Add TapCtx

Author: sanket1729

src/descriptor/bare.rs

@@ -339,7 +339,7 @@ impl<Pk: MiniscriptKey> DescriptorTrait<Pk> for Pkh<Pk> {
     }
 
     fn max_satisfaction_weight(&self) -> Result<usize, Error> {
-        Ok(4 * (1 + 73 + self.pk.serialized_len()))
+        Ok(4 * (1 + 73 + self.pk.serialized_len::<BareCtx>()))
     }
 
     fn script_code(&self) -> Script

src/descriptor/segwitv0.rs

@@ -430,7 +430,7 @@ impl<Pk: MiniscriptKey> DescriptorTrait<Pk> for Wpkh<Pk> {
     }
 
     fn max_satisfaction_weight(&self) -> Result<usize, Error> {
-        Ok(4 + 1 + 73 + self.pk.serialized_len())
+        Ok(4 + 1 + 73 + self.pk.serialized_len::<Segwitv0>())
     }
 
     fn script_code(&self) -> Script

src/descriptor/sortedmulti.rs

@@ -178,7 +178,11 @@ impl<Pk: MiniscriptKey, Ctx: ScriptContext> SortedMultiVec<Pk, Ctx> {
         script_num_size(self.k)
             + 1
             + script_num_size(self.pks.len())
-            + self.pks.iter().map(|pk| pk.serialized_len()).sum::<usize>()
+            + self
+                .pks
+                .iter()
+                .map(|pk| pk.serialized_len::<Ctx>())
+                .sum::<usize>()
     }
 
     /// Maximum number of witness elements used to satisfy the Miniscript

src/lib.rs

@@ -145,8 +145,10 @@ pub trait MiniscriptKey: Clone + Eq + Ord + fmt::Debug + fmt::Display + hash::Ha
 
     /// Computes the size of a public key when serialized in a script,
     /// including the length bytes
-    fn serialized_len(&self) -> usize {
-        if self.is_uncompressed() {
+    fn serialized_len<Ctx: ScriptContext>(&self) -> usize {
+        if Ctx::is_tapctx() {
+            33
+        } else if self.is_uncompressed() {
             66
         } else {
             34
@@ -183,6 +185,24 @@ pub trait ToPublicKey: MiniscriptKey {
     /// Converts an object to a public key
     fn to_public_key(&self) -> bitcoin::PublicKey;
 
+    /// Convert an object to x-only pubkey
+    fn to_x_only_pubkey(&self) -> bitcoin::schnorr::PublicKey {
+        let pk = self.to_public_key();
+        bitcoin::schnorr::PublicKey::from(pk.key)
+    }
+
+    /// Serialize the key as bytes based on script context. Used when encoding miniscript into bitcoin script
+    // / - Why do we need both [`MiniscriptKey::is_xonly()`] and [`ScriptContext::Tap`]?
+    // /   Is it possible to have
+    // Named as `serialize_bytes` instead of `serialize` because we already have many functions named serialize
+    fn serialize_bytes<Ctx: ScriptContext>(&self) -> Vec<u8> {
+        if Ctx::is_tapctx() {
+            self.to_x_only_pubkey().serialize().to_vec()
+        } else {
+            self.to_public_key().to_bytes()
+        }
+    }
+
     /// Converts a hashed version of the public key to a `hash160` hash.
     ///
     /// This method must be consistent with `to_public_key`, in the sense

src/miniscript/astelem.rs

@@ -644,7 +644,7 @@ impl<Pk: MiniscriptKey, Ctx: ScriptContext> Terminal<Pk, Ctx> {
         Pk: ToPublicKey,
     {
         match *self {
-            Terminal::PkK(ref pk) => builder.push_key(&pk.to_public_key()),
+            Terminal::PkK(ref pk) => builder.push_slice(&pk.serialize_bytes::<Ctx>()),
             Terminal::PkH(ref hash) => builder
                 .push_opcode(opcodes::all::OP_DUP)
                 .push_opcode(opcodes::all::OP_HASH160)
@@ -750,6 +750,7 @@ impl<Pk: MiniscriptKey, Ctx: ScriptContext> Terminal<Pk, Ctx> {
                     .push_opcode(opcodes::all::OP_EQUAL)
             }
             Terminal::Multi(k, ref keys) => {
+                debug_assert!(!Ctx::is_tapctx());
                 builder = builder.push_int(k as i64);
                 for pk in keys {
                     builder = builder.push_key(&pk.to_public_key());
@@ -770,7 +771,7 @@ impl<Pk: MiniscriptKey, Ctx: ScriptContext> Terminal<Pk, Ctx> {
     /// will handle the segwit/non-segwit technicalities for you.
     pub fn script_size(&self) -> usize {
         match *self {
-            Terminal::PkK(ref pk) => pk.serialized_len(),
+            Terminal::PkK(ref pk) => pk.serialized_len::<Ctx>(),
             Terminal::PkH(..) => 24,
             Terminal::After(n) => script_num_size(n as usize) + 1,
             Terminal::Older(n) => script_num_size(n as usize) + 1,
@@ -810,7 +811,10 @@ impl<Pk: MiniscriptKey, Ctx: ScriptContext> Terminal<Pk, Ctx> {
                 script_num_size(k)
                     + 1
                     + script_num_size(pks.len())
-                    + pks.iter().map(|pk| pk.serialized_len()).sum::<usize>()
+                    + pks
+                        .iter()
+                        .map(|pk| pk.serialized_len::<Ctx>())
+                        .sum::<usize>()
             }
         }
     }

