|
| 1 | +# Overview: Multiparty transaction construction in honest peer threat model |
| 2 | + |
| 3 | +The following is a concrete description of the honest multiparty transaction construction protocol. To understand why certain choices design were made, it is recommended to read the [overview document](./00_overview.md) first. |
| 4 | + |
| 5 | +## Motivation |
| 6 | + |
| 7 | +This protocol is best understood as a collaborative transaction construction protocol for mutually trusting parties. Its purpose is to let participants jointly build a transaction with potentially better privacy properties and cost savings than a unilateral construction. |
| 8 | + |
| 9 | +## Trust Model |
| 10 | + |
| 11 | +* Liveness: peers are expected to follow the protocol flow and remain reachable long enough for protocol messages to eventually disseminate and for participants to converge. Some deployments may use timeout-based progress under partial synchrony, while others may rely on eventual delivery without strict timing guarantees. |
| 12 | + |
| 13 | +* Privacy: peers are trusted not to leak or retain their sensitive observations learned during the protocol, including timing, message ordering, and transport metadata (for example IP-layer linkability data) beyond what is needed to complete the session. |
| 14 | + |
| 15 | +Importantly, fund safety does not depend on peer honesty. Each participant signs only a transaction they locally validate and accept under `SIGHASH_ALL`. Therefore, malformed or economically unacceptable constructions are treated as liveness failures, not fund-loss safety failures. |
| 16 | + |
| 17 | +## Roles |
| 18 | + |
| 19 | +### Initiator and Responder |
| 20 | + |
| 21 | +The Initiator signals willingness to batch to their counterparty over an authenticated bidirectional channel. In this document, signaling `mppj=1` via BIP21 is treated as one practical bootstrap example, not a normative long-term mechanism. Either BIP-77 receiver or sender may be the Initiator. |
| 22 | + |
| 23 | +For multiparty deployments, the preferred direction is richer payment instructions that can support post-quantum HPKE choices, sender-initiated interactions, and long-lived/reusable authenticated channels. |
| 24 | +// TODO: elaborate more on payment instructions |
| 25 | + |
| 26 | +The Responder is the counterparty who receives this signal. If a peer does not support the chosen multiparty signaling mechanism, it falls back to standard BIP77 behavior. If it does support the mechanism, it waits for a session to be created. |
| 27 | + |
| 28 | +Two timeouts govern the phase of the whole protocol: |
| 29 | + |
| 30 | +* `T_intent`: the absolute expiration time After which if no session is created within `T_intent`, both parties must fall back to standard BIP77 over their existing bidirectional channel. Since the intent can be delivered over an async. channel this is an absolute expiration not a relative duration. |
| 31 | +* `T_session`: the duration of the multiparty session itself, after which the session is considered expired. |
| 32 | + |
| 33 | +`T_session` is defined by the `SessionCreator` while `T_intent` is defined by the `Initiator`. |
| 34 | + |
| 35 | +// TODO: specify a concrete signaling/payment-instructions format once requirements for PQ HPKE, sender initiation, and reusable authenticated channels are finalized |
| 36 | + |
| 37 | +### SessionCreator |
| 38 | + |
| 39 | +Either an `Initiator` or a `Responder` may create the session. The party that does so is the `SessionCreator`. |
| 40 | +The `SessionCreator` is responsible to creating session parameters (defined below), bootstrapping the transport mechanism and disseminating session information to the rest of the peers to the best of their capabilities. `SessionCreator` holds no special authority once the session is live. They simply become a participant. |
| 41 | + |
| 42 | +### Participant |
| 43 | + |
| 44 | +Once a party joins a session they become a `Participant`. All participants share the same obligations as outlined below in the phases section. |
| 45 | + |
| 46 | +### Diagrams |
| 47 | + |
| 48 | +Single receiver, two senders. Receiver is `Initiator` for both senders and becomes the `SessionCreator`. |
| 49 | + |
| 50 | +```mermaid |
| 51 | +sequenceDiagram |
| 52 | + participant R as Receiver (Initiator) |
| 53 | + participant S1 as Sender 1 (Responder) |
| 54 | + participant S2 as Sender 2 (Responder) |
| 55 | +
|
| 56 | + R->>S1: BIP21 URI (mppj=1) |
| 57 | + R->>S2: BIP21 URI (mppj=1) |
| 58 | +
|
| 59 | + R->>S1: session invitation (s, session params) |
| 60 | + R->>S2: session invitation (s, session params) |
| 61 | +``` |
| 62 | + |
| 63 | +Sender 1 is the `Initiator` to the receiver who is an `Initiator` to sender 2. The receiver at time 3 becomes the `SessionCreator`. |
| 64 | + |
| 65 | +```mermaid |
| 66 | +sequenceDiagram |
| 67 | + participant S1 as Sender 1 (Initiator) |
| 68 | + participant R as Receiver (Responder / Initiator / SessionCreator) |
