contained in:
commit
f9a81b7791
@ -1,4 +1,4 @@
|
||||
People wishing to submit BIPs, first should propose their idea or document to the [https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev bitcoin-dev@lists.linuxfoundation.org] mailing list. After discussion, please open a PR. After copy-editing and acceptance, it will be published here.
|
||||
People wishing to submit BIPs, first should propose their idea or document to the [https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev bitcoin-dev@lists.linuxfoundation.org] mailing list (do <em>not</em> assign a number - read <a href="bip-0002.mediawiki">BIP 2</a> for the full process). After discussion, please open a PR. After copy-editing and acceptance, it will be published here.
|
||||
|
||||
We are fairly liberal with approving BIPs, and try not to be too involved in decision making on behalf of the community. The exception is in very rare cases of dispute resolution when a decision is contentious and cannot be agreed upon. In those cases, the conservative option will always be preferred.
|
||||
|
||||
@ -258,6 +258,13 @@ Those proposing changes should consider that ultimately consent may rest with th
|
||||
| Justus Ranvier
|
||||
| Informational
|
||||
| Draft
|
||||
|- style="background-color: #ffffcf"
|
||||
| [[bip-0048.mediawiki|48]]
|
||||
| Applications
|
||||
| Multi-Script Hierarchy for Multi-Sig Wallets
|
||||
| Fontaine
|
||||
| Standard
|
||||
| Proposed
|
||||
|- style="background-color: #cfffcf"
|
||||
| [[bip-0049.mediawiki|49]]
|
||||
| Applications
|
||||
@ -392,7 +399,7 @@ Those proposing changes should consider that ultimately consent may rest with th
|
||||
| Nicolas Dorier
|
||||
| Standard
|
||||
| Draft
|
||||
|- style="background-color: #ffffcf"
|
||||
|- style="background-color: #ffcfcf"
|
||||
| [[bip-0079.mediawiki|79]]
|
||||
| Applications
|
||||
| Bustapay :: a practical coinjoin protocol
|
||||
@ -434,6 +441,27 @@ Those proposing changes should consider that ultimately consent may rest with th
|
||||
| Ethan Kosakovsky
|
||||
| Informational
|
||||
| Draft
|
||||
|-
|
||||
| [[bip-0086.mediawiki|86]]
|
||||
| Applications
|
||||
| Key Derivation for Single Key P2TR Outputs
|
||||
| Andrew Chow
|
||||
| Standard
|
||||
| Draft
|
||||
|- style="background-color: #ffffcf"
|
||||
| [[bip-0087.mediawiki|87]]
|
||||
| Applications
|
||||
| Hierarchy for Deterministic Multisig Wallets
|
||||
| Robert Spigler
|
||||
| Standard
|
||||
| Proposed
|
||||
|- style="background-color: #ffffcf"
|
||||
| [[bip-0088.mediawiki|88]]
|
||||
| Applications
|
||||
| Hierarchical Deterministic Path Templates
|
||||
| Dmitry Petukhov
|
||||
| Informational
|
||||
| Proposed
|
||||
|- style="background-color: #cfffcf"
|
||||
| [[bip-0090.mediawiki|90]]
|
||||
|
|
||||
@ -577,8 +605,8 @@ Those proposing changes should consider that ultimately consent may rest with th
|
||||
|-
|
||||
| [[bip-0118.mediawiki|118]]
|
||||
| Consensus (soft fork)
|
||||
| SIGHASH_NOINPUT
|
||||
| Christian Decker
|
||||
| SIGHASH_ANYPREVOUT for Taproot Scripts
|
||||
| Christian Decker, Anthony Towns
|
||||
| Standard
|
||||
| Draft
|
||||
|-
|
||||
@ -645,6 +673,13 @@ Those proposing changes should consider that ultimately consent may rest with th
|
||||
| Standard
|
||||
| Draft
|
||||
|- style="background-color: #ffffcf"
|
||||
| [[bip-0129.mediawiki|129]]
|
||||
| Applications
|
||||
| Bitcoin Secure Multisig Setup (BSMS)
|
||||
| Hugo Nguyen, Peter Gray, Marko Bencun, Aaron Chen, Rodolfo Novak
|
||||
| Standard
|
||||
| Proposed
|
||||
|- style="background-color: #ffffcf"
|
||||
| [[bip-0130.mediawiki|130]]
|
||||
| Peer Services
|
||||
| sendheaders message
|
||||
@ -847,20 +882,20 @@ Those proposing changes should consider that ultimately consent may rest with th
|
||||
| Pieter Wuille, Greg Maxwell
|
||||
| Informational
|
||||
| Final
|
||||
|- style="background-color: #ffffcf"
|
||||
|- style="background-color: #cfffcf"
|
||||
| [[bip-0174.mediawiki|174]]
|
||||
| Applications
|
||||
| Partially Signed Bitcoin Transaction Format
|
||||
| Andrew Chow
|
||||
| Standard
|
||||
| Proposed
|
||||
|-
|
||||
| Final
|
||||
|- style="background-color: #ffcfcf"
|
||||
| [[bip-0175.mediawiki|175]]
|
||||
| Applications
|
||||
| Pay to Contract Protocol
|
||||
| Omar Shibli, Nicholas Gregory
|
||||
| Informational
|
||||
| Draft
|
||||
| Rejected
|
||||
|-
|
||||
| [[bip-0176.mediawiki|176]]
|
||||
|
|
||||
@ -953,6 +988,13 @@ Those proposing changes should consider that ultimately consent may rest with th
|
||||
| Standard
|
||||
| Draft
|
||||
|-
|
||||
| [[bip-0338.mediawiki|338]]
|
||||
| Peer Services
|
||||
| Disable transaction relay message
|
||||
| Suhas Daftuar
|
||||
| Standard
|
||||
| Draft
|
||||
|-
|
||||
| [[bip-0339.mediawiki|339]]
|
||||
| Peer Services
|
||||
| WTXID-based transaction relay
|
||||
@ -980,6 +1022,34 @@ Those proposing changes should consider that ultimately consent may rest with th
|
||||
| Pieter Wuille, Jonas Nick, Anthony Towns
|
||||
| Standard
|
||||
| Draft
|
||||
|- style="background-color: #ffffcf"
|
||||
| [[bip-0343.mediawiki|343]]
|
||||
| Consensus (soft fork)
|
||||
| Mandatory activation of taproot deployment
|
||||
| Shinobius, Michael Folkson
|
||||
| Standard
|
||||
| Proposed
|
||||
|-
|
||||
| [[bip-0350.mediawiki|350]]
|
||||
| Applications
|
||||
| Bech32m format for v1+ witness addresses
|
||||
| Pieter Wuille
|
||||
| Standard
|
||||
| Draft
|
||||
|-
|
||||
| [[bip-0370.mediawiki|370]]
|
||||
| Applications
|
||||
| PSBT Version 2
|
||||
| Andrew Chow
|
||||
| Standard
|
||||
| Draft
|
||||
|-
|
||||
| [[bip-0371.mediawiki|371]]
|
||||
| Applications
|
||||
| Taproot Fields for PSBT
|
||||
| Andrew Chow
|
||||
| Standard
|
||||
| Draft
|
||||
|}
|
||||
|
||||
<!-- IMPORTANT! See the instructions at the top of this page, do NOT JUST add BIPs here! -->
|
||||
|
@ -41,14 +41,14 @@ It also helps to make sure the idea is applicable to the entire community and no
|
||||
Once the champion has asked the Bitcoin community as to whether an idea has any chance of acceptance, a draft BIP should be presented to the [https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev Bitcoin development mailing list].
|
||||
This gives the author a chance to flesh out the draft BIP to make it properly formatted, of high quality, and to address additional concerns about the proposal.
|
||||
Following a discussion, the proposal should be submitted to the [https://github.com/bitcoin/bips BIPs git repository] as a pull request.
|
||||
This draft must be written in BIP style as described below, and named with an alias such as "bip-johndoe-infinitebitcoins" until the editor has assigned it a BIP number (authors MUST NOT self-assign BIP numbers).
|
||||
This draft must be written in BIP style as described below, and named with an alias such as "bip-johndoe-infinitebitcoins" until an editor has assigned it a BIP number (authors MUST NOT self-assign BIP numbers).
|
||||
|
||||
BIP authors are responsible for collecting community feedback on both the initial idea and the BIP before submitting it for review. However, wherever possible, long open-ended discussions on public mailing lists should be avoided. Strategies to keep the discussions efficient include: setting up a separate SIG mailing list for the topic, having the BIP author accept private comments in the early design phases, setting up a wiki page or git repository, etc. BIP authors should use their discretion here.
|
||||
|
||||
It is highly recommended that a single BIP contain a single key proposal or new idea. The more focused the BIP, the more successful it tends to be. If in doubt, split your BIP into several well-focused ones.
|
||||
|
||||
When the BIP draft is complete, the BIP editor will assign the BIP a number, label it as Standards Track, Informational, or Process, and merge the pull request to the BIPs git repository.
|
||||
The BIP editor will not unreasonably reject a BIP.
|
||||
When the BIP draft is complete, a BIP editor will assign the BIP a number, label it as Standards Track, Informational, or Process, and merge the pull request to the BIPs git repository.
|
||||
The BIP editors will not unreasonably reject a BIP.
|
||||
Reasons for rejecting BIPs include duplication of effort, disregard for formatting rules, being too unfocused or too broad, being technically unsound, not providing proper motivation or addressing backwards compatibility, or not in keeping with the Bitcoin philosophy.
|
||||
For a BIP to be accepted it must meet certain minimum criteria.
|
||||
It must be a clear and complete description of the proposed enhancement.
|
||||
@ -61,16 +61,19 @@ The BIP author may update the draft as necessary in the git repository. Updates
|
||||
|
||||
It occasionally becomes necessary to transfer ownership of BIPs to a new champion. In general, we'd like to retain the original author as a co-author of the transferred BIP, but that's really up to the original author. A good reason to transfer ownership is because the original author no longer has the time or interest in updating it or following through with the BIP process, or has fallen off the face of the 'net (i.e. is unreachable or not responding to email). A bad reason to transfer ownership is because you don't agree with the direction of the BIP. We try to build consensus around a BIP, but if that's not possible, you can always submit a competing BIP.
|
||||
|
||||
If you are interested in assuming ownership of a BIP, send a message asking to take over, addressed to both the original author and the BIP editor. If the original author doesn't respond to email in a timely manner, the BIP editor will make a unilateral decision (it's not like such decisions can't be reversed :).
|
||||
If you are interested in assuming ownership of a BIP, send a message asking to take over, addressed to both the original author and the BIP editors. If the original author doesn't respond to email in a timely manner, the BIP editors will make a unilateral decision (it's not like such decisions can't be reversed :).
|
||||
|
||||
===BIP Editors===
|
||||
|
||||
The current BIP editor is Luke Dashjr who can be contacted at [[mailto:luke_bipeditor@dashjr.org|luke_bipeditor@dashjr.org]].
|
||||
The current BIP editors are:
|
||||
|
||||
* Luke Dashjr ([[mailto:luke_bipeditor@dashjr.org|luke_bipeditor@dashjr.org]])
|
||||
* Kalle Alm ([[mailto:karljohan-alm@garage.co.jp|karljohan-alm@garage.co.jp]])
|
||||
|
||||
===BIP Editor Responsibilities & Workflow===
|
||||
|
||||
The BIP editor subscribes to the Bitcoin development mailing list.
|
||||
Off-list BIP-related correspondence should be sent (or CC'd) to luke_bipeditor@dashjr.org.
|
||||
The BIP editors subscribe to the Bitcoin development mailing list.
|
||||
Off-list BIP-related correspondence should be sent (or CC'd) to the BIP editors.
|
||||
|
||||
For each new BIP that comes in an editor does the following:
|
||||
|
||||
@ -186,13 +189,13 @@ The typical paths of the status of BIPs are as follows:
|
||||
<img src="bip-0002/process.png"></img>
|
||||
|
||||
Champions of a BIP may decide on their own to change the status between Draft, Deferred, or Withdrawn.
|
||||
The BIP editor may also change the status to Deferred when no progress is being made on the BIP.
|
||||
A BIP editor may also change the status to Deferred when no progress is being made on the BIP.
|
||||
|
||||
A BIP may only change status from Draft (or Rejected) to Proposed, when the author deems it is complete, has a working implementation (where applicable), and has community plans to progress it to the Final status.
|
||||
|
||||
BIPs should be changed from Draft or Proposed status, to Rejected status, upon request by any person, if they have not made progress in three years. Such a BIP may be changed to Draft status if the champion provides revisions that meaningfully address public criticism of the proposal, or to Proposed status if it meets the criteria required as described in the previous paragraph.
|
||||
|
||||
An Proposed BIP may progress to Final only when specific criteria reflecting real-world adoption has occurred. This is different for each BIP depending on the nature of its proposed changes, which will be expanded on below. Evaluation of this status change should be objectively verifiable, and/or be discussed on the development mailing list.
|
||||
A Proposed BIP may progress to Final only when specific criteria reflecting real-world adoption has occurred. This is different for each BIP depending on the nature of its proposed changes, which will be expanded on below. Evaluation of this status change should be objectively verifiable, and/or be discussed on the development mailing list.
|
||||
|
||||
When a Final BIP is no longer relevant, its status may be changed to Replaced or Obsolete (which is equivalent to Replaced). This change must also be objectively verifiable and/or discussed.
|
||||
|
||||
@ -326,7 +329,7 @@ For example, a preamble might include the following License header:
|
||||
|
||||
In this case, the BIP text is fully licensed under both the OSI-approved BSD 2-clause license as well as the GNU All-Permissive License, and anyone may modify and redistribute the text provided they comply with the terms of *either* license. In other words, the license list is an "OR choice", not an "AND also" requirement.
|
||||
|
||||
It is also possible to license source code differently from the BIP text. A optional License-Code header is placed after the License header. Again, each license must be referenced by their respective abbreviation given below.
|
||||
It is also possible to license source code differently from the BIP text. An optional License-Code header is placed after the License header. Again, each license must be referenced by their respective abbreviation given below.
|
||||
|
||||
For example, a preamble specifying the optional License-Code header might look like:
|
||||
|
||||
|
@ -16,13 +16,13 @@
|
||||
|
||||
This document specifies an alternative to [[bip-0009.mediawiki|BIP9]] that corrects for a number of perceived mistakes.
|
||||
Block heights are used for start and timeout rather than POSIX timestamps.
|
||||
It additionally introduces an additional activation parameter to guarantee activation of backward-compatible changes (further called "soft forks").
|
||||
It additionally introduces an activation parameter that can guarantee activation of backward-compatible changes (further called "soft forks").
|
||||
|
||||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.
|
||||
|
||||
==Motivation==
|
||||
|
||||
BIP9 introduced a mechanism for doing parallel soft forking deployments based on repurposing the block nVersion field. Activation is dependent on near unanimous hashrate signalling which may be impractical and result in veto by a small minority of non-signalling hashrate. Super majority hashrate based activation triggers allow for accelerated activation where the majority hash power enforces the new rules in lieu of full nodes upgrading. Since all consensus rules are ultimately enforced by full nodes, eventually any new soft fork will be enforced by the economy. This proposal combines these two aspects to provide eventual flag day activation after a reasonable time (recommended a year), as well as for accelerated activation by majority of hash rate before the flag date.
|
||||
BIP9 introduced a mechanism for doing parallel soft forking deployments based on repurposing the block nVersion field. Activation is dependent on near unanimous hashrate signalling which may be impractical and result in veto by a small minority of non-signalling hashrate. Super majority hashrate based activation triggers allow for accelerated activation where the majority hash power enforces the new rules in lieu of full nodes upgrading. Since all consensus rules are ultimately enforced by full nodes, eventually any new soft fork will be enforced by the economy. This proposal combines these two aspects to provide optional flag day activation after a reasonable time, as well as for accelerated activation by majority of hash rate before the flag date.
|
||||
|
||||
Due to using timestamps rather than block heights, it was found to be a risk that a sudden loss of significant hashrate could interfere with a late activation.
|
||||
|
||||
@ -34,26 +34,30 @@ Block time is somewhat unreliable and may be intentionally or unintentionally in
|
||||
|
||||
Each soft fork deployment is specified by the following per-chain parameters (further elaborated below):
|
||||
|
||||
# The '''name''' specifies a very brief description of the soft fork, reasonable for use as an identifier. For deployments described in a single BIP, it is recommended to use the name "bipN" where N is the appropriate BIP number.
|
||||
# The '''name''' specifies a very brief description of the soft fork, reasonable for use as an identifier.
|
||||
# The '''bit''' determines which bit in the nVersion field of the block is to be used to signal the soft fork lock-in and activation. It is chosen from the set {0,1,2,...,28}.
|
||||
# The '''startheight''' specifies the height of the first block at which the bit gains its meaning.
|
||||
# The '''timeoutheight''' specifies a block height at which the miner signalling ends. Once this height has been reached, if the soft fork has not yet locked in (excluding this block's bit state), the deployment is considered failed on all descendants of the block.
|
||||
# The '''threshold''' specifies the minimum number of block per retarget period which indicate lock-in of the soft fork during the subsequent period.
|
||||
# The '''minimum_activation_height''' specifies the height of the first block at which the soft fork is allowed to become active.
|
||||
# The '''lockinontimeout''' boolean if set to true, blocks are required to signal in the final period, ensuring the soft fork has locked in by timeoutheight.
|
||||
|
||||
===Selection guidelines===
|
||||
|
||||
The following guidelines are suggested for selecting these parameters for a soft fork:
|
||||
|
||||
# '''name''' should be selected such that no two softforks, concurrent or otherwise, ever use the same name.
|
||||
# '''bit''' should be selected such that no two concurrent softforks use the same bit.
|
||||
# '''startheight''' should be set to some block height in the future, approximately 30 days (or 4320 blocks) after a software release date including the soft fork. This allows for some release delays, while preventing triggers as a result of parties running pre-release software, and ensures a reasonable number of full nodes have upgraded prior to activation. It should be rounded up to the next height which begins a retarget period for simplicity.
|
||||
# '''timeoutheight''' should be 1 year, or 52416 blocks (26 retarget intervals) after '''startheight'''.
|
||||
# '''name''' should be selected such that no two softforks, concurrent or otherwise, ever use the same name. For deployments described in a single BIP, it is recommended to use the name "bipN" where N is the appropriate BIP number.
|
||||
# '''bit''' should be selected such that no two concurrent softforks use the same bit. The bit chosen should not overlap with active usage (legitimately or otherwise) for other purposes.
|
||||
# '''startheight''' should be set to some block height in the future. If '''minimum_activation_height''' is not going to be set, then '''startheight''' should be set to a height when a majority of economic activity is expected to have upgraded to software including the activation parameters. Some allowance should be made for potential release delays. If '''minimum_activation_height''' is going to be set, then '''startheight''' can be set to be soon after software with parameters is expected to be released. This shifts the time for upgrading from before signaling begins to during the LOCKED_IN state.
|
||||
# '''timeoutheight''' should be set to a block height when it is considered reasonable to expect the entire economy to have upgraded by, probably at least 1 year, or 52416 blocks (26 retarget intervals) after '''startheight'''.
|
||||
# '''threshold''' should be 1815 blocks (90% of 2016), or 1512 (75%) for testnet.
|
||||
# '''minimum_activation_height''' should be set to several retarget periods in the future if the '''startheight''' is to be very soon after software with parameters is expected to be released. '''minimum_activation_height''' should be set to a height when a majority of economic activity is expected to have upgraded to software including the activation parameters. This allows more time to be spent in the LOCKED_IN state so that nodes can upgrade. This may be set to 0 to have the LOCKED_IN state be a single retarget period.
|
||||
# '''lockinontimeout''' should be set to true for any softfork that is expected or found to have political opposition from a non-negligible percent of miners. (It can be set after the initial deployment, but cannot be cleared once set.)
|
||||
|
||||
A later deployment using the same bit is possible as long as the startheight is after the previous one's
|
||||
timeoutheight or activation, but it is discouraged until necessary, and even then recommended to have a pause in between to detect buggy software.
|
||||
|
||||
'''startheight''' and '''timeoutheight''' must be an exact multiple of 2016 (ie, at a retarget boundary), and '''timeoutheight''' must be at least 4096 blocks (2 retarget intervals) after '''startheight'''.
|
||||
'''startheight''', '''timeoutheight''', and '''minimum_activation_height''' must be an exact multiple of 2016 (ie, at a retarget boundary), and '''timeoutheight''' must be at least 4032 blocks (2 retarget intervals) after '''startheight'''.
|
||||
|
||||
===States===
|
||||
|
||||
@ -62,8 +66,8 @@ With each block and soft fork, we associate a deployment state. The possible sta
|
||||
# '''DEFINED''' is the first state that each soft fork starts out as. The genesis block is by definition in this state for each deployment.
|
||||
# '''STARTED''' for blocks at or beyond the startheight.
|
||||
# '''MUST_SIGNAL''' for one retarget period prior to the timeout, if LOCKED_IN was not reached and '''lockinontimeout''' is true.
|
||||
# '''LOCKED_IN''' for one retarget period after the first retarget period with STARTED (or MUST_SIGNAL) blocks of which at least threshold have the associated bit set in nVersion.
|
||||
# '''ACTIVE''' for all blocks after the LOCKED_IN retarget period.
|
||||
# '''LOCKED_IN''' for at least one retarget period after the first retarget period with STARTED (or MUST_SIGNAL) blocks of which at least threshold have the associated bit set in nVersion. A soft fork remains in LOCKED_IN until at least '''minimum_activation_height''' is reached.
|
||||
# '''ACTIVE''' for all blocks after the LOCKED_IN state.
|
||||
# '''FAILED''' for all blocks after the timeoutheight if LOCKED_IN is not reached.
|
||||
|
||||
===Bit flags===
|
||||
@ -79,18 +83,20 @@ for the purposes of this proposal, and support two future upgrades for different
|
||||
When a block nVersion does not have top bits 001, it is treated as if all
|
||||
bits are 0 for the purposes of deployments.
|
||||
|
||||
Miners should continue setting the bit in LOCKED_IN phase so uptake is visible, though this has no effect on consensus rules.
|
||||
|
||||
===New consensus rules===
|
||||
|
||||
The new consensus rules for each soft fork are enforced for each block that has ACTIVE state.
|
||||
|
||||
During the MUST_SIGNAL and LOCKED_IN phases, blocks that fail to signal are invalid.
|
||||
For flexibility, during the LOCKED_IN phase only, this rule does NOT require the top 3 bits to be set any particular way.
|
||||
During the MUST_SIGNAL phase, if '''(2016 - threshold)''' blocks in the retarget period have already failed to signal, any further blocks that fail to signal are invalid.
|
||||
|
||||
===State transitions===
|
||||
|
||||
<img src="bip-0008/states.png" align="middle"></img>
|
||||
|
||||
Note that when '''lockinontimeout''' is true, the LOCKED_IN state will be reached no later than at a height of '''timeoutheight''', and ACTIVE will be reached no later than at a height of '''timeoutheight + 2016'''.
|
||||
Note that when '''lockinontimeout''' is true, the LOCKED_IN state will be reached no later than at a height of '''timeoutheight'''.
|
||||
Regardless of the value of '''lockinontimeout''', if LOCKED_IN is reached, ACTIVE will be reached either one retarget period later, or at '''minimum_activation_height''', whichever comes later.
|
||||
|
||||
The genesis block has state DEFINED for each deployment, by definition.
|
||||
|
||||
@ -121,7 +127,7 @@ We remain in the initial state until we reach the start block height.
|
||||
|
||||
After a period in the STARTED state, we tally the bits set,
|
||||
and transition to LOCKED_IN if a sufficient number of blocks in the past period set the deployment bit in their
|
||||
version numbers. The threshold is ≥1916 blocks (95% of 2016), or ≥1512 for testnet (75% of 2016).
|
||||
version numbers.
|
||||
If the threshold hasn't been met, lockinontimeout is true, and we are at the last period before the timeout, then we transition to MUST_SIGNAL.
|
||||
If the threshold hasn't been met and we reach the timeout, we transition directly to FAILED.
|
||||
|
||||
@ -150,10 +156,14 @@ If we have finished a period of MUST_SIGNAL, we transition directly to LOCKED_IN
|
||||
case MUST_SIGNAL:
|
||||
return LOCKED_IN;
|
||||
|
||||
After a retarget period of LOCKED_IN, we automatically transition to ACTIVE.
|
||||
After at least one retarget period of LOCKED_IN, we automatically transition to ACTIVE if the minimum activation height is reached. Otherwise LOCKED_IN continues.
|
||||
|
||||
case LOCKED_IN:
|
||||
return ACTIVE;
|
||||
if (block.height >= minimum_activation_height) {
|
||||
return ACTIVE;
|
||||
} else {
|
||||
return LOCKED_IN;
|
||||
}
|
||||
|
||||
And ACTIVE and FAILED are terminal states, which a deployment stays in once they're reached.
|
||||
|
||||
@ -176,16 +186,23 @@ block, indexed by its parent.
|
||||
|
||||
===Mandatory signalling===
|
||||
|
||||
Blocks received while in the MUST_SIGNAL and LOCKED_IN phases must be checked to ensure that they signal. For example:
|
||||
Blocks received while in the MUST_SIGNAL phase must be checked to ensure that they signal as required. For example:
|
||||
|
||||
if (GetStateForBlock(block) == MUST_SIGNAL) {
|
||||
if ((block.nVersion & 0xE0000000) != 0x20000000 || ((block.nVersion >> bit) & 1) != 1) {
|
||||
return state.Invalid(BlockValidationResult::RECENT_CONSENSUS_CHANGE, "bad-version-bip8-must-signal");
|
||||
}
|
||||
}
|
||||
if (GetStateForBlock(block) == LOCKED_IN) {
|
||||
if (((block.nVersion >> bit) & 1) != 1) {
|
||||
return state.Invalid(BlockValidationResult::RECENT_CONSENSUS_CHANGE, "bad-version-bip8-locked-in");
|
||||
int nonsignal = 0;
|
||||
walk = block;
|
||||
while (true) {
|
||||
if ((walk.nVersion & 0xE0000000) != 0x20000000 || ((walk.nVersion >> bit) & 1) != 1) {
|
||||
++nonsignal;
|
||||
if (nonsignal > 2016 - threshold) {
|
||||
return state.Invalid(BlockValidationResult::RECENT_CONSENSUS_CHANGE, "bad-version-bip8-must-signal");
|
||||
}
|
||||
}
|
||||
if (walk.nHeight % 2016 == 0) {
|
||||
// checked every block in this retarget period
|
||||
break;
|
||||
}
|
||||
walk = walk.parent;
|
||||
}
|
||||
}
|
||||
|
||||
@ -226,7 +243,7 @@ The template Object is also extended:
|
||||
The "version" key of the template is retained, and used to indicate the server's preference of deployments.
|
||||
If versionbits is being used, "version" MUST be within the versionbits range of [0x20000000...0x3FFFFFFF].
|
||||
Miners MAY clear or set bits in the block version WITHOUT any special "mutable" key, provided they are listed among the template's "vbavailable" and (when clearing is desired) NOT included as a bit in "vbrequired".
|
||||
Servers MUST set bits in "vbrequired" for deployments in MUST_SIGNAL and LOCKED_IN states, to ensure blocks produced are valid.
|
||||
Servers MUST set bits in "vbrequired" for deployments in MUST_SIGNAL state, to ensure blocks produced are valid.
|
||||
|
||||
Softfork deployment names listed in "rules" or as keys in "vbavailable" may be prefixed by a '!' character.
|
||||
Without this prefix, GBT clients may assume the rule will not impact usage of the template as-is; typical examples of this would be when previously valid transactions cease to be valid, such as BIPs 16, 65, 66, 68, 112, and 113.
|
||||
|
@ -7,7 +7,8 @@ digraph {
|
||||
"DEFINED" -> "STARTED" [label="height >= start_height"];
|
||||
"STARTED" -> "MUST_SIGNAL" [label="height + 2016 >= timeoutheight AND lockinontimeout"];
|
||||
"STARTED" -> "FAILED" [label="height >= timeoutheight\nAND\nNOT lockinontimeout"];
|
||||
"LOCKED_IN" -> "ACTIVE" [label="always"];
|
||||
"LOCKED_IN" -> "ACTIVE" [label="height >= minimum_activation_height"];
|
||||
"LOCKED_IN":se -> "LOCKED_IN":ne [label="height < minimum_activation_height"];
|
||||
"MUST_SIGNAL" -> "LOCKED_IN" [label="always"];
|
||||
|
||||
edge [weight = 1];
|
||||
|
Binary file not shown.
Before Width: | Height: | Size: 45 KiB After Width: | Height: | Size: 59 KiB |
@ -1,14 +1,13 @@
|
||||
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
|
||||
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
|
||||
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
|
||||
<!-- Generated by graphviz version 2.42.3 (20191010.1750)
|
||||
<!-- Generated by graphviz version 2.46.1 (0)
|
||||
-->
|
||||
<!-- Title: %3 Pages: 1 -->
|
||||
<svg width="563pt" height="348pt"
|
||||
viewBox="0.00 0.00 563.00 348.37" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
|
||||
<!-- Pages: 1 -->
|
||||
<svg width="937pt" height="348pt"
|
||||
viewBox="0.00 0.00 937.00 348.37" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
|
||||
<g id="graph0" class="graph" transform="scale(1 1) rotate(0) translate(4 344.37)">
|
||||
<title>%3</title>
|
||||
<polygon fill="white" stroke="transparent" points="-4,4 -4,-344.37 559,-344.37 559,4 -4,4"/>
|
||||
<polygon fill="white" stroke="transparent" points="-4,4 -4,-344.37 933,-344.37 933,4 -4,4"/>
|
||||
<!-- DEFINED -->
|
||||
<g id="node1" class="node">
|
||||
<title>DEFINED</title>
|
||||
@ -16,7 +15,7 @@
|
||||
<text text-anchor="middle" x="72" y="-312.05" font-family="Arial" font-size="14.00">DEFINED</text>
|
||||
</g>
|
||||
<!-- DEFINED->DEFINED -->
|
||||
<g id="edge8" class="edge">
|
||||
<g id="edge9" class="edge">
|
||||
<title>DEFINED:sw->DEFINED:nw</title>
|
||||
<path fill="none" stroke="black" d="M18,-297.75C12,-287.25 0,-287.25 0,-315.75 0,-334.01 4.92,-340.57 10.04,-340.17"/>
|
||||
<polygon fill="black" stroke="black" points="12.41,-342.75 18,-333.75 8.02,-337.3 12.41,-342.75"/>
|
||||
@ -32,10 +31,10 @@
|
||||
<title>DEFINED->STARTED</title>
|
||||
<path fill="none" stroke="black" d="M72,-297.55C72,-285.91 72,-270.3 72,-256.99"/>
|
||||
<polygon fill="black" stroke="black" points="75.5,-256.93 72,-246.93 68.5,-256.93 75.5,-256.93"/>
|
||||
<text text-anchor="middle" x="133" y="-268.55" font-family="Times,serif" font-size="14.00">height >= start_height</text>
|
||||
<text text-anchor="middle" x="155" y="-268.55" font-family="Times,serif" font-size="14.00">height >= start_height</text>
|
||||
</g>
|
||||
<!-- STARTED->STARTED -->
|
||||
<g id="edge9" class="edge">
|
||||
<g id="edge10" class="edge">
|
||||
<title>STARTED:sw->STARTED:nw</title>
|
||||
<path fill="none" stroke="black" d="M18,-210.75C12,-200.25 0,-200.25 0,-228.75 0,-247.01 4.92,-253.57 10.04,-253.17"/>
|
||||
<polygon fill="black" stroke="black" points="12.41,-255.75 18,-246.75 8.02,-250.3 12.41,-255.75"/>
|
||||
@ -43,15 +42,15 @@
|
||||
<!-- MUST_SIGNAL -->
|
||||
<g id="node3" class="node">
|
||||
<title>MUST_SIGNAL</title>
|
||||
<path fill="#a0a0ff" stroke="black" stroke-width="2" d="M543,-246.75C543,-246.75 459,-246.75 459,-246.75 453,-246.75 447,-240.75 447,-234.75 447,-234.75 447,-222.75 447,-222.75 447,-216.75 453,-210.75 459,-210.75 459,-210.75 543,-210.75 543,-210.75 549,-210.75 555,-216.75 555,-222.75 555,-222.75 555,-234.75 555,-234.75 555,-240.75 549,-246.75 543,-246.75"/>
|
||||
<text text-anchor="middle" x="501" y="-225.05" font-family="Arial" font-size="14.00">MUST_SIGNAL</text>
|
||||
<path fill="#a0a0ff" stroke="black" stroke-width="2" d="M634,-246.75C634,-246.75 550,-246.75 550,-246.75 544,-246.75 538,-240.75 538,-234.75 538,-234.75 538,-222.75 538,-222.75 538,-216.75 544,-210.75 550,-210.75 550,-210.75 634,-210.75 634,-210.75 640,-210.75 646,-216.75 646,-222.75 646,-222.75 646,-234.75 646,-234.75 646,-240.75 640,-246.75 634,-246.75"/>
|
||||
<text text-anchor="middle" x="592" y="-225.05" font-family="Arial" font-size="14.00">MUST_SIGNAL</text>
|
||||
</g>
|
||||
<!-- STARTED->MUST_SIGNAL -->
|
||||
<g id="edge2" class="edge">
|
||||
<title>STARTED->MUST_SIGNAL</title>
|
||||
<path fill="none" stroke="black" d="M126.33,-228.75C205.44,-228.75 352.08,-228.75 436.54,-228.75"/>
|
||||
<polygon fill="black" stroke="black" points="436.77,-232.25 446.77,-228.75 436.77,-225.25 436.77,-232.25"/>
|
||||
<text text-anchor="middle" x="286.5" y="-235.55" font-family="Times,serif" font-size="14.00">height + 2016 >= timeoutheight AND lockinontimeout</text>
|
||||
<path fill="none" stroke="black" d="M126.18,-228.75C222.75,-228.75 424.19,-228.75 527.64,-228.75"/>
|
||||
<polygon fill="black" stroke="black" points="527.94,-232.25 537.94,-228.75 527.94,-225.25 527.94,-232.25"/>
|
||||
<text text-anchor="middle" x="332" y="-235.55" font-family="Times,serif" font-size="14.00">height + 2016 >= timeoutheight AND lockinontimeout</text>
|
||||
</g>
|
||||
<!-- FAILED -->
|
||||
<g id="node4" class="node">
|
||||
@ -64,57 +63,64 @@
|
||||
<title>STARTED->FAILED</title>
|
||||
<path fill="none" stroke="black" d="M72,-210.28C72,-191.69 72,-161.99 72,-140.25"/>
|
||||
<polygon fill="black" stroke="black" points="75.5,-140 72,-130 68.5,-140 75.5,-140"/>
|
||||
<text text-anchor="middle" x="139" y="-181.55" font-family="Times,serif" font-size="14.00">height >= timeoutheight</text>
|
||||
<text text-anchor="middle" x="139" y="-166.55" font-family="Times,serif" font-size="14.00">AND</text>
|
||||
<text text-anchor="middle" x="139" y="-151.55" font-family="Times,serif" font-size="14.00">NOT lockinontimeout</text>
|
||||
<text text-anchor="middle" x="162.5" y="-181.55" font-family="Times,serif" font-size="14.00">height >= timeoutheight</text>
|
||||
<text text-anchor="middle" x="162.5" y="-166.55" font-family="Times,serif" font-size="14.00">AND</text>
|
||||
<text text-anchor="middle" x="162.5" y="-151.55" font-family="Times,serif" font-size="14.00">NOT lockinontimeout</text>
|
||||
</g>
|
||||
<!-- LOCKED_IN -->
|
||||
<g id="node5" class="node">
|
||||
<title>LOCKED_IN</title>
|
||||
<path fill="#ffffa0" stroke="black" stroke-width="2" d="M543,-129.75C543,-129.75 459,-129.75 459,-129.75 453,-129.75 447,-123.75 447,-117.75 447,-117.75 447,-105.75 447,-105.75 447,-99.75 453,-93.75 459,-93.75 459,-93.75 543,-93.75 543,-93.75 549,-93.75 555,-99.75 555,-105.75 555,-105.75 555,-117.75 555,-117.75 555,-123.75 549,-129.75 543,-129.75"/>
|
||||
<text text-anchor="middle" x="501" y="-108.05" font-family="Arial" font-size="14.00">LOCKED_IN</text>
|
||||
<path fill="#ffffa0" stroke="black" stroke-width="2" d="M634,-129.75C634,-129.75 550,-129.75 550,-129.75 544,-129.75 538,-123.75 538,-117.75 538,-117.75 538,-105.75 538,-105.75 538,-99.75 544,-93.75 550,-93.75 550,-93.75 634,-93.75 634,-93.75 640,-93.75 646,-99.75 646,-105.75 646,-105.75 646,-117.75 646,-117.75 646,-123.75 640,-129.75 634,-129.75"/>
|
||||
<text text-anchor="middle" x="592" y="-108.05" font-family="Arial" font-size="14.00">LOCKED_IN</text>
|
||||
</g>
|
||||
<!-- STARTED->LOCKED_IN -->
|
||||
<g id="edge6" class="edge">
|
||||
<g id="edge7" class="edge">
|
||||
<title>STARTED->LOCKED_IN</title>
|
||||
<path fill="none" stroke="black" d="M126.15,-214.34C151.63,-207.94 182.41,-200.1 210,-192.75 281.79,-173.62 299.35,-167.41 371,-147.75 392.5,-141.85 416.03,-135.49 437.09,-129.83"/>
|
||||
<polygon fill="black" stroke="black" points="438.14,-133.17 446.89,-127.19 436.32,-126.41 438.14,-133.17"/>
|
||||
<text text-anchor="middle" x="434" y="-181.55" font-family="Times,serif" font-size="14.00">height < timeoutheight</text>
|
||||
<text text-anchor="middle" x="434" y="-166.55" font-family="Times,serif" font-size="14.00">AND</text>
|
||||
<text text-anchor="middle" x="434" y="-151.55" font-family="Times,serif" font-size="14.00">threshold reached</text>
|
||||
<path fill="none" stroke="black" d="M126.08,-218.75C163.11,-212.29 213.23,-202.95 257,-192.75 329.78,-175.79 346.33,-165.17 419,-147.75 454.78,-139.17 495.06,-130.94 527.74,-124.62"/>
|
||||
<polygon fill="black" stroke="black" points="528.47,-128.04 537.63,-122.72 527.15,-121.17 528.47,-128.04"/>
|
||||
<text text-anchor="middle" x="503.5" y="-181.55" font-family="Times,serif" font-size="14.00">height < timeoutheight</text>
|
||||
<text text-anchor="middle" x="503.5" y="-166.55" font-family="Times,serif" font-size="14.00">AND</text>
|
||||
<text text-anchor="middle" x="503.5" y="-151.55" font-family="Times,serif" font-size="14.00">threshold reached</text>
|
||||
</g>
|
||||
<!-- MUST_SIGNAL->LOCKED_IN -->
|
||||
<g id="edge5" class="edge">
|
||||
<g id="edge6" class="edge">
|
||||
<title>MUST_SIGNAL->LOCKED_IN</title>
|
||||
<path fill="none" stroke="black" d="M501,-210.28C501,-191.69 501,-161.99 501,-140.25"/>
|
||||
<polygon fill="black" stroke="black" points="504.5,-140 501,-130 497.5,-140 504.5,-140"/>
|
||||
<text text-anchor="middle" x="520" y="-166.55" font-family="Times,serif" font-size="14.00">always</text>
|
||||
<path fill="none" stroke="black" d="M592,-210.28C592,-191.69 592,-161.99 592,-140.25"/>
|
||||
<polygon fill="black" stroke="black" points="595.5,-140 592,-130 588.5,-140 595.5,-140"/>
|
||||
<text text-anchor="middle" x="616.5" y="-166.55" font-family="Times,serif" font-size="14.00">always</text>
|
||||
</g>
|
||||
<!-- FAILED->FAILED -->
|
||||
<g id="edge11" class="edge">
|
||||
<g id="edge12" class="edge">
|
||||
<title>FAILED:sw->FAILED:nw</title>
|
||||
<path fill="none" stroke="black" d="M18,-93.75C12,-83.25 0,-83.25 0,-111.75 0,-130.01 4.92,-136.57 10.04,-136.17"/>
|
||||
<polygon fill="black" stroke="black" points="12.41,-138.75 18,-129.75 8.02,-133.3 12.41,-138.75"/>
|
||||
</g>
|
||||
<!-- FAILED->LOCKED_IN -->
|
||||
<!-- LOCKED_IN->LOCKED_IN -->
|
||||
<g id="edge5" class="edge">
|
||||
<title>LOCKED_IN:se->LOCKED_IN:ne</title>
|
||||
<path fill="none" stroke="black" d="M646,-93.75C652,-83.25 664,-83.25 664,-111.75 664,-130.01 659.08,-136.57 653.96,-136.17"/>
|
||||
<polygon fill="black" stroke="black" points="655.98,-133.3 646,-129.75 651.59,-138.75 655.98,-133.3"/>
|
||||
<text text-anchor="middle" x="796.5" y="-108.05" font-family="Times,serif" font-size="14.00">height < minimum_activation_height</text>
|
||||
</g>
|
||||
<!-- ACTIVE -->
|
||||
<g id="node6" class="node">
|
||||
<title>ACTIVE</title>
|
||||
<path fill="#a0ffa0" stroke="black" stroke-width="2" d="M543,-42.75C543,-42.75 459,-42.75 459,-42.75 453,-42.75 447,-36.75 447,-30.75 447,-30.75 447,-18.75 447,-18.75 447,-12.75 453,-6.75 459,-6.75 459,-6.75 543,-6.75 543,-6.75 549,-6.75 555,-12.75 555,-18.75 555,-18.75 555,-30.75 555,-30.75 555,-36.75 549,-42.75 543,-42.75"/>
|
||||
<text text-anchor="middle" x="501" y="-21.05" font-family="Arial" font-size="14.00">ACTIVE</text>
|
||||
<path fill="#a0ffa0" stroke="black" stroke-width="2" d="M634,-42.75C634,-42.75 550,-42.75 550,-42.75 544,-42.75 538,-36.75 538,-30.75 538,-30.75 538,-18.75 538,-18.75 538,-12.75 544,-6.75 550,-6.75 550,-6.75 634,-6.75 634,-6.75 640,-6.75 646,-12.75 646,-18.75 646,-18.75 646,-30.75 646,-30.75 646,-36.75 640,-42.75 634,-42.75"/>
|
||||
<text text-anchor="middle" x="592" y="-21.05" font-family="Arial" font-size="14.00">ACTIVE</text>
|
||||
</g>
|
||||
<!-- LOCKED_IN->ACTIVE -->
|
||||
<g id="edge4" class="edge">
|
||||
<title>LOCKED_IN->ACTIVE</title>
|
||||
<path fill="none" stroke="black" d="M501,-93.55C501,-81.91 501,-66.3 501,-52.99"/>
|
||||
<polygon fill="black" stroke="black" points="504.5,-52.93 501,-42.93 497.5,-52.93 504.5,-52.93"/>
|
||||
<text text-anchor="middle" x="520" y="-64.55" font-family="Times,serif" font-size="14.00">always</text>
|
||||
<path fill="none" stroke="black" d="M592,-93.55C592,-81.91 592,-66.3 592,-52.99"/>
|
||||
<polygon fill="black" stroke="black" points="595.5,-52.93 592,-42.93 588.5,-52.93 595.5,-52.93"/>
|
||||
<text text-anchor="middle" x="730.5" y="-64.55" font-family="Times,serif" font-size="14.00">height >= minimum_activation_height</text>
|
||||
</g>
|
||||
<!-- ACTIVE->ACTIVE -->
|
||||
<g id="edge10" class="edge">
|
||||
<g id="edge11" class="edge">
|
||||
<title>ACTIVE:sw->ACTIVE:nw</title>
|
||||
<path fill="none" stroke="black" d="M447,-6.75C441,3.75 429,3.75 429,-24.75 429,-43.01 433.92,-49.57 439.04,-49.17"/>
|
||||
<polygon fill="black" stroke="black" points="441.41,-51.75 447,-42.75 437.02,-46.3 441.41,-51.75"/>
|
||||
<path fill="none" stroke="black" d="M538,-6.75C532,3.75 520,3.75 520,-24.75 520,-43.01 524.92,-49.57 530.04,-49.17"/>
|
||||
<polygon fill="black" stroke="black" points="532.41,-51.75 538,-42.75 528.02,-46.3 532.41,-51.75"/>
|
||||
</g>
|
||||
</g>
|
||||
</svg>
|
||||
|
Before Width: | Height: | Size: 7.9 KiB After Width: | Height: | Size: 8.4 KiB |
@ -19,9 +19,9 @@ This document specifies a proposed change to the semantics of the 'version' fiel
|
||||
|
||||
==Motivation==
|
||||
|
||||
BIP 34 introduced a mechanism for doing soft-forking changes without a predefined flag timestamp (or flag block height), instead relying on measuring miner support indicated by a higher version number in block headers. As it relies on comparing version numbers as integers however, it only supports one single change being rolled out at once, requiring coordination between proposals, and does not allow for permanent rejection: as long as one soft fork is not fully rolled out, no future one can be scheduled.
|
||||
[[bip-0034.mediawiki|BIP 34]] introduced a mechanism for doing soft-forking changes without a predefined flag timestamp (or flag block height), instead relying on measuring miner support indicated by a higher version number in block headers. As it relies on comparing version numbers as integers however, it only supports one single change being rolled out at once, requiring coordination between proposals, and does not allow for permanent rejection: as long as one soft fork is not fully rolled out, no future one can be scheduled.
|
||||
|
||||
In addition, BIP 34 made the integer comparison (nVersion >= 2) a consensus rule after its 95% threshold was reached, removing 2<sup>31</sup>+2 values from the set of valid version numbers (all negative numbers, as nVersion is interpreted as a signed integer, as well as 0 and 1). This indicates another downside this approach: every upgrade permanently restricts the set of allowed nVersion field values. This approach was later reused in BIP 66 and BIP 65, which further removed nVersions 2 and 3 as valid options. As will be shown further, this is unnecessary.
|
||||
In addition, BIP 34 made the integer comparison (nVersion >= 2) a consensus rule after its 95% threshold was reached, removing 2<sup>31</sup>+2 values from the set of valid version numbers (all negative numbers, as nVersion is interpreted as a signed integer, as well as 0 and 1). This indicates another downside this approach: every upgrade permanently restricts the set of allowed nVersion field values. This approach was later reused in [[bip-0066.mediawiki|BIP 66]] and [[bip-0065.mediawiki|BIP 65]], which further removed nVersions 2 and 3 as valid options. As will be shown further, this is unnecessary.
|
||||
|
||||
==Specification==
|
||||
|
||||
@ -195,9 +195,9 @@ If versionbits is being used, "version" MUST be within the versionbits range of
|
||||
Miners MAY clear or set bits in the block version WITHOUT any special "mutable" key, provided they are listed among the template's "vbavailable" and (when clearing is desired) NOT included as a bit in "vbrequired".
|
||||
|
||||
Softfork deployment names listed in "rules" or as keys in "vbavailable" may be prefixed by a '!' character.
|
||||
Without this prefix, GBT clients may assume the rule will not impact usage of the template as-is; typical examples of this would be when previously valid transactions cease to be valid, such as BIPs 16, 65, 66, 68, 112, and 113.
|
||||
Without this prefix, GBT clients may assume the rule will not impact usage of the template as-is; typical examples of this would be when previously valid transactions cease to be valid, such as BIPs [[bip-0016.mediawiki|16]], [[bip-0065.mediawiki|65]], [[bip-0066.mediawiki|66]], [[bip-0068.mediawiki|68]], [[bip-0112.mediawiki|112]], and [[bip-0113.mediawiki|113]].
|
||||
If a client does not understand a rule without the prefix, it may use it unmodified for mining.
|
||||
On the other hand, when this prefix is used, it indicates a more subtle change to the block structure or generation transaction; examples of this would be BIP 34 (because it modifies coinbase construction) and 141 (since it modifies the txid hashing and adds a commitment to the generation transaction).
|
||||
On the other hand, when this prefix is used, it indicates a more subtle change to the block structure or generation transaction; examples of this would be [[bip-0034.mediawiki|BIP 34]] (because it modifies coinbase construction) and [[bip-0141.mediawiki|141]] (since it modifies the txid hashing and adds a commitment to the generation transaction).
|
||||
A client that does not understand a rule prefixed by '!' must not attempt to process the template, and must not attempt to use it for mining even unmodified.
|
||||
|
||||
==Support for future changes==
|
||||
@ -205,7 +205,7 @@ A client that does not understand a rule prefixed by '!' must not attempt to pro
|
||||
The mechanism described above is very generic, and variations are possible for future soft forks. Here are some ideas that can be taken into account.
|
||||
|
||||
'''Modified thresholds'''
|
||||
The 1916 threshold (based on in BIP 34's 95%) does not have to be maintained for eternity, but changes should take the effect on the warning system into account. In particular, having a lock-in threshold that is incompatible with the one used for the warning system may have long-term effects, as the warning system cannot rely on a permanently detectable condition anymore.
|
||||
The 1916 threshold (based on BIP 34's 95%) does not have to be maintained for eternity, but changes should take the effect on the warning system into account. In particular, having a lock-in threshold that is incompatible with the one used for the warning system may have long-term effects, as the warning system cannot rely on a permanently detectable condition anymore.
|
||||
|
||||
'''Conflicting soft forks'''
|
||||
At some point, two mutually exclusive soft forks may be proposed. The naive way to deal with this is to never create software that implements both, but that is making a bet that at least one side is guaranteed to lose. Better would be to encode "soft fork X cannot be locked-in" as consensus rule for the conflicting soft fork - allowing software that supports both, but can never trigger conflicting changes.
|
||||
|
@ -58,10 +58,9 @@ The scheme component ("bitcoin:") is case-insensitive, and implementations must
|
||||
*label: Label for that address (e.g. name of receiver)
|
||||
*address: bitcoin address
|
||||
*message: message that describes the transaction to the user ([[#Examples|see examples below]])
|
||||
*size: amount of base bitcoin units ([[#Transfer amount/size|see below]])
|
||||
*(others): optional, for future extensions
|
||||
|
||||
==== Transfer amount/size ====
|
||||
==== Transfer amount ====
|
||||
|
||||
If an amount is provided, it MUST be specified in decimal BTC.
|
||||
All amounts MUST contain no commas and use a period (.) as the separating character to separate whole numbers and decimal fractions.
|
||||
|
@ -4,6 +4,7 @@ RECENT CHANGES:
|
||||
* (25 May 2013) Added test vectors
|
||||
* (15 Jan 2014) Rename keys with index ≥ 0x80000000 to hardened keys, and add explicit conversion functions.
|
||||
* (24 Feb 2017) Added test vectors for hardened derivation with leading zeros
|
||||
* (4 Nov 2020) Added new test vectors for hardened derivation with leading zeros
|
||||
|
||||
<pre>
|
||||
BIP: 32
|
||||
@ -118,7 +119,7 @@ To shorten notation, we will write CKDpriv(CKDpriv(CKDpriv(m,3<sub>H</sub>),2),5
|
||||
* N(m/a<sub>H</sub>/b/c) = N(m/a<sub>H</sub>/b)/c = N(m/a<sub>H</sub>)/b/c.
|
||||
However, N(m/a<sub>H</sub>) cannot be rewritten as N(m)/a<sub>H</sub>, as the latter is not possible.
|
||||
|
||||
Each leaf node in the tree corresponds to an actual key, while the internal nodes correspond to the collections of keys that descend from them. The chain codes of the leaf nodes are ignored, and only their embedded private or public key is relevant. Because of this construction, knowing an extended private key allows reconstruction of all descendant private keys and public keys, and knowing an extended public keys allows reconstruction of all descendant non-hardened public keys.
|
||||
Each leaf node in the tree corresponds to an actual key, while the internal nodes correspond to the collections of keys that descend from them. The chain codes of the leaf nodes are ignored, and only their embedded private or public key is relevant. Because of this construction, knowing an extended private key allows reconstruction of all descendant private keys and public keys, and knowing an extended public key allows reconstruction of all descendant non-hardened public keys.
|
||||
|
||||
===Key identifiers===
|
||||
|
||||
@ -274,7 +275,22 @@ Seed (hex): 4b381541583be4423346c643850da4b320e46a87ae3d2a4e6da11eba819cd4acba45
|
||||
|
||||
===Test vector 4===
|
||||
|
||||
This vector tests that invalid extended keys are recognized as invalid.
|
||||
These vectors test for the retention of leading zeros. See [https://github.com/btcsuite/btcutil/issues/172 btcsuite/btcutil#172] for more information.
|
||||
|
||||
Seed (hex): 3ddd5602285899a946114506157c7997e5444528f3003f6134712147db19b678
|
||||
* Chain m
|
||||
** ext pub: xpub661MyMwAqRbcGczjuMoRm6dXaLDEhW1u34gKenbeYqAix21mdUKJyuyu5F1rzYGVxyL6tmgBUAEPrEz92mBXjByMRiJdba9wpnN37RLLAXa
|
||||
** ext prv: xprv9s21ZrQH143K48vGoLGRPxgo2JNkJ3J3fqkirQC2zVdk5Dgd5w14S7fRDyHH4dWNHUgkvsvNDCkvAwcSHNAQwhwgNMgZhLtQC63zxwhQmRv
|
||||
* Chain m/0<sub>H</sub>
|
||||
** ext pub: xpub69AUMk3qDBi3uW1sXgjCmVjJ2G6WQoYSnNHyzkmdCHEhSZ4tBok37xfFEqHd2AddP56Tqp4o56AePAgCjYdvpW2PU2jbUPFKsav5ut6Ch1m
|
||||
** ext prv: xprv9vB7xEWwNp9kh1wQRfCCQMnZUEG21LpbR9NPCNN1dwhiZkjjeGRnaALmPXCX7SgjFTiCTT6bXes17boXtjq3xLpcDjzEuGLQBM5ohqkao9G
|
||||
* Chain m/0<sub>H</sub>/1<sub>H</sub>
|
||||
** ext pub: xpub6BJA1jSqiukeaesWfxe6sNK9CCGaujFFSJLomWHprUL9DePQ4JDkM5d88n49sMGJxrhpjazuXYWdMf17C9T5XnxkopaeS7jGk1GyyVziaMt
|
||||
** ext prv: xprv9xJocDuwtYCMNAo3Zw76WENQeAS6WGXQ55RCy7tDJ8oALr4FWkuVoHJeHVAcAqiZLE7Je3vZJHxspZdFHfnBEjHqU5hG1Jaj32dVoS6XLT1
|
||||
|
||||
===Test vector 5===
|
||||
|
||||
These vectors test that invalid extended keys are recognized as invalid.
|
||||
|
||||
* xpub661MyMwAqRbcEYS8w7XLSVeEsBXy79zSzH1J8vCdxAZningWLdN3zgtU6LBpB85b3D2yc8sfvZU521AAwdZafEz7mnzBBsz4wKY5fTtTQBm (pubkey version / prvkey mismatch)
|
||||
* xprv9s21ZrQH143K24Mfq5zL5MhWK9hUhhGbd45hLXo2Pq2oqzMMo63oStZzFGTQQD3dC4H2D5GBj7vWvSQaaBv5cxi9gafk7NF3pnBju6dwKvH (prvkey version / pubkey mismatch)
|
||||
|
@ -22,7 +22,7 @@ Bitcoin blocks and transactions are versioned binary structures. Both currently
|
||||
==Specification==
|
||||
|
||||
# Treat transactions with a version greater than 1 as non-standard (official Satoshi client will not mine or relay them).
|
||||
# Add height as the first item in the coinbase transaction's scriptSig, and increase block version to 2. The format of the height is "serialized CScript" -- first byte is number of bytes in the number (will be 0x03 on main net for the next 150 or so years with 2<sup>23</sup>-1 blocks), following bytes are little-endian representation of the number (including a sign bit). Height is the height of the mined block in the block chain, where the genesis block is height zero (0).
|
||||
# Add height as the first item in the coinbase transaction's scriptSig, and increase block version to 2. The format of the height is "minimally encoded serialized CScript" -- first byte is number of bytes in the number (will be 0x03 on main net for the next 150 or so years with 2<sup>23</sup>-1 blocks), following bytes are little-endian representation of the number (including a sign bit). Height is the height of the mined block in the block chain, where the genesis block is height zero (0).
|
||||
# 75% rule: If 750 of the last 1,000 blocks are version 2 or greater, reject invalid version 2 blocks. (testnet3: 51 of last 100)
|
||||
# 95% rule ("Point of no return"): If 950 of the last 1,000 blocks are version 2 or greater, reject all version 1 blocks. (testnet3: 75 of last 100)
|
||||
|
||||
|
@ -113,7 +113,14 @@ will make the desired wallet available.
|
||||
|
||||
==Wordlists==
|
||||
|
||||
* [[bip-0039/bip-0039-wordlists.md|Moved to separate document]]
|
||||
Since the vast majority of BIP39 wallets supports only the English wordlist,
|
||||
it is '''strongly discouraged''' to use non-English wordlists for generating
|
||||
the mnemonic sentences.
|
||||
|
||||
If you still feel your application really needs to use a localized wordlist,
|
||||
use one of the following instead of inventing your own.
|
||||
|
||||
* [[bip-0039/bip-0039-wordlists.md|Wordlists]]
|
||||
|
||||
==Test vectors==
|
||||
|
||||
@ -137,6 +144,9 @@ http://github.com/trezor/python-mnemonic
|
||||
Go:
|
||||
* https://github.com/tyler-smith/go-bip39
|
||||
|
||||
Python:
|
||||
* https://github.com/meherett/python-hdwallet
|
||||
|
||||
Elixir:
|
||||
* https://github.com/aerosol/mnemo
|
||||
|
||||
@ -153,7 +163,7 @@ Haskell:
|
||||
* https://github.com/NicolasDorier/NBitcoin
|
||||
|
||||
JavaScript:
|
||||
* https://github.com/bitpay/bitcore-mnemonic
|
||||
* https://github.com/bitpay/bitcore/tree/master/packages/bitcore-mnemonic
|
||||
* https://github.com/bitcoinjs/bip39 (used by [[https://github.com/blockchain/My-Wallet-V3/blob/v3.8.0/src/hd-wallet.js#L121-L146|blockchain.info]])
|
||||
|
||||
Java:
|
||||
@ -164,6 +174,10 @@ Ruby:
|
||||
|
||||
Rust:
|
||||
* https://github.com/maciejhirsz/tiny-bip39/
|
||||
* https://github.com/koushiro/bip0039-rs
|
||||
|
||||
Smalltalk:
|
||||
* https://github.com/eMaringolo/pharo-bip39mnemonic
|
||||
|
||||
Swift:
|
||||
* https://github.com/CikeQiu/CKMnemonic
|
||||
@ -177,3 +191,6 @@ C++:
|
||||
|
||||
C (with Python/Java/Javascript bindings):
|
||||
* https://github.com/ElementsProject/libwally-core
|
||||
|
||||
Python:
|
||||
* https://github.com/scgbckbone/btc-hd-wallet
|
||||
|
@ -9,6 +9,7 @@
|
||||
* [French](french.txt)
|
||||
* [Italian](italian.txt)
|
||||
* [Czech](czech.txt)
|
||||
* [Portuguese](portuguese.txt)
|
||||
|
||||
## Wordlists (Special Considerations)
|
||||
|
||||
@ -98,3 +99,19 @@ Words chosen using the following rules:
|
||||
6. No very similar words with 1 letter of difference.
|
||||
7. Words are sorting according English alphabet (Czech sorting has difference in "ch").
|
||||
8. No words already used in other language mnemonic sets (english, italian, french, spanish). Letters with diacritical marks from these sets are counted as analogous letters without diacritical marks.
|
||||
|
||||
### Portuguese
|
||||
|
||||
Credits: @alegotardo @bitmover-studio @brenorb @kuthullu @ninjastic @sabotag3x @Trimegistus
|
||||
|
||||
1. Words can be uniquely determined typing the first 4 characters.
|
||||
2. No accents or special characters.
|
||||
3. No complex verb forms.
|
||||
4. No plural words, unless there's no singular form.
|
||||
5. No words with double spelling.
|
||||
6. No words with the exact sound of another word with different spelling.
|
||||
7. No offensive words.
|
||||
8. No words already used in other language mnemonic sets.
|
||||
9. The words which have not the same spelling in Brazil and in Portugal are excluded.
|
||||
10. No words that remind negative/sad/bad things.
|
||||
11. No very similar words with 1 letter of difference.
|
||||
|
2048
bip-0039/portuguese.txt
Normal file
2048
bip-0039/portuguese.txt
Normal file
File diff suppressed because it is too large
Load Diff
251
bip-0048.mediawiki
Normal file
251
bip-0048.mediawiki
Normal file
@ -0,0 +1,251 @@
|
||||
<pre>
|
||||
BIP: 48
|
||||
Layer: Applications
|
||||
Title: Multi-Script Hierarchy for Multi-Sig Wallets
|
||||
Author: Fontaine <dentondevelopment@protonmail.com>
|
||||
Comments-Summary: No comments
|
||||
Comments-URI: https://github.com/bitcoin/bips/wiki/Comments:BIP-0048
|
||||
Status: Proposed
|
||||
Type: Standards Track
|
||||
Created: 2020-12-16
|
||||
License: MIT
|
||||
</pre>
|
||||
|
||||
==Abstract==
|
||||
|
||||
This BIP defines a logical hierarchy for deterministic multi-sig wallets based on an algorithm
|
||||
described in BIP-0067 (BIP67 from now on), BIP-0032 (BIP32 from now on), purpose scheme described in
|
||||
BIP-0043 (BIP43 from now on), and multi-account hierarchy described in
|
||||
BIP-0044 (BIP44 from now on).
|
||||
|
||||
This BIP is a particular application of BIP43.
|
||||
|
||||
==Copyright==
|
||||
|
||||
This BIP falls under the MIT License.
|
||||
|
||||
==Motivation==
|
||||
|
||||
The motivation of this BIP is to define the existing industry wide practice of utilizing m/48'
|
||||
derivation paths in hierarchical deterministic multi-sig wallets so that other developers may
|
||||
benefit from a standard. This BIP allows for future script types to easily be appended to the
|
||||
specification so that a new BIP is not required for every future script type.
|
||||
|
||||
The hierarchy proposed in this paper is quite comprehensive. It allows the handling of
|
||||
multiple accounts, external and internal chains per account, multiple script types and
|
||||
millions of addresses per chain.
|
||||
|
||||
This paper was inspired from BIP44.
|
||||
|
||||
==Backwards compatibility==
|
||||
|
||||
Currently a number of wallets utilize the <code>m/48'</code> derivation scheme for HD multi-sig accounts.
|
||||
This BIP is intended to maintain the *existing* real world use of the <code>m/48'</code> derivation.
|
||||
No breaking changes are made so as to avoid "loss of funds" to existing users.
|
||||
Wallet's which currently support the <code>m/48'</code> derivation will not need to make any changes
|
||||
to comply with this BIP.
|
||||
|
||||
==Specification==
|
||||
|
||||
===Key sorting===
|
||||
|
||||
Any wallet that supports BIP48 inherently supports deterministic key sorting as per BIP67 so that all possible
|
||||
multi-signature addresses/scripts are derived from deterministically sorted public keys.
|
||||
|
||||
===Path levels===
|
||||
|
||||
We define the following 6 levels in BIP32 path:
|
||||
|
||||
<pre>
|
||||
m / purpose' / coin_type' / account' / script_type' / change / address_index
|
||||
</pre>
|
||||
|
||||
<code>h</code> or <code>'</code> in the path indicates that BIP32 hardened derivation is used.
|
||||
|
||||
Each level has a special meaning, described in the chapters below.
|
||||
|
||||
===Purpose===
|
||||
|
||||
Purpose is a constant set to 48' following the BIP43 recommendation.
|
||||
It indicates that the subtree of this node is used according to this specification.
|
||||
|
||||
Hardened derivation is used at this level.
|
||||
|
||||
===Coin type===
|
||||
|
||||
One master node (seed) can be used for multiple Bitcoin networks.
|
||||
Sharing the same space for various networks has some disadvantages.
|
||||
|
||||
Avoiding reusing addresses across networks and improving privacy issues.
|
||||
|
||||
Coin type <code>0</code> for mainnet and <code>1</code> for testnet.
|
||||
|
||||
Hardened derivation is used at this level.
|
||||
|
||||
===Account===
|
||||
|
||||
This level splits the key space into independent user identities, following the BIP44 pattern,
|
||||
so the wallet never mixes the coins across different accounts.
|
||||
|
||||
Users can use these accounts to organize the funds in the same
|
||||
fashion as bank accounts; for donation purposes (where all
|
||||
addresses are considered public), for saving purposes,
|
||||
for common expenses etc.
|
||||
|
||||
Accounts are numbered from index 0 in sequentially increasing manner.
|
||||
This number is used as child index in BIP32 derivation.
|
||||
|
||||
Hardened derivation is used at this level.
|
||||
|
||||
===Script===
|
||||
|
||||
This level splits the key space into two separate <code>script_type</code>(s). To provide
|
||||
forward compatibility for future script types this specification can be easily extended.
|
||||
|
||||
Currently the only script types covered by this BIP are Native Segwit (p2wsh) and
|
||||
Nested Segwit (p2sh-p2wsh).
|
||||
|
||||
The following path represents Nested Segwit (p2sh-p2wsh) mainnet, account 0:
|
||||
<code>1'</code>: Nested Segwit (p2sh-p2wsh) <code>m/48'/0'/0'/1'</code></br>
|
||||
|
||||
The following path represents Native Segwit (p2wsh) mainnet, account 0:
|
||||
<code>2'</code>: Native Segwit (p2wsh) <code>m/48'/0'/0'/2'</code></br>
|
||||
|
||||
The recommended default for wallets is pay to witness script hash <code>m/48'/0'/0'/2'</code>.
|
||||
|
||||
To add new script types submit a PR to this specification and include it in the list above:
|
||||
<code>X'</code>: Future script type <code>m/48'/0'/0'/X'</code></br>
|
||||
|
||||
===Change===
|
||||
|
||||
Constant 0 is used for external chain and constant 1 for internal chain (also
|
||||
known as change addresses). External chain is used for addresses that are meant
|
||||
to be visible outside of the wallet (e.g. for receiving payments). Internal
|
||||
chain is used for addresses which are not meant to be visible outside of the
|
||||
wallet and is used for return transaction change.
|
||||
|
||||
Public derivation is used at this level.
|
||||
|
||||
===Index===
|
||||
|
||||
Addresses are numbered from index 0 in sequentially increasing manner.
|
||||
This number is used as child index in BIP32 derivation.
|
||||
|
||||
Public derivation is used at this level.
|
||||
|
||||
==Examples==
|
||||
|
||||
{|
|
||||
|network
|
||||
|account
|
||||
|script
|
||||
|chain
|
||||
|address
|
||||
|path
|
||||
|-
|
||||
|mainnet
|
||||
|first
|
||||
|p2wsh
|
||||
|external
|
||||
|first
|
||||
|m / 48' / 0' / 0' / 2' / 0 / 0
|
||||
|-
|
||||
|mainnet
|
||||
|first
|
||||
|p2wsh
|
||||
|external
|
||||
|second
|
||||
|m / 48' / 0' / 0' / 2' / 0 / 1
|
||||
|-
|
||||
|mainnet
|
||||
|first
|
||||
|p2wsh
|
||||
|change
|
||||
|first
|
||||
|m / 48' / 0' / 0' / 2' / 1 / 0
|
||||
|-
|
||||
|mainnet
|
||||
|first
|
||||
|p2wsh
|
||||
|change
|
||||
|second
|
||||
|m / 48' / 0' / 0' / 2' / 1 / 1
|
||||
|-
|
||||
|mainnet
|
||||
|second
|
||||
|p2wsh
|
||||
|external
|
||||
|first
|
||||
|m / 48' / 0' / 1' / 2' / 0 / 0
|
||||
|-
|
||||
|mainnet
|
||||
|second
|
||||
|p2wsh
|
||||
|external
|
||||
|second
|
||||
|m / 48' / 0' / 1' / 2' / 0 / 1
|
||||
|-
|
||||
|testnet
|
||||
|first
|
||||
|p2sh-p2wsh
|
||||
|external
|
||||
|first
|
||||
|m / 48' / 1' / 0' / 1' / 0 / 0
|
||||
|-
|
||||
|testnet
|
||||
|first
|
||||
|p2wsh
|
||||
|external
|
||||
|second
|
||||
|m / 48' / 1' / 0' / 2' / 0 / 1
|
||||
|-
|
||||
|testnet
|
||||
|first
|
||||
|p2wsh
|
||||
|change
|
||||
|first
|
||||
|m / 48' / 1' / 0' / 2' / 1 / 0
|
||||
|-
|
||||
|testnet
|
||||
|first
|
||||
|p2wsh
|
||||
|change
|
||||
|second
|
||||
|m / 48' / 1' / 0' / 2' / 1 / 1
|
||||
|-
|
||||
|testnet
|
||||
|second
|
||||
|p2wsh
|
||||
|external
|
||||
|first
|
||||
|m / 48' / 1' / 1' / 2' / 0 / 0
|
||||
|-
|
||||
|testnet
|
||||
|second
|
||||
|p2wsh
|
||||
|external
|
||||
|second
|
||||
|m / 48' / 1' / 1' / 2' / 0 / 1
|
||||
|-
|
||||
|testnet
|
||||
|second
|
||||
|p2wsh
|
||||
|change
|
||||
|first
|
||||
|m / 48' / 1' / 1' / 2' / 1 / 0
|
||||
|-
|
||||
|testnet
|
||||
|second
|
||||
|p2wsh
|
||||
|change
|
||||
|second
|
||||
|m / 48' / 1' / 1' / 2' / 1 / 1
|
||||
|}
|
||||
|
||||
|
||||
==Reference==
|
||||
|
||||
* [[bip-0067.mediawiki|BIP67 - Deterministic Pay-to-script-hash multi-signature addresses through public key sorting]]
|
||||
* [[bip-0032.mediawiki|BIP32 - Hierarchical Deterministic Wallets]]
|
||||
* [[bip-0043.mediawiki|BIP43 - Purpose Field for Deterministic Wallets]]
|
||||
* [[bip-0044.mediawiki|BIP44 - Multi-Account Hierarchy for Deterministic Wallets]]
|
@ -209,7 +209,7 @@ In such case, the receiver will need to increase the fee of the transaction afte
|
||||
* The sender's wallet software is using round fee rate.
|
||||
|
||||
If the sender's fee rate is always round, then a blockchain analyst can easily spot the transactions of the sender involving payjoin by checking if, when removing a single input to the suspected payjoin transaction, the resulting fee rate is round.
|
||||
To prevent this, the sender can agree to pay more more fee so the receiver make sure that the payjoin transaction fee is also round.
|
||||
To prevent this, the sender can agree to pay more fee so the receiver make sure that the payjoin transaction fee is also round.
|
||||
|
||||
* The sender's transaction is time sensitive.
|
||||
|
||||
@ -249,7 +249,7 @@ The receiver needs to do some check on the original PSBT before proceeding:
|
||||
===Sender's payjoin proposal checklist===
|
||||
|
||||
The sender should check the payjoin proposal before signing it to prevent a malicious receiver from stealing money.
|
||||
|
||||
|
||||
* Verify that the absolute fee of the payjoin proposal is equals or higher than the original PSBT.
|
||||
* If the receiver's BIP21 signalled <code>pjos=0</code>, disable payment output substitution.
|
||||
* Verify that the transaction version, and the nLockTime are unchanged.
|
||||
@ -272,7 +272,7 @@ The sender should check the payjoin proposal before signing it to prevent a mali
|
||||
** If the output is the [[#fee-output|fee output]]:
|
||||
*** The amount that was substracted from the output's value is less than or equal to <code>maxadditionalfeecontribution</code>. Let's call this amount <code>actual contribution</code>.
|
||||
*** Make sure the actual contribution is only paying fee: The <code>actual contribution</code> is less than or equals to the difference of absolute fee between the payjoin proposal and the original PSBT.
|
||||
*** Make sure the actual contribution is only paying for fee incurred by additional inputs: <code>actual contribution</code> is less than or equals to <code>originalPSBTFeeRate * vsize(sender_input_type) * (count(original_psbt_inputs) - count(payjoin_proposal_inputs))</code>. (see [[#fee-output|Fee output]] section)
|
||||
*** Make sure the actual contribution is only paying for fee incurred by additional inputs: <code>actual contribution</code> is less than or equals to <code>originalPSBTFeeRate * vsize(sender_input_type) * (count(payjoin_proposal_inputs) - count(original_psbt_inputs))</code>. (see [[#fee-output|Fee output]] section)
|
||||
** If the output is the payment output and payment output substitution is allowed.
|
||||
*** Do not make any check
|
||||
** Else
|
||||
@ -325,7 +325,7 @@ Because the receiver needs to bump the fee to keep the same fee rate as the orig
|
||||
|
||||
The validation (policy and consensus) of the original transaction is optional: a receiver without a full node can decide to create the payjoin transaction and automatically broadcast the original transaction after a timeout of 1 minute, and only verify that it has been propagated in the network.
|
||||
|
||||
However, non-interactive receivers (like a payment processor) need to verify the transaction to prevent UTXO probing attacks.
|
||||
However, non-interactive receivers (like a payment processor) need to verify the transaction to prevent UTXO probing attacks.
|
||||
|
||||
This is not a concern for interactive receivers like Wasabi Wallet, because those receivers can just limit the number of original PSBT proposals of a specific address to one. With such wallets, the attacker has no way to generate new deposit addresses to probe the UTXOs.
|
||||
|
||||
@ -498,7 +498,7 @@ public async Task<PSBT> RequestPayjoin(
|
||||
if (proposedPSBTInput.NonWitnessUtxo != null || proposedPSBTInput.WitnessUtxo != null)
|
||||
throw new PayjoinSenderException("The receiver added non_witness_utxo or witness_utxo to one of our inputs");
|
||||
sequences.Add(proposedTxIn.Sequence);
|
||||
|
||||
|
||||
// Fill up the info from the original PSBT input so we can sign and get fees.
|
||||
proposedPSBTInput.NonWitnessUtxo = input.SignedPSBTInput.NonWitnessUtxo;
|
||||
proposedPSBTInput.WitnessUtxo = input.SignedPSBTInput.WitnessUtxo;
|
||||
@ -660,7 +660,7 @@ A successful exchange with:
|
||||
* [[https://github.com/BlueWallet/BlueWallet|BlueWallet]] is in the process of implementing the protocol.
|
||||
* [[https://github.com/btcpayserver/btcpayserver|BTCPay Server]] has implemented sender and receiver side of this protocol.
|
||||
* [[https://github.com/zkSNACKs/WalletWasabi/|Wasabi Wallet]] has merged sender's support.
|
||||
* [[https://github.com/JoinMarket-Org/joinmarket-clientserver|Join Market]] is in the process of implementing the protocol.
|
||||
* [[https://github.com/JoinMarket-Org/joinmarket-clientserver|Join Market]] has implemented sender and receiver side of this protocol.
|
||||
* [[https://github.com/bitcoinjs/payjoin-client|JavaScript sender implementation]].
|
||||
|
||||
==Backward compatibility==
|
||||
|
@ -68,7 +68,7 @@ The template transaction should be sent to the receiver via an HTTP POST to the
|
||||
|
||||
The receiver is then responsible for validating the template transaction. If there is a problem with the transaction, or the receiver is generally unhappy with the transaction (e.g. fees are too small) the HTTP response code of 422 should be used and a human-readable string containing information on why which can be directly given to the user.
|
||||
|
||||
Should the receiver reject a transaction, it should not attempt to propagate it on the network. However it is important for the sender to be aware that the receiver *could* at any time (regardless of which error was given) send this transaction. The client should therefor assume the receiver will, and act accordingly (either retry with adjustments or just propagate the transaction). It is imperative that the sender never finds themselves in a situation where two payments to the sender could be valid.
|
||||
Should the receiver reject a transaction, it should not attempt to propagate it on the network. However it is important for the sender to be aware that the receiver *could* at any time (regardless of which error was given) send this transaction. The client should therefore assume the receiver will, and act accordingly (either retry with adjustments or just propagate the transaction). It is imperative that the sender never finds themselves in a situation where two payments to the sender could be valid.
|
||||
|
||||
=== Contributed Input Choice ===
|
||||
|
||||
@ -118,7 +118,7 @@ For anyone wanting to implement bustapay payments, here are some notes for recei
|
||||
|
||||
== Backwards Compatibility ==
|
||||
|
||||
Bustapay is an optional payment protocol and therefor has no backwards compatibility concerns. It in fact can only be supported in addition to normal transaction processing, as falling back to a normal bitcoin transaction is a required behavior.
|
||||
Bustapay is an optional payment protocol and therefore has no backwards compatibility concerns. It in fact can only be supported in addition to normal transaction processing, as falling back to a normal bitcoin transaction is a required behavior.
|
||||
|
||||
|
||||
== Credits ==
|
||||
|
@ -25,6 +25,8 @@ As HD keychains are essentially derived from initial entropy, this proposal prov
|
||||
|
||||
==Definitions==
|
||||
|
||||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.
|
||||
|
||||
The terminology related to keychains used in the wild varies widely, for example `seed` has various different meanings. In this document we define the terms
|
||||
|
||||
# '''BIP32 root key''' is the root extended private key that is represented as the top root of the keychain in BIP32.
|
||||
@ -33,19 +35,19 @@ The terminology related to keychains used in the wild varies widely, for example
|
||||
|
||||
==Motivation==
|
||||
|
||||
Most wallets implement BIP32 which defines how a BIP32 root key can be used to derive keychains. As a consequence, a backup of just the BIP32 root key is sufficient to include all keys derived from it. BIP32 does not have a human friendly serialization of the BIP32 root key (or BIP32 extended keys in general) which makes paper backups or manually restoring the key more error-prone. BIP39 was designed solve this problem but rather than serialize the BIP32 root key, it takes some entropy, encoded to a "seed mnemonic", which is then hashed to derive the BIP39 seed which can be turned into the BIP32 root key. Saving the BIP39 mnemonic is enough to reconstruct the entire BIP32 keychain, but a BIP32 root key cannot be reversed back to the BIP39 mnemonic.
|
||||
Most wallets implement BIP32 which defines how a BIP32 root key can be used to derive keychains. As a consequence, a backup of just the BIP32 root key is sufficient to include all keys derived from it. BIP32 does not have a human friendly serialization of the BIP32 root key (or BIP32 extended keys in general) which makes paper backups or manually restoring the key more error-prone. BIP39 was designed to solve this problem but rather than serialize the BIP32 root key, it takes some entropy, encoded to a "seed mnemonic", which is then hashed to derive the BIP39 seed which can be turned into the BIP32 root key. Saving the BIP39 mnemonic is enough to reconstruct the entire BIP32 keychain, but a BIP32 root key cannot be reversed back to the BIP39 mnemonic.
|
||||
|
||||
Most wallets implement BIP39, so on initialization or restoration, the user must interact with a BIP39 mnemonic. Most wallets do not support of BIP32 extended private keys so each wallet must either share the same BIP39 mnemonic, or have a separate BIP39 mnemonic entirely. Neither scenarios are particularly satisfactory for security reasons. For example, some wallets may be inherently less secure like hot wallets on smartphones, Join Market servers, Lightning Network nodes. Having multiple seeds is far from desirable especially for those who rely on split key or redundancy backups in different geological locations. Adding is necessarily difficult and may result in users being more lazy with subsequent keys, such that compromises security or leads to key loss.
|
||||
Most wallets implement BIP39, so on initialization or restoration, the user must interact with a BIP39 mnemonic. Most wallets do not support BIP32 extended private keys, so each wallet must either share the same BIP39 mnemonic, or have a separate BIP39 mnemonic entirely. Neither scenarios are particularly satisfactory for security reasons. For example, some wallets may be inherently less secure like hot wallets on smartphones, Join Market servers, or Lightning Network nodes. Having multiple seeds is far from desirable, especially for those who rely on split key or redundancy backups in different geological locations. Adding is necessarily difficult and may result in users being more lazy with subsequent keys, resulting in compromised security or loss of keys.
|
||||
|
||||
There is added complication with wallets that implement other standards, or no standards at all. Bitcoin Core wallet uses a WIF as the ''hdseed'', and yet other wallets use different mnemonic schemes like Electrum to derive the BIP32 root key. Other cryptocurrencies like Monero also use a different mnemonic scheme entirely.
|
||||
There is added complication with wallets that implement other standards, or no standards at all. Bitcoin Core wallet uses a WIF as the ''hdseed'', and yet other wallets like Electrum use different mnemonic schemes to derive the BIP32 root key. Other cryptocurrencies like Monero also use an entirely different mnemonic scheme.
|
||||
|
||||
Ultimately, all of the mnemonic/seed schemes start with some "initial entropy" to derive a mnemonic/seed, and then process the mnemonic into a BIP32 key, or private key. We can use BIP32 itself to derive the "initial entropy" to then recreate the same mnemonic or seed according the specific application standard of the target wallet. We can use a BIP44 like categorization to ensure unitform derivation according to the target application type.
|
||||
Ultimately, all of the mnemonic/seed schemes start with some "initial entropy" to derive a mnemonic/seed, and then process the mnemonic into a BIP32 key, or private key. We can use BIP32 itself to derive the "initial entropy" to then recreate the same mnemonic or seed according to the specific application standard of the target wallet. We can use a BIP44-like categorization to ensure uniform derivation according to the target application type.
|
||||
|
||||
==Specification==
|
||||
|
||||
We assume a single BIP32 master root key. This specification is not concerned with how this was derived (e.g. directly or via a mnemonic scheme such as BIP39).
|
||||
|
||||
For each application that requires its own wallet, a unique private key is derived from the BIP32 master root key using fully hardened derivation path. The resulting private key (k) is then processed with HMAC-SHA512, where the key is "bip-entropy-from-k", and the message payload is the private key k: <code>HMAC-SHA512(key="bip-entropy-from-k", msg=k)</code>. The result produces 512 bits of entropy. Each application SHOULD use up to the required number of bits necessary for their operation truncating the rest
|
||||
For each application that requires its own wallet, a unique private key is derived from the BIP32 master root key using a fully hardened derivation path. The resulting private key (k) is then processed with HMAC-SHA512, where the key is "bip-entropy-from-k", and the message payload is the private key k: <code>HMAC-SHA512(key="bip-entropy-from-k", msg=k)</code>. The result produces 512 bits of entropy. Each application SHOULD use up to the required number of bits necessary for their operation truncating the rest.
|
||||
|
||||
The HMAC-SHA512 function is specified in [http://tools.ietf.org/html/rfc4231 RFC 4231].
|
||||
|
||||
@ -69,28 +71,57 @@ OUTPUT
|
||||
* DERIVED KEY=503776919131758bb7de7beb6c0ae24894f4ec042c26032890c29359216e21ba
|
||||
* DERIVED ENTROPY=70c6e3e8ebee8dc4c0dbba66076819bb8c09672527c4277ca8729532ad711872218f826919f6b67218adde99018a6df9095ab2b58d803b5b93ec9802085a690e
|
||||
|
||||
==BIP85-DRNG==
|
||||
|
||||
BIP85-DRNG-SHAKE256 is a deterministic random number generator for cryptographic functions that require deterministic outputs, but where the input to that function requires more than the 64 bytes provided by BIP85's HMAC output. BIP85-DRNG-SHAKE256 uses BIP85 to seed a SHAKE256 stream (from the SHA-3 standard). The input must be exactly 64 bytes long (from the BIP85 HMAC output).
|
||||
|
||||
RSA key generation is an example of a function that requires orders of magnitude more than 64 bytes of random input. Further, it is not possible to precalculate the amount of random input required until the function has completed.
|
||||
|
||||
drng_reader = BIP85DRNG.new(bip85_entropy)
|
||||
rsa_key = RSA.generate_key(4096, drng_reader.read())
|
||||
|
||||
===Test Vectors===
|
||||
INPUT:
|
||||
xprv9s21ZrQH143K2LBWUUQRFXhucrQqBpKdRRxNVq2zBqsx8HVqFk2uYo8kmbaLLHRdqtQpUm98uKfu3vca1LqdGhUtyoFnCNkfmXRyPXLjbKb
|
||||
* MASTER BIP32 ROOT KEY: m/83696968'/0'/0'
|
||||
|
||||
OUTPUT
|
||||
* DERIVED KEY=cca20ccb0e9a90feb0912870c3323b24874b0ca3d8018c4b96d0b97c0e82ded0
|
||||
* DERIVED ENTROPY=efecfbccffea313214232d29e71563d941229afb4338c21f9517c41aaa0d16f00b83d2a09ef747e7a64e8e2bd5a14869e693da66ce94ac2da570ab7ee48618f7
|
||||
|
||||
* DRNG(80 bytes)=b78b1ee6b345eae6836c2d53d33c64cdaf9a696487be81b03e822dc84b3f1cd883d7559e53d175f243e4c349e822a957bbff9224bc5dde9492ef54e8a439f6bc8c7355b87a925a37ee405a7502991111
|
||||
|
||||
==Reference Implementation==
|
||||
|
||||
Python library implementation: [https://github.com/ethankosakovsky/bipentropy python-bipentropy]
|
||||
* Python library implementation: [https://github.com/ethankosakovsky/bip85]
|
||||
* JavaScript library implementation: [https://github.com/hoganri/bip85-js]
|
||||
|
||||
===Other Implementations===
|
||||
|
||||
Coldcard Firmware: [https://github.com/Coldcard/firmware/pull/39]
|
||||
* JavaScript library implementation: [https://github.com/hoganri/bip85-js]
|
||||
|
||||
* Coldcard Firmware: [https://github.com/Coldcard/firmware/pull/39]
|
||||
|
||||
* Ian Coleman's Mnemonic Code Converter: [https://github.com/iancoleman/bip39] and [https://iancoleman.io/bip39/]
|
||||
|
||||
* AirGap Vault: [https://github.com/airgap-it/airgap-vault/commit/d64332fc2f332be622a1229acb27f621e23774d6]
|
||||
|
||||
btc_hd_wallet: [https://github.com/scgbckbone/btc-hd-wallet]
|
||||
|
||||
==Applications==
|
||||
|
||||
Application number define how entropy will be used post processing. Some basic examples follow:
|
||||
The Application number defines how entropy will be used post processing. Some basic examples follow:
|
||||
|
||||
Derivation path uses the format <code>m/83696968/' + /app_no' + /index'</code> where ''app_no'' path for the application, and `index` in the index.
|
||||
Derivation path uses the format <code>m/83696968'/{app_no}'/{index}'</code> where ''{app_no}'' is the path for the application, and ''{index}'' is the index.
|
||||
|
||||
===BIP39===
|
||||
Application number: 39'
|
||||
|
||||
Truncate trailing (least significant) bytes of the entropy to the number of bits required to map to the relevant word length 128 bits for 12 words, 256 bits for 24 words.
|
||||
Truncate trailing (least significant) bytes of the entropy to the number of bits required to map to the relevant word length: 128 bits for 12 words, 256 bits for 24 words.
|
||||
|
||||
The derivation path format is: <code>m/83696968'/39'/{language}'/{words}'/{index}'</code>
|
||||
|
||||
Example a BIP39 mnemonic with 12 English words (first index) would have the path <code>m/83696968'/39'/0'/12'/0'</code> the next key would be <code>m/83696968'/39'/0'/12'/1'</code> etc.
|
||||
Example: a BIP39 mnemonic with 12 English words (first index) would have the path <code>m/83696968'/39'/0'/12'/0'</code>, the next key would be <code>m/83696968'/39'/0'/12'/1'</code> etc.
|
||||
|
||||
Language Table
|
||||
|
||||
@ -231,15 +262,45 @@ INPUT:
|
||||
OUTPUT
|
||||
* DERIVED ENTROPY=492db4698cf3b73a5a24998aa3e9d7fa96275d85724a91e71aa2d645442f878555d078fd1f1f67e368976f04137b1f7a0d19232136ca50c44614af72b5582a5c
|
||||
|
||||
===RSA===
|
||||
|
||||
Application number: 828365'
|
||||
|
||||
The derivation path format is: <code>m/83696968'/828365'/{key_bits}'/{key_index}'</code>
|
||||
|
||||
The RSA key generator should use BIP85-DRNG as the input RNG function.
|
||||
|
||||
===RSA GPG===
|
||||
|
||||
Keys allocated for RSA-GPG purposes use the following scheme:
|
||||
|
||||
- Main key <code>m/83696968'/828365'/{key_bits}'/{key_index}'</code>
|
||||
- Sub keys: <code>m/83696968'/828365'/{key_bits}'/{key_index}'/{sub_key}'</code>
|
||||
|
||||
- key_index is the parent key for CERTIFY capability
|
||||
- sub_key <code>0'</code> is used as the ENCRYPTION key
|
||||
- sub_key <code>1'</code> is used as the AUTHENTICATION key
|
||||
- sub_key <code>2'</code> is usually used as SIGNATURE key
|
||||
|
||||
Note on timestamps:
|
||||
|
||||
The resulting RSA key can be used to create a GPG key where the creation date MUST be fixed to unix Epoch timestamp 1231006505 (the Bitcoin genesis block time <code>'2009-01-03 18:05:05'</code> UTC) because the key fingerprint is affected by the creation date (Epoch timestamp 0 was not chosen because of legacy behavior in GNUPG implementations for older keys). Additionally, when importing sub-keys under a key in GNUPG, the system time must be frozen to the same timestamp before importing (e.g. by use of <code>faketime</code>).
|
||||
|
||||
Note on GPG key capabilities on smartcard/hardware devices:
|
||||
|
||||
GPG capable smart-cards SHOULD be be loaded as follows: The encryption slot SHOULD be loaded with the ENCRYPTION capable key; the authentication slot SHOULD be loaded with the AUTHENTICATION capable key. The signature capable slot SHOULD be loaded with the SIGNATURE capable key.
|
||||
|
||||
However, depending on available slots on the smart-card, and preferred policy, the CERTIFY capable key MAY be flagged with CERTIFY and SIGNATURE capabilities and loaded into the SIGNATURE capable slot (for example where the smart-card has only three slots and the CERTIFY capability is required on the same card). In this case, the SIGNATURE capable sub-key would be disregarded because the CERTIFY capable key serves a dual purpose.
|
||||
|
||||
==Backwards Compatibility==
|
||||
|
||||
This specification is not backwards compatible with any other existing specification.
|
||||
|
||||
This specification relies on BIP32 but is agnostic to how the BIP32 root key is derived, as such this standard is allows it to derive wallets with initialization schemes like BIP39 or Electrum wallet style mnemonics.
|
||||
This specification relies on BIP32 but is agnostic to how the BIP32 root key is derived. As such, this standard is able to derive wallets with initialization schemes like BIP39 or Electrum wallet style mnemonics.
|
||||
|
||||
==Discussion==
|
||||
|
||||
The reason for running the derived key through HMAC-SHA512 and truncating the result as necessary is to prevent leakage of the parent tree should the derived key (k) be compromized. While the specification requires the use of hardended key derivation which would prevent this, we cannot enforce hardened derivation, so this method ensures the derived entropy is hardened. Also from a semantic point of view, since the purpose is to derive entropy and not a private key, we are required to transform the child key. This acts in an abundance of caution to ward off unwanted side effects should k be used for a dual purpose, including as a nonce hash(k), where undesirable and unforeseen interactions could occur.
|
||||
The reason for running the derived key through HMAC-SHA512 and truncating the result as necessary is to prevent leakage of the parent tree should the derived key (''k'') be compromized. While the specification requires the use of hardended key derivation which would prevent this, we cannot enforce hardened derivation, so this method ensures the derived entropy is hardened. Also, from a semantic point of view, since the purpose is to derive entropy and not a private key, we are required to transform the child key. This is done out of an abundance of caution, in order to ward off unwanted side effects should ''k'' be used for a dual purpose, including as a nonce ''hash(k)'', where undesirable and unforeseen interactions could occur.
|
||||
|
||||
==Acknowledgements==
|
||||
|
||||
@ -251,10 +312,10 @@ BIP32, BIP39
|
||||
|
||||
==Footnotes==
|
||||
|
||||
[1] There is a very small chance that you'll make an invalid key that is zero or bigger than the order of the curve. If this occurs, software should hard fail (forcing users should iterate to the next index).
|
||||
[1] There is a very small chance that you'll make an invalid key that is zero or bigger than the order of the curve. If this occurs, software should hard fail (forcing users to iterate to the next index).
|
||||
|
||||
From BIP32:
|
||||
> In case parse<sub>256</sub>(I<sub>L</sub>) is 0 or ≥ n, the resulting key is invalid, and one should proceed with the next value for i. (Note: this has probability lower than 1 in 2<sup>127</sup>.)
|
||||
In case parse<sub>256</sub>(I<sub>L</sub>) is 0 or ≥ n, the resulting key is invalid, and one should proceed with the next value for i. (Note: this has probability lower than 1 in 2<sup>127</sup>.)
|
||||
|
||||
==Copyright==
|
||||
|
||||
|
128
bip-0086.mediawiki
Normal file
128
bip-0086.mediawiki
Normal file
@ -0,0 +1,128 @@
|
||||
<pre>
|
||||
BIP: 86
|
||||
Layer: Applications
|
||||
Title: Key Derivation for Single Key P2TR Outputs
|
||||
Author: Andrew Chow <andrew@achow101.com>
|
||||
Comments-Summary: No comments yet.
|
||||
Comments-URI: https://github.com/bitcoin/bips/wiki/Comments:BIP-0086
|
||||
Status: Draft
|
||||
Type: Standards Track
|
||||
Created: 2021-06-22
|
||||
License: BSD-2-Clause
|
||||
</pre>
|
||||
|
||||
==Abstract==
|
||||
|
||||
This document suggests a derivation scheme for HD wallets whose keys are involved in single key
|
||||
P2TR ([[bip-0341.mediawiki|BIP 341]]) outputs as the Taproot internal key.
|
||||
|
||||
===Copyright===
|
||||
|
||||
This BIP is licensed under the 2-clause BSD license.
|
||||
|
||||
==Motivation==
|
||||
|
||||
With the usage of single key P2TR transactions, it is useful to have a common derivation scheme so
|
||||
that HD wallets that only have a backup of the HD seed can be likely to recover single key Taproot
|
||||
outputs. Although there are now solutions which obviate the need for fixed derivation paths for
|
||||
specific script types, many software wallets and hardware signers still use seed backups which
|
||||
lack derivation path and script information. Thus we largely use the same approach used in BIPs
|
||||
[[bip-0049.mediawiki|49]] and [[bip-0084.mediawiki|84]] for ease of implementation.
|
||||
|
||||
==Specifications==
|
||||
|
||||
This BIP defines the two needed steps to derive multiple deterministic addresses based on a
|
||||
[[bip-0032.mediawiki|BIP 32]] master private key.
|
||||
|
||||
===Public key derivation===
|
||||
|
||||
To derive a public key from the root account, this BIP uses the same account-structure as
|
||||
defined in BIPs [[bip-0044.mediawiki|44]], [[bip-0049.mediawiki|49]], and [[bip-0084.mediawiki|84]],
|
||||
but with a different purpose value for the script type.
|
||||
|
||||
<pre>
|
||||
m / purpose' / coin_type' / account' / change / address_index
|
||||
</pre>
|
||||
|
||||
For the <tt>purpose</tt>-path level it uses <tt>86'</tt>.
|
||||
The rest of the levels are used as defined in BIPs 44, 49, and 84.
|
||||
|
||||
A key derived with this derivation path pattern will be referred to as <tt>derived_key</tt> further
|
||||
in this document.
|
||||
|
||||
===Address derivation===
|
||||
|
||||
|
||||
[[bip-0341.mediawiki#cite_ref-22-0|BIP 341]] states: "If the spending conditions do not require a
|
||||
script path, the output key should commit to an unspendable script path instead of having no
|
||||
script path. This can be achieved by computing the output key point as
|
||||
''Q = P + int(hash<sub>TapTweak</sub>(bytes(P)))G''." Thus:
|
||||
|
||||
<pre>
|
||||
internal_key: lift_x(derived_key)
|
||||
32_byte_output_key: internal_key + int(HashTapTweak(bytes(internal_key)))G
|
||||
</pre>
|
||||
|
||||
In a transaction, the scripts and witnesses are as defined in
|
||||
[[bip-0341.mediawiki#specification|BIP 341]]:
|
||||
|
||||
<pre>
|
||||
witness: <signature>
|
||||
scriptSig: (empty)
|
||||
scriptPubKey: 1 <32_byte_output_key>
|
||||
(0x5120{32_byte_output_key})
|
||||
</pre>
|
||||
|
||||
==Backwards Compatibility==
|
||||
|
||||
This BIP is not backwards compatible by design.
|
||||
An incompatible wallet will not discover these accounts at all and the user will notice that
|
||||
something is wrong.
|
||||
|
||||
However this BIP uses the same method used in BIPs 44, 49, and 84, so it should not be difficult
|
||||
to implement.
|
||||
|
||||
==Test vectors==
|
||||
|
||||
<pre>
|
||||
mnemonic = abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about
|
||||
rootpriv = xprv9s21ZrQH143K3GJpoapnV8SFfukcVBSfeCficPSGfubmSFDxo1kuHnLisriDvSnRRuL2Qrg5ggqHKNVpxR86QEC8w35uxmGoggxtQTPvfUu
|
||||
rootpub = xpub661MyMwAqRbcFkPHucMnrGNzDwb6teAX1RbKQmqtEF8kK3Z7LZ59qafCjB9eCRLiTVG3uxBxgKvRgbubRhqSKXnGGb1aoaqLrpMBDrVxga8
|
||||
|
||||
// Account 0, root = m/86'/0'/0'
|
||||
xprv = xprv9xgqHN7yz9MwCkxsBPN5qetuNdQSUttZNKw1dcYTV4mkaAFiBVGQziHs3NRSWMkCzvgjEe3n9xV8oYywvM8at9yRqyaZVz6TYYhX98VjsUk
|
||||
xpub = xpub6BgBgsespWvERF3LHQu6CnqdvfEvtMcQjYrcRzx53QJjSxarj2afYWcLteoGVky7D3UKDP9QyrLprQ3VCECoY49yfdDEHGCtMMj92pReUsQ
|
||||
|
||||
// Account 0, first receiving address = m/86'/0'/0'/0/0
|
||||
xprv = xprvA449goEeU9okwCzzZaxiy475EQGQzBkc65su82nXEvcwzfSskb2hAt2WymrjyRL6kpbVTGL3cKtp9herYXSjjQ1j4stsXXiRF7kXkCacK3T
|
||||
xpub = xpub6H3W6JmYJXN49h5TfcVjLC3onS6uPeUTTJoVvRC8oG9vsTn2J8LwigLzq5tHbrwAzH9DGo6ThGUdWsqce8dGfwHVBxSbixjDADGGdzF7t2B
|
||||
internal_key = cc8a4bc64d897bddc5fbc2f670f7a8ba0b386779106cf1223c6fc5d7cd6fc115
|
||||
output_key = a60869f0dbcf1dc659c9cecbaf8050135ea9e8cdc487053f1dc6880949dc684c
|
||||
scriptPubKey = 5120a60869f0dbcf1dc659c9cecbaf8050135ea9e8cdc487053f1dc6880949dc684c
|
||||
address = bc1p5cyxnuxmeuwuvkwfem96lqzszd02n6xdcjrs20cac6yqjjwudpxqkedrcr
|
||||
|
||||
// Account 0, second receiving address = m/86'/0'/0'/0/1
|
||||
xprv = xprvA449goEeU9okyiF1LmKiDaTgeXvmh87DVyRd35VPbsSop8n8uALpbtrUhUXByPFKK7C2yuqrB1FrhiDkEMC4RGmA5KTwsE1aB5jRu9zHsuQ
|
||||
xpub = xpub6H3W6JmYJXN4CCKUSnriaiQRCZmG6aq4sCMDqTu1ACyngw7HShf59hAxYjXgKDuuHThVEUzdHrc3aXCr9kfvQvZPit5dnD3K9xVRBzjK3rX
|
||||
internal_key = 83dfe85a3151d2517290da461fe2815591ef69f2b18a2ce63f01697a8b313145
|
||||
output_key = a82f29944d65b86ae6b5e5cc75e294ead6c59391a1edc5e016e3498c67fc7bbb
|
||||
scriptPubKey = 5120a82f29944d65b86ae6b5e5cc75e294ead6c59391a1edc5e016e3498c67fc7bbb
|
||||
address = bc1p4qhjn9zdvkux4e44uhx8tc55attvtyu358kutcqkudyccelu0was9fqzwh
|
||||
|
||||
// Account 0, first change address = m/86'/0'/0'/1/0
|
||||
xprv = xprvA3Ln3Gt3aphvUgzgEDT8vE2cYqb4PjFfpmbiFKphxLg1FjXQpkAk5M1ZKDY15bmCAHA35jTiawbFuwGtbDZogKF1WfjwxML4gK7WfYW5JRP
|
||||
xpub = xpub6GL8SnQwRCGDhB59LEz9HMyM6sRYoByXBzXK3iEKWgCz8XrZNHUzd9L3AUBELW5NzA7dEFvMas1F84TuPH3xqdUA5tumaGWFgihJzWytXe3
|
||||
internal_key = 399f1b2f4393f29a18c937859c5dd8a77350103157eb880f02e8c08214277cef
|
||||
output_key = 882d74e5d0572d5a816cef0041a96b6c1de832f6f9676d9605c44d5e9a97d3dc
|
||||
scriptPubKey = 5120882d74e5d0572d5a816cef0041a96b6c1de832f6f9676d9605c44d5e9a97d3dc
|
||||
address = bc1p3qkhfews2uk44qtvauqyr2ttdsw7svhkl9nkm9s9c3x4ax5h60wqwruhk7
|
||||
</pre>
|
||||
|
||||
==Reference==
|
||||
|
||||
* [[bip-0032.mediawiki|BIP32 - Hierarchical Deterministic Wallets]]
|
||||
* [[bip-0043.mediawiki|BIP43 - Purpose Field for Deterministic Wallets]]
|
||||
* [[bip-0044.mediawiki|BIP44 - Multi-Account Hierarchy for Deterministic Wallets]]
|
||||
* [[bip-0049.mediawiki|BIP49 - Derivation scheme for P2WPKH-nested-in-P2SH based accounts]]
|
||||
* [[bip-0084.mediawiki|BIP84 - Derivation scheme for P2WPKH based accounts]]
|
||||
* [[bip-0341.mediawiki|BIP341 - Taproot: SegWit version 1 spending rules]]
|
274
bip-0087.mediawiki
Normal file
274
bip-0087.mediawiki
Normal file
@ -0,0 +1,274 @@
|
||||
<pre>
|
||||
BIP: 87
|
||||
Layer: Applications
|
||||
Title: Hierarchy for Deterministic Multisig Wallets
|
||||
Author: Robert Spigler <RobertSpigler@ProtonMail.ch>
|
||||
Comments-Summary: No comments yet.
|
||||
Comments-URI: https://github.com/bitcoin/bips/wiki/Comments:BIP-0087
|
||||
Status: Proposed
|
||||
Type: Standards Track
|
||||
Created: 2020-03-11
|
||||
License: BSD-2-Clause
|
||||
</pre>
|
||||
|
||||
==Abstract==
|
||||
|
||||
This BIP defines a sane hierarchy for deterministic multisig wallets based on an algorithm described in BIP-0032 (BIP32 from now on), purpose scheme described in BIP-0043 (BIP43 from now on), and multi-account hierarchy described in BIP-0044 (BIP44 from now on).
|
||||
|
||||
This BIP is a particular application of BIP43.
|
||||
|
||||
==Copyright==
|
||||
|
||||
This BIP is licensed under the 2-clause BSD license.
|
||||
|
||||
==Motivation==
|
||||
|
||||
With the increase of more user friendly (offline) multisignature wallets, and adoption of new technologies such as [https://github.com/bitcoin/bitcoin/blob/master/doc/descriptors.md the descriptor language] and [https://github.com/bitcoin/bips/blob/master/bip-0174.mediawiki BIP-0174 (Partially Signed Bitcoin Transactions)], it is necessary to create a common derivation scheme that makes use of all new technologies.
|
||||
|
||||
As background, BIP 44/49/84 specifies:
|
||||
|
||||
<pre>
|
||||
m / purpose' / coin_type' / account' / change / address_index
|
||||
</pre>
|
||||
|
||||
where the BIP43 <code>purpose'</code> path is separate for each script (P2PKH, P2WPKH-in-P2SH, and P2WPKH respectively). Having a script-per-derivation for single sig wallets allows for easy backup and restore, with just the private key information.
|
||||
|
||||
Multisignature wallets need more information to backup and restore (such as all cosigner public keys), and these per-script derivations are made redundant with descriptors, which provide that information (while also specifying a collection of output scripts).
|
||||
A modern standardization is needed for multisig derivation paths. There are some in existence, but all have issues. For example, BIP45 specifies:
|
||||
|
||||
<pre>
|
||||
m / purpose' / cosigner_index / change / address_index
|
||||
</pre>
|
||||
|
||||
BIP45 unecessarily demands a single script type (here, P2SH). In addition, BIP45 sets <code>cosigner_index</code> in order to sort the <code>purpose'</code> public keys of each cosigner. This too is redundant, as descriptors can set the order of the public keys with <code>multi</code> or have them sorted lexicographically (as described in [https://github.com/bitcoin/bips/blob/master/bip-0067.mediawiki BIP67]) with <code>sortedmulti</code>. Sorting public keys between cosigners in order to create the full derivation path, prior to sending the key record to the coordinator to create the descriptor, merely adds additional unnecessary communication rounds.
|
||||
|
||||
The second multisignature "standard" in use is m/48', which specifies:
|
||||
|
||||
<pre>
|
||||
m / purpose' / coin_type' / account' / script_type' / change / address_index
|
||||
</pre>
|
||||
|
||||
Rather than following in BIP 44/49/84's path and having a separate BIP per script after P2SH (BIP45), vendors decided to insert <code>script_type'</code> into the derivation path (where P2SH-P2WSH=1, P2WSH=2, Future_Script=3, etc). As described previously, this is unnecessary, as the descriptor sets the script. While it attempts to reduce maintainence work by getting rid of new BIPs-per-script, it still requires maintaining an updated, redundant, <code>script_type</code> list.
|
||||
|
||||
The structure proposed later in this paper solves these issues and is quite comprehensive. It allows for the handling of multiple accounts, external and internal chains per account, and millions of addresses per chain, in a multi-party, multisignature, hierarchical deterministic wallet regardless of the script type <ref>'''Why propose this structure only for multisignature wallets?''' Currently, single-sig wallets are able to restore funds using just the master private key data (in the format of BIP39 usually). Even if the user doesn't recall the derivation used, the wallet implementation can iterate through common schemes (BIP44/49/84). With this proposed hierarchy, the user would either have to now backup additional data (the descriptor), or the wallet would have to attempt all script types for every account level when restoring. Because of this, even though the descriptor language handles the signature type just like it does the script type, it is best to restrict this script-agnostic hierarchy to multisignature wallets only.</ref>.
|
||||
|
||||
This paper was inspired from BIP44.
|
||||
|
||||
==Specification==
|
||||
|
||||
===Key sorting===
|
||||
|
||||
Any wallet that supports descriptors inherently supports deterministic key sorting as per BIP67 (through the <code>sortedmulti</code> function) so that all possible multisignature addresses/scripts are derived from deterministically sorted public keys.
|
||||
|
||||
===Path levels===
|
||||
|
||||
We should not be mixing keys and scripts in the same layer. The wallet should create extended private/public keys independent of the script type, whereas the descriptor language tells wallets to watch the multisig outputs with the specified public keys.
|
||||
|
||||
We define the following 5 levels in the BIP32 path:
|
||||
|
||||
<pre>
|
||||
m / purpose' / coin_type' / account' / change / address_index
|
||||
</pre>
|
||||
|
||||
<code>h</code> or <code>'</code> in the path indicates that BIP32 hardened derivation is used.
|
||||
|
||||
Each level has a special meaning, described in the chapters below.
|
||||
|
||||
===Purpose===
|
||||
|
||||
Purpose is a constant set to <code>87'</code> following the BIP43 recommendation.
|
||||
It indicates that the subtree of this node is used according to this specification.
|
||||
|
||||
Hardened derivation is used at this level.
|
||||
|
||||
===Coin type===
|
||||
|
||||
One master node (seed) can be used for multiple Bitcoin networks.
|
||||
Sharing the same space for various networks has some disadvantages.
|
||||
|
||||
This level creates a separate subtree for every network, avoiding reusing addresses across networks and improving privacy issues.
|
||||
|
||||
Coin type <code>0</code> for mainnet and <code>1</code> for testnets (testnet, regtest, and signet).
|
||||
|
||||
Hardened derivation is used at this level.
|
||||
|
||||
===Account===
|
||||
|
||||
This level splits the key space into independent user identities, following the BIP44 pattern, so the wallet never mixes the coins across different accounts.
|
||||
|
||||
Users can use these accounts to organize the funds in the same fashion as bank accounts; for donation purposes (where all addresses are considered public), for saving purposes, for common expenses, etc.
|
||||
|
||||
Accounts are numbered from index <code>0</code> in sequentially increasing manner.
|
||||
This number is used as child index in BIP32 derivation.
|
||||
|
||||
Hardened derivation is used at this level.
|
||||
|
||||
It is crucial that this level is increased for each new wallet joined or private/public keys created; for both privacy and cryptographic purposes.
|
||||
For example, before sending a new key record to a coordinator, the wallet must increment the <code>account'</code> level.
|
||||
This prevents key reuse - across ECDSA and Schnorr signatures, across different script types, and inbetween the same wallet types.
|
||||
|
||||
===Change===
|
||||
|
||||
Constant <code>0</code> is used for external chain and constant <code>1</code> for internal chain (also known as change addresses). External chain is used for addresses that are meant to be visible outside of the wallet (e.g. for receiving payments). Internal chain is used for addresses which are not meant to be visible outside of the wallet and is used for return transaction change.
|
||||
|
||||
Public derivation is used at this level.
|
||||
|
||||
===Index===
|
||||
|
||||
Addresses are numbered from index <code>0</code> in sequentially increasing manner.
|
||||
This number is used as child index in BIP32 derivation.
|
||||
|
||||
Public derivation is used at this level.
|
||||
|
||||
==Address Discovery==
|
||||
|
||||
The multisig descriptors or descriptor template that is generated from the cosigners' combined key records should be used to generate and discover addresses.
|
||||
|
||||
Please see [https://github.com/bitcoin/bips/blob/master/bip-0129.mediawiki BIP-0129 (Bitcoin Secure Multisig Setup)] for an introduction on descriptor templates.
|
||||
The descriptor or descriptor template should contain the key origin information for maximum compatibility with BIP-0174.
|
||||
|
||||
For example:
|
||||
|
||||
The following descriptor template and derivation path restrictions:
|
||||
|
||||
<code>wsh(sortedmulti(2,[xfpForA/87'/0'/0']XpubA/**,[xfpForB/87'/0'/0']XpubB/**))</code>
|
||||
|
||||
<code>/0/*,/1/*</code>
|
||||
|
||||
Expands to the two concrete descriptors:
|
||||
|
||||
<code>wsh(sortedmulti(2,[xfpForA/87'/0'/0']XpubA/0/*,[xfpForB/87'/0'/0']XpubB/0/*))</code>
|
||||
|
||||
<code>wsh(sortedmulti(2,[xfpForA/87'/0'/0']XpubA/1/*,[xfpForB/87'/0'/0']XpubB/1/*))</code>
|
||||
|
||||
To discover addresses, import both the receiving and change descriptors; respect the gap limit described below.
|
||||
|
||||
===Address Gap Limit===
|
||||
|
||||
Address gap limit is currently set to 20. If the software hits 20 unused addresses in a row, it expects there are no used addresses beyond this point and stops searching the address chain.
|
||||
|
||||
Wallet software should warn when the user is trying to exceed the gap limit on an external descriptor by generating multiple unused addresses.
|
||||
|
||||
==Backwards Compatibility==
|
||||
|
||||
Any script that is supported by descriptors (and the specific wallet implementation) is compatible with this BIP.
|
||||
|
||||
As wallets complying with this BIP are descriptor wallets, this therefore necessitates that the cosigners backup their private key information and the descriptor, in order to properly restore at a later time. This shouldn't be a user burden, since (to much user surprise), all cosigner public keys need to be supplied in addition to <code>M</code> seeds in any <code>M</code> of <code>N</code> multisig restore operation. The descriptor provides this information in a standardized format, with key origin information and error detection.
|
||||
|
||||
==Rationale==
|
||||
|
||||
<references/>
|
||||
|
||||
==Examples==
|
||||
|
||||
{|
|
||||
|network
|
||||
|account
|
||||
|chain
|
||||
|address
|
||||
|path
|
||||
|-
|
||||
|mainnet
|
||||
|first
|
||||
|external
|
||||
|first
|
||||
|m / 87' / 0' / 0' / 0 / 0
|
||||
|-
|
||||
|mainnet
|
||||
|first
|
||||
|external
|
||||
|second
|
||||
|m / 87' / 0' / 0' / 0 / 1
|
||||
|-
|
||||
|mainnet
|
||||
|first
|
||||
|change
|
||||
|first
|
||||
|m / 87' / 0' / 0' / 1 / 0
|
||||
|-
|
||||
|mainnet
|
||||
|first
|
||||
|change
|
||||
|second
|
||||
|m / 87' / 0' / 0' / 1 / 1
|
||||
|-
|
||||
|mainnet
|
||||
|second
|
||||
|external
|
||||
|first
|
||||
|m / 87' / 0' / 1' / 0 / 0
|
||||
|-
|
||||
|mainnet
|
||||
|second
|
||||
|external
|
||||
|second
|
||||
|m / 87' / 0' / 1' / 0 / 1
|
||||
|-
|
||||
|testnet
|
||||
|first
|
||||
|external
|
||||
|first
|
||||
|m / 87' / 1' / 0' / 0 / 0
|
||||
|-
|
||||
|testnet
|
||||
|first
|
||||
|external
|
||||
|second
|
||||
|m / 87' / 1' / 0' / 0 / 1
|
||||
|-
|
||||
|testnet
|
||||
|first
|
||||
|change
|
||||
|first
|
||||
|m / 87' / 1' / 0' / 1 / 0
|
||||
|-
|
||||
|testnet
|
||||
|first
|
||||
|change
|
||||
|second
|
||||
|m / 87' / 1' / 0' / 1 / 1
|
||||
|-
|
||||
|testnet
|
||||
|second
|
||||
|external
|
||||
|first
|
||||
|m / 87' / 1' / 1' / 0 / 0
|
||||
|-
|
||||
|testnet
|
||||
|second
|
||||
|external
|
||||
|second
|
||||
|m / 87' / 1' / 1' / 0 / 1
|
||||
|-
|
||||
|testnet
|
||||
|second
|
||||
|change
|
||||
|first
|
||||
|m / 87' / 1' / 1' / 1 / 0
|
||||
|-
|
||||
|testnet
|
||||
|second
|
||||
|change
|
||||
|second
|
||||
|m / 87' / 1' / 1' / 1 / 1
|
||||
|}
|
||||
|
||||
==Reference Implementation==
|
||||
|
||||
None at the moment.
|
||||
|
||||
==Acknowledgement==
|
||||
|
||||
Special thanks to SomberNight, Craig Raw, David Harding, Jochen Hoenicke, Sjors Provoost, and others for their feedback on the specification.
|
||||
|
||||
==References==
|
||||
|
||||
Original mailing list thread: https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-March/018630.html
|
||||
|
||||
* [https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki BIP-0032 (Hierarchical Deterministic Wallets)]
|
||||
* [https://github.com/bitcoin/bips/blob/master/bip-0043.mediawiki BIP-0043 (Purpose Field for Deterministic Wallets)]
|
||||
* [https://github.com/bitcoin/bips/blob/master/bip-0044.mediawiki BIP-0044 (Multi-Account Hierarchy for Deterministic Wallets)]
|
||||
* [https://github.com/bitcoin/bitcoin/blob/master/doc/descriptors.md Output Descriptors]
|
||||
* [https://github.com/bitcoin/bips/blob/master/bip-0174.mediawiki BIP-0174 (Partially Signed Bitcoin Transaction Format)]
|
||||
* [https://github.com/bitcoin/bips/blob/master/bip-0067.mediawiki BIP-0067 (Deterministic Pay-to-script-hash multi-signature addresses through public key sorting)]
|
||||
* [https://github.com/bitcoin/bips/blob/master/bip-0129.mediawiki BIP-0129 (Bitcoin Secure Multisig Setup)]
|
233
bip-0088.mediawiki
Normal file
233
bip-0088.mediawiki
Normal file
@ -0,0 +1,233 @@
|
||||
<pre>
|
||||
BIP: 88
|
||||
Layer: Applications
|
||||
Title: Hierarchical Deterministic Path Templates
|
||||
Author: Dmitry Petukhov <dp@simplexum.com>
|
||||
Comments-Summary: No comments yet.
|
||||
Comments-URI: https://github.com/bitcoin/bips/wiki/Comments:BIP-0088
|
||||
Status: Proposed
|
||||
Type: Informational
|
||||
Created: 2020-06-23
|
||||
License: BSD-2-Clause
|
||||
</pre>
|
||||
|
||||
==Abstract==
|
||||
|
||||
This document describes a format for the representation of the templates that specify
|
||||
the constraints that can be imposed on BIP32 derivation paths.
|
||||
|
||||
The constraints specified by the templates allow to easily discern 'valid' paths,
|
||||
that match the constraints, and 'invalid' paths, that exceed the constraints.
|
||||
|
||||
==Copyright==
|
||||
|
||||
This BIP is licensed under the 2-clause BSD license.
|
||||
|
||||
==Motivation==
|
||||
|
||||
BIP32 derivation path format is universal, and a number of schemes for derivation were proposed
|
||||
in BIP43 and other documents, such as BIPs 44,45,49,84. The flexibility of the format also allowed
|
||||
industry participants to implement custom derivation shemes that fit particular purposes,
|
||||
but not necessarily useful in general.
|
||||
|
||||
Even when existing BIPs for derivation schemes are used, their usage is not uniform across
|
||||
the different wallets, in part because software vendors might have different considerations
|
||||
and priorities when making decisions about derivation paths. This creates friction for users,
|
||||
which might face problems when they try to access their coins using the wallet that derives
|
||||
addresses differently than the one they used before.
|
||||
|
||||
===Known solutions===
|
||||
|
||||
The problem is common enough to warrant the creation of a dedicated website
|
||||
([https://walletsrecovery.org/ walletsrecovery.org]) that tracks paths used by different wallets.
|
||||
|
||||
At the time of writing, this website has used their own format to succintly describe multiple
|
||||
derivation paths. As far as author knows, it was the only publicitly used format to describe
|
||||
path templates before introduction of this BIP. The format was not specified anywhere beside
|
||||
the main page of the website. It used <code>|</code> to denote alternative derivation indexes
|
||||
(example: <code>m/|44'|49'|84'/0'/0'</code>) or whole alternative paths (<code>m/44'/0'/0'|m/44'/1'/0'</code>).
|
||||
|
||||
It was not declared as a template format to use for processing by software, and seems to be
|
||||
an ad-hoc format only intended for illustration. In contrast to this ad-hoc format, the format
|
||||
described in this BIP is intended for unambigouos parsing by software, and to be easily read by humans
|
||||
at the same time. Humans can visually detect the 'templated' parts of the path more easily than the use
|
||||
of <code>|</code> in the template could allow. Wider range of paths can be defined in a single template more
|
||||
succintly and unambiguously.
|
||||
|
||||
===Intended use and advantages===
|
||||
|
||||
Wallet software authors can use the proposed format to describe the derivation paths that
|
||||
their software uses. This can improve user experience when switching to different wallet
|
||||
software, restoring access to old wallets, etc.
|
||||
|
||||
Unrestricted derivation path usage might be unsafe in certain contexts. In particular, when "change"
|
||||
outputs of a transaction are sent to the addresses derived via paths unknown to the sender, the sender
|
||||
might lose access to the whole change amount.
|
||||
|
||||
A simplistic approach of hard-coding the checks for well-known paths into software and firmware leads
|
||||
to reduced interoperability. Vendors cannot choose custom paths that are appropriate for
|
||||
their particular, non-general-purpose applications, and are forced to shoehorn their solutions
|
||||
into using well-known paths, or convince other vendors to support their custom paths. This approach
|
||||
scales poorly.
|
||||
|
||||
A flexible approach proposed in this document is to define a standard notation for "BIP32 path templates"
|
||||
that succintly describes the constraints to impose on the derivation path.
|
||||
|
||||
Wide support for these path templates will increase interoperability and flexibility of solutions,
|
||||
and will allow vendors and individual developers to easily define their own custom restrictions.
|
||||
This way, they will be able to deal with the risks of accidental or malicious use of unrestricted
|
||||
derivation paths in a more flexible and precise manner.
|
||||
|
||||
Well-known path templates can be pre-configured by default on devices and applications,
|
||||
but users can have an option to turn off the templates that are not relevant to their uses.
|
||||
|
||||
Having a standardized format for custom path templates will enable a common approach to be developed
|
||||
in the enforcement of application-specific path restrictions in devices and applications.
|
||||
One example of such an approach might be for devices to allow application-specific profiles
|
||||
with path templates and possibly other custom parameters. Care must be taken to prevent the accidental
|
||||
installation of malicious or incorrect profiles, though.
|
||||
|
||||
==Specification==
|
||||
|
||||
The format for the template was choosen to make it easy to read, convenient and visually unambigous.
|
||||
|
||||
Template starts with optional prefix <code>m/</code>, and then one or more sections delimited by the slash character (<code>/</code>).
|
||||
|
||||
Implementations MAY limit the maximum number of sections.
|
||||
|
||||
Each section consists of ''index template'', optionally followed by the hardened marker: either an apostrophe (<code>'</code>) or letter <code>h</code>.
