From: Robert Spigler <RobertSpigler@protonmail.ch>
To: SomberNight <somber.night@protonmail.com>,
"bitcoin-dev@lists.linuxfoundation.org"
<bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Signature and Script Independent Hierarchy for Deterministic Wallets.
Date: Sun, 14 Mar 2021 20:46:14 +0000 [thread overview]
Message-ID: <QZfbtDnhhbNNFo6859MyCotRPeN-sdotrP2qM-Uitq5DYATVzqIgIb_UEtXETGk941M3HWDzxCmO9j84wjzuKndHOo6kxg3A9qCd8WWlAOI=@protonmail.ch> (raw)
In-Reply-To: <z1Vokp3jct_xwR8wt3n6r8t24DqtMpnrogF22YFc0_V3riIMWEq3WBiOriJOm2kVrVgtsu5p7wDTMrN3dLdA8DilhITMXb4tHY6wCnk3y1g=@protonmail.com>
No, wallets don't and shouldn't have to check all script types on recovery. Descriptor Wallets solve all of this.
To back up a multisignature wallet, each cosigner stores their xprv (how you do this; BIP39, WIF, etc, is out of scope). and the wallet descriptor. This is done, for example, in Yeti. To recover, simply combine `M` private keys, and check the script designated in 1 of the descriptor copies.
For single signature wallets, it is the same, except only one signature is needed. Store xprv and descriptor.
It is not fair nor accurate to say that currently, in order to recover, wallets need "just the seed words". They also need all public keys, and derivation paths.
Descriptors (and this BIP), is a much cleaner way to handle wallet creation and backup, by separating the two layers (keys and scripts) and getting rid of redundant information.
Personal Fingerprint: BF0D 3C08 A439 5AC6 11C1 5395 B70B 4A77 F850 548F
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Sunday, March 14, 2021 11:13 AM, SomberNight <somber.night@protonmail.com> wrote:
> See some replies inline. (quoted text from BIP draft)
>
> > Date: Sun, 14 Mar 2021 01:51:15 +0000
> > From: Robert Spigler RobertSpigler@protonmail.ch
> > Subject: [bitcoin-dev] Signature and Script Independent Hierarchy for Deterministic Wallets.
>
> > There are many issues with the current standards. As background, BIP 44/49/84 specifies:
> > `m / purpose' / coin_type' / account' / change / address_index`
> > where the BIP43 `purpose'` path is separate for each script (P2PKH, P2WPKH-in-P2SH, and P2WPKH respectively). However, these per-script derivations are made redundant with descriptors
>
> > We should not be mixing keys and scripts in the same layer. The wallet should create extended private/public keys independent of the script or signature type
>
> You say that keys and scripts should not be mixed in the same layer, and imply that this was solely done due to these standards predating output script descriptors. Even if this was the case, it is not the only reason for doing it. BIP44/49/84 mixing scripts and keys in the same layer makes recovery from seed/mnemonic much easier.
> Note the significant overlap between the authors of BIP39 and BIP44. I am fairly certain BIP44 was designed with recovering from a BIP39 seed (and no additional information backed up) in mind. Note the "Account discovery" section of BIP44.
> (Electrum seeds go even further, as such seeds contain a version number that encodes both the script type and the key derivation path to use.)
>
> > We define the following 5 levels in the BIP32 path:
> > `m / purpose' / coin_type' / account' / change / address_index`
>
> > [Account]
> > It is crucial that this level is increased for each new wallet joined or private/public keys created; for both privacy and cryptographic purposes.
> > For example, in multisignature wallets, before sending a new key record to a coordinator, the wallet must increment the `account'` level. Before creating it's own single signature wallet, the `account'` level must again be incremented.
>
> Imagine a user who has a BIP39 (or similar) seed. Even today, recovering most non-singlesig scripts from that is obviously infeasible. However, all singlesig scripts at least can be discovered if the keys are using the suggested derivation paths.
> By trying to create a standard that mixes discoverable and non-discoverable scripts in the same derivation scheme and incrementing a single index, you are turning all scripts into being non-discoverable.
> Note that even if a user only used singlesig scripts and followed this proposal, during recovery from seed the wallet would have to check all script types for all account indices (which is only ever going to get more expensive as new script types come).
> The workaround and I imagine your suggested solution is clearly to backup both seed words and output script descriptors; and to keep appending new output script descriptors to existing backups when the account index is incremented. While much less user-friendly than backing up just a seed, it is more generic and extendable.
>
> My point is simply that your proposal is making a tradeoff here. The tradeoff itself seems easy to miss on first read of the text, so I just wanted to explicitly point it out for the record.
>
> ghost43 / SomberNight
next prev parent reply other threads:[~2021-03-14 20:46 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-14 15:13 [bitcoin-dev] Signature and Script Independent Hierarchy for Deterministic Wallets SomberNight
2021-03-14 20:46 ` Robert Spigler [this message]
2021-03-17 7:26 ` Craig Raw
2021-03-18 15:29 ` Jochen Hoenicke
2021-03-18 20:44 ` Robert Spigler
2021-03-18 21:42 ` Robert Spigler
2021-03-19 7:54 ` Craig Raw
2021-03-19 8:59 ` Robert Spigler
-- strict thread matches above, loose matches on Subject: below --
2021-03-14 1:51 Robert Spigler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='QZfbtDnhhbNNFo6859MyCotRPeN-sdotrP2qM-Uitq5DYATVzqIgIb_UEtXETGk941M3HWDzxCmO9j84wjzuKndHOo6kxg3A9qCd8WWlAOI=@protonmail.ch' \
--to=robertspigler@protonmail.ch \
--cc=bitcoin-dev@lists.linuxfoundation.org \
--cc=somber.night@protonmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox