bip-0352.mediawiki: 2 additions & 8 deletions
@@ -279,12 +279,6 @@ The sender performs the tweak using the private key for the nested ''P2WPKH'' ou
279
279
280
280
The receiver obtains the public key from the ''scriptSig''. The receiver MUST parse the ''scriptSig'' for the public key, even if the ''scriptSig'' does not match the template specified (e.g. <code><dummy> OP_DROP <Signature> <Public Key></code>). This is to address the [https://en.bitcoin.it/wiki/Transaction_malleability third-party malleability of ''P2PKH''''scriptSigs''].
281
281
282
-
=== Input hash ===
283
-
284
-
The sender and receiver MUST calculate an input hash for the transaction in the following manner:
285
-
286
-
* Let ''input_hash = hash<sub>BIP0352/Inputs</sub>(outpoint<sub>L</sub> || A)'', where ''outpoint<sub>L</sub>'' is the smallest outpoint lexicographically by txid and vout used in the transaction<refname="why_smallest_outpoint"></ref>
287
-
288
282
=== Sender ===
289
283
290
284
==== Selecting inputs ====
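Review bot: Deleting the "Input hash" section drops two things that the inlined replacements do not carry over: the normative "The sender and receiver MUST calculate an input hash" sentence, and the qualifier "by txid and vout" on the lexicographic ordering. The new bullets say only "Let ''input_hash = ...''" and "smallest ''outpoint'' lexicographically", so the document no longer states what is being compared. Since sender and receiver must pick the same ''outpoint<sub>L</sub>'' or they derive different shared secrets, I would keep the "by txid and vout" wording (or name the serialized form being compared) in the new text, and check that nothing else in the file still says "described above" or links to the removed heading.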
@@ -303,7 +297,7 @@ After the inputs have been selected, the sender can create one or more outputs f
303
297
* For each private key ''a<sub>i</sub>'' corresponding to a [https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki BIP341] taproot output, check that the private key produces a point with an even Y coordinate and negate the private key if not<refname="why_negate_taproot_private_keys">'''Why do taproot private keys need to be checked?''' Recall from [https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki BIP340] that each X-only public key has two corresponding private keys, ''d'' and ''n - d''. To maintain parity between sender and receiver, it is necessary to use the private key corresponding to the even Y coordinate when performing the ECDH step since the receiver will assume the even Y coordinate when summing the taproot X-only public keys.</ref>
304
298
* Let ''a = a<sub>1</sub> + a<sub>2</sub> + ... + a<sub>n</sub>'', where each ''a<sub>i</sub>'' has been negated if necessary
305
299
** If ''a = 0'', fail
306
-
* Generate the ''input_hash'' with the smallest outpoint lexicographically and ''A = a·G'', using the method described above
300
+
* Let ''input_hash = hash<sub>BIP0352/Inputs</sub>(outpoint<sub>L</sub> || A)'', where ''outpoint<sub>L</sub>'' is the smallest ''outpoint'' lexicographically used in the transaction<refname="why_smallest_outpoint"></ref> and ''A = a·G''
307
301
* Group receiver silent payment addresses by ''B<sub>scan</sub>'' (e.g. each group consists of one ''B<sub>scan</sub>'' and one or more ''B<sub>m</sub>'')
308
302
* For each group:
309
303
** Let ''ecdh_shared_secret = input_hash·a·B<sub>scan</sub>''
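Review bot: On the added sender bullet, ''A = a·G'' is tacked on after the footnote marker at the end of the "where" clause, so ''A'' is used inside the hash expression before it is defined and the definition is easy to miss. The receiver section defines ''A'' in its own bullet before ''input_hash''; doing the same here would make the two procedures line up, for example a separate "Let ''A = a·G''" bullet directly after the "If ''a = 0'', fail" check, followed by the ''input_hash'' bullet. The ordering key also lost "by txid and vout" compared with the removed section, which matters because a sender that sorts differently produces outputs the receiver will not find.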
@@ -336,7 +330,7 @@ If each of the checks in ''[[#scanning-silent-payment-eligible-transactions|Scan
336
330
337
331
* Let ''A = A<sub>1</sub> + A<sub>2</sub> + ... + A<sub>n</sub>'', where each ''A<sub>i</sub>'' is the public key of an input from the ''[[#inputs-for-shared-secret-derivation|Inputs For Shared Secret Derivation]]'' list
338
332
** If ''A'' is the point at infinity, skip the transaction
339
-
* Generate the ''input_hash'' with the smallest outpoint lexicographically and ''A'', using the method described above
333
+
* Let ''input_hash = hash<sub>BIP0352/Inputs</sub>(outpoint<sub>L</sub> || A)'', where ''outpoint<sub>L</sub>'' is the smallest ''outpoint'' lexicographically used in the transaction<refname="why_smallest_outpoint"></ref>
340
334
* Let ''ecdh_shared_secret = input_hash·b<sub>scan</sub>·A''
341
335
* Check for outputs:
342
336
** Let ''outputs_to_check'' be the taproot output keys from all taproot outputs in the transaction (spent and unspent).
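Review bot: The added receiver bullet repeats the sender's ''input_hash'' formula verbatim, so the specification now has two copies of a definition that must stay byte-for-byte identical for scanning to work; a later edit to one and not the other would be a silent interoperability break. If the duplication is intended for readability, consider a short note that both sides compute the same value. Also, the why_smallest_outpoint footnote appears with an empty body in both added bullets, as it did in the removed section; please confirm its text is defined once elsewhere in the file so that the rationale is not lost with this change.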