Date: Tue, 22 Dec 2020 20:12:22 +0000
To: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
From: Andrew Chow <achow101-lists@achow101.com>
Reply-To: Andrew Chow <achow101-lists@achow101.com>
Message-ID: <5a4697cb-b9cb-b925-e78f-d5b53f025704@achow101.com>
In-Reply-To: <1dd8c285-e3f4-4f03-d608-103a5026146d@achow101.com>
References: <1dd8c285-e3f4-4f03-d608-103a5026146d@achow101.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Subject: Re: [bitcoin-dev] New PSBT version proposal
Precedence: list

Hi All,

I have some updates on this after speaking with some people off-list.

Firstly, the version number will be set to 2. In most discussions, this=20
proposal was being referred to as PSBT version 2, so it'll be easier and=20
clearer to set the version number to 2.

For lock times, instead of a single=C2=A0 PSBT_IN_REQUIRED_LOCKTIME field,=
=20
there will be 2 of them, one for a time based lock time, and the other=20
for height based. These will be:
* PSBT_IN_REQUIRED_TIME_LOCKTIME =3D 0x10
 =C2=A0 * Key: empty
 =C2=A0 * Value: 32 bit unsigned little endian integer greater than or equa=
l=20
to 500000000 representing the minimum Unix timestamp that this input=20
requires to be set as the transaction's lock time. Must be omitted in=20
PSBTv0, and may be omitted in PSBTv2
* PSBT_IN_REQUIRED_HEIGHT_LOCKTIME =3D 0x11
 =C2=A0 * Key: empty
 =C2=A0 * Value: 32 bit unsigned little endian integer less than 500000000=
=20
representing the minimum block height that this input requires to be set=20
as the transaction's lock time. Must be omitted in PSBTv0, and may be=20
omitted in PSBTv2.

Having two lock time fields is necessary due to the behavior where all=20
inputs must use the same type of lock time (height or time). Thus if an=20
input requires a particular type of lock time, it must set the requisite=20
field. Any new inputs being added must be able to accommodate all=20
existing inputs' lock time type. This means they either must not have a=20
lock time specified (i.e. no OP_CLTV involved), or have branches that=20
allow the acceptance of either type. If an input has a lock time type=20
that is incompatible with the rest of the transaction, it must not be added=
.

PSBT_GLOBAL_PREFERRED_LOCKTIME is changed to purely be the fallback=20
option if no input lock time fields are present. If there are input lock=20
times, all lock time calculations must ignore it.

Any role which does lock time calculation will first check if there are=20
input lock time fields. If there are not, it must then check for a=20
PSBT_GLOBAL_PREFERRED_LOCKTIME. If this field exists, its value is the=20
transaction's lock time. If it does not, the lock time is 0. If there=20
are input lock time fields, it must choose the type which does not=20
invalidate any inputs. The lock time is then determined to be the=20
maximum value of all of the lock time fields for the chosen type.


Additionally, I would like to add a new global field:
* PSBT_GLOBAL_UNDER_CONSTRUCTION =3D 0x05
 =C2=A0 * Key: empty
 =C2=A0 * Value: A single byte as a boolean. 0 for False, 1 for True. All=
=20
other values ore prohibited. Must be omitted for PSBTv0, may be omitted=20
in PSBTv2.

PSBT_GLOBAL_UNDER_CONSTRUCTION is used to signal whether inputs and=20
outputs can be added to the PSBT. This flag may be set to True when=20
inputs and outputs are being updated, signed, and finalized. However=20
care must be taken when there are existing signatures. If this field is=20
omitted or set to False, no further inputs and outputs may be added to=20
the PSBT.

Several rules must be followed to ensure that adding additional inputs=20
and outputs will not invalidate existing signatures. First, an input or=20
output adder must check for any existing signatures in all of the other=20
inputs. If there are none, the input or output may be added in any=20
position. If there are one or more signatures, each signature's sighash=20
type must be examined. Inputs may only be added if all existing=20
signatures use SIGHASH_ANYONECANPAY. Outputs may only be added if all=20
existing signatures use SIGHASH_NONE. If an input has a signature using=20
SIGHASH_SINGLE, the same number of inputs and outputs must be added=20
before that input and it's corresponding output. For all other sighash=20
types (i.e. SIGHASH_ALL and any future sighash types), no inputs or=20
outputs may be added to the PSBT. Specific exceptions can be made in the=20
future for additional sighash types.

Furthermore, these newly added inputs must follow additional lock time=20
rules. Because all signatures, regardless of sighash type, sign the=20
transaction lock time, newly added inputs when there are existing=20
signatures must have the same type of lock time used in the transaction,=20
and must be less than or equal to the transaction lock time. It must not=20
cause the transaction lock time to change, otherwise the signatures will=20
be invalidated.


Lastly, to uniquely identify transactions for combiners, a txid can be=20
computed from the information present in the PSBT. Internally, combiners=20
can create an unsigned transaction given the transaction version, the=20
input prevouts, the outputs, and the computed locktime. This can then be=20
used to calculate a txid and thus used as a way to identify PSBTs.=20
Combiners will need to do this for all version 2 PSBTs in order to avoid=20
combining distinct transactions.


