-
Notifications
You must be signed in to change notification settings - Fork 5.4k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Bip Draft: Sending Silent Payments in PSBTs
- Loading branch information
1 parent
71aafb2
commit 81187dc
Showing
1 changed file
with
187 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,187 @@ | ||
<pre> | ||
BIP: ? | ||
Layer: Applications | ||
Title: Sending Silent Payments with PSBTs | ||
Author: Andrew Toth <[email protected]> | ||
Ava Chow <[email protected]> | ||
josibake <[email protected]> | ||
Comments-Summary: No comments yet. | ||
Comments-URI: TBD | ||
Status: Draft | ||
Type: Standards Track | ||
Created: 2024-05-14 | ||
License: BSD-2-Clause | ||
</pre> | ||
|
||
==Introduction== | ||
|
||
===Abstract=== | ||
|
||
This document proposes additional fields and updated role responsibilities for BIP 370 PSBTv2 | ||
which adds support for sending to silent payments as described in BIP352. | ||
|
||
===Copyright=== | ||
|
||
This BIP is licensed under the 2-clause BSD license. | ||
|
||
===Motivation=== | ||
|
||
Partially Signed Bitcoin Transaction Version 2 as described in BIP 370 is not compatible with sending to silent payments as described in BIP352. In particular, the output script of a silent payment cannot be computed until after all transaction inputs have been added. | ||
Also, any inputs that the Signer has the private keys for must be signed with SIGHASH_ALL and all inputs must not have any scriptPubKeys with Segwit version > 1. | ||
Additionally, the silent payment outputs computed by a signer must be verifiable to other entities. | ||
Therefore, new fields and role responsibilities must be added to carry, compute, and verify the silent payment data. | ||
|
||
==Specification== | ||
|
||
This document specifies new fields and new field inclusion/exclusion requirements. | ||
|
||
<tt>PSBT_OUT_SCRIPT</tt> is modified to be optional for outputs in silent payments capable PSBTs. If this field is not included in the output, then the field PSBT_OUT_SP_V0_INFO must be included. | ||
|
||
The new global types are defined as follows: | ||
|
||
{| | ||
! Name | ||
! <tt><keytype></tt> | ||
! <tt><keydata></tt> | ||
! <tt><keydata></tt> Description | ||
! <tt><valuedata></tt> | ||
! <tt><valuedata></tt> Description | ||
! Versions Requiring Inclusion | ||
! Versions Requiring Exclusion | ||
! Versions Allowing Inclusion | ||
|- | ||
| Silent Payment Global ECDH Share | ||
| <tt>PSBT_GLOBAL_SP_ECDH_SHARE = 0x07</tt> | ||
| <tt><33 byte scan key> <34 byte outpoint>*</tt> | ||
| The scan key and a list of outpoints corresponding to the prevouts of the inputs that this ECDH share is for. The outpoints are composed of a 32 byte txid followed by a 32-bit little endian uint. | ||
| <tt><32 byte share></tt> | ||
| An ECDH share for a scan key, followed by a list of outpoints. The ECDH shared is computed with ''a * B_scan'', where ''a'' is the sum of all private keys of the inputs matching the list of outpoints, and ''B_scan'' is the scan key of a recipient. | ||
| | ||
| 0 | ||
| 2 | ||
|- | ||
| Silent Payment Global DLEQ Proof | ||
| <tt>PSBT_GLOBAL_SP_DLEQ = 0x08</tt> | ||
| <tt><33 byte scan key> <34 byte outpoint>*</tt> | ||
| The scan key and a list of outpoints corresponding to the prevouts of the inputs that this proof covers. The outpoints are composed of a 32 byte txid followed by a 32-bit little endian uint. | ||
| <tt><64-byte proof></tt> | ||
| A DLEQ proof computed for the matching ECDH share. | ||
| | ||
| 0 | ||
| 2 | ||
|} | ||
|
||
One new per-output type is defined as follows: | ||
|
||
{| | ||
! Name | ||
! <tt><keytype></tt> | ||
! <tt><keydata></tt> | ||
! <tt><keydata></tt> Description | ||
! <tt><valuedata></tt> | ||
! <tt><valuedata></tt> Description | ||
! Versions Requiring Inclusion | ||
! Versions Requiring Exclusion | ||
! Versions Allowing Inclusion | ||
|- | ||
| Silent Payment Data | ||
| <tt>PSBT_OUT_SP_V0_INFO = 0x08</tt> | ||
| None | ||
| No key data | ||
| <tt><33 byte scan key> <33 byte spend key></tt> | ||
| The scan and spend public keys from the silent payments address. | ||
| | ||
| 0 | ||
| 2 | ||
|} | ||
|
||
===Unique Identification=== | ||
|
||
Silent payment capable PSBTs can be uniquely identified the same way as PSBTv2s, except when including silent payment outputs. For silent payment capable PSBTs, all silent payment outputs must use the PSBT_OUT_SP_V0_INFO instead of PSBT_OUT_SCRIPT as the output script when creating the unsigned transaction used for unique identification. | ||
|
||
==Roles== | ||
|
||
This document modifies some existing roles. | ||
|
||
===Constructor=== | ||
|
||
