Bip Draft: Sending Silent Payments in PSBTs

[andrewtoth]

This BIP adds support for sending silent payments using PSBTs.

If there are multiple entities handling the PSBT that do not have access to some input private keys, a DLEQ proof by the signer may be added for other entities to verify the corresponding ECDH shares used to derive the output scripts were generated correctly. This will be specified in a following BIP. For the common case of a single entity that has access to all private keys, the DLEQ proof generation is unnecessary.

Spending support is trivial and can be done with a modification to BIP370 to add a new input field for the tweak data.

[jonatack]

Mailing list post on Oct 17 at https://groups.google.com/g/bitcoindev/c/5G5wzqUXyk4.

[jonatack]

Suggest defining "Discrete Log Equality Proofs (DLEQ)" above this / on first use, and discuss overlap with #1689 (if any) or linkage to be made between the two.

[theStack]

as already noted in the DLEQ gist, this should have a size of 33 bytes instead, as it represents a point on the curve (https://gist.github.com/andrewtoth/df97c3260cc8d12f09d3855ee61322ea?permalink_comment_id=5250407#gistcomment-5250407), and representing it as x-only very likely only increases complexity for the DLEQ proof.

[murchandamus]

I did a light review and left a few questions mostly. Your idea makes sense, the content is coming along nicely, and I have found no issues regarding the formatting.

Perhaps some of the answers to my questions could be recorded as footnotes in the Rationale, where they seem likely to be of interest to future readers.

[murchandamus]

Consistency nit: "BIP 370", but "BIP352"

[murchandamus]

What creates the requirement to sign with SIGHASH_ALL? A quick check suggests that BIP 352 only recommends it, but doesn’t require it, and BIP 370 doesn’t seem to impose such a requirement. I might have missed something of course.

[nothingmuch]

I had the same question. The rationale in BIP 352 seems to imply that just forbidding ANYONECANPAY, i.e. that all signatures must fully commit to the input set, which seems sufficient even the PSBT setting?

[andrewtoth]

Signing with SIGHASH_NONE doesn't make sense because you will have to generate the ECDH shares for all payments, but they could then be removed or new ones added. So you will have to go back to the signer again. I suppose technically this could be allowed but I don't see a use for it, and it could be used by a griefer to force the party to keep going back to the signer. If you want to have a signer sign all non-eligible inputs with SIGHASH_NONE, give the signer the inputs before adding any silent payment outputs. It would then fall back to BIP 370.
Signing with SIGHASH_SINGLE would allow another participant to add a payment to the same scan key, but a lower lexicographic order, invalidating the k value in the output script.
Signing with SIGHASH_ANYONECANPAY is unsafe as per BIP 352.

I suppose I could add this as a footnote.
But also, I don't think this sentence should be in the motivation section.

[murchandamus]

If there is a single signer, why would others need to be able to verify? If there are multiple signers, wouldn’t all signers need to collaborate by putting forth shares rather than "computing silent payment outputs"?

[andrewtoth]

If there is a single signer, why would others need to be able to verify?

In the case of a hardware wallet connected to a software wallet, the hardware wallet is the single signer but the software wallet must verify that the output is computed properly before broadcasting.

If there are multiple signers, wouldn’t all signers need to collaborate by putting forth shares rather than "computing silent payment outputs"?

Yes, all signers need to collaborate and put forth shares, but they must also compute the output script before signing. This computed output script must be added to the PSBT before signing to be compatible with BIP 370 signing process. After it is added, the other signers can compute the output script to verify themselves before signing.

[murchandamus]

Does it make sense to require the presence of either PSBT_OUT_SCRIPT or PSBT_OUT_SP_V0_INFO? What if there is another future extension of BIP 370 that provides a third option?

Would it perhaps be sufficient to declare an output that has both the fields PSBT_OUT_SCRIPT and PSBT_OUT_SP_V0_INFO to make the PSBT invalid (i.e. at most one of these two can be present)?

Perhaps the interplay of these two fields could be elaborated.

[andrewtoth]

I don't think making these fields exclusive will work. The PSBT_OUT_SCRIPT must be added to sign the PSBT. The PSBT_OUT_SP_V0_INFO must be present to verify that the PSBT_OUT_SCRIPT is actually correct after it is added.

What if there is another future extension of BIP 370 that provides a third option?

That would indeed soften this requirement. This BIP would have to be modified to support that extension, making it

If either PSBT_OUT_SCRIPT or PSBT_OUT_NEW_EXTENSION are not included in the output, then the field PSBT_OUT_SP_V0_INFO must be included.

I don't really have an idea on how this could be made more graceful for that scenario.

Perhaps the interplay of these two fields could be elaborated.

I will add some more context in a footnote, thanks.

[murchandamus]

I found this sentence confusing. Does this also hold if both PSBT_OUT_SP_V0_INFO and PSBT_OUT_SCRIPT are specified on an output?

[andrewtoth]

No, it does not hold once PSBT_OUT_SCRIPT is added to an output. Only outputs without that field would need to fall back to PSBT_OUT_SP_V0_INFO. I will clarify this in the text.

[murchandamus]

This might be a bit out of scope for your PR, but I was just wondering:
Silent Payment transactions disallow inputs spending native segwit outputs with version > 1, but should it perhaps also exclude native segwit outputs with version 1 that are not P2TR inputs? Most of version 1 is yet unencumbered, are Silent Payments robust in regard to Pay to Anchor?

[andrewtoth]

I believe BIP 352 specifies that only the script template OP_1 <32 bytes> is used, and not that it is segwit v1. So, P2A does not follow that template, and will be ignored. But, segwit versions higher than v1 specifically are prohibited for forward compatibility reasons.

This is what I understood from @josibake's explanation.

[murchandamus]

As mentioned above, this seems to be stricter than BIP 352 itself. Is this intentional?

[andrewtoth]

This is intentional. SIGHASH_SINGLE is unsafe for k values. SIGHASH_NONE does not make sense since you will have to compute ECDH shares for the outputs, but you presumably don't care about the outputs if you are signing with that flag.

[murchandamus]

I was surprised that we provide a single share and a single DLEQ proof per participant rather than one per input. In case there are multiple participants, this leaks to all other participants which inputs were provided in bulk by one party. I was wondering if there might be better privacy properties if participants provide a separate share for each input, that way all subsequent participants do not know how previous inputs group if the PSBT is passed in a circle rather than shared with all participants after each step. Maybe I’m overthinking this, though.

[andrewtoth]

This is provided as a performance optimization so that there is only one proof for multiple inputs.
It is not required to combine all your inputs. You could selectively add different shares and proofs for each inputs you don't want to link. I suppose I could make that option more explicit in the text.

[murchandamus]

Should the "Updater" role perhaps appear before the "Signer"? Adding change would probably happen at the same time participants add inputs, so surely before signing?

[murchandamus]

Suggested change

	License: BSD-2-Clause
	License: BSD-2-Clause
	Post-History: https://groups.google.com/g/bitcoindev/c/5G5wzqUXyk4
	Requires: 352, 370

[nothingmuch]

As specified, computing the sum of ECDH_SHARE values requires some additional validation to ensure the computed script outputs are spendable.

This makes some intermediate states of a PSBT that are currently allowed either unsafe (potentially creating unspendable outputs) or with validation introduces potential for failure, because a signer is technically allowed to add ECDH shares for two non-disjoint input sets with a non-empty symmetric difference.

Instead of introducing this additional validation I think it would be simpler to specify one ECDH share per input, as a per input field, this is actually more compact without DLEQ proofs, as Murch notes, better for privacy, and IMO seems easier to implement, but at the very least I think this needs clarification on how to compute the sum safely.

[nothingmuch]

I had the same question. The rationale in BIP 352 seems to imply that just forbidding ANYONECANPAY, i.e. that all signatures must fully commit to the input set, which seems sufficient even the PSBT setting?

[nothingmuch]

Suggested change

	- Compute and set an ECDH share and DLEQ proof using all inputs it has the private key for.
	- Verify the DLEQ proofs for all inputs it does not have the private keys for.
	- If all eligible inputs have an ECDH share, compute and set the PSBT_OUT_SCRIPT.
	* Compute and set an ECDH share and DLEQ proof using all inputs it has the private key for.
	* Verify the DLEQ proofs for all inputs it does not have the private keys for.
	* If all eligible inputs have an ECDH share, compute and set the PSBT_OUT_SCRIPT.

[nothingmuch]

This seems to imply any subset of the inputs can be specified, presumably for grouping by owner.

The main advantage over allowing only one outpoint per ECDH share seems to be a reduction in proving complexity for signers who choose to provide DLEQ proofs, since the 36 byte outpoint outweighs a a * B_scan if it were provided in a per input field with an output index or even B_scan as the keydata.

