Add TapCtx

Author: sanket1729

CHANGELOG.md

@@ -1,3 +1,5 @@
+# Taproot updates
+- Changed the ToPublicKey trait to support x-only keys.
 # 6.0.1 - Aug 5, 2021
 
 - The `lift` method on a Miniscript node was fixed. It would previously mix up

src/descriptor/bare.rs

@@ -339,7 +339,7 @@ impl<Pk: MiniscriptKey> DescriptorTrait<Pk> for Pkh<Pk> {
     }
 
     fn max_satisfaction_weight(&self) -> Result<usize, Error> {
-        Ok(4 * (1 + 73 + self.pk.serialized_len()))
+        Ok(4 * (1 + 73 + BareCtx::pk_len(&self.pk)))
     }
 
     fn script_code(&self) -> Script

src/descriptor/segwitv0.rs

@@ -430,7 +430,7 @@ impl<Pk: MiniscriptKey> DescriptorTrait<Pk> for Wpkh<Pk> {
     }
 
     fn max_satisfaction_weight(&self) -> Result<usize, Error> {
-        Ok(4 + 1 + 73 + self.pk.serialized_len())
+        Ok(4 + 1 + 73 + Segwitv0::pk_len(&self.pk))
     }
 
     fn script_code(&self) -> Script

src/descriptor/sortedmulti.rs

@@ -178,7 +178,7 @@ impl<Pk: MiniscriptKey, Ctx: ScriptContext> SortedMultiVec<Pk, Ctx> {
         script_num_size(self.k)
             + 1
             + script_num_size(self.pks.len())
-            + self.pks.iter().map(|pk| pk.serialized_len()).sum::<usize>()
+            + self.pks.iter().map(|pk| Ctx::pk_len(pk)).sum::<usize>()
     }
 
     /// Maximum number of witness elements used to satisfy the Miniscript

src/lib.rs

@@ -141,16 +141,6 @@ pub trait MiniscriptKey: Clone + Eq + Ord + fmt::Debug + fmt::Display + hash::Ha
 
     /// Converts an object to PublicHash
     fn to_pubkeyhash(&self) -> Self::Hash;
-
-    /// Computes the size of a public key when serialized in a script,
-    /// including the length bytes
-    fn serialized_len(&self) -> usize {
-        if self.is_uncompressed() {
-            66
-        } else {
-            34
-        }
-    }
 }
 
 impl MiniscriptKey for bitcoin::PublicKey {
@@ -182,6 +172,21 @@ pub trait ToPublicKey: MiniscriptKey {
     /// Converts an object to a public key
     fn to_public_key(&self) -> bitcoin::PublicKey;
 
+    /// Convert an object to x-only pubkey
+    fn to_x_only_pubkey(&self) -> bitcoin::schnorr::PublicKey {
+        let pk = self.to_public_key();
+        bitcoin::schnorr::PublicKey::from(pk.key)
+    }
+
+    /// Serialize the key as bytes based on script context. Used when encoding miniscript into bitcoin script
+    fn push_to_builder<Ctx: ScriptContext>(&self, builder: script::Builder) -> script::Builder {
+        if Ctx::is_tapctx() {
+            builder.push_slice(&self.to_x_only_pubkey().serialize())
+        } else {
+            builder.push_slice(&self.to_public_key().to_bytes())
+        }
+    }
+
     /// Converts a hashed version of the public key to a `hash160` hash.
     ///
     /// This method must be consistent with `to_public_key`, in the sense

