BIP 124: Hierarchical Deterministic Script Templates #246

pull CodeShark wants to merge 1 commits into bitcoin:master from CodeShark:script_templates changing 2 files +129 −0
  1. CodeShark commented at 3:23 AM on November 21, 2015: contributor

    Defines a generalized script template format for wallet interoperability.

  2. CodeShark force-pushed on Nov 21, 2015
  3. CodeShark force-pushed on Nov 21, 2015
  4. CodeShark force-pushed on Nov 21, 2015
  5. CodeShark force-pushed on Nov 21, 2015
  6. CodeShark force-pushed on Nov 21, 2015
  7. CodeShark force-pushed on Nov 21, 2015
  8. CodeShark force-pushed on Nov 21, 2015
  9. CodeShark force-pushed on Nov 21, 2015
  10. CodeShark force-pushed on Nov 21, 2015
  11. CodeShark force-pushed on Nov 21, 2015
  12. CodeShark force-pushed on Nov 21, 2015
  13. CodeShark force-pushed on Nov 21, 2015
  14. CodeShark force-pushed on Nov 21, 2015
  15. CodeShark force-pushed on Nov 21, 2015
  17. CodeShark force-pushed on Nov 21, 2015
  18. CodeShark force-pushed on Nov 21, 2015
  19. CodeShark force-pushed on Nov 21, 2015
  20. CodeShark force-pushed on Nov 21, 2015
  21. CodeShark force-pushed on Nov 21, 2015
  22. luke-jr added the label New BIP on Nov 21, 2015
  23. luke-jr added the label Needs number assignment on Nov 21, 2015
  24. in bip-scripttemplates.mediawiki:None in 6449e5b7a7 outdated 
       0 | @@ -0,0 +1,70 @@
   1 | +<pre>
   2 | +  BIP:     BIP-?
   3 | +  Title:   Hierarchical Deterministic Script Templates
   4 | +  Author:  Eric Lombrozo <eric@ciphrex.com>, William Swanson
   5 | +  Status:  Draft
   6 | +  Type:    Informational
   7 | +  Created: 2015-11-20
    jtimon commented at 12:29 PM on November 23, 2015:

    Can you add a "Post-History" field with kanzure's link ?

  25. NicolasDorier commented at 2:48 PM on November 23, 2015: contributor

    I really don't like the lexicographic sorting of keys. Why not assuming that when m's are chosen, the order is important.

    Instead of defining a particular key by using Sort<sub>i</sub>(K<sub>k</sub>) it is way easier to use K<sub>k,i</sub>.

    Worse than that. Normally a key derivation m<sub>i</sub> should define a particular function for all the k derived keys (for example, "temp keys" in HTLC). If you use lexicographic order, Sort<sub>i</sub>(K<sub>k</sub>) will not refer to a key which has the same function as Sort<sub>i</sub>(K<sub>k+1</sub>)

    So for example in multi sig take

    K/k = {m<sub>1</sub>/k,m<sub>2</sub>/k,m<sub>3</sub>/k}

    Where m is derivation respectively of Alice,Bob,Satoshi.

    Sort<sub>1</sub>(K<sub>1</sub>) may define Alice but Sort<sub>1</sub>(K<sub>2</sub>) will define Bob. This is odd... It might not matter for multi sig because the order of keys does not matter as long as everybody agrees the same. But this is a special case.

    Better say K<sub>1,1</sub> define first key of Alice, K<sub>2,1</sub> second one etc...

  26. btcdrak commented at 3:23 PM on November 23, 2015: contributor

    @NicolasDorier Ordering of keys is really important, see BIP67 - https://github.com/bitcoin/bips/blob/master/bip-0067.mediawiki

  27. afk11 commented at 4:08 PM on November 23, 2015: contributor

    @NicolasDorier

    What use-cases does sorting prevent? It's just as stateful a process as "sort in the order of [Alice, Bob, Satoshi] always", but sorting addresses a privacy leak, and is a bit more universal (and if everyone sorts, there's one less barrier to wallet interoperability)

    I would think software advanced enough to perform signing should be able to tell which public key is it's own, and add the signature irrespective of the actual ordering scheme?