Some disadvantages:

1. Mostly theoretical privacy concern: the DLEQ proof is publicly verifiable, and so much stronger heuristic for common ownership than the traditional common input ownership heuristic. Other parties or observers of the PSBT might store or leak such values, which hurts Signers' deniability.
2. If the outpoint lists are not disjoint, then the correct sum might not be computable even if all inputs are accounted for by some share. If every ECDH_SHARE corresponded to only a single outpoint, as long as each signer contributes a value for each input, in any order, the sum can always be computed. If users modify a PSBT over multiple devices with partly overlapping access to private keys, single input shares ensure all intermediate states can lead to a fully signed state, regardless of the order in which the user proceeded.

[andrewtoth]

The main advantage over allowing only one outpoint per ECDH share seems to be a reduction in proving complexity for signers who choose to provide DLEQ proofs

The main advantage is reduction in both ECDH share generation and proving complexity.
All outpoint private keys can be summed, and then only a single ECC mult for the shares, and 2 ECC mults for the proof.

Consider the common case of a single sig wallet using a hardware signing device receiving many small inputs over time. The wallet now contains 100 utxos and wants to spend to a single silent payment address.
By using single share and proof for each outpoint, that is 100 * ECDH share + 100 * DLEQ proof (2 ECC mults) + 100 * signatures = 400 ECC mults.
By summing all inputs, the result is now 1 * ECDH share + 1 * DLEQ proof (2 ECC mults) + 100 signatures = 103 ECC mults.
On a simple hardware signing device, this makes the signing time 4x, making it potentially a few minutes to over 10.

re: disadvantages

1. It is only an option to combine the inputs. You can still provide a share and proof per input or whatever combination of inputs you'd like. I will make this more clear in the text. I believe the single sig with hardware wallet is the most common case though, so we should optimize for that case.
2. This is indeed a potential pitfall. It could also be addressed by providing a share and proof per input as a fallback. I will add some text to address this situation.

[nothingmuch]

For a given set of outpoints, there are multiple relevant B_scan generators all of which share share the same a witness in their respective proofs. This could be one batch proof per SP output set, instead of per individual B_scan. Although only a single 64 byte proof per input set is required, the prover and verifier complexity is the same as n proofs, where n is the number of SP outputs.

[andrewtoth]

Yes, this is a great insight, thank you!

Would it not also reduce the complexity, since it would only be one proof to verify after summing the B_scan generators instead of verifying each proof individually?

[nothingmuch]

If you mean given $P = aG$, and scan keys $(B_i)_{i=1}^n$, it's possible to prove knowlege of $a$ in $Q = a (n^{-1} \sum B_i)$ where $n^{-1} \sum B_i$ is a public input, but I'm not sure this is sound / proving the same thing.

This reference (section 3.2.3.3) seems to suggest it isn't, see footnote 16 on page 73, there's additional delinearization terms which are similar to key cancellation mitigation (and afaict are amenable to Fiat-Shamir just the same). This is an improvement over my implied suggestion as batched multiplication be used, but it does not reduce it to a single multiplication. Admittedly I don't yet see how to actually attack soundness as a malicious prover, especially when the prover does not control the choice of the the B_scan keys.

The batch proof I'm familiar with involves having an R point per generator, so same structure as proposed in the DLEQ BIP, just generalized from 2 to n+1 verification equations. When the proof is encoded as the challenge and the response, the encoding the n+1 R points is implicit, so the size would still be 64 bytes and both prover and verifier work is concretely reduced (~half the verification equations, and a shared challenge hash), but not asymptotically as the total work is still linear for both prover and verifier.

[nothingmuch]

IIUC, if it were not for this, blinding the SP_V0_INFO field would be technically be possible.

Since that would necessarily add another round of communication between the various entities, as only only updaters with access to the blinding keys could set the output.

A global flag to indicate whether the additional round is required might make sense?

This flag might have 3 values, indicating if blinding is not used (allowing signers to update outputs), optional (precluding that), or required in which case all outputs must have SP_V0_INFO, with dummy values used for non-SP outputs. "required" or "mandatory" blinding is a bit misleading, it's providing deniability as to which outputs use SP, not requiring SP and blinding actually be used.

[nothingmuch]

Assuming my suggestion to make shares be one per input is rejected, this needs to verify that the sets of outpoints in all ECDH_SHARE fields for a given scan key form a valid partition of the BIP 352 input set (no duplicates, no missing outpoints) before computing the sum of the values, or this sum might differ from b_scan·A where A is also is computed as in BIP 352 scanning.