Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

PSBT: Add pay-to-contract tweaks to tx inputs #1239

Closed
wants to merge 1 commit into from
Closed

PSBT: Add pay-to-contract tweaks to tx inputs #1239

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
33 changes: 33 additions & 0 deletions bip-0174.mediawiki
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -494,6 +494,39 @@ The currently defined per-input types are defined as follows:
| 0, 2
| [[bip-0371.mediawiki|371]]
|-
| ECDSA P2C Key Tweak
| <tt>PSBT_IN_ECDSA_P2C_TWEAK = 0x19</tt>
| <tt><pubkey></tt>
| 33 bytes of compact public key serialization specifying to which of keys the ECDSA tweak must be applied (i.e. this MUST be a value of a public key before the tweak is applied)
| <tt><tweak></tt>
| The 32 byte value which MUST be added to a private key to produce correct ECDSA signature ("key tweak"). Signers should remove this field after <tt>PSBT_IN_PARTIAL_SIG</tt> is constructed.
|
|
| 0, 2
| 174
|-
| Taproot Per-key P2C Tweak
| <tt>PSBT_IN_TAP_P2C_TWEAK = 0x1a</tt>
| <tt><xonlypubkey></tt>
| 32 bytes of public key specifying to which of keys tweak must be applied (i.e. this MUST be a value of a public key before the tweak is applied)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does there need to be any consideration for keys in leaf scripts?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I expect this to be a bad practice: the commitment must be singular per output (for instance to prevent double spends in second-layer systems like RGB), so allowing multiple tweaks in the same output is a security risk.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would like to support keys in leaf scripts (and arbitrary numbers of tweaks on arbitrary sets of keys). If the possibility is a security risk for some other protocol there is nothing that PSBT can do about it.

Copy link
Contributor Author

@dr-orlovsky dr-orlovsky Jan 11, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok, probably I was overcautious.

Actually there is no risk in spending P2C output, since the commitment is produced not at the spending time.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@apoelstra what do you mean by "tweaks on arbitrary sets of keys":

  • the same tweak must be applied to each of the keys in the set;
  • the tweak must be applied to one and only one key (i.e. the sum of this keys commits to the tweak)?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I came to conclusion that even most complex cases can be covered by a quite simple setup - pls see my description in https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-January/019761.html

| <tt><tweak></tt>
| The 32 byte value which MUST be added to a private key to produce correct BIP-340 signature ("key tweak"). Signers should remove this field after <tt>PSBT_IN_PARTIAL_SIG</tt> is constructed.
|
|
| 0, 2
| 174
|-
| Taproot Internal P2C Tweak
| <tt>PSBT_IN_INTERNAL_P2C_TWEAK = 0x1b</tt>
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The difference between this and PSBT_IN_TAP_P2C_TWEAK is not clear to me. ISTM this is for the internal key specifically, but the same effect can be achieved by specifying the internal key in PSBT_IN_TAP_P2C_TWEAK.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agree, good point

| <tt><xonlypubkey></tt>
| 32 bytes of the original internal taproot public key before any non-taproot tweak is applied, i.e. if <tt>Q = (P' + tweak * G) + TapTweakHash(P || m) * G</tt>, this should be a value of <tt>P</tt>
| <tt><tweak></tt>
| The 32 byte value which MUST be added to a private internal key to produce correct BIP-340 signature ("key tweak"). Signers should remove this field after <tt>PSBT_IN_PARTIAL_SIG</tt> is constructed.
|
|
| 0, 2
| 174
|-
| Proprietary Use Type
| <tt>PSBT_IN_PROPRIETARY = 0xFC</tt>
| <tt><identifierlen> <identifier> <subtype> <subkeydata></tt>
Expand Down