Taproot keys implementation strategy

[dr-orlovsky]

After #561 (comment) and #561 (comment)

1. Leave bitcoin::PublicKey as is, probably adding bitcoin::util::ecdsa::PublicKey alias to it (the same for private keys).
2. Re-export Taproot keys under bitcoin::util::schnorr
3. Change ExtendedP(ub/priv)Key to hold secp256k1::Key rather than bitcoin equivalents. It is a necessary change anyway, since BIP32 does not support uncompressed keys and using type with compression flag is a mistake
4. Introduce to Extended*key* functions to_ecdsa (returning always compressed ECDSA key) and to_shchnorr.
   ... and that's all for the first non-API breaking release.

Next, more invasive change will be:

1. Remove bitcoin::PublicKey type
2. Create UncompressedKey types (for legacy purposes) and
3. Introduce PublicKey enum with just Compressed and Taproot variants (such that it can be used in SegWit miniscript/descriptor context without the need for errors/panics).

The first phase is implemented with the following PRs:

• Non-API breaking changes for 0.26.1 Non-API breaking introduction of Schnorr keys #589
• API-breaking changes to Extended keys internal key representation: Taproot: BIP32 extended keys using Scep256k1 keys instead of bitcoin ECDSA #590
• API-breaking changes to PSBT internal BIP32 key representation: PSBT BIP32 keys using to Secp256k1 keys instead of bitcoin ECDSA #591
• Minimally-invasive separation of bitcoin keys from ECDSA signature types #757

[apoelstra]

What type would Script::push_key take?

[apoelstra]

I also don't think ecdsa::PublicKey is the right name for 33-byte pubkeys, because 33-byte pubkeys are not only used for ECDSA. You also need full keys when doing Taproot derivtaions or when working wtih bip32, even if you are ultimately deriving x-only keys.

[dr-orlovsky]

What type would Script::push_key take?

It looks like the script must become witness-version aware (move context from miniscript?)...

[apoelstra]

Then what would the type of TxOut::script_pubkey be?

[JeremyRubin]

personally, i don't think it makes sense to have a separate type of key for taproot since the keys are technically compatible, right? if there is such a need, the keys could be e.g. backed by some underlying type?

this might become an issue when it comes to BIP-118 though...

[sanket1729]

I am a bit late for the party. But I don't like mixing Public Keys with signature algorithms. Keys are always full, and should not be associated with any signature algorithm.

My vote is for having separate modules for keys and signature checking. For most users, keys are just for signature checking, so it does make some sense. But the cryptographer inside me just wants to highlight this difference.
I would propose changing

• ecdsa to ec for the keys.
• changing schnorr::Keypair to ec::XonlyKeyPair
• moving all the signature-related stuff to ecdsa and schnorr modules.

This also matches how it is implemented in secp256k1 and IMO makes more conceptual sense if you consider applications for keys beyond signature checking.

[Kixunil]

While I agree with @sanket1729 maybe it'd be sensible to define newtypes around PublicKey similar to newtypes around hashes?

Also nit: I think XOnlyKeyPair is more appropriate casing.

[dr-orlovsky]

My vote is for having separate modules for keys and signature checking.
moving all the signature-related stuff to ecdsa and schnorr modules.

Agree. Just for consistency, the same should be applied to secp256k1 lib

Regarding the rest, I will try to re-cap what key type restrictions are we having in post-SegWitV1 world?

1. ScriptPubkey can take any key type, however this is context-dependent. Currently, script context can't be addressed in rust-bitcoin (and is addressed in rust-miniscript), which creates a lot of exceptions and error handling there (and pain). Ideally, we can have a refactored script::Builder in rust-bitcoin, which will be context-aware and will fail on improper key type usage, and remove Script::push_key completely (in favor of the builder). Then, Script type should continue to be backed just by a byte sequence, thus no propagation of the problem to the level of TxOut/Transaction. I think this addresses @apoelstra concern above.

   If removing Script::push_key and re-doing Builder considered too invasive, (while I think this is a good API practice preventing from pushing random data into random script), we may have more key-specific functions on Script, one for each of pubkey types we will agree upon.

2. Witness is anyway just a vec of bytestrings, so keys story does not affect it - they are all get there via length-independent slice representation anyway.

3. BIP32/PSBTs should rely on secp256k1-provided types, like currently proposed in Taproot: BIP32 extended keys using Scep256k1 keys instead of bitcoin ECDSA #590 and PSBT BIP32 keys using to Secp256k1 keys instead of bitcoin ECDSA #591

Thus, all use-cases inside rust-bitcoin itself are independent from the selected key type system. For external use (miniscript, wallets, block explorers), I propose to have dedicated key type per each format, since they will like to differentiate between their usage in different contexts. Thus, we will end up with having:

• introduce a newtype UncompressedPubkey over secp256k1::PublicKey
• do a newtype ec::CompressedPubkey over secp256k1::PublicKey for SegWit v0 contexts (like in miniscript)
• PublicKey remains as is (may be we can rename it into FullPubkey), representing either compressed or uncompressed key (for pre-SegWit world)
• re-export secp256k1::schnorrsig::PublicKey as ec::XOnlyPubkey to disambiguate the naming

[dr-orlovsky]

Closed with #757 merged