Maybe precise that's invalid with regards to consensus. Or at least we enforce this as a policy rule without any tightening with regards to consensus rule.

I don't get `feature_taproot.py` failure for : ``` diff --git a/src/pubkey.cpp b/src/pubkey.cpp index 111f9c10e..0163f61a2 100644 --- a/src/pubkey.cpp +++ b/src/pubkey.cpp @@ -174,7 +174,7 @@ XOnlyPubKey::XOnlyPubKey(Span<const unsigned char> in) } bool XOnlyPubKey::VerifySchnorr(const uint256& msg, Span<const unsigned char> sigbytes) const { - if (sigbytes.size() != 64) return false; + if (sigbytes.size() != 64) return true; if (msg.size() != 32) return false; secp256k1_xonly_pubkey pubkey; if (!secp256k1_xonly_pubkey_parse(secp256k1_context_verify, & ``` And same for next check on message size.

Does this key version is actually the one of defined 32-byte public key or it is an independent versioning ? If it is the first option I think we should add a `m_key_version` to `ScriptExecutionData` and ensure we set it at key type detection in `ExecuteWitnessScript` to avoid hashing and public key validation going out of sync ?

I think BIP341 footnote mentions that TAPSCRIPT's `ext_flag=1` but I don't find where it mandates that TAPROOT's one is actually `ext_flag=0`

Is MINIMALDATA consensus-mandatory for `OP_CHECKSIGADD` or only part of our relay-policy like for other `CScriptNum` operators ? The spec only mentions `All CScriptNum-related behaviours of `OP_ADD` are also applicable to `OP_CHECKSIGADD", it's a bit unclear. In either case flipping it to `true/false` doesn't give me back any test failure.

I think this comment is ambiguous with regards to `EvalChecksigTapscript` and BIP342 requirement. Successful could be interpreted as : * if signature verification is successful * if signature is non-empty AFAICT, the second alternative is actually what is referred by `signature check`. Maybe add `successful non-empty signature check`

Should we assert exclusion of scriptless (?) script versions at a higher-level like `EvalScript` or `ExecuteWitnessScript` to catch witness parsing bug where such a script wouldn't call a sig operation ?

Assert altstack empty ?

Computation of tweaked_pubkey `Q` is guarantee to be non-malleable by a third-party such that any intentional flip of the parity bit of the control block would fail here ? Is this test somewhere, when I try to test it I got some `opsuccess/return` error ?

I tried to tweak serializers to test that `compact_size(size of s)` is well-committed in tapleaf hash. Of course I got failure far earlier, so I was wondering if there is a way to test this in isolation ? I guess that's useless as our script ser is already used at anytime, so any error would be more than obvious.

Technically this should be called `witnessScript` (BIP141) or just `script` (BIP341) ? `scriptPubKey` is a bit confusing as this is fed from the witness?

Again don't get failure in `feature_taproot.py` ? What should be the prefix something like `sighash/keypath_*` ? ``` diff --git a/src/script/interpreter.cpp b/src/script/interpreter.cpp index 053df47a2..24ba2ac41 100644 --- a/src/script/interpreter.cpp +++ b/src/script/interpreter.cpp @@ -1662,7 +1662,7 @@ bool GenericTransactionSignatureChecker<T>::CheckSchnorrSignature(Span<const uns hashtype = SpanPopBack(sig); if (hashtype == SIGHASH_DEFAULT) return false; } - if (sig.size() != 64) return false; + if (sig.size() != 64) return true; uint256 sighash; if (!SignatureHashSchnorr(sighash, execdata, *txTo, nIn, hashtype, sigversion, this->txdata)) return false; return VerifySchnorrSignature(sig, pubkey, sighash); ```

