Commit 07228b6

Merge pull request bitcoin#1137 from achow101/taproot-bip44
BIP 86: Key Derivation for Single Key P2TR Outputs
2 parents 8659829 + 330b56b commit 07228b6

2 files changed

+135
-0
lines changed

README.mediawiki

Lines changed: 7 additions & 0 deletions
@@ -434,6 +434,13 @@ Those proposing changes should consider that ultimately consent may rest with th
434434
| Ethan Kosakovsky
435435
| Informational
436436
| Draft
437+
|-
438+
| [[bip-0086.mediawiki|86]]
439+
| Applications
440+
| Key Derivation for Single Key P2TR Outputs
441+
| Andrew Chow
442+
| Standard
443+
| Draft
437444
|- style="background-color: #ffffcf"
438445
| [[bip-0087.mediawiki|87]]
439446
| Applications
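
Review bot: On the added index row, the Type cell reads "Standard" while the preamble in bip-0086.mediawiki declares "Type: Standards Track"; please confirm that "Standard" is the index's short form for that type. The row also opens with a plain `|-`, unlike the `|- style="background-color: #ffffcf"` on the BIP 87 row right below it, so check that an unstyled row is the intended rendering for a Draft entry.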

bip-0086.mediawiki

Lines changed: 128 additions & 0 deletions
@@ -0,0 +1,128 @@
1+
<pre>
2+
BIP: 86
3+
Layer: Applications
4+
Title: Key Derivation for Single Key P2TR Outputs
5+
Author: Andrew Chow <[email protected]>
6+
Comments-Summary: No comments yet.
7+
Comments-URI: https://github.com/bitcoin/bips/wiki/Comments:BIP-0086
8+
Status: Draft
9+
Type: Standards Track
10+
Created: 2021-06-22
11+
License: BSD-2-Clause
12+
</pre>
13+
14+
==Abstract==
15+
16+
This document suggests a derivation scheme for HD wallets whose keys are involved in single key
17+
P2TR ([[bip-0341.mediawiki|BIP 341]]) outputs as the Taproot internal key.
18+
19+
===Copyright===
20+
21+
This BIP is licensed under the 2-clause BSD license.
22+
23+
==Motivation==
24+
25+
With the usage of single key P2TR transactions, it is useful to have a common derivation scheme so
26+
that HD wallets that only have a backup of the HD seed can be likely to recover single key Taproot
27+
outputs. Although there are now solutions which obviate the need for fixed derivation paths for
28+
specific script types, many software wallets and hardware signers still use seed backups which
29+
lack derivation path and script information. Thus we largely use the same approach used in BIPs
30+
[[bip-0049.mediawiki|49]] and [[bip-0084.mediawiki|84]] for ease of implementation.
31+
32+
==Specifications==
33+
34+
This BIP defines the two needed steps to derive multiple deterministic addresses based on a
35+
[[bip-0032.mediawiki|BIP 32]] master private key.
36+
37+
===Public key derivation===
38+
39+
To derive a public key from the root account, this BIP uses the same account-structure as
40+
defined in BIPs [[bip-0044.mediawiki|44]], [[bip-0049.mediawiki|49]], and [[bip-0084.mediawiki|84]],
41+
but with a different purpose value for the script type.
42+
43+
<pre>
44+
m / purpose' / coin_type' / account' / change / address_index
45+
</pre>
46+
47+
For the <tt>purpose</tt>-path level it uses <tt>86'</tt>.
48+
The rest of the levels are used as defined in BIPs 44, 49, and 84.
49+
50+
A key derived with this derivation path pattern will be referred to as <tt>derived_key</tt> further
51+
in this document.
52+
53+
===Address derivation===
54+
55+
56+
[[bip-0341.mediawiki#cite_ref-22-0|BIP 341]] states: "If the spending conditions do not require a
57+
script path, the output key should commit to an unspendable script path instead of having no
58+
script path. This can be achieved by computing the output key point as
59+
''Q = P + int(hash<sub>TapTweak</sub>(bytes(P)))G''." Thus:
60+
61+
<pre>
62+
internal_key: lift_x(derived_key)
63+
32_byte_output_key: internal_key + int(HashTapTweak(bytes(internal_key)))G
64+
</pre>
65+
66+
In a transaction, the scripts and witnesses are as defined in
67+
[[bip-0341.mediawiki#specification|BIP 341]]:
68+
69+
<pre>
70+
witness: <signature>
71+
scriptSig: (empty)
72+
scriptPubKey: 1 <32_byte_output_key>
73+
(0x5120{32_byte_output_key})
74+
</pre>
75+
76+
==Backwards Compatibility==
77+
78+
This BIP is not backwards compatible by design.
79+
An incompatible wallet will not discover these accounts at all and the user will notice that
80+
something is wrong.
81+
82+
However this BIP uses the same method used in BIPs 44, 49, and 84, so it should not be difficult
83+
to implement.
84+
85+
==Test vectors==
86+
87+
<pre>
88+
mnemonic = abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about
89+
rootpriv = xprv9s21ZrQH143K3GJpoapnV8SFfukcVBSfeCficPSGfubmSFDxo1kuHnLisriDvSnRRuL2Qrg5ggqHKNVpxR86QEC8w35uxmGoggxtQTPvfUu
90+
rootpub = xpub661MyMwAqRbcFkPHucMnrGNzDwb6teAX1RbKQmqtEF8kK3Z7LZ59qafCjB9eCRLiTVG3uxBxgKvRgbubRhqSKXnGGb1aoaqLrpMBDrVxga8
91+
92+
// Account 0, root = m/86'/0'/0'
93+
xprv = xprv9xgqHN7yz9MwCkxsBPN5qetuNdQSUttZNKw1dcYTV4mkaAFiBVGQziHs3NRSWMkCzvgjEe3n9xV8oYywvM8at9yRqyaZVz6TYYhX98VjsUk
94+
xpub = xpub6BgBgsespWvERF3LHQu6CnqdvfEvtMcQjYrcRzx53QJjSxarj2afYWcLteoGVky7D3UKDP9QyrLprQ3VCECoY49yfdDEHGCtMMj92pReUsQ
95+
96+
// Account 0, first receiving address = m/86'/0'/0'/0/0
97+
xprv = xprvA449goEeU9okwCzzZaxiy475EQGQzBkc65su82nXEvcwzfSskb2hAt2WymrjyRL6kpbVTGL3cKtp9herYXSjjQ1j4stsXXiRF7kXkCacK3T
98+
xpub = xpub6H3W6JmYJXN49h5TfcVjLC3onS6uPeUTTJoVvRC8oG9vsTn2J8LwigLzq5tHbrwAzH9DGo6ThGUdWsqce8dGfwHVBxSbixjDADGGdzF7t2B
99+
internal_key = cc8a4bc64d897bddc5fbc2f670f7a8ba0b386779106cf1223c6fc5d7cd6fc115
100+
output_key = a60869f0dbcf1dc659c9cecbaf8050135ea9e8cdc487053f1dc6880949dc684c
101+
scriptPubKey = 5120a60869f0dbcf1dc659c9cecbaf8050135ea9e8cdc487053f1dc6880949dc684c
102+
address = bc1p5cyxnuxmeuwuvkwfem96lqzszd02n6xdcjrs20cac6yqjjwudpxqkedrcr
103+
104+
// Account 0, second receiving address = m/86'/0'/0'/0/1
105+
xprv = xprvA449goEeU9okyiF1LmKiDaTgeXvmh87DVyRd35VPbsSop8n8uALpbtrUhUXByPFKK7C2yuqrB1FrhiDkEMC4RGmA5KTwsE1aB5jRu9zHsuQ
106+
xpub = xpub6H3W6JmYJXN4CCKUSnriaiQRCZmG6aq4sCMDqTu1ACyngw7HShf59hAxYjXgKDuuHThVEUzdHrc3aXCr9kfvQvZPit5dnD3K9xVRBzjK3rX
107+
internal_key = 83dfe85a3151d2517290da461fe2815591ef69f2b18a2ce63f01697a8b313145
108+
output_key = a82f29944d65b86ae6b5e5cc75e294ead6c59391a1edc5e016e3498c67fc7bbb
109+
scriptPubKey = 5120a82f29944d65b86ae6b5e5cc75e294ead6c59391a1edc5e016e3498c67fc7bbb
110+
address = bc1p4qhjn9zdvkux4e44uhx8tc55attvtyu358kutcqkudyccelu0was9fqzwh
111+
112+
// Account 0, first change address = m/86'/0'/0'/1/0
113+
xprv = xprvA3Ln3Gt3aphvUgzgEDT8vE2cYqb4PjFfpmbiFKphxLg1FjXQpkAk5M1ZKDY15bmCAHA35jTiawbFuwGtbDZogKF1WfjwxML4gK7WfYW5JRP
114+
xpub = xpub6GL8SnQwRCGDhB59LEz9HMyM6sRYoByXBzXK3iEKWgCz8XrZNHUzd9L3AUBELW5NzA7dEFvMas1F84TuPH3xqdUA5tumaGWFgihJzWytXe3
115+
internal_key = 399f1b2f4393f29a18c937859c5dd8a77350103157eb880f02e8c08214277cef
116+
output_key = 882d74e5d0572d5a816cef0041a96b6c1de832f6f9676d9605c44d5e9a97d3dc
117+
scriptPubKey = 5120882d74e5d0572d5a816cef0041a96b6c1de832f6f9676d9605c44d5e9a97d3dc
118+
address = bc1p3qkhfews2uk44qtvauqyr2ttdsw7svhkl9nkm9s9c3x4ax5h60wqwruhk7
119+
</pre>
120+
121+
==Reference==
122+
123+
* [[bip-0032.mediawiki|BIP32 - Hierarchical Deterministic Wallets]]
124+
* [[bip-0043.mediawiki|BIP43 - Purpose Field for Deterministic Wallets]]
125+
* [[bip-0044.mediawiki|BIP44 - Multi-Account Hierarchy for Deterministic Wallets]]
126+
* [[bip-0049.mediawiki|BIP49 - Derivation scheme for P2WPKH-nested-in-P2SH based accounts]]
127+
* [[bip-0084.mediawiki|BIP84 - Derivation scheme for P2WPKH based accounts]]
128+
* [[bip-0341.mediawiki|BIP341 - Taproot: SegWit version 1 spending rules]]
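
Review bot: In "Address derivation", `internal_key: lift_x(derived_key)` leaves the input type unstated: derived_key comes out of BIP 32 derivation as a full key, while lift_x in BIP 340 takes an x coordinate, so the text should say that the x coordinate of the derived public key is what gets lifted. The section also gives only the public-side computation; a sentence pointing signers at BIP 341's private-key tweaking, which negates the secret key when the internal point has odd Y before adding the tweak, would keep wallets from deriving output keys they cannot sign for. `32_byte_output_key` is defined as a point sum, so state that it is serialized as the x coordinate only. Finally, the test vectors list `bc1p...` addresses but neither the text nor the Reference list names the address encoding; a BIP 350 (bech32m) entry is worth adding.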
