BIP: 174
  Layer: Applications
  Title: Partially Signed Bitcoin Transaction Format
  Author: Andrew Chow 
  Comments-Summary: No comments yet.
  Comments-URI: https://github.com/bitcoin/bips/wiki/Comments:BIP-0174
  Status: Final
  Type: Standards Track
  Created: 2017-07-12
  License: BSD-2-Clause
==Introduction== ===Abstract=== This document proposes a binary transaction format which contains the information necessary for a signer to produce signatures for the transaction and holds the signatures for an input while the input does not have a complete set of signatures. The signer can be offline as all necessary information will be provided in the transaction. The generic format is described here in addition to the specification for version 0 of this format. ===Copyright=== This BIP is licensed under the 2-clause BSD license. ===Motivation=== Creating unsigned or partially signed transactions to be passed around to multiple signers is currently implementation dependent, making it hard for people who use different wallet software from being able to easily do so. One of the goals of this document is to create a standard and extensible format that can be used between clients to allow people to pass around the same transaction to sign and combine their signatures. The format is also designed to be easily extended for future use which is harder to do with existing transaction formats. Signing transactions also requires users to have access to the UTXOs being spent. This transaction format will allow offline signers such as air-gapped wallets and hardware wallets to be able to sign transactions without needing direct access to the UTXO set and without risk of being defrauded. ==Specification== The Partially Signed Bitcoin Transaction (PSBT) format consists of key-value maps. Each map consists of a sequence of key-value records, terminated by a 0x00 byte '''Why is the separator here 0x00 instead of 0xff?''' The separator here is used to distinguish between each chunk of data. A separator of 0x00 would mean that the unserializer can read it as a key length of 0, which would never occur with actual keys. It can thus be used as a separator and allow for easier unserializer implementation.. := * * := 0x70 0x73 0x62 0x74 0xFF := * 0x00 := * 0x00 := * 0x00 := := := Where: ; : A compact size unsigned integer representing the type. This compact size unsigned integer must be minimally encoded, i.e. if the value can be represented using one byte, it must be represented as one byte. There can be multiple entries with the same within a specific , but the must be unique. ; : The compact size unsigned integer containing the combined length of and ; : The compact size unsigned integer containing the length of . ; : Magic bytes which are ASCII for psbt '''Why use 4 bytes for psbt?''' The transaction format needed to start with a 5 byte header which uniquely identifies it. The first bytes were chosen to be the ASCII for psbt because that stands for Partially Signed Bitcoin Transaction. followed by a separator of 0xFF'''Why Use a separator after the magic bytes?''' The separator is part of the 5 byte header for PSBT. This byte is a separator of 0xff because this will cause any non-PSBT unserializer to fail to properly unserialize the PSBT as a normal transaction. Likewise, since the 5 byte header is fixed, no transaction in the non-PSBT format will be able to be unserialized by a PSBT unserializer.. This integer must be serialized in most significant byte order. The currently defined global types are as follows: {| ! Name ! ! ! Description ! ! Description ! Versions Requiring Inclusion ! Versions Requiring Exclusion ! Versions Allowing Inclusion ! Parent BIP |- | Unsigned Transaction | PSBT_GLOBAL_UNSIGNED_TX = 0x00 | None | No key data | | The transaction in network serialization. The scriptSigs and witnesses for each input must be empty. The transaction must be in the old serialization format (without witnesses). | 0 | | 0 | 174 |- | Extended Public Key | PSBT_GLOBAL_XPUB = 0x01 | | The 78 byte serialized extended public key as defined by BIP 32. Extended public keys are those that can be used to derive public keys used in the inputs and outputs of this transaction. It should be the public key at the highest hardened derivation index so that the unhardened child keys used in the transaction can be derived. | <32-bit uint> <32-bit uint>* | The master key fingerprint as defined by BIP 32 concatenated with the derivation path of the public key. The derivation path is represented as 32-bit little endian unsigned integer indexes concatenated with each other. The number of 32 bit unsigned integer indexes must match the depth provided in the extended public key. | | | 0, 2 | 174 |- | Transaction Version | PSBT_GLOBAL_TX_VERSION = 