Idem, is this part of the code tested non-deterministically ? ``` diff --git a/src/script/interpreter.cpp b/src/script/interpreter.cpp index 053df47a2..fcaacc152 100644 --- a/src/script/interpreter.cpp +++ b/src/script/interpreter.cpp @@ -1653,7 +1653,7 @@ template <class T> bool GenericTransactionSignatureChecker<T>::CheckSchnorrSignature(Span<const unsigned char> sig, Span<const unsigned char> pubkey_in, SigVersion sigversion, const ScriptExecutionData& execdata) const { if (sig.empty()) return false; - if (pubkey_in.size() != 32) return false; + if (pubkey_in.size() != 32) return true; XOnlyPubKey pubkey{pubkey_in}; ```

I don't get a `feature_taproot.py` failure for this ? ``` diff --git a/src/script/interpreter.cpp b/src/script/interpreter.cpp index 053df47a2..02de07bc5 100644 --- a/src/script/interpreter.cpp +++ b/src/script/interpreter.cpp @@ -1652,7 +1652,7 @@ bool GenericTransactionSignatureChecker<T>::CheckECDSASignature(const std::vecto template <class T> bool GenericTransactionSignatureChecker<T>::CheckSchnorrSignature(Span<const unsigned char> sig, Span<const unsigned char> pubkey_in, SigVersion sigversion, const ScriptExecutionData& execdata) const { - if (sig.empty()) return false; + if (sig.empty()) return true; if (pubkey_in.size() != 32) return false; XOnlyPubKey pubkey{pubkey_in}; ```

Should be referenced in `CTxDestination` typedef.

Why not BIP8?

This is different from BIP114 which says the max size of path must be below 1024, however `32 * 128 == 4096` Is this correct? I suppose BIP114 limit is superseded by BIP341 (which I find reasonable) but asking to be sure. (Perhaps BIP114 should be updated?)

(renaming suggested to be consistent with the name in the implementation) ```suggestion bool CheckPayToContract(const XOnlyPubKey& base, const uint256& hash, const bool negated) const; ```

nit if you retouch ```suggestion const int path_len = (control.size() - TAPROOT_CONTROL_BASE_SIZE) / TAPROOT_CONTROL_NODE_SIZE; const XOnlyPubKey p{uint256(std::vector<unsigned char>(control.begin() + 1, control.begin() + TAPROOT_CONTROL_BASE_SIZE))}; const XOnlyPubKey q{uint256(program)}; uint256 k = (CHashWriter(HASHER_TAPLEAF) << uint8_t(control[0] & TAPROOT_LEAF_MASK) << script).GetSHA256(); for (int i = 0; i < path_len; ++i) { CHashWriter ss_branch{HASHER_TAPBRANCH}; ```

Since these names look so similar (made me confused), maybe use names without numbers to distinguish them better? Or something like `uses_bip341_taproot`?

`for k in range(len(pubs)):` ?

`r = random.randrange(len(pubs))` ?

We should probably policy-reject annex here for now?

If we ever had a `continue`, this would get skipped. Seems like a code footgun. We could replace `while (pc < pend)` with `for ( ; pc < pend; ++opcode_pos)` perhaps?

Probable premature optimisation: Copy `m_salted_hasher_ecdsa` before adding the padding?

Inaccuracy in previous comment aside, seems like it would be best to correct the new one (with 31 null bytes after E/S)

Suggest moving the size check and uint256 cast into `XOnlyPubKey` construction & `IsValid`, like `CheckECDSASignature` does

nit: "is not *exactly* 64 bytes"

Suggest moving `CheckSig` -> `CheckECDSASignature` rename to a dedicated commit

Technically, Tapscript itself is a form of P2SH, just not BIP16 P2SH. The comment here confused me. Perhaps "non-BIP16-wrapped"?

Please rename things that change meaning. eg, `GetPrevoutSHA256`

nice script for this check

take-or-leave-nit: just do `[b''] * 1001`

take-or-leave-nit: just do `[b''] * 1001`

suggestion: `"sighash/scriptpath_unk_hashtype_{}".format(invalid_hashtype)`

suggestion: `"sighash/keypath_unk_hashtype_{}".format(invalid_hashtype)`

suggestion: `"sighash/scriptpath_{}".format(hashtype)`

suggestion: `"sighash/keypath_{}".format(hashtype)`

`s/followed by a dummy/followed by a dummy push of bytes that are to be dropped/`

for `leafversion` anything other than `0xc0` should fail it, maybe just flip a bit of this too

expression

Is there any disadvantage to combining these two lines and eliminating the temporary return value: ```suggestion if !(SignatureHashSchnorr(sighash, execdata, *txTo, nIn, hashtype, sigversion, this->txdata) return false; ```

There's a naming inconsistency here. `VerifySignature` changed to `VerifyECDSASignature`/`VerifySchnorrSignature`, but `CheckSig` has changed to `CheckSigSchnorr`/`CheckSig`. Would it be better to name them `CheckSchnorrSig`/`CheckECDSASig`?

Any reason not to do a range-based for loop here? ```suggestion for (const CTxIn& txin : tx.vin) { const COutPoint &prevout = txin.prevout; ```

don't we use these caches for any non taproot signature? Not just segwit?

//! Entries are SHA256(nonce || 'E' or 'S' || 0x00 * 32 || signature hash || public key || signature)

But only if `OP_SUCCESSx` occurred earlier? Is it worth the effort to check the whole script for `OP_SUCCESSx` before and then do second pass for other conditions?

``` /** Helper for OP_CHECKSIG, OP_CHECKSIGVERIFY and OP_CHECKSIGADD ```

I would find it marginally more readable to use `!sig.empty()` in the `if` statements below and move `success = !sig.empty();` all the way to the bottom.

styleguide nit: ```suggestion for (unsigned int i = 0; i < tx.vin.size(); ++i) { ```

I think these runtime constants tend to be formatted like normal variables in the rest of the code base, i.e. snake case. But there does not seem to be a particular rule on these in the style guide.

cbcaab9a66f82fa5bcc2711a5fee2adc47004cc8 nit: `m_annex_hash` is only initialized if `m_annex_present` is `true`, though I doubt it will confuse anyone. Alternate wordings: ```cpp //! Whether m_annex_present is initialized ``` Or: ```cpp //! Whether m_annex_present and (when needed) m_annex_hash are initialized. ```

b7a7f6ab2ccc30e323a5396c27cb82ffd613550b nit: these comments could be introduced in 41d08f5d77f52bec0e31bb081d85fff2d67d0467 (which adds `TAPROOT = 2`)

nit: I would prefer the `execdata` before `serror`. Would also be more consistent with `ExecuteWitnessScript`.

nit: sort :)

I agree with @Sjors (https://github.com/bitcoin/bitcoin/pull/17977#discussion_r459527853) that these should be renamed. `m_prevouts_hash` and `hashPrevouts` doesn't communicate that one of these members is the SHA256 digest and the other is the dSHA256 digest. I'd propose `m_prevouts_sha256` and `m_prevouts_double_sha256`, but anything that communicates what these are would be an improvement.

`hash` is the wrong name for this param. It should be `input` to match the header declaration (although I think `preimage` would be better still).

Hate to do this: capitalisation. Tagged hash

41d08f5d77f52bec0e31bb081d85fff2d67d0467 : isn't this missing a `compact_size(size of annex)` prefix?

41d08f5: The BIP (still?) says `0x50` (I see this completely changes in a later commit, so will revisit then)

41d08f5: this could lead to confusion if a later upgrade adds and permits a new SIGHASH type, given that the BIP specifies this as a negative: "If `hash_type & 3` does not equal `SIGHASH_NONE` or `SIGHASH_SINGLE`".

41d08f5d77f52bec0e31bb081d85fff2d67d0467 : `TapSighash` is written in camel case (`TapSigHash`) most of the time in BIP 341 (which would be my preference too).

41d08f5d77f52bec0e31bb081d85fff2d67d0467: maybe rename to `m_prevouts_hash_v0` or `m_prevouts_double_hash`? In addition, shouldn't we skip calculating hashes we don't need depending on the witness version? Or is that negligible for validation performance (sorry, too lazy to bench this myself)?

41d08f5d77f52bec0e31bb081d85fff2d67d0467: let's document that `uint256 GetPrevoutHash` and `GetSequenceHash` (now) return a single SHA256 hash. Perhaps we should rename them to GetPrevout**s**Hash and GetSequence**s**Hash, consistent with `GetSpentAmountsHash` and `GetSpentScriptsHash`. In BIP-341 the phrasing is slightly ambiguous: "sha_prevouts (32): the SHA256 of the serialization of all input outpoints." It could be more clear that this means concatenate all previous and then hash them, rather than to concatenate the hashes. Changing the variable name helps with that clarity too.

FYI nonstandard txns are rejected by default in regtest now ( I don't mind explicit args in tests so meh)

Should mention/rename it to show it's "add" not "mult"

Should mention/rename it to show it's "add" not "mult"

Currently this only enforces `MAX_STANDARD_TAPSCRIPT_STACK_ITEM_SIZE` on top of consensus checks, yes?

I think it'd be cleaner to just make the `Span` here, then use it for next 4 lines?

this would be easy/nice to split out for unit tests

The various peppering of `sigversion == SigVersion::BASE || sigversion == SigVersion::WITNESS_V0` and `sigversion != SigVersion::TAPSCRIPT` makes me a little uneasy. Synchronize these checks?

N.B.: Let's make sure there's a test that catches the >4 bytes rule for addition

> The following validation sequence is consensus critical. You don't say

did I miss why the const is dropped here?

please annotate `/* is_p2sh */`

please annotate `/* is_p2sh */`

`s/32/m_keydata.size()/`

Is this for simply catching assertion condition?

`s/32/hash.size()/` if you don't mind

