Chain Code Delegation: Private Access Control for Bitcoin Keys

Over the past several months, a novel approach to collaborative custody named Chain Code Delegation has been developed by Jesse Posner and a colleague. This technique revolves around withholding BIP-32 chain codes while only providing scalar tweaks at the time of signing. This method enables custodians to implement policies such as spending velocity controls without needing access to an XPUB, which would otherwise give them visibility into the entire key tree of a key. Chain Code Delegation presents a significant shift from traditional methods by focusing on privacy and security through selective information sharing.

In typical multisig arrangements, the visibility of all public keys in a redeem script allows custodians to monitor transaction histories, posing privacy concerns. Solutions like using multiparty computation (MPC) or disjoint spending paths with Tapscript have been proposed, yet they fall short with ECDSA. Chain Code Delegation circumvents these limitations by enabling custodians to sign transactions without revealing the complete scope of their capabilities, as they lack access to the chain code needed for deriving child keys or observing transactions not explicitly shared with them.

The process involves the counterparty generating a chain code and computing a scalar tweak for each transaction that needs signing. The custodian then uses this tweak to sign the transaction without ever knowing the chain code, effectively limiting their knowledge and potential security vulnerabilities. This setup ensures that even if a custodian's system is compromised, the damage is confined to the transactions for which they have received scalar tweaks, significantly reducing the security risk.

Chain Code Delegation also introduces mechanisms for validating change outputs and ensuring privacy even in transactions the custodian signs. By applying BIP32 tweaks to blind Schnorr signatures, it's possible to maintain confidentiality about which transactions a custodian has signed. Additionally, the use of predicate blind signatures can enforce policies during the signing process without compromising privacy.

This approach not only enhances privacy but also significantly reduces the security risks associated with compromised custodian keys. By restricting a custodian's ability to sign only for UTXOs for which they've received scalar tweaks, it limits the attacker's window of opportunity. The methodology could be particularly beneficial in environments with large attack surfaces, such as mobile phones, by enabling users to control the scope of their keys' capabilities through selective disclosure of scalar tweaks.

For further reading, references include discussions on Private Collaborative Custody with FROST (link) and Concurrently Secure Blind Schnorr Signatures (link). These materials provide deeper insights into the technical underpinnings and potential applications of Chain Code Delegation in secure, privacy-focused collaborative custody solutions.