  28. NicolasDorier commented at 4:26 PM on November 23, 2015: contributor

    @btcdrak I know this bip and never enforced it in what I develop because there is stricly no utility into doing that. @afk11 , except if I don't understand the goal of what is called "group key" here is an example (but if I understand correctly, the concept of group is only useful in multi sig scenario thus hurting the generic aspect of this BIP):

    Let's take this contract sample (don't need to understand, this is only for my point)

    OP_IF
        OP_DUP OP_HASH160 <Alice pubKeyHash> OP_EQUALVERIFY OP_CHECKSIG
OP_ELSE
        <TIMEOUT> OP_CHECKLOCKTIMEVERIFY OP_DROP
        OP_DUP OP_HASH160 <Bob pubKeyHash> OP_EQUALVERIFY OP_CHECKSIG
OP_ENDIF

    If I wanted to represent this contract as in this bip I would define the following group.

    K/k = { m<sub>1</sub>/k, m<sub>2</sub>/k }

    m<sub>1</sub> is Alice choice m<sub>2</sub> is Bob choice

    If I rewrite this script according to this BIP you may be tempted to define a template as

    OP_IF
        OP_DUP OP_HASH160 Sort1(Kk) OP_EQUALVERIFY OP_CHECKSIG
OP_ELSE
        <TIMEOUT> OP_CHECKLOCKTIMEVERIFY OP_DROP
        OP_DUP OP_HASH160 Sort2(Kk)  OP_EQUALVERIFY OP_CHECKSIG
OP_ENDIF

    Except that Sort1(K1) may represent Alice key for the first transaction, but for the second transaction Sort1(K2) may represent Bob's key in the following way

    1st transaction based on the template

    OP_IF
        OP_DUP OP_HASH160 Sort1(K1)==m1/1==Alice OP_EQUALVERIFY OP_CHECKSIG
OP_ELSE
        <TIMEOUT> OP_CHECKLOCKTIMEVERIFY OP_DROP
        OP_DUP OP_HASH160 Sort2(K1)==m2/1==Bob  OP_EQUALVERIFY OP_CHECKSIG
OP_ENDIF

    2nd transaction based on the template

    OP_IF
        OP_DUP OP_HASH160 Sort1(K2)==m2/2==Bob OP_EQUALVERIFY OP_CHECKSIG
OP_ELSE
        <TIMEOUT> OP_CHECKLOCKTIMEVERIFY OP_DROP
        OP_DUP OP_HASH160 Sort2(K2)==m1/2==Alice  OP_EQUALVERIFY OP_CHECKSIG
OP_ENDIF

    Because the sorting is done on the actual public keys derived with k as currently specified.

    I don't see why ordering should be done at all. When one define a group of key, you can define any order at this moment.

  29. NicolasDorier commented at 4:35 PM on November 23, 2015: contributor

    if you want to define a multi sig contract by using this template language, with address reuse you have no need of lexical ordering:

    Define K/k and number of signature required. K/k's order being significant no lexical ordering is needed.

  30. CodeShark commented at 8:55 PM on November 23, 2015: contributor

    @NicolasDorier you can define multiple key groups for a script template - and using key groups is optional. This preserves full generality but also affords key sorting, which is important for certain use cases (i.e. m-of-n with full key symmetry, since the p2sh depends on the ordering and the number of permutations increases factorially in n making p2sh lookups impratical...and sorting also improves privacy).

  31. CodeShark commented at 10:13 PM on November 23, 2015: contributor

    @NicolasDorier Specifically, for the example you gave key groups wouldn't provide any real benefit. Might as well define Ak for Alice and Bk for Bob:

    OP_IF
        OP_DUP OP_HASH160 [Ak] OP_EQUALVERIFY OP_CHECKSIG
OP_ELSE
        <TIMEOUT> OP_CHECKLOCKTIMEVERIFY OP_DROP
        OP_DUP OP_HASH160 [Bk] OP_EQUALVERIFY OP_CHECKSIG
OP_ENDIF
  32. NicolasDorier commented at 12:32 AM on November 24, 2015: contributor

    Not having alphabetical ordering would not make permutation increases factorially, because I expected the m's in the K group to be sorted. (so for example in 2-2 Alice key is always the first and Bob always second, because it is the order in which they appear in the K group) I did not thought about sorting for increasing privacy though.

    I admit I have lots of difficulty to think about another use case expect multi sig for the key group structure.

