BIP 174: Partially Signed Bitcoin Transaction Format

2017-07-12

  BIP: 174
  Layer: Applications
  Title: Partially Signed Bitcoin Transaction Format
  Author: Andrew Chow <achow101@gmail.com>
  Comments-Summary: No comments yet.
  Comments-URI: https://github.com/bitcoin/bips/wiki/Comments:BIP-0174
  Status: Final
  Type: Standards Track
  Created: 2017-07-12
  License: BSD-2-Clause

Introduction

Abstract

This document proposes a binary transaction format which contains the information necessary for a signer to produce signatures for the transaction and holds the signatures for an input while the input does not have a complete set of signatures. The signer can be offline as all necessary information will be provided in the transaction.

The generic format is described here in addition to the specification for version 0 of this format.

This BIP is licensed under the 2-clause BSD license.

Motivation

Creating unsigned or partially signed transactions to be passed around to multiple signers is currently implementation dependent, making it hard for people who use different wallet software from being able to easily do so. One of the goals of this document is to create a standard and extensible format that can be used between clients to allow people to pass around the same transaction to sign and combine their signatures. The format is also designed to be easily extended for future use which is harder to do with existing transaction formats.

Signing transactions also requires users to have access to the UTXOs being spent. This transaction format will allow offline signers such as air-gapped wallets and hardware wallets to be able to sign transactions without needing direct access to the UTXO set and without risk of being defrauded.

Specification

The Partially Signed Bitcoin Transaction (PSBT) format consists of key-value maps. Each map consists of a sequence of key-value records, terminated by a 0x00 byte [1].

 :=   *
 := 0x70 0x73 0x62 0x74 0xFF
 := * 0x00
 := * 0x00
 := * 0x00
 :=  
 :=   
 :=  

Where:

  • A compact size unsigned integer representing the type. This compact size unsigned integer must be minimally encoded, i.e. if the value can be represented using one byte, it must be represented as one byte. There can be multiple entries with the same within a specific , but the must be unique.
  • The compact size unsigned integer containing the combined length of and
  • The compact size unsigned integer containing the length of .
  • Magic bytes which are ASCII for psbt **Why use 4 bytes for psbt?** The

transaction format needed to start with a 5 byte header which uniquely identifies it. The first bytes were chosen to be the ASCII for psbt because that stands for Partially Signed Bitcoin Transaction. followed by a separator of 0xFF[2]. This integer must be serialized in most significant byte order.

The currently defined global types are as follows:

Name Description DescriptionVersions Requiring InclusionVersions Requiring ExclusionVersions Allowing InclusionParent BIP
Unsigned TransactionPSBT_GLOBAL_UNSIGNED_TX = 0x00NoneNo key dataThe transaction in network serialization. The scriptSigs and witnesses for each input must be empty. The transaction must be in the old serialization format (without witnesses).00174
Extended Public KeyPSBT_GLOBAL_XPUB = 0x01The 78 byte serialized extended public key as defined by BIP 32. Extended public keys are those that can be used to derive public keys used in the inputs and outputs of this transaction. It should be the public key at the highest hardened derivation index so that the unhardened child keys used in the transaction can be derived.<32-bit uint> <32-bit uint>*The master key fingerprint as defined by BIP 32 concatenated with the derivation path of the public key. The derivation path is represented as 32-bit little endian unsigned integer indexes concatenated with each other. The number of 32 bit unsigned integer indexes must match the depth provided in the extended public key.0, 2174
Transaction VersionPSBT_GLOBAL_TX_VERSION = 0x02NoneNo key data<32-bit uint>The 32-bit little endian signed integer representing the version number of the transaction being created. Note that this is not the same as the PSBT version number specified by the PSBT_GLOBAL_VERSION field.202370
Fallback LocktimePSBT_GLOBAL_FALLBACK_LOCKTIME = 0x03NoneNo key data<32-bit uint>The 32-bit little endian unsigned integer representing the transaction locktime to use if no inputs specify a required locktime.02370
Input CountPSBT_GLOBAL_INPUT_COUNT = 0x04NoneNo key dataCompact size unsigned integer representing the number of inputs in this PSBT.202370
Output CountPSBT_GLOBAL_OUTPUT_COUNT = 0x05NoneNo key dataCompact size unsigned integer representing the number of outputs in this PSBT.202370
Transaction Modifiable FlagsPSBT_GLOBAL_TX_MODIFIABLE = 0x06NoneNo key data A single byte boolean (0 for False, 1 for True) representing whether inputs can be modified, followed by a single byte boolean representing whether outputs can be modified.02370
SIGHASH_SINGLE InputsPSBT_GLOBAL_SIGHASH_SINGLE_INPUTS = 0x07NoneNo key dataA bit vector representing which input indexes use SIGHASH_SINGLE. If the bit for an index is set to 1, then the input and output pair at that index are tied together with SIGHASH_SINGLE and must be moved together.02370
PSBT Version NumberPSBT_GLOBAL_VERSION = 0xFBNoneNo key data<32-bit uint>The 32-bit little endian unsigned integer representing the version number of this PSBT. If omitted, the version number is 0.0, 2174
Proprietary Use TypePSBT_GLOBAL_PROPRIETARY = 0xFC Compact size unsigned integer , followed by identifier prefix of that length , followed by a subtype , followed by the key data itself .Any value data as defined by the proprietary type user.0, 2174

The currently defined per-input types are defined as follows:

Name

Description

Description

Versions Requiring Inclusion

Versions Requiring Exclusion

Versions Allowing Inclusion

Parent BIP

Non-Witness UTXO

PSBT_IN_NON_WITNESS_UTXO = 0x00

None

No key data

The transaction in network serialization format the current input spends from. This should be present for inputs that spend non-segwit outputs and can be present for inputs that spend segwit outputs. An input can have both PSBT_IN_NON_WITNESS_UTXO and PSBT_IN_WITNESS_UTXO. [3]

0, 2

174

Witness UTXO

PSBT_IN_WITNESS_UTXO = 0x01

None

No key data

<64-bit int>

The entire transaction output in network serialization which the current input spends from. This should only be present for inputs which spend segwit outputs, including P2SH embedded ones. An input can have both PSBT_IN_NON_WITNESS_UTXO and PSBT_IN_WITNESS_UTXO

0, 2

174

Partial Signature

PSBT_IN_PARTIAL_SIG = 0x02

The public key which corresponds to this signature.