|
||||
|
||||
Index template can be:
|
||||
|
||||
* An integer value from 0 to 2147483647 ("Unit index template")
|
||||
* A single <code>*</code> character, which denotes any value from 0 to 2147483647 ("Wildcard index template")
|
||||
* The <code>{</code> character, followed by a number of ''index ranges'' delimited by commas (<code>,</code>), followed by <code>}</code> character ("Ranged index template")
|
||||
|
||||
Implementations MAY limit the maximum number of index ranges within the Ranged index template.
|
||||
|
||||
If an index template is immediately followed by hardened marker, this means that all values specified in this index template is to be increased by 2147483648 for the purposes of matching.
|
||||
|
||||
Index range can be:
|
||||
|
||||
* An integer value from 0 to 2147483647 ("Unit range")
|
||||
* An integer value from 0 to 2147483647, followed by the <code>-</code> character, followed by another integer value from 0 to 2147483647 ("Non-unit range")
|
||||
|
||||
For Non-unit range, value on the left side of the <code>-</code> character is the range_start, and the value on the right side of the <code>-</code> character is the range_end.
|
||||
|
||||
For Unit range, we say that range_start is equal to range_end, even though there is no start/end in the Unit range.
|
||||
|
||||
Unit index template contains a single index range, which is the Unit range
|
||||
|
||||
Wildcard index template contains a single index range, and we say that its range_start is set to 0 and its range_end is set to 2147483647
|
||||
|
||||
Constraints:
|
||||
|
||||
# To avoid ambiguity, whitespace MUST NOT appear within the path template.
|
||||
# Commas within the Ranged index template MUST only appear in between index ranges.
|
||||
# To avoid ambiguity, an index range that matches a single value MUST be specified as Unit range.
|
||||
# To avoid ambiguity, an index range <code>0-2147483647</code> is not allowed, and MUST be specified as Wildcard index template instead
|
||||
# For Non-unit range, range_end MUST be larger than range_start.
|
||||
# If there is more than one index range within the Ranged index template, range_start of the second and any subsequent range MUST be larger than the range_end of the preceeding range.
|
||||
# To avoid ambiguity, all representations of integer values larger than 0 MUST NOT start with character <code>0</code> (no leading zeroes allowed).
|
||||
# If hardened marker appears within any section in the path template, all preceding sections MUST also specify hardened matching.
|
||||
# To avoid ambiguity, if a hardened marker appears within any section in the path template, all preceding sections MUST also use the same hardened marker (either <code>h</code> or <code>'</code>).
|
||||
# To avoid ambiguity, trailing slashes (for example, <code>1/2/</code>) and duplicate slashes (for example, <code>0//1</code>) MUST NOT appear in the template.
|
||||
|
||||
It may be desireable to have fully unambiguous encoding, where for each valid path template string, there is no other valid template string that matches the exact same set of paths. This would enable someone to compare templates for equality through a simple string equality check, without any parsing.
|
||||
|
||||
To achieve this, two extra rules are needed:
|
||||
|
||||
* Within Ranged index template, subsequent range MUST NOT start with the value that is equal to the end of the previous range plus one. Thus, <code>{1,2,3-5}</code> is not allowed, and should be specified as <code>{1-5}</code> instead. This rule might make templates less convenient for frequent edits, though.
|
||||
|
||||
* Only one type of hardened marker should be allowed (either <code>h</code> or <code>'</code>).
|
||||
|
||||
Instead of requiring the second extra rule, implementations can simply replace one type of marker with another in the template strings before comparing them.
|
||||
|
||||
==Full and partial templates==
|
||||
|
||||
If the template starts with <code>m/</code>, that means that this is the "full" template, that matches the whole path.
|
||||
|
||||
If the template does not start with <code>m/</code>, that means that this is a "partial" template, and it can be used to match a part of the path, in the contexts where this might be appropriate (for example, when constraints for the suffix of the path might be dynamic, while constraints for the prefix of the path are fixed).
|
||||
|
||||
Full template can be combined with partial template, where partial template extends full template,
|
||||
resulting in new, longer full template.
|
||||
|
||||
Partial template can be combined with another partial template, resulting in new, longer partial template.
|
||||
|
||||
Full template can not be combined with another full template.
|
||||
|
||||
Implementations MUST support parsing full templates and matching paths against full templates.
|
||||
|
||||
Implementations MAY support parsing partial templates and matching portions of the paths against partial templates, as well as combining the templates.
|
||||
|
||||
==Parsing result==
|
||||
|
||||
The result of successful parsing of a valid path template can be represented by a list of sections, where each section is a list of index ranges, where index range is a tuple of (range_start, range_end). The length of the list of sections is also referred to as the "length of the template".
|
||||
|
||||
==Matching==
|
||||
|
||||
The matching is to be performed against a list of integer values that represent a BIP32 path (or a portion of BIP32 path, for partial templates). The length of this list is referred to as the "length of the path".
|
||||
|
||||
Non-hardened indexes in this list should be represented by values from 0 to 2147483647.
|
||||
|
||||
Hardened indexes in this list should be represented by values from 2147483648 to 4294967295.
|
||||
|
||||
The matching algorithm:
|
||||
|
||||
1. If the length of the path differs from the length of the template, fail
|
||||
2. For each value V at position N in the path:
|
||||
If for all index ranges within the section at position N in the template,
|
||||
value V is either less than range_start, or greater than range_end, fail
|
||||
3. Otherwise, succeed
|
||||
|
||||
==Formal specification==
|
||||
|
||||
The finite state machine (FSM) for the parser of the described template format,
|
||||
and the matching formula are specified in TLA+ specification language at https://github.com/dgpv/bip32_template_parse_tplaplus_spec
|
||||
|
||||
The specification can be used with TLC checker and accompanying script to generate test data for the implementations.
|
||||
|
||||
==Implementations==
|
||||
|
||||
While the formal specification specifies an FSM, which would be convenient for implementation without access to rich string handling facilities, when such facilities are available, the implementation might use the whole-string deconstruction approach where the templates are first split into sections, then sections are split into index templates, and then each index template are parsed individually.
|
||||
|
||||
A FSM-based approach can be made close to the formal specification, though, and the test data generated with TLC checker would give much better coverage for a FSM based implementation. If the template string contains several errors, an implementation that uses deconstruction approach might detect some of these errors earlier than FSM-based implementation, and vise versa.
|
||||
|
||||
At the moment, three implementations exist:
|
||||
|
||||
* FSM implementation in C: https://github.com/dgpv/bip32_template_c_implementation
|
||||
* FSM implementation in Python (micropython compatible): https://github.com/dgpv/bip32_template_python_implementation
|
||||
* non-FSM implementation in python: BIP32PathTemplate class in bitcointx.core.key module of python-bitcointx library (https://github.com/Simplexum/python-bitcointx)
|
||||
|
||||
==Compatibility==
|
||||
|
||||
The full path template that only contains Unit index templates represents a fully valid BIP32 path.
|
||||
|
||||
There's no other path template standards that is known to the author currently.
|
||||
|
||||
There is a discussion on path templating for bitcoin script descriptors at https://github.com/bitcoin/bitcoin/issues/17190, which proposes the format <code>xpub...{0,1}/*</code>, of which the <code>{0,1}/*</code> part would correspond to the partial path template in the format of this BIP.
|
||||
|
||||
==Examples==
|
||||
|
||||
<code>m/{44,49,84}'/0'/0'/{0-1}/{0-50000}</code> specifies a full template that matches both external and internal chains of BIP44, BIP49 and BIP84 paths, with a constraint that the address index cannot be larger than 50000
|
||||
|
||||
Its representation after parsing can be (using Python syntax, ignoring full/partial distinction):
|
||||
[[(2147483692, 2147483692), (2147483697, 2147483697), (2147483732, 2147483732)),
|
||||
[(2147483648, 2147483648)],
|
||||
[(2147483648, 2147483648)],
|
||||
[(0, 1)],
|
||||
[(0, 50000)]]
|
||||
|
||||
<code>{0-2,33,123}/*</code> specifies a partial template that matches non-hardened values 0, 1, 2, 33, 123 as first index, and any non-hardened value at second index
|
||||
|
||||
Its representation after parsing can be:
|
||||
[[(0, 2), (33, 33), (123, 123)], [(0, 2147483647)]]
|
||||
|
||||
<code>*h/0</code> specifies a partial template that matches any hardened index followed by non-hardened index 0
|
||||
|
||||
Its representation after parsing can be:
|
||||
[[(2147483648, 4294967295)], [(0, 0)]]
|
||||
|
||||
==Acknowledgements==
|
||||
|
||||
Special thanks to Peter D. Gray, Dr. Maxim Orlovsky, Robert Spigler and others for their feedback on the specification, and to Janine (github:@Enegnei) for the help in preparing the draft.
|
@ -1,144 +1,213 @@
|
||||
<pre>
|
||||
BIP: 118
|
||||
Layer: Consensus (soft fork)
|
||||
Title: SIGHASH_NOINPUT
|
||||
Title: SIGHASH_ANYPREVOUT for Taproot Scripts
|
||||
Author: Christian Decker <decker.christian@gmail.com>
|
||||
Anthony Towns <aj@erisian.com.au>
|
||||
Comments-Summary: No comments yet.
|
||||
Comments-URI: https://github.com/bitcoin/bips/wiki/Comments:BIP-0118
|
||||
Status: Draft
|
||||
Type: Standards Track
|
||||
Created: 2017-02-28
|
||||
License: BSD-3-Clause
|
||||
Requires: 340, 341, 342
|
||||
</pre>
|
||||
|
||||
== Abstract ==
|
||||
This BIP describes a new signature hash flag (<tt>sighash</tt>-flag) for
|
||||
segwit transactions. It removes any commitment to the output being
|
||||
spent from the signature verification mechanism. This enables dynamic
|
||||
binding of transactions to outputs, predicated solely on the
|
||||
compatibility of output scripts to input scripts.
|
||||
== Introduction ==
|
||||
|
||||
== Motivation ==
|
||||
Off-chain protocols make use of transactions that are not yet
|
||||
broadcast to the Bitcoin network in order to renegotiate the final
|
||||
state that should be settled on-chain.
|
||||
In a number of cases it is desirable to react to a given transaction
|
||||
being seen on-chain with a predetermined reaction in the form of
|
||||
another transaction.
|
||||
Often the reaction is identical, no matter which transaction is seen
|
||||
on-chain, but the application still needs to create many identical
|
||||
transactions.
|
||||
This is because signatures in the input of a transaction uniquely
|
||||
commit to the hash of the transaction that created the output being
|
||||
spent.
|
||||
=== Abstract ===
|
||||
|
||||
This proposal introduces a new sighash flag that modifies the behavior
|
||||
of the transaction digest algorithm used in the signature creation and
|
||||
verification, to exclude the previous output commitment.
|
||||
By removing the commitment we enable dynamic rebinding of a signed
|
||||
transaction to outputs whose <tt>witnessProgram</tt> and value match the ones
|
||||
in the <tt>witness</tt> of the spending transaction.
|
||||
This BIP describes a new type of public key for tapscript ([[bip-0342.mediawiki|BIP 342]]) transactions.
|
||||
It allows signatures for these public keys to not commit to the exact UTXO being spent.
|
||||
This enables dynamic binding of transactions to different UTXOs, provided they have compatible scripts.
|
||||
|
||||
The dynamic binding is opt-in and can further be restricted by using
|
||||
unique <tt>witnessProgram</tt> scripts that are specific to the application
|
||||
instance, e.g., using public keys that are specific to the off-chain
|
||||
protocol instance.
|
||||
=== Copyright ===
|
||||
|
||||
This document is licensed under the 3-clause BSD license.
|
||||
|
||||
=== Motivation ===
|
||||
|
||||
Off-chain protocols make use of transactions that are not yet broadcast to the Bitcoin network in order to renegotiate the final state that should be settled on-chain.
|
||||
In a number of cases it is desirable to respond to a given transaction being seen on-chain with a predetermined reaction in the form of another transaction.
|
||||
Often the same reaction is desired for a variety of different transactions that may be seen on-chain, but because the input signatures in the response transaction commit to the exact transaction that is being reacted to, this means a new signature must be created for every possible transaction one wishes to be able to react to.
|
||||
|
||||
This proposal introduces a new public key type<ref>'''Why a new public key type?'''
|
||||
New public key types for tapscript can be introduced in a soft fork by specifying new rules for ''unknown public key types'' as specified in [[bip-0342.mediawiki|BIP 342]], as this only requires adding restrictions to the pre-existing signature opcodes.
|
||||
Possible alternative approaches would be to define new script opcodes, to use a different taproot leaf version, or to use a different set of SegWit outputs than those specified by [[bip-0341.mediawiki|BIP 341]]; however all of these approaches are more complicated, and are better reserved for other upgrades where the additional flexibility is actually needed.
|
||||
In this case, we specify a new transaction digest, but retain the same elliptic curve and signature algorithm (ie, secp256k1 and [[bip-0340.mediawiki|BIP 340]]).</ref>
|
||||
that modifies the behavior of the transaction digest algorithm used in the signature creation and verification, by excluding the commitment to the previous output (and, optionally, the witness script<ref>'''Why (and why not) commit to the witness script?'''
|
||||
The [https://blockstream.com/eltoo.pdf eltoo] paper provides an example of why committing to the witness script is not always appropriate.
|
||||
It uses script and the transaction <code>nLockTime</code> to make signatures asymmetric, so that a transaction with an earlier signature can be spent by a transaction with a later signature, but a transaction with a later signature cannot be spent by a transaction with an earlier signature.
|
||||
As a result, a single signature for a third, even later transaction must be able to spend both the prior transactions, even though they have a different tapscript.
|
||||
On the other hand, these cases also provide a good reason to have the option to commit to the script: because each transaction has a new script, committing to the script allows you to produce a signature that applies to precisely one of these transactions.
|
||||
In the eltoo case, this allows you to have a signature for an update transaction that can be applied to any prior update, and a signature for a settlement transaction that applies only to the corresponding update transaction, while using the same key for both, which in turn allows for a more compact script.
|
||||
</ref> and value <ref>'''Why (and why not) commit to the input value?'''
|
||||
Committing to the input value may provide additional safety that a signature can't be maliciously reused to claim funds that the signer does not intend to spend, so by default it seems sensible to commit to it. However, doing so prevents being able to use a single signature to consolidate a group of UTXOs with the same spending condition into a single UTXO which may be useful for some protocols, such as the proposal for [https://lists.linuxfoundation.org/pipermail/lightning-dev/2020-January/002448.html layered commitments with eltoo].</ref>).
|
||||
Removing this commitment allows dynamic rebinding of a signed transaction to another previous output that requires authorisation by the same key.
|
||||
|
||||
The dynamic rebinding is opt-in due to using a separate public key type, and the breadth of transactions the signature can be rebound to can be further restricted by using different keys, committing to the script being spent in the signature, using different amounts between UTXOs, using different nSequence values in the spending transaction, or using the codeseparator opcode to commit to the position in the script.
|
||||
|
||||
== Specification ==
|
||||
<tt>SIGHASH_NOINPUT</tt> is a flag with value <tt>0x40</tt> appended to a signature
|
||||
so that the signature does not commit to any of the inputs, and
|
||||
therefore to the outputs being spent. The flag applies solely to the
|
||||
verification of that single signature.
|
||||
|
||||
The <tt>SIGHASH_NOINPUT</tt> flag is only active for segwit scripts with
|
||||
version 1 or higher. Should the flag be used in a non-segwit script or
|
||||
a segwit script of version 0, the current behavior is maintained and
|
||||
the script execution MUST abort with a failure.
|
||||
This BIP modifies the behaviour of the [[bip-0342.mediawiki|BIP 342]] signature opcodes<ref>'''What about key path spends?'''
|
||||
This proposal only supports ANYPREVOUT signatures via script path spends, and does not support ANYPREVOUT signatures for key path spends.
|
||||
This is for two reasons: first, not supporting key path spends allows this proposal to be independent of the core changes included in [[bip-0341.mediawiki|BIP 341]] and [[bip-0342.mediawiki|BIP 342]]; second, it allows addresses to opt-in or opt-out of ANYPREVOUT support while remaining indistinguishable prior to being spent.
|
||||
</ref> (<code>CHECKSIG</code>, <code>CHECKSIGVERIFY</code>, and <code>CHECKSIGADD</code>) for public keys that have a length of 33 bytes and a first byte of <code>0x01</code> or the public key which is precisely the single byte vector <code>0x01</code><ref>'''Use of 0x01 public key type'''
|
||||
Because <code>OP_0</code> leaves an empty vector on the stack it would not satisfy [[bip-0342.mediawiki|BIP 342]]'s rules for unknown public key types. As such, it is convenient to use one of <code>OP_1..OP_16</code> or <code>OP_1NEGATE</code> as a way to reference the taproot internal key.
|
||||
To keep things as simple as possible, we use the first of these, and add the same byte as a prefix to allow ANYPREVOUT signatures for explicitly specified keys.
|
||||
</ref>.
|
||||
These keys are termed '''BIP 118 public keys'''.
|
||||
|
||||
The transaction digest algorithm from BIP 143 is used when verifying a
|
||||
<tt>SIGHASH_NOINPUT</tt> signature, with the following modifications:
|
||||
==== Rules for signature opcodes ====
|
||||
|
||||
2. hashPrevouts (32-byte hash) is 32 0x00 bytes
|
||||
3. hashSequence (32-byte hash) is 32 0x00 bytes
|
||||
4. outpoint (32-byte hash + 4-byte little endian) is
|
||||
set to 36 0x00 bytes
|
||||
5. scriptCode of the input is set to an empty script
|
||||
0x00
|
||||
The [[bip-0342.mediawiki|BIP 342]] rules for signature opcodes are modified by removing keys with the first byte <code>0x01</code> and length of either 1-byte or 33-bytes from the list of unknown public key types, and adding the following rule prior to the handling of unknown public key types:
|
||||
|
||||
The <tt>value</tt> of the previous output remains part of the transaction
|
||||
digest and is therefore also committed to in the signature.
|
||||
* If the public key is the single byte <code>0x01</code>, or if the public key is 33 bytes and the first byte of the public key is <code>0x01</code>, it is considered to be a BIP 118 public key:
|
||||
** If the signature is not the empty vector, the signature is validated according to the [[bip-0341.mediawiki|BIP 341]] signing validation rules with the public key, allowable <code>hash_type</code> values, and transaction digest modified as defined below.
|
||||
|
||||
The <tt>NOINPUT</tt> flag MAY be combined with the <tt>SINGLE</tt> flag in which
|
||||
case the <tt>hashOutputs</tt> is modified as per BIP
|
||||
143<ref>https://github.com/bitcoin/bips/blob/master/bip-0143.mediawiki</ref>: it
|
||||
only commits to the output with the matching index, if such output exists, and
|
||||
is a <tt>uint256</tt> <tt>0x0000......0000</tt> otherwise.
|
||||
==== Public key ====
|
||||
|
||||
Being a change in the digest algorithm, the <tt>NOINPUT</tt> flag applies to
|
||||
all segwit signature verification opcodes, specifically it applies to:
|
||||
To convert the 1-byte BIP 118 public key for use with [[bip-0340.mediawiki|BIP 340]], use the 32-byte taproot internal key, <code>p</code>, as defined in [[bip-0341.mediawiki|BIP 341]].
|
||||
|
||||
* <tt>OP_CHECKSIG</tt>
|
||||
To convert a 33-byte BIP 118 public key for use with [[bip-0340.mediawiki|BIP 340]], remove the <code>0x01</code> prefix and use the remaining 32 bytes.
|
||||
|
||||
* <tt>OP_CHECKSIGVERIFY</tt>
|
||||
==== Signature message ====
|
||||
|
||||
* <tt>OP_CHECKMULTISIG</tt>
|
||||
The function ''SigMsg118(hash_type, ext_flag)'' computes the message being signed as a byte array, analogously to ''SigMsg(hash_type, ext_flag)'' defined in [[bip-0341.mediawiki|BIP 341]], ''SigExt118(hash_type,key_version)'' computes the extension, similarly to [[bip-0342.mediawiki|BIP 342]].
|
||||
|
||||
* <tt>OP_CHECKMULTISIGVERIFY</tt>
|
||||
The parameter ''hash_type'' is an 8-bit unsigned value, reusing values defined in [[bip-0341.mediawiki|BIP 341]], with the addition that the values <code>0x41</code>, <code>0x42</code>, <code>0x43</code>, <code>0xc1</code>, <code>0xc2</code>, and <code>0xc3</code> are also valid for BIP 118 public keys.
|
||||
|
||||
== Binding through scripts ==
|
||||
Using <tt>NOINPUT</tt> the input containing the signature no longer
|
||||
references a specific output.
|
||||
Any participant can take a transaction and rewrite it by changing the
|
||||
hash reference to the previous output, without invalidating the
|
||||
signatures.
|
||||
This allows transactions to be bound to any output that matches the
|
||||
value committed to in the <tt>witness</tt> and whose <tt>witnessProgram</tt>,
|
||||
combined with the spending transaction's <tt>witness</tt> returns <tt>true</tt>.
|
||||
We define the following constants using bits 6 and 7 of <code>hash_type</code>:
|
||||
|
||||
Previously, all information in the transaction was committed in the
|
||||
signature itself, while now the relationship between the spending
|
||||
transaction and the output being spent is solely based on the
|
||||
compatibility of the <tt>witnessProgram</tt> and the <tt>witness</tt>.
|
||||
* <code>SIGHASH_ANYPREVOUT = 0x40</code>
|
||||
* <code>SIGHASH_ANYPREVOUTANYSCRIPT = 0xc0</code>
|
||||
|
||||
This also means that particular care has to be taken in order to avoid
|
||||
unintentionally enabling this rebinding mechanism. <tt>NOINPUT</tt> MUST NOT
|
||||
be used, unless it is explicitly needed for the application, e.g., it
|
||||
MUST NOT be a default signing flag in a wallet
|
||||
implementation. Rebinding is only possible when the outputs the
|
||||
transaction may bind to all use the same public keys. Any public key
|
||||
that is used in a <tt>NOINPUT</tt> signature MUST only be used for outputs
|
||||
that the input may bind to, and they MUST NOT be used for transactions
|
||||
that the input may not bind to. For example an application SHOULD
|
||||
generate a new key-pair for the application instance using <tt>NOINPUT</tt>
|
||||
signatures and MUST NOT reuse them afterwards.
|
||||
As per [[bip-0341.mediawiki|BIP 341]], the parameter ''ext_flag'' is an integer in the range 0-127, used for indicating that extensions are added at the end of the message. The parameter ''key_version'' is an 8-bit unsigned value (an integer in the range 0-255) used for committing to the public key version.
|
||||
|
||||
The following restrictions apply and cause validation failure if violated:
|
||||
* Using any undefined ''hash_type'' (not ''0x00'', ''0x01'', ''0x02'', ''0x03'', ''0x41'', ''0x42'', ''0x43'', ''0x81'', ''0x82'', ''0x83'', ''0xc1'', ''0xc2'', or ''0xc3'').
|
||||
* Using <code>SIGHASH_SINGLE</code> without a "corresponding output" (an output with the same index as the input being verified).
|
||||
|
||||
If these restrictions aren't violated, ''SigMsg118(hash_type,ext_flag)'' evaluates to the concatenation of the following data, in order (with byte size of each item listed in parentheses). Numerical values in 2, 4, or 8-byte items are encoded in little-endian.
|
||||
|
||||
* Control:
|
||||
** ''hash_type'' (1).
|
||||
* Transaction data:
|
||||
** ''nVersion'' (4): the ''nVersion'' of the transaction.
|
||||
** ''nLockTime'' (4): the ''nLockTime'' of the transaction.
|
||||
** If ''hash_type & 0xc0'' is zero:
|
||||
*** ''sha_prevouts'' (32): the SHA256 of the serialization of all input outpoints.
|
||||
*** ''sha_amounts'' (32): the SHA256 of the serialization of all spent output amounts.
|
||||
*** ''sha_scriptpubkeys'' (32): the SHA256 of the serialization of all spent output ''scriptPubKey''s.
|
||||
*** ''sha_sequences'' (32): the SHA256 of the serialization of all input ''nSequence''.
|
||||
** If ''hash_type & 3'' does not equal <code>SIGHASH_NONE</code> or <code>SIGHASH_SINGLE</code>:
|
||||
*** ''sha_outputs'' (32): the SHA256 of the serialization of all outputs in <code>CTxOut</code> format.
|
||||
* Data about this input:
|
||||
** ''spend_type'' (1): equal to ''(ext_flag * 2) + annex_present'', where ''annex_present'' is 0 if no annex is present, or 1 otherwise (the original witness stack has two or more witness elements, and the first byte of the last element is ''0x50'')
|
||||
** If ''hash_type & 0xc0'' is non-zero:
|
||||
*** If ''hash_type & 0xc0'' is <code>SIGHASH_ANYONECANPAY</code>:
|
||||
**** ''outpoint'' (36): the <code>COutPoint</code> of this input (32-byte hash + 4-byte little-endian).
|
||||
*** If ''hash_type & 0xc0'' is <code>SIGHASH_ANYONECANPAY</code> or <code>SIGHASH_ANYPREVOUT</code>:
|
||||
**** ''amount'' (8): value of the previous output spent by this input.
|
||||
**** ''scriptPubKey'' (35): ''scriptPubKey'' of the previous output spent by this input, serialized as script inside <code>CTxOut</code>. Its size is always 35 bytes.
|
||||
*** ''nSequence'' (4): ''nSequence'' of this input.
|
||||
** If ''hash_type & 0xc0'' is zero:
|
||||
*** ''input_index'' (4): index of this input in the transaction input vector. Index of the first input is 0.
|
||||
** If an annex is present (the lowest bit of ''spend_type'' is set):
|
||||
*** ''sha_annex'' (32): the SHA256 of ''(compact_size(size of annex) || annex)'', where ''annex'' includes the mandatory ''0x50'' prefix.
|
||||
* Data about this output:
|
||||
** If ''hash_type & 3'' equals <code>SIGHASH_SINGLE</code>:
|
||||
*** ''sha_single_output'' (32): the SHA256 of the corresponding output in <code>CTxOut</code> format.
|
||||
|
||||
Similarly, ''SigExt118(hash_type,key_version)'' evaluates to the concatenation of:
|
||||
|
||||
* Extension:
|
||||
** If ''hash_type & 0xc0'' is not <code>SIGHASH_ANYPREVOUTANYSCRIPT</codE>:
|
||||
*** ''tapleaf_hash'' (32): the tapleaf hash as defined in [[bip-0341.mediawiki|BIP 341]]
|
||||
** ''key_version'' (1).
|
||||
** ''codesep_pos'' (4): the opcode position of the last executed <code>OP_CODESEPARATOR</code> before the currently executed signature opcode, with the value in little endian (or ''0xffffffff'' if none executed). The first opcode in a script has a position of 0. A multi-byte push opcode is counted as one opcode, regardless of the size of data being pushed.
|
||||
|
||||
Note that if ''hash_type & 0x40'' is zero, ''SigMsg118(hash_type,ext_flag) == SigMsg(hash_type,ext_flag)'', and ''SigExt118(hash_type,0x00) == ext'' (where ''ext'' is the message extension as defined in [[bip-0342.mediawiki|BIP 342]]).
|
||||
|
||||
To verify a signature ''sig'' for a BIP 118 public key ''p'':
|
||||
|
||||
* If the ''sig'' is 64 bytes long, return ''Verify(p, hash<sub>TapSigHash</sub>(0x00 || SigMsg118(0x00, 1) || SigExt118(0x00, 0x01), sig)'', where ''Verify'' is defined in [[bip-0340.mediawiki|BIP 340]].
|
||||
* If the ''sig'' is 65 bytes long, return ''sig[64] ≠ 0x00 and Verify(p, hash<sub>TapSighash</sub>(0x00 || SigMsg118(sig[64], 1) || SigExt118(sig[64], 0x01), sig[0:64])''.
|
||||
* Otherwise, fail.
|
||||
|
||||
The key differences from [[bip-0342.mediawiki|BIP 342]] signature verification are:
|
||||
|
||||
* In all cases, <code>key_version</code> is set to the constant value <code>0x01</code> instead of <code>0x00</code>.<ref>'''Why change key_version?''' Changing <code>key_version</code> ensures that if the same private key is used to generate both a [[bip-0342.mediawiki|BIP 342]] key and a BIP 118 public key, that a signature for the [[bip-0342.mediawiki|BIP 342]] key is not also valid for the BIP 118 public key (and vice-versa).</ref>
|
||||
* If <code>SIGHASH_ANYPREVOUT</code> is set, the digest is calculated as if <code>SIGHASH_ANYONECANPAY</code> was set, except <code>outpoint</code> is not included in the digest.
|
||||
* If <code>SIGHASH_ANYPREVOUTANYSCRIPT</code> is set, the digest is calculated as if <code>SIGHASH_ANYONECANPAY</code> was set, except <code>outpoint</code>, <code>scriptPubKey</code> and <code>tapleaf_hash</code> are not included in the digest.
|
||||
|
||||
== Security ==
|
||||
|
||||
==== Signature replay ====
|
||||
|
||||
By design, <code>SIGHASH_ANYPREVOUT</code> and <code>SIGHASH_ANYPREVOUTANYSCRIPT</code> introduce additional potential for signature replay (that is they allow the same signature to be reused on a different transaction) when compared to <code>SIGHASH_ALL</code> and <code>SIGHASH_ANYONECANPAY</code> signatures.
|
||||
|
||||
Both <code>SIGHASH_ALL</code> and <code>SIGHASH_ANYONECANPAY</code> signatures prevent signature replay by committing to one or more inputs, so replay of the signature is only possible if the same input can be spent multiple times, which is not possible on the Bitcoin blockchain (due to enforcement of [[bip-0030.mediawiki|BIP 30]]).
|
||||
With <code>SIGHASH_ANYPREVOUT</code> signature replay is possible for different UTXOs with the same <code>scriptPubKey</code> and the same value, while with <code>SIGHASH_ANYPREVOUTANYSCRIPT</code> signature replay is possible for any UTXOs that reuse the same BIP 118 public key in one of their potential scripts.
|
||||
|
||||
As a consequence, implementors MUST ensure that BIP 118 public keys are only reused when signature replay cannot cause loss of funds (eg due to other features of the protocol or other constraints on the transaction), or when such a loss of funds is acceptable.
|
||||
|
||||
==== Malleability ====
|
||||
|
||||
Use of <code>SIGHASH_ANYPREVOUT</code> or <code>SIGHASH_ANYPREVOUTANYSCRIPT</code> may introduce additional malleability vectors.
|
||||
|
||||
In particular, a transaction authenticated using only ANYPREVOUT signatures is malleable to anyone able to provide an alternate input satisfied by the signature -- an input changed in this way would produce a new, valid transaction paying the same recipient, but with a different txid.
|
||||
Depending on the changes to the inputs, this might conflict with the original transaction (if some inputs remain shared) or might result in a double-payment to the recipient (if they do not).
|
||||
|
||||
Further, for a chain of transactions using the same <code>scriptPubKey</code> and value, and only authenticated via ANYPREVOUT signatures (as envisioned in eltoo for failure cases), it may be possible for any third party to malleate the transactions (and their txids) without having access to any of the private keys, particularly by omitting intermediate transactions.
|
||||
|
||||
This form of malleation can be dealt with by the child transactions also using ANYPREVOUT signatures -- when a parent transaction is malleated, its children can be adjusted to reference the new txid as the input and the ANYPREVOUT signatures remain valid.
|
||||
|
||||
However child transactions that are authorised by a <code>SIGHASH_ALL</code> or <code>SIGHASH_ANYONECANPAY</code> signature will need new signatures if their inputs are malleated in this way.
|
||||
This risk may be mitigated somewhat by using [[bip-0068.mediawiki|BIP 68]]/[[bip-0112.mediawiki|BIP 112]] relative time locks before spending a UTXO that had been authorised via an ANYPREVOUT signature with <code>SIGHASH_ALL</code> or <code>SIGHASH_ANYONECANPAY</code>: a relative timelock can ensure that the inputs have enough confirmations that they can only be replaced in the event of a large block reorg.
|
||||
Note that this approach has drawbacks: relative timelocks prevent fee-bumping via child-pays-for-parent, and have the obvious drawback of making the funds temporarily unusable until the timelock expires.
|
||||
|
||||
==== Privacy considerations ====
|
||||
|
||||
It is expected that ANYPREVOUT signatures will only be rarely used in practice.
|
||||
Protocol and wallet designers should aim to have their transactions use Taproot key path spends whenever possible, both for efficiency reasons due to the lower transaction weight, but also for privacy reasons to avoid third parties being able to distinguish their transactions from those of other protocols.
|
||||
|
||||
Transactions that do use ANYPREVOUT signatures will therefore reveal information about the transaction, potentially including that cooperation was impossible, or what protocol or software was used (due to the details of the script).
|
||||
|
||||
In order to maximise privacy, it is therefore recommended that protocol designers only use BIP 118 public keys in scripts that will be spent using at least one ANYPREVOUT signature, and either use key path spends or alternate scripts in the taproot merkle tree for any spends that can be authorised without ANYPREVOUT signatures.
|
||||
Following this recommendation may require additional script branches, which may mean disregarding this recommendation may result in a better tradeoff between cost and privacy in some circumstances.
|
||||
|
||||
== Rationale ==
|
||||
|
||||
<references />
|
||||
|
||||
== Deployment ==
|
||||
The <tt>NOINPUT</tt> sighash flag is to be deployed during a regular segwit
|
||||
script update.
|
||||
|
||||
== Backward compatibility ==
|
||||
As a soft fork, older software will continue to operate without
|
||||
modification. Non-upgraded nodes, however, will not verify the
|
||||
validity of the new sighash flag and will consider the transaction
|
||||
valid by default. Being only applicable to segwit transactions,
|
||||
non-segwit nodes will see an anyone-can-spend script and will consider
|
||||
it valid.
|
||||
TODO
|
||||
|
||||
== Acknowledgments ==
|
||||
This may be deployed as a soft-fork either concurrent with, or subsequent to the deployment of [[bip-0340.mediawiki|BIP 340]], [[bip-0341.mediawiki|BIP 341]] and [[bip-0342.mediawiki|BIP 342]].
|
||||
|
||||
The <tt>NOINPUT</tt> sighash flag was first proposed by Joseph Poon in
|
||||
February 2016<ref>https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2016-February/012460.html</ref>, after being mentioned in the original
|
||||
Lightning paper<ref>http://lightning.network/lightning-network.pdf</ref>. A formal proposal was however
|
||||
deferred until after the activation of segwit. This proposal is a
|
||||
continuation of this discussion and attempts to formalize it in such a
|
||||
way that it can be included in the Bitcoin protocol. As such we'd like
|
||||
acknowledge Joseph Poon and Thaddeus Dryja as the original inventors
|
||||
of the <tt>NOINPUT</tt> sighash flag, and its uses in off-chain protocols.
|
||||
== Backwards compatibility ==
|
||||
|
||||
== References ==
|
||||
As a soft fork, older software will continue to operate without modification.
|
||||
Nodes that have not upgraded to support [[bip-0341.mediawiki|BIP 341]] will see all taproot witness programs as anyone-can-spend scripts, and nodes that have upgraded to support [[bip-0341.mediawiki|BIP 341]] and [[bip-0342.mediawiki|BIP 342]] but not BIP 118 will simply treat any non-empty signature against a BIP 118 public key as valid.
|
||||
As such, nodes are strongly encourage to upgrade in order to fully validate signatures for the new public key type.
|
||||
|
||||
<references/>
|
||||
Non-upgraded wallets can receive and send bitcoin from non-upgraded and upgraded wallets using SegWit version 0 programs, traditional pay-to-pubkey-hash, etc.
|
||||
Depending on the implementation, non-upgraded wallets may be able to send to SegWit version 1 programs if they support sending to [[bip-0350.mediawiki|BIP350]] Bech32m addresses and do not prevent the transaction from being broadcast due to considering the outputs non-standard.
|
||||
|
||||
== Copyright ==
|
||||
== Revisions ==
|
||||
|
||||
Apart from being based on Taproot rather than SegWit v0, the main differences to prior revisions of this BIP are:
|
||||
|
||||
* The sighash flag has been renamed from "NOINPUT" to "ANYPREVOUT" to reflect that while any prevout may potentially be used with the signature, some aspects of the input are still committed to, namely the input nSequence value, and (optionally) the spending conditions and amount.
|
||||
* Previously NOINPUT would have worked for direct public key spends (assuming deployment was fleshed out in a way similar to BIP 141 P2WPKH and P2WSH), however this proposal only applies to signatures via tapscript, and not direct key path spends. This means that addresses must opt-in to the ability to be spent by a <code>SIGHASH_ANYPREVOUT</code> or <code>SIGHASH_ANYPREVOUTANYSCRIPT</code> signature by including an appropriate tapscript path when the address is created.
|
||||
* NOINPUT signatures do not commit to the output's spending conditions either via <code>scriptPubKey</code> or the redeem/witness script. This behaviour is preserved when <code>SIGHASH_ANYPREVOUTANYSCRIPT</code> is used, but when <code>SIGHASH_ANYPREVOUT</code> is used, the signature now commits to <code>scriptPubKey</code> and the tapscript.
|
||||
* NOINPUT signatures did commit to the input's amount. This behaviour is preserved when <code>SIGHASH_ANYPREVOUT</code> is used, but not when <code>SIGHASH_ANYPREVOUTANYSCRIPT</code> is used.
|
||||
* <code>OP_CODESEPARATOR</code> in script will affect both <code>SIGHASH_ANYPREVOUT</code> and <code>SIGHASH_ANYPREVOUTANYSCRIPT</code> signatures, whereas it would not have in the previous draft.
|
||||
|
||||
== Acknowledgements ==
|
||||
|
||||
The <code>SIGHASH_NOINPUT</code> flag was first proposed by Joseph Poon in [https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2016-February/012460.html February 2016], after being mentioned in the original [http://lightning.network/lightning-network-paper.pdf Lightning paper] by Joseph Poon and Thaddeus Dryja.
|
||||
This document is the result of discussions with many people and had direct input from Greg Maxwell, Jonas Nick, Pieter Wuille and others.
|
||||
|
||||
This document is licensed under the BSD 3 Clause license.
|
||||
|
@ -171,13 +171,9 @@ Actual replacement may be unreliable until two conditions have been satisfied:
|
||||
|
||||
# Enough hash rate has upgraded to support replacement, allowing for reasonable probability that a replacement can be mined.
|
||||
|
||||
==Client support==
|
||||
==Backwards compatibility==
|
||||
|
||||
No known wallet currently creates transactions by default with
|
||||
nSequence set below (0xffffffff - 1), so no known existing wallet
|
||||
explicitly signals replaceability by default. No known popular wallet
|
||||
spends other users' unconfirmed transactions by default, so no known
|
||||
existing wallets signals inherited replaceability.
|
||||
At the time opt-in RBF support was added/proposed, no known wallet created transactions by default with nSequence set below (0xffffffff - 1), so no known wallet explicitly signaled replaceability by default. Also no known popular wallet spent other users' unconfirmed transactions by default, so no known wallets signaled inherited replaceability.
|
||||
|
||||
==See also==
|
||||
|
||||
|
462
bip-0129.mediawiki
Normal file
462
bip-0129.mediawiki
Normal file
@ -0,0 +1,462 @@
|
||||
<pre>
|
||||
BIP: 129
|
||||
Layer: Applications
|
||||
Title: Bitcoin Secure Multisig Setup (BSMS)
|
||||
Author: Hugo Nguyen <hugo@nunchuk.io>
|
||||
Peter Gray <peter@coinkite.com>
|
||||
Marko Bencun <marko@shiftcrypto.ch>
|
||||
Aaron Chen <aarondongchen@gmail.com>
|
||||
Rodolfo Novak <rodolfo@coinkite.com>
|
||||
Comments-Summary: No comments yet.
|
||||
Comments-URI: https://github.com/bitcoin/bips/wiki/Comments:BIP-0129
|
||||
Status: Proposed
|
||||
Type: Standards Track
|
||||
Created: 2020-11-10
|
||||
License: BSD-2-Clause
|
||||
</pre>
|
||||
|
||||
==Introduction==
|
||||
|
||||
===Abstract===
|
||||
|
||||
This document proposes a mechanism to set up multisig wallets securely.
|
||||
|
||||
===Copyright===
|
||||
|
||||
This BIP is licensed under the 2-clause BSD license.
|
||||
|
||||
===Motivation===
|
||||
|
||||
The Bitcoin multisig experience has been greatly streamlined under [https://github.com/bitcoin/bips/blob/master/bip-0174.mediawiki BIP-0174
|
||||
(Partially Signed Bitcoin Transaction)]. However, what is still missing is a standardized process for setting up multisig wallets securely across different vendors.