0x02 | None | No key data | <32-bit uint> | The 32-bit little endian signed integer representing the version number of the transaction being created. Note that this is not the same as the PSBT version number specified by the PSBT_GLOBAL_VERSION field. | 2 | 0 | 2 | [[bip-psb2.mediawiki|psbt2]] |- | Fallback Locktime | PSBT_GLOBAL_FALLBACK_LOCKTIME = 0x03 | None | No key data | <32-bit uint> | The 32-bit little endian unsigned integer representing the transaction locktime to use if no inputs specify a required locktime. | | 0 | 2 | [[bip-psb2.mediawiki|psbt2]] |- | Input Count | PSBT_GLOBAL_INPUT_COUNT = 0x04 | None | No key data | | Compact size unsigned integer representing the number of inputs in this PSBT. | 2 | 0 | 2 | [[bip-psb2.mediawiki|psbt2]] |- | Output Count | PSBT_GLOBAL_OUTPUT_COUNT = 0x05 | None | No key data | | Compact size unsigned integer representing the number of outputs in this PSBT. | 2 | 0 | 2 | [[bip-psb2.mediawiki|psbt2]] |- | Transaction Modifiable Flags | PSBT_GLOBAL_TX_MODIFIABLE = 0x06 | None | No key data | | A single byte boolean (0 for False, 1 for True) representing whether inputs can be modified, followed by a single byte boolean representing whether outputs can be modified. | | 0 | 2 | [[bip-psb2.mediawiki|psbt2]] |- | SIGHASH_SINGLE Inputs | PSBT_GLOBAL_SIGHASH_SINGLE_INPUTS = 0x07 | None | No key data | | A bit vector representing which input indexes use SIGHASH_SINGLE. If the bit for an index is set to 1, then the input and output pair at that index are tied together with SIGHASH_SINGLE and must be moved together. | | 0 | 2 | [[bip-psb2.mediawiki|psbt2]] |- | PSBT Version Number | PSBT_GLOBAL_VERSION = 0xFB | None | No key data | <32-bit uint> | The 32-bit little endian unsigned integer representing the version number of this PSBT. If omitted, the version number is 0. | | | 0, 2 | 174 |- | Proprietary Use Type | PSBT_GLOBAL_PROPRIETARY = 0xFC | | Compact size unsigned integer , followed by identifier prefix of that length , followed by a subtype , followed by the key data itself . | | Any value data as defined by the proprietary type user. | | | 0, 2 | 174 |} The currently defined per-input types are defined as follows: {| ! Name ! ! ! Description ! ! Description ! Versions Requiring Inclusion ! Versions Requiring Exclusion ! Versions Allowing Inclusion ! Parent BIP |- | Non-Witness UTXO | PSBT_IN_NON_WITNESS_UTXO = 0x00 | None | No key data | | The transaction in network serialization format the current input spends from. This should be present for inputs that spend non-segwit outputs and can be present for inputs that spend segwit outputs. An input can have both PSBT_IN_NON_WITNESS_UTXO and PSBT_IN_WITNESS_UTXO. '''Why can both UTXO types be provided?''' Many wallets began requiring the full previous transaction (i.e. PSBT_IN_NON_WITNESS_UTXO) for segwit inputs when PSBT was already in use. In order to be compatible with software which were expecting PSBT_IN_WITNESS_UTXO, both UTXO types must be allowed. | | | 0, 2 | 174 |- | Witness UTXO | PSBT_IN_WITNESS_UTXO = 0x01 | None | No key data | <64-bit int> | The entire transaction output in network serialization which the current input spends from. This should only be present for inputs which spend segwit outputs, including P2SH embedded ones. An input can have both PSBT_IN_NON_WITNESS_UTXO and PSBT_IN_WITNESS_UTXO | | | 0, 2 | 174 |- | Partial Signature | PSBT_IN_PARTIAL_SIG = 0x02 | | The public key which corresponds to this signature. | | The signature as would be pushed to the stack from a scriptSig or witness. | | | 0, 2 | 174 |- | Sighash Type | PSBT_IN_SIGHASH_TYPE = 0x03 | None | No key data | <32-bit uint> | The 32-bit unsigned integer specifying the sighash type to be used for this input. Signatures for this input must use the sighash type, finalizers must fail to finalize inputs which have signatures that do not match the specified sighash type. Signers who cannot produce signatures with the sighash type must not provide a signature. | | | 0, 2 | 174 |- | Redeem Script | PSBT_IN_REDEEM_SCRIPT = 0x04 | None | No key data | | The redeemScript for this input if it has one. | | | 0, 2 | 174 |- | Witness Script | PSBT_IN_WITNESS_SCRIPT = 0x05 | None | No key data | | The witnessScript for this input if it has one. | | | 0, 2 | 174 |- | BIP 32 Derivation Path | PSBT_IN_BIP32_DERIVATION = 0x06 | | The public key | <32-bit uint> <32-bit uint>* | The master key fingerprint as defined by BIP 32 concatenated with the derivation path of the public key. The derivation path is represented as 32 bit unsigned integer indexes concatenated with each other. Public keys are those that will be needed to sign this input. | | | 0, 2 | 174 |- | Finalized scriptSig | PSBT_IN_FINAL_SCRIPTSIG = 0x07 | None | No key data | | The