``` test/functional/test_framework/address.py:10:1: F401 '.script.hash256' imported but unused

Is this just a duplicate of `WITNESS_V1_TAPROOT_SIZE`? It's only used once in `VerifyWitnessProgram()`. Can we replace that usage with `WITNESS_V1_TAPROOT_SIZE`?

nit: could these two bools be replaced with an `Optional<bool>`? Optional is std from c++17 but currently implemented using boost::optional. Do we prefer to keep that out of consensus code?

should `stack.front()` be preferred over `stack[0]`?

nit: I'm not 100% clear on our`include` guidelines - `string` is included via `hash.h`, so if that's sufficient this line is unnecessary, if that's not sufficient, then we should also include `uint256.h`, etc here.

Is the P2SH check necessary here? There is a test for `prevScript.IsWitnessProgram()` a few lines up, is there anyway the script could still be P2SH at this point? Or should this actually test `prev.scriptPubKey.IsPayToScriptHash()` which is the actual previous TX output script, defined before `prevScript` is updated to the redeem script.

I believe this should be called `SignatureHashSchnorr` and be `<typename T>` to match `interpreter.cpp` v.

If someone does `txdata = PrecomputedTransactionData(tx);` and then later tries to do `txdata.Init(tx, spent_outputs);` this line will terminate, despite `m_amounts_spent_ready` not being updated based on the new spent_outputs. Perhaps ```C++ if (ready && spent_outputs.empty()) return; ``` Edit: maybe even split into `if !ready, make hashes` and `if !m_amounts_spend_ready`, do spent stuff. (also fixed description; m_spent_outputs is updated, but the bool is not)

This assertion will be hit, because `cache` is null when using the below constructor: https://github.com/bitcoin/bitcoin/blob/b8048b814821913b1f4c1c2070ec68b0c9001ec8/src/script/interpreter.h#L258 Maybe checking if txdata is non-null and complain if it isn't, at https://github.com/bitcoin/bitcoin/blob/b8048b814821913b1f4c1c2070ec68b0c9001ec8/src/script/interpreter.cpp#L1638

I believe "If the this nonce function ..." should be "If this nonce function ...".