src/miniscript/astelem.rs

@@ -644,7 +644,7 @@ impl<Pk: MiniscriptKey, Ctx: ScriptContext> Terminal<Pk, Ctx> {
         Pk: ToPublicKey,
     {
         match *self {
-            Terminal::PkK(ref pk) => builder.push_key(&pk.to_public_key()),
+            Terminal::PkK(ref pk) => pk.push_to_builder::<Ctx>(builder),
             Terminal::PkH(ref hash) => builder
                 .push_opcode(opcodes::all::OP_DUP)
                 .push_opcode(opcodes::all::OP_HASH160)
@@ -750,6 +750,7 @@ impl<Pk: MiniscriptKey, Ctx: ScriptContext> Terminal<Pk, Ctx> {
                     .push_opcode(opcodes::all::OP_EQUAL)
             }
             Terminal::Multi(k, ref keys) => {
+                debug_assert!(!Ctx::is_tapctx());
                 builder = builder.push_int(k as i64);
                 for pk in keys {
                     builder = builder.push_key(&pk.to_public_key());
@@ -770,7 +771,7 @@ impl<Pk: MiniscriptKey, Ctx: ScriptContext> Terminal<Pk, Ctx> {
     /// will handle the segwit/non-segwit technicalities for you.
     pub fn script_size(&self) -> usize {
         match *self {
-            Terminal::PkK(ref pk) => pk.serialized_len(),
+            Terminal::PkK(ref pk) => Ctx::pk_len(pk),
             Terminal::PkH(..) => 24,
             Terminal::After(n) => script_num_size(n as usize) + 1,
             Terminal::Older(n) => script_num_size(n as usize) + 1,
@@ -810,7 +811,7 @@ impl<Pk: MiniscriptKey, Ctx: ScriptContext> Terminal<Pk, Ctx> {
                 script_num_size(k)
                     + 1
                     + script_num_size(pks.len())
-                    + pks.iter().map(|pk| pk.serialized_len()).sum::<usize>()
+                    + pks.iter().map(|pk| Ctx::pk_len(pk)).sum::<usize>()
             }
         }
     }

src/miniscript/context.rs

@@ -14,13 +14,15 @@
 
 use std::{fmt, hash};
 
+use bitcoin::blockdata::constants::MAX_BLOCK_WEIGHT;
 use miniscript::limits::{
     MAX_OPS_PER_SCRIPT, MAX_SCRIPTSIG_SIZE, MAX_SCRIPT_ELEMENT_SIZE, MAX_SCRIPT_SIZE,
-    MAX_STANDARD_P2WSH_SCRIPT_SIZE, MAX_STANDARD_P2WSH_STACK_ITEMS,
+    MAX_STACK_SIZE, MAX_STANDARD_P2WSH_SCRIPT_SIZE, MAX_STANDARD_P2WSH_STACK_ITEMS,
 };
 use miniscript::types;
 use util::witness_to_scriptsig;
 use Error;
+
 use {Miniscript, MiniscriptKey, Terminal};
 
 /// Error for Script Context
@@ -39,6 +41,9 @@ pub enum ScriptContextError {
     /// Only Compressed keys allowed under current descriptor
     /// Segwitv0 fragments do not allow uncompressed pubkeys
     CompressedOnly,
+    /// Tapscript descriptors cannot contain uncompressed keys
+    /// Tap context can contain compressed or xonly
+    UncompressedKeysNotAllowed,
     /// At least one satisfaction path in the Miniscript fragment has more than
     /// `MAX_STANDARD_P2WSH_STACK_ITEMS` (100) witness elements.
     MaxWitnessItemssExceeded,
@@ -55,6 +60,8 @@ pub enum ScriptContextError {
     MaxScriptSigSizeExceeded,
     /// Impossible to satisfy the miniscript under the current context
     ImpossibleSatisfaction,
+    /// No Multi Node in Taproot context
+    TaprootMultiDisabled,
 }
 
 impl fmt::Display for ScriptContextError {
@@ -66,7 +73,17 @@ impl fmt::Display for ScriptContextError {
                 write!(f, "DupIf is malleable under Legacy rules")
             }
             ScriptContextError::CompressedOnly => {
-                write!(f, "Uncompressed pubkeys not allowed in segwit context")
+                write!(
+                    f,
+                    "Only Compressed pubkeys not allowed in segwit context. X-only and uncompressed keys are forbidden"
+                )
+            }
+            ScriptContextError::UncompressedKeysNotAllowed => {
+                write!(
+                    f,
+                    "Only x-only keys are allowed in tapscript checksig. \
+                    Compressed keys maybe specified in descriptor."
+                )
             }
             ScriptContextError::MaxWitnessItemssExceeded => write!(
                 f,
@@ -99,6 +116,9 @@ impl fmt::Display for ScriptContextError {
                     "Impossible to satisfy Miniscript under the current context"
                 )
             }
+            ScriptContextError::TaprootMultiDisabled => {
+                write!(f, "No Multi node in taproot context")
+            }
         }
     }
 }
@@ -243,6 +263,19 @@ pub trait ScriptContext:
         Self::top_level_type_check(ms)?;
         Self::other_top_level_checks(ms)
     }
+
+    /// Reverse lookup to store whether the context is tapscript.
+    /// pk(33-byte key) is a valid under both tapscript context and segwitv0 context
+    /// We need to context decide whether the serialize pk to 33 byte or 32 bytes.
+    fn is_tapctx() -> bool {
+        return false;
+    }
+
+    /// Get the len of public key when serialized based on context
+    /// Note that this includes the serialization prefix. Returns
+    /// 34/66 for Bare/Legacy based on key compressedness
+    /// 34 for Segwitv0, 33 for Tap
+    fn pk_len<Pk: MiniscriptKey>(pk: &Pk) -> usize;
 }
 
