multi: implement BIP 341 and 342 a.k.a complete taproot and tapscript consensus verification logic #1787

Add the WitnessV1TaprootTy script class and return it from GetScriptClass / typeOfScript. Bump the btcutil dep to leverage new taproot address type.

Add taproot address handling in PayToAddrScript. Adds a test and also some missing tests for p2wsh and p2wpkh addresses.

In this commit, we implement the new BIP 341+342 taproot sighash digest computation. The digest is similar, but re-orders some fragments and also starts to commit to the input values of all the transactions in the SIGHASH_ALL case. A new implicit sighash flag, SIGHASH_DEFAULT has been added that allows signatures to always be 64-bytes for the common case. The hashcache has been updated as well to store both the v0 and v1 mid state hashes. The v0 hashes are a double-sha of the contents, while the v1 hash is a single sha. As a result, if a transaction spends both v0 and v1 inputs, then we 're able to re-use all the intermediate hashes. As the sighash computation needs the input values and scripts, we create an abstraction: the PrevOutFetcher to give the caller flexibility w.r.t how this is done. We also create a `CannedPrevOutputFetcher` that holds the information in a map for a single input. A series of function options are also added to allow re-use of the same base sig hash calculation for both BIP 341 and 342.

In this commit, we make the sigCache slightly more general in order to be able to cache both ECDSA and Schnorr signatures. The cache is now based off of byte slices (the values) rather than the direct objects. We rely on the fact that the sighash for ecdsa and the schnorr types are distinct, so we can keep using the same top-level sighash key. In the future with Go type params, we can use a type param here instead as they all have an `IsEqual` method.

…schnorr/ecdsa In this commit, we add a new signatureVerifier interface that will allow us to consolidate a lot of code as we'll now have 4 distinct sig+sighash types to verify: 1. pre-segwit 2. segwit v0 3. segwit v1 (taproot key spend) 4. tapscript spends We'll need to be able to handle 3 of the cases for the modified OP_CHECKSIG operator. This new abstraction allows us to keep the implementation of the function somewhat succinct. In this commit we implement a verifier for #3 which is needed to verify the top-level taproot keyspend. We expose the verifier using a new VerifyTaprootKeySpend function.

In this commit, we use the recently added checksig verifiers to validate signatures for pre-segwit, and segwit v0 scripts.

In this commit, we add two new functions: one for signing a raw top-level taproot keyspend, and another for generating a valid witness for a keyspend.

In this commit, we add the initial verification logic for top-level taproot keyspends. Keyspends use the base BIP 341 sighash digest and don't require any tapscript level functionality for validation.

We'll use this to examine if a script has any OP_SUCCESS op codes during pre-processing before we attempt full tapscript execution.

In this commit, we add a new struct to represent the ControlBlock structure used to feed in the tapscript leaf inclusion proof into the witness tack. The `ParseControlBlock` parses a would-be control block and returns an error if it's incorrectly formatted.

In this commit, we add a new function to verify the taproot merkle commitment of a given tapscript leaf. Along the way we add some helper functions which can be used to construct a taproot output given the raw script root.

In this commit, we add a new function `RawTxInTapscriptSignature` that will be used to generate signatures in the _tapscript_ context. Note that this differs from top-level taproot as a distinct sighash is used, and we _always_ accept a root hash to perform the proper tweak.

…sses In this commit, we add a new AssembleTaprootScriptTree function that given a list of tapscript leaves, generates a valid tapscript root, along with the auxiliary proof data needed to spend each output.

In this commit, we use the recently added control block and script tree verification+generation routines to implement full script path verification within the VM. This includes verifying the script reveal commitment, and recursing one layer deeper to execute the revealed witness script as specified by BIP 342.

…script

… position We'll need this to properly generate the sighash during tapscript validation later

In this commit, we implement the new checksig semantics as part of tapscript validation. Namely: * OP_CHECKSIGVERIFY no longer pops the OP_TRUE off the stack (TODO(roasbeef): verify)) * the new sig ops semantics are added where each sig deducts 50 from a starting budget of 50+the weight of the witness * NULLFAIL is always enforced, meaning invalid sigs MUST be an empty sig array

In this commit, we implement OP_CHECKSIGADD which replaces OP_CHECKMULTISIG* in the tapscript execution environment.

In this commit, we add a total of 2760 taproot reference tests generated by the bitcoind functional tests located at: https://github.com/bitcoin/bitcoin/blob/master/test/functional/feature_taproot.py. The tests aren't deterministic (fresh private keys are generated), so we time we go to update the set of tests, we'll end up with fresh hashes (the file name is the sha1 of the raw json test) and tests.

In this commit, we add the deployment parameters of taproot as specified in the deployment section of BIp 341: https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki#deployment. Take note of the custom activation threshold, as well as the specified min activation heights for mainnet only.

This PR includes some changes to them, so we'll need to use a temporary replace directives to ensure the build passes.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

multi: implement BIP 341 and 342 a.k.a complete taproot and tapscript consensus verification logic #1787

multi: implement BIP 341 and 342 a.k.a complete taproot and tapscript consensus verification logic #1787

Commits on Mar 16, 2022