Basic Taproot derivation support for descriptors by sipa · Pull Request #22051 · bitcoin/bitcoin

sipa · 2021-05-24T21:52:36Z

This is a subset of #21365, to aide review.

This adds support tr(KEY) or tr(KEY,SCRIPT) or tr(KEY,{{S1,{{S2,S3},...}},...}) descriptors, describing Taproot outputs with specified internal key, and optionally any number of scripts, in nested groups of 2 inside {/} if there are more than one. While it permits importing tr(KEY), anything beyond that is just laying foundations for more features later.

Missing:

Signing support (see Basic Taproot signing support for descriptor wallets #21365)
Support for more interesting scripts inside the tree (only pk(KEY) is supported for now). In particular, a multisig policy based on the new OP_CHECKSIGADD opcode would be very useful.
Inferring tr() descriptors from outputs (given sufficient information).
getaddressinfo support.
MuSig support. Standardizing that is still an ongoing effort, and is generally kind of useless without corresponding PSBT support.
Convenient ways of constructing descriptors without spendable internal key (especially ones that arent't trivially recognizable as such).

This is just a small simplification to prepare for the follow-up instruction of a CTxDestination variant for taproot outputs. In the old code, WITNESS_V1_TAPROOT and WITNESS_UNKNOWN both produced {version, program} as Solver() output. Change this so that WITNESS_V1_TAPROOT produces just {program}, like WITNESS_V0_* do.

That results in a much safer interface (making the tweak commit to the key implicitly using a fixed tag means it can't be used for unrelated tweaking).

This class functions as a utility for building taproot outputs, from internal key and script leaves.

This adds a new descriptor with syntax e.g. tr(KEY,{S1,{{S2,S3},S4}) where KEY is a key expression for the internal key and S_i are script expression for the leaves. They have to be organized in nested {A,B} groups, with exactly two elements. tr() only exists at the top level, and inside the script expressions only pk() scripts are allowed for now.

Sjors · 2021-05-25T09:10:02Z

utACK 2667366 (based on #21365 (comment) review, plus the new functional test)

lsilva01

Tested ACK 2667366

meshcollider

This is so exciting 🎉

utACK 2667366

Will test

src/script/standard.cpp

achow101 · 2021-06-02T21:01:52Z

Code Review ACK 2667366

fjahr

utACK 2667366

fjahr · 2021-06-06T09:55:24Z

src/script/descriptor.cpp

+        std::holds_alternative<WitnessUnknown>(dest)) {
+        return OutputType::BECH32;
+    }
+    return std::nullopt;


nit: could add a comment that this is for CNoDestination.

fjahr · 2021-06-06T10:21:20Z

src/wallet/rpcwallet.cpp

        return obj;
    }

+    UniValue operator()(const WitnessV1Taproot& id) const { return UniValue(UniValue::VOBJ); }


nit: param seems to be named tap everywhere else

jnewbery · 2021-06-08T12:21:04Z

test/functional/wallet_taproot.py

+    @staticmethod
+    def rand_keys(n):
+        ret = []
+        idxes = set()
+        for _ in range(n):
+            while True:
+                i = random.randrange(len(KEYS))
+                if not i in idxes:
+                    break
+            idxes.add(i)
+            ret.append(KEYS[i])
+        return ret


I think this can be replaced with set(random.sample(KEYS, k=n))

I think you're right.

458a345 Add support for SIGHASH_DEFAULT in RPCs, and make it default (Pieter Wuille) c0f0c8e tests: check spending of P2TR (Pieter Wuille) a238012 Basic Taproot signing logic in script/sign.cpp (Pieter Wuille) 49487bc Make GetInputUTXO safer: verify non-witness UTXO match (Pieter Wuille) fd3f689 Construct and use PrecomputedTransactionData in PSBT signing (Pieter Wuille) 5cb6502 Construct and use PrecomputedTransactionData in SignTransaction (Pieter Wuille) 5d2e224 Don't nuke witness data when signing fails (Pieter Wuille) ce93531 Permit full precomputation in PrecomputedTransactionData (Pieter Wuille) e841fb5 Add precomputed txdata support to MutableTransactionSignatureCreator (Pieter Wuille) a91d532 Add CKey::SignSchnorr function for BIP 340/341 signing (Pieter Wuille) e77a283 Use HandleMissingData also in CheckSchnorrSignature (Pieter Wuille) dbb0ce9 Add TaprootSpendData data structure, equivalent to script map for P2[W]SH (Pieter Wuille) Pull request description: Builds on top of #22051, adding signing support after derivation support. Nothing is changed in descriptor features. Signing works for key path and script path spending, through the normal sending functions, and PSBT-based RPCs. However, PSBT usability is rather low as no extensions have been defined to convey Taproot-specific information, so all script information must be known to the signing wallet. ACKs for top commit: achow101: re-ACK 458a345 fjahr: Code review ACK 458a345 Sjors: ACK 458a345 Tree-SHA512: 30ed212cf7754763a4a81624ebc084c51727b8322711ac0b390369213c1a891d367ed8b123882ac08c99595320c11ec57ee42304ff22a69afdc3d1a0d55cc711

bitcoin/bitcoin#22051 (1/9)