 /// Legacy ScriptContext
@@ -317,6 +350,14 @@ impl ScriptContext for Legacy {
         // The scriptSig cost is the second element of the tuple
         ms.ext.max_sat_size.map(|x| x.1)
     }
+
+    fn pk_len<Pk: MiniscriptKey>(pk: &Pk) -> usize {
+        if pk.is_uncompressed() {
+            66
+        } else {
+            34
+        }
+    }
 }
 
 /// Segwitv0 ScriptContext
@@ -353,6 +394,12 @@ impl ScriptContext for Segwitv0 {
                 }
                 Ok(())
             }
+            Terminal::Multi(_k, ref pks) => {
+                if pks.iter().any(|pk| pk.is_uncompressed()) {
+                    return Err(ScriptContextError::CompressedOnly);
+                }
+                Ok(())
+            }
             _ => Ok(()),
         }
     }
@@ -400,6 +447,105 @@ impl ScriptContext for Segwitv0 {
         // The witness stack cost is the first element of the tuple
         ms.ext.max_sat_size.map(|x| x.0)
     }
+
+    fn pk_len<Pk: MiniscriptKey>(_pk: &Pk) -> usize {
+        34
+    }
+}
+
+/// Tap ScriptContext
+#[derive(Debug, Clone, Eq, PartialEq, Ord, PartialOrd, Hash)]
+pub enum Tap {}
+
+impl ScriptContext for Tap {
+    fn check_terminal_non_malleable<Pk: MiniscriptKey, Ctx: ScriptContext>(
+        _frag: &Terminal<Pk, Ctx>,
+    ) -> Result<(), ScriptContextError> {
+        // No fragment is malleable in tapscript context.
+        // Certain fragments like Multi are invalid, but are not malleable
+        Ok(())
+    }
+
+    fn check_witness<Pk: MiniscriptKey, Ctx: ScriptContext>(
+        witness: &[Vec<u8>],
+    ) -> Result<(), ScriptContextError> {
+        if witness.len() > MAX_STACK_SIZE {
+            return Err(ScriptContextError::MaxWitnessItemssExceeded);
+        }
+        Ok(())
+    }
+
+    fn check_global_consensus_validity<Pk: MiniscriptKey, Ctx: ScriptContext>(
+        ms: &Miniscript<Pk, Ctx>,
+    ) -> Result<(), ScriptContextError> {
+        // No script size checks for global consensus rules
+        // Should we really check for block limits here.
+        // When the transaction sizes get close to block limits,
+        // some guarantees are not easy to satisfy because of knapsack
+        // constraints
+        if ms.ext.pk_cost > MAX_BLOCK_WEIGHT as usize {
+            return Err(ScriptContextError::MaxWitnessScriptSizeExceeded);
+        }
+
+        match ms.node {
+            Terminal::PkK(ref pk) => {
+                if pk.is_uncompressed() {
+                    return Err(ScriptContextError::UncompressedKeysNotAllowed);
+                }
+                Ok(())
+            }
+            Terminal::Multi(..) => {
+                return Err(ScriptContextError::TaprootMultiDisabled);
+            }
+            // What happens to the Multi node in tapscript? Do we use it, create
+            // a new fragment?
+            _ => Ok(()),
+        }
+    }
+
+    fn check_local_consensus_validity<Pk: MiniscriptKey, Ctx: ScriptContext>(
+        _ms: &Miniscript<Pk, Ctx>,
+    ) -> Result<(), ScriptContextError> {
+        // Taproot introduces the concept of sigops budget.
+        // In all possible valid miniscripts satisfy the given sigops constraint
+        // Whenever we add new fragment that uses pk(pk() or multi based on checksigadd)
+        // miniscript typing rules ensure that pk when executed successfully has it's
+        // own unique signature. That is there is no way to re-use signatures for another
+        // checksig. Therefore, for each successfully executed checksig, we will have
+        // 64 bytes signature and thus sigops budget is always covered.
+        // There is overall limit of consensus
+        // TODO: track height during execution
+        Ok(())
+    }
+
+    fn check_global_policy_validity<Pk: MiniscriptKey, Ctx: ScriptContext>(
+        _ms: &Miniscript<Pk, Ctx>,
+    ) -> Result<(), ScriptContextError> {
+        // No script rules, rules are subject to entire tx rules
+        Ok(())
+    }
+
+    fn check_local_policy_validity<Pk: MiniscriptKey, Ctx: ScriptContext>(
+        _ms: &Miniscript<Pk, Ctx>,
+    ) -> Result<(), ScriptContextError> {
+        // TODO: check for policy execution.
+        Ok(())
+    }
+
+    fn max_satisfaction_size<Pk: MiniscriptKey, Ctx: ScriptContext>(
+        ms: &Miniscript<Pk, Ctx>,
+    ) -> Option<usize> {
+        // The witness stack cost is the first element of the tuple
+        ms.ext.max_sat_size.map(|x| x.0)
+    }
+
+    fn is_tapctx() -> bool {
+        true
+    }
+
+    fn pk_len<Pk: MiniscriptKey>(_pk: &Pk) -> usize {
+        33
+    }
 }
 
 /// Bare ScriptContext
@@ -461,6 +607,14 @@ impl ScriptContext for BareCtx {
         // The witness stack cost is the first element of the tuple
         ms.ext.max_sat_size.map(|x| x.1)
     }
+
+    fn pk_len<Pk: MiniscriptKey>(pk: &Pk) -> usize {
+        if pk.is_uncompressed() {
+            65
+        } else {
+            33
+        }
+    }
 }
 
 /// "No Checks" Context
@@ -506,17 +660,22 @@ impl ScriptContext for NoChecks {
     ) -> Option<usize> {
         panic!("Tried to compute a satisfaction size bound on a no-checks miniscript")
     }
+
+    fn pk_len<Pk: MiniscriptKey>(_pk: &Pk) -> usize {
+        panic!("Tried to compute a pk len bound on a no-checks miniscript")
+    }
 }
 
 /// Private Mod to prevent downstream from implementing this public trait
 mod private {
-    use super::{BareCtx, Legacy, NoChecks, Segwitv0};
+    use super::{BareCtx, Legacy, NoChecks, Segwitv0, Tap};
 
     pub trait Sealed {}
 
     // Implement for those same types, but no others.
     impl Sealed for BareCtx {}
     impl Sealed for Legacy {}
     impl Sealed for Segwitv0 {}
+    impl Sealed for Tap {}
     impl Sealed for NoChecks {}
 }

src/miniscript/limits.rs

@@ -40,3 +40,9 @@ pub const MAX_SCRIPT_ELEMENT_SIZE: usize = 520;
 /// Maximum script sig size allowed by standardness rules
 // https://github.com/bitcoin/bitcoin/blob/42b66a6b814bca130a9ccf0a3f747cf33d628232/src/policy/policy.cpp#L102
 pub const MAX_SCRIPTSIG_SIZE: usize = 1650;
+/// Maximum items during stack execution
+// This limits also applies for initial stack satisfaction
+// https://github.com/bitcoin/bitcoin/blob/3af495d6972379b07530a5fcc2665aa626d01621/src/script/script.h#L35
+pub const MAX_STACK_SIZE: usize = 1000;
+/** The maximum allowed weight for a block, see BIP 141 (network rule) */
+pub const MAX_BLOCK_WEIGHT: usize = 4000000;