Allow different derivation paths for different key placeholders of a TapRoot descriptor with scripts #267
Comments
|
Hi, thanks for your comments! You can read BIP-0388 for more precise info and more context on why the restrictions are there. I should indeed update the docs in this repo. The limitation on the derivation steps is also true for BIP-380 descriptors, not just for wallet policies. That is, if you have:
you can't allow things like BIP-388 further restricts the derivations in order to avoid trivial fingerprinting. If a descriptor like
was to be allowed, then all the addresses derived from this wallet/account would have the same pubkey for the keypath. That would be revealed when the script is spent, allowing an external observer to trivially link all the outputs on-chain as belonging to the same wallet as soon as they are spent. Public keys are cheap, you can use a backup xpub from which the actual keys are derived, avoiding the fingerprinting issues. While the app doesn't enforce it, it is also recommended to use hardened derivations for the root xpubs used in the wallet policy. |
|
Ok thank you for your answer and your time, I understand the need of a single derivation path from every account-level xpubs, it makes sense. I'm sorry to have open another issue, but can you answer my final question in the other issue about the roadmap for support of compressed pub keys and x-only pub keys in the tapscripts? To be clear, I'm not referring to using something like |
You have the same problem: if you receive two separate UTXOs at |
|
Granted, but in my backup/inheritance usecase the script paths are never used unless I'm dead or in another situation when I cannot use the main wallet (derived from A) anymore. Also, the script-path are not just Can you tell me if Ledger plan to support using compressed pub keys and x-only pub keys in Tapscript at some point, and the time-scale? The documentation is really not clear whereas the "Implementation Specific Restrictions" (wallet.md) are temporary or definitive. I just want to be able correctly plan my own next steps, that's all. |
|
It is still unclear to me what would prevent you from using an xpub for There is no plan to relax the wallet policy constraints, as that would weaken their security/privacy properties for existing use cases. There is certainly an interest in generalizing the signing flow to allow for use cases not supported in the wallet policy model (see for example #210), but nothing conclusive at this point: the design space it's big, and it's not clear exactly what those use cases are, and how they should be supported. |
|
Thank you for your answer and your time, I will close the issue. Regarding your inquiry, nothing prevents me from adjusting my design. It's just a lot of troubles to change code, docs, etc... and there is little value to do it for my particular use-case besides complying with the extra-limitations Ledger put on top of their own formal definition of a wallet policy. I'm a little frustrated by that, that's all. |
Linked to #268
Context
I'm developing a Taproot Bitcoin wallet designed to allow on-chain backup access / inheritance of bitcoins. Kind of what Liana does, but in a full Taproot manner.
A possible descriptor of the wallet at some point in time could be this one (this is the external descriptor):
It allows a key-path spend at any time from the owner keys under
[44990794/86'/1'/6']and after a fixed date (and if the UTXO is older than 8640 blocks or ~60 days) it allows spending using a backup key[99ccb69a/86'/1'/1751476594'/0/0].As per the wallet.md document specification, I should be able to register this policy:
Unfortunately there is currently an "implementation specific restriction" that prevent the use of compressed public keys in the policy.
Therefore, I tested using a policy with the backup key replaced by a corresponding xpub (even if it does not make much sense for my use-case):
I was able to register this policy with my Ledger Nano X, but then I discovered the bug.
Problem
It seems that the app-bitcoin-new (at least on testnet) is always using the same derivation steps for all the keys of the policy when it computes the Merkle hash of the taptree.
Returning to my example where the real policy is using
[99ccb69a/86'/1'/1751476594'/0/0]as the backup key, the Ledger is only able to sign a PSBT (key spending path) with an input coming out of the Taproot address corresponding to[44990794/86'/1'/6'/0/0].I could confirm that, if I change the policy to use
[99ccb69a/86'/1'/1751476594'/0/1]as the backup key, then the Ledger can only sign a PSBT with an input coming out of[44990794/86'/1'/6'/0/1].Further, I think we can see in
sign_psbt.c that the taptree hash is computed with a single
is_changeand a singleaddress_indexprovided as argument in awallet_derivation_info_tstructure.Expected behavior
When computing the Merkle root of the Taptree, the app should not assume that the derivation steps of every keys are the same. It put an unexpected obligation on a wallet software to always take care to derive addresses by "aligning" all the derivation steps for every xpub of the policy. It is not necessary, nor realistic in usecases outside of a multisig wallet (e.g. my usecase or Liana usecase).
The PSBT provide the
tap_key_originswith each key derivation steps and should be taken into account.Final note
To be fair, using the exact same derivation steps for all xpubs of a policy is a fair assumption even if it is not strictly necessary. The real problem here is that for inheritance/backup usecase, we don't want to use xpubs in the Tapscripts. Which brings me to open another issue.
The text was updated successfully, but these errors were encountered: