Hacking on taproot, work in progress

Author: bbrtj

lib/Bitcoin/Crypto/Constants.pm

@@ -31,6 +31,7 @@ use constant {
 	locktime_height_threshold => 500_000_000,
 	max_sequence_no => 0xffffffff,
 
+	sighash_default => 0x00,
 	sighash_all => 0x01,
 	sighash_none => 0x02,
 	sighash_single => 0x03,
@@ -44,6 +45,9 @@ use constant {
 	psbt_global_map => 'global',
 	psbt_input_map => 'in',
 	psbt_output_map => 'out',
+
+	signing_algorithm_ecdsa => 'ecdsa',
+	signing_algorithm_schnorr => 'schnorr',
 };
 
 # These constants are environment-specific and internal only

lib/Bitcoin/Crypto/Exception.pm

@@ -143,6 +143,13 @@ sub as_string
 	use parent -norequire, 'Bitcoin::Crypto::Exception';
 }
 
+{
+
+	package Bitcoin::Crypto::Exception::KeyConvert;
+
+	use parent -norequire, 'Bitcoin::Crypto::Exception';
+}
+
 {
 
 	package Bitcoin::Crypto::Exception::MnemonicGenerate;

lib/Bitcoin/Crypto/Key/Public.pm

@@ -13,7 +13,7 @@ use Bitcoin::Crypto::Base58 qw(encode_base58check);
 use Bitcoin::Crypto::Bech32 qw(encode_segwit);
 use Bitcoin::Crypto::Types -types;
 use Bitcoin::Crypto::Constants;
-use Bitcoin::Crypto::Util qw(hash160 get_public_key_compressed tagged_hash);
+use Bitcoin::Crypto::Util qw(hash160 get_public_key_compressed);
 use Bitcoin::Crypto::Helpers qw(ecc);
 
 use namespace::clean;
@@ -25,51 +25,8 @@ has extended 'key_instance' => (
 	predicate => 1,
 );
 
-has field 'taproot_key_instance' => (
-	isa => ByteStr,
-	lazy => 1,
-	writer => -hidden,
-	predicate => 1,
-);
-
 sub _is_private { 0 }
 
-sub _validate_key
-{
-	my ($self) = @_;
-	if ($self->has_key_instance) {
-		$self->SUPER::_validate_key;
-	}
-	elsif (!$self->has_taproot_key_instance) {
-		Bitcoin::Crypto::Exception::KeyCreate->raise(
-			'public key must have either regular or taproot key data'
-		);
-	}
-}
-
-sub _build_taproot_key_instance
-{
-	my ($self) = @_;
-
-	return ecc->xonly_public_key($self->raw_key('public_compressed'));
-}
-
-signature_for raw_key => (
-	method => Object,
-	positional => [Maybe [Enum [qw(public public_compressed public_taproot)]], {default => undef}],
-);
-
-sub raw_key
-{
-	my ($self, $type) = @_;
-
-	if ($type && $type eq 'public_taproot') {
-		return $self->taproot_key_instance;
-	}
-
-	return $self->SUPER::raw_key($type);
-}
-
 signature_for get_hash => (
 	method => Object,
 	positional => [],
@@ -118,11 +75,7 @@ sub witness_program
 			return shift->get_hash;
 		},
 		(Bitcoin::Crypto::Constants::taproot_witness_version) => sub {
-			my $self = shift;
-			my $internal = $self->raw_key('public_taproot');
-			my $tweaked = tagged_hash($internal, 'TapTweak');
-			my $combined = ecc->combine_public_keys(ecc->create_public_key($tweaked), "\x02" . $internal);
-			return ecc->xonly_public_key($combined);
+			return shift->taproot_tweaked_key('public');
 		},
 	};
 
@@ -441,6 +394,8 @@ L<Bitcoin::Crypto::Exception> namespace:
 
 =item * KeyCreate - key couldn't be created correctly
 
+=item * KeyConvert - taproot key couldn't be converted to ecc key
+
 =item * Verify - couldn't verify the message correctly
 
 =item * NetworkConfig - incomplete or corrupted network configuration

lib/Bitcoin/Crypto/Role/Key.pm

@@ -8,7 +8,7 @@ use Types::Common -sigs, -types;
 
 use Bitcoin::Crypto::Types -types;
 use Bitcoin::Crypto::Constants;
-use Bitcoin::Crypto::Util qw(get_key_type);
+use Bitcoin::Crypto::Util qw(get_key_type tagged_hash);
 use Bitcoin::Crypto::Helpers qw(ensure_length ecc);
 use Bitcoin::Crypto::Exception;
 
@@ -73,7 +73,7 @@ sub has_purpose
 
 signature_for raw_key => (
 	method => Object,
-	positional => [Maybe [Enum [qw(private public public_compressed)]], {default => undef}],
+	positional => [Maybe [Enum [qw(private public public_compressed public_xonly)]], {default => undef}],
 );
 
 # helpers for raw_key
@@ -99,6 +99,7 @@ sub raw_key
 {
 	my ($self, $type) = @_;
 	my $is_private = $self->_is_private;
+	my $key = $self->key_instance;
 
 	$type //= $is_private ? 'private' : 'public';
 	if ($type eq 'public' && (!$self->does('Bitcoin::Crypto::Role::Compressed') || $self->compressed)) {
@@ -110,17 +111,52 @@ sub raw_key
 			'cannot create private key from a public key'
 		) unless $is_private;
 
-		return $self->__full_private($self->key_instance);
+		return $self->__full_private($key);
+	}
+	elsif ($type eq 'public_xonly') {
+		$key = $self->__private_to_public($key)
+			if $is_private;
+
+		return ecc->xonly_public_key($self->__public_compressed($key, 1));
 	}
 	else {
-		my $key = $self->key_instance;
 		$key = $self->__private_to_public($key)
 			if $is_private;
 
 		return $self->__public_compressed($key, $type eq 'public_compressed');
 	}
+}
+
+signature_for taproot_tweaked_key => (
+	method => Object,
+	head => [Maybe [Enum [qw(private public)]], {default => undef}],
+	named => [
+		tweak_suffix => Maybe [ByteStr],
+		{default => undef},
+	],
+	bless => !!0,
+);
 
-	# no need to check for invalid input, since we have a signature with enum
+sub taproot_tweaked_key
+{
+	my ($self, $type, $args) = @_;
+	$type //= $self->_is_private ? 'private' : 'public';
+
+	if ($type eq 'private') {
+		my $internal = $self->raw_key('private');
+		my $internal_public = ecc->create_public_key($internal);
+		$internal = ecc->negate_private_key($internal)
+			if substr($internal_public, 0, 1) eq "\x03";
+
+		my $tweak = tagged_hash(ecc->xonly_public_key($internal_public) . ($args->{tweak_suffix} // ''), 'TapTweak');
+		return ecc->add_private_key($internal, $tweak);
+	}
+	else {
+		my $internal = $self->raw_key('public_xonly');
+		my $tweak = tagged_hash($internal . ($args->{tweak_suffix} // ''), 'TapTweak');
+		my $combined = ecc->combine_public_keys(ecc->create_public_key($tweak), "\x02" . $internal);
+		return ecc->xonly_public_key($combined);
+	}
 }
 
 1;

lib/Bitcoin/Crypto/Role/SignVerify.pm

@@ -8,8 +8,10 @@ use Types::Common -sigs, -types;
 
 use Bitcoin::Crypto::Types -types;
 use Bitcoin::Crypto::Helpers qw(carp_once ecc);
-use Bitcoin::Crypto::Util qw(hash256);
+use Bitcoin::Crypto::Util qw(hash256 tagged_hash);
+use Crypt::Digest::SHA256 qw(sha256);
 use Bitcoin::Crypto::Transaction::Sign;
+use Bitcoin::Crypto::Constants;
 use Moo::Role;
 
 requires qw(
@@ -19,22 +21,48 @@ requires qw(
 
 signature_for sign_message => (
 	method => Object,
-	positional => [ByteStr],
+	head => [ByteStr],
+	named => [
+		algorithm => SignatureAlgorithm,
+		{default => Bitcoin::Crypto::Constants::signing_algorithm_ecdsa},
+		taproot_tweak_suffix => Maybe [ByteStr],
+		{default => undef},
+	],
+	bless => !!0,
 );
 
 sub sign_message
 {
-	my ($self, $preimage) = @_;
+	my ($self, $preimage, $args) = @_;
 
 	Bitcoin::Crypto::Exception::Sign->raise(
 		'cannot sign a message with a public key'
 	) unless $self->_is_private;
 
