BIP 174: Partially Signed Bitcoin Transaction Format

2017-07-12

  BIP: 174
  Layer: Applications
  Title: Partially Signed Bitcoin Transaction Format
  Author: Andrew Chow <achow101@gmail.com>
  Comments-Summary: No comments yet.
  Comments-URI: https://github.com/bitcoin/bips/wiki/Comments:BIP-0174
  Status: Final
  Type: Standards Track
  Created: 2017-07-12
  License: BSD-2-Clause

Introduction

Abstract

This document proposes a binary transaction format which contains the information necessary for a signer to produce signatures for the transaction and holds the signatures for an input while the input does not have a complete set of signatures. The signer can be offline as all necessary information will be provided in the transaction.

The generic format is described here in addition to the specification for version 0 of this format.

This BIP is licensed under the 2-clause BSD license.

Motivation

Creating unsigned or partially signed transactions to be passed around to multiple signers is currently implementation dependent, making it hard for people who use different wallet software from being able to easily do so. One of the goals of this document is to create a standard and extensible format that can be used between clients to allow people to pass around the same transaction to sign and combine their signatures. The format is also designed to be easily extended for future use which is harder to do with existing transaction formats.

Signing transactions also requires users to have access to the UTXOs being spent. This transaction format will allow offline signers such as air-gapped wallets and hardware wallets to be able to sign transactions without needing direct access to the UTXO set and without risk of being defrauded.

Specification

The Partially Signed Bitcoin Transaction (PSBT) format consists of key-value maps. Each map consists of a sequence of key-value records, terminated by a 0x00 byte [1].

 :=   *
 := 0x70 0x73 0x62 0x74 0xFF
 := * 0x00
 := * 0x00
 := * 0x00
 :=  
 :=   
 :=  

Where:

  • A compact size unsigned integer representing the type. This compact size unsigned integer must be minimally encoded, i.e. if the value can be represented using one byte, it must be represented as one byte. There can be multiple entries with the same within a specific , but the must be unique.
  • The compact size unsigned integer containing the combined length of and
  • The compact size unsigned integer containing the length of .
  • Magic bytes which are ASCII for psbt **Why use 4 bytes for psbt?** The

transaction format needed to start with a 5 byte header which uniquely identifies it. The first bytes were chosen to be the ASCII for psbt because that stands for Partially Signed Bitcoin Transaction. followed by a separator of 0xFF[2]. This integer must be serialized in most significant byte order.

The currently defined global types are as follows:

Name Description DescriptionVersions Requiring InclusionVersions Requiring ExclusionVersions Allowing InclusionParent BIP
Unsigned TransactionPSBT_GLOBAL_UNSIGNED_TX = 0x00NoneNo key dataThe transaction in network serialization. The scriptSigs and witnesses for each input must be empty. The transaction must be in the old serialization format (without witnesses).00174
Extended Public KeyPSBT_GLOBAL_XPUB = 0x01The 78 byte serialized extended public key as defined by BIP 32. Extended public keys are those that can be used to derive public keys used in the inputs and outputs of this transaction. It should be the public key at the highest hardened derivation index so that the unhardened child keys used in the transaction can be derived.<32-bit uint> <32-bit uint>*The master key fingerprint as defined by BIP 32 concatenated with the derivation path of the public key. The derivation path is represented as 32-bit little endian unsigned integer indexes concatenated with each other. The number of 32 bit unsigned integer indexes must match the depth provided in the extended public key.0, 2174
Transaction VersionPSBT_GLOBAL_TX_VERSION = 0x02NoneNo key data<32-bit uint>The 32-bit little endian signed integer representing the version number of the transaction being created. Note that this is not the same as the PSBT version number specified by the PSBT_GLOBAL_VERSION field.202psbt2
Fallback LocktimePSBT_GLOBAL_FALLBACK_LOCKTIME = 0x03NoneNo key data<32-bit uint>The 32-bit little endian unsigned integer representing the transaction locktime to use if no inputs specify a required locktime.02psbt2
Input CountPSBT_GLOBAL_INPUT_COUNT = 0x04NoneNo key dataCompact size unsigned integer representing the number of inputs in this PSBT.202psbt2
Output CountPSBT_GLOBAL_OUTPUT_COUNT = 0x05NoneNo key dataCompact size unsigned integer representing the number of outputs in this PSBT.202psbt2
Transaction Modifiable FlagsPSBT_GLOBAL_TX_MODIFIABLE = 0x06NoneNo key data A single byte boolean (0 for False, 1 for True) representing whether inputs can be modified, followed by a single byte boolean representing whether outputs can be modified.02psbt2
SIGHASH_SINGLE InputsPSBT_GLOBAL_SIGHASH_SINGLE_INPUTS = 0x07NoneNo key dataA bit vector representing which input indexes use SIGHASH_SINGLE. If the bit for an index is set to 1, then the input and output pair at that index are tied together with SIGHASH_SINGLE and must be moved together.02psbt2
PSBT Version NumberPSBT_GLOBAL_VERSION = 0xFBNoneNo key data<32-bit uint>The 32-bit little endian unsigned integer representing the version number of this PSBT. If omitted, the version number is 0.0, 2174
Proprietary Use TypePSBT_GLOBAL_PROPRIETARY = 0xFC Compact size unsigned integer , followed by identifier prefix of that length , followed by a subtype , followed by the key data itself .Any value data as defined by the proprietary type user.0, 2174