All rules must be followed from PSBTv2 for this role, with the following exception: | ||
When an output is added, it must have either PSBT_OUT_SCRIPT or PSBT_OUT_SP_V0_INFO, or both, set. | ||
|
||
Additionally to PSBTv2, the Constructor must also follow additional rules: | ||
|
||
Inputs spending an output with script using Segwit version > 1 may only be added if there are no outputs with PSBT_OUT_SP_V0_INFO set. | ||
Outputs with PSBT_OUT_SP_V0_INFO set may only be added if there are no inputs spending an output script using Segwit version > 1. | ||
|
||
===Signer=== | ||
|
||
All rules must be followed from PSBTv2 for this role. If there are any outputs with PSBT_OUT_SP_V0_INFO set, then the following additional rules must also be adhered to: | ||
|
||
If any input is spending an output with script using Segwit version > 1, the Signer must fail. | ||
|
||
For all outputs with PSBT_OUT_SP_V0_INFO set, the Signer should: | ||
- Compute and set an ECDH share and DLEQ proof using all inputs it has the private key for. | ||
- Verify the DLEQ proofs for all inputs it does not have the private keys for. | ||
- If all eligible inputs have an ECDH share, compute and set the PSBT_OUT_SCRIPT. | ||
|
||
If the Signer sets any missing PSBT_OUT_SCRIPTs, it must set the Inputs Modifiable flag to False. | ||
|
||
If any output does not have PSBT_OUT_SCRIPT set, the Signer must not yet add a signature. | ||
|
||
The Signer should additionally compute the silent payment addresses, optionally showing this data to the user instead of the computed segwit v1 addresses. | ||
|
||
If a sighash type is provided and there are silent payment outputs present, the signer must fail if the sighash type is not SIGHASH_ALL. | ||
If a sighash type is not provided and there are silent payment outputs present, the signer must sign using SIGHASH_ALL. | ||
|
||
====Computing the DLEQ Proof==== | ||
|
||
For each output with PSBT_OUT_SP_V0_INFO set, the Signer may generate a proof for other entities to generate the output scripts and verify that the output scripts were generated correctly. | ||
|
||
Generate a global ECDH share for each scan key ''B<sub>scan</sub>'' and all eligible inputs the Signer has private keys for as follows: | ||
|
||
Using the notation from [https://github.com/bitcoin/bips/blob/master/bip-0352.mediawiki#specification BIP352] | ||
|
||
* Let ''A<sub>n</sub>'' be the sum of the public keys ''A'' of all eligible inputs | ||
* Let ''a<sub>n</sub>'' be the sum of the private keys ''a'' of all eligible inputs | ||
* Let ''C = a<sub>n</sub>·B<sub>scan</sub>'' | ||
Use a key ''B<sub>scan</sub>'' followed by a list of the outpoints of all eligible inputs. | ||
|
||
Set the value for the key of PSBT_GLOBAL_SP_ECDH_SHARE to ''C''. | ||
|
||
Compute the DLEQ proof for ''C'' using ''a<sub>n</sub>'' and ''B<sub>scan</sub>''. | ||
Set the value for the key of PSBT_GLOBAL_SP_DLEQ to the proof. | ||
|
||
====Verifying the DLEQ Proof==== | ||
|
||
For each output with PSBT_OUT_SP_V0_INFO set, the Signer should verify the ECDH shares for all eligible inputs it does not have the private key for using the proofs provided by other Signers. | ||
|
||
====Computing the Output Scripts==== | ||
|
||
Compute the PSBT_OUT_SCRIPT using the procedure in [https://github.com/bitcoin/bips/blob/master/bip-0352.mediawiki#user-content-Creating_outputs BIP352] but substituting ''a·B<sub>scan</sub>'' with the sum of all PSBT_GLOBAL_SP_ECDH_SHAREs for that scan key. | ||
If there are multiple silent payment codes with the same scan key, sort the codes lexicographically in ascending order to determine the ordering of the ''k'' value. | ||
If there are multiple silent payment codes with both the same scan and spend keys, sort the subgroup by output index in ascending order. | ||
|
||
====Change Detection==== | ||
|
||
Updaters may add two PSBT_OUT_BIP32_DERIVATION key-value-pairs with the corresponding derivation path of both the scan and spend keys. The Signer can then use these fields to verify that the silent payment code is change. | ||
|
||
===Transaction Extractor=== | ||
|
||
For silent payment capable PSBTs, the transaction extractor should compute all output scripts for silent payment codes and verify they are correct using the ECDH shares and DLEQ proofs, otherwise fail. | ||
|
||
==Backwards Compatibility== | ||
|
||
Silent payment capable PSBTs are backwards compatible with PSBTv2 once all outputs have PSBT_OUT_SCRIPT set. Otherwise they are not backwards compatible. | ||
|
||
==Test Vectors== | ||
|
||
Todo | ||
|
||
==Rationale== | ||
|
||
<references/> | ||
|
||
==Reference implementation== | ||
|
||
Todo |