Adds Taproot BIP341 signature message and create a unified sighash cache for legacy, segwit and taproot inputs

[RCasatta]

Adds https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki message signature algorithm

The base is taken from bip143::SigHashCache, some code results duplicated but I think it's more clear to keep things separated

Would mark some bullet point on #503

Test vectors are taken by running https://github.com/bitcoin/bitcoin/blob/d1e4c56309aeb73772e3a9d779a9c157024c9e1e/test/functional/feature_taproot.py with a modified TaprootSignatureHash function to print intermediate values that I cannot found in the bip341 test vector json

UPDATE: Latest version includes the suggestion from @sanket1729 to create a unified tool for signature message hash for legacy, segwit, and taproot inputs. In particular, makes sense for mixed segwit v0 and taproot v1 inputs because cached values could be shared

[sanket1729]

Is it worth having a single sighash cache for all output types. It is a breaking change, but it appears to be cleaner and could also be more efficient when we are spending segwitv0 and taproot outputs together(as implemented in bitcoin core).

let cache = SighashCache::new(&tx);
let legacy_hash = cache.sighash_legacy();
let segwitv0_sighash = cache.sighash_segwitv0(amt, script..);
let taphash = cache.sighash_taproot(&prevouts);

[RCasatta]

but it appears to be cleaner and could also be more efficient when we are spending segwitv0 and taproot outputs together

it is surely cleaner especially because it is handier to use (in case of mixed inputs it allows to instantiate only one sighash cache) but in what ways is it more efficient? The hashes are differents (both in order and also single instead of double)

I agree we should do this, I am trying to understand if I am missing something

[sanket1729]

t is surely cleaner especially because it is handier to use (in case of mixed inputs it allows to instantiate only one sighash cache) but in what ways is it more efficient? The hashes are differents (both in order and also single instead of double)

Yes, you can cache one round of sha256 computation. segwitv0 sighash uses double sha256. So, while calculating hashPrevouts for segwitv0 instead of hashing the prevouts again, we hash the taproot prevouts_sha256 hash once to obtain hashprevouts. We can do the same thing for sequence hash and outputs hash.

The code from bitcoin core

    if (uses_bip143_segwit || uses_bip341_taproot) {
        // Computations shared between both sighash schemes.
        m_prevouts_single_hash = GetPrevoutsSHA256(txTo);
        m_sequences_single_hash = GetSequencesSHA256(txTo);
        m_outputs_single_hash = GetOutputsSHA256(txTo);
    }
    if (uses_bip143_segwit) {
        hashPrevouts = SHA256Uint256(m_prevouts_single_hash);
        hashSequence = SHA256Uint256(m_sequences_single_hash);
        hashOutputs = SHA256Uint256(m_outputs_single_hash);
        m_bip143_segwit_ready = true;
    }
    if (uses_bip341_taproot) {
        m_spent_amounts_single_hash = GetSpentAmountsSHA256(m_spent_outputs);
        m_spent_scripts_single_hash = GetSpentScriptsSHA256(m_spent_outputs);
        m_bip341_taproot_ready = true;
    }

[sanket1729]

That being said, I am also okay if we decide that the code complexity of this particular optimization is not worth the benefit.

rust-bitcoin is not a full node that needs to quickly verify the transaction, so keeping things simple and easy to review might have its pros. My vote is towards implementing it, but I am also okay if others don't see the value in it.

[sanket1729]

Thanks for doing this :)
Code review ACK 8098975.

1. My vote is for adding a new SigHashType for Taproot. Initially, it seemed a bit wasteful at first to have a new SigHashType for every new sighash update(we will have another enum for ANYPREVOUT). But I am convinced that this is the correct way to proceed.
2. And a single cache for all signature hashes(legacy, segwitv0, and taproot) with a new name and optionally mark the current bip143::SighashCache as deprecated.

[RCasatta]

Thanks for doing this :)

Thanks for the review!

1. My vote is for adding a new SigHashType for Taproot. Initially, it seemed a bit wasteful at first to have a new SigHashType for every new sighash update(we will have another enum for ANYPREVOUT). But I am convinced that this is the correct way to proceed.

Still TODO

2. And a single cache for all signature hashes(legacy, segwitv0, and taproot) with a new name and optionally mark the current bip143::SighashCache as deprecated.

apart from deprecation, latest commits implement the unified cache with legacy, segwitv0 and taproot

[RCasatta]

The latest changes should include all feedback received (deprecation of bip143::SigHashCache and new SigHashType with Default variant.

I am going to wait for @sanket1729 feedback round, if mostly ok, I think I am going to squash the commits for easier review and remove draft state (probably 3 commits: add encodable to sha256::Hash, add sighash, deprecate bip143::sighash)

[sanket1729]

I am not scared of unwraps, but we can avoid it with get_or_insert_with as done in bip143.rs

[sanket1729]

Same comment here and everywhere we call this unwrap() after is_none

[RCasatta]

I changed it for the following reasons:

• the segwit_cache() method is now calling the common_cache() method that takes &self, so it's not possible anymore to borrow and mutable borrow at the same time (before was possible because we were borrowing and mutable borrowing on different struct fields).
• common_cache() and taproot_cache() could indeed use get_or_insert_with() but it requires let bindings before the call that are done even in the cache hit phase, so I think it's a little better to avoid those (unless someone tells me they are optimized away by the compiler).
• since it seems segwit_cache() cannot be implemented with get_or_insert_with(), I thought to be coherent with other methods

Unrelated to the get_or_insert_with() discussion, the method before was returning owned values, copying 32 bytes every time, while now it returns only a borrow

[Kixunil]

I really don't believe there's performance loss. It is also possible to use get_or_insert_with in segwit_cache with some refactoring - see last commit of RCasatta#3

[sanket1729]

We need to keep this as script_code and u64. In p2wsh, the script_code is not the script_pubkey, but the witness_script. So, this code would give incorrect results.

In case, the witness_script contains OP_CODESEP it best for the user to supply the script_code parameter.

This is also consistent with how this is defined in bip141.

[JeremyRubin]

👍 -- note that we could also provide a (version with) a codesep argument if we don't want to have to clone the script, or provide a Script Slice (equivalent).

[RCasatta]

kept segwit method in line with existent in e76e5e1

@JeremyRubin it is already a borrowed Script?

[JeremyRubin]

codesep in segwit requires a script slice -- who owns the script presently? If you don't have a codesep argument OR a script slice (and compute sep ext), then somewhere you're allocating extra.

[JeremyRubin]

BIP-118 doesn;'t commit to the input_index, so this might not be robust?

Maybe make get take an Option index and only check if it's provided

[JeremyRubin]

I think we might as well just always cache everything?

[RCasatta]

As bitcoin core is doing it's more efficient to separate the cache this way so you can compute only what you need and reuse it according to the type of the inputs.

• for legacy: no cache is computed
• for taproot only: no segwit_cache is computed
• for segwit only: no taproot_cache is computed

Even if we don't have the same efficiency requirement as bitcoin core I think it's nice to have (and also @sanket1729 have a preference for that #628 (comment))

[JeremyRubin]

I think this should be a 2 level enum where we have

enum SigHashType {
    Legacy,
    SegwitV0,
    SegwitV1,
}

to make clear contexts where modes do not have/have different meanings.

[sanket1729]

I think we should just have different types of SigHashTypeLegacy, SighashTypeSegwitv0, `SigHashTypeTaproot.

In what use case would you need a level 2 enum?

[JeremyRubin]

I think that's OK -- I mean more that there should not be a "SigHashType" general enum that From coerces into other SigHashType* things. Espeically once we get into BIP-118, it would switch into a TryFrom because certain SigHashTypes would not be proper.

[RCasatta]

I think we should just have different types of SigHashTypeLegacy, SighashTypeSegwitv0, SigHashTypeTaproot.

why different types for legacy and segwit?

Is it a very bad idea to add a RESERVED variant to the sighash::SigHashType introduced in this PR to accommodate SIGHASH_PREVOUT when it's time?
#[non_exhaustive] would be better but it's not in our MSRV

[sanket1729]

Sorry, I think I misread your comment initially for something else. I am not against adding the reserved variant, but I don't know if how effectively it serves the same purpose as #[non-exhaustive].

I will let other contributors comment on this, I am not sure if we should so much forward-thinking about OP_ANYPREVOUT right now. The current spec for BIP118 is itself a major change in PublicKey API because it introduces new key types. Maybe additionally doing this is that not that bad?

[JeremyRubin]

I guess if I can better specify my position, I think that that one should be able to make a "pure" function:

fn get_sighash(tx:&TransactionData, sighash: SigHashType) -> Hash

which computes the correct digest with no additional instructions. Since legacy, segwitv0, and segwitv1 all compute different things, unifying the type as one SigHashType means that we need additional context, so

fn get_sighash_legacy(tx:&TransactionData, sighash: SigHashType) -> Hash
fn get_sighash_v0(tx:&TransactionData, sighash: SigHashType) -> Hash
fn get_sighash_v1(tx:&TransactionData, sighash: SigHashType) -> Hash

This is already sort of the case because v1 requires more context to sign, but I imagine the APIs will converge on having the superset of data available for any case (v1/v0/legacy). I think you in theory could parse what digest version is required from the TxData, but it'd be nice if SigHashType were an explicit & unique digest instruction.

[JeremyRubin]

I do agree this isn't a huge issue for now, just sounding the warning that BIP-118's plans do include diverging sighash types where there will be different things available at different times, and I think it is something we can handle relatively elegantly by being more explicit here.

[dr-orlovsky]

non_exhaustive does not work on current MSRV

[sanket1729]

code review ACK a37de1a.

I will review the tests carefully later, but I am super happy with the current API design. We can squash this and open it up for feedback from other contributors.

[sanket1729]

How about changing segwit_signature_hash() to segwitv0_signature_hash()?

