Merge pull request #1678 from evoskuil/master

Incorporate tapleaf hash into signature hashing.

Author: evoskuil

Makefile.am

@@ -50,6 +50,7 @@ src_libbitcoin_system_la_SOURCES = \
     src/chain/point.cpp \
     src/chain/script.cpp \
     src/chain/script_extract.cpp \
+    src/chain/taproot.cpp \
     src/chain/transaction.cpp \
     src/chain/transaction_cache.cpp \
     src/chain/transaction_sighash.cpp \
@@ -234,6 +235,7 @@ test_libbitcoin_system_test_SOURCES = \
     test/chain/script.cpp \
     test/chain/script.hpp \
     test/chain/stripper.cpp \
+    test/chain/taproot.cpp \
     test/chain/transaction.cpp \
     test/chain/witness.cpp \
     test/chain/enums/opcode.cpp \
@@ -465,6 +467,7 @@ include_bitcoin_system_chain_HEADERS = \
     include/bitcoin/system/chain/prevout.hpp \
     include/bitcoin/system/chain/script.hpp \
     include/bitcoin/system/chain/stripper.hpp \
+    include/bitcoin/system/chain/taproot.hpp \
     include/bitcoin/system/chain/transaction.hpp \
     include/bitcoin/system/chain/witness.hpp
 

builds/cmake/CMakeLists.txt

@@ -491,6 +491,7 @@ add_library( ${CANONICAL_LIB_NAME}
     "../../src/chain/point.cpp"
     "../../src/chain/script.cpp"
     "../../src/chain/script_extract.cpp"
+    "../../src/chain/taproot.cpp"
     "../../src/chain/transaction.cpp"
     "../../src/chain/transaction_cache.cpp"
     "../../src/chain/transaction_sighash.cpp"
@@ -723,6 +724,7 @@ if (with-tests)
         "../../test/chain/script.cpp"
         "../../test/chain/script.hpp"
         "../../test/chain/stripper.cpp"
+        "../../test/chain/taproot.cpp"
         "../../test/chain/transaction.cpp"
         "../../test/chain/witness.cpp"
         "../../test/chain/enums/opcode.cpp"

builds/msvc/vs2022/libbitcoin-system-test/libbitcoin-system-test.vcxproj

@@ -92,6 +92,7 @@
     <ClCompile Include="..\..\..\..\test\chain\satoshi_words.cpp" />
     <ClCompile Include="..\..\..\..\test\chain\script.cpp" />
     <ClCompile Include="..\..\..\..\test\chain\stripper.cpp" />
+    <ClCompile Include="..\..\..\..\test\chain\taproot.cpp" />
     <ClCompile Include="..\..\..\..\test\chain\transaction.cpp" />
     <ClCompile Include="..\..\..\..\test\chain\witness.cpp" />
     <ClCompile Include="..\..\..\..\test\config\base16.cpp" />

builds/msvc/vs2022/libbitcoin-system-test/libbitcoin-system-test.vcxproj.filters

@@ -162,6 +162,9 @@
     <ClCompile Include="..\..\..\..\test\chain\stripper.cpp">
       <Filter>src\chain</Filter>
     </ClCompile>
+    <ClCompile Include="..\..\..\..\test\chain\taproot.cpp">
+      <Filter>src\chain</Filter>
+    </ClCompile>
     <ClCompile Include="..\..\..\..\test\chain\transaction.cpp">
       <Filter>src\chain</Filter>
     </ClCompile>