Andrew Chow

On 12/9/20 5:25 PM, Andrew Chow wrote:
> Hi All,
>
> I would like to propose a new PSBT version that addresses a few
> deficiencies in the current PSBT v0. As this will be backwards
> incompatible, a new PSBT version will be used, v1.
>
> The primary change is to truly have all input and output data for each
> in their respective maps. Instead of having to parse an unsigned
> transaction and lookup some data from there, and other data from the
> correct map, all of the data for an input will be contained in its map.
> Doing so also disallows PSBT_GLOBAL_UNSIGNED_TX in this new version.
> Thus I propose that the following fields be added:
>
> Global:
> * PSBT_GLOBAL_TX_VERSION =3D 0x02
>   =C2=A0 * Key: empty
>   =C2=A0 * Value: 32-bit little endian unsigned integer for the transacti=
on
> version number. Must be provided in PSBT v1 and omitted in v0.
> * PSBT_GLOBAL_PREFERRED_LOCKTIME =3D 0x03
>   =C2=A0 * Key: empty
>   =C2=A0 * Value: 32 bit little endian unsigned integer for the preferred
> transaction lock time. Must be omitted in PSBT v0. May be provided in
> PSBT v1, assumed to be 0 if not provided.
> * PSBT_GLOBAL_INPUT_COUNT =3D 0x04
>   =C2=A0 * Key: empty
>   =C2=A0 * Value: Compact size unsigned integer. Number of inputs in this
> PSBT. Must be provided in PSBT v1 and omitted in v0.
> * PSBT_GLOBAL_OUTPUT_COUNT =3D 0x05
>   =C2=A0 * Key: empty
>   =C2=A0 * Value: Compact size unsigned integer. Number of outputs in thi=
s
> PSBT. Must be provided in PSBT v1 and omitted in v0.
>
> Input:
> * PSBT_IN_PREVIOUS_TXID =3D 0x0e
>   =C2=A0 * Key: empty
>   =C2=A0 * Value: 32 byte txid of the previous transaction whose output a=
t
> PSBT_IN_OUTPUT_INDEX is being spent. Must be provided in PSBT v1 and
> omitted in v0.
> * PSBT_IN_OUTPUT_INDEX =3D 0x0f
>   =C2=A0 * Key: empty
>   =C2=A0 * Value: 32 bit little endian integer for the index of the outpu=
t
> being spent. Must be provided in PSBT v1 and omitted in v0.
> * PSBT_IN_SEQUENCE =3D 0x0f
>   =C2=A0 * Key: empty
>   =C2=A0 * Value: 32 bit unsigned little endian integer for the sequence
> number. Must be omitted in PSBT v0. May be provided in PSBT v1 assumed
> to be max sequence (0xffffffff) if not provided.
> * PSBT_IN_REQUIRED_LOCKTIME =3D 0x10
>   =C2=A0 * Key: empty
>   =C2=A0 * Value: 32 bit unsigned little endian integer for the lock time=
 that
> this input requires. Must be omitted in PSBT v0. May be provided in PSBT
> v1, assumed to be 0 if not provided.
>
> Output:
> * PSBT_OUT_VALUE =3D 0x03
>   =C2=A0 * Key: empty
>   =C2=A0 * Value: 64-bit unsigned little endian integer for the output's
> amount in satoshis. Must be provided in PSBT v1 and omitted in v0.
> * PSBT_OUT_OUTPUT_SCRIPT =3D 0x04
>   =C2=A0 * Key: empty
>   =C2=A0 * Value: The script for this output. Otherwise known as the
> scriptPubKey. Must be provided in PSBT v1 and omitted in v0.
>
> This change allows for PSBT to be used in the construction of
> transactions. With these new fields, inputs and outputs can be added as
> needed. One caveat is that there is no longer a unique transaction
> identifier so more care must be taken when combining PSBTs.
> Additionally, adding new inputs and outputs must be done such that
> signatures are not invalidated. This may be harder to specify.
>
> An important thing to note in this proposal are the fields
> PSBT_GLOBAL_PREFERRED_LOCKTIME and PSBT_IN_REQUIRED_LOCKTIME. A Bitcoin
> transaction only has a single locktime yet a PSBT may have multiple
> locktimes. To choose the locktime for the transaction, finalizers must
> choose the maximum of all of the *_LOCKTIME fields.
> PSBT_IN_REQUIRED_LOCKTIME is added because some inputs, such as those
> involving OP_CHECKLOCKTIMEVERIFY, require a specific minimum locktime to
> be set. This field allows finalizers to choose a locktime that is high
> enough for all inputs without needing to understand the scripts
> involved. The PSBT_GLOBAL_PREFERRED_LOCKTIME is the locktime to use if
> no inputs require a particular locktime.
>
> As these changes disallow the PSBT_GLOBAL_UNSIGNED_TX field, PSBT v1
> needs the version number bump to enforce backwards incompatibility.
> However once the inputs and outputs of a PSBT are decided, a PSBT could
> be "downgraded" back to v0 by creating the unsigned transaction from the
> above fields, and then dropping these new fields.
>
> If the list finds that these changes are reasonable, I will write a PR
> to modify BIP 174 to incorporate them.
>
> Thanks,
> Andrew Chow