| 69 | + participant S2 as Sender 2 (Responder) |
| 70 | +
|
| 71 | + S1->>R: BIP21 URI (mppj=1) |
| 72 | + R->>S2: BIP21 URI (mppj=1) |
| 73 | +
|
| 74 | + R->>S1: session invitation (s, session params) |
| 75 | + R->>S2: session invitation (s, session params) |
| 76 | +``` |
| 77 | + |
| 78 | +## Session Parameters |
| 79 | + |
| 80 | +The `SessionCreator` fixes the following parameters before the session opens. All participants must verify that the final transaction conforms to the relevant parameters before signing. Size limit cannot be enforced. The `SessionCreator` only knows their immediate neighborhood of peers but those peers may invite others. |
| 81 | + |
| 82 | +* **Global transaction fields**: `nVersion`, `locktype` (time or height based) |
| 83 | +* **Feerate**: each participant contributes fees proportional to the weight of their inputs and outputs |
| 84 | +* **Input constraints**: `nSequence` |
| 85 | +* **Timeout**: `T_session` |
| 86 | + |
| 87 | +## PSBT CRDT |
| 88 | + |
| 89 | +### Join Semantics |
| 90 | + |
| 91 | +Participants learn transaction fragments in arbitrary order and accumulate them as they arrive. In the honest setting there are no conflicting writes: global fields are fixed by the session parameters and each participant controls disjoint inputs and outputs. Any two valid fragments can therefore be always merged. |
| 92 | + |
| 93 | +For this document, `balance` means the running value equation over the accumulated transaction view: |
| 94 | + |
| 95 | +`balance = sum(inputs) - sum(outputs) - sum(pseudo outputs)` |
| 96 | + |
| 97 | +If the accumulated transaction does not balance, or any fragment violates the session parameters, a participant can refuse to sign and abandon the session. |
| 98 | + |
| 99 | +For more information please refere to the [draft BIP](https://github.com/payjoin/multiparty-protocol-docs/pull/6) |
| 100 | + |
| 101 | +## Communication model |
| 102 | + |
| 103 | +The protocol assumes an abstract session-scoped broadcast channel for disseminating PSBT fragments. |
| 104 | + |
| 105 | +**Required channel properties:** |
| 106 | + |
| 107 | +All participants can publish protocol messages to the same session channel, with messages authenticated and kept confidential within the participant set. Each participant is able to read and merge messages from all others into their own local transaction view. While message delivery may be delayed or received out of order, the protocol ensures eventual dissemination and reconciliation of all messages within the session window `T_session` if all parties behave honestly. |
| 108 | + |
| 109 | +In this honest setting, a separate agreement protocol is not required for the success path. Gossip dissemination plus deterministic transaction construction is sufficient: if participants receive the same valid fragments, they converge to the same unsigned transaction. Any temporary view differences are primarily a liveness concern. |
| 110 | + |
| 111 | +Candidate instantiations include [Iroh documents](https://docs.iroh.computer/protocols/documents), [MDK](https://github.com/marmot-protocol/mdk), or a shared append-only mailbox like a [BIP-77 Directory](https://github.com/bitcoin/bips/blob/master/bip-0077.md). These are examples, not normative requirements. |
| 112 | + |
| 113 | +This setting does not require transport-layer metadata privacy as a protocol requirement. Participants are already mutually trusted with privacy in the honest model, including trust not to retain or misuse linkability information learned during the session. As a result, unlike the semi-honest setting, the protocol does not depend on anonymous transport primitives to maintain the intended privacy properties within the participant set. |
| 114 | + |
| 115 | +Note that encryption alone does not prevent traffic analysis, so an external passive adversary, and in particular a global passive adversary, may be able to infer the use of this protocol, potentially correlate its use to a transaction broadcast and even attribute particular inputs and outputs to the specific participants based on metadata such as message sizes. |
| 116 | + |
| 117 | +### Message Delivery |
| 118 | + |
| 119 | +The channel must provide reliable delivery at the session level: every valid protocol message must eventually be delivered to every participant within `T_session`, so all honest participants converge on the same message set before signing. |
| 120 | + |
| 121 | +Different instantiations can satisfy this in different ways. Unordered gossip-style channels may use set reconciliation. The protocol specifies only the delivery/convergence property, not the mechanism. |
| 122 | + |
| 123 | +### Network Partitions |
| 124 | + |
| 125 | +Network disruptions can partition the broadcast channel. If a partition occurs before session creation, each component can treat its activity as an independent session. |
| 126 | + |