builds/msvc/vs2022/libbitcoin-system/libbitcoin-system.vcxproj

@@ -100,6 +100,7 @@
       <ObjectFileName>$(IntDir)src_chain_script.obj</ObjectFileName>
     </ClCompile>
     <ClCompile Include="..\..\..\..\src\chain\script_extract.cpp" />
+    <ClCompile Include="..\..\..\..\src\chain\taproot.cpp" />
     <ClCompile Include="..\..\..\..\src\chain\transaction.cpp">
       <ObjectFileName>$(IntDir)src_chain_transaction.obj</ObjectFileName>
     </ClCompile>
@@ -275,6 +276,7 @@
     <ClInclude Include="..\..\..\..\include\bitcoin\system\chain\prevout.hpp" />
     <ClInclude Include="..\..\..\..\include\bitcoin\system\chain\script.hpp" />
     <ClInclude Include="..\..\..\..\include\bitcoin\system\chain\stripper.hpp" />
+    <ClInclude Include="..\..\..\..\include\bitcoin\system\chain\taproot.hpp" />
     <ClInclude Include="..\..\..\..\include\bitcoin\system\chain\transaction.hpp" />
     <ClInclude Include="..\..\..\..\include\bitcoin\system\chain\witness.hpp" />
     <ClInclude Include="..\..\..\..\include\bitcoin\system\config\base16.hpp" />
@@ -366,7 +368,6 @@
     <ClInclude Include="..\..\..\..\include\bitcoin\system\hash\sha\sha512.hpp" />
     <ClInclude Include="..\..\..\..\include\bitcoin\system\hash\siphash.hpp" />
     <ClInclude Include="..\..\..\..\include\bitcoin\system\have.hpp" />
-    <ClInclude Include="..\..\..\..\include\bitcoin\system\impl\chain\transaction_patterns.ipp" />
     <ClInclude Include="..\..\..\..\include\bitcoin\system\intrinsics\arm\arm.hpp" />
     <ClInclude Include="..\..\..\..\include\bitcoin\system\intrinsics\arm\functional.hpp" />
     <ClInclude Include="..\..\..\..\include\bitcoin\system\intrinsics\arm\sha.hpp" />
@@ -532,6 +533,7 @@
     <None Include="..\..\..\..\include\bitcoin\system\impl\chain\compact.ipp" />
     <None Include="..\..\..\..\include\bitcoin\system\impl\chain\operation_patterns.ipp" />
     <None Include="..\..\..\..\include\bitcoin\system\impl\chain\script_patterns.ipp" />
+    <None Include="..\..\..\..\include\bitcoin\system\impl\chain\transaction_patterns.ipp" />
     <None Include="..\..\..\..\include\bitcoin\system\impl\chain\witness_patterns.ipp" />
     <None Include="..\..\..\..\include\bitcoin\system\impl\data\array_cast.ipp" />
     <None Include="..\..\..\..\include\bitcoin\system\impl\data\byte_cast.ipp" />
@@ -656,4 +658,4 @@
   <ItemGroup>
     <Natvis Include="..\..\debug.natvis" />
   </ItemGroup>
-</Project>
+</Project>

builds/msvc/vs2022/libbitcoin-system/libbitcoin-system.vcxproj.filters

@@ -279,6 +279,9 @@
     <ClCompile Include="..\..\..\..\src\chain\script_extract.cpp">
       <Filter>src\chain</Filter>
     </ClCompile>
+    <ClCompile Include="..\..\..\..\src\chain\taproot.cpp">
+      <Filter>src\chain</Filter>
+    </ClCompile>
     <ClCompile Include="..\..\..\..\src\chain\transaction.cpp">
       <Filter>src\chain</Filter>
     </ClCompile>
@@ -710,6 +713,9 @@
     <ClInclude Include="..\..\..\..\include\bitcoin\system\chain\stripper.hpp">
       <Filter>include\bitcoin\system\chain</Filter>
     </ClInclude>
+    <ClInclude Include="..\..\..\..\include\bitcoin\system\chain\taproot.hpp">
+      <Filter>include\bitcoin\system\chain</Filter>
+    </ClInclude>
     <ClInclude Include="..\..\..\..\include\bitcoin\system\chain\transaction.hpp">
       <Filter>include\bitcoin\system\chain</Filter>
     </ClInclude>
@@ -1460,9 +1466,6 @@
     <ClInclude Include="..\..\resource.h">
       <Filter>resource</Filter>
     </ClInclude>
-    <ClInclude Include="..\..\..\..\include\bitcoin\system\impl\chain\transaction_patterns.ipp">
-      <Filter>include\bitcoin\system\impl\chain</Filter>
-    </ClInclude>
   </ItemGroup>
   <ItemGroup>
     <None Include="..\..\..\..\include\bitcoin\system\impl\chain\annex.ipp">
@@ -1477,6 +1480,9 @@
     <None Include="..\..\..\..\include\bitcoin\system\impl\chain\script_patterns.ipp">
       <Filter>include\bitcoin\system\impl\chain</Filter>
     </None>
+    <None Include="..\..\..\..\include\bitcoin\system\impl\chain\transaction_patterns.ipp">
+      <Filter>include\bitcoin\system\impl\chain</Filter>
+    </None>
     <None Include="..\..\..\..\include\bitcoin\system\impl\chain\witness_patterns.ipp">
       <Filter>include\bitcoin\system\impl\chain</Filter>
     </None>
@@ -1748,4 +1754,4 @@
       <Filter>resource</Filter>
     </ResourceCompile>
   </ItemGroup>
-</Project>
+</Project>

