feat: unspendable key path for multisig #1
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
andrewtoth
reviewed
Jan 6, 2025
| </pre> | ||
|
|
||
| ==Abstract== | ||
| This document specifies a <tt>unspendable()</tt> key expression for output script descriptors. The <tt>unspendable()</tt> expression takes multiple public keys as input and produces an unspendable public key that can be independently verified by anyone with knowledge of all the constituent public keys. |
There was a problem hiding this comment.
I don't think we want to give keys to the expression. It should introspect the the descriptor and collect the keys itself.
It should also specify that it's constituent extended public keys.
| This document introduces a mechanism to compute a NUMS (Nothing Up My Sleeve) point for use in the Taproot key path that: | ||
| * Allows active participants involved in constructing the output script to independently verify the unspendable key. | ||
| * Prevents passive observers from recognizing that the key path is unspendable. | ||
| * Enables signers with limited information, such as hardware wallets, to verify unspendability without requiring user interaction. |
There was a problem hiding this comment.
Another motivation is having a deterministic key that can be recreated from the rest of the descriptor, so that the entropy does not have to be backed up separately.
bip-xxxx.mediawiki
Outdated
|
|
||
| The vector of keys is processed in the following sequence: deduplication, compression, sorting, concatenation, and finally, SHA256 hashing to generate a chaincode <tt>r</tt>. | ||
| A new unspendable key is constructed by taking the NUMS point <tt>H</tt>, suggested in BIP-0341, and attaching the chaincode <tt>r</tt> we previously computed. | ||
| <tt>H + r*G</tt> where <tt>H = lift_x(0x50929b74c1a04954b78b4b6035e97a5e078a5a0f28ec96d547bfee9ace803ac0)</tt> |
There was a problem hiding this comment.
We don't want to do this, we will use the pubkey 0x50929b74c1a04954b78b4b6035e97a5e078a5a0f28ec96d547bfee9ace803ac0 and r is the chaincode.
bip-xxxx.mediawiki
Outdated
| <tt>H + r*G</tt> where <tt>H = lift_x(0x50929b74c1a04954b78b4b6035e97a5e078a5a0f28ec96d547bfee9ace803ac0)</tt> | ||
|
|
||
| Q: should we add a prefix like the "BIPXXXX" before we SHA256 the keys to ensure the preimage was not previously leaked before this BIP? | ||
| Q: is it desireable to specify the keys in the expressions or to extract it from the script expression indirectly? |
bip-xxxx.mediawiki
Outdated
|
|
||
| Q: should we add a prefix like the "BIPXXXX" before we SHA256 the keys to ensure the preimage was not previously leaked before this BIP? | ||
| Q: is it desireable to specify the keys in the expressions or to extract it from the script expression indirectly? | ||
| Q: compress first and then sort, or sort and then compress? |
There was a problem hiding this comment.
I think we should only use this with compressed public keys. So, fail if not compressed.
bip-xxxx.mediawiki
Outdated
| A new unspendable key is constructed by taking the NUMS point <tt>H</tt>, suggested in BIP-0341, and attaching the chaincode <tt>r</tt> we previously computed. | ||
| <tt>H + r*G</tt> where <tt>H = lift_x(0x50929b74c1a04954b78b4b6035e97a5e078a5a0f28ec96d547bfee9ace803ac0)</tt> | ||
|
|
||
| Q: should we add a prefix like the "BIPXXXX" before we SHA256 the keys to ensure the preimage was not previously leaked before this BIP? |
There was a problem hiding this comment.
Ahh yes we should probably use a tagged hash with BIPXXXX/pubkeys.
…path Update specification and add test vectors
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.