-	my $digest = hash256($preimage);
+	my %algorithms = (
+		(Bitcoin::Crypto::Constants::signing_algorithm_ecdsa) => {
+			digest => \&hash256,
+			signing_method => sub { ecc->sign_digest(@_) },
+			raw_key => sub { $self->raw_key },
+		},
+		(Bitcoin::Crypto::Constants::signing_algorithm_schnorr) => {
+			digest => sub { tagged_hash(shift, 'TapSighash') },
+			signing_method => sub { ecc->sign_digest_schnorr(@_) },
+			raw_key => sub {
+				$self->taproot_tweaked_key(
+					'private',
+					tweak_suffix => $args->{taproot_tweak_suffix}
+				);
+			},
+		},
+	);
+
+	my $key = $algorithms{$args->{algorithm}}{raw_key}->();
+	my $digest = $algorithms{$args->{algorithm}}{digest}->($preimage);
 
 	return Bitcoin::Crypto::Exception::Sign->trap_into(
 		sub {
-			return ecc->sign_digest($self->raw_key, $digest);
+			return $algorithms{$args->{algorithm}}{signing_method}->($key, $digest);
 		}
 	);
 }

lib/Bitcoin/Crypto/Script.pm

@@ -465,13 +465,25 @@ signature_for is_native_segwit => (
 sub is_native_segwit
 {
 	my ($self) = @_;
-	my @segwit_types = qw(P2WPKH P2WSH);
+	my @segwit_types = qw(P2WPKH P2WSH P2TR);
 
 	my $script_type = $self->type // '';
 
 	return any { $script_type eq $_ } @segwit_types;
 }
 
+signature_for is_taproot => (
+	method => Object,
+	positional => [],
+);
+
+sub is_taproot
+{
+	my ($self) = @_;
+
+	return ($self->type // '') eq 'P2TR';
+}
+
 sub get_script
 {
 	my ($self) = @_;
@@ -641,12 +653,12 @@ sub get_address
 		return encode_segwit($self->network->segwit_hrp, $version . $address);
 	};
 
-	if ($self->is_native_segwit) {
-		my $version = pack 'C', Bitcoin::Crypto::Constants::segwit_witness_version;
+	if ($self->type eq 'P2TR') {
+		my $version = pack 'C', Bitcoin::Crypto::Constants::taproot_witness_version;
 		return $segwit->($version, $address);
 	}
-	elsif ($self->type eq 'P2TR') {
-		my $version = pack 'C', Bitcoin::Crypto::Constants::taproot_witness_version;
+	elsif ($self->is_native_segwit) {
+		my $version = pack 'C', Bitcoin::Crypto::Constants::segwit_witness_version;
 		return $segwit->($version, $address);
 	}
 	elsif ($self->type eq 'P2PKH') {

lib/Bitcoin/Crypto/Script/Common.pm

@@ -42,6 +42,15 @@ sub _make_WSH
 		->add('OP_EQUAL');
 }
 
+#sub _make_P2TR
+#{
+#	my ($class, $script, $pubkey) = @_;
+#
+#	return $script
+#		->push($pubkey)
+#		->add('OP_CHECKSIG');
+#}
+
 sub _get_method
 {
 	my ($class, $type) = @_;

lib/Bitcoin/Crypto/Transaction.pm

@@ -253,9 +253,21 @@ sub get_digest
 {
 	my ($self, $params) = @_;
 
+	return $self->get_digest_object($params)->get_digest;
+}
+
+signature_for get_digest_object => (
+	method => Object,
+	positional => [HashRef, {slurpy => !!1}],
+);
+
+sub get_digest_object
+{
+	my ($self, $params) = @_;
+
 	$params->{transaction} = $self;
 	my $digest = Bitcoin::Crypto::Transaction::Digest->new($params);
-	return $digest->get_digest;
+	return $digest;
 }
 
 signature_for fee => (
@@ -771,6 +783,14 @@ The sighash which should be used for the digest. By default C<SIGHASH_ALL>.
 
 =back
 
+=head3 get_digest_object
+
+	$digest_object = $object->get_digest_object(%params)
+
+Same as L</get_digest>, but returns an object of
+L<Bitcoin::Crypto::Transaction::Digest> instead of a bytestring. Advanced use
+only.
+
 =head3 fee
 
 	$fee = $object->fee()