|
||||
|
||||
There are a number of concerns when it comes to setting up a multisig wallet:
|
||||
|
||||
# Whether the multisig configuration, such as Signer membership, script type, derivation paths and number of signatures required, is correct and not tampered with.
|
||||
# Whether the keys or the multisig configuration are leaked during the setup.
|
||||
# Whether the Signer persists the multisig configuration in their respective storage, and under what format.
|
||||
# Whether the Signer's storage is tamper-proof.
|
||||
# Whether the Signer subsequently uses the multisig configuration to generate and verify receive and change addresses.
|
||||
|
||||
An attacker who can modify the multisig configuration can steal or hold funds for ransom by duping the user into sending funds to the wrong address. An attacker who cannot modify the configuration but can learn about the keys and/or the configuration can monitor transactions in the wallet, resulting in loss of privacy.
|
||||
|
||||
This proposal seeks to address concerns #1, #2 and #3: to mitigate the risk of tampering during the initial setup phase, and to define an interoperable multisig configuration format.
|
||||
|
||||
Concerns #4 and #5 should be handled by Signers and are out of scope of this proposal.
|
||||
|
||||
==Specification==
|
||||
|
||||
===Prerequisites===
|
||||
This proposal assumes the parties in the multisig support [https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki BIP-0032], [https://github.com/bitcoin/bips/blob/master/bip-0322.mediawiki BIP-0322], [https://github.com/bitcoin/bitcoin/blob/master/doc/descriptors.md the descriptor language] and [https://tools.ietf.org/html/rfc3686 AES encryption].
|
||||
|
||||
===File Extensions===
|
||||
All descriptor and key records should have a <tt>.bsms</tt> file extension. Encrypted data should have a <tt>.dat</tt> extension.
|
||||
|
||||
===Roles===
|
||||
====Coordinator====
|
||||
|
||||
The Coordinator initiates the multisig setup. The Coordinator determines what type of multisig is used and the exact policy script. If encryption is enabled, the Coordinator also distributes a shared secret or shared secrets to the parties involved for secure communication. The Coordinator gathers information from the Signers to generate a descriptor record. The Coordinator distributes the descriptor record back to the Signers.
|
||||
|
||||
====Signer====
|
||||
|
||||
The Signer is any software or hardware that controls the private keys and can sign using those keys. The Signer is a participating member in the multisig. Its responsibilities include providing its key record -- which contains a public key or an Extended Public Key (XPUB) -- to the Coordinator, verifying that its <tt>KEY</tt> is included in the descriptor record and persisting the descriptor record in its storage.
|
||||
|
||||
===Setup Process===
|
||||
|
||||
====Round 1====
|
||||
|
||||
=====Coordinator=====
|
||||
|
||||
* The Coordinator creates a new multisig wallet creation session. The Coordinator constructs the multisig script and its policy parameters, such as the required number of signatures and the total number of Signers (<tt>M</tt> and <tt>N</tt>).
|
||||
* The session should expire after some time period determined by the Coordinator, e.g., 24 hours. The timeout allows the encryption key to have lower entropy.
|
||||
* If encryption is enabled, the Coordinator distributes a secret <tt>TOKEN</tt> to each Signer over a secure channel. The Signer can use the <tt>TOKEN</tt> to derive an <tt>ENCRYPTION_KEY</tt>. Refer to the [[#Encryption]] section below for details on the <tt>TOKEN</tt>, the key derivation function and the encryption scheme. Depending on the use case, the Coordinator can decide whether to share one common <tt>TOKEN</tt> for all Signers, or to have one per Signer.
|
||||
* If encryption is disabled, the <tt>TOKEN</tt> is set to <tt>0x00</tt>, and all the encryption/decryption steps below can be skipped.
|
||||
|
||||
=====Signer=====
|
||||
|
||||
* The Signer initiates the multisig wallet creation session by setting the <tt>TOKEN</tt>. The Signer derives an <tt>ENCRYPTION_KEY</tt> from the <tt>TOKEN</tt>. The Signer can keep the session open until a different value for the <tt>TOKEN</tt> is set.
|
||||
* The Signer generates a key record by prompting the user for a multisig derivation path and retrieves the <tt>KEY</tt> at that derivation path. Alternatively, the Signer can choose a path on behalf of the user. If the Signer chooses the path, it should try to avoid reusing <tt>KEY</tt>s for different wallets.
|
||||
* The first line in the record must be the specification version (<tt>BSMS 1.0</tt> as of this writing). The second line must be the hex-encoded <tt>TOKEN</tt>. The third line must be the <tt>KEY</tt>. The <tt>KEY</tt> is a public key or an XPUB plus the key origin information, written in the descriptor-defined format, i.e.: <tt>[{master key fingerprint}/{derivation path}]{KEY}</tt>. The fourth line is a text description of the key, 80 characters maximum. The fifth line must be a <tt>SIG</tt>, whereas <tt>SIG</tt> is the signature generated by using the private key associated with the public key or XPUB to sign the first four lines. The signature should follow [https://github.com/bitcoin/bips/blob/master/bip-0322.mediawiki BIP-0322], legacy format accepted.
|
||||
* The Signer calculates the Message Authentication Code (<tt>MAC</tt>) for the record. The first 16 bytes of the <tt>MAC</tt> serves as the Initialization Vector (<tt>IV</tt>) for the encryption.
|
||||
* The Signer encrypts the key record with the <tt>ENCRYPTION_KEY</tt> and <tt>IV</tt>.
|
||||
* The Signer encodes the <tt>MAC</tt> and the ciphertext into hexadecimal format, then concatenates the results: <tt>(MAC || ciphertext)</tt>.
|
||||
|
||||
====Round 2====
|
||||
|
||||
=====Coordinator=====
|
||||
|
||||
* The Coordinator gathers key records from all participating Signers. The Coordinator verifies that there are exactly <tt>N</tt> unique key records before the wallet setup session expires.
|
||||
* For each key record, the Coordinator extracts the <tt>MAC</tt> from the data, sets <tt>IV</tt> to the first 16 bytes of the <tt>MAC</tt>, then decrypts the ciphertext using the <tt>ENCRYPTION_KEY</tt> and <tt>IV</tt>.
|
||||
* The Coordinator verifies that the included <tt>MAC</tt> is valid given the plaintext.
|
||||
* The Coordinator verifies that the key records have compatible specification versions.
|
||||
* The Coordinator verifies that the included <tt>SIG</tt> is valid given the <tt>KEY</tt>.
|
||||
* If all key records look good, the Coordinator fills in all necessary information to generate a descriptor record.
|
||||
* The first line in the descriptor record must be the specification version (<tt>BSMS 1.0</tt> as of this writing). The second line must be a descriptor or a descriptor template. The third line must be a comma-separated list of derivation path restrictions. The paths must start with <tt>/</tt> and use non-hardened derivation. If there are no template or restrictions, it must say <tt>No path restrictions</tt>. The fourth line must be the wallet's first address. If there are path restrictions, use the first address from the first path restriction.
|
||||
* The Coordinator calculates the <tt>MAC</tt> for the record. The first 16 bytes of the <tt>MAC</tt> serves as the <tt>IV</tt> for the encryption..
|
||||
* The Coordinator encrypts the descriptor record with the <tt>ENCRYPTION_KEY</tt> and <tt>IV</tt>.
|
||||
* The Coordinator encodes the <tt>MAC</tt> and the ciphertext into hexadecimal format, then concatenates the results: <tt>(MAC || ciphertext)</tt>.
|
||||
* The Coordinator sends the encrypted descriptor record to all participating Signers.
|
||||
|
||||
=====Signer=====
|
||||
|
||||
* The Signer imports the descriptor record.
|
||||
* The Signer extracts the <tt>MAC</tt> from the data, sets <tt>IV</tt> to the first 16 bytes of the <tt>MAC</tt>, then decrypts the ciphertext using the <tt>ENCRYPTION_KEY</tt> (derived from the open session) and <tt>IV</tt>.
|
||||
* The Signer verifies that the included <tt>MAC</tt> is valid given the plaintext.
|
||||
* The Signer verifies that it can support the included specification version.
|
||||
* The Signer verifies that it can support the descriptor or descriptor template.
|
||||
* The Signer checks that its <tt>KEY</tt> is included in the descriptor or descriptor template, using path and fingerprint information provided. The check must perform an exact match on the <tt>KEY</tt>s and not using shortcuts such as matching fingerprints, which is trivial to spoof.
|
||||
* The Signer verifies that it is compatible with the derivation path restrictions.
|
||||
* The Signer verifies that the wallet's first address is valid.
|
||||
* For confirmation, the Signer must display to the user the wallet's first address and policy parameters, including, but not limited to: the derivation path restrictions, <tt>M</tt>, <tt>N</tt>, and the position(s) of the Signer's own <tt>KEY</tt> in the policy script. The total number of Signers, <tt>N</tt>, is important to prevent a <tt>KEY</tt> insertion attack. The position is important for scripts where <tt>KEY</tt> order matters. When applicable, all positions of the <tt>KEY</tt> must be displayed. The full descriptor or descriptor template must also be available for review upon user request.
|
||||
* Parties must check with each other that all Signers have the same confirmation (except for the <tt>KEY</tt> positions).
|
||||
* If all checks pass, the Signer must persist the descriptor record in its storage.
|
||||
|
||||
This completes the setup.
|
||||
|
||||
===Encryption===
|
||||
|
||||
====The Token====
|
||||
We define three modes of encryption.
|
||||
|
||||
# <tt>NO_ENCRYPTION</tt> : the <tt>TOKEN</tt> is set to <tt>0x00</tt>. Encryption is disabled.
|
||||
# <tt>STANDARD</tt> : the <tt>TOKEN</tt> is a 64-bit nonce.
|
||||
# <tt>EXTENDED</tt> : the <tt>TOKEN</tt> is a 128-bit nonce.
|
||||
|
||||
The <tt>TOKEN</tt> can be converted to one of these formats:
|
||||
* A decimal number (recommended). The number must not exceed the maximum value of the nonce.
|
||||
* A mnemonic phrase using [https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki BIP-0039] word list. This would be 6 words in <tt>STANDARD</tt> mode. This encoding is not recommended in <tt>EXTENDED</tt> mode as it can result in potential confusion between seed mnemonics and <tt>TOKEN</tt> mnemonics.
|
||||
* A QR code.
|
||||
* Other formats.
|
||||
|
||||
The flexibility in the data format allows each Signer to customize the User Experience based on its respective capabilities.
|
||||
|
||||
====Key Derivation====
|
||||
The key derivation function is [https://tools.ietf.org/html/rfc2898 PBKDF2], with PRF = SHA512. Specifically:
|
||||
|
||||
<tt>DKey = PBKDF2(PRF, Password, Salt, c, dkLen)</tt>
|
||||
|
||||
Whereas:
|
||||
|
||||
* PRF = SHA512
|
||||
* Password = "No SPOF"
|
||||
* Salt = <tt>TOKEN</tt>
|
||||
* c = 2048
|
||||
* dkLen = 256
|
||||
* DKey = Derived <tt>ENCRYPTION_KEY</tt>
|
||||
|
||||
====Encryption Scheme====
|
||||
The encryption scheme is [https://tools.ietf.org/html/rfc3686 AES-256-CTR].
|
||||
|
||||
<tt>MAC = HMAC-SHA256(HMAC_Key, hex-encoded TOKEN || Data)</tt>
|
||||
|
||||
<tt>IV = First 16 bytes of MAC</tt>
|
||||
|
||||
<tt>Ciphertext = AES-256-CTR-Encrypt(Plaintext, DKey, IV)</tt>
|
||||
|
||||
<tt>Plaintext = AES-256-CTR-Decrypt(Ciphertext, DKey, IV)</tt>
|
||||
|
||||
Whereas:
|
||||
* DKey = <tt>ENCRYPTION_KEY</tt>
|
||||
* HMAC_Key = SHA256(<tt>ENCRYPTION_KEY</tt>)
|
||||
* Data = the plaintext, e.g. the entire key record in round 1 and the entire descriptor record in round 2
|
||||
|
||||
The <tt>MAC</tt> is to be sent along with the key and descriptor record, as specified above. Because it is a <tt>MAC</tt> over the entire plaintext, this is essentially an [https://en.wikipedia.org/wiki/Authenticated_encryption#Encrypt-and-MAC_(E&M) Encrypt-and-MAC] form of authenticated encryption.
|
||||
|
||||
===Descriptor Template===
|
||||
The output descriptor language only supports one-dimensional lists. This proposal introduces a descriptor template to represent multi-dimensional lists:
|
||||
|
||||
<tt>XPUB/**</tt>
|
||||
|
||||
Whereas <tt>/**</tt> can be replaced by any number of derivation path restrictions.
|
||||
|
||||
A descriptor template must be accompanied by derivation path restrictions. Signers should expand the template into concrete descriptors by replacing <tt>/**</tt> with the restrictions.
|
||||
|
||||
For example, the following template and derivation path restrictions:
|
||||
* <tt>wsh(sortedmulti(2,XPUB1/**,XPUB2/**))</tt>
|
||||
* <tt>/0/*,/1/*</tt>
|
||||
|
||||
Should translate to two concrete descriptors:
|
||||
* <tt>wsh(sortedmulti(2,XPUB1/0/*,XPUB2/0/*))</tt>
|
||||
* <tt>wsh(sortedmulti(2,XPUB1/1/*,XPUB2/1/*))</tt>
|
||||
|
||||
==QR Codes==
|
||||
For signers that use QR codes to transmit data, key and descriptor records can be converted to QR codes, following [https://github.com/BlockchainCommons/Research/blob/master/papers/bcr-2020-005-ur.md the BCR standard].
|
||||
|
||||
Also refer to [https://github.com/BlockchainCommons/Research/blob/master/papers/bcr-2020-015-account.md UR Type Definition for BIP44 Accounts] and [https://github.com/BlockchainCommons/Research/blob/master/papers/bcr-2020-010-output-desc.md UR Type Definition for Bitcoin Output Descriptors] for more details.
|
||||
|
||||
==Compatibility==
|
||||
This specification is not backwards compatible with existing multisig implementations.
|
||||
|
||||
BSMS is opt-in, meaning existing multisig implementations can continue working as-is, with the caveat that they are likely to have various pitfalls. Some of the problems with existing solutions have been described in the [[#Motivation]] section.
|
||||
|
||||
To comply with this standard, a Signer must be able to persist the descriptor record in its storage.
|
||||
|
||||
To use BSMS for a multisig wallet, the user should wait until all participating Signers in the multisig have implemented BSMS.
|
||||
|
||||
==Security==
|
||||
|
||||
This proposal introduces two layers of protection. The first one is a temporary, secret <tt>TOKEN</tt>. The second one is the confirmation of the wallet's first address.
|
||||
|
||||
The <tt>TOKEN</tt> is used to encrypt the two rounds of communication between the Signer and the Coordinator. A <tt>MAC</tt> is also generated from the <tt>TOKEN</tt> and plaintext to authenticate the data being exchanged. The <tt>TOKEN</tt> is only needed during the setup phase, and can be safely discarded afterwards. It is not recommended to use the same <tt>TOKEN</tt> for multiple wallet creation sessions.
|
||||
|
||||
The wallet's first address, on the other hand, can be used to verify the integrity of the multisig configuration. An attacker who tampers with the multisig configuration must also change the wallet's first address. Parties must check with each other that all Signers confirm to the same address and policy parameters to reduce the chance of tampering.
|
||||
|
||||
==Privacy==
|
||||
Encryption helps improve the privacy of the wallet by avoiding sharing keys and descriptors in plaintext.
|
||||
|
||||
If the parties wish to have stronger privacy, it is recommended to use a higher number of bits for the <tt>TOKEN</tt>, and to completely erase knowledge of the <tt>TOKEN</tt> after the multisig wallet has been set up.
|
||||
|
||||
==Test Vectors==
|
||||
|
||||
===Mode: <tt>NO_ENCRYPTION</tt> with Public Keys===
|
||||
====ROUND 1====
|
||||
* Coordinator
|
||||
** M-of-N: 1/2
|
||||
** ADDRESS_TYPE: NATIVE_SEGWIT
|
||||
** TOKEN: 0x00
|
||||
|
||||
* Signer 1
|
||||
** MASTER_KEY_FINGERPRINT: 59865f44
|
||||
** PRIVATE_KEY (m/48'/0'/0'/2'): L5TXU4SdD9e6QGgBjxeegJKxt4FgATLG1TCnFM8JLyEkFuyHEqNM
|
||||
** Public Key (m/48'/0'/0'/2'): 026d15412460ba0d881c21837bb999233896085a9ed4e5445bd637c10e579768ba
|
||||
** Legacy signature
|
||||
** <tt>signer_1_key.bsms</tt>:
|
||||
<pre>BSMS 1.0
|
||||
00
|
||||
[59865f44/48'/0'/0'/2']026d15412460ba0d881c21837bb999233896085a9ed4e5445bd637c10e579768ba
|
||||
Signer 1 key
|
||||
H6DXgqkCb353BDPkzppMFpOcdJZlpur0WRetQhIBqSn6DFzoQWBtm+ibP5wERDRNi0bxxev9B+FIvyQWq0s6im4=</pre>
|
||||
|
||||
* Signer 2
|
||||
** MASTER_KEY_FINGERPRINT: b7044ca6
|
||||
** PRIVATE_KEY (m/48'/0'/0'/2'): KwT7BZDWjos4JAdfKi8NqF46Kj3rppTwN8KGhPbzmmugiZioFW3r
|
||||
** Public Key (m/48'/0'/0'/2'): 030baf0497ab406ff50cb48b4013abac8a0338758d2fd54cd934927afa57cc2062
|
||||
** Legacy signature
|
||||
** <tt>signer_2_key.bsms</tt>:
|
||||
<pre>BSMS 1.0
|
||||
00
|
||||
[b7044ca6/48'/0'/0'/2']030baf0497ab406ff50cb48b4013abac8a0338758d2fd54cd934927afa57cc2062
|
||||
Signer 2 key
|
||||
H08mGNGN+NxX/snt+6eX2Q1HjjfDkOtotglshHi7xdsBdIrTVMCQbgQ5SdACNZ0B2AJcifK11nJj43SvaitSemI=</pre>
|
||||
|
||||
====ROUND 2====
|
||||
* Coordinator
|
||||
** <tt>my_multisig_wallet.bsms</tt>:
|
||||
<pre>BSMS 1.0
|
||||
wsh(sortedmulti(1,[59865f44/48'/0'/0'/2']026d15412460ba0d881c21837bb999233896085a9ed4e5445bd637c10e579768ba,[b7044ca6/48'/0'/0'/2']030baf0497ab406ff50cb48b4013abac8a0338758d2fd54cd934927afa57cc2062))#rzx9dffd
|
||||
No path restrictions
|
||||
bc1quqy523xu3l8che3s8vja8n33qtg0uyugr9l5z092s3wa50p8t7rqy6zumf</pre>
|
||||
|
||||
===Mode: <tt>NO_ENCRYPTION</tt>===
|
||||
====ROUND 1====
|
||||
* Coordinator
|
||||
** M-of-N: 2/2
|
||||
** ADDRESS_TYPE: NATIVE_SEGWIT
|
||||
** TOKEN: 0x00
|
||||
|
||||
* Signer 1
|
||||
** MASTER_KEY_FINGERPRINT: 1cf0bf7e
|
||||
** PRIVATE_KEY (m/48'/0'/0'/2'): L3q1sg7iso1L3QfzB1riC9bQpqMynWyBeuLLSKwCDGkHkahB7MgU
|
||||
** XPUB (m/48'/0'/0'/2'): xpub6FL8FhxNNUVnG64YurPd16AfGyvFLhh7S2uSsDqR3Qfcm6o9jtcMYwh6DvmcBF9qozxNQmTCVvWtxLpKTnhVLN3Pgnu2D3pAoXYFgVyd8Yz
|
||||
** Legacy signature
|
||||
** <tt>signer_1_key.bsms</tt>:
|
||||
<pre>BSMS 1.0
|
||||
00
|
||||
[1cf0bf7e/48'/0'/0'/2']xpub6FL8FhxNNUVnG64YurPd16AfGyvFLhh7S2uSsDqR3Qfcm6o9jtcMYwh6DvmcBF9qozxNQmTCVvWtxLpKTnhVLN3Pgnu2D3pAoXYFgVyd8Yz
|
||||
Signer 1 key
|
||||
IB7v+qi1b+Xrwm/3bF+Rjl8QbIJ/FMQ40kUsOOQo1SqUWn5QlFWbBD8BKPRetfo1L1N7DmYjVscZNsmMrqRJGWw=</pre>
|
||||
|
||||
* Signer 2
|
||||
** MASTER_KEY_FINGERPRINT: 4fc1dd4a
|
||||
** PRIVATE_KEY (m/48'/0'/0'/2'): L4JNkJfLBDyWfTLbKJ1H3w56GUMsvdfjCkzRo5RHXfJ6bdHqm6cN
|
||||
** XPUB (m/48'/0'/0'/2'): xpub6EebMbEps7ZcV3FYEnddRsvrFWDrt2tiPmCeM7pPXQEmphvq9ZfJ1LWFUDjf3vxCeBuPrfyGrMazWUsYsetrnHatQZVLJH7LsgCjtMqdzgj
|
||||
** Legacy signature
|
||||
** <tt>signer_2_key.bsms</tt>:
|
||||
<pre>BSMS 1.0
|
||||
00
|
||||
[4fc1dd4a/48'/0'/0'/2']xpub6EebMbEps7ZcV3FYEnddRsvrFWDrt2tiPmCeM7pPXQEmphvq9ZfJ1LWFUDjf3vxCeBuPrfyGrMazWUsYsetrnHatQZVLJH7LsgCjtMqdzgj
|
||||
Signer 2 key
|
||||
HzUa4Z76PFHMl54flIIF3XKiHZ+KbWjjxCEG5G3ZqZSqTd6OgTiFFLqq9PXJXdfYm6/cnL8IVWQgjFF9DQhIqQs=</pre>
|
||||
|
||||
====ROUND 2====
|
||||
* Coordinator
|
||||
** <tt>my_multisig_wallet.bsms</tt>:
|
||||
<pre>BSMS 1.0
|
||||
wsh(sortedmulti(2,[1cf0bf7e/48'/0'/0'/2']xpub6FL8FhxNNUVnG64YurPd16AfGyvFLhh7S2uSsDqR3Qfcm6o9jtcMYwh6DvmcBF9qozxNQmTCVvWtxLpKTnhVLN3Pgnu2D3pAoXYFgVyd8Yz/**,[4fc1dd4a/48'/0'/0'/2']xpub6EebMbEps7ZcV3FYEnddRsvrFWDrt2tiPmCeM7pPXQEmphvq9ZfJ1LWFUDjf3vxCeBuPrfyGrMazWUsYsetrnHatQZVLJH7LsgCjtMqdzgj/**))
|
||||
/0/*,/1/*
|
||||
bc1qrgc6p3kylfztu06ysl752gwwuekhvtfh9vr7zg43jvu60mutamcsv948ej</pre>
|
||||
|
||||
===Mode: <tt>STANDARD</tt> Encryption===
|
||||
====ROUND 1====
|
||||
* Coordinator
|
||||
** M-of-N: 2/2
|
||||
** ADDRESS_TYPE: NATIVE_SEGWIT
|
||||
** TOKEN (hex): a54044308ceac9b7
|
||||
*** TOKEN (decimal): 11907592390080907703
|
||||
*** TOKEN (mnemonic): pipe acquire around border prosper swift
|
||||
** ENCRYPTION_KEY (hex): 7673ffd9efd70336a5442eda0b31457f7b6cdf7b42fe17f274434df55efa9839
|
||||
|
||||
* Signer 1
|
||||
** MASTER_KEY_FINGERPRINT: b7868815
|
||||
** PRIVATE_KEY (m/48'/0'/0'/2'): KyKvR9kf8r7ZVtdn3kB9ifipr6UKnTNTpWJkGZbHwARDCz5iZ39E
|
||||
** XPUB (m/48'/0'/0'/2'): xpub6FA5rfxJc94K1kNtxRby1hoHwi7YDyTWwx1KUR3FwskaF6HzCbZMz3zQwGnCqdiFeMTPV3YneTGS2YQPiuNYsSvtggWWMQpEJD4jXU7ZzEh
|
||||
** Legacy signature
|
||||
** <tt>signer_1_key.bsms</tt>:
|
||||
<pre>BSMS 1.0
|
||||
a54044308ceac9b7
|
||||
[b7868815/48'/0'/0'/2']xpub6FA5rfxJc94K1kNtxRby1hoHwi7YDyTWwx1KUR3FwskaF6HzCbZMz3zQwGnCqdiFeMTPV3YneTGS2YQPiuNYsSvtggWWMQpEJD4jXU7ZzEh
|
||||
Signer 1 key
|
||||
H8DYht5P6ko0bQqDV6MtUxpzBSK+aVHxbvMavA5byvLrOlCEGmO1WFR7k2wu42J6dxXD8vrmDQSnGq5MTMMbZ98=</pre>
|
||||
|
||||
* Signer 1 encryption
|
||||
** HMAC_KEY (hex): 3d4c422806ba8964c9ee45070cd675c024d96648a0ddb4001325818c84951de2
|
||||
** MAC (hex): fbdbdb64e6a8231c342131d9f13dcd5a954b4c5021658fa5afcb3fc74dc82706
|
||||
** IV (hex) : fbdbdb64e6a8231c342131d9f13dcd5a
|
||||
** CIPHERTEXT (hex): 53f491cfd1431c292d922ea5a5dec3eb8ddaa6ed38ae109e7b040f0f23013e89a89b4d27476761a01197a3277850b2bc1621ae626efe65f2081eec6eb571c4f787bf1c49d061b43f70fd73cb3f37fa591d2400973ac0644c8941a83f1d4155e98f01fa2fdeb9f86c2e2413154fd18566a28fb0d9d8bd6172efabcfa6dab09ee7029bf3dd43376df52c118a6d291ec168f4ec7f7df951dfc6135fd8cb4b234da62eaea6017dfe5ca418f083e02e3aba2962ba313ba17b6468c7672fb218329a9f3fe4e4887fb87dac57c63ebff0e715a44498d18de8afc10e1cfeb46a1fc65ce871fef8a43b289305433a90c342d025aa4c19454fcfbcf911e9e2f928d5affd0536a6ddc2e816
|
||||
** <tt>signer_1_key.dat</tt>: <pre>fbdbdb64e6a8231c342131d9f13dcd5a954b4c5021658fa5afcb3fc74dc8270653f491cfd1431c292d922ea5a5dec3eb8ddaa6ed38ae109e7b040f0f23013e89a89b4d27476761a01197a3277850b2bc1621ae626efe65f2081eec6eb571c4f787bf1c49d061b43f70fd73cb3f37fa591d2400973ac0644c8941a83f1d4155e98f01fa2fdeb9f86c2e2413154fd18566a28fb0d9d8bd6172efabcfa6dab09ee7029bf3dd43376df52c118a6d291ec168f4ec7f7df951dfc6135fd8cb4b234da62eaea6017dfe5ca418f083e02e3aba2962ba313ba17b6468c7672fb218329a9f3fe4e4887fb87dac57c63ebff0e715a44498d18de8afc10e1cfeb46a1fc65ce871fef8a43b289305433a90c342d025aa4c19454fcfbcf911e9e2f928d5affd0536a6ddc2e816</pre>
|
||||
|
||||
* Signer 2
|
||||
** MASTER_KEY_FINGERPRINT: eedff89a
|
||||
** PRIVATE_KEY (m/48'/0'/0'/2'): Kz1ijnkDXmc65NWTYdg47DDaQgSGJAPfhJG9Unm36oqZPpPXuNR6
|
||||
** XPUB (m/48'/0'/0'/2'): xpub6EhJvMneoLWAf8cuyLBLQiKiwh89RAmqXEqYeFuaCEHdHwxSRfzLrUxKXEBap7nZSHAYP7Jfq6gZmucotNzpMQ9Sb1nTqerqW8hrtmx6Y6o
|
||||
** Legacy signature
|
||||
** <tt>signer_2_key.bsms</tt>:
|
||||
<pre>BSMS 1.0
|
||||
a54044308ceac9b7
|
||||
[eedff89a/48'/0'/0'/2']xpub6EhJvMneoLWAf8cuyLBLQiKiwh89RAmqXEqYeFuaCEHdHwxSRfzLrUxKXEBap7nZSHAYP7Jfq6gZmucotNzpMQ9Sb1nTqerqW8hrtmx6Y6o
|
||||
Signer 2 key
|
||||
H/IHW5dMGYsrRdYEz3ux+kKnkWBtxHzfYkREpnYbco38VnMvIxCbDuf7iu6960qDhBLR/RLjlb9UPtLmCMbczDE=</pre>
|
||||
|
||||
* Signer 2 encryption
|
||||
** HMAC_KEY (hex): 3d4c422806ba8964c9ee45070cd675c024d96648a0ddb4001325818c84951de2
|
||||
** MAC (hex): 383d05b7351a2cef7cca2850450f5efbbc4a3f8ea35707dda87a3692f0f2ebae
|
||||
** IV (hex) : 383d05b7351a2cef7cca2850450f5efb
|
||||
** CIPHERTEXT (hex): 71860b7c69f3a7665c3c3e85c45735bff78535a37ec6610b724627c73696820d519a9251703b17626b63898580233bebbb310aedbc370224b044ee19600bfe583445a6f26fb9bb5790bae516892655adb0e5dfc12be4609c2e0818d4f1f3bfccc4cd1a36f419d6cd842c913ae81eef4865ad473c32c3ee69cd98d6d0a088e2abdd01fe68b5c0503bb9183f9a912506204e5a9c6bd5a1626ff7eac30312a0b85004307c525e52fa3ad45a0b02eabc8cfaea0215bb6e60ee5f32d6673955290e008fbaef362977a21fd9830e3a604f9bb318cdcde456eae91dbedaa069bcd1efb0f981d5b0e502bd4dada903205458a00914887226a8dde317c02a8be4342acb97a8fee79fbe23
|
||||
** <tt>signer_2_key.dat</tt>: <pre>383d05b7351a2cef7cca2850450f5efbbc4a3f8ea35707dda87a3692f0f2ebae71860b7c69f3a7665c3c3e85c45735bff78535a37ec6610b724627c73696820d519a9251703b17626b63898580233bebbb310aedbc370224b044ee19600bfe583445a6f26fb9bb5790bae516892655adb0e5dfc12be4609c2e0818d4f1f3bfccc4cd1a36f419d6cd842c913ae81eef4865ad473c32c3ee69cd98d6d0a088e2abdd01fe68b5c0503bb9183f9a912506204e5a9c6bd5a1626ff7eac30312a0b85004307c525e52fa3ad45a0b02eabc8cfaea0215bb6e60ee5f32d6673955290e008fbaef362977a21fd9830e3a604f9bb318cdcde456eae91dbedaa069bcd1efb0f981d5b0e502bd4dada903205458a00914887226a8dde317c02a8be4342acb97a8fee79fbe23</pre>
|
||||
|
||||
====ROUND 2====
|
||||
*Coordinator
|
||||
** <tt>my_multisig_wallet.bsms</tt>:
|
||||
<pre>BSMS 1.0
|
||||
wsh(sortedmulti(2,[b7868815/48'/0'/0'/2']xpub6FA5rfxJc94K1kNtxRby1hoHwi7YDyTWwx1KUR3FwskaF6HzCbZMz3zQwGnCqdiFeMTPV3YneTGS2YQPiuNYsSvtggWWMQpEJD4jXU7ZzEh/**,[eedff89a/48'/0'/0'/2']xpub6EhJvMneoLWAf8cuyLBLQiKiwh89RAmqXEqYeFuaCEHdHwxSRfzLrUxKXEBap7nZSHAYP7Jfq6gZmucotNzpMQ9Sb1nTqerqW8hrtmx6Y6o/**))
|
||||
/0/*,/1/*
|
||||
bc1qhs4u273g4azq7kqqpe6vh5wfhasfmrq7nheyzsnq77humd7rwtkqagvakf</pre>
|
||||
|
||||
*Coordinator encryption
|
||||
** HMAC_KEY (hex): 3d4c422806ba8964c9ee45070cd675c024d96648a0ddb4001325818c84951de2
|
||||
** MAC (hex): 734ce791b466861945e1ef6f74c63faec590793de54831f0036b28d08714b71a
|
||||
** IV (hex) : 734ce791b466861945e1ef6f74c63fae
|
||||
** CIPHERTEXT (hex): 273cad18a5e1eff37dba6d850749594c9a3fd32b2069e8c69983ea269c5044b6bcaea26d9dbc8ad5d28bb8abfa02e3bfc7632fcc5c2b76e9abb1982ff11295858cfe44a8b97110ae970f58fff3fb6477f38ca9609eec78eedb1d640eaba489fd5e41e787b8d0bde48f1fa99cca641cabbee0f513fb1040cb73df10a57c9a34e4efcb069cd4c75467442c15d878ed9f40e3dffb98294931a6da4f444ae46f739b7fe002ce19fcfe71b05b9783d797ba45d568febbc8a2b0850da67f349d8567342352e1712c3d2a7ea1b2721df5efdb844431f0e5dcfa4acacb194c20785c9bb6dde90d64352fc913e9073b3b416be713bcc7632c821bbfddafa6199d471c54fb899f347f5fc706787ccaa82332dc8b93aeb3de3497d8e5c75f0f5d718c74bc6f8194fe999948e517f1c98398d9cb907d200f1d045394704b074dfb10e587f54fd78e95ef4bcbe77bf1376b390c3f47c91c12b2ed14073ea56bceab41f924302e62183c456b06d96b3da30439cb4320c764a0d6d1b3dabc06fc
|
||||
** <tt>my_multisig_wallet.dat</tt>: <pre>734ce791b466861945e1ef6f74c63faec590793de54831f0036b28d08714b71a273cad18a5e1eff37dba6d850749594c9a3fd32b2069e8c69983ea269c5044b6bcaea26d9dbc8ad5d28bb8abfa02e3bfc7632fcc5c2b76e9abb1982ff11295858cfe44a8b97110ae970f58fff3fb6477f38ca9609eec78eedb1d640eaba489fd5e41e787b8d0bde48f1fa99cca641cabbee0f513fb1040cb73df10a57c9a34e4efcb069cd4c75467442c15d878ed9f40e3dffb98294931a6da4f444ae46f739b7fe002ce19fcfe71b05b9783d797ba45d568febbc8a2b0850da67f349d8567342352e1712c3d2a7ea1b2721df5efdb844431f0e5dcfa4acacb194c20785c9bb6dde90d64352fc913e9073b3b416be713bcc7632c821bbfddafa6199d471c54fb899f347f5fc706787ccaa82332dc8b93aeb3de3497d8e5c75f0f5d718c74bc6f8194fe999948e517f1c98398d9cb907d200f1d045394704b074dfb10e587f54fd78e95ef4bcbe77bf1376b390c3f47c91c12b2ed14073ea56bceab41f924302e62183c456b06d96b3da30439cb4320c764a0d6d1b3dabc06fc</pre>
|
||||
|
||||
===Mode: <tt>EXTENDED</tt> Encryption===
|
||||
====ROUND 1====
|
||||
*Coordinator
|
||||
** M-of-N: 2/3
|
||||
** ADDRESS_TYPE: NESTED_SEGWIT
|
||||
** TOKEN for Signer 1 (hex): 108a2360adb302774eb521daebbeda5e
|
||||
*** TOKEN (decimal): 21984902443033505423410071144203475550
|
||||
*** ENCRYPTION_KEY (hex): 63dc1e57dfdc21fa11109d5088be01fb8078a383d2296925ad2b7612b7179777
|
||||
** TOKEN for Signer 2 (hex): d3fabc873b98165254fe18a71b5335b0
|
||||
*** TOKEN (decimal): 281769005132501859744421970528095647152
|
||||
*** ENCRYPTION_KEY (hex): 3dc860a53471ec03af14617fef60921cf215b45a9d684462fa65b9d804ad3ee7
|
||||
** TOKEN for Signer 3 (hex): 78a7d5e7549453d719150de5459c9ce5
|
||||
*** TOKEN (decimal): 160378811550692397333855096016467696869
|
||||
*** ENCRYPTION_KEY (hex): 62b90b4c08c03a0ee872e57aae73f9acfafb6cc09d20b5c9bc0bafaef33619db
|
||||
|
||||
* Signer 1
|
||||
** MASTER_KEY_FINGERPRINT: 793cc70b
|
||||
** PRIVATE_KEY (m/48'/0'/0'/1'): L1ZEgZ4zNYxyNc8UyeqwyKW1UHVMp9sxwPgSi3s9SW8mc7KsiSwJ
|
||||
** XPUB (m/48'/0'/0'/1'): xpub6ErVmcYYHmavsMgxEcTZyzN5sqth1ZyRpFNJC26ij1wYGC2SBKYrgt9yariSbn7HLRoZUvhUhmPfsRTPrdhhGFscpPZzmch6UTdmRP1aZUj
|
||||
** Legacy signature
|
||||
** <tt>signer_1_key.bsms</tt>:
|
||||
<pre>BSMS 1.0
|
||||
108a2360adb302774eb521daebbeda5e
|
||||
[793cc70b/48'/0'/0'/1']xpub6ErVmcYYHmavsMgxEcTZyzN5sqth1ZyRpFNJC26ij1wYGC2SBKYrgt9yariSbn7HLRoZUvhUhmPfsRTPrdhhGFscpPZzmch6UTdmRP1aZUj
|
||||
Signer 1 key
|
||||
ILG47LpCtjoD9UxL87jo5QFqA90t8g9fDQp/KBojdKgPPGB1pMx2bf9hPdORNZIOdCc/2+Gs6AOs3BEK9ubIuBw=</pre>
|
||||
|
||||
* Signer 1 encryption
|
||||
** HMAC_KEY (hex): 1162cdace4ac9fcde1f96924b93714143d057a701de83ebaed248d1c9154f9fd
|
||||
** MAC (hex): ea12776c73de4bd5ea57c2d19eb8e0be856ac0d7f5651f7b74be4563d61ba5b1
|
||||
** IV (hex) : ea12776c73de4bd5ea57c2d19eb8e0be
|
||||
** CIPHERTEXT (hex): a36f34232bff47a853092654a718fea4f5f57d6a1f3d38fede04e2414da12c90cefc24ef662f736886d9a7fd6e7db636ca47217803c86b7fbcebe4ad6b71cffc261069c135bd2b2430fb2b446ff0203df34fbbc6801243e8a930b9d0cd3a9b160b8dcdc9131ce6e97641e6314b3285ff341013f302e308c1b2eba7ced0103a8999fe2bd86f844392938e7926cd26d023b764d0b8ff92b2fbdf995884c738414b83563ef2a0050279bf46d0e8271ea5d6af8154847c5736129a7a83a35a3cc747b2be4b389886cb57456678353b60473ebc4ab85d9c9131a17a1e288717343d9008825b16c48d7e93927f37b530033192c67b70dec0411a3e5952d2525c7eb80721676e1a6299248c17f8078202f3bb0932e9f263b0ab
|
||||
** <tt>signer_1_key.dat</tt>: <pre>ea12776c73de4bd5ea57c2d19eb8e0be856ac0d7f5651f7b74be4563d61ba5b1a36f34232bff47a853092654a718fea4f5f57d6a1f3d38fede04e2414da12c90cefc24ef662f736886d9a7fd6e7db636ca47217803c86b7fbcebe4ad6b71cffc261069c135bd2b2430fb2b446ff0203df34fbbc6801243e8a930b9d0cd3a9b160b8dcdc9131ce6e97641e6314b3285ff341013f302e308c1b2eba7ced0103a8999fe2bd86f844392938e7926cd26d023b764d0b8ff92b2fbdf995884c738414b83563ef2a0050279bf46d0e8271ea5d6af8154847c5736129a7a83a35a3cc747b2be4b389886cb57456678353b60473ebc4ab85d9c9131a17a1e288717343d9008825b16c48d7e93927f37b530033192c67b70dec0411a3e5952d2525c7eb80721676e1a6299248c17f8078202f3bb0932e9f263b0ab</pre>
|
||||
|
||||
* Signer 2
|
||||
** MASTER_KEY_FINGERPRINT: b3118e52
|
||||
** PRIVATE_KEY (m/48'/0'/0'/1'): L4SnPjcHszMg3Wi2YYxEYnzM2zFeFkFr5NcLZ18YQeyJwaSFbTud
|
||||
** XPUB (m/48'/0'/0'/1'): xpub6Du5Jn6eYZE96ccmAc1ZTFPzdnzrvqfG4mpamDun2qZYKywoiQJMCbS3kWWMr6U3XW6s125RLsaPABWgv2yA749ieaMe67FxkTjMsbcxCch
|
||||
** Legacy signature
|
||||
** <tt>signer_2_key.bsms</tt>:
|
||||
<pre>BSMS 1.0
|
||||
d3fabc873b98165254fe18a71b5335b0
|
||||
[b3118e52/48'/0'/0'/1']xpub6Du5Jn6eYZE96ccmAc1ZTFPzdnzrvqfG4mpamDun2qZYKywoiQJMCbS3kWWMr6U3XW6s125RLsaPABWgv2yA749ieaMe67FxkTjMsbcxCch
|
||||
Signer 2 key
|
||||
IDK4d/oO0pgfrwRu4Zb8vqlPEmJb9aKT1K2CCnI3RKepVAKs3fZsBrypcCdQfUy1TG/3O5vAR3gjldxcCA1Wzg8=</pre>
|
||||
|
||||
* Signer 2 encryption
|
||||
** HMAC_KEY (hex): 43a4e704bd1bade703023004b00290f1a7b005474a581d869a217068eedf3f57
|
||||
** MAC (hex): 4a3ff970d027010e83b4fbf2845a23907a301b3df692a9265e2ca679697ac718
|
||||
** IV (hex) : 4a3ff970d027010e83b4fbf2845a2390
|
||||
** CIPHERTEXT (hex): c8f4a6a6714eff90aa48cbefe6750c2ee3cc72182eb455e964f0ba59ada3ecd758c29f0fab7e33aaa82a340a18d9c793ddab09dc7e714864faac1ecea370d4f102533b739da38aa0491433f35eadec08f203685f04d1f6ec35d397d99e4f8096a5691075e3f54fd9ff58faf947f276bbe1031f827b274bd2f60fcb526add7058889104b189d7da22ac7be1f7ddd380bbebd5c6983a8a3c5fa86913e3d23c40935072ce03d9bdeb07791dc836d44b4d4c62f364d0e4f3580369ea8f6ebb774b7fda4a7ac6f5ae6b2f52b10cd71bdf3cdb5889e77d5eb1f2f647b798cdd6b3e5b964c9265daea3668d7e4cb53f724151923da1a87bbcd2abd8b164de474d865c51af69885431d26f88a5c8eea7d0dfdb52ca622017808a
|
||||
** <tt>signer_2_key.dat</tt>: <pre>4a3ff970d027010e83b4fbf2845a23907a301b3df692a9265e2ca679697ac718c8f4a6a6714eff90aa48cbefe6750c2ee3cc72182eb455e964f0ba59ada3ecd758c29f0fab7e33aaa82a340a18d9c793ddab09dc7e714864faac1ecea370d4f102533b739da38aa0491433f35eadec08f203685f04d1f6ec35d397d99e4f8096a5691075e3f54fd9ff58faf947f276bbe1031f827b274bd2f60fcb526add7058889104b189d7da22ac7be1f7ddd380bbebd5c6983a8a3c5fa86913e3d23c40935072ce03d9bdeb07791dc836d44b4d4c62f364d0e4f3580369ea8f6ebb774b7fda4a7ac6f5ae6b2f52b10cd71bdf3cdb5889e77d5eb1f2f647b798cdd6b3e5b964c9265daea3668d7e4cb53f724151923da1a87bbcd2abd8b164de474d865c51af69885431d26f88a5c8eea7d0dfdb52ca622017808a</pre>
|
||||
|
||||
* Signer 3
|
||||
** MASTER_KEY_FINGERPRINT: 842bd2ed
|
||||
** PRIVATE_KEY (m/48'/0'/0'/1'): L1ehZHpo2UFHc1yaBWDU4bKVycUwcU2TESm92wbfq6xK6qpZZJP6
|
||||
** XPUB (m/48'/0'/0'/1'): xpub6Ex81KopPkEt9hJiWHabYy8LNsSR4A7sUQoFBk9dR8XxHrr4p9HrYWN3NCf5uwfopHnQkCG7FYnZMztKbtRtbh6tzZC4xtHPbmVVxRSN7ic
|
||||
** Legacy signature
|
||||
** <tt>signer_3_key.bsms</tt>:
|
||||
<pre>BSMS 1.0
|
||||
78a7d5e7549453d719150de5459c9ce5
|
||||
[842bd2ed/48'/0'/0'/1']xpub6Ex81KopPkEt9hJiWHabYy8LNsSR4A7sUQoFBk9dR8XxHrr4p9HrYWN3NCf5uwfopHnQkCG7FYnZMztKbtRtbh6tzZC4xtHPbmVVxRSN7ic
|
||||
Signer 3 key
|
||||
IL77mML0xo/O9dJn0T5EpQLuyRPPrdpgVJbtsdAugW5iX0MQ3Ci0f8jVnXu68Xm07CYjYGKX8af72jmkQKhNud0=</pre>
|