src/miniscript/context.rs

@@ -14,13 +14,16 @@
 
 use std::{fmt, hash};
 
+use bitcoin::blockdata::constants::MAX_BLOCK_WEIGHT;
 use miniscript::limits::{
     MAX_OPS_PER_SCRIPT, MAX_SCRIPTSIG_SIZE, MAX_SCRIPT_ELEMENT_SIZE, MAX_SCRIPT_SIZE,
     MAX_STANDARD_P2WSH_SCRIPT_SIZE, MAX_STANDARD_P2WSH_STACK_ITEMS,
 };
 use miniscript::types;
 use util::witness_to_scriptsig;
 use Error;
+
+use super::limits::MAX_STACK_ITEM_LIMIT;
 use {Miniscript, MiniscriptKey, Terminal};
 
 /// Error for Script Context
@@ -39,6 +42,9 @@ pub enum ScriptContextError {
     /// Only Compressed keys allowed under current descriptor
     /// Segwitv0 fragments do not allow uncompressed pubkeys
     CompressedOnly,
+    /// Tapscript descriptors cannot contain uncompressed keys
+    /// Tap context can contain compressed or xonly
+    UncompressedKeysNotAllowed,
     /// At least one satisfaction path in the Miniscript fragment has more than
     /// `MAX_STANDARD_P2WSH_STACK_ITEMS` (100) witness elements.
     MaxWitnessItemssExceeded,
@@ -55,6 +61,8 @@ pub enum ScriptContextError {
     MaxScriptSigSizeExceeded,
     /// Impossible to satisfy the miniscript under the current context
     ImpossibleSatisfaction,
+    /// No Multi Node in Taproot context
+    TaprootMultiDisabled,
 }
 
 impl fmt::Display for ScriptContextError {
@@ -66,7 +74,17 @@ impl fmt::Display for ScriptContextError {
                 write!(f, "DupIf is malleable under Legacy rules")
             }
             ScriptContextError::CompressedOnly => {
-                write!(f, "Uncompressed pubkeys not allowed in segwit context")
+                write!(
+                    f,
+                    "Only Compressed pubkeys not allowed in segwit context. X-only and uncompressed keys are forbidden"
+                )
+            }
+            ScriptContextError::UncompressedKeysNotAllowed => {
+                write!(
+                    f,
+                    "Only x-only keys are allowed in tapscript checksig. \
+                    Compressed keys maybe specified in descriptor."
+                )
             }
             ScriptContextError::MaxWitnessItemssExceeded => write!(
                 f,
@@ -99,6 +117,9 @@ impl fmt::Display for ScriptContextError {
                     "Impossible to satisfy Miniscript under the current context"
                 )
             }
+            ScriptContextError::TaprootMultiDisabled => {
+                write!(f, "No Multi node in taproot context")
+            }
         }
     }
 }
@@ -243,6 +264,13 @@ pub trait ScriptContext:
         Self::top_level_type_check(ms)?;
         Self::other_top_level_checks(ms)
     }
+
+    /// Reverse lookup to store whether the context is tapscript.
+    /// pk(33-byte key) is a valid under both tapscript context and segwitv0 context
+    /// We need to context decide whether the serialize pk to 33 byte or 32 bytes.
+    fn is_tapctx() -> bool {
+        return false;
+    }
 }
 
 /// Legacy ScriptContext
@@ -353,6 +381,12 @@ impl ScriptContext for Segwitv0 {
                 }
                 Ok(())
             }
+            Terminal::Multi(_k, ref pks) => {
+                if pks.iter().any(|pk| pk.is_uncompressed()) {
+                    return Err(ScriptContextError::CompressedOnly);
+                }
+                Ok(())
+            }
             _ => Ok(()),
         }
     }
@@ -402,6 +436,97 @@ impl ScriptContext for Segwitv0 {
     }
 }
 