    Anyway, I think it is easy to at least simplify the notation:

    Define group B: B<sub>k</sub> = { m<sub>1</sub>/k, m<sub>2</sub>/k, m<sub>3</sub>/k }

    Then, in a script template [Bk] would mean [Sort<sub>1</sub>(B<sub>k</sub>)] [Sort<sub>2</sub>(B<sub>k</sub>)] [Sort<sub>3</sub>(B<sub>k</sub>)]

    OP_IF
        OP_DUP OP_HASH160 [Ak] OP_EQUALVERIFY OP_CHECKSIG
OP_ELSE
        <TIMEOUT> OP_CHECKLOCKTIMEVERIFY OP_DROP
        2 [Bk] 3 OP_CHECKMULTISIGVERIFY
OP_ENDIF

    I see a group as a way to express : "The order of the keys is not important but should be deterministic..so let's decide it is lexical".

  33. CodeShark commented at 12:40 AM on November 24, 2015: contributor

    @NicolasDorier yes, a group essentially means that permutations of the set don't affect the authorization policy...the key set is fully symmetric.

    There could potentially be other use cases we have not considered, so although the simplified notation is useful, we might still want to support interspersing opcodes between the keys.

  34. NicolasDorier commented at 12:52 AM on November 24, 2015: contributor

    Ok I understand, waiting the next commits. :)

    I'll probably do a script template parser for NBitcoin in the future, the problem with using the [Sort1(Bk)] notation is that you can't use it during template design, because you don't know the number of keys in the group.

    If you want to concatenate, then maybe notation [Bk | &lt;script&gt; ] might do the deal. [Bk | OP_CHECKSIG ] meaning [Sort1(Bk)] OP_CHECKSIG [Sort2(Bk)]

  35. CodeShark force-pushed on Nov 24, 2015
  36. CodeShark force-pushed on Nov 24, 2015
  37. CodeShark force-pushed on Nov 24, 2015
  38. CodeShark force-pushed on Nov 24, 2015
  39. CodeShark force-pushed on Nov 24, 2015
  40. CodeShark force-pushed on Nov 24, 2015
  41. CodeShark commented at 4:53 AM on November 24, 2015: contributor

    @NicolasDorier I've incorporated your simplified notation idea and your example.Just one caveat: I think we should make the distinction between a sorted key group and an individual key, so I suggest we use [{Bk}] to denote a sorted key group as opposed to [Bk] which is just a single key.

    We can still improve upon the notation, perhaps, by making the distinction between a key group and an individual key more explicit as well. Perhaps something like:

    Single key: Bk Key group: {Bk} Sorted key group: S{Bk} or {Bk}_s

  42. CodeShark commented at 4:56 AM on November 24, 2015: contributor

    Or perhaps {Bk} can be used to denote both the key group itself and the sorted expansion. Sorting would always be implied when used in a template.

  43. CodeShark force-pushed on Nov 24, 2015
  44. CodeShark force-pushed on Nov 24, 2015
  45. CodeShark force-pushed on Nov 24, 2015
  46. NicolasDorier commented at 8:19 AM on November 24, 2015: contributor

    Yes I think Bk and {Bk} is clear enough, I don't think there will be any need of saying "sorted key group", it is implied. There is no reason to make a keygroup if they can't be sorted by lexical order without changing the semantic of the script.

  47. CodeShark force-pushed on Nov 29, 2015
  48. CodeShark force-pushed on Nov 29, 2015
  49. CodeShark force-pushed on Nov 29, 2015
  50. CodeShark force-pushed on Nov 29, 2015
  51. CodeShark force-pushed on Nov 29, 2015
  52. luke-jr assigned luke-jr on Jan 8, 2016
  53. luke-jr renamed this:
    Added BIP for hierarchical deterministic script templates.
    BIP 124: Hierarchical Deterministic Script Templates
    on Jan 8, 2016
  54. luke-jr removed the label Needs number assignment on Jan 8, 2016
  55. luke-jr commented at 5:49 PM on January 8, 2016: member

    Needs Copyright section.

  56. luke-jr unassigned luke-jr on Jan 8, 2016
  57. CodeShark force-pushed on Jan 13, 2016
  58. Added BIP 124 a8ace6d608
  59. CodeShark commented at 4:15 AM on January 13, 2016: contributor

    @luke-jr copyright section added.

  60. luke-jr referenced this in commit 5afe46e257 on Jan 13, 2016
  61. luke-jr merged this on Jan 13, 2016
  62. luke-jr closed this on Jan 13, 2016
Contributors
CodeSharkkanzurejtimonNicolasDorierbtcdrakafk11luke-jr
Labels
New BIP
github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bips. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-14 15:10 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me