||||
|
||||
* Signer 3 encryption
|
||||
** HMAC_KEY (hex): ab93ce7bf0f91c62a66d00ea9bf5e5c00b854ee2cfc2fb06f6eeff738abcdc26
|
||||
** MAC (hex): e82cfcccbd4bd4d3b76e28133eecd13f7362f4a8b4c4baa3e5f6ba2dfb4d69b8
|
||||
** IV (hex) : e82cfcccbd4bd4d3b76e28133eecd13f
|
||||
** CIPHERTEXT (hex): b44433f0b564ec35a1e71371f25844088084b47402c90d52fee7237167b58a60a28c234af9123e104773136e8446d799541c8566882787caee7cd1fa8628aba63aa9e9d7cca0ddee92f96dd881535b19a131a1f487a1909e42d62945fd0ba08dacd7dc09a22ffe47e0410b8b85df92e4a8bbf9b46f0062da02e3ae94144a00bae917acc1246d8d1a4dca105708f55379caefef9d4c152f56b65ab4bd7b48f60233f57ba6d705387c79aeaa2a279e3314004bf16fcd7e7d2adef34b0ab3c22bc5461f2c09dce69065605e4fb96958c55984391712b3547e3914ad4ecca2c088be280dfcfe374a112515674aeca57b885e81dbef6a353ca387f4514db3158eb69f0d2725d42ad8102c05c26ad501d48b889c624035ead4
|
||||
** <tt>signer_3_key.dat</tt>: <pre>e82cfcccbd4bd4d3b76e28133eecd13f7362f4a8b4c4baa3e5f6ba2dfb4d69b8b44433f0b564ec35a1e71371f25844088084b47402c90d52fee7237167b58a60a28c234af9123e104773136e8446d799541c8566882787caee7cd1fa8628aba63aa9e9d7cca0ddee92f96dd881535b19a131a1f487a1909e42d62945fd0ba08dacd7dc09a22ffe47e0410b8b85df92e4a8bbf9b46f0062da02e3ae94144a00bae917acc1246d8d1a4dca105708f55379caefef9d4c152f56b65ab4bd7b48f60233f57ba6d705387c79aeaa2a279e3314004bf16fcd7e7d2adef34b0ab3c22bc5461f2c09dce69065605e4fb96958c55984391712b3547e3914ad4ecca2c088be280dfcfe374a112515674aeca57b885e81dbef6a353ca387f4514db3158eb69f0d2725d42ad8102c05c26ad501d48b889c624035ead4</pre>
|
||||
|
||||
====ROUND 2====
|
||||
* Coordinator
|
||||
** <tt>my_multisig_wallet.bsms</tt>:
|
||||
<pre>BSMS 1.0
|
||||
sh(wsh(multi(2,[793cc70b/48'/0'/0'/1']xpub6ErVmcYYHmavsMgxEcTZyzN5sqth1ZyRpFNJC26ij1wYGC2SBKYrgt9yariSbn7HLRoZUvhUhmPfsRTPrdhhGFscpPZzmch6UTdmRP1aZUj/**,[b3118e52/48'/0'/0'/1']xpub6Du5Jn6eYZE96ccmAc1ZTFPzdnzrvqfG4mpamDun2qZYKywoiQJMCbS3kWWMr6U3XW6s125RLsaPABWgv2yA749ieaMe67FxkTjMsbcxCch/**,[842bd2ed/48'/0'/0'/1']xpub6Ex81KopPkEt9hJiWHabYy8LNsSR4A7sUQoFBk9dR8XxHrr4p9HrYWN3NCf5uwfopHnQkCG7FYnZMztKbtRtbh6tzZC4xtHPbmVVxRSN7ic/**)))
|
||||
/0/*,/1/*
|
||||
3GzMtFXahiu4TpGNGFc4bHMvAcvz5vVQrT</pre>
|
||||
|
||||
* Send to Signer 1:
|
||||
** HMAC_KEY (hex): 1162cdace4ac9fcde1f96924b93714143d057a701de83ebaed248d1c9154f9fd
|
||||
** MAC (hex): 01bf557b6d44b3fbf07f8ec155cbdec42d85d856e174342563dd83b40ad7c025
|
||||
** IV (hex) : 01bf557b6d44b3fbf07f8ec155cbdec4
|
||||
** CIPHERTEXT (hex): 617ed25b4b8fd88b806cbebcc1731b071465514a805f7ba2de60e291bc9493f31aa0f9b0665ba822cf9a2e21c02649b5c3f7dbad317ae898292cb6fe992520f68c0ebe9d1434b348af10453f1be0a392a616d43ba21e5e7fa3c995dce54db947fe5dbad4a9a77f37b3aef58c54ee3e496c8312d3033359aed0de8cf28b82035ee7a38c9b23c9d95682fb15936bf2247546d2ba9b3ada605f5c89f0a3bbaa86cb4b5dded9a65004912c0afbbfd01f0115447f5625e8523f9de16165d32c4b21103d8ac965e2f7e17641ee1a8c5902e8dbb461c6c7d05141f7bba66b8b3608037fb251b55fa461c9441c6427921545a34a1798127d5bf9cc92423f7e62c769e232c65db8cc5124577012d49941143c3b4758212a8afa0475c9b3597da2e99d585039339b7d73611aa277878d212875051683053db9c630391e0b32356523e9fa8a58a334e16fe6650472f336ddaa8c587992b6c0c0e480b680261579a11cf9d036614abc113dde53653273f5ce82ea0bc10e38ca52ac66838aa49ff46c3a7d5096db439c15d3c2e8de55e4ac7315a57eb9997f219c378af86c858867ce583ed84e4d9c68aecfbca9ebff16b0ac91531125e273b215db688ffe52c8033eb78914b87c0fa2001c52e90c92765712e50384ddcf4d0953ac3cc8137abcb2a85d603a6cc207472677
|
||||
** <tt>my_multisig_wallet_for_signer_1.dat</tt>: <pre>01bf557b6d44b3fbf07f8ec155cbdec42d85d856e174342563dd83b40ad7c025617ed25b4b8fd88b806cbebcc1731b071465514a805f7ba2de60e291bc9493f31aa0f9b0665ba822cf9a2e21c02649b5c3f7dbad317ae898292cb6fe992520f68c0ebe9d1434b348af10453f1be0a392a616d43ba21e5e7fa3c995dce54db947fe5dbad4a9a77f37b3aef58c54ee3e496c8312d3033359aed0de8cf28b82035ee7a38c9b23c9d95682fb15936bf2247546d2ba9b3ada605f5c89f0a3bbaa86cb4b5dded9a65004912c0afbbfd01f0115447f5625e8523f9de16165d32c4b21103d8ac965e2f7e17641ee1a8c5902e8dbb461c6c7d05141f7bba66b8b3608037fb251b55fa461c9441c6427921545a34a1798127d5bf9cc92423f7e62c769e232c65db8cc5124577012d49941143c3b4758212a8afa0475c9b3597da2e99d585039339b7d73611aa277878d212875051683053db9c630391e0b32356523e9fa8a58a334e16fe6650472f336ddaa8c587992b6c0c0e480b680261579a11cf9d036614abc113dde53653273f5ce82ea0bc10e38ca52ac66838aa49ff46c3a7d5096db439c15d3c2e8de55e4ac7315a57eb9997f219c378af86c858867ce583ed84e4d9c68aecfbca9ebff16b0ac91531125e273b215db688ffe52c8033eb78914b87c0fa2001c52e90c92765712e50384ddcf4d0953ac3cc8137abcb2a85d603a6cc207472677</pre>
|
||||
|
||||
* Send to Signer 2:
|
||||
** HMAC_KEY (hex): 43a4e704bd1bade703023004b00290f1a7b005474a581d869a217068eedf3f57
|
||||
** MAC (hex): 974ba77900c43c463dadaa6eaf24aaeb1b25b443cf155229b719bcbf8b343092
|
||||
** IV (hex) : 974ba77900c43c463dadaa6eaf24aaeb
|
||||
** CIPHERTEXT (hex): 86288c97a6341974a35015f97fbbc8db7655639c839fc438706f82fce36a82dd17e2d4d4a674516c4fc5c3a33d6097dd8fc5c6605018946741ed9f58d8fe530a808f16f0dd705cacfd273e34a158bd7566774dd31506b8280e448fabb72d0e7dfc05cee1142b61921dfaf0b0039d885cc0aa76c429025efc2ba49a8af15b58e75a5a83ba4838a9a4c9f13725f5aecefd8511513d93797f37b93150b9dca725685883188e39142dd8d3cf4b617c7936bdb3875415bbf6dfb2fe1a39ae2aed9fd2909aebd0355a5cc9a55bcb84048c851a1873948e495180f336edeb63f54bcf83feaa4d2453251260e24293e49815c2369c1c045083c412c973987fd7c9296a71cda424823ed32380ba442394500b7d2d2335818099090aaf08ca4e180869c546f58da4cb4ff0f95b796a35c40ea455e2ddd3e08bc494ffddc706aaf4d479f4f359e6a89a90df7c9b8f23cab355855a72b90795a0db83a96bce0dd4f77e3f58c0957b4ffe9663251565098e6c31fd4bbf3e1295faaff05e29912d9c37cb944da379a9b2193b466910d05a681e53a2dbe5aa18a2b4874153fe36d8a1aa4cc6e612bd6dbc9abb8e1e61b927fc5458d8e1be9536cd462e4c37672af7928c39e94bdc124a2da7b1bd3cad2cfe559adc33e62eb45bff89db8a47a72dda4f49f21c01a9432f4802a1
|
||||
** <tt>my_multisig_wallet_for_signer_2.dat</tt>: <pre>974ba77900c43c463dadaa6eaf24aaeb1b25b443cf155229b719bcbf8b34309286288c97a6341974a35015f97fbbc8db7655639c839fc438706f82fce36a82dd17e2d4d4a674516c4fc5c3a33d6097dd8fc5c6605018946741ed9f58d8fe530a808f16f0dd705cacfd273e34a158bd7566774dd31506b8280e448fabb72d0e7dfc05cee1142b61921dfaf0b0039d885cc0aa76c429025efc2ba49a8af15b58e75a5a83ba4838a9a4c9f13725f5aecefd8511513d93797f37b93150b9dca725685883188e39142dd8d3cf4b617c7936bdb3875415bbf6dfb2fe1a39ae2aed9fd2909aebd0355a5cc9a55bcb84048c851a1873948e495180f336edeb63f54bcf83feaa4d2453251260e24293e49815c2369c1c045083c412c973987fd7c9296a71cda424823ed32380ba442394500b7d2d2335818099090aaf08ca4e180869c546f58da4cb4ff0f95b796a35c40ea455e2ddd3e08bc494ffddc706aaf4d479f4f359e6a89a90df7c9b8f23cab355855a72b90795a0db83a96bce0dd4f77e3f58c0957b4ffe9663251565098e6c31fd4bbf3e1295faaff05e29912d9c37cb944da379a9b2193b466910d05a681e53a2dbe5aa18a2b4874153fe36d8a1aa4cc6e612bd6dbc9abb8e1e61b927fc5458d8e1be9536cd462e4c37672af7928c39e94bdc124a2da7b1bd3cad2cfe559adc33e62eb45bff89db8a47a72dda4f49f21c01a9432f4802a1</pre>
|
||||
|
||||
* Send to Signer 3:
|
||||
** HMAC_KEY (hex): ab93ce7bf0f91c62a66d00ea9bf5e5c00b854ee2cfc2fb06f6eeff738abcdc26
|
||||
** MAC (hex): bb3c93b67d758f244de7ee73e5e61261cea6dff5b3852df8faf265cdf1c73dae
|
||||
** IV (hex) : bb3c93b67d758f244de7ee73e5e61261
|
||||
** CIPHERTEXT (hex): 7ac33bd9719a3cef6c68e09b3c9677565418933f188bbe50dc70f46329706732fe28ab230468e2a8798d3fbf641867d5b3322113204a372e7650ed06cf94d6df5cc7425b1b3a07690a32e12fd9cdad2c9f42d496c1b02215a7d8d63565aa4935bb2b087af39eebc02d4a2d30a4dbf1e72b9a0dab11473c7254ecf9065eb4f9d80a164c489d5fdae0d15d97b6100b79c3999b91341dfb4f599f738d4d631ae413c17b55daa09a67cb34b40d89c26f0e95ddfbf416033f869da32e502815d720bb342ec1c0e5c6910c598f32162016229cd37ea030b4d3b60f560105abb75531dc960ddf6830c26604c67c2da05b8adc45297dda58b2da4671104969b819cdf1c362bc20d7bdfe4a2fbdb79b4a69e285434d991c269e3d23ce3d95675a0acbec2cae04a310581148d3422c1c0a621fb6d79ecac1743b0e76837389b67cd4734ec5ab560c43a183de35fa98834e1f347a0c0c9b14273b76233f55f04553efcde873de92d766f3cdc5e56bc649bf0cc4951f051619ee9b931cd3872044b0e62ea2c2dacad978dbb8df3afa0b9386535278c295c6a30a56950e57f805770568e937ffafbadb226120991d5ec10effa9f4334800010d141a2ddddc00ac743efa821af37f69840487e4db48036c1e0730788cddbca2f68b3769ec6989d76161e6605af50651b6e86e
|
||||
** <tt>my_multisig_wallet_for_signer_3.dat</tt>: <pre>bb3c93b67d758f244de7ee73e5e61261cea6dff5b3852df8faf265cdf1c73dae7ac33bd9719a3cef6c68e09b3c9677565418933f188bbe50dc70f46329706732fe28ab230468e2a8798d3fbf641867d5b3322113204a372e7650ed06cf94d6df5cc7425b1b3a07690a32e12fd9cdad2c9f42d496c1b02215a7d8d63565aa4935bb2b087af39eebc02d4a2d30a4dbf1e72b9a0dab11473c7254ecf9065eb4f9d80a164c489d5fdae0d15d97b6100b79c3999b91341dfb4f599f738d4d631ae413c17b55daa09a67cb34b40d89c26f0e95ddfbf416033f869da32e502815d720bb342ec1c0e5c6910c598f32162016229cd37ea030b4d3b60f560105abb75531dc960ddf6830c26604c67c2da05b8adc45297dda58b2da4671104969b819cdf1c362bc20d7bdfe4a2fbdb79b4a69e285434d991c269e3d23ce3d95675a0acbec2cae04a310581148d3422c1c0a621fb6d79ecac1743b0e76837389b67cd4734ec5ab560c43a183de35fa98834e1f347a0c0c9b14273b76233f55f04553efcde873de92d766f3cdc5e56bc649bf0cc4951f051619ee9b931cd3872044b0e62ea2c2dacad978dbb8df3afa0b9386535278c295c6a30a56950e57f805770568e937ffafbadb226120991d5ec10effa9f4334800010d141a2ddddc00ac743efa821af37f69840487e4db48036c1e0730788cddbca2f68b3769ec6989d76161e6605af50651b6e86e</pre>
|
||||
|
||||
==Acknowledgement==
|
||||
|
||||
Special thanks to Pavol Rusnak, Dmitry Petukhov, Christopher Allen, Craig Raw, Robert Spigler, Gregory Sanders, Ta Tat Tai, Michael Flaxman, Pieter Wuille, Salvatore Ingala, Andrew Chow and others for their feedback on the specification.
|
||||
|
||||
==References==
|
||||
|
||||
Related mailing list threads:
|
||||
* https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-February/018385.html
|
||||
* https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-April/018732.html
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -127,7 +127,7 @@ Sigops per block is currently limited to 20,000. We change this restriction as f
|
||||
Sigops in the current pubkey script, signature script, and P2SH check script are counted at 4 times their previous value.
|
||||
The sigop limit is likewise quadrupled to ≤ 80,000.
|
||||
|
||||
Each P2WPKH input is counted as 1 sigop. In addition, opcodes within a P2WSH <code>witnessScript</code> are counted identically as previously within the P2SH <code>redeemScript</code>. That is, CHECKSIG is counted as only 1 sigop, and CHECKMULTISIG is counted as 1 to 20 sigops according to the arguments. This rule applies to both native witness program and P2SH witness program.
|
||||
Each P2WPKH input is counted as 1 sigop. In addition, opcodes within a P2WSH <code>witnessScript</code> are counted identically as previously within the P2SH <code>redeemScript</code>. That is, CHECKSIG is counted as only 1 sigop. When preceded by OP_1 to OP_16 CHECKMULTISIG is counted as 1 to 16 sigops respectively, otherwise it is counted as 20 sigops. This rule applies to both native witness program and P2SH witness program.
|
||||
|
||||
=== Additional definitions ===
|
||||
|
||||
|
@ -44,8 +44,7 @@ interpreted as described in RFC 2119<ref>[https://tools.ietf.org/html/rfc2119 RF
|
||||
|
||||
The <code>addrv2</code> message is defined as a message where <code>pchCommand == "addrv2"</code>.
|
||||
It is serialized in the standard encoding for P2P messages.
|
||||
Its format is similar to the current <code>addr</code> message format
|
||||
<ref>[https://bitcoin.org/en/developer-reference#addr Bitcoin Developer Reference: addr message]</ref>, with the difference that the
|
||||
Its format is similar to the current <code>addr</code> message format, with the difference that the
|
||||
fixed 16-byte IP address is replaced by a network ID and a variable-length address, and the services format has been changed to [https://en.bitcoin.it/wiki/Protocol_documentation#Variable_length_integer CompactSize].
|
||||
|
||||
This means that the message contains a serialized <code>std::vector</code> of the following structure:
|
||||
@ -132,9 +131,9 @@ See the appendices for the address encodings to be used for the various networks
|
||||
|
||||
==Signaling support and compatibility==
|
||||
|
||||
Introduce a new message type <code>sendaddrv2</code>. Sending such a message indicates that a node can understand and prefers to receive <code>addrv2</code> messages instead of <code>addr</code> messages. I.e. "Send me addrv2".
|
||||
Introduce a new message type <code>sendaddrv2</code>. Sending such a message indicates that a node can understand and prefers to receive <code>addrv2</code> messages instead of <code>addr</code> messages. I.e. "Send me addrv2". Sending or not sending this message does not imply any preference with respect to receiving unrequested address messages.
|
||||
|
||||
<code>sendaddrv2</code> SHOULD be sent after receiving the <code>verack</code> message from the peer.
|
||||
The <code>sendaddrv2</code> message MUST only be sent in response to the <code>version</code> message from a peer and prior to sending the <code>verack</code> message.
|
||||
|
||||
For older peers, that did not emit <code>sendaddrv2</code>, keep sending the legacy <code>addr</code> message, ignoring addresses with the newly introduced address types.
|
||||
|
||||
|
@ -208,7 +208,7 @@ be of the same length as the mainnet counterpart (to simplify
|
||||
implementations' assumptions about lengths), but still be visually
|
||||
distinct.</ref> for testnet.
|
||||
* The data-part values:
|
||||
** 1 byte: the witness version
|
||||
** 1 character (representing 5 bits of data): the witness version
|
||||
** A conversion of the 2-to-40-byte witness program (as defined by [https://github.com/bitcoin/bips/blob/master/bip-0141.mediawiki BIP141]) to base32:
|
||||
*** Start with the bits of the witness program, most significant bit per byte first.
|
||||
*** Re-arrange those bits into groups of 5, and pad with zeroes at the end if needed.
|
||||
|
1025
bip-0174.mediawiki
1025
bip-0174.mediawiki
File diff suppressed because it is too large
Load Diff
@ -6,7 +6,7 @@
|
||||
Nicholas Gregory <nicholas@commerceblock.com>
|
||||
Comments-Summary: No comments yet.
|
||||
Comments-URI: https://github.com/bitcoin/bips/wiki/Comments:BIP-0175
|
||||
Status: Draft
|
||||
Status: Rejected
|
||||
Type: Informational
|
||||
Created: 2017-07-17
|
||||
License: BSD-2-Clause
|
||||
|
@ -17,19 +17,39 @@ A standard for interoperable signed messages based on the Bitcoin Script format,
|
||||
|
||||
== Motivation ==
|
||||
|
||||
The current message signing standard only works for P2PKH (1...) invoice addresses. We propose to extend and generalize the standard by using a Bitcoin Script based approach. This approach minimizes the burden for implementers as message signing can be expected to be part of a library or project that includes Bitcoin Script interpreters already.
|
||||
The current message signing standard only works for P2PKH (1...) invoice addresses. We propose to extend and generalize the standard by using a Bitcoin Script based approach. This ensures that any coins, no matter what script they are controlled by, can in-principle be signed for. For easy interoperability with existing signing hardware, we also define a signature message format which resembles a Bitcoin transaction (except that it contains an invalid input, so it cannot be spent on any real network).
|
||||
|
||||
Additionally, the current message signing only proves that the message has been committed to by the recipient of a given invoice address.
|
||||
It does not prove anything about the invoice address itself, nor that the signer has access to the private keys used to implement this invoice.
|
||||
More importantly, it does not prove ownership nor access to any funds, even if the same private key would be a valid signer for spending them - and this is a commonly desired use case.
|
||||
Additionally, the current message signature format uses ECDSA signatures which do not commit to the public key, meaning that they do not actually prove knowledge of any secret keys. (Indeed, valid signatures can be tweaked by 3rd parties to become valid signatures on certain related keys.)
|
||||
|
||||
== Specification ==
|
||||
Ultimately no message signing protocol can actually prove control of funds, both because a signature is obsolete as soon as it is created, and because the possessor of a secret key may be willing to sign messages on others' behalf even if it would not sign actual transactions. No signmessage protocol can fix these limitations.
|
||||
|
||||
This BIP follows the specification of BIP-325 challenges and solutions (see Signet comparison below).
|
||||
== Types of Signatures ==
|
||||
|
||||
Let there be two virtual transactions to_spend and to_sign.
|
||||
This BIP specifies three formats for signing messages: ''legacy'', ''simple'' and ''full''. Additionally, a variant of the ''full'' format can be used to demonstrate control over a set of UTXOs.
|
||||
|
||||
The "to_spend" transaction is:
|
||||
=== Legacy ===
|
||||
|
||||
New proofs should use the new format for all invoice address formats, including P2PKH.
|
||||
|
||||
The legacy format MAY be used, but must be restricted to the legacy P2PKH invoice address format.
|
||||
|
||||
=== Simple ===
|
||||
|
||||
A ''simple'' signature consists of a witness stack, consensus encoded as a vector of vectors of bytes, and base64-encoded. Validators should construct <code>to_spend</code> and <code>to_sign</code> as defined below, with default values for all fields except that
|
||||
|
||||
* <code>message_hash</code> is a BIP340-tagged hash of the message, as specified below
|
||||
* <code>message_challenge</code> in <code>to_spend</code> is set to the scriptPubKey being signed with
|
||||
* <code>message_signature</code> in <code>to_sign</code> is set to the provided simple signature.
|
||||
|
||||
and then proceed as they would for a full signature.
|
||||
|
||||
=== Full ===
|
||||
|
||||
Full signatures follow an analogous specification to the BIP-325 challenges and solutions used by Signet.
|
||||
|
||||
Let there be two virtual transactions <code>to_spend</code> and <code>to_sign</code>.
|
||||
|
||||
The <code>to_spend</code> transaction is:
|
||||
|
||||
nVersion = 0
|
||||
nLockTime = 0
|
||||
@ -41,10 +61,9 @@ The "to_spend" transaction is:
|
||||
vout[0].nValue = 0
|
||||
vout[0].scriptPubKey = message_challenge
|
||||
|
||||
where message_hash is a BIP340-tagged hash of the message, i.e. sha256_tag(m), where tag = "BIP0322-signed-message", and message_challenge is the to be proven (public) key script.
|
||||
For proving funds, message_challenge shall be simply OP_TRUE.
|
||||
where <code>message_hash</code> is a BIP340-tagged hash of the message, i.e. sha256_tag(m), where tag = <code>BIP0322-signed-message</code>, and <code>message_challenge</code> is the to be proven (public) key script.
|
||||
|
||||
The "to_sign" transaction is:
|
||||
The <code>to_sign</code> transaction is:
|
||||
|
||||
nVersion = 0 or as appropriate (e.g. 2, for time locks)
|
||||
nLockTime = 0 or as appropriate (for time locks)
|
||||
@ -55,61 +74,69 @@ The "to_sign" transaction is:
|
||||
vout[0].nValue = 0
|
||||
vout[0].scriptPubKey = OP_RETURN
|
||||
|
||||
When a proof of funds is being created, additional inputs should be included for virtually spending transaction outputs of desired value.
|
||||
A full signature consists of the base64-encoding of the <code>to_sign</code> transaction in standard network serialisation.
|
||||
|
||||
* All signatures must use the SIGHASH_ALL flag.
|
||||
* The proof is considered valid, inconclusive, or invalid based on whether the to_sign transaction is a valid spend of the to_spend transaction or not, according to the rules specified in the "Consensus and standard flags" section below.
|
||||
* Proofs of funds may be encumbered with the in_future flag, according to the rules specified in the "Locktime and Sequence" section below, in which case we refer to the result in text form as "valid_in_future", "inconclusive_in_future", etc.
|
||||
=== Full (Proof of Funds) ===
|
||||
|
||||
Proofs of funds are the base64-encoding of the to_spend and to_sign transactions concatenated in standard network serialisation, and proofs without additional inputs or time locks (simple proofs) are the base64-encoding of the to_sign script witness.
|
||||
A signer may construct a proof of funds, demonstrating control of a set of UTXOs, by constructing a full signature as above, with the following modifications.
|
||||
|
||||
A validator must verify it is valid and meets the description of virtual transactions as specified above. See "Validation" below.
|
||||
* <code>message_challenge</code> is unused and shall be set to <code>OP_TRUE</code>
|
||||
* Similarly, <code>message_signature</code> is then empty.
|
||||
* All outputs that the signer wishes to demonstrate control of are included as additional inputs of <code>to_sign</code>, and their witness and scriptSig data should be set as though these outputs were actually being spent.
|
||||
|
||||
=== Validation ===
|
||||
Unlike an ordinary signature, validators of a proof of funds need access to the current UTXO set, to learn that the claimed inputs exist on the blockchain, and to learn their scriptPubKeys.
|
||||
|
||||
To validate a simple proof, the following steps must be taken:
|
||||
== Detailed Specification ==
|
||||
|
||||
# construct the to_spend and to_sign transactions, based on the specification above
|
||||
# check the signature using consensus rules, then upgradable rules
|
||||
For all signature types, except legacy, the <code>to_spend</code> and <code>to_sign</code> transactions must be valid transactions which pass all consensus checks, except of course that the output with prevout <code>000...000:FFFFFFFF</code> does not exist.
|
||||
|
||||
To validate a proof of funds, the following steps must be taken:
|
||||
=== Verification ===
|
||||
|
||||
# deserialize the to_spend and to_sign transactions from the proof, and fail if the proof contains extraneous bytes
|
||||
# verify that the to_sign transaction uses all inputs covered by the proof of funds, exactly once
|
||||
# reconstruct the to_spend' and to_sign' transactions, based on the specification above, copying the version, lock time, and sequence values
|
||||
# verify that to_spend = to_spend', that to_sign has at least 1 input, has exactly 1 output, and that to_sign.vin[0] = to_sign'.vin[0]
|
||||
# set the "in_future" flag if the transaction's lock time is in the future according to consensus rules
|
||||
# establish a "coins map", a mapping of outpoints (hash, vout) to coins (scriptPubKey, amount), initialized to coins_map(to_spend.txid, 0) = (to_spend.vout[0], 0)
|
||||
# for each proof of fund input, set the corresponding values in the coins map; abort if the input cannot be found
|
||||
# check the signature of each input using consensus rules, then upgradable rules
|
||||
A validator is given as input an address ''A'' (which may be omitted in a proof-of-funds), signature ''s'' and message ''m'', and outputs one of three states
|
||||
* ''valid at time T and age S'' indicates that the signature has set timelocks but is otherwise valid
|
||||
* ''inconclusive'' means the validator was unable to check the scripts
|
||||
* ''invalid'' means that some check failed
|
||||
|
||||
== Legacy format ==
|
||||
==== Verification Process ====
|
||||
|
||||
New proofs should use the new format for all invoice address formats, including P2PKH.
|
||||
Validation consists of the following steps:
|
||||
|
||||
The legacy format MAY be used, but must be restricted to the legacy P2PKH invoice address format.
|
||||
# Basic validation
|
||||
## Compute the transaction <code>to_spend</code> from ''m'' and ''A''
|
||||
## Decode ''s'' as the transaction <code>to_sign</code>
|
||||
## If ''s'' was a full transaction, confirm all fields are set as specified above; in particular that
|
||||
##* <code>to_sign</code> has at least one input and its first input spends the output of </code>to_spend</code>
|
||||
##* <code>to_sign</code> has exactly one output, as specified above
|
||||
## Confirm that the two transactions together satisfy all consensus rules, except for <code>to_spend</code>'s missing input, and except that ''nSequence'' of <code>to_sign</code>'s first input and ''nLockTime'' of <code>to_sign</code> are not checked.
|
||||
# (Optional) If the validator does not have a full script interpreter, it should check that it understands all scripts being satisfied. If not, it should stop here and output ''inconclusive''.
|
||||
# Check the **required rules**:
|
||||
## All signatures must use the SIGHASH_ALL flag.
|
||||
## The use of <code>CODESEPARATOR</code> or <code>FindAndDelete</code> is forbidden.
|
||||
## <code>LOW_S</code>, <code>STRICTENC</code> and <code>NULLFAIL</code>: valid ECDSA signatures must be strictly DER-encoded and have a low-S value; invalid ECDSA signature must be the empty push
|
||||
## <code>MINIMALDATA</code>: all pushes must be minimally encoded
|
||||
## <code>CLEANSTACK</code>: require that only a single stack element remains after evaluation
|
||||
## <code>MINIMALIF</code>: the argument of <code>IF</code>/<code>NOTIF</code> must be exactly 0x01 or empty push
|
||||
## If any of the above steps failed, the validator should stop and output the ''invalid'' state.
|
||||
# Check the **upgradeable rules**
|
||||
## The version of <code>to_sign</code> must be 0 or 2.
|
||||
## The use of NOPs reserved for upgrades is forbidden.
|
||||
## The use of segwit versions greater than 0 are forbidden.
|
||||
## If any of the above steps failed, the validator should stop and output the ''inconclusive'' state.
|
||||
# Let ''T'' by the nLockTime of <code>to_sign</code> and ''S'' be the nSequence of the first input of <code>to_sign</code>. Output the state ''valid at time T and age S''.
|
||||
|
||||
=== Signing ===
|
||||
|
||||
Given the P2PKH invoice address <code>a</code> and the message <code>m</code>, and the pubkey-hash function <code>pkh(P) = ripemd160(sha256(P))</code>:
|
||||
Signers who control an address ''A'' who wish to sign a message ''m'' act as follows:
|
||||
|
||||
# let <code>p</code> be the pubkey-hash <code>pkh(P)</code> for the pubkey <code>P</code>, contained in <code>a</code>
|
||||
# let <code>x</code> be the private key associated with <code>P</code> so that <code>pkh(xG) = p</code>
|
||||
# let <code>digest</code> be <code>SHA56d(0x18||"Bitcoin Signed Message:\n"||compactint(len(m))||m)</code>
|
||||
# create a compact signature <code>sig</code> (aka "recoverable ECDSA signature") using <code>x</code> on <code>digest</code>
|
||||
# They construct <code>to_spend</code> and <code>to_sign</code> as specified above, using the scriptPubKey of ''A'' for <code>message_challenge</code> and tagged hash of ''m'' as <code>message_hash</code>.
|
||||
# Optionally, they may set nLockTime of <code>to_sign</code> or nSequence of its first input.
|
||||
# Optionally, they may add any additional outputs to <code>to_sign</code> that they wish to prove control of.
|
||||
# They satisfy <code>to_sign</code> as they would any other transaction.
|
||||
|
||||
The resulting proof is <code>sig</code>, serialized using the base64 encoding.
|
||||
They then encode their signature, choosing either ''simple'' or ''full'' as follows:
|
||||
|
||||
=== Verifying ===
|
||||
|
||||
Given the P2PKH invoice address <code>a</code>, the message <code>m</code>, the compact signature <code>sig</code>, and the pubkey-hash function <code>pkh(P) = ripemd160(sha256(P))</code>:
|
||||
|
||||
# let <code>p</code> be the pubkey-hash <code>pkh(P)</code> for the pubkey <code>P</code>, contained in <code>a</code>
|
||||
# let <code>digest</code> be <code>SHA56d(0x18||"Bitcoin Signed Message:\n"||compactint(len(m))||m)</code>
|
||||
# attempt pubkey recovery for <code>digest</code> using the signature <code>sig</code> and store the resulting pubkey into <code>Q</code>
|
||||
## fail verification if pubkey recovery above fails
|
||||
# let <code>q</code> be the pubkey-hash <code>pkh(Q)</code> for the pubkey <code>Q</code>
|
||||
# if <code>p == q</code>, the proof is valid, otherwise it is invalid
|
||||
* If they added no inputs to <code>to_sign</code>, left nSequence and nLockTime at 0, and ''A'' is a Segwit address (either pure or P2SH-wrapped), then they may base64-encode <code>message_signature</code>
|
||||
* Otherwise they must base64-encode <code>to_sign</code>.
|
||||
|
||||
== Compatibility ==
|
||||
|
||||
@ -121,7 +148,7 @@ TODO
|
||||
|
||||
== Acknowledgements ==
|
||||
|
||||
Thanks to David Harding, Jim Posen, Kalle Rosenbaum, Pieter Wuille, and many others for their feedback on the specification.
|
||||
Thanks to David Harding, Jim Posen, Kalle Rosenbaum, Pieter Wuille, Andrew Poelstra, and many others for their feedback on the specification.
|
||||
|
||||
== References ==
|
||||
|
||||
@ -131,38 +158,6 @@ Thanks to David Harding, Jim Posen, Kalle Rosenbaum, Pieter Wuille, and many oth
|
||||
|
||||
This document is licensed under the Creative Commons CC0 1.0 Universal license.
|
||||
|
||||
== Consensus and standard flags ==
|
||||
|
||||
Each flag is associated with some type of enforced rule (most often a soft fork). There are two sets of flags: consensus flags (which result in a block being rejected, if violated), and upgradable flags (which are typically policy-rejected by nodes specifically for the purpose of future network upgrades). The upgradable flags are a super-set of the consensus flags.
|
||||
|
||||
This BIP specifies that a proof that validates for both rulesets is valid, a proof that validates for consensus rules, but not for upgradable rules, is "inconclusive", and a proof that does not validate for consensus rules is "invalid" (regardless of upgradable rule validation).
|
||||
|
||||
The ruleset sometimes changes. This BIP does not intend to be complete, nor does it indicate enforcement of rules, it simply lists the rules as they stand at the point of writing.
|
||||
|
||||
=== Consensus rules ===
|
||||
|
||||
* P2SH: evaluate P2SH ([https://github.com/bitcoin/bips/blob/master/bip-0016.mediawiki BIP16]) subscripts
|
||||
* DERSIG: enforce strict DER ([https://github.com/bitcoin/bips/blob/master/bip-0066.mediawiki BIP66]) compliance
|
||||
* NULLDUMMY: enforce NULLDUMMY ([https://github.com/bitcoin/bips/blob/master/bip-0147.mediawiki BIP147])
|
||||
* CHECKLOCKTIMEVERIFY: enable CHECKLOCKTIMEVERIFY ([https://github.com/bitcoin/bips/blob/master/bip-0065.mediawiki BIP65])
|
||||
* CHECKSEQUENCEVERIFY: enable CHECKSEQUENCEVERIFY ([https://github.com/bitcoin/bips/blob/master/bip-0112.mediawiki BIP112])
|
||||
* WITNESS: enable WITNESS ([https://github.com/bitcoin/bips/blob/master/bip-0141.mediawiki BIP141])
|
||||
|
||||
=== Upgradable rules ===
|
||||
|
||||
All of the above, plus (subject to change):
|
||||
|
||||
* STRICTENC: non-strict DER signature or undefined hashtype
|
||||
* MINIMALDATA: require minimal encodings for all push operations
|
||||
* DISCOURAGE_UPGRADABLE_NOPS: discourage use of NOPs reserved for upgrades
|
||||
* CLEANSTACK: require that only a single stack element remains after evaluation
|
||||
* MINIMALIF: Segwit script only: require the argument of OP_IF/NOTIF to be exactly 0x01 or empty vector
|
||||
* NULLFAIL: signature(s) must be empty vector if a CHECK(MULTI)SIG operation failed
|
||||
* LOW_S: signature with S > order/2 in a checksig operation
|
||||
* DISCOURAGE_UPGRADABLE_WITNESS_PROGRAM: v1-16 witness programs are non-standard (i.e. forbidden)
|
||||
* WITNESS_PUBKEYTYPE: public keys in segregated witness scripts must be compressed
|
||||
* CONST_SCRIPTCODE: OP_CODESEPARATOR and FindAndDelete fail any non-segwit scripts
|
||||
|
||||
== Test vectors ==
|
||||
|
||||
TODO
|
||||
|
@ -110,10 +110,6 @@ Other software need not add block signature validation code that they will not u
|
||||
|
||||
Pull request at https://github.com/bitcoin/bitcoin/pull/18267
|
||||
|
||||
== Acknowledgements ==
|
||||
|
||||
TODO
|
||||
|
||||
== References ==
|
||||
|
||||
# Original mailing list thread: https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2019-March/016734.html
|
||||
|
112
bip-0338.mediawiki
Normal file
112
bip-0338.mediawiki
Normal file
@ -0,0 +1,112 @@
|
||||
<pre>
|
||||
BIP: 338
|
||||
Layer: Peer Services
|
||||
Title: Disable transaction relay message
|
||||
Author: Suhas Daftuar <sdaftuar@chaincode.com>
|
||||
Comments-Summary: No comments yet.