+/// Tap ScriptContext
+#[derive(Debug, Clone, Eq, PartialEq, Ord, PartialOrd, Hash)]
+pub enum Tap {}
+
+impl ScriptContext for Tap {
+    fn check_terminal_non_malleable<Pk: MiniscriptKey, Ctx: ScriptContext>(
+        _frag: &Terminal<Pk, Ctx>,
+    ) -> Result<(), ScriptContextError> {
+        // No fragment is malleable in tapscript context.
+        // Certain fragments like Multi are invalid, but are not malleable
+        Ok(())
+    }
+
+    fn check_witness<Pk: MiniscriptKey, Ctx: ScriptContext>(
+        witness: &[Vec<u8>],
+    ) -> Result<(), ScriptContextError> {
+        if witness.len() > MAX_STACK_ITEM_LIMIT {
+            return Err(ScriptContextError::MaxWitnessItemssExceeded);
+        }
+        Ok(())
+    }
+
+    fn check_global_consensus_validity<Pk: MiniscriptKey, Ctx: ScriptContext>(
+        ms: &Miniscript<Pk, Ctx>,
+    ) -> Result<(), ScriptContextError> {
+        // No script size checks for global consensus rules
+        // Should we really check for block limits here.
+        // When the transaction sizes get close to block limits,
+        // some guarantees are not easy to satisfy because of knapsack
+        // constraints
+        if ms.ext.pk_cost > MAX_BLOCK_WEIGHT as usize {
+            return Err(ScriptContextError::MaxWitnessScriptSizeExceeded);
+        }
+
+        match ms.node {
+            Terminal::PkK(ref pk) => {
+                if pk.is_uncompressed() {
+                    return Err(ScriptContextError::UncompressedKeysNotAllowed);
+                }
+                Ok(())
+            }
+            Terminal::Multi(..) => {
+                return Err(ScriptContextError::TaprootMultiDisabled);
+            }
+            // What happens to the Multi node in tapscript? Do we use it, create
+            // a new fragment?
+            _ => Ok(()),
+        }
+    }
+
+    fn check_local_consensus_validity<Pk: MiniscriptKey, Ctx: ScriptContext>(
+        _ms: &Miniscript<Pk, Ctx>,
+    ) -> Result<(), ScriptContextError> {
+        // Taproot introduces the concept of sigops budget.
+        // In all possible valid miniscripts satisfy the given sigops constraint
+        // Whenever we add new fragment that uses pk(pk() or multi based on checksigadd)
+        // miniscript typing rules ensure that pk when executed successfully has it's
+        // own unique signature. That is there is no way to re-use signatures for another
+        // checksig. Therefore, for each successfully executed checksig, we will have
+        // 64 bytes signature and thus sigops budget is always covered.
+        // There is overall limit of consensus
+        // TODO: track height during execution
+        Ok(())
+    }
+
+    fn check_global_policy_validity<Pk: MiniscriptKey, Ctx: ScriptContext>(
+        _ms: &Miniscript<Pk, Ctx>,
+    ) -> Result<(), ScriptContextError> {
+        // No script rules, rules are subject to entire tx rules
+        Ok(())
+    }
+
+    fn check_local_policy_validity<Pk: MiniscriptKey, Ctx: ScriptContext>(
+        _ms: &Miniscript<Pk, Ctx>,
+    ) -> Result<(), ScriptContextError> {
+        // TODO: check for policy execution.
+        Ok(())
+    }
+
+    fn max_satisfaction_size<Pk: MiniscriptKey, Ctx: ScriptContext>(
+        ms: &Miniscript<Pk, Ctx>,
+    ) -> Option<usize> {
+        // The witness stack cost is the first element of the tuple
+        ms.ext.max_sat_size.map(|x| x.0)
+    }
+
+    fn is_tapctx() -> bool {
+        true
+    }
+}
+
 /// Bare ScriptContext
 /// To be used as raw script pubkeys
 /// In general, it is not recommended to use Bare descriptors
@@ -510,13 +635,14 @@ impl ScriptContext for NoChecks {
 
 /// Private Mod to prevent downstream from implementing this public trait
 mod private {
-    use super::{BareCtx, Legacy, NoChecks, Segwitv0};
+    use super::{BareCtx, Legacy, NoChecks, Segwitv0, Tap};
 
     pub trait Sealed {}
 
     // Implement for those same types, but no others.
     impl Sealed for BareCtx {}
     impl Sealed for Legacy {}
     impl Sealed for Segwitv0 {}
+    impl Sealed for Tap {}
     impl Sealed for NoChecks {}
 }

src/miniscript/limits.rs

@@ -40,3 +40,9 @@ pub const MAX_SCRIPT_ELEMENT_SIZE: usize = 520;
 /// Maximum script sig size allowed by standardness rules
 // https://github.com/bitcoin/bitcoin/blob/42b66a6b814bca130a9ccf0a3f747cf33d628232/src/policy/policy.cpp#L102
 pub const MAX_SCRIPTSIG_SIZE: usize = 1650;
+/// Maximum items during stack execution
+// This limits also applies for initial stack satisfaction
+// TODO: Refer to online url
+pub const MAX_STACK_ITEM_LIMIT: usize = 1000;
+/** The maximum allowed weight for a block, see BIP 141 (network rule) */
+pub const MAX_BLOCK_WEIGHT: usize = 4000000;