I'm generally not a fan of these Data interfaces which have all the bool x_init fields. As an alternative, we could use an optional type wrapper. However, optional types depend on boost until c++17, which we shouldn't introduce consensus dependencies on. My proposal would be to copy the definition of c++17 optional into https://github.com/bitcoin/bitcoin/blob/99813a9745fe10a58bedd7a4cb721faf14f907a4/src/optional.h and drop the boost dependency, and then use this here. This can be done as a PR separate from Taproot so as not to further burden this PR. Here, optionals express both the nothing set and not initialized state (hence dual-wrapped options) but perhaps we'd be OK in collapsing the wrapped ones to represent (not initialized or not set) OR value. ```c++ struct ScriptExecutionData { //! The tapleaf hash. Option<uint256> m_tapleaf_hash; Option<Option<uint32_t>> m_codeseparator_pos; //! Hash of the annex data, if any Option<Option<uint256>> m_annex_hash; /** How much validation weight is left (decremented for every successful signature check). */ Option<int64_t> m_validation_weight_left; }; ``` This would seem, to me, to make the interface quite a bit safer and eliminates a bunch of initialization logic & prevents UB from cropping up. It would also be, in my opinion, a larger project (perhaps worthwhile) to generally rethink this state object to be accessed through an interface that guarantees the fields are accessed correctly -- e.g., once a m_validation_weight_left is set it can only be read or decreased, and the function to decrease can set error if the condition isn't met on underflow. Maybe not worth that large of a refactor though, I think optionals would already be an improvement.

UB nit: while this is safe, I believe, as it is used, it would be better to initialize this to either true or false should there be a bug, it would at least not invoke UB.

documentation nit: preference to not use -1 to indicate a sentinel for a unsigned type.

Nit: indentation (here and L1781).

```suggestion from test_framework.script import ( ANNEX_TAG, CScript, CScriptOp, LEAF_VERSION_TAPSCRIPT, LOCKTIME_THRESHOLD, MAX_SCRIPT_ELEMENT_SIZE, OP_0, OP_1, OP_1SUB, OP_1NEGATE, OP_2DROP, OP_2DUP, OP_CHECKMULTISIG, OP_CHECKMULTISIGVERIFY, OP_CHECKSIG, OP_CHECKSIGADD, OP_CHECKSIGVERIFY, OP_CODESEPARATOR, OP_DROP, OP_DUP, OP_ELSE, OP_ENDIF, OP_EQUAL, OP_IF, OP_NOT, OP_NOTIF, OP_RETURN, OP_SWAP, OP_VERIF, SIGHASH_SINGLE, TaprootSignatureHash, is_op_success, taproot_construct, ) ```

nit: This function (VerifyECDSASignature) is formatted different than VerifySchnorrSignature which have the single line if-statements on one line. Maybe use same formatting for consistency since the functions are very similar in layout. I guess it's because this function already existed and don't want to make unrelated formatting changes. New here so not sure if this is a valid remark. Please excuse me if so.

Should these be updated to be BIP schnorr pubkeys (32-byte arrays)?

Why not check against opcode defines?

Use taproot instead of tap? SIGHASH_TAPROOT_DEFAULT TAPROOT like other instances, e.g. TAPROOT_PROGRAM_SIZE. Also, SignatureHashTap() renamed to SignatureHashTaproot()? Similar to VerifyTaprootCommitment.

This seems weird to me. How can we verify a signature for a point which does not have a square Y? Such public keys are not defined in bip-schnorr. I think it'd be clearer to assert that the pubkey has a square Y before verifying. I'd also suggest adding a `get_xonly_pubkey()` method to `ECKey` so we can directly get the valid bip-schnorr pubkey.

nit: a `NONE_EXECUTED` constant would be expressive

nit: how about `!= sizeof(((secp256k1_schnorrsig){0}).data)`, a `static_assert`, or similar?

~~nit: `stack.back()`~~ Neglected to examine the full context.

