Implement Taproot Sighash

src/bench/verify_script.cpp

@@ -68,6 +68,7 @@ static void VerifyScriptBench(benchmark::Bench& bench)
  CDataStream streamVal(SER_NETWORK, PROTOCOL_VERSION);
  streamVal << txCredit.vout[0].nValue;
  int csuccess = bitcoinconsensus_verify_script_with_amount(
+ NULL,
  txCredit.vout[0].scriptPubKey.data(),
  txCredit.vout[0].scriptPubKey.size(),
  (const unsigned char*)&streamVal[0], streamVal.size(),

src/chainparams.h

@@ -97,7 +97,8 @@ class CChainParams
  const CCheckpointData& Checkpoints() const { return checkpointData; }
  const ChainTxData& TxData() const { return chainTxData; }
  // ELEMENTS extra fields:
- const uint256 ParentGenesisBlockHash() const { return parentGenesisBlockHash; }
+ const uint256& ParentGenesisBlockHash() const { return parentGenesisBlockHash; }
+ const uint256& HashGenesisBlock() const { return consensus.hashGenesisBlock; }
  bool anyonecanspend_aremine;
  const std::string& ParentBech32HRP() const { return parent_bech32_hrp; }
  const std::string& ParentBlech32HRP() const { return parent_blech32_hrp; }

src/script/bitcoinconsensus.cpp

@@ -8,6 +8,7 @@
 #include <primitives/transaction.h>
 #include <pubkey.h>
 #include <script/interpreter.h>
+#include <streams.h>
 #include <version.h>
 
 namespace {
@@ -76,7 +77,8 @@ static bool verify_flags(unsigned int flags)
  return (flags & ~(bitcoinconsensus_SCRIPT_FLAGS_VERIFY_ALL)) == 0;
 }
 
-static int verify_script(const unsigned char *scriptPubKey, unsigned int scriptPubKeyLen, CConfidentialValue amount,
+static int verify_script(const unsigned char *hash_genesis_block,
+ const unsigned char *scriptPubKey, unsigned int scriptPubKeyLen, CConfidentialValue amount,
  const unsigned char *txTo , unsigned int txToLen,
  unsigned int nIn, unsigned int flags, bitcoinconsensus_error* err)
 {
@@ -94,15 +96,18 @@ static int verify_script(const unsigned char *scriptPubKey, unsigned int scriptP
  // Regardless of the verification result, the tx did not error.
  set_error(err, bitcoinconsensus_ERR_OK);
 
- PrecomputedTransactionData txdata(tx);
+ auto hash_genesis_block_ = hash_genesis_block ? uint256{hash_genesis_block, 32} : uint256{};
+ PrecomputedTransactionData txdata(hash_genesis_block_);
+ txdata.Init(tx, {});
  const CScriptWitness* pScriptWitness = (tx.witness.vtxinwit.size() > nIn ? &tx.witness.vtxinwit[nIn].scriptWitness : NULL);
  return VerifyScript(tx.vin[nIn].scriptSig, CScript(scriptPubKey, scriptPubKey + scriptPubKeyLen), pScriptWitness, flags, TransactionSignatureChecker(&tx, nIn, amount, txdata), NULL);
  } catch (const std::exception&) {
  return set_error(err, bitcoinconsensus_ERR_TX_DESERIALIZE); // Error deserializing
  }
 }
 
-int bitcoinconsensus_verify_script_with_amount(const unsigned char *scriptPubKey, unsigned int scriptPubKeyLen,
+int bitcoinconsensus_verify_script_with_amount(const unsigned char *hash_genesis_block,
+ const unsigned char *scriptPubKey, unsigned int scriptPubKeyLen,
  const unsigned char *amount, unsigned int amountLen,
  const unsigned char *txTo , unsigned int txToLen,
  unsigned int nIn, unsigned int flags, bitcoinconsensus_error* err)
@@ -112,14 +117,15 @@ int bitcoinconsensus_verify_script_with_amount(const unsigned char *scriptPubKey
  CConfidentialValue am;
  stream >> am;
 