Finalized scriptSig contains a fully constructed scriptSig with signatures and any other scripts necessary for the input to pass validation. | | | 0, 2 | 174 |- | Finalized scriptWitness | PSBT_IN_FINAL_SCRIPTWITNESS = 0x08 | None | No key data | | The Finalized scriptWitness contains a fully constructed scriptWitness with signatures and any other scripts necessary for the input to pass validation. | | | 0, 2 | 174 |- | Proof-of-reserves commitment | PSBT_IN_POR_COMMITMENT = 0x09 | None | No key data | | The UTF-8 encoded commitment message string for the proof-of-reserves. See [[bip-0127.mediawiki|BIP 127]] for more information. | | | 0, 2 | [[bip-0127.mediawiki|127]] |- | RIPEMD160 preimage | PSBT_IN_RIPEMD160 = 0x0a | <20-byte hash> | The resulting hash of the preimage | | The hash preimage, encoded as a byte vector, which must equal the key when run through the RIPEMD160 algorithm | | | 0, 2 | 174 |- | SHA256 preimage | PSBT_IN_SHA256 = 0x0b | <32-byte hash> | The resulting hash of the preimage | | The hash preimage, encoded as a byte vector, which must equal the key when run through the SHA256 algorithm | | | 0, 2 | 174 |- | HASH160 preimage | PSBT_IN_HASH160 = 0x0c | <20-byte hash> | The resulting hash of the preimage | | The hash preimage, encoded as a byte vector, which must equal the key when run through the SHA256 algorithm followed by the RIPEMD160 algorithm | | | 0, 2 | 174 |- | HASH256 preimage | PSBT_IN_HASH256 = 0x0d | <32-byte hash> | The resulting hash of the preimage | | The hash preimage, encoded as a byte vector, which must equal the key when run through the SHA256 algorithm twice | | | 0, 2 | 174 |- | Previous TXID | PSBT_IN_PREVIOUS_TXID = 0x0e | None | No key data | | 32 byte txid of the previous transaction whose output at PSBT_IN_OUTPUT_INDEX is being spent. | 2 | 0 | 2 | [[bip-psb2.mediawiki|psbt2]] |- | Spent Output Index | PSBT_IN_OUTPUT_INDEX = 0x0f | None | No key data | <32-bit uint> | 32 bit little endian integer representing the index of the output being spent in the transaction with the txid of PSBT_IN_PREVIOUS_TXID. | 2 | 0 | 2 | [[bip-psb2.mediawiki|psbt2]] |- | Sequence Number | PSBT_IN_SEQUENCE = 0x10 | None | No key data | <32-bit uint> | The 32 bit unsigned little endian integer for the sequence number of this input. If omitted, the sequence number is assumed to be the final sequence number (0xffffffff). | | 0 | 2 | [[bip-psb2.mediawiki|psbt2]] |- | Required Time-based Locktime | PSBT_IN_REQUIRED_TIME_LOCKTIME = 0x11 | None | No key data | <32-bit uint> | 32 bit unsigned little endian integer greater than or equal to 500000000 representing the minimum Unix timestamp that this input requires to be set as the transaction's lock time. | | 0 | 2 | [[bip-psb2.mediawiki|psbt2]] |- | Required Height-based Locktime | PSBT_IN_REQUIRED_HEIGHT_LOCKTIME = 0x12 | None | No key data | <32-bit uiht> | 32 bit unsigned little endian integer less than 500000000 representing the minimum block height that this input requires to be set as the transaction's lock time. | | 0 | 2 | [[bip-psb2.mediawiki|psbt2]] |- | Proprietary Use Type | PSBT_IN_PROPRIETARY = 0xFC | | Compact size unsigned integer , followed by identifier prefix of that length , followed by a subtype , followed by the key data itself . | | Any value data as defined by the proprietary type user. | | | 0, 2 | 174 |} The currently defined per-output '''Why do we need per-output data?''' Per-output data allows signers to verify that the outputs are going to the intended recipient. The output data can also be use by signers to determine which outputs are change outputs and verify that the change is returning to the correct place. types are defined as follows: {| ! Name ! ! ! Description ! ! Description ! Versions Requiring Inclusion ! Versions Requiring Exclusion ! Versions Allowing Inclusion ! Parent BIP |- | Redeem Script | PSBT_OUT_REDEEM_SCRIPT = 0x00 | None | No key data | | The redeemScript for this output if it has one. | | | 0, 2 | 174 |- | Witness Script | PSBT_OUT_WITNESS_SCRIPT = 0x01 | None | No key data | | The witnessScript for this output if it has one. | | | 0, 2 | 174 |- | BIP 32 Derivation Path | PSBT_OUT_BIP32_DERIVATION = 0x02 | | The public key | <{32-bit uint> <32-bit uint>* | The master key fingerprint concatenated with the derivation path of the public key. The derivation path is represented as 32-bit little endian unsigned integer indexes concatenated with each other. Public keys are those needed to spend this output. | | | 0, 2 | 174 |- | Output Amount | PSBT_OUT_AMOUNT = 0x03 | None | No key data | <64-bit int> | 64 bit signed little endian integer representing the output's amount in satoshis. | 2 | 0 | 2 | [[bip-psb2.mediawiki|psbt2]] |- | Output Script | PSBT_OUT_SCRIPT = 0x04 | None | No key data |