The currently defined per-input types are defined as follows:

Name Description DescriptionVersions Requiring InclusionVersions Requiring ExclusionVersions Allowing InclusionParent BIP
Non-Witness UTXOPSBT_IN_NON_WITNESS_UTXO = 0x00NoneNo key dataThe transaction in network serialization format the current input spends from. This should be present for inputs that spend non-segwit outputs and can be present for inputs that spend segwit outputs. An input can have both PSBT_IN_NON_WITNESS_UTXO and PSBT_IN_WITNESS_UTXO. [3]0, 2174
Witness UTXOPSBT_IN_WITNESS_UTXO = 0x01NoneNo key data<64-bit int> The entire transaction output in network serialization which the current input spends from. This should only be present for inputs which spend segwit outputs, including P2SH embedded ones. An input can have both PSBT_IN_NON_WITNESS_UTXO and PSBT_IN_WITNESS_UTXO0, 2174
Partial SignaturePSBT_IN_PARTIAL_SIG = 0x02The public key which corresponds to this signature.The signature as would be pushed to the stack from a scriptSig or witness.0, 2174
Sighash TypePSBT_IN_SIGHASH_TYPE = 0x03NoneNo key data<32-bit uint>The 32-bit unsigned integer specifying the sighash type to be used for this input. Signatures for this input must use the sighash type, finalizers must fail to finalize inputs which have signatures that do not match the specified sighash type. Signers who cannot produce signatures with the sighash type must not provide a signature.0, 2174
Redeem ScriptPSBT_IN_REDEEM_SCRIPT = 0x04NoneNo key dataThe redeemScript for this input if it has one.0, 2174
Witness ScriptPSBT_IN_WITNESS_SCRIPT = 0x05NoneNo key dataThe witnessScript for this input if it has one.0, 2174
BIP 32 Derivation PathPSBT_IN_BIP32_DERIVATION = 0x06The public key<32-bit uint> <32-bit uint>*The master key fingerprint as defined by BIP 32 concatenated with the derivation path of the public key. The derivation path is represented as 32 bit unsigned integer indexes concatenated with each other. Public keys are those that will be needed to sign this input.0, 2174
Finalized scriptSigPSBT_IN_FINAL_SCRIPTSIG = 0x07NoneNo key dataThe Finalized scriptSig contains a fully constructed scriptSig with signatures and any other scripts necessary for the input to pass validation.0, 2174
Finalized scriptWitnessPSBT_IN_FINAL_SCRIPTWITNESS = 0x08NoneNo key dataThe Finalized scriptWitness contains a fully constructed scriptWitness with signatures and any other scripts necessary for the input to pass validation.0, 2174
Proof-of-reserves commitmentPSBT_IN_POR_COMMITMENT = 0x09NoneNo key dataThe UTF-8 encoded commitment message string for the proof-of-reserves. See BIP 127 for more information.0, 2127
RIPEMD160 preimagePSBT_IN_RIPEMD160 = 0x0a<20-byte hash>The resulting hash of the preimageThe hash preimage, encoded as a byte vector, which must equal the key when run through the RIPEMD160 algorithm0, 2174
SHA256 preimagePSBT_IN_SHA256 = 0x0b<32-byte hash>The resulting hash of the preimageThe hash preimage, encoded as a byte vector, which must equal the key when run through the SHA256 algorithm0, 2174