[RCasatta]

I squashed the commits, in comparison to the pre-squash situation I left legacy and tests in their place with a trick for legacy tests to tests also the new API code paths (while the segwit tests are left there since the bip143::SigHashCache impl is provided by sighash::SigHashCache)

I also added the proposed RESERVED variant in the last commit but I am not super sure about it

How about changing segwit_signature_hash() to segwitv0_signature_hash()?

I am not super in love with segwitv0 (it should be taprootv1 for the other?) but let's see what others think about it

[sanket1729]

tACK 877dc47. Ran tests, checked that tests have covered all paths of interest, all sighash types, annex, scriptpaths.

The only thing I am unsure about is the effectiveness of the Reserved variant.

[sgeisler]

I left some nits, but generally utACK 877dc47

[RCasatta]

Sorry @dr-orlovsky , @sgeisler , @sanket1729 for another dismissed review but the change proposed by @Kixunil is superior (especially since there were too many comments on why unwrapping before) and also the access_witness make sense for me (and potentially a breaking change to do it afterward).

Since I think the above two changes were important I fixed also documentations

[sanket1729]

ACK c704ee7. Reviewed the diff from a37de1a which I previously ACKed

[dr-orlovsky]

utACK c704ee7 by diffing it to 6e06a32 having my ACK before.

Three nits: two doc related and one related to improvement of private method signature

[dr-orlovsky]

Nit:

Suggested change

	/// [`std::io::Write`] trait.
	/// [`io::Write`] trait.

as was specified above (to support no_std)

[dr-orlovsky]

Ibid

[dr-orlovsky]

Why are we passing these two arguments when we can just use self?

[Kixunil]

We can't because self.segwit_cache may be borrowed during call to this function which prevents us from borrowing self mutably. The name of the function is supposed to indicate it but maybe it's not clear enough? Have an idea for a better one?

[dr-orlovsky]

Right, I see. Yes, I do not know any other workaround

[dr-orlovsky]

Nit: I think it will be better to have an expect here

[dr-orlovsky]

Ibid

[dr-orlovsky]

Ibid

[dr-orlovsky]

Right, I see. Yes, I do not know any other workaround

[dr-orlovsky]

@apoelstra we already have to ACKs here, but taking into account the importance of the code, probably it will be up to you to add the third ACK and merge the PR

[JeremyRubin]

nit: comment belongs above line 163

[JeremyRubin]

nit: maybe you can just define an empty vec in the Self type that gets returned if input_index is out of bound. It's better than the unchecked access, and perhaps better than adding an unwrap / panic.

definitely a nit though, as this is deprecated code anyways.

[JeremyRubin]

nit: the same comment is true for prevouts/sequences with ANYONECANPAY, no?

[JeremyRubin]

nit: SegwitV0Cache, taproot is a segwit too?

[JeremyRubin]

nit: in theory usize is redundant with &'u TxOut + Transaction as you can do the pointer math to compute where the TxOut lives in the out vector.

[apoelstra]

I don't understand this, what vector are you talkng about?

[JeremyRubin]

I guess i'm (incorrectly?) assuming that there is some backing &'u [TxOut] that this txout is resident from which the lifetime derives, (where ones we don't have are default() nulls), but i suppose that we might just have a single TxOut fetched in some contexts and not want a whole array, or that having a ref to the array would prevent some clever uses of splits and whatnot on that storage to hand out mutable and immutable references simultaneously...

[JeremyRubin]

nit: a slice is the wrong type, we want a reference to the underlying storage to ensure we have the whole slice, not just partial.

[apoelstra]

I strongly disagree

[JeremyRubin]

Another way to make this API safe would be via a smart constructor. E.g.

pub enum Prevouts<'u> {
//...
All(SafeSliceAll<'u>)
}
use private::SafeSliceAll;
mod private {
// self.0 not pub so can only be constructed locally.
pub struct SafeSliceAll<'u>(&'u [TxOut]);
impl<'u> From<&'u Vec<TxOut>> for SafeSliceAll<'u> {
//....
}
}

Allowing to construct an All from a arbitrary slice is error prone IMO since you can't guarantee it's actually all.

[JeremyRubin]

we need to use such a smart constructor type because pub enums require all fields of variants are pub iirc.

[apoelstra]

I don't understand why the user would be required to have the txouts all in a Vec like this.

[JeremyRubin]

nit: as noted earlier, a non-slice type would eliminate this check.

[apoelstra]

This isn't a check, it's a destructuring.

[JeremyRubin]

Ah the check is the line below

[JeremyRubin]

CR-ack; some nits nothing needing fixing IMO

[apoelstra]

Nit: we should update ths comment to say that this is only true for legacy input. For segwit (v0 and taproot), if you try to SINGLE-sign an output that doesn't exist it'll just fail.

[apoelstra]

Need to bounds-check this, either here or in check_index above.

[apoelstra]

Ah this is fixed in a later commit.

[apoelstra]

Should add an else if sighash == LegacySigHashType::Single && input_index >= self.tx.output.len() which encodes the one hash

[apoelstra]

Never mind.

[apoelstra]

ACK c704ee7

This is really great!

Not going to hold up merging for nits about comments etc