Date: Sun, 10 Sep 2023 17:13:02 +0000
To: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
From: Dr Maxim Orlovsky <orlovsky@lnp-bp.org>
Message-ID: <4zh22wKfn7dGB-ZolHCLixP4gv_-gsdkfndbDxdoE7K7yyO-LDMvxZk1UVpp0YTGSRCqGtYlMitSQ5aLP9bIa2wj5Ul38Rw-DmagwxRdWhc=@lnp-bp.org>
Feedback-ID: 18134079:user:proton
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Subject: [bitcoin-dev] New BIP to align descriptors,
	xpub derivation and miniscript
Precedence: list

Hi,

Script output descriptors ("output descriptors", "wallet descriptors", or=
=20
simply "descriptors") are getting more and more traction. Descriptors work=
=20
in combination with miniscript, extended BIP32 keys (xpub/xprivs=20
"descriptors" equipped with origin and derivation information) and are used
to construct new primitives like "wallet templates" used in Ledger and=20
BitBox today.

Nevertheless, due to historical reasons, the resulting combination of the=
=20
mentioned technologies is frequently redundant and leaves a lot of=20
unspecified caveats, when it is unclear how descriptor with=20
internally-conflicting data has to be handled by wallets and/or devices.=20
For instance,
- derivation path standards (following BIP44) commit to the type of the=20
  script pubkey (P2PKH, P2SH, P2WSH, P2WPKH, P2TR), but the same informatio=
n
  is present in the descriptor itself;
- each of the public keys within the descriptor replicates the derivation=
=20
  information and information about Bitcoin network (testnet or mainnet);
- if the same signer participates in different miniscript branches, due=20
  to miniscript anti-malleability rules a new derivation path has to be use=
d
  in pre-Taproot context (but not in Taproot) -=3D and multiple contradicto=
ry
  approaches exist on how to handle that;
- client-side-validation approach, used by several projects, introduces new
  descriptor-level concepts, like taproot-ebmedded OP_RETURN commitments=20
  (so-called "tapret"), which are not handled by existing standards.

As a result, descriptors contain a lot of redundant information, which make=
s
them bulk, hard to read or type, and impossible to handle in the narrow UI
of hardware wallets.

At LNP/BP Standards Association we'd like to work/coordinate efforts on=20
a new BIP proposal removing all the issues above. Before working on the=20
BIP proposal text I would like to start by discussing an approach, seeking
Concept (n)ACKs and Approach (n)ACKs from this mail list.


The approach
------------

Existing separate BIP44 standards, committing to a specific form of script
pubkey are made redundant with the introduction of output descriptors. Thus=
,
I think we need a new BIP44 purpose field which will be used with all=20
descriptor formats. The standard must _lexicographically require_ all keys=
=20
to follow the same standard and use the same network and terminal derivatio=
n
format. By "lexicographically require" I mean that there must be no=20
syntactic option to do otherwise, i.e. the information must not repeat=20
within the descriptor for each of the keys and has to be placed in the=20
descriptor itself, using prefix (for the network) and suffix (for the=20
terminal derivation format):

```
wsh/test(or(
    and(1@[fe569a81//1']xpub1..., 2@[8871bad9//1h]xpub2..., 3@[beafcafe//1'=
]xpub3...),=20
    and(older(1000), thresh(2, @1, @2, @3))
))/<0;1>/*
```

Please note that each of the keys appears in the descriptor only once, and
is aliased using the `i@` construction preceding the key origin. These
aliases must be incremental starting from `1` (otherwise the descriptor is
invalid). Each other time the same account xpub is used in some other
condition only the alias should be used.

For the mainnet the prefix must be omitted: `wsh(or...)/<0;1>/*`

The descriptor is used to construct derivation for each of the keys=20
in the same way:

`m/89'/network'/account'/branch/<0;1>/*`

where:
- 89' is the purpose - an assumed number for the newly proposed BIP;
- `network'` is either `0'` or `1'` and is taken from the descriptor prefix=
;
- `account` is taken from the xpub origin in the descriptor (it follows the
  master fingerprint and `//` character) and the last `/<0;1>/*` must match
  the descriptor suffix.
- `branch` part, which is a new segment compared to BIP44. This branch inde=
x
  must be always unhardened and is computed from the descriptor, starting=
=20
  with 0 for each key and incrementing each time the same key alias is foun=
d
  in the descriptor;
- `<0;1>` may contain only 0, 1 index, unless a dedicated BIP extending=20
  the meaning of this segment is filed. One such case may be the use of=20
  a change index for storing an associated state in client-side-validation,
  like in RGB protocol, where indexes 9 and 10 are used to represent the
  assignation of an external state or the presence of a tapret commitment.
  It is important to require the standardization of new change indexes sinc=
e
  without that wallets unaware of clinet-side-validation may spend the UTXO
  and burn the external state.


Reference implementation
------------------------

Once the approach is acknowledged by the mailing list the reference=20
implementation will be written on Rust and deployed with MyCitadel wallet=
=20
(https://mycitadel.io), which is the only wallet supporting since spring
2022 combination of all three: descriptors, miniscript and taproot (there=
=20
are more descriptor/miniscript wallets which have appeared over the last=20
year, but they are still lacking taproot support AFAIK).


Kind regards,
Maxim Orlovsky
LNP/BP Standards Association
https://www.lnp-bp.org/

GitHub: @dr-orlovsky
Nostr: npub13mhg7ksq9efna8ullmc5cufa53yuy06k73q4u7v425s8tgpdr5msk5mnym