The signature as would be pushed to the stack from a scriptSig or witness.

0, 2

174

Sighash Type

PSBT_IN_SIGHASH_TYPE = 0x03

None

No key data

<32-bit uint>

The 32-bit unsigned integer specifying the sighash type to be used for this input. Signatures for this input must use the sighash type, finalizers must fail to finalize inputs which have signatures that do not match the specified sighash type. Signers who cannot produce signatures with the sighash type must not provide a signature.

0, 2

174

Redeem Script

PSBT_IN_REDEEM_SCRIPT = 0x04

None

No key data

The redeemScript for this input if it has one.

0, 2

174

Witness Script

PSBT_IN_WITNESS_SCRIPT = 0x05

None

No key data

The witnessScript for this input if it has one.

0, 2

174

BIP 32 Derivation Path

PSBT_IN_BIP32_DERIVATION = 0x06

The public key

<32-bit uint> <32-bit uint>*

The master key fingerprint as defined by BIP 32 concatenated with the derivation path of the public key. The derivation path is represented as 32 bit unsigned integer indexes concatenated with each other. Public keys are those that will be needed to sign this input.

0, 2

174

Finalized scriptSig

PSBT_IN_FINAL_SCRIPTSIG = 0x07

None

No key data

The Finalized scriptSig contains a fully constructed scriptSig with signatures and any other scripts necessary for the input to pass validation.

0, 2

174

Finalized scriptWitness

PSBT_IN_FINAL_SCRIPTWITNESS = 0x08

None

No key data

The Finalized scriptWitness contains a fully constructed scriptWitness with signatures and any other scripts necessary for the input to pass validation.

0, 2

174

Proof-of-reserves commitment

PSBT_IN_POR_COMMITMENT = 0x09

None

No key data

The UTF-8 encoded commitment message string for the proof-of-reserves. See BIP 127 for more information.

0, 2

127

RIPEMD160 preimage

PSBT_IN_RIPEMD160 = 0x0a

<20-byte hash>

The resulting hash of the preimage

The hash preimage, encoded as a byte vector, which must equal the key when run through the RIPEMD160 algorithm

0, 2

174

SHA256 preimage

PSBT_IN_SHA256 = 0x0b

<32-byte hash>

The resulting hash of the preimage

The hash preimage, encoded as a byte vector, which must equal the key when run through the SHA256 algorithm

0, 2

174

HASH160 preimage

PSBT_IN_HASH160 = 0x0c

<20-byte hash>

The resulting hash of the preimage

The hash preimage, encoded as a byte vector, which must equal the key when run through the SHA256 algorithm followed by the RIPEMD160 algorithm

0, 2

174

HASH256 preimage

PSBT_IN_HASH256 = 0x0d

<32-byte hash>

The resulting hash of the preimage

The hash preimage, encoded as a byte vector, which must equal the key when run through the SHA256 algorithm twice

0, 2

174

Previous TXID

PSBT_IN_PREVIOUS_TXID = 0x0e

None

No key data

32 byte txid of the previous transaction whose output at PSBT_IN_OUTPUT_INDEX is being spent.

2

0

2

370

Spent Output Index

PSBT_IN_OUTPUT_INDEX = 0x0f

None

No key data

<32-bit uint>

32 bit little endian integer representing the index of the output being spent in the transaction with the txid of PSBT_IN_PREVIOUS_TXID.

2

0

2

370

Sequence Number

PSBT_IN_SEQUENCE = 0x10

None

No key data

<32-bit uint>

The 32 bit unsigned little endian integer for the sequence number of this input. If omitted, the sequence number is assumed to be the final sequence number (0xffffffff).

0

2

370

Required Time-based Locktime

PSBT_IN_REQUIRED_TIME_LOCKTIME = 0x11

None

No key data

<32-bit uint>

32 bit unsigned little endian integer greater than or equal to 500000000 representing the minimum Unix timestamp that this input requires to be set as the transaction's lock time.

0

2

370

Required Height-based Locktime

PSBT_IN_REQUIRED_HEIGHT_LOCKTIME = 0x12

None

No key data

<32-bit uiht>

32 bit unsigned little endian integer less than 500000000 representing the minimum block height that this input requires to be set as the transaction's lock time.

0

2

370

Taproot Key Spend Signature

PSBT_IN_TAP_KEY_SIG = 0x13

None

No key data

The 64 or 65 byte Schnorr signature for key path spending a Taproot output. Finalizers should remove this field after PSBT_IN_FINAL_SCRIPTWITNESS is constructed.

0, 2

371

Taproot Script Spend Signature

PSBT_IN_TAP_SCRIPT_SIG = 0x14

A 32 byte X-only public key involved in a leaf script concatenated with the 32 byte hash of the leaf it is part of.

The 64 or 65 byte Schnorr signature for this pubkey and leaf combination. Finalizers should remove this field after PSBT_IN_FINAL_SCRIPTWITNESS is constructed.

0, 2

371

Taproot Leaf Script

PSBT_IN_TAP_LEAF_SCRIPT = 0x15

The control block for this leaf as specified in BIP 341. The control block contains the merkle tree path to this leaf.