public inbox for bitcoindev@googlegroups.com
* [bitcoin-dev] Derivation Paths for Single Key Taproot Scripts
@ 2021-06-23  1:17 Andrew Chow
  2021-06-23  8:22 ` Craig Raw
  2021-07-02 20:03 ` Andrew Chow
  0 siblings, 2 replies; 4+ messages in thread
From: Andrew Chow @ 2021-06-23  1:17 UTC (permalink / raw)
  To: Bitcoin Protocol Discussion

Hi All,

I would like to propose a simple derivation path scheme for keys to be
used in single key Taproot scripts. This is based on BIP 44 so it is
basically identical to BIPs 49 and 84. Like with those BIPs, the actual
value to be used in the purpose level will be set to the BIP number,
once assigned.

Note that the keys derived in this method should be for the Taproot
internal key, which should then be tweaked with the hash of itself as
recommended by BIP 341. The keys derived at this path should not be used
directly as the Taproot output pubkey. Additionally, this BIP does not
specify new version bytes for extended key serialization because, with
the advent of descriptors, I think that is unnecessary. In fact, this
BIP feels somewhat unnecessary to me, but it seems like it will be
needed for now in order to drive adoption and implementation of Taproot
into software and hardware wallets.

The text can be viewed below, with the rendered text available at
https://github.com/achow101/bips/blob/taproot-bip44/bip-taproot-bip44.mediawiki

Andrew Chow

---

<pre>
   BIP: bip-taproot-bip44
   Layer: Applications
   Title: Derivation scheme for P2TR based accounts
   Author: Andrew Chow <andrew@achow101.com>
   Comments-Summary: No comments yet.
   Comments-URI: https://github.com/bitcoin/bips/wiki/Comments:BIP-taproot-bip44
   Status: Draft
   Type: Informational
   Created: 2021-06-22
   License: BSD-2-Clause
</pre>

==Abstract==

This document suggests a derivation scheme for HD wallets whose keys are
involved in single key P2TR ([[bip-0341.mediawiki|BIP 341]]) outputs as
the Taproot internal key.

===Copyright===

This BIP is licensed under the 2-clause BSD license.

==Motivation==

With the usage of single key P2TR transactions, it is useful to have a
common derivation scheme so that HD wallets that only have a backup of
the HD seed can be likely to recover single key Taproot outputs.
Although there are now solutions which obviate the need for fixed
derivation paths for specific script types, many software wallets and
hardware signers still use seed backups which lack derivation path and
script information. Thus we largely use the same approach used in BIPs
[[bip-0049.mediawiki|49]] and [[bip-0084.mediawiki|84]] for ease of
implementation.

==Specifications==

This BIP defines the two needed steps to derive multiple deterministic
addresses based on a [[bip-0032.mediawiki|BIP 32]] master private key.

===Public key derivation===

To derive a public key from the root account, this BIP uses the same
account-structure as defined in BIPs [[bip-0044.mediawiki|44]],
[[bip-0049.mediawiki|49]], and [[bip-0084.mediawiki|84]], but with a
different purpose value for the script type.

<pre>
m / purpose' / coin_type' / account' / change / address_index
</pre>

For the <tt>purpose</tt>-path level it uses <tt><BIPNUMBER>'</tt>.
The rest of the levels are used as defined in BIPs 44, 49, and 84.

===Address derivation===

To derive the output key used in the P2TR script from the derived public
key, we use the method recommended in
[[bip-0341.mediawiki#constructing-and-spending-taproot-outputs|BIP 341]]:

<pre>
internal_key:       lift_x(derived_key)
32_byte_output_key: internal_key + int(HashTapTweak(bytes(internal_key)))G
</pre>

In a transaction, the scripts and witnesses are as defined in
[[bip-0341.mediawiki#specification|BIP 341]]:

<pre>
witness:      <signature>
scriptSig:    (empty)
scriptPubKey: 1 <32_byte_output_key>
               (0x5120{32_byte_output_key})
</pre>

==Backwards Compatibility==

This BIP is not backwards compatible by design. An incompatible wallet
will not discover these accounts at all and the user will notice that
something is wrong.

However this BIP uses the same method used in BIPs 44, 49, and 84, so it
should not be difficult to implement.

==Test vectors==

TBD

==Reference==

* [[bip-0032.mediawiki|BIP32 - Hierarchical Deterministic Wallets]]
* [[bip-0043.mediawiki|BIP43 - Purpose Field for Deterministic Wallets]]
* [[bip-0044.mediawiki|BIP44 - Multi-Account Hierarchy for Deterministic Wallets]]
* [[bip-0049.mediawiki|BIP49 - Derivation scheme for P2WPKH-nested-in-P2SH based accounts]]
* [[bip-0084.mediawiki|BIP84 - Derivation scheme for P2WPKH based accounts]]
* [[bip-0341.mediawiki|BIP341 - Taproot: SegWit version 1 spending rules]]


* Re: [bitcoin-dev] Derivation Paths for Single Key Taproot Scripts
  2021-06-23  1:17 [bitcoin-dev] Derivation Paths for Single Key Taproot Scripts Andrew Chow
@ 2021-06-23  8:22 ` Craig Raw
  2021-06-30 11:07   ` Pavol Rusnak
  2021-07-02 20:03 ` Andrew Chow
  1 sibling, 1 reply; 4+ messages in thread
From: Craig Raw @ 2021-06-23  8:22 UTC (permalink / raw)
  To: Andrew Chow, Bitcoin Protocol Discussion


+1

While other derivation schemes have been proposed, the simple "purpose per
script type" based approach started with BIP44 is very widely used and has
done much to improve recoverability of wallets. The products and
understanding around this approach are now relatively mature, while backing
up an output descriptor (in addition to seed words) is still not well
understood or supported. Early standardisation around a known derivation
path will ease implementation for wallets implementing Taproot and help
prevent confusion (as we have had over the still draft BIP48). I also agree
we don't need (and should avoid) a new version for extended key
serialization.

Craig



* Re: [bitcoin-dev] Derivation Paths for Single Key Taproot Scripts
  2021-06-23  8:22 ` Craig Raw
@ 2021-06-30 11:07   ` Pavol Rusnak
  0 siblings, 0 replies; 4+ messages in thread
From: Pavol Rusnak @ 2021-06-30 11:07 UTC (permalink / raw)
  To: Craig Raw, Bitcoin Protocol Discussion


+1 from the author of BIP43, BIP44 and BIP84. The proposed BIP follows this
pattern nicely.

-- 
Best Regards / S pozdravom,

Pavol "stick" Rusnak
Co-founder and CTO, SatoshiLabs



* Re: [bitcoin-dev] Derivation Paths for Single Key Taproot Scripts
  2021-06-23  1:17 [bitcoin-dev] Derivation Paths for Single Key Taproot Scripts Andrew Chow
  2021-06-23  8:22 ` Craig Raw
@ 2021-07-02 20:03 ` Andrew Chow
  1 sibling, 0 replies; 4+ messages in thread
From: Andrew Chow @ 2021-07-02 20:03 UTC (permalink / raw)
  To: Bitcoin Protocol Discussion

This was assigned BIP number 86, so the purpose level path will be m/86'.

Andrew