|
||||
Comments-URI: https://github.com/bitcoin/bips/wiki/Comments:BIP-0338
|
||||
Status: Draft
|
||||
Type: Standards Track
|
||||
Created: 2020-09-03
|
||||
License: BSD-2-Clause
|
||||
</pre>
|
||||
|
||||
==Abstract==
|
||||
|
||||
This BIP describes a change to the p2p protocol to allow a node to tell a peer
|
||||
that a connection will not be used for transaction relay, to support
|
||||
block-relay-only connections that are currently in use on the network.
|
||||
|
||||
==Motivation==
|
||||
|
||||
This proposal is part of an effort to increase the number of inbound
|
||||
connections that a peer can service, by distinguishing peers which will not
|
||||
relay transactions from those that do.
|
||||
|
||||
Since 2019, software has been deployed[1] which initiates
|
||||
connections on the Bitcoin network and sets the transaction relay field
|
||||
(introduced by BIP 37 and also defined in BIP 60) to false, to prevent
|
||||
transaction relay from occurring on the connection. Additionally, addr messages
|
||||
received from the peer are ignored by this software.
|
||||
|
||||
The purpose of these connections is two-fold: by making additional
|
||||
low-bandwidth connections on which blocks can propagate, the robustness of a
|
||||
node to network partitioning attacks is strengthened. Additionally, by not
|
||||
relaying transactions and ignoring received addresses, the ability of an
|
||||
adversary to learn the complete network graph (or a subgraph) is reduced[2],
|
||||
which in turn increases the cost or difficulty to an attacker seeking to carry
|
||||
out a network partitioning attack (when compared with having such knowledge).
|
||||
|
||||
The low-bandwidth / minimal-resource nature of these connections is currently
|
||||
known only by the initiator of the connection; this is because the transaction
|
||||
relay field in the version message is not a permanent setting for the lifetime
|
||||
of the connection. Consequently, a node receiving an inbound connection with
|
||||
transaction relay disabled cannot distinguish between a peer that will never
|
||||
enable transaction relay (as described in BIP 37) and one that will. Moreover,
|
||||
the node also cannot determine that the incoming connection will ignore relayed
|
||||
addresses; with that knowledge a node would likely choose other peers to
|
||||
receive announced addresses instead.
|
||||
|
||||
This proposal adds a new, optional message that a node can send a peer when
|
||||
initiating a connection to that peer, to indicate that connection should not be
|
||||
used for transaction relay for the connection's lifetime. In addition, without
|
||||
a current mechanism to negotiate whether addresses should be relayed on a
|
||||
connection, this BIP suggests that address messages not be sent on links where
|
||||
transaction relay has been disabled.
|
||||
|
||||
After this BIP is deployed, nodes could more easily implement inbound
|
||||
connection limiting that differentiates low-resource nodes (such as those
|
||||
sending disabletx) from full-relay peers, potentially allowing for an increase
|
||||
in the number of block-relay-only connections that can be made on the network.
|
||||
|
||||
==Specification==
|
||||
|
||||
# A new disabletx message is added, which is defined as an empty message with message type set to "disabletx".
|
||||
# The protocol version of nodes implementing this BIP must be set to 70017 or higher.
|
||||
# If a node sets the transaction relay field in the version message to a peer to false, then the disabletx message MAY also be sent in response to a version message from that peer if the peer's protocol version is >= 70017. If sent, the disabletx message MUST be sent prior to sending a verack.
|
||||
# A node that has sent or received a disabletx message to/from a peer MUST NOT send any of these messages to the peer:
|
||||
## inv messages for transactions
|
||||
## getdata messages for transactions
|
||||
## getdata messages for merkleblock (BIP 37)
|
||||
## filteradd/filterload/filterclear (BIP 37)
|
||||
## mempool (BIP 35)
|
||||
## tx message
|
||||
# It is RECOMMENDED that a node that has sent or received a disabletx message to/from a peer not send any of these messages to the peer:
|
||||
## addr/getaddr
|
||||
## addrv2 (BIP 155)
|
||||
# The behavior regarding sending or processing other message types is not specified by this BIP.
|
||||
# Nodes MAY decide to not remain connected to peers that send this message (for example, if trying to find a peer that will relay transactions).
|
||||
|
||||
==Compatibility==
|
||||
|
||||
Nodes with protocol version >= 70017 that do not implement this BIP, and nodes
|
||||
with protocol version < 70017, will continue to remain compatible with
|
||||
implementing software: transactions would not be relayed to peers sending the
|
||||
disabletx message (provided that BIP 37 or BIP 60 has been implemented), and while
|
||||
periodic address relay may still take place, software implementing this BIP
|
||||
should not be disconnecting such peers solely for that reason.
|
||||
|
||||
Disabling address relay is suggested but not required by this BIP, to allow for
|
||||
future protocol extensions that might specify more carefully how address relay
|
||||
is to be negotiated. This BIP's recommendations for software to not relay
|
||||
addresses is intended to be interpreted as guidance in the absence of any such
|
||||
future protocol extension, to accommodate existing software behavior.
|
||||
|
||||
Note that all messages specified in BIP 152, including blocktxn and
|
||||
getblocktxn, are permitted between peers that have sent/received a disabletx
|
||||
message, subject to the feature negotiation of BIP 152.
|
||||
|
||||
This proposal is compatible with, but independent of, BIP 37.
|
||||
|
||||
==Implementation==
|
||||
|
||||
https://github.com/bitcoin/bitcoin/pull/20726
|
||||
|
||||
==References==
|
||||
|
||||
# Bitcoin Core has [https://github.com/bitcoin/bitcoin/pull/15759 implemented this functionality] since version 0.19.0.1, released in November 2019.
|
||||
# For example, see https://www.cs.umd.edu/projects/coinscope/coinscope.pdf and https://arxiv.org/pdf/1812.00942.pdf.
|
||||
|
||||
==Copyright==
|
||||
|
||||
This BIP is licensed under the 2-clause BSD license.
|
@ -56,9 +56,7 @@ encodings and operations.
|
||||
|
||||
'''Schnorr signature variant''' Elliptic Curve Schnorr signatures for message ''m'' and public key ''P'' generally involve a point ''R'', integers ''e'' and ''s'' picked by the signer, and the base point ''G'' which satisfy ''e = hash(R || m)'' and ''s⋅G = R + e⋅P''. Two formulations exist, depending on whether the signer reveals ''e'' or ''R'':
|
||||
# Signatures are pairs ''(e, s)'' that satisfy ''e = hash(s⋅G - e⋅P || m)''. This variant avoids minor complexity introduced by the encoding of the point ''R'' in the signature (see paragraphs "Encoding R and public key point P" and "Implicit Y coordinates" further below in this subsection). Moreover, revealing ''e'' instead of ''R'' allows for potentially shorter signatures: Whereas an encoding of ''R'' inherently needs about 32 bytes, the hash ''e'' can be tuned to be shorter than 32 bytes, and [http://www.neven.org/papers/schnorr.pdf a short hash of only 16 bytes suffices to provide SUF-CMA security at the target security level of 128 bits]. However, a major drawback of this optimization is that finding collisions in a short hash function is easy. This complicates the implementation of secure signing protocols in scenarios in which a group of mutually distrusting signers work together to produce a single joint signature (see Applications below). In these scenarios, which are not captured by the SUF-CMA model due its assumption of a single honest signer, a promising attack strategy for malicious co-signers is to find a collision in the hash function in order to obtain a valid signature on a message that an honest co-signer did not intend to sign.
|
||||
# Signatures are pairs ''(R, s)'' that satisfy ''s⋅G = R + hash(R || m)⋅P''. This supports batch verification, as there are no elliptic curve operations inside the hashes. Batch verification enables significant speedups.
|
||||
|
||||
[[File:bip-0340/speedup-batch.png|center|frame|This graph shows the ratio between the time it takes to verify ''n'' signatures individually and to verify a batch of ''n'' signatures. This ratio goes up logarithmically with the number of signatures, or in other words: the total time to verify ''n'' signatures grows with ''O(n / log n)''.]]
|
||||
# Signatures are pairs ''(R, s)'' that satisfy ''s⋅G = R + hash(R || m)⋅P''. This supports batch verification, as there are no elliptic curve operations inside the hashes. Batch verification enables significant speedups.<ref>The speedup that results from batch verification can be demonstrated with the cryptography library [https://github.com/jonasnick/secp256k1/blob/schnorrsig-batch-verify/doc/speedup-batch.md libsecp256k1].</ref>
|
||||
|
||||
Since we would like to avoid the fragility that comes with short hashes, the ''e'' variant does not provide significant advantages. We choose the ''R''-option, which supports batch verification.
|
||||
|
||||
@ -227,7 +225,7 @@ Moreover, Schnorr signatures are compatible with [https://web.archive.org/web/20
|
||||
|
||||
=== Adaptor Signatures ===
|
||||
|
||||
[https://download.wpsoftware.net/bitcoin/wizardry/mw-slides/2018-05-18-l2/slides.pdf Adaptor signatures] can be produced by a signer by offsetting his public nonce with a known point ''T = t⋅G'', but not offsetting his secret nonce.
|
||||
[https://download.wpsoftware.net/bitcoin/wizardry/mw-slides/2018-05-18-l2/slides.pdf Adaptor signatures] can be produced by a signer by offsetting his public nonce ''R'' with a known point ''T = t⋅G'', but not offsetting the signature's ''s'' value.
|
||||
A correct signature (or partial signature, as individual signers' contributions to a multisignature are called) on the same message with same nonce will then be equal to the adaptor signature offset by ''t'', meaning that learning ''t'' is equivalent to learning a correct signature.
|
||||
This can be used to enable atomic swaps or even [https://eprint.iacr.org/2018/472 general payment channels] in which the atomicity of disjoint transactions is ensured using the signatures themselves, rather than Bitcoin script support. The resulting transactions will appear to verifiers to be no different from ordinary single-signer transactions, except perhaps for the inclusion of locktime refund logic.
|
||||
|
||||
|
Binary file not shown.
Before Width: | Height: | Size: 12 KiB |
@ -173,14 +173,14 @@ First, we define <code>taproot_tweak_pubkey</code> for 32-byte [[bip-0340.mediaw
|
||||
The function returns a bit indicating the tweaked public key's Y coordinate as well as the public key byte array.
|
||||
The parity bit will be required for spending the output with a script path.
|
||||
In order to allow spending with the key path, we define <code>taproot_tweak_seckey</code> to compute the secret key for a tweaked public key.
|
||||
For any byte string <code>h</code> it holds that <code>taproot_tweak_pubkey(pubkey_gen(seckey), h)[0] == pubkey_gen(taproot_tweak_seckey(seckey, h))</code>.
|
||||
For any byte string <code>h</code> it holds that <code>taproot_tweak_pubkey(pubkey_gen(seckey), h)[1] == pubkey_gen(taproot_tweak_seckey(seckey, h))</code>.
|
||||
|
||||
<source lang="python">
|
||||
def taproot_tweak_pubkey(pubkey, h):
|
||||
t = int_from_bytes(tagged_hash("TapTweak", pubkey + h))
|
||||
if t >= SECP256K1_ORDER:
|
||||
raise ValueError
|
||||
Q = point_add(lift_x(int_from_bytes(pubkey)), point_mul(G, t))
|
||||
Q = point_add(lift_x(pubkey), point_mul(G, t))
|
||||
return 0 if has_even_y(Q) else 1, bytes_from_int(x(Q))
|
||||
|
||||
def taproot_tweak_seckey(seckey0, h):
|
||||
@ -219,7 +219,7 @@ def taproot_output_script(internal_pubkey, script_tree):
|
||||
h = bytes()
|
||||
else:
|
||||
_, h = taproot_tree_helper(script_tree)
|
||||
output_pubkey, _ = taproot_tweak_pubkey(internal_pubkey, h)
|
||||
_, output_pubkey = taproot_tweak_pubkey(internal_pubkey, h)
|
||||
return bytes([0x51, 0x20]) + output_pubkey
|
||||
</source>
|
||||
|
||||
@ -284,9 +284,7 @@ The reason for this is to increase leaf entropy and prevent an observer from lea
|
||||
|
||||
== Test vectors ==
|
||||
|
||||
Examples with creation transaction and spending transaction pairs, valid and invalid.
|
||||
|
||||
Examples of preimage for sighashing for each of the sighash modes.
|
||||
The test vectors used in the [https://github.com/bitcoin/bitcoin/blob/3820090bd619ac85ab35eff376c03136fe4a9f04/src/test/script_tests.cpp#L1718 Bitcoin Core unit test framework] can be found [https://github.com/bitcoin-core/qa-assets/blob/main/unit_test_data/script_assets_test.json?raw=true here].
|
||||
|
||||
== Rationale ==
|
||||
|
||||
@ -294,7 +292,43 @@ Examples of preimage for sighashing for each of the sighash modes.
|
||||
|
||||
== Deployment ==
|
||||
|
||||
TODO
|
||||
This BIP is deployed concurrently with [[bip-0342.mediawiki|BIP342]].
|
||||
|
||||
For Bitcoin signet, these BIPs are always active.
|
||||
|
||||
For Bitcoin mainnet and testnet3, these BIPs will be deployed by "version bits" with the name "taproot" and bit 2, using [[bip-0009.mediawiki|BIP9]] modified to use a lower threshold, with an additional ''min_activation_height'' parameter and replacing the state transition logic for the DEFINED, STARTED and LOCKED_IN states as follows:
|
||||
|
||||
case DEFINED:
|
||||
if (GetMedianTimePast(block.parent) >= starttime) {
|
||||
return STARTED;
|
||||
}
|
||||
return DEFINED;
|
||||
|
||||
case STARTED:
|
||||
int count = 0;
|
||||
walk = block;
|
||||
for (i = 0; i < 2016; i++) {
|
||||
walk = walk.parent;
|
||||
if ((walk.nVersion & 0xE0000000) == 0x20000000 && ((walk.nVersion >> bit) & 1) == 1) {
|
||||
count++;
|
||||
}
|
||||
}
|
||||
if (count >= threshold) {
|
||||
return LOCKED_IN;
|
||||
} else if (GetMedianTimePast(block.parent) >= timeout) {
|
||||
return FAILED;
|
||||
}
|
||||
return STARTED;
|
||||
|
||||
case LOCKED_IN:
|
||||
if (block.nHeight < min_activation_height) {
|
||||
return LOCKED_IN;
|
||||
}
|
||||
return ACTIVE;
|
||||
|
||||
For Bitcoin mainnet, the starttime is epoch timestamp 1619222400 (midnight 24 April 2021 UTC), timeout is epoch timestamp 1628640000 (midnight 11 August 2021 UTC), the threshold is 1815 blocks (90%) instead of 1916 blocks (95%), and the min_activation_height is block 709632 (expected approximately 12 November 2021).
|
||||
|
||||
For Bitcoin testnet3, the starttime is epoch timestamp 1619222400 (midnight 24 April 2021 UTC), timeout is epoch timestamp 1628640000 (midnight 11 August 2021 UTC), the threshold is 1512 blocks (75%), and the min_activation_height is block 0.
|
||||
|
||||
== Backwards compatibility ==
|
||||
As a soft fork, older software will continue to operate without modification.
|
||||
@ -302,7 +336,7 @@ Non-upgraded nodes, however, will consider all SegWit version 1 witness programs
|
||||
They are strongly encouraged to upgrade in order to fully validate the new programs.
|
||||
|
||||
Non-upgraded wallets can receive and send bitcoin from non-upgraded and upgraded wallets using SegWit version 0 programs, traditional pay-to-pubkey-hash, etc.
|
||||
Depending on the implementation non-upgraded wallets may be able to send to Segwit version 1 programs if they support sending to [[bip-0173.mediawiki|BIP173]] Bech32 addresses.
|
||||
Depending on the implementation non-upgraded wallets may be able to send to Segwit version 1 programs if they support sending to [[bip-0350.mediawiki|BIP350]] Bech32m addresses.
|
||||
|
||||
== Acknowledgements ==
|
||||
|
||||
|
@ -133,8 +133,14 @@ In addition to changing the semantics of a number of opcodes, there are also som
|
||||
|
||||
<references />
|
||||
|
||||
==Deployment==
|
||||
|
||||
This proposal is deployed identically to Taproot ([[bip-0341.mediawiki|BIP341]]).
|
||||
|
||||
==Examples==
|
||||
|
||||
The Taproot ([[bip-0341.mediawiki|BIP341]]) test vectors also contain examples for Tapscript execution.
|
||||
|
||||
==Acknowledgements==
|
||||
|
||||
This document is the result of many discussions and contains contributions by a number of people. The authors wish to thank all those who provided valuable feedback and reviews, including the participants of the [https://github.com/ajtowns/taproot-review structured reviews].
|
||||
|
62
bip-0343.mediawiki
Normal file
62
bip-0343.mediawiki
Normal file
@ -0,0 +1,62 @@
|
||||
<pre>
|
||||
BIP: 343
|
||||
Layer: Consensus (soft fork)
|
||||
Title: Mandatory activation of taproot deployment
|
||||
Author: Shinobius <quantumedusa@gmail.com>
|
||||
Michael Folkson <michaelfolkson@gmail.com>
|
||||
Comments-Summary: No comments yet.
|
||||
Comments-URI: https://github.com/bitcoin/bips/wiki/Comments:BIP-0343
|
||||
Status: Proposed
|
||||
Type: Standards Track
|
||||
Created: 2021-04-25
|
||||
License: BSD-3-Clause
|
||||
CC0-1.0
|
||||
</pre>
|
||||
|
||||
==Abstract==
|
||||
|
||||
This document specifies a BIP8 (LOT=true) deployment to activate taproot.
|
||||
|
||||
==Motivation==
|
||||
|
||||
The Taproot soft fork upgrade has been assessed to have overwhelming community consensus and hence should attempt to be activated. Lessons have been learned from the BIP148 and BIP91 deployments in 2017 with regards to giving many months of advance warning before the mandatory signaling is attempted. The mandatory signaling is only required if miners have failed to meet the signaling threshold during the BIP8 deployment. It is important that mandatory signaling is included as without it miners would effectively have the ability to indefinitely block the activation of a soft fork with overwhelming consensus.
|
||||
|
||||
==Specification==
|
||||
|
||||
This BIP will begin an activation signaling period using bit 2 at blockheight 681408 with a minimum activation height of 709632 and an activation threshold of 90%. The signaling period will timeout at blockheight 760032 with a latest activation height of 762048. Lockinontimeout (LOT) is set to true so mandatory signaling will be enforced in the last signaling period before the timeout height. Blocks without the signaling bit 2 set run the risk of being rejected during this period if taproot is not locked in prior. This BIP will cease to be active when taproot is locked in.
|
||||
|
||||
==Reference implementation==
|
||||
|
||||
*[[https://github.com/BitcoinActivation/bitcoin]]
|
||||
|
||||
==Backward Compatibility==
|
||||
|
||||
As a soft fork, older software will continue to operate without modification. Non-upgraded nodes, however, will consider all SegWit version 1 witness programs as anyone-can-spend scripts. They are strongly encouraged to upgrade in order to fully validate the new programs.
|
||||
|
||||
==Compatibility with later alternative activations==
|
||||
|
||||
The activation mechanism “Speedy Trial” as proposed by Russell O’Connor and outlined in this bitcoin-dev mailing list [https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-March/018583.html post] by David Harding was released in Bitcoin Core. It is effectively a BIP8 activation mechanism with one exception: start height and timeout height were defined using median time past (MTP) rather than block heights. It uses signaling bit 2, was deployed between midnight April 24th 2021 and midnight August 11th 2021, has a minimum activation height of 709632 and intends to activate BIPs 340, 341, and 342. The BIP8(LOT=true) deployment is compatible with the “Speedy Trial” deployment in Bitcoin Core as there was not a discrepancy between MTP and block height for the defined start heights.
|
||||
|
||||
The BIP8 (LOT=true) deployment has also been deliberately designed to be compatible with a future BIP8(LOT=false) or BIP8(LOT=true) deployment in Bitcoin Core assuming Bitcoin Core releases one of these activation mechanisms in the event of the Speedy Trial deployment failing to activate.
|
||||
|
||||
==Rationale==
|
||||
|
||||
The deployment of BIP148 demonstrated that multiple implementations with different activation mechanisms can incentivize the necessary actors to act so that the different deployments activate in sync. A BIP8 LOT=true deployment can run in parallel with other BIP8 activation mechanisms that have eventual mandatory signaling or no mandatory signaling. Eventual mandatory signaling ensures that miners cannot prevent the activation of a desired feature with community consensus indefinitely.
|
||||
|
||||
==Acknowledgements==
|
||||
|
||||
Thanks to Shaolin Fry and Luke Dashjr for their work on BIP148 and BIP8 which were important prerequisites for this proposal.
|
||||
|
||||
==References==
|
||||
|
||||
*[[bip-0008.mediawiki|BIP8 Version bits with lock-in by height]]
|
||||
*[[bip-0148.mediawiki|BIP148 Mandatory activation of segwit deployment]]
|
||||
*[[bip-0340.mediawiki|BIP340 Schnorr Signatures for secp256k1]]
|
||||
*[[bip-0341.mediawiki|BIP341 Taproot: SegWit version 1 spending rules]]
|
||||
*[[bip-0342.mediawiki|BIP342 Validation of Taproot Scripts]]
|
||||
*[https://taproot.works/taproot-faq/ Taproot benefits]
|
||||
|
||||
==Copyright==
|
||||
|
||||
This document is dual licensed as BSD 3-clause, and Creative Commons CC0 1.0 Universal.
|
||||
|
336
bip-0350.mediawiki
Normal file
336
bip-0350.mediawiki
Normal file
@ -0,0 +1,336 @@
|
||||
<pre>
|
||||
BIP: 350
|
||||
Layer: Applications
|
||||
Title: Bech32m format for v1+ witness addresses
|
||||
Author: Pieter Wuille <pieter@wuille.net>
|
||||
Comments-Summary: No comments yet.
|
||||
Comments-URI: https://github.com/bitcoin/bips/wiki/Comments:BIP-0350
|
||||
Status: Draft
|
||||
Type: Standards Track
|
||||
Created: 2020-12-16
|
||||
License: BSD-2-Clause
|
||||
Replaces: 173
|
||||
Post-History: 2021-01-05: https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-January/018338.html [bitcoin-dev] Bech32m BIP: new checksum, and usage for segwit address
|
||||
</pre>
|
||||
|
||||
==Introduction==
|
||||
|
||||
===Abstract===
|
||||
|
||||
This document defines an improved variant of Bech32 called '''Bech32m''', and amends BIP173 to use Bech32m for native segregated witness outputs of version 1 and later. Bech32 remains in use for segregated witness outputs of version 0.
|
||||
|
||||
===Copyright===
|
||||
|
||||
This BIP is licensed under the 2-clause BSD license.
|
||||
|
||||
===Motivation===
|
||||
|
||||
[[bip-0173.mediawiki|BIP173]] defined a generic checksummed base 32 encoded format called Bech32. It is in use for segregated witness outputs of version 0 (P2WPKH and P2WSH, see [[bip-0141.mediawiki|BIP141]]), and other applications.
|
||||
|
||||
Bech32 has an unexpected [https://github.com/sipa/bech32/issues/51 weakness]: whenever the final character is a 'p', inserting or deleting any number of 'q' characters immediately preceding it does not invalidate the checksum. This does not affect existing uses of witness version 0 BIP173 addresses due to their restriction to two specific lengths, but may affect future uses and/or other applications using the Bech32 encoding.
|
||||
|
||||
This document addresses that by specifying Bech32m, a variant of Bech32 that mitigates this insertion weakness and related issues.
|
||||
|
||||
==Specification==
|
||||
|
||||
We first specify the new checksum algorithm, and then document how it should be used for future Bitcoin addresses.
|
||||
|
||||
===Bech32m===
|
||||
|
||||
Bech32m modifies the checksum of the Bech32 specification, replacing the constant ''1'' that is xored into the checksum at the end with ''0x2bc830a3''. The resulting checksum verification and creation algorithm (in Python, cf. the code in [https://github.com/bitcoin/bips/blob/master/bip-0173.mediawiki#Bech32|BIP173 Bech32 section]):
|
||||
|
||||
<pre>
|
||||
BECH32M_CONST = 0x2bc830a3
|
||||
|
||||
def bech32m_polymod(values):
|
||||
GEN = [0x3b6a57b2, 0x26508e6d, 0x1ea119fa, 0x3d4233dd, 0x2a1462b3]
|
||||
chk = 1
|
||||
for v in values:
|
||||
b = (chk >> 25)
|
||||
chk = (chk & 0x1ffffff) << 5 ^ v
|
||||
for i in range(5):
|
||||
chk ^= GEN[i] if ((b >> i) & 1) else 0
|
||||
return chk
|
||||
|
||||
def bech32m_hrp_expand(s):
|
||||
return [ord(x) >> 5 for x in s] + [0] + [ord(x) & 31 for x in s]
|
||||
|
||||
def bech32m_verify_checksum(hrp, data):
|
||||
return bech32m_polymod(bech32m_hrp_expand(hrp) + data) == BECH32M_CONST
|
||||
|
||||
def bech32m_create_checksum(hrp, data):
|
||||
values = bech32m_hrp_expand(hrp) + data
|
||||
polymod = bech32m_polymod(values + [0,0,0,0,0,0]) ^ BECH32M_CONST
|
||||
return [(polymod >> 5 * (5 - i)) & 31 for i in range(6)]
|
||||
</pre>
|
||||
|
||||
All other aspects of Bech32 remain unchanged, including its human-readable parts (HRPs).
|
||||
|
||||
A combined function to decode both Bech32 and Bech32m simultaneously could be written using:
|
||||
|
||||
<pre>
|
||||
class Encoding(Enum):
|
||||
BECH32 = 1
|
||||
BECH32M = 2
|
||||
|
||||
def bech32_bech32m_verify_checksum(hrp, data):
|
||||
check = bech32_polymod(bech32_hrp_expand(hrp) + data)
|
||||
if check == 1:
|
||||
return Encoding.BECH32
|
||||
elif check == BECH32M_CONST:
|
||||
return Encoding.BECH32M
|
||||
else:
|
||||
return None
|
||||
</pre>
|
||||
|
||||
which returns either None for failure, or one of the BECH32 / BECH32M enumeration values to indicate successful decoding according to the respective standard.
|
||||
|
||||
===Addresses for segregated witness outputs===
|
||||
|
||||
Version 0 outputs (specifically, P2WPKH and P2WSH addresses) continue to use Bech32<ref>'''Why not permit both Bech32 and Bech32m for v0 addresses?''' Permitting both encodings reduces the error detection capabilities (it makes it equivalent to only have 29 bits of checksum).</ref> as specified in BIP173. Addresses for segregated witness outputs version 1 through 16 use Bech32m. Again, all other aspects of the encoding remain the same, including the 'bc' HRP.
|
||||
|
||||
To generate an address for a segregated witness output:
|
||||
|
||||
* If its witness version is 0, encode it using Bech32.
|
||||
* If its witness version is 1 or higher, encode it using Bech32m.
|
||||
|
||||
To decode an address, client software should either decode with both a Bech32 and a Bech32m decoder<ref>'''Can a single string simultaneously be valid as Bech32 and Bech32m?''' No, a valid Bech32 and Bech32m string will always differ by at least 3 characters if they are the same length.</ref>, or use a decoder that supports both simultaneously. In both cases, the address decoder has to verify that the encoding matches what is expected for the decoded witness version (Bech32 for version 0, Bech32m for others).
|
||||
|
||||
The following code demonstrates the checks that need to be performed. Refer to the Python code linked in the reference implementation section below for full details of the called functions.
|
||||
|
||||
<pre>
|
||||
def decode(hrp, addr):
|
||||
hrpgot, data, spec = bech32_decode(addr)
|
||||
if hrpgot != hrp:
|
||||
return (None, None)
|
||||
decoded = convertbits(data[1:], 5, 8, False)
|
||||
# Witness programs are between 2 and 40 bytes in length.
|
||||
if decoded is None or len(decoded) < 2 or len(decoded) > 40:
|
||||
return (None, None)
|
||||
# Witness versions are in range 0..16.
|
||||
if data[0] > 16:
|
||||
return (None, None)
|
||||
# Witness v0 programs must be exactly length 20 or 32.
|
||||
if data[0] == 0 and len(decoded) != 20 and len(decoded) != 32:
|
||||
return (None, None)
|
||||
# Witness v0 uses Bech32; v1 through v16 use Bech32m.
|
||||
if data[0] == 0 and spec != Encoding.BECH32 or data[0] != 0 and spec != Encoding.BECH32M:
|
||||
return (None, None)
|
||||
# Success.
|
||||
return (data[0], decoded)
|
||||
</pre>
|
||||
|
||||
'''Error locating'''
|
||||
|
||||
Bech32m, like Bech32, does support locating<ref>'''What about error correction?''' As explained in BIP173, introducing error correction reduces the ability to detect errors. While it is technically possible to correct a small number of errors due to Bech32(m)'s nature as a BCH code, implementations should refrain from using this for more than indicating where an error may be present.</ref> the positions of a few substitution errors. To combine this functionality with
|
||||
the segregated witness addresses proposed by this document, simply try locating errors for both Bech32 and Bech32m. If only one finds error locations, report that one. If both do (which should be very rare),
|
||||
there are a number of options:
|
||||
* Report the one that needs fewer corrections (if they differ).
|
||||
* Eliminate the response(s) that are inconsistent. Any symbol that isn't on an error location can be checked. For example, if the witness version symbol is not an error location, and it doesn't correspond to the specification used (0 for Bech32, 1+ for Bech32m), that response can be eliminated.
|
||||
|
||||
See the fancy Javascript decoder below for example of the above.
|
||||
|
||||
==Compatibility==
|
||||
|
||||
This document introduces a new encoding for v1 segregated witness outputs and higher versions. There should not be any compatibility issues on the receiver side; no wallets are creating v1 segregated witness addresses yet, as the output type is not usable on mainnet.
|
||||
|
||||
On the other hand, the Bech32m proposal breaks forward-compatibility for sending to v1 and higher version segregated witness addresses. This incompatibility is [https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2020-October/018236.html intentional]. An alternative design was [https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2019-November/017460.html considered] where Bech32 remained in use for certain subsets of future addresses, but ultimately [https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2020-December/018293.html discarded]. By introducing a clean break, we protect not only new software but also existing senders from the mutation issue, as new addresses will be incompatible with the existing Bech32 address validation. [https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2020-November/018268.html Experiments] by Taproot proponents had shown that hardly any wallets and services supported sending to higher segregated witness output versions, so little is lost by [https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2020-December/018298.html breaking] forward-compatibility. Furthermore, those experiments identified cases in which segregated witness implementations would have caused wallets to burn funds when sending to version 1 addresses. In case it is still in use, the chosen approach will prevent such software from destroying funds when attempting to send to a Bech32m address.
|
||||
|
||||
==Reference implementations==
|
||||
|
||||
* Reference encoder and decoder:
|
||||
** [https://github.com/sipa/bech32/blob/master/ref/python Reference Python implementation]
|
||||
** [https://github.com/sipa/bech32/blob/master/ref/c Reference C implementation]
|
||||
** [https://github.com/sipa/bech32/blob/master/ref/c++ Reference C++ implementation]
|
||||
** [https://github.com/bitcoin/bitcoin/pull/20861 Bitcoin Core C++ implementation]
|
||||
** [https://github.com/sipa/bech32/blob/master/ref/javascript Reference Javascript implementation]
|
||||
|
||||
* Fancy decoder that localizes errors:
|
||||
** [https://github.com/sipa/bech32/blob/master/ecc/javascript For JavaScript] ([http://bitcoin.sipa.be/bech32/demo/demo.html demo website])
|
||||
|
||||
==Test vectors==
|
||||
|
||||
'''Implementation advice''' Experiments testing BIP173 implementations found that many wallets and services did not support sending to higher version segregated witness outputs. In anticipation of the proposed [https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki Taproot] soft fork introducing v1 segregated witness outputs on the network, we emphatically recommend employing the complete set of test vectors provided below as well as ensuring that your implementation supports sending to v1 '''and higher versions'''. All higher versions of native segregated witness outputs should be recognized as valid recipients. As higher versions are not defined on the network, no wallet should ever create them and no recipient should ever provide them to a sender. Nor should a recipient ever want to falsely provide them as the recipient would simply see a payment intended to themselves burned instead. However, by defining higher versions as valid recipients now, future soft forks introducing higher versions of native segwit outputs will be forward-compatible to all wallets correctly implementing the Bech32m specification.
|
||||
|
||||
===Test vectors for Bech32m===
|
||||
|
||||
The following strings are valid Bech32m:
|
||||
* <tt>A1LQFN3A</tt>
|
||||
* <tt>a1lqfn3a</tt>
|
||||
* <tt>an83characterlonghumanreadablepartthatcontainsthetheexcludedcharactersbioandnumber11sg7hg6</tt>
|
||||
* <tt>abcdef1l7aum6echk45nj3s0wdvt2fg8x9yrzpqzd3ryx</tt>
|
||||
* <tt>11llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllludsr8</tt>
|
||||
* <tt>split1checkupstagehandshakeupstreamerranterredcaperredlc445v</tt>
|
||||
* <tt>?1v759aa</tt>
|
||||
|
||||
No string can be simultaneously valid Bech32 and Bech32m, so the above examples also serve as invalid test vectors for Bech32.
|
||||
|
||||
The following string are not valid Bech32m (with reason for invalidity):
|
||||
* 0x20 + <tt>1xj0phk</tt>: HRP character out of range
|
||||
* 0x7F + <tt>1g6xzxy</tt>: HRP character out of range
|
||||
* 0x80 + <tt>1vctc34</tt>: HRP character out of range
|
||||
* <tt>an84characterslonghumanreadablepartthatcontainsthetheexcludedcharactersbioandnumber11d6pts4</tt>: overall max length exceeded
|
||||
* <tt>qyrz8wqd2c9m</tt>: No separator character
|
||||
* <tt>1qyrz8wqd2c9m</tt>: Empty HRP
|
||||
* <tt>y1b0jsk6g</tt>: Invalid data character
|
||||
* <tt>lt1igcx5c0</tt>: Invalid data character
|
||||
* <tt>in1muywd</tt>: Too short checksum
|
||||
* <tt>mm1crxm3i</tt>: Invalid character in checksum
|
||||
* <tt>au1s5cgom</tt>: Invalid character in checksum
|
||||
* <tt>M1VUXWEZ</tt>: checksum calculated with uppercase form of HRP
|
||||
* <tt>16plkw9</tt>: empty HRP
|
||||
* <tt>1p2gdwpf</tt>: empty HRP
|
||||
|
||||
===Test vectors for v0-v16 native segregated witness addresses===
|
||||
|
||||
The following list gives valid segwit addresses and the scriptPubKey that they
|
||||
translate to in hex.
|
||||
* <tt>BC1QW508D6QEJXTDG4Y5R3ZARVARY0C5XW7KV8F3T4</tt>: <tt>0014751e76e8199196d454941c45d1b3a323f1433bd6</tt>
|
||||
* <tt>tb1qrp33g0q5c5txsp9arysrx4k6zdkfs4nce4xj0gdcccefvpysxf3q0sl5k7</tt>: <tt>00201863143c14c5166804bd19203356da136c985678cd4d27a1b8c6329604903262</tt>
|
||||
* <tt>bc1pw508d6qejxtdg4y5r3zarvary0c5xw7kw508d6qejxtdg4y5r3zarvary0c5xw7kt5nd6y</tt>: <tt>5128751e76e8199196d454941c45d1b3a323f1433bd6751e76e8199196d454941c45d1b3a323f1433bd6</tt>
|
||||
* <tt>BC1SW50QGDZ25J</tt>: <tt>6002751e</tt>
|
||||
* <tt>bc1zw508d6qejxtdg4y5r3zarvaryvaxxpcs</tt>: <tt>5210751e76e8199196d454941c45d1b3a323</tt>
|
||||
* <tt>tb1qqqqqp399et2xygdj5xreqhjjvcmzhxw4aywxecjdzew6hylgvsesrxh6hy</tt>: <tt>0020000000c4a5cad46221b2a187905e5266362b99d5e91c6ce24d165dab93e86433</tt>
|
||||
* <tt>tb1pqqqqp399et2xygdj5xreqhjjvcmzhxw4aywxecjdzew6hylgvsesf3hn0c</tt>: <tt>5120000000c4a5cad46221b2a187905e5266362b99d5e91c6ce24d165dab93e86433</tt>
|
||||
* <tt>bc1p0xlxvlhemja6c4dqv22uapctqupfhlxm9h8z3k2e72q4k9hcz7vqzk5jj0</tt>: <tt>512079be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798</tt>
|
||||
|
||||
The following list gives invalid segwit addresses and the reason for
|
||||
their invalidity.
|
||||
* <tt>tc1p0xlxvlhemja6c4dqv22uapctqupfhlxm9h8z3k2e72q4k9hcz7vq5zuyut</tt>: Invalid human-readable part
|
||||
* <tt>bc1p0xlxvlhemja6c4dqv22uapctqupfhlxm9h8z3k2e72q4k9hcz7vqh2y7hd</tt>: Invalid checksum (Bech32 instead of Bech32m)
|
||||
* <tt>tb1z0xlxvlhemja6c4dqv22uapctqupfhlxm9h8z3k2e72q4k9hcz7vqglt7rf</tt>: Invalid checksum (Bech32 instead of Bech32m)
|
||||
* <tt>BC1S0XLXVLHEMJA6C4DQV22UAPCTQUPFHLXM9H8Z3K2E72Q4K9HCZ7VQ54WELL</tt>: Invalid checksum (Bech32 instead of Bech32m)
|
||||
* <tt>bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kemeawh</tt>: Invalid checksum (Bech32m instead of Bech32)
|
||||
* <tt>tb1q0xlxvlhemja6c4dqv22uapctqupfhlxm9h8z3k2e72q4k9hcz7vq24jc47</tt>: Invalid checksum (Bech32m instead of Bech32)
|
||||
* <tt>bc1p38j9r5y49hruaue7wxjce0updqjuyyx0kh56v8s25huc6995vvpql3jow4</tt>: Invalid character in checksum
|
||||
* <tt>BC130XLXVLHEMJA6C4DQV22UAPCTQUPFHLXM9H8Z3K2E72Q4K9HCZ7VQ7ZWS8R</tt>: Invalid witness version
|
||||
* <tt>bc1pw5dgrnzv</tt>: Invalid program length (1 byte)
|
||||
* <tt>bc1p0xlxvlhemja6c4dqv22uapctqupfhlxm9h8z3k2e72q4k9hcz7v8n0nx0muaewav253zgeav</tt>: Invalid program length (41 bytes)
|
||||
* <tt>BC1QR508D6QEJXTDG4Y5R3ZARVARYV98GJ9P</tt>: Invalid program length for witness version 0 (per BIP141)
|
||||
* <tt>tb1p0xlxvlhemja6c4dqv22uapctqupfhlxm9h8z3k2e72q4k9hcz7vq47Zagq</tt>: Mixed case
|
||||
* <tt>bc1p0xlxvlhemja6c4dqv22uapctqupfhlxm9h8z3k2e72q4k9hcz7v07qwwzcrf</tt>: zero padding of more than 4 bits
|
||||
* <tt>tb1p0xlxvlhemja6c4dqv22uapctqupfhlxm9h8z3k2e72q4k9hcz7vpggkg4j</tt>: Non-zero padding in 8-to-5 conversion
|
||||
* <tt>bc1gmk9yu</tt>: Empty data section
|
||||
|
||||
|
||||
==Appendix: checksum design & properties==
|
||||
|
||||
Checksums are used to detect errors introduced into data during transfer. A hash function-based checksum such as Base58Check detects any type of error uniformly, but not all classes of errors are equally likely to occur in practice. Bech32 prioritizes detection of substitution errors, but improving detection of one error class inevitably worsens detection of other error classes. During the design of Bech32, it was assumed that other simple error patterns beside substitutions would have a similar detection rate as in a hash function-based design, and detection would only be worse for complex, impractical errors. The discovered insertion weakness shows that this is not the case.