```suggestion # Tapscript ```

```suggestion // How much weight budget is added to the witness size (Tapscript only). ```

```suggestion // Validation weight per passing signature (Tapscript only). ```

```suggestion // Making unknown public key versions in Tapscript non-standard ```

```suggestion /** The maximum size of each witness stack item in a standard Tapscript */ ```

```suggestion // Leaf version 0xc0 (aka Tapscript, see BIP 342) ```

nit: is it clearer to use or comment e.g. `WITNESS_V0`, and `TAPROOT` below?

nit: Perhaps more readable if we avoid magic numbers with something like: ```c++ static_assert(SIGHASH_TAPOUTPUTMASK < SIGHASH_TAPINPUTMASK); if ((hash_type > SIGHASH_TAPOUTPUTMASK) && (hash_type <= SIGHASH_TAPINPUTMASK || hash_type > (SIGHASH_TAPINPUTMASK | SIGHASH_TAPOUTPUTMASK))) return false; ``` Alternatively, a comment could be helpful.

Unify Taproot capitalization in comments. ```suggestion # Test Taproot softfork. ```

Unify Taproot capitalization in comments. ```suggestion # Don't use 32-byte v1 witness (used by Taproot) ```

Unify Taproot capitalization in comments. ```suggestion // Taproot ```

Unify Taproot capitalization in comments. ```suggestion // Taproot ```

Unify Taproot capitalization in comments. ```suggestion // Making unknown Taproot leaf versions non-standard ```

Unify Taproot capitalization in comments. ```suggestion DEPLOYMENT_TAPROOT, // Deployment of Taproot (BIPs 340-342) ```

nit: `reinterpret_cast<unsigned char*>(const_cast<char*>(`? The `const_cast` could be removed with C++17 and a switch to rvalue references.

taghash is written twice. Is this intentional?

why nested conditional here, but not nested above (line 240)? both branches have "stack_size >= 2" as well. without understanding what any of this means, would it be clearer to write like this, removing the duplication and nesting? ``` // precondition for taproot (?) if (stack_size < 2) { return } if (!stack[stack_size - 1].empty() && stack[stack_size - 1][0] == ANNEX_TAG) { // whatever this is } else if ((stack[stack_size - 1][0] & 0xfe) == 0xc0)) { // script path spend } ```

Is there a name for this condition that can be explained with a function name or at least a comment?

```suggestion if (!noncefp(buf, msg32, seckey_tmp, (unsigned char *) "BIP340Derive", (void*)ndata, 0)) { ``` Not sure if this breaks anything :confused:

```suggestion noncefp = secp256k1_nonce_function_bip-340; ``` Not sure if this breaks anything :confused:

```suggestion * noncefp: pointer to a nonce generation function. If NULL, secp256k1_nonce_function_bip340 is used ``` Not sure if this breaks anything? :confused:

```suggestion * (https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki). ``` This link is broken until the [BIP PR](https://github.com/bitcoin/bips/pull/876/) is merged.

```suggestion """Construct a BIP-340 compatible Schnorr signature with this key.""" ```

```suggestion * BIP-340 ```

```suggestion /** Return a CHashWriter primed for computing BIP-340 compatible tagged hashes. ```

```suggestion DEPLOYMENT_TAPROOT, // Deployment of BIP-340/BIP-341/BIP-342 ```

`s/TESTDUMMY/TAPROOT/` here and in testnet (regtest is fine). Also think you want to set timeout to something less expired.

Slightly confusing name... `HashAgainSHA256`? I understand why it exists, and I can't think of a much better name... but having something in the name to denote we're hashing with SHA256 might make it a tiny bit more readable.