new ELIP: Confidential Transaction descriptors

[apoelstra]

This ELIP describes CT descriptors, as needed to attach blinding keys to existing descriptors and therefore create confidential addresses.

It does not cover:

• Ordinary Elements descriptors, e.g. eltr; these need a separate standard preceding this one
• Pegins or pegouts
• Anything related to PAK keys

Dupliicate of #1 created because of Github bugs.

[LeoComandini]

github does not render ct(<BLINDING_KEY>, <DESCRIPTOR>) correctly,
see https://github.com/apoelstra/ELIPs/blob/2022-10--ct-descriptors/elip-ct-descriptors.mediawiki#overview

Also in the "specification" section the bullet points have few rendering issues.

[apoelstra]

Yeah, I see, it's because I'm using MD rather than mediawiki tags. I need to go over the entire doc.

[LeoComandini]

non-concrete descriptor

What is a "concrete" descriptor?

[apoelstra]

One that is not derived. I should change this to "non-derived" which I think would be clearer.

[LeoComandini]

(extended) public key

What do you mean by extended here?
Does this mean we can have xpubs here?

[apoelstra]

Yes, it means an xpub.

[LeoComandini]

as it will when used for wallet backups,

nit: This is a bit misleading to me,
why a wallet should include private keys there?

I'm not against allowing to have private keys in hash_to_private,
but I don't understand how setting private keys set in hash_to_private helps the wallet backup and why a wallet should do that.

Anyway this is a nit, so feel free to ignore.

[apoelstra]

Bitcoin Core's wallet backups consist of descriptors where every public key slot is filled by a private key. It can also import descriptors of this form, in which case it is able to sign with them.

I agree that in the case of hash_to_private there's no value in making these keys private, since they're never interpreted as private keys. But when dealing with import/export it is easiest if all the keys have the same datatype, which means that all keys, including these, would end up being private ones.

[apoelstra]

@LeoComandini thanks for your review! I have fixed the formatting (I think/hope), and changed the "non-concrete descriptor" text to be clearer.

[LeoComandini]

nit:

both

now we have single variant with <KEY>

[LeoComandini]

extended

Why a wallet should use a xpub/xprv as a bare blinding key?

Now that the key is tweaked with the scriptpubkey (which in most cases should be derived from some xpubs),
I can't think of a reason why a wallet should use xpub/xprv as "master" blinding key rather than a public/private key.

Does it make sense to disallow extended keys for the "bare" variant?

[apoelstra]

I don't think so. We definitely should support xpubs/xprivs so that they can specify things that have BIP32 paths starting from an existing master seed (otherwise they will need to do a bunch of extra work to derive a public key and then remember how they got it).

I agree that supporting ranged xpubs no longer has a clear utility ... but I see no reason to ban it either.

[jgriffiths]

which is an ordinary (extended) public key;

This should probably read something like:

<code><KEY></code> which is an ordinary (or extended) private or public key;

An example bare key with xpub/xprv would be useful in the examples, as would a raw private rather than public key.

[apoelstra]

Rebased, fixed both nit, added test vectors.

[LeoComandini]

Should this be H<sub>tag</sub>(K, <code>scriptPubKey</code>) * G? or K is a private key?

[apoelstra]

Nope, you're right.

[LeoComandini]

nit: missing reason here and below

[apoelstra]

oops, I was supposed to fill those in by hand :P

[LeoComandini]

Can we please have a valid test vector for the bare variant specifying a private key?
That should be the most practical use case, i.e. allowing unblinding

[apoelstra]

Sure, though I'd need to implement that :P. Give me a day or two. I think I can do it before ElementsProject/rust-elements#166 (which is blocking the reference implementation) gets in.

[apoelstra]

Sorry for the long delay. Switching to xpubs was easy but the view key support was pretty annoying because our elements-miniscript implementation doesn't directly relate secret key types to public key types, making it difficult to elegantly have "one key private, others public" for view keys. In the end I hacked it in, but as implemented it does not support e.g. ranged blinding keys.

I have updated the test vectors in the ELIP, and the reference implementation at ElementsProject/elements-miniscript#31

[LeoComandini]

Can we add test vectors with non-extended public and private blinding keys?

[LeoComandini]

nit: the name here is slightly confusing, "blinding public key" is the one encoded in the confidential address, this is more like the "SLIP77 master blinding key", perhaps we should name it "master blinding public key" or "descriptor blinding public key". But any name is fine for me, as long we have different one wrt the derived (public) blinding keys

[apoelstra]

Oh, good point. I think I'll change this to "Descriptor blinding [public] key". Agreed it's confusing now that the key in the descriptor is different from the key in the address.

[sanket1729]

ACK 530cbf4. Sorry for my confusion on the PR review.

[sanket1729]

nit: It would be great if this specifically mentions KEY expression in descriptor spec. Reading the words compressed key confused me a bit.

another nit: This also mentions multi-path KEY expressions. I don't think we want to support that.

[apoelstra]

Where does it mention multi-path KEY expressions? I did not even know those existed when I was writing this.

[real-or-random]

Perhaps the "all key(s)" is confusing. There's just a single key.

[apoelstra]

It might be a musig of multiple keys.

[real-or-random]

in the <KEY> expression?

[sanket1729]

Key expressions are defined as follows. https://github.com/bitcoin/bips/blob/master/bip-0380.mediawiki#key-expressions. I think what we mean to say that all KEY expressions that are not uncompressed keys are allowed.

[real-or-random]

I'm not sure. We say <code><KEY></code> which is an ordinary (extended) public key. We don't state anywhere that this is a "key expression" as in BIP380.

If it's supposed to be a key expression as in BIP380, we should say this. If not, we should consider renaming KEY.

[apoelstra]

Ok, I will reword this. Yes, it is supposed to be a key expression.

[apoelstra]

Though it would be nice if we had our own ELIP for key expressions so that we can extend it to support musig() eventually. Though I have zero interest in doing that. This ELIP has been more than enough standards work for one lifetime.

[apoelstra]

I apologize for not doing the test vectors yet. I will try to get them before the end of this week.

Meanwhile we should really give this a number. I propose 150. If nobody complains I will assign this and update the PR tomorrow.

[delta1]

Suggested change

	Here <code>DESCRIPTOR</code> refers to any existing descriptor, e.g. <code>elwsh(...)</code> or <code>eltr(...)</code> and <code>BLINDING_KEY</code> is a new expression which must be one of
	Here <code>DESCRIPTOR</code> refers to any existing descriptor, e.g. <code>elwsh(...)</code> or <code>eltr(...)</code>

Is this recursive - can a ct descriptor include another ct descriptor?

[apoelstra]

No.

[delta1]

Cool, might be worth specifying (edit: sorry didn't realize you already had a reference implementation)

[apoelstra]

How can I be more specific than "any existing descriptor"?

[apoelstra]

Updated exposition, added new test vectors, and assigned ELIP 150.

[sanket1729]

ACK 5726891 . One small missing thing is that test vectors don't mention the address was created for elements regtest network.

    pub const ELEMENTS: AddressParams = AddressParams {
        p2pkh_prefix: 235,
        p2sh_prefix: 75,
        blinded_prefix: 4,
        bech_hrp: "ert",
        blech_hrp: "el",
    };

[apoelstra]

Thanks! Going to merge this. The test network thing is somewhat implicit by the prefix of the addresses, but we should mention it nonetheless. Can do this in a followup PR.