include/bitcoin/system.hpp

@@ -47,6 +47,7 @@
 #include <bitcoin/system/chain/prevout.hpp>
 #include <bitcoin/system/chain/script.hpp>
 #include <bitcoin/system/chain/stripper.hpp>
+#include <bitcoin/system/chain/taproot.hpp>
 #include <bitcoin/system/chain/transaction.hpp>
 #include <bitcoin/system/chain/witness.hpp>
 #include <bitcoin/system/chain/enums/coverage.hpp>

include/bitcoin/system/chain/chain.hpp

@@ -45,6 +45,7 @@
 #include <bitcoin/system/chain/prevout.hpp>
 #include <bitcoin/system/chain/script.hpp>
 #include <bitcoin/system/chain/stripper.hpp>
+#include <bitcoin/system/chain/taproot.hpp>
 #include <bitcoin/system/chain/transaction.hpp>
 #include <bitcoin/system/chain/witness.hpp>
 

include/bitcoin/system/chain/enums/magic_numbers.hpp

@@ -90,8 +90,8 @@ constexpr uint8_t witness_enabled = 0x01;
 constexpr size_t signature_cost = 50;
 constexpr size_t taproot_max_keys = 128;
 constexpr uint8_t taproot_annex_prefix = 0x50;
-constexpr uint8_t tapleaf_tapscript = 0b1100'0000; // 0xc0
-constexpr uint8_t tapleaf_root_mask = 0b1111'1110; // 0xfe
+constexpr uint8_t tapscript_mask = 0b1111'1110; // 0xfe
+constexpr uint8_t tapscript_version = 0b1100'0000; // 0xc0
 
 /// Policy constants.
 /// ---------------------------------------------------------------------------

include/bitcoin/system/chain/taproot.hpp

@@ -0,0 +1,68 @@
+/**
+ * Copyright (c) 2011-2025 libbitcoin developers (see AUTHORS)
+ *
+ * This file is part of libbitcoin.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+#ifndef LIBBITCOIN_SYSTEM_CHAIN_TAPROOT_HPP
+#define LIBBITCOIN_SYSTEM_CHAIN_TAPROOT_HPP
+
+#include <bitcoin/system/chain/script.hpp>
+#include <bitcoin/system/crypto/crypto.hpp>
+#include <bitcoin/system/data/data.hpp>
+#include <bitcoin/system/define.hpp>
+#include <bitcoin/system/hash/hash.hpp>
+
+namespace libbitcoin {
+namespace system {
+namespace chain {
+
+class BC_API taproot
+{
+public:
+    struct tap
+    {
+        INLINE operator bool() const NOEXCEPT
+        {
+            return version == tapscript_version;
+        }
+
+        uint8_t version;
+        bool parity;
+    };
+
+    static tap parse(const data_chunk& control) NOEXCEPT;
+    static bool is_valid_control_block(const data_chunk& control) NOEXCEPT;
+    static hash_digest leaf_hash(uint8_t version,
+        const script& script) NOEXCEPT;
+
+    static bool verify_commitment(const data_chunk& control,
+        const data_chunk& program, const hash_digest& hash,
+        bool parity) NOEXCEPT;
+
+protected:
+    static hash_digest merkle_root(const data_chunk& control,
+        const hash_digest& tapleaf_hash) NOEXCEPT;
+    static hash_digest branch_hash(const hash_digest& left,
+        const hash_digest& right) NOEXCEPT;
+    static hash_digest tweak_hash(const ec_xonly& key,
+        const hash_digest& merkle) NOEXCEPT;
+};
+} // namespace chain
+} // namespace system
+} // namespace libbitcoin
+
+
+#endif

include/bitcoin/system/chain/transaction.hpp

@@ -142,8 +142,9 @@ class BC_API transaction
 
     /// signature_hash exposed for op_check_multisig caching.
     bool signature_hash(hash_digest& out, const input_iterator& input,
-        const script& sub, uint64_t value, uint8_t sighash_flags,
-        script_version version, bool bip143, bool bip341) const NOEXCEPT;
+        const script& subscript, uint64_t value, const hash_cptr& tapleaf,
+        script_version version, uint8_t sighash_flags,
+        uint32_t flags) const NOEXCEPT;
 
     /// Not used internally.
     bool check_signature(const ec_signature& signature,
@@ -319,7 +320,7 @@ class BC_API transaction
         const script& subscript, uint64_t value,
         uint8_t sighash_flags) const NOEXCEPT;
     bool version1_sighash(hash_digest& out, const input_iterator& input,
-        const script& script, uint64_t value,
+        const script& script, uint64_t value, const hash_cptr& tapleaf,
         uint8_t sighash_flags) const NOEXCEPT;
 
