bigspider
commented
2 months ago Hi, thanks for your comments!
You can read BIP-0388 for more precise info and more context on why the restrictions are there. I should indeed update the docs in this repo.
The limitation on the derivation steps is also true for BIP-380 descriptors, not just for wallet policies. That is, if you have:
tr(A/<0;1>/*, pk(B/<0;1>/*))
you can't allow things like tr(A/0/3, pk(B/1/7)), otherwise you have a combinatorial explosions of possible addresses that is impossible to scan for. Descriptors guarantee that you have only one (or a few) lists of possible addresses (typically, 1 list of receive addresses, and one list of change addresses), so software wallets can linearly scan these lists.
BIP-388 further restricts the derivations in order to avoid trivial fingerprinting. If a descriptor like
tr(A, pk(B/<0;1>/*))
was to be allowed, then all the addresses derived from this wallet/account would have the same pubkey for the keypath. That would be revealed when the script is spent, allowing an external observer to trivially link all the outputs on-chain as belonging to the same wallet as soon as they are spent.
Public keys are cheap, you can use a backup xpub from which the actual keys are derived, avoiding the fingerprinting issues. While the app doesn't enforce it, it is also recommended to use hardened derivations for the root xpubs used in the wallet policy.
crypto7world
Linked to #268
Context
I'm developing a Taproot Bitcoin wallet designed to allow on-chain backup access / inheritance of bitcoins. Kind of what Liana does, but in a full Taproot manner.
A possible descriptor of the wallet at some point in time could be this one (this is the external descriptor):
It allows a key-path spend at any time from the owner keys under
[44990794/86'/1'/6']and after a fixed date (and if the UTXO is older than 8640 blocks or ~60 days) it allows spending using a backup key[99ccb69a/86'/1'/1751476594'/0/0].As per the wallet.md document specification, I should be able to register this policy:
Unfortunately there is currently an "implementation specific restriction" that prevent the use of compressed public keys in the policy.
Therefore, I tested using a policy with the backup key replaced by a corresponding xpub (even if it does not make much sense for my use-case):
I was able to register this policy with my Ledger Nano X, but then I discovered the bug.
Problem
It seems that the app-bitcoin-new (at least on testnet) is always using the same derivation steps for all the keys of the policy when it computes the Merkle hash of the taptree.
Returning to my example where the real policy is using
[99ccb69a/86'/1'/1751476594'/0/0]as the backup key, the Ledger is only able to sign a PSBT (key spending path) with an input coming out of the Taproot address corresponding to[44990794/86'/1'/6'/0/0]. I could confirm that, if I change the policy to use[99ccb69a/86'/1'/1751476594'/0/1]as the backup key, then the Ledger can only sign a PSBT with an input coming out of[44990794/86'/1'/6'/0/1].Further, I think we can see in sign_psbt.c that the taptree hash is computed with a single
is_changeand a singleaddress_indexprovided as argument in awallet_derivation_info_tstructure.Expected behavior
When computing the Merkle root of the Taptree, the app should not assume that the derivation steps of every keys are the same. It put an unexpected obligation on a wallet software to always take care to derive addresses by "aligning" all the derivation steps for every xpub of the policy. It is not necessary, nor realistic in usecases outside of a multisig wallet (e.g. my usecase or Liana usecase). The PSBT provide the
tap_key_originswith each key derivation steps and should be taken into account.Final note
To be fair, using the exact same derivation steps for all xpubs of a policy is a fair assumption even if it is not strictly necessary. The real problem here is that for inheritance/backup usecase, we don't want to use xpubs in the Tapscripts. Which brings me to open another issue.