HASH160 preimagePSBT_IN_HASH160 = 0x0c<20-byte hash>The resulting hash of the preimageThe hash preimage, encoded as a byte vector, which must equal the key when run through the SHA256 algorithm followed by the RIPEMD160 algorithm0, 2174
HASH256 preimagePSBT_IN_HASH256 = 0x0d<32-byte hash>The resulting hash of the preimageThe hash preimage, encoded as a byte vector, which must equal the key when run through the SHA256 algorithm twice0, 2174
Previous TXIDPSBT_IN_PREVIOUS_TXID = 0x0eNoneNo key data32 byte txid of the previous transaction whose output at PSBT_IN_OUTPUT_INDEX is being spent.202psbt2
Spent Output IndexPSBT_IN_OUTPUT_INDEX = 0x0fNoneNo key data<32-bit uint>32 bit little endian integer representing the index of the output being spent in the transaction with the txid of PSBT_IN_PREVIOUS_TXID.202psbt2
Sequence NumberPSBT_IN_SEQUENCE = 0x10NoneNo key data<32-bit uint>The 32 bit unsigned little endian integer for the sequence number of this input. If omitted, the sequence number is assumed to be the final sequence number (0xffffffff).02psbt2
Required Time-based LocktimePSBT_IN_REQUIRED_TIME_LOCKTIME = 0x11NoneNo key data<32-bit uint>32 bit unsigned little endian integer greater than or equal to 500000000 representing the minimum Unix timestamp that this input requires to be set as the transaction's lock time.02psbt2
Required Height-based LocktimePSBT_IN_REQUIRED_HEIGHT_LOCKTIME = 0x12NoneNo key data<32-bit uiht>32 bit unsigned little endian integer less than 500000000 representing the minimum block height that this input requires to be set as the transaction's lock time.02psbt2
Proprietary Use TypePSBT_IN_PROPRIETARY = 0xFC Compact size unsigned integer , followed by identifier prefix of that length , followed by a subtype , followed by the key data itself .Any value data as defined by the proprietary type user.0, 2174

The currently defined per-output [4] types are defined as follows:

Name

Description

Description

Versions Requiring Inclusion

Versions Requiring Exclusion

Versions Allowing Inclusion

Parent BIP

Redeem Script

PSBT_OUT_REDEEM_SCRIPT = 0x00

None

No key data

The redeemScript for this output if it has one.

0, 2

174

Witness Script

PSBT_OUT_WITNESS_SCRIPT = 0x01

None

No key data

The witnessScript for this output if it has one.

0, 2

174

BIP 32 Derivation Path

PSBT_OUT_BIP32_DERIVATION = 0x02

The public key

<{32-bit uint> <32-bit uint>*

The master key fingerprint concatenated with the derivation path of the public key. The derivation path is represented as 32-bit little endian unsigned integer indexes concatenated with each other. Public keys are those needed to spend this output.

0, 2

174

Output Amount

PSBT_OUT_AMOUNT = 0x03

None

No key data

<64-bit int>

64 bit signed little endian integer representing the output's amount in satoshis.

2

0

2

psbt2

Output Script

PSBT_OUT_SCRIPT = 0x03

None

No key data