     // ------------------------------------------------------------------------

include/bitcoin/system/chain/witness.hpp

@@ -126,6 +126,8 @@ class BC_API witness
     /// Script for witness validation.
     code extract_script(script::cptr& out_script, chunk_cptrs_ptr& out_stack,
         const script& program_script) const NOEXCEPT;
+    code extract_script(hash_cptr& out_leaf, script::cptr& out_script,
+        chunk_cptrs_ptr& out_stack, const script& program_script) const NOEXCEPT;
 
 protected:
     witness(chunk_cptrs&& stack, bool valid) NOEXCEPT;

include/bitcoin/system/funclets.hpp

@@ -19,6 +19,7 @@
 #ifndef LIBBITCOIN_SYSTEM_FUNCLETS_HPP
 #define LIBBITCOIN_SYSTEM_FUNCLETS_HPP
 
+#include <memory>
 #include <type_traits>
 #include <bitcoin/system/literals.hpp>
 
@@ -164,6 +165,13 @@ constexpr bool to_bool(Type value) noexcept
     return is_nonzero(value);
 }
 
+template <typename Type>
+constexpr bool as_bool(const std::shared_ptr<Type>& ptr) noexcept
+{
+    // Use as_bool(ptr) because shared_ptr bool overload is explicit.
+    return ptr.operator bool();
+}
+
 template <typename Enum>
 constexpr auto to_value(Enum value) noexcept
 {

include/bitcoin/system/impl/chain/annex.ipp

@@ -57,7 +57,7 @@ inline const data_chunk& annex::empty_annex() NOEXCEPT
 
 inline annex::operator bool() const NOEXCEPT
 {
-    return data_.operator bool();
+    return as_bool(data_);
 }
 
 inline size_t annex::size() const NOEXCEPT

include/bitcoin/system/impl/machine/interpreter_connect.ipp

@@ -188,15 +188,14 @@ code CLASS::connect_witness(const chain::context& state,
             if (!bip341 || embedded)
                 return error::script_success;
 
+            hash_cptr tapleaf{};
             script::cptr script;
             chunk_cptrs_ptr stack;
-
-            // TODO: extract tapleaf_hash, nullable.
-            if ((ec = input.witness().extract_script(script, stack, prevout)))
+            if ((ec = input.witness().extract_script(tapleaf, script, stack,
+                prevout)))
                 return ec;
 
-            // TODO: pass tapleaf_hash in last parameter, nullable.
-            interpreter program(tx, it, script, flags, version, stack, {});
+            interpreter program(tx, it, script, flags, version, stack, tapleaf);
 
             // TODO: capture tapleaf_hash in program construct and use to
             // TODO: obtain both tapscript boolean and tapleaf_hash values.

include/bitcoin/system/impl/machine/program_construct.ipp

@@ -106,22 +106,24 @@ program(const transaction& tx, const input_iterator& input,
 }
 
 // Taproot script run (witness-initialized stack).
-// Same as segwit but with with budget and unstripped bip342 flag.
+// Same as segwit but with tapleaf, budget, and unstripped bip342 flag.
 // Sigop budget is 50 plus size of prefixed serialized witness [bip342].
 // Budget is initialized add1(50) to make it zero-based, avoiding signed type.
 // This program is never used to construct another, so masked flags_ never mix.
 TEMPLATE
 inline CLASS::
 program(const transaction& tx, const input_iterator& input,
     const script::cptr& script, uint32_t active_flags,
-    script_version version, const chunk_cptrs_ptr& witness, bool) NOEXCEPT
+    script_version version, const chunk_cptrs_ptr& witness,
+    const hash_cptr& tapleaf) NOEXCEPT
   : transaction_(tx),
     input_(input),
     script_(script),
     flags_(active_flags),
     value_((*input)->prevout->value()),
     version_(version),
     witness_(witness),
+    tapleaf_(tapleaf),
     primary_(projection<Stack>(*witness)),
     budget_(ceilinged_add(
         add1(chain::signature_cost),

include/bitcoin/system/impl/machine/program_sign.ipp

@@ -214,13 +214,8 @@ INLINE bool CLASS::
 signature_hash(hash_digest& out, const script& subscript,
     uint8_t sighash_flags) const NOEXCEPT
 {
-    // bip143: the method of signature hashing is changed for v0 scripts.
-    // bip342: the method of signature hashing is changed for v1 scripts.
-    const auto bip143 = is_enabled(flags::bip143_rule);
-    const auto bip342 = is_enabled(flags::bip342_rule);
-
     return transaction_.signature_hash(out, input_, subscript, value_,
-        sighash_flags, version_, bip143, bip342);
+        tapleaf_, version_, sighash_flags, flags_);
 }
 
 // Multisig signature hash caching.