- return ::verify_script(scriptPubKey, scriptPubKeyLen, am, txTo, txToLen, nIn, flags, err);
+ return ::verify_script(hash_genesis_block, scriptPubKey, scriptPubKeyLen, am, txTo, txToLen, nIn, flags, err);
  } catch (const std::exception&) {
  return set_error(err, bitcoinconsensus_ERR_TX_DESERIALIZE); // Error deserializing
  }
 }
 
 
-int bitcoinconsensus_verify_script(const unsigned char *scriptPubKey, unsigned int scriptPubKeyLen,
+int bitcoinconsensus_verify_script(const unsigned char *hash_genesis_block,
+ const unsigned char *scriptPubKey, unsigned int scriptPubKeyLen,
  const unsigned char *txTo , unsigned int txToLen,
  unsigned int nIn, unsigned int flags, bitcoinconsensus_error* err)
 {
@@ -128,7 +134,7 @@ int bitcoinconsensus_verify_script(const unsigned char *scriptPubKey, unsigned i
  }
 
  CConfidentialValue am(0);
- return ::verify_script(scriptPubKey, scriptPubKeyLen, am, txTo, txToLen, nIn, flags, err);
+ return ::verify_script(hash_genesis_block, scriptPubKey, scriptPubKeyLen, am, txTo, txToLen, nIn, flags, err);
 }
 
 unsigned int bitcoinconsensus_version()

src/script/bitcoinconsensus.h

@@ -64,11 +64,13 @@ enum
 /// txTo correctly spends the scriptPubKey pointed to by scriptPubKey under
 /// the additional constraints specified by flags.
 /// If not nullptr, err will contain an error/success code for the operation
-EXPORT_SYMBOL int bitcoinconsensus_verify_script(const unsigned char *scriptPubKey, unsigned int scriptPubKeyLen,
+EXPORT_SYMBOL int bitcoinconsensus_verify_script(const unsigned char *hash_genesis_block,
+ const unsigned char *scriptPubKey, unsigned int scriptPubKeyLen,
  const unsigned char *txTo , unsigned int txToLen,
  unsigned int nIn, unsigned int flags, bitcoinconsensus_error* err);
 
-EXPORT_SYMBOL int bitcoinconsensus_verify_script_with_amount(const unsigned char *scriptPubKey, unsigned int scriptPubKeyLen,
+EXPORT_SYMBOL int bitcoinconsensus_verify_script_with_amount(const unsigned char *hash_genesis_block,
+ const unsigned char *scriptPubKey, unsigned int scriptPubKeyLen,
  const unsigned char *amount, unsigned int amountLen,
  const unsigned char *txTo , unsigned int txToLen,
  unsigned int nIn, unsigned int flags, bitcoinconsensus_error* err);

src/script/interpreter.cpp

@@ -1757,6 +1757,17 @@ class CTransactionSignatureSerializer
  }
 };
 
+/** Compute the (single) SHA256 of the concatenation of all outpoint flags of a tx. */
+template <class T>
+uint256 GetOutpointFlagsSHA256(const T& txTo)
+{
+ CHashWriter ss(SER_GETHASH, 0);
+ for (const auto& txin : txTo.vin) {
+ ss << (unsigned char) ((!txin.assetIssuance.IsNull() << 7) + (txin.m_is_pegin << 6));
+ }
+ return ss.GetSHA256();
+}
+
 /** Compute the (single) SHA256 of the concatenation of all prevouts of a tx. */
 template <class T>
 uint256 GetPrevoutsSHA256(const T& txTo)
@@ -1779,7 +1790,8 @@ uint256 GetSequencesSHA256(const T& txTo)
  return ss.GetSHA256();
 }
 
-/** Compute the (single) SHA256 of the concatenation of all txouts of a tx. */
+/** Compute the (single) SHA256 of the concatenation of all issuances of a tx. */
+// Used for segwitv0/taproot sighash calculation
 template <class T>
 uint256 GetIssuanceSHA256(const T& txTo)
 {
@@ -1793,6 +1805,34 @@ uint256 GetIssuanceSHA256(const T& txTo)
  return ss.GetSHA256();
 }
 
+/** Compute the (single) SHA256 of the concatenation of all output witnesses
+ * (rangeproof and surjection proof) in `CTxWitness`*/
+// Used in taphash calculation
+template <class T>
+uint256 GetOutputWitnessesSHA256(const T& txTo)
+{
+ CHashWriter ss(SER_GETHASH, 0);
+ for (const auto& outwit : txTo.witness.vtxoutwit) {
+ ss << outwit;
+ }
+ return ss.GetSHA256();
+}
+
+/** Compute the (single) SHA256 of the concatenation of all input issuance witnesses
+ * (vchIssuanceAmountRangeproof and vchInflationKeysRangeproof proof) in `CTxInWitness`*/
+// Used in taphash calculation
+template <class T>
+uint256 GetIssuanceRangeproofsSHA256(const T& txTo)
+{
+ CHashWriter ss(SER_GETHASH, 0);
+ for (const auto& inwit : txTo.witness.vtxinwit) {
+ ss << inwit.vchIssuanceAmountRangeproof;
+ ss << inwit.vchInflationKeysRangeproof;
+ }
+ return ss.GetSHA256();
+}
+
+// Compute a (single) SHA256 of the concatenation of all outputs
 template <class T>
 uint256 GetOutputsSHA256(const T& txTo)
 {
@@ -1803,11 +1843,13 @@ uint256 GetOutputsSHA256(const T& txTo)
  return ss.GetSHA256();
 }
 
-/** Compute the (single) SHA256 of the concatenation of all amounts spent by a tx. */
-uint256 GetSpentAmountsSHA256(const std::vector<CTxOut>& outputs_spent)
+/** Compute the (single) SHA256 of the concatenation of all asset and amounts commitments spent by a tx. */
+// Elements TapHash only
+uint256 GetSpentAssetsAmountsSHA256(const std::vector<CTxOut>& outputs_spent)
 {
  CHashWriter ss(SER_GETHASH, 0);
  for (const auto& txout : outputs_spent) {
+ ss << txout.nAsset;
  ss << txout.nValue;
  }
  return ss.GetSHA256();
@@ -1878,24 +1920,29 @@ void PrecomputedTransactionData::Init(const T& txTo, std::vector<CTxOut>&& spent
  m_prevouts_single_hash = GetPrevoutsSHA256(txTo);
  m_sequences_single_hash = GetSequencesSHA256(txTo);
  m_outputs_single_hash = GetOutputsSHA256(txTo);
+ m_issuances_single_hash = GetIssuanceSHA256(txTo);
  }
  if (uses_bip143_segwit) {
  hashPrevouts = SHA256Uint256(m_prevouts_single_hash);
  hashSequence = SHA256Uint256(m_sequences_single_hash);
- hashIssuance = SHA256Uint256(GetIssuanceSHA256(txTo));
+ hashIssuance = SHA256Uint256(m_issuances_single_hash);
  hashOutputs = SHA256Uint256(m_outputs_single_hash);
  hashRangeproofs = GetRangeproofsHash(txTo);
  m_bip143_segwit_ready = true;
  }
  if (uses_bip341_taproot) {
- m_spent_amounts_single_hash = GetSpentAmountsSHA256(m_spent_outputs);
+ m_outpoints_flag_single_hash = GetOutpointFlagsSHA256(txTo);
+ m_spent_asset_amounts_single_hash = GetSpentAssetsAmountsSHA256(m_spent_outputs);
+ m_issuance_rangeproofs_single_hash = GetIssuanceRangeproofsSHA256(txTo);
+ m_output_witnesses_single_hash = GetOutputWitnessesSHA256(txTo);
  m_spent_scripts_single_hash = GetSpentScriptsSHA256(m_spent_outputs);
  m_bip341_taproot_ready = true;
  }
 }
 
 template <class T>
 PrecomputedTransactionData::PrecomputedTransactionData(const T& txTo)
+ : PrecomputedTransactionData(uint256{})
 {
  Init(txTo, {});
 }
@@ -1906,10 +1953,14 @@ template void PrecomputedTransactionData::Init(const CMutableTransaction& txTo,
 template PrecomputedTransactionData::PrecomputedTransactionData(const CTransaction& txTo);
 template PrecomputedTransactionData::PrecomputedTransactionData(const CMutableTransaction& txTo);
 
-static const CHashWriter HASHER_TAPSIGHASH = TaggedHash("TapSighash");
-static const CHashWriter HASHER_TAPLEAF = TaggedHash("TapLeaf");
-static const CHashWriter HASHER_TAPBRANCH = TaggedHash("TapBranch");
-static const CHashWriter HASHER_TAPTWEAK = TaggedHash("TapTweak");
+
+static const CHashWriter HASHER_TAPLEAF_ELEMENTS = TaggedHash("TapLeaf/elements");
+static const CHashWriter HASHER_TAPBRANCH_ELEMENTS = TaggedHash("TapBranch/elements");
+static const CHashWriter HASHER_TAPTWEAK_ELEMENTS = TaggedHash("TapTweak/elements");
+static const CHashWriter HASHER_TAPSIGHASH_ELEMENTS = TaggedHash("TapSighash/elements");
+
+PrecomputedTransactionData::PrecomputedTransactionData(const uint256& hash_genesis_block)
+ : m_tapsighash_hasher(CHashWriter(HASHER_TAPSIGHASH_ELEMENTS) << hash_genesis_block << hash_genesis_block) {}
 
 template<typename T>
 bool SignatureHashSchnorr(uint256& hash_out, const ScriptExecutionData& execdata, const T& tx_to, uint32_t in_pos, uint8_t hash_type, SigVersion sigversion, const PrecomputedTransactionData& cache)
@@ -1934,11 +1985,11 @@ bool SignatureHashSchnorr(uint256& hash_out, const ScriptExecutionData& execdata
  assert(in_pos < tx_to.vin.size());
  assert(cache.m_bip341_taproot_ready && cache.m_spent_outputs_ready);
 
- CHashWriter ss = HASHER_TAPSIGHASH;
+ CHashWriter ss = cache.m_tapsighash_hasher;
 
- // Epoch
- static constexpr uint8_t EPOCH = 0;
- ss << EPOCH;
+ // no epoch in elements taphash
+ // static constexpr uint8_t EPOCH = 0;
+ // ss << EPOCH;
 
  // Hash type
  const uint8_t output_type = (hash_type == SIGHASH_DEFAULT) ? SIGHASH_ALL : (hash_type & SIGHASH_OUTPUT_MASK); // Default (no sighash byte) is equivalent to SIGHASH_ALL
@@ -1950,37 +2001,56 @@ bool SignatureHashSchnorr(uint256& hash_out, const ScriptExecutionData& execdata
  ss << tx_to.nVersion;
  ss << tx_to.nLockTime;
  if (input_type != SIGHASH_ANYONECANPAY) {
+ ss << cache.m_outpoints_flag_single_hash;
  ss << cache.m_prevouts_single_hash;
- ss << cache.m_spent_amounts_single_hash;
+ ss << cache.m_spent_asset_amounts_single_hash;
  ss << cache.m_spent_scripts_single_hash;
  ss << cache.m_sequences_single_hash;
+ ss << cache.m_issuances_single_hash;
+ ss << cache.m_issuance_rangeproofs_single_hash;
  }
  if (output_type == SIGHASH_ALL) {
  ss << cache.m_outputs_single_hash;
+ ss << cache.m_output_witnesses_single_hash;
  }
-
  // Data about the input/prevout being spent
  assert(execdata.m_annex_init);
  const bool have_annex = execdata.m_annex_present;
  const uint8_t spend_type = (ext_flag << 1) + (have_annex ? 1 : 0); // The low bit indicates whether an annex is present.
  ss << spend_type;
  if (input_type == SIGHASH_ANYONECANPAY) {
+ ss << (unsigned char) ((!tx_to.vin[in_pos].assetIssuance.IsNull() << 7) + (tx_to.vin[in_pos].m_is_pegin << 6));
  ss << tx_to.vin[in_pos].prevout;
- ss << cache.m_spent_outputs[in_pos];
+ ss << cache.m_spent_outputs[in_pos].nAsset;
+ ss << cache.m_spent_outputs[in_pos].nValue;
+ ss << cache.m_spent_outputs[in_pos].scriptPubKey;
  ss << tx_to.vin[in_pos].nSequence;
+ if (tx_to.vin[in_pos].assetIssuance.IsNull()) {
+ ss << (unsigned char)0;
+ } else {
+ ss << tx_to.vin[in_pos].assetIssuance;
+
+ CHashWriter sha_single_input_issuance_witness(SER_GETHASH, 0);
+ sha_single_input_issuance_witness << tx_to.witness.vtxinwit[in_pos].vchIssuanceAmountRangeproof;
+ sha_single_input_issuance_witness << tx_to.witness.vtxinwit[in_pos].vchInflationKeysRangeproof;
+ ss << sha_single_input_issuance_witness.GetSHA256();
+ }
  } else {
  ss << in_pos;
  }
  if (have_annex) {
  ss << execdata.m_annex_hash;
  }
-
  // Data about the output (if only one).
  if (output_type == SIGHASH_SINGLE) {
  if (in_pos >= tx_to.vout.size()) return false;
  CHashWriter sha_single_output(SER_GETHASH, 0);
  sha_single_output << tx_to.vout[in_pos];
  ss << sha_single_output.GetSHA256();
+
+ CHashWriter sha_single_output_witness(SER_GETHASH, 0);
+ sha_single_output_witness << tx_to.witness.vtxoutwit[in_pos];
+ ss << sha_single_output_witness.GetSHA256();
  }
 
  // Additional data for BIP 342 signatures
@@ -2297,10 +2367,10 @@ static bool VerifyTaprootCommitment(const std::vector<unsigned char>& control, c
  const int path_len = (control.size() - TAPROOT_CONTROL_BASE_SIZE) / TAPROOT_CONTROL_NODE_SIZE;
  const XOnlyPubKey p{uint256(std::vector<unsigned char>(control.begin() + 1, control.begin() + TAPROOT_CONTROL_BASE_SIZE))};
  const XOnlyPubKey q{uint256(program)};
- tapleaf_hash = (CHashWriter(HASHER_TAPLEAF) << uint8_t(control[0] & TAPROOT_LEAF_MASK) << script).GetSHA256();
+ tapleaf_hash = (CHashWriter(HASHER_TAPLEAF_ELEMENTS) << uint8_t(control[0] & TAPROOT_LEAF_MASK) << script).GetSHA256();
  uint256 k = tapleaf_hash;
  for (int i = 0; i < path_len; ++i) {
- CHashWriter ss_branch{HASHER_TAPBRANCH};
+ CHashWriter ss_branch = CHashWriter{HASHER_TAPBRANCH_ELEMENTS};
  Span<const unsigned char> node(control.data() + TAPROOT_CONTROL_BASE_SIZE + TAPROOT_CONTROL_NODE_SIZE * i, TAPROOT_CONTROL_NODE_SIZE);
  if (std::lexicographical_compare(k.begin(), k.end(), node.begin(), node.end())) {
  ss_branch << k << node;
@@ -2309,7 +2379,7 @@ static bool VerifyTaprootCommitment(const std::vector<unsigned char>& control, c
  }
  k = ss_branch.GetSHA256();
  }
- k = (CHashWriter(HASHER_TAPTWEAK) << MakeSpan(p) << k).GetSHA256();
+ k = (CHashWriter(HASHER_TAPTWEAK_ELEMENTS) << MakeSpan(p) << k).GetSHA256();
  return q.CheckPayToContract(p, k, control[0] & 1);
 }
 

