* Re: [bitcoin-dev] Signature and Script Independent Hierarchy for Deterministic Wallets.
@ 2021-03-14 15:13 SomberNight
  2021-03-14 20:46 ` Robert Spigler
  0 siblings, 1 reply; 9+ messages in thread
From: SomberNight @ 2021-03-14 15:13 UTC (permalink / raw)
  To: Bitcoin Protocol Discussion, Robert Spigler

See some replies inline. (quoted text from BIP draft)

> Date: Sun, 14 Mar 2021 01:51:15 +0000
> From: Robert Spigler <RobertSpigler@protonmail.ch>
> Subject: [bitcoin-dev] Signature and Script Independent Hierarchy for Deterministic Wallets.

> There are many issues with the current standards. As background, BIP 44/49/84 specifies:
> `m / purpose' / coin_type' / account' / change / address_index`
> where the BIP43 `purpose'` path is separate for each script (P2PKH, P2WPKH-in-P2SH, and P2WPKH respectively).  However, these per-script derivations are made redundant with descriptors

> We should not be mixing keys and scripts in the same layer. The wallet should create extended private/public keys independent of the script or signature type

You say that keys and scripts should not be mixed in the same layer, and imply that this was solely done due to these standards predating output script descriptors. Even if this was the case, it is not the only reason for doing it. BIP44/49/84 mixing scripts and keys in the same layer makes recovery from seed/mnemonic much easier.
Note the significant overlap between the authors of BIP39 and BIP44. I am fairly certain BIP44 was designed with recovering from a BIP39 seed (and no additional information backed up) in mind. Note the "Account discovery" section of BIP44.
(Electrum seeds go even further, as such seeds contain a version number that encodes both the script type and the key derivation path to use.)

> We define the following 5 levels in the BIP32 path:
> `m / purpose' / coin_type' / account' / change / address_index`

> [Account]
> It is crucial that this level is increased for each new wallet joined or private/public keys created; for both privacy and cryptographic purposes.
> For example, in multisignature wallets, before sending a new key record to a coordinator, the wallet must increment the `account'` level.  Before creating its own single signature wallet, the `account'` level must again be incremented.

Imagine a user who has a BIP39 (or similar) seed. Even today, recovering most non-singlesig scripts from that is obviously infeasible. However, all singlesig scripts at least can be discovered if the keys are using the suggested derivation paths.
By trying to create a standard that mixes discoverable and non-discoverable scripts in the same derivation scheme and incrementing a single index, you are turning all scripts into being non-discoverable.
Note that even if a user only used singlesig scripts and followed this proposal, during recovery from seed the wallet would have to check all script types for all account indices (which is only ever going to get more expensive as new script types come).
The workaround, and I imagine your suggested solution, is clearly to back up both seed words and output script descriptors, and to keep appending new output script descriptors to existing backups when the account index is incremented. While much less user-friendly than backing up just a seed, it is more generic and extendable.

My point is simply that your proposal is making a tradeoff here. The tradeoff itself seems easy to miss on first read of the text, so I just wanted to explicitly point it out for the record.

ghost43 / SomberNight


* [bitcoin-dev] Signature and Script Independent Hierarchy for Deterministic Wallets.
@ 2021-03-14  1:51 Robert Spigler
  0 siblings, 0 replies; 9+ messages in thread
From: Robert Spigler @ 2021-03-14  1:51 UTC (permalink / raw)
  To: bitcoin-dev


Hello,

I am working on a draft BIP for a signature and script independent hierarchy for deterministic wallets.

I believe with the implementation of descriptor wallets, the typical use case of a BIP43 `purpose'` level per script type is redundant. The differentiation of separate BIPs for multisignature derivation paths, with BIP45 and “BIP” 48, is also redundant – with path levels such as `cosigner_index` and `script_type`. Descriptors can set the order of the public keys with `multi` or have them sorted lexicographically with `sortedmulti`.

I don’t believe we should be mixing keys and scripts in the same layer. The wallet should create extended private/public keys independent of the script or signature type, whereas the descriptor language tells wallets to watch (single or multi-sig) outputs with the specified public keys.

The BIP defines the following 5 levels in the BIP32 path:

m / purpose' / coin_type' / account' / change / address_index

It is crucial that the `account'` level is increased for each new wallet joined or private/public keys created; for both privacy and cryptographic purposes. For example, in multisignature wallets, before sending a new key record to a coordinator, the wallet must increment the `account'` level. Before creating its own single signature wallet, the `account'` level must again be incremented. This prevents key reuse - across single signature and multisignature wallets, across ECDSA and Schnorr signatures, and in between the same wallet types.

For full details, please see the BIP here: https://github.com/Rspigler/bips-1/blob/Sane_Mulitisg_deriv/Modern%20Derivation%20Standard.mediawiki

Please see the PR here: https://github.com/Rspigler/bips-1/pull/1

Looking forward to comments.

Thank you,

Robert Spigler

Personal Fingerprint: BF0D 3C08 A439 5AC6 11C1 5395 B70B 4A77 F850 548F
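The tradeoff SomberNight raises above (a single account counter shared by discoverable and non-discoverable scripts) and the draft's rule that the `account'` index is incremented before every new wallet or key record can both be made concrete with a small simulation. The following is an added example written for this archive page; it is not code from the BIP draft, from Electrum, or from any wallet. It derives no keys: a wallet is identified by its `(purpose, account, script)` prefix, a chain scan is replaced by a lookup in a constructed set of prefixes with activity, and the BIP44 address-level gap limit is abstracted to one probe per account prefix. The purpose number used for the proposed scheme is a placeholder, since the thread does not state one.

```python
"""Seed-only account discovery under two derivation schemes (constructed model).

Compares BIP44/49/84 (one purpose per singlesig script, BIP48-style purpose for
multisig) with a scheme that keeps one purpose and one account counter shared by
every wallet regardless of script type. Counts how many singlesig wallets a
seed-only recovery finds and how many chain probes it spends.
"""
from dataclasses import dataclass

# Singlesig script types a wallet can probe for from the seed alone: name -> BIP43 purpose
SINGLESIG = {"pkh": 44, "sh-wpkh": 49, "wpkh": 84}
MULTISIG_PURPOSE = 48        # separate purpose for multisig in the per-script world
PROPOSED_PURPOSE = 999       # placeholder: the draft's purpose number is not given in the thread


@dataclass
class Chain:
    """Stand-in for a blockchain scan: which (purpose, account, script) prefixes have activity."""
    used: frozenset
    probes: int = 0

    def active(self, purpose, account, script):
        # One probe models scanning the account's external chain up to the gap limit
        self.probes += 1
        return (purpose, account, script) in self.used


def allocate_bip44(history):
    """BIP44/49/84 (+ BIP48 for multisig): an independent account counter per purpose."""
    counters = {}
    wallets = []
    for script in history:
        purpose = SINGLESIG.get(script, MULTISIG_PURPOSE)
        account = counters.get(purpose, 0)
        counters[purpose] = account + 1
        wallets.append((purpose, account, script))
    return wallets


def allocate_proposed(history):
    """Draft proposal: one purpose, and the account index is bumped before every new wallet or key record."""
    return [(PROPOSED_PURPOSE, index, script) for index, script in enumerate(history)]


def discover_bip44(chain):
    """BIP44 'Account discovery': per purpose, advance the account index until the first unused one."""
    found = []
    for script, purpose in SINGLESIG.items():
        account = 0
        while chain.active(purpose, account, script):
            found.append((purpose, account, script))
            account += 1
    return found


def discover_proposed(chain):
    """Shared counter: every index must be checked against every singlesig script type.

    A multisig account produces no singlesig activity, so from the seed alone it looks
    unused and the scan stops there, hiding every later account.
    """
    found = []
    account = 0
    while True:
        hits = [s for s in SINGLESIG if chain.active(PROPOSED_PURPOSE, account, s)]
        if not hits:
            break
        found.extend((PROPOSED_PURPOSE, account, s) for s in hits)
        account += 1
    return found


def compare(history):
    """Run both schemes over the same user history; return found/total singlesig wallets and probe counts."""
    total_singlesig = sum(1 for s in history if s in SINGLESIG)
    schemes = (("bip44", allocate_bip44, discover_bip44),
               ("proposed", allocate_proposed, discover_proposed))
    result = {}
    for name, allocate, discover in schemes:
        chain = Chain(frozenset(allocate(history)))
        found = discover(chain)
        result[name] = {"found": len(found), "of": total_singlesig, "probes": chain.probes}
    return result


if __name__ == "__main__":
    # Constructed histories: a user who joins a multisig between two singlesig wallets,
    # and a user who only ever creates singlesig wallets.
    for history in (["wpkh", "multisig", "wpkh", "pkh"], ["wpkh", "wpkh", "pkh"]):
        print(history, compare(history))
```

With the mixed history the per-purpose scheme recovers all three singlesig wallets in six probes, while the shared-counter scheme stops at the multisig account and recovers only the first; with a singlesig-only history both recover everything, but the shared counter spends twice the probes because each index is checked against every script type, which is the growing cost the reply points to.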




Thread overview: 9+ messages
2021-03-14 15:13 [bitcoin-dev] Signature and Script Independent Hierarchy for Deterministic Wallets SomberNight
2021-03-14 20:46 ` Robert Spigler
2021-03-17  7:26   ` Craig Raw
2021-03-18 15:29   ` Jochen Hoenicke
2021-03-18 20:44     ` Robert Spigler
2021-03-18 21:42       ` Robert Spigler
2021-03-19  7:54         ` Craig Raw
2021-03-19  8:59           ` Robert Spigler
2021-03-14  1:51 Robert Spigler
