BIP352: PSBT support

Gotcha! I had read this as “fail if ACP was used on outputs that are not your own.”

I think “If a sighash type is provided, the signer must check that the sighash is acceptable. If unacceptable, they must fail” is sufficient, perhaps with a footnote that explains what unacceptable is for a silent payments transaction?

In the case of multiple signers where each signer has multiple inputs, this would require the signer to compute the ECDH shares individually (vs. summing up the private keys and then doing the ECDH step). If we imagine something like a coinjoin, this could recreate the problem of “I have 10 inputs, so now I need to do ~30 ECC mults.” Another alternative would be:

  • Global proof if the signer owns all inputs
  • Proof per group of inputs (proof is duplicated on each input)

In the case where each signer owns their own input, this would be the same as @achow101's proposal. This does add more data to the PSBT in the form of duplicate proofs in the case of multiple signers signing for multiple inputs, but that seems better to me than requiring the signers to do more CPU-intensive work. That being said, I’m not sure which is better. If a signer has low compute power, doing 30 ECC mults can be annoying. On the flip side, if the signer has low memory and we want to require a signer to verify proofs on each input before signing, the inline proofs for each input seem better.
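The cost trade-off in the comment above (one ECDH per input vs. summing the private keys first) rests on the linearity of scalar multiplication: Σ(a_i · B_scan) equals (Σ a_i) · B_scan. The following is an added illustration, not code from the BIP352 PR or the Bitcoin Core project; it uses a minimal secp256k1 implementation written for this example, counts the scalar multiplications each strategy needs, and checks that both give the same shared point. It deliberately omits the extra scalars BIP352 applies on top of this (the input hash and the taproot key negation), and the key values are constructed, not real keys.

```python
# secp256k1 parameters (public curve constants)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

# Affine point addition; None represents the point at infinity.
def point_add(p1, p2):
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)

# Double-and-add scalar multiplication; this is the expensive "ECC mult".
def scalar_mult(k, point):
    k %= N
    result = None
    addend = point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result

# Strategy 1: one ECDH share per input, then add the resulting points.
# Returns (shared_point, number_of_scalar_mults).
def ecdh_per_input(input_privkeys, B_scan):
    shared = None
    for a_i in input_privkeys:
        shared = point_add(shared, scalar_mult(a_i, B_scan))
    return shared, len(input_privkeys)

# Strategy 2: sum the private keys mod N first, then do a single ECDH.
# Returns (shared_point, number_of_scalar_mults).
def ecdh_summed(input_privkeys, B_scan):
    a_sum = sum(input_privkeys) % N
    return scalar_mult(a_sum, B_scan), 1

# Convenience wrapper: run both strategies and report whether they agree.
def compare_strategies(input_privkeys, b_scan):
    B_scan = scalar_mult(b_scan, G)      # recipient's scan pubkey
    per_input, mults_per_input = ecdh_per_input(input_privkeys, B_scan)
    summed, mults_summed = ecdh_summed(input_privkeys, B_scan)
    return {
        "same_point": per_input == summed,
        "mults_per_input": mults_per_input,
        "mults_summed": mults_summed,
    }

if __name__ == "__main__":
    # Constructed demo values (not real keys): a signer with 10 inputs.
    demo_privkeys = [0x1000 + 7 * i for i in range(1, 11)]
    print(compare_strategies(demo_privkeys, 0xB5CA0))
```

The point for the multi-signer case discussed above: a signer that owns several inputs can sum only its own keys and do a single multiplication for its group, which is what the "proof per group of inputs" variant allows, whereas requiring per-input shares forces one multiplication per input regardless of who owns what.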