You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: bip-0388.mediawiki
+13-3Lines changed: 13 additions & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -42,7 +42,7 @@ A more native, compact representation of the wallet receive and change addresses
42
42
43
43
We remark that wallet policies are not related to the ''policy'' language, a higher level language that can be compiled to miniscript.
44
44
45
-
=== Security and UX concerns for hardware signing devices ===
45
+
=== Security, privacy and UX concerns for hardware signing devices ===
46
46
47
47
The usage of complex scripts presents challenges in terms of both security and user experience for a hardware signing device.
48
48
@@ -57,6 +57,18 @@ The hardware signing device must guarantee that the user knows precisely what "p
57
57
58
58
This makes it impossible for an attacker to surreptitiously modify the policy, therefore stealing or burning the user's funds.
59
59
60
+
==== Avoiding key reuse ====
61
+
62
+
Reusing public keys within a Script is a source of malleability when using miniscript policies, which has potential security implications.
63
+
64
+
Reusing keys across different UTXOs harms user privacy by allowing external parties to link these UTXOs to the same entity once they are spent.
65
+
66
+
By constraining the derivation path patterns to have a uniform structure, wallet policies prevent key reuse among the same or different UTXOs of the same account.
67
+
68
+
Using distinct public keys obtained from hardened derivation paths guarantees that no key reuse can happen also across accounts, and is strongly recommended. However, wallet policies do not mandate hardened derivation paths for the public keys, in order to maintain compatibility with existing deployments that do not adhere to this recommendation.
69
+
70
+
It is out of scope for this document to guarantee that users do not reuse extended public keys among different wallet accounts. This responsibility is left to the users and their software wallet.
71
+
60
72
==== UX issues ====
61
73
62
74
Miniscript (and taproot trees) allow substantially more complex spending policies. It is a challenge to ensure that the user can practically verify such spending policies per the screen.
@@ -189,8 +201,6 @@ Implementations can add additional metadata that is stored together with the wal
189
201
190
202
Any implementation in a software wallet that allows wallet policies not matching any of the specifications in [[bip-0044.mediawiki|BIP-44]], [[bip-0049.mediawiki|BIP-49]], [[bip-0084.mediawiki|BIP-84]], [[bip-0086.mediawiki|BIP-86]] (especially if involving external cosigners) should put great care into a process for backing up the wallet policy that represents the account. In fact, unlike standard single-signature scenarios, the seed alone is no longer enough to discover wallet policies with existing funds, and the loss of the backup is likely to lead to permanent loss of funds. Unlike the seed, leaking such backups only affects the privacy of the user, but it does not allow the attacker to steal funds.
191
203
192
-
Avoiding key reuse among different wallet accounts is also extremely important, but out of scope for this document.
193
-
194
204
=== Optional derivation paths ===
195
205
196
206
In order to allow supporting legacy derivation schemes (for example, using simply <tt>/*</tt> instead of the more common <tt>/<M;N>/*</tt> scheme most software wallets use today), or other schemes that are not covered in this document, implementations might choose to permit additional derivation patterns for the key placeholder (<tt>KP</tt>) expressions.
0 commit comments