|
||||
|
||||
For Bech32m, we aim to retain Bech32's guarantees for substitution errors, but make sure that other common errors don't perform worse than a hash function-based checksum would. To make sure the new standard is easy to implement, we restrict the design space to only amending the final constant that is xored in, as it was [https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2019-December/017521.html observed] that that is sufficient to mitigate the 'q' insertion issue while retaining the intended substitution error detection. In what follows, we explain how the new constant ''0x2bc830a3'' was chosen.
|
||||
|
||||
===Error patterns & detection probability===
|
||||
|
||||
We define an error pattern as a sequence of first one or more deletions, then swaps of adjacent characters, followed by substitutions, insertions, and duplications, in that order, all in specific positions, applied to a string with valid checksum that is otherwise randomly chosen. For insertions and substitutions we assume a uniformly random new character. For example, "delete the 17th character, swap the 11th character with the 12th character, and insert a random character in the 24th position" is an error pattern. "Replace the 43rd through 48th character with 'aardvark'" is not a valid error pattern, because the new characters are not random and there is no reason why this particular string is more likely than any other to be substituted.
|
||||
|
||||
A hash function-based checksum design with a 30-bit hash would have a probability of incorrectly accepting equal to ''2<sup>-30</sup>'', for every error pattern. Bech32 has a probability of 0 to incorrectly accept error patterns consisting of up to 4 substitutions—they are always detected. The 'q'-insertion issue shows that for Bech32 a simple error pattern ("insert a random character in the penultimate position") with probability ''2<sup>-10</sup>'' exists: it requires the final character to be 'p' (leaving only 1 in 32 strings), and requires the inserted character to be 'q' (permitting only 1 of 32 possible inserted characters).
|
||||
|
||||
Note that the choice of ''what'' the error pattern is (which types of errors, and where) isn't part of our probabilities: we try to make sure that ''every'' pattern behaves well, not just randomly chosen ones, because presumably humans
|
||||
make some kinds of errors more than others, and we cannot easily model which ones.
|
||||
|
||||
===Detection properties of Bech32m===
|
||||
|
||||
The table below shows the error detection properties of Bech32m, and a comparison with Bech32. The code used for this analysis can be found [https://gist.github.com/sipa/14c248c288c3880a3b191f978a34508e#file-const_analysis-cpp here]. Every row specifies one error pattern via the constraints in the left four columns. The remaining columns report what percentage of those patterns have certain probabilities of not being detected. The columns are:
|
||||
|
||||
* '''errors''' The maximum number of individual errors considered
|
||||
* '''of type''' What type of errors are considered (either "subst. only" for just substitutions, or "any" to also include deletions, swaps, insertions, and duplications)
|
||||
* '''window''' The maximum size of the window in which the errors have to occur<ref>'''What is an error pattern’s window size?''' The window size of an error pattern is the length of the smallest consecutive range of characters that contains all modified characters (on input or output; whichever is larger). For example, an error pattern that turns "abcdef" into "accdbef" has a window size of 4, as it is replacing "bcd" with "ccdb", a 4 character string. Window size is only meaningful when the pattern consists of two or more errors.</ref>
|
||||
* '''code/verifier''' Whether this line is about Bech32 or Bech32m encoded strings, and whether those are evaluated regarding their probability of being accepted by either a Bech32 or a Bech32m verifier.<ref>'''Why do we care about probability of accepting Bech32m strings in Bech32 verifiers?''' For applications where Bech32m replaces an existing use of Bech32 (such as segregated witness addresses), we want to make sure that a Bech32m string created by new software won’t be erroneously accepted by old software that assumes Bech32 - even when a small number of errors were introduced as well.</ref><ref>'''Should we also take into account failures that occur due to taking a valid Bech32m string, and after errors it becoming acceptable to a Bech32 verifier?''' This situation may in theory occur for segregated witness addresses when errors occur that change the version number in a v1+ address to v0. Due to the specificity of this type of error, plus the additional constraints that apply for v0 addresses, this is both unlikely and hard to analyze.</ref>
|
||||
* '''error patterns with failure probability''' For each probability (''0'', ''2<sup>-30</sup>'', ''2<sup>-25</sup>'', ''2<sup>-20</sup>'', ''2<sup>-15</sup>'', and ''2<sup>-10</sup>'') this reports what percentage of error patterns restricted by the constraints in the previous columns have those probabilities of being incorrectly accepted.
|
||||
|
||||
The properties are divided into two classes: those that hold over all strings when averaged over all possible HRPs (human readable parts), and those specific to the "bc1" HRP with the length restrictions imposed by segregated witness addresses<ref>'''What restrictions were taken into account for the "bc1"-specific analysis?''' The minimum length (due to witness programs being at least 2 bytes), the maximum length (due to witness programs being at most 40 bytes), and the fact that the witness programs are a multiple of 8 bits. The fact that the first data symbol cannot be over 16, or that the padding has to be 0, is not taken into account.</ref>.
|
||||
|
||||
{| class="wikitable"
|
||||
! rowspan="2" | errors
|
||||
! rowspan="2" | of type
|
||||
! rowspan="2" | window
|
||||
! rowspan="2" | code/verifier
|
||||
! colspan="6" | error patterns with failure probability
|
||||
|-
|
||||
! ''0'' !! ''2<sup>-30</sup>'' !! ''2<sup>-25</sup>'' !! ''2<sup>-20</sup>'' !! ''2<sup>-15</sup>'' !! ''2<sup>-10</sup>''
|
||||
|-
|
||||
! colspan="10" | Properties averaged over all HRPs
|
||||
|-
|
||||
| ≤ 4 || only subst. || any || rowspan="6" | Bech32m/Bech32m || 100.00%|| colspan="5" | none<sup>(a)</sup>
|
||||
|-
|
||||
| any || any || ≤ 4 || 56.16%|| 43.84%|| colspan="4" | none<sup>(b)</sup>
|
||||
|-
|
||||
| ≤ 2 || any || ≤ 68 || 7.71%|| 92.28%|| colspan="4" | none<sup>(b)</sup>
|
||||
|-
|
||||
| ≤ 2 || any || any || 7.79%|| 92.20%|| 0.004%|| colspan="3" | none<sup>(b)</sup>
|
||||
|-
|
||||
| ≤ 3 || any || ≤ 69 || 7.73%|| 92.23%|| 0.033%<sup>(d)</sup> || colspan="3" | none<sup>(b)</sup>
|
||||
|-
|
||||
| ≤ 3 || any || any || 7.77%|| 92.19%|| 0.034%|| 0.000065% || colspan="2" | none<sup>(b)</sup>
|
||||
|-
|
||||
| ≤ 4 || only subst. || any || rowspan="6" | Bech32/Bech32 || 100.00%|| colspan="5" | none
|
||||
|-
|
||||
| any || any || ≤ 4 || 54.00%|| 43.84%|| 1.08%|| 0.90%|| 0.17%|| 0.0091%
|
||||
|-
|
||||
| ≤ 2 || any || ≤ 68 || 4.59%|| 92.29%|| 1.09%|| 1.01%|| 0.99%|| 0.039%
|
||||
|-
|
||||
| ≤ 2 || any || any || 4.58%|| 92.21%|| 1.11%|| 1.04%|| 1.02%|| 0.038%
|
||||
|-
|
||||
| ≤ 3 || any || ≤ 69 || 6.69%|| 92.23%|| 0.56%|| 0.48%|| 0.041%|| 0.00055%
|
||||
|-
|
||||
| ≤ 3 || any || any || 6.66%|| 92.19%|| 0.59%|| 0.52%|| 0.041%|| 0.00053%
|
||||
|-
|
||||
| 0 || - || - || rowspan="3" | Bech32m/Bech32 || 100.00%|| colspan="5" | none<sup>(a)</sup>
|
||||
|-
|
||||
| 1 || any || - || 46.53%|| 53.46%|| colspan="4" | none<sup>(b)</sup>
|
||||
|-
|
||||
| ≤ 2 || any || any || 22.18%|| 77.77%|| 0.048%|| colspan="3" | none<sup>(b)</sup>
|
||||
|-
|
||||
! colspan="10" | Properties for segregated witness addresses with HRP "bc"
|
||||
|-
|
||||
| ≤ 4 || only subst. || any || rowspan="6" | Bech32m/Bech32m || 100.00%|| colspan="5" | none<sup>(a)</sup>
|
||||
|-
|
||||
| 1 || any || - || 24.34%|| 75.66%|| colspan="4" | none<sup>(c)</sup>
|
||||
|-
|
||||
| ≤ 2 || any || ≤ 28 || 16.85%|| 83.15%|| colspan="4" | none<sup>(c)</sup>
|
||||
|-
|
||||
| any || any || ≤ 4 || 74.74%|| 25.25%|| 0.0016%|| colspan="3" | none<sup>(c)</sup>
|
||||
|-
|
||||
| ≤ 2 || any || any || 15.72%|| 84.23%|| 0.039%|| 0.0053%|| colspan="2" | none<sup>(c)</sup>
|
||||
|-
|
||||
| ≤ 3 || any || any || 13.98%|| 85.94%|| 0.078%|| 0.00063%|| colspan="2" | none<sup>(c)</sup>
|
||||
|-
|
||||
| ≤ 4 || only subst. || any || rowspan="6" | Bech32/Bech32 || 100.00%|| colspan="5" | none
|
||||
|-
|
||||
| 1 || any || - || 14.63%|| 75.71%|| 2.43%|| 2.43%|| 2.43%|| 2.38%
|
||||
|-
|
||||
| ≤ 2 || any || ≤ 28 || 14.22%|| 83.15%|| 0.94%|| 0.84%|| 0.79%|| 0.054%
|
||||
|-
|
||||
| any || any || ≤ 4 || 73.23%|| 25.26%|| 0.76%|| 0.63%|| 0.12%|| 0.0064%
|
||||
|-
|
||||
| ≤ 2 || any || any || 12.79%|| 84.24%|| 1.06%|| 0.95%|| 0.92%|| 0.041%
|
||||
|-
|
||||
| ≤ 3 || any || any || 13.00%|| 85.94%|| 0.57%|| 0.45%|| 0.044%|| 0.00067%
|
||||
|-
|
||||
| ≤ 3 || only subst. || any || rowspan="3" | Bech32m/Bech32 || 100.00%|| colspan="5" | none<sup>(c)</sup>
|
||||
|-
|
||||
| 1 || any || - || 70.89%|| 29.11%|| colspan="4" | none<sup>(c)</sup>
|
||||
|-
|
||||
| ≤ 2 || any || any || 36.12%|| 63.79%|| 0.092%|| 0.00049%|| colspan="2" | none<sup>(c)</sup>
|
||||
|}
|
||||
|
||||
The numbers in this table, as well as a comparison with the numbers for the ‘’1’’ constant and earlier proposed improved constants, can be found [https://gist.github.com/sipa/14c248c288c3880a3b191f978a34508e#file-results_final-txt here].
|
||||
|
||||
|
||||
===Selection process===
|
||||
|
||||
The details of the selection process can be found [https://gist.github.com/sipa/14c248c288c3880a3b191f978a34508e here], but in short:
|
||||
* Start with the set of all ''2<sup>30</sup>-1'' constants different from Bech32's ''1''. All of these satisfy the properties marked <sup>(a)</sup> in the table above.
|
||||
* Through exhaustive analysis, reject all constants that do not exhibit the properties<ref>'''How were the properties to select for chosen?''' All these properties are as strong as they can be without rejecting every constant: rejecting constants with lower probabilities, or more errors, or wider windows all result in nothing left.</ref> marked <sup>(b)</sup> in the table above (e.g. all constants that permit any error pattern of 2 errors or less in a window of 68 characters or less with a detection probability ''≥ 2<sup>-20</sup>''). This selection leaves us with 12054 candidates.
|
||||
* Reject all constants that do not exhibit the <sup>(c)</sup> properties in the table above<ref>'''Why optimize for segregated witness addresses (with HRP "bc1") specifically?''' Our analysis for generic HRP has limitations (see the detailed description [https://gist.github.com/sipa/14c248c288c3880a3b191f978a34508e#file-bech32m_mail-txt here], under "Technical details"). We optimize for generic usage first, but optimize for segregated witness addresses as a tiebreaker.</ref>. This leaves us with 79 candidates.
|
||||
* Finally, select the candidate that minimizes the number of error classes matching <sup>(d)</sup> in the table above as a final tiebreaker. The result is the single constant ''0x2bc830a3''.
|
||||
|
||||
==Footnotes==
|
||||
|
||||
<references />
|
||||
|
||||
==Acknowledgements==
|
||||
|
||||
Thanks to Greg Maxwell for doing most of the computation for code selection and analysis, and comments.
|
||||
Thanks to Mark Erhardt for help with writing and editing this document.
|
||||
Thanks to Rusty Russell and others on the bitcoin-dev list for the discussion around intentionally breaking compatibility with existing senders, which is used in this specification.
|
305
bip-0370.mediawiki
Normal file
305
bip-0370.mediawiki
Normal file
@ -0,0 +1,305 @@
|
||||
<pre>
|
||||
BIP: 370
|
||||
Layer: Applications
|
||||
Title: PSBT Version 2
|
||||
Author: Andrew Chow <achow101@gmail.com>
|
||||
Comments-Summary: No comments yet.
|
||||
Comments-URI: https://github.com/bitcoin/bips/wiki/Comments:BIP-0370
|
||||
Status: Draft
|
||||
Type: Standards Track
|
||||
Created: 2021-01-14
|
||||
License: BSD-2-Clause
|
||||
</pre>
|
||||
|
||||
==Introduction==
|
||||
|
||||
===Abstract===
|
||||
|
||||
This document proposes a second version of the Partially Signed Bitcoin Transaction format
|
||||
described in BIP 174 which allows for inputs and outputs to be added to the PSBT after creation.
|
||||
|
||||
===Copyright===
|
||||
|
||||
This BIP is licensed under the 2-clause BSD license.
|
||||
|
||||
===Motivation===
|
||||
|
||||
Partially Signed Bitcoin Transaction Version 0 as described in BIP 174 is unable to have new
|
||||
inputs and outputs be added to the transaction. The fixed global unsigned transaction
|
||||
cannot be changed which prevents any additional inputs or outputs to be added.
|
||||
PSBT Version 2 is intended to rectify this problem.
|
||||
|
||||
An additional benficial side effect is that all information for a given input or output will be
|
||||
provided by its <tt><input-map></tt> or <tt><output-map></tt>. With Version 0, to retrieve
|
||||
all of the information for an input or output, data would need to be found in two locations:
|
||||
the <tt><input-map></tt>/<tt><output-map></tt> and the global unsigned transaction. PSBT
|
||||
Version 2 now moves all related information to one place.
|
||||
|
||||
==Specification==
|
||||
|
||||
PSBT Version 2 (PSBTv2) only specifies new fields and field inclusion/exclusion requirements.
|
||||
|
||||
<tt>PSBT_GLOBAL_UNSIGNED_TX</tt> must be excluded in PSBTv2.
|
||||
<tt>PSBT_GLOBAL_VERSION</tt> must be included in PSBTv2 and set to version number 2<ref>'''What happened to version number 1?'''
|
||||
Version number 1 is skipped because PSBT Version 0 has been colloquially referred to as version 1. Originally this BIP was to be
|
||||
version 1, but because it has been colloquially referred to as version 2 during its design phrase, it was decided to change the
|
||||
version number to 2 so that there would not be any confusion</ref>.
|
||||
|
||||
The new global types for PSBT Version 2 are as follows:
|
||||
|
||||
{|
|
||||
! Name
|
||||
! <tt><keytype></tt>
|
||||
! <tt><keydata></tt>
|
||||
! <tt><keydata></tt> Description
|
||||
! <tt><valuedata></tt>
|
||||
! <tt><valuedata></tt> Description
|
||||
! Versions Requiring Inclusion
|
||||
! Versions Requiring Exclusion
|
||||
! Versions Allowing Inclusion
|
||||
|-
|
||||
| Transaction Version
|
||||
| <tt>PSBT_GLOBAL_TX_VERSION = 0x02</tt>
|
||||
| None
|
||||
| No key data
|
||||
| <tt><32-bit uint></tt>
|
||||
| The 32-bit little endian signed integer representing the version number of the transaction being created. Note that this is not the same as the PSBT version number specified by the PSBT_GLOBAL_VERSION field.
|
||||
| 2
|
||||
| 0
|
||||
| 2
|
||||
|-
|
||||
| Fallback Locktime
|
||||
| <tt>PSBT_GLOBAL_FALLBACK_LOCKTIME = 0x03</tt>
|
||||
| None
|
||||
| No key data
|
||||
| <tt><32-bit uint></tt>
|
||||
| The 32-bit little endian unsigned integer representing the transaction locktime to use if no inputs specify a required locktime.
|
||||
|
|
||||
| 0
|
||||
| 2
|
||||
|-
|
||||
| Input Count
|
||||
| <tt>PSBT_GLOBAL_INPUT_COUNT = 0x04</tt>
|
||||
| None
|
||||
| No key data
|
||||
| <tt><compact size uint></tt>
|
||||
| Compact size unsigned integer representing the number of inputs in this PSBT.
|
||||
| 2
|
||||
| 0
|
||||
| 2
|
||||
|-
|
||||
| Output Count
|
||||
| <tt>PSBT_GLOBAL_OUTPUT_COUNT = 0x05</tt>
|
||||
| None
|
||||
| No key data
|
||||
| <tt><compact size uint></tt>
|
||||
| Compact size unsigned integer representing the number of outputs in this PSBT.
|
||||
| 2
|
||||
| 0
|
||||
| 2
|
||||
|-
|
||||
| Transaction Modifiable Flags
|
||||
| <tt>PSBT_GLOBAL_TX_MODIFIABLE = 0x06</tt>
|
||||
| None
|
||||
| No key data
|
||||
| <tt><8-bit uint></tt>
|
||||
| An 8 bit little endian unsigned integer as a bitfield for various transaction modification flags. Bit 0 is the Inputs Modifiable Flag and indicates whether inputs can be modified. Bit 1 is the Outputs Modifiable Flag and indicates whether outputs can be modified. Bit 2 is the Has SIGHASH_SINGLE flag and indicates whether the transaction has a SIGHASH_SINGLE signature who's input and output pairing must be preserved. Bit 2 essentially indicates that the Constructor must iterate the inputs to determine whether and how to add an input.
|
||||
|
|
||||
| 0
|
||||
| 2
|
||||
|}
|
||||
|
||||
The new per-input types for PSBT Version 2 are defined as follows:
|
||||
|
||||
{|
|
||||
! Name
|
||||
! <tt><keytype></tt>
|
||||
! <tt><keydata></tt>
|
||||
! <tt><keydata></tt> Description
|
||||
! <tt><valuedata></tt>
|
||||
! <tt><valuedata></tt> Description
|
||||
! Versions Requiring Inclusion
|
||||
! Versions Requiring Exclusion
|
||||
! Versions Allowing Inclusion
|
||||
|-
|
||||
| Previous TXID
|
||||
| <tt>PSBT_IN_PREVIOUS_TXID = 0x0e</tt>
|
||||
| None
|
||||
| No key data
|
||||
| <tt><txid></tt>
|
||||
| 32 byte txid of the previous transaction whose output at PSBT_IN_OUTPUT_INDEX is being spent.
|
||||
| 2
|
||||
| 0
|
||||
| 2
|
||||
|-
|
||||
| Spent Output Index
|
||||
| <tt>PSBT_IN_OUTPUT_INDEX = 0x0f</tt>
|
||||
| None
|
||||
| No key data
|
||||
| <tt><32-bit uint></tt>
|
||||
| 32 bit little endian integer representing the index of the output being spent in the transaction with the txid of PSBT_IN_PREVIOUS_TXID.
|
||||
| 2
|
||||
| 0
|
||||
| 2
|
||||
|-
|
||||
| Sequence Number
|
||||
| <tt>PSBT_IN_SEQUENCE = 0x10</tt>
|
||||
| None
|
||||
| No key data
|
||||
| <tt><32-bit uint></tt>
|
||||
| The 32 bit unsigned little endian integer for the sequence number of this input. If omitted, the sequence number is assumed to be the final sequence number (0xffffffff).
|
||||
|
|
||||
| 0
|
||||
| 2
|
||||
|-
|
||||
| Required Time-based Locktime
|
||||
| <tt>PSBT_IN_REQUIRED_TIME_LOCKTIME = 0x11</tt>
|
||||
| None
|
||||
| No key data
|
||||
| <tt><32-bit uint></tt>
|
||||
| 32 bit unsigned little endian integer greater than or equal to 500000000 representing the minimum Unix timestamp that this input requires to be set as the transaction's lock time.
|
||||
|
|
||||
| 0
|
||||
| 2
|
||||
|-
|
||||
| Required Height-based Locktime
|
||||
| <tt>PSBT_IN_REQUIRED_HEIGHT_LOCKTIME = 0x12</tt>
|
||||
| None
|
||||
| No key data
|
||||
| <tt><32-bit uiht></tt>
|
||||
| 32 bit unsigned little endian integer less than 500000000 representing the minimum block height that this input requires to be set as the transaction's lock time.
|
||||
|
|
||||
| 0
|
||||
| 2
|
||||
|}
|
||||
|
||||
The new per-output types for PSBT Version 2 are defined as follows:
|
||||
|
||||
{|
|
||||
! Name
|
||||
! <tt><keytype></tt>
|
||||
! <tt><keydata></tt>
|
||||
! <tt><keydata></tt> Description
|
||||
! <tt><valuedata></tt>
|
||||
! <tt><valuedata></tt> Description
|
||||
! Versions Requiring Inclusion
|
||||
! Versions Requiring Exclusion
|
||||
! Versions Allowing Inclusion
|
||||
|-
|
||||
| Output Amount
|
||||
| <tt>PSBT_OUT_AMOUNT = 0x03</tt>
|
||||
| None
|
||||
| No key data
|
||||
| <tt><64-bit int></tt>
|
||||
| 64 bit signed little endian integer representing the output's amount in satoshis.
|
||||
| 2
|
||||
| 0
|
||||
| 2
|
||||
|-
|
||||
| Output Script
|
||||
| <tt>PSBT_OUT_SCRIPT = 0x04</tt>
|
||||
| None
|
||||
| No key data
|
||||
| <tt><script></tt>
|
||||
| The script for this output, also known as the scriptPubKey. Must be omitted in PSBTv0. Must be provided in PSBTv2.
|
||||
| 2
|
||||
| 0
|
||||
| 2
|
||||
|}
|
||||
|
||||
===Determining Lock Time===
|
||||
|
||||
The nLockTime field of a transaction is determined by inspecting the PSBT_GLOBAL_PREFERRED_LOCKTIME and each input's PSBT_IN_REQUIRED_TIME_LOCKTIME and PSBT_IN_REQUIRED_HEIGHT_LOCKTIME fields.
|
||||
If none of the inputs have a PSBT_IN_REQUIRED_TIME_LOCKTIME and PSBT_IN_REQUIRED_HEIGHT_LOCKTIME, then PSBT_GLOBAL_PREFERRED_LOCKTIME must be used.
|
||||
If PSBT_GLOBAL_PREFERRED_LOCKTIME is not provided, then it is assumed to be 0.
|
||||
|
||||
If one or more inuts have a PSBT_IN_REQUIRED_TIME_LOCKTIME or PSBT_IN_REQUIRED_HEIGHT_LOCKTIME, then the field chosen is the one which is supported by all of the inputs.
|
||||
This can be determined by looking at all of the inputs which specify a locktime in either of those fields, and choosing the field which is present in all of those inputs.
|
||||
Inputs not specifying a lock time field can take both types of lock times, as can those that specify both.
|
||||
The lock time chosen is then the maximum value of the chosen type of lock time.
|
||||
|
||||
===Unique Identification===
|
||||
|
||||
PSBTv2s can be uniquely identified by constructing an unsigned transaction given the information provided in the PSBT and computing the transaction ID of that transaction.
|
||||
Since PSBT_IN_SEQUENCE can be changed by Updaters and Combiners, the sequence number in this unsigned transaction must be set to 0 (not final, nor the sequence in PSBT_IN_SEQUENCE).
|
||||
The lock time in this unsigned transaction must be computed as described previously.
|
||||
|
||||
==Roles==
|
||||
|
||||
PSBTv2 introduces new roles and modifies some existing roles.
|
||||
|
||||
===Creator===
|
||||
|
||||
In PSBTv2, the Creator initializes the PSBT with 0 inputs and 0 outputs.
|
||||
The PSBT version number is set to 2. The transaction version number must be set to at least 2. <ref>'''Why does the transaction version number need to be at least 2?''' The transaction version number is part of the validation rules for some features such as OP_CHECKSEQUENCEVERIFY. Since it is backwards compatible, and there are other ways to disable those features (e.g. through sequence numbers), it is easier to require transactions be able to support these features than to try to negotiate the transaction version number.</ref>
|
||||
The Creator should also set PSBT_GLOBAL_PREFERRED_LOCKTIME.
|
||||
If the Creator is not also a Constructor and will be giving the PSBT to others to add inputs and outputs, the PSBT_GLOBAL_TX_MODIFIABLE field must be present and and the Inputs Modifiable and Outputs Modifiable flags set appropriately.
|
||||
If the Creator is a Constructor and no inputs and outputs will be added by other entities, PSBT_GLOBAL_TX_MODIFIABLE may be omitted.
|
||||
|
||||
===Constructor===
|
||||
|
||||
This Constructor is only present for PSBTv2.
|
||||
Once a Creator initializes the PSBT, a constructor will add inputs and outputs.
|
||||
Before any input or output may be added, the constructor must check the PSBT_GLOBAL_TX_MODIFIABLE field.
|
||||
Inputs may only be added if the Inputs Modifiable flag is True.
|
||||
Outputs may only be added if the Outputs Modifiable flag is True.
|
||||
|
||||
When an input or output is added, the corresponding PSBT_GLOBAL_INPUT_COUNT or PSBT_GLOBAL_OUTPUT_COUNT must be incremeted to reflect the number of inputs and outputs in the PSBT.
|
||||
When an input is added, it must have PSBT_IN_PREVIOUS_TXID and PSBT_IN_OUTPUT_INDEX set.
|
||||
When an output is added, it must have PSBT_OUT_VALUE and PSBT_OUT_OUTPUT_SCRIPT set.
|
||||
If the input has a required timelock, Constructors must set the requisite timelock field.
|
||||
If the input has a required time based timelock, then PSBT_IN_REQUIRED_TIME_TIMELOCK must be set
|
||||
If the input has a required height based timelock, then PSBT_IN_REQUIRED_HEIGHT_TIMELOCK must be set.
|
||||
If an input has both types of timelocks, then both may be set.
|
||||
In some cases, an input that can allow both types, but a particular branch supporting only one type of timelock will be taken, then the type of timelock that will be used can be the only one set.
|
||||
|
||||
If an input being added specifies a required time lock, then the Constructor must iterate through all of the existing inputs and ensure that the time lock types are compatible.
|
||||
Additionally, if during this iteration, it finds that any inputs have signatures, it must ensure that the newly added input does not change the transaction's locktime.
|
||||
If the newly added input has an incompatible time lock, then it must not be added.
|
||||
If it changes the transaction's locktime when there are existing signatures, it must not be added.
|
||||
|
||||
If the Has SIGHASH_SINGLE flag is True, then the Constructor must iterate through the inputs and find the inputs which have signatures that use SIGHASH_SINGLE.
|
||||
The same number of inputs and outputs must be added before those inputs and their corresponding outputs.
|
||||
|
||||
A Constructor may choose to declare that no further inputs and outputs can be added to the transaction by setting the booleans in PSBT_GLOBAL_TX_MODIFIABLE to False or by removing this field entirely.
|
||||
|
||||
A single entity is likely to be both a Creator and Constructor.
|
||||
|
||||
===Updater===
|
||||
|
||||
For PSBTv2, an Updater can set the sequence number.
|
||||
|
||||
===Signer===
|
||||
|
||||
For PSBTv2s, a signer must update the PSBT_GLOBAL_TX_MODIFIABLE field after signing inputs so that it accurately reflects the state of the PSBT.
|
||||
If the Signer added a signature that does not use SIGHASH_ANYONECANPAY, the Input Modifiable flag must be set to False.
|
||||
If the Signer added a signature that does not use SIGHASH_NONE, the Outputs Modifiable flag must be set to False.
|
||||
If the Signer added a signature that uses SIGHASH_SINGLE, the Has SIGHASH_SINGLE flag must be set to True.
|
||||
|
||||
===Transaction Extractor===
|
||||
|
||||
For PSBTv2s, the transaction is constructed using the PSBTv2 fields.
|
||||
The lock time for this transaction is determined as described in the Determining Lock Time section.
|
||||
The Extractor should produce a fully valid, network serialized transaction if all inputs are complete.
|
||||
|
||||
==Backwards Compatibility==
|
||||
|
||||
PSBTv2 shares the same gemeric format as PSBTv0 as defined in BIP 174. Parsers for PSBTv0 should
|
||||
be able to deserialize PSBTv2 with only changes to support the new fields.
|
||||
|
||||
However PSBTv2 is incompatible with PSBTv0, and vice versa due to the use of the PSBT_GLOBAL_VERSION.
|
||||
This incompatibility is intentional so that PSBT_GLOBAL_UNSIGNED_TX could be removed in PSBTv2.
|
||||
However it is possible to convert a PSBTv2 to a PSBTv0 by creating an unsigned
|
||||
transaction from the PSBTv2 fields.
|
||||
|
||||
==Test Vectors==
|
||||
|
||||
TBD
|
||||
|
||||
==Rationale==
|
||||
|
||||
<references/>
|
||||
|
||||
==Reference implementation==
|
||||
|
||||
The reference implementation of the PSBT format is available at https://github.com/achow101/bitcoin/tree/psbt2.
|
179
bip-0371.mediawiki
Normal file
179
bip-0371.mediawiki
Normal file
@ -0,0 +1,179 @@
|
||||
<pre>
|
||||
BIP: 371
|
||||
Layer: Applications
|
||||
Title: Taproot Fields for PSBT
|
||||
Author: Andrew Chow <andrew@achow101.com>
|
||||
Comments-Summary: No comments yet.
|
||||
Comments-URI: https://github.com/bitcoin/bips/wiki/Comments:BIP-0371
|
||||
Status: Draft
|
||||
Type: Standards Track
|
||||
Created: 2021-06-21
|
||||
License: BSD-2-Clause
|
||||
</pre>
|
||||
|
||||
==Introduction==
|
||||
|
||||
===Abstract===
|
||||
|
||||
This document proposes additional fields for BIP 174 PSBTv0 and BIP 370 PSBTv2 that allow for
|
||||
BIP 340/341/342 Taproot data to be included in a PSBT of any version. These will be fields for
|
||||
signatures and scripts that are relevant to the creation of Taproot inputs.
|
||||
|
||||
===Copyright===
|
||||
|
||||
This BIP is licensed under the 2-clause BSD license.
|
||||
|
||||
===Motivation===
|
||||
|
||||
BIPs 340, 341, and 342 specify Taproot which provides a wholly new way to create and spend Bitcoin outputs.
|
||||
The existing PSBT fields are unable to support Taproot due to the new signature algorithm and the method
|
||||
by which scripts are embedded inside of a Taproot output. Therefore new fields must be defined to allow
|
||||
PSBTs to carry the information necessary for signing Taproot inputs.
|
||||
|
||||
==Specification==
|
||||
|
||||
The new per-input types are defined as follows:
|
||||
|
||||
{|
|
||||
! Name
|
||||
! <tt><keytype></tt>
|
||||
! <tt><keydata></tt>
|
||||
! <tt><keydata></tt> Description
|
||||
! <tt><valuedata></tt>
|
||||
! <tt><valuedata></tt> Description
|
||||
! Versions Requiring Inclusion
|
||||
! Versions Requiring Exclusion
|
||||
! Versions Allowing Inclusion
|
||||
|-
|
||||
| Taproot Key Spend Signature
|
||||
| <tt>PSBT_IN_TAP_KEY_SIG = 0x13</tt>
|
||||
| None
|
||||
| No key data <ref>'''Why is there no key data for <tt>PSBT_IN_TAP_KEY_SIG</tt>'''The signature in a key path spend corresponds directly with the pubkey provided in the output script. Thus it is not necessary to provide any metadata that attaches the key path spend signature to a particular pubkey.</ref>
|
||||
| <tt><signature></tt>
|
||||
| The 64 or 65 byte Schnorr signature for key path spending a Taproot output. Finalizers should remove this field after <tt>PSBT_IN_FINAL_SCRIPTWITNESS</tt> is constructed.
|
||||
|
|
||||
|
|
||||
| 0, 2
|
||||
|-
|
||||
| Taproot Script Spend Signature
|
||||
| <tt>PSBT_IN_TAP_SCRIPT_SIG = 0x14</tt>
|
||||
| <tt><xonlypubkey> <leafhash></tt>
|
||||
| A 32 byte X-only public key involved in a leaf script concatenated with the 32 byte hash of the leaf it is part of.
|
||||
| <tt><signature></tt>
|
||||
| The 64 or 65 byte Schnorr signature for this pubkey and leaf combination. Finalizers should remove this field after <tt>PSBT_IN_FINAL_SCRIPTWITNESS</tt> is constructed.
|
||||
|
|
||||
|
|
||||
| 0, 2
|
||||
|-
|
||||
| Taproot Leaf Script
|
||||
| <tt>PSBT_IN_TAP_LEAF_SCRIPT = 0x15</tt>
|
||||
| <tt><control block></tt>
|
||||
| The control block for this leaf as specified in BIP 341. The control block contains the merkle tree path to this leaf.
|
||||
| <tt><script> <8-bit uint></tt>
|
||||
| The script for this leaf as would be provided in the witness stack followed by the single byte leaf version. Note that the leaves included in this field should be those that the signers of this input are expected to be able to sign for. Finalizers should remove this field after <tt>PSBT_IN_FINAL_SCRIPTWITNESS</tt> is constructed. Finalizers should remove this field after <tt>PSBT_IN_FINAL_SCRIPTWITNESS</tt> is constructed.
|
||||
|
|
||||
|
|
||||
| 0, 2
|
||||
|-
|
||||
| Taproot Key BIP 32 Derivation Path
|
||||
| <tt>PSBT_IN_TAP_BIP32_DERIVATION = 0x16</tt>
|
||||
| <tt><xonlypubkey></tt>
|
||||
| A 32 byte X-only public key involved in this input. It may be the internal key, or a key present in a leaf script.
|
||||
| <tt><hashes len> <leaf hash>* <4 byte fingerprint> <32-bit uint>*</tt>
|
||||
| A compact size unsigned integer representing the number of leaf hashes, followed by a list of leaf hashes, followed by the 4 byte master key fingerprint concatenated with the derivation path of the public key. The derivation path is represented as 32-bit little endian unsigned integer indexes concatenated with each other. Public keys are those needed to spend this output. The leaf hashes are of the leaves which involve this public key. The internal key does not have leaf hashes, so can be indicated with a <tt>hashes len</tt> of 0. Finalizers should remove this field after <tt>PSBT_IN_FINAL_SCRIPTWITNESS</tt> is constructed.
|
||||
|
|
||||
|
|
||||
| 0, 2
|
||||
|-
|
||||
| Taproot Internal Key
|
||||
| <tt>PSBT_IN_TAP_INTERNAL_KEY = 0x17</tt>
|
||||
| None
|
||||
| No key data
|
||||
| <tt><pubkey></tt>
|
||||
| The X-only pubkey used as the internal key in this output.<ref>'''Why is the internal key provided?'''The internal key is not necessarily the same key as in the Taproot output script. BIP 341 recommends tweaking the key with the hash of itself. It may be necessary for signers to know what the internal key actually is so that they are able to determine whether an input can be signed by it.</ref> Finalizers should remove this field after <tt>PSBT_IN_FINAL_SCRIPTWITNESS</tt> is constructed.
|
||||
|
|
||||
|
|
||||
| 0, 2
|
||||
|-
|
||||
| Taproot Merkle Root
|
||||
| <tt>PSBT_IN_TAP_MERKLE_ROOT = 0x18</tt>
|
||||
| None
|
||||
| No key data
|
||||
| <tt><pubkey></tt>
|
||||
| The 32 byte Merkle root hash. Finalizers should remove this field after <tt>PSBT_IN_FINAL_SCRIPTWITNESS</tt> is constructed.
|
||||
|
|
||||
|
|
||||
| 0, 2
|
||||
|}
|
||||
|
||||
The new per-output types are defined as follows:
|
||||
|
||||
{|
|
||||
! Name
|
||||
! <tt><keytype></tt>
|
||||
! <tt><keydata></tt>
|
||||
! <tt><keydata></tt> Description
|
||||
! <tt><valuedata></tt>
|
||||
! <tt><valuedata></tt> Description
|
||||
! Versions Requiring Inclusion
|
||||
! Versions Requiring Exclusion
|
||||
! Versions Allowing Inclusion
|
||||
|-
|
||||
| Taproot Internal Key
|
||||
| <tt>PSBT_OUT_TAP_INTERNAL_KEY = 0x05</tt>
|
||||
| None
|
||||
| No key data
|
||||
| <tt><pubkey></tt>
|
||||
| The X-only pubkey used as the internal key in this output.
|
||||
|
|
||||
|
|
||||
| 0, 2
|
||||
|-
|
||||
| Taproot Tree
|
||||
| <tt>PSBT_OUT_TAP_TREE = 0x06</tt>
|
||||
| None
|
||||
| No key data
|
||||
| <tt>{<8-bit uint depth> <8-bit uint leaf version> <scriptlen> <script>}*</tt>
|
||||
| One or more tuples representing the depth, leaf version, and script for a leaf in the Taproot tree, allowing the entire tree to be reconstructed. The tuples must be in depth first search order so that the tree is correctly reconstructed. Each tuple is an 8-bit unsigned integer representing the depth in the Taproot tree for this script, an 8-bit unsigned integer representing the leaf version, the length of the script as a compact size unsigned integer, and the script itself.
|
||||
|
|
||||
|
|
||||
| 0, 2
|
||||
|-
|
||||
| Taproot Key BIP 32 Derivation Path
|
||||
| <tt>PSBT_OUT_TAP_BIP32_DERIVATION = 0x07</tt>
|
||||
| <tt><xonlypubkey></tt>
|
||||
| A 32 byte X-only public key involved in this output. It may be the internal key, or a key present in a leaf script.
|
||||
| <tt><hashes len> <leaf hash>* <4 byte fingerprint> <32-bit uint>*</tt>
|
||||
| A compact size unsigned integer representing the number of leaf hashes, followed by a list of leaf hashes, followed by the 4 byte master key fingerprint concatenated with the derivation path of the public key. The derivation path is represented as 32-bit little endian unsigned integer indexes concatenated with each other. Public keys are those needed to spend this output. The leaf hashes are of the leaves which involve this public key. The internal key does not have leaf hashes, so can be indicated with a <tt>hashes len</tt> of 0. Finalizers should remove this field after <tt>PSBT_IN_FINAL_SCRIPTWITNESS</tt> is constructed.
|
||||
|
|
||||
|
|
||||
| 0, 2
|
||||
|}
|
||||
|
||||
===UTXO Types===
|
||||
|
||||
BIP 174 recommends using <tt>PSBT_IN_NON_WITNESS_UTXO</tt> for all inputs because of potential attacks involving
|
||||
an updater lying about the amounts in an output. Because a Taproot signature will commit to all of the amounts
|
||||
and output scripts spent by the inputs of the transaction, such attacks are prevented as any such lying would
|
||||
result in an invalid signature. Thus Taproot inputs can use just <tt>PSBT_IN_WITNESS_UTXO</tt>.
|
||||
|
||||
==Compatibility==
|
||||
|
||||
These are simply new fields added to the existing PSBT format. Because PSBT is designed to be extensible, old
|
||||
software will ignore the new fields.
|
||||
|
||||
==Test Vectors==
|
||||
|
||||
TBD
|
||||
|
||||
==Rationale==
|
||||
|
||||
<references/>
|
||||
|
||||
==Reference implementation==
|
||||
|
||||
The reference implementation of the PSBT format is available at TBD.
|
||||
|
||||
==Acknowledgements==
|
||||
|
||||
TBD
|
Loading…
Reference in New Issue
Block a user