src/script/interpreter.h

@@ -6,6 +6,7 @@
 #ifndef BITCOIN_SCRIPT_INTERPRETER_H
 #define BITCOIN_SCRIPT_INTERPRETER_H
 
+#include <hash.h>
 #include <script/script_error.h>
 #include <span.h>
 #include <primitives/transaction.h>
@@ -166,19 +167,29 @@ struct PrecomputedTransactionData
  uint256 m_outputs_single_hash;
  uint256 m_spent_amounts_single_hash;
  uint256 m_spent_scripts_single_hash;
- //! Whether the 5 fields above are initialized.
+ // Elements
+ uint256 m_outpoints_flag_single_hash;
+ uint256 m_spent_asset_amounts_single_hash;
+ uint256 m_issuances_single_hash;
+ uint256 m_output_witnesses_single_hash;
+ uint256 m_issuance_rangeproofs_single_hash;
+ //! Whether the 10 fields above are initialized.
  bool m_bip341_taproot_ready = false;
 
  // BIP143 precomputed data (double-SHA256).
  uint256 hashPrevouts, hashSequence, hashOutputs, hashIssuance, hashRangeproofs;
- //! Whether the 3 fields above are initialized.
+ //! Whether the 5 fields above are initialized.
  bool m_bip143_segwit_ready = false;
 
  std::vector<CTxOut> m_spent_outputs;
  //! Whether m_spent_outputs is initialized.
  bool m_spent_outputs_ready = false;
 
- PrecomputedTransactionData() = default;
+ //! ELEMENTS: parent genesis hash
+ CHashWriter m_tapsighash_hasher;
+
+ explicit PrecomputedTransactionData(const uint256& hash_genesis_block);
+ explicit PrecomputedTransactionData() : PrecomputedTransactionData(uint256{}) {}
 
  template <class T>
  void Init(const T& tx, std::vector<CTxOut>&& spent_outputs);

src/script/script.cpp

@@ -411,8 +411,10 @@ bool GetScriptOp(CScriptBase::const_iterator& pc, CScriptBase::const_iterator en
 
 bool IsOpSuccess(const opcodetype& opcode)
 {
- return opcode == 80 || opcode == 98 || (opcode >= 126 && opcode <= 129) ||
- (opcode >= 131 && opcode <= 134) || (opcode >= 137 && opcode <= 138) ||
- (opcode >= 141 && opcode <= 142) || (opcode >= 149 && opcode <= 153) ||
- (opcode >= 187 && opcode <= 254);
+ // ELEMENTS: Don't mark opcodes (OP_CAT, OP_SUBSTR, OP_LEFT, OP_RIGHT) as OP_SUCCESS
+ return opcode == 80 || opcode == 98 || (opcode >= 137 && opcode <= 138) ||
+ // ELEMENTS: Don't mark OP_INVERT , OP_AND, OP_OR, OP_XOR. OP_LSHIFT, OP_RSHIFT as success
+ (opcode >= 141 && opcode <= 142) || (opcode >= 149 && opcode <= 151) ||
+ // ELEMENTS: Exclude OP_DETERMINISTICRANDOM, OP_CHECKSIGFROMSTACK(VERIFY), OP_SUBSTRLAZY
+ (opcode >= 187 && opcode <= 191) || (opcode >= 196 && opcode <= 254);
 }