| 127 | +The critical failure case is a partition during an active session. Disconnected components can each converge to a locally balanced transaction and sign independently. In arbitrary transaction construction, one partition may temporarily over-declare outputs while waiting for missing inputs, or abort and restart after timeout. If value flows happen to balance differently across components, one partition may finalize while another stalls, and a sender can pay an unintended receiver. This is a safety failure. |
| 128 | + |
| 129 | +A global consensus protocol over the inputs set could prevent this class of error, but the honest setting does not assume a pre-established participant set or PKI needed to bootstrap that mechanism. |
| 130 | + |
| 131 | +Before signing, each sender must receive explicit confirmation from all of its receivers of the PSBT’s unique ID (defined in the [draft BIP](https://github.com/payjoin/multiparty-protocol-docs/pull/6/)) which commits to the complete output set and verify that every confirmed ID matches the one computed locally. |
| 132 | + |
| 133 | +In a cyclic payment graph, such as Alice pays Bob, Bob pays Carol, and Carol pays Alice, net-positive receivers can initiate safely and break the dependency cycle. Senders sign only after every receiver has confirmed the PSBT unique ID. Once all net-positive receivers confirm, the protocol can treat all funds as fully accounted for. |
| 134 | + |
| 135 | +Any confirmation mismatch indicates that at least one party still lacks the complete message set. If a receiver discovers an additional input or output after confirming, that receiver must issue new confirmations for the updated unique ID that commits to the new data. If a sender discovers an additional input or output, the sender derives the updated unique ID and resumes only when it matches every receiver confirmation. |
| 136 | + |
| 137 | +## Protocol Phases |
| 138 | + |
| 139 | +Inputs and outputs can be sent in any order. Ordering semantics must be defined a priori. |
| 140 | + |
| 141 | +All messages are raw binary encoded PSBT fragments. |
| 142 | + |
| 143 | +### Input Registration |
| 144 | + |
| 145 | +Each participant submits the transaction inputs they control. Inputs must be posted as independent messages. |
| 146 | +Global passive observers should not be able to determine which inputs originate from the same party. |
| 147 | + |
| 148 | +### Psuedo Outputs |
| 149 | + |
| 150 | +A pseudo output is an declaration of fee contribution above the session-mandated minimum. It participates in the balance equation like a real output but does not appear in the final transaction. Participants must post a pseudo output only when their intended fee contribution exceeds what the session parameters require. Peers must be careful to exclude such outputs from size and fee calculations. And exclude them from the final serialized transaction to sign. |
| 151 | + |
| 152 | +### Output Registration |
| 153 | + |
| 154 | +Both output and pseudo output messages must carry a unique identifier to prevent double accounting. E.g a peer may read an output message multiple times. Since `TxOut`'s are not uniquely indentifiable that peer would have no ability to de-duplicate. |
| 155 | + |
| 156 | +To signal their intent to back out of the session, a participant can deliberately post outputs that exceed their input contribution, causing the transaction balance to overflow. This action makes the balance equation unsatisfiable and prompts all other participants to refuse to sign. |
| 157 | + |
| 158 | +When the `balance` reaches zero and receiver confirmations are received, every participant can independently verify the transaction is balanced and proceed to witness provision. |
| 159 | + |
| 160 | +This honest variant does not require an explicit Ready-to-Sign declaration on the success path. With pseudo-output accounting, readiness is implicit once participants converge on the same message set and each participant has contributed at least one input before final output/pseudo-output closure. |
| 161 | + |
| 162 | +### Witness provision |
| 163 | + |
| 164 | +Participants provide [finalized](https://github.com/bitcoin/bips/blob/master/bip-0174.mediawiki#user-content-Input_Finalizer) witnesses for the inputs they control. Once all witnesses are available, any participant can serve as the [BIP-174 combiner role](https://github.com/bitcoin/bips/blob/master/bip-0174.mediawiki#user-content-Combiner), assemble the fully signed transaction and broadcast it to the Bitcoin network. |
| 165 | + |
| 166 | +## Silent Payments |
| 167 | + |
| 168 | +To support Silent Payments, the recipient broadcasts its [BIP 352 scan public key](https://github.com/bitcoin/bips/blob/master/bip-0352.mediawiki) as a independent message. Each participant derives the Silent Payment `scriptPubKey` from the shared transaction inputs and recipient scan public key. When the input set changes, all participants recompute the Silent Payment output before signing. |
0 commit comments