Unify TapLeafHash and TapBranchHash into TapNodeHash while tree construction

[sanket1729]

This does not completely fix #1393 but is a simple starter. Unfortunately, we still need hash_new_type for TapNodeHash because is exported as the Merkle root in taproot psbt. This requires serialization and display/from_str methods.

This also adds a method 1) TapNodeHash::from_script to deal with single leaf case cleanly. As a nice side effect, this removes the ugly uses of sha256::Hash that I had used to represent both TapLeafHash and TapBranchHash

Does not fix

1. Exporting TapTweakHash. This requires some changes to macros we use.
2. Safer usage of TapNodeHash by not making it hash_new_type and having guarded constructors. As mentioned above, this is required for psbts and sharing Merkle roots. Perhaps, we might need a new type while constructing trees that is not hash_new_type, and convert it to another type that represents the final Merkle root.

My overall feeling is that this is best addressed with more examples than changing and complicating existing code.

I don't feel strongly about the rename, so can go back if TapBranchHash instead of TapNodeHash.

[Kixunil]

Oh, yeah, I wanted to open #1481 before but didn't have time and forgot. It should completely resolve the issue you found.

[Kixunil]

Have to run so not a deep review but looks mostly fine.

[Kixunil]

Shouldn't ScriptLeaf::leaf_hash return TapNodeHash? Do we even need TapLeafHash for anything now?

[sanket1729]

We need TapLeafHash in taproot sign APIs. https://docs.rs/bitcoin/latest/bitcoin/util/sighash/struct.SighashCache.html#method.taproot_signature_hash

[Kixunil]

Oh, right, in that case we should also have a trivial impl From<TapLeafhash> for TapNodehash.

[apoelstra]

This is really cool! It's a lot cleaner, both conceptually and code-wise, than I'd feared from the discussion in #1393.

[apoelstra]

In e03b945:

Can you add a comment here highlighting that you're actually casting between two hash types here, since it's maybe hard to see in the from_inner(X.into_inner()) form, explaining that this is because leaves of a taptree use a different hash prefix than the internal nodes, but the Merkle tree logic does not care about the distinction. Maybe also link to the BIP and/or to #1393.

I think a regular comment is fine, no need to doccomment this, since it's an internal implementation detail.

[apoelstra]

Also, I agree with Kix's suggestion below that we add a conversion method from TapLeafHash to TabBranchHash, so this line can be simplified to TapLeafHash::from_script(script, ver).into().

[sanket1729]

Adressed

[Kixunil]

Since there's From now we might as well use it here?

[apoelstra]

In 6609dae:

This doccomment should be updated to say that it might be tagged either with TapBranch or with TapLeaf; or maybe it should not mention this at all and just say "tagged hash used in taproot trees; see BIP-340 for tagging rules"

[sanket1729]

Rebased and ready for review

[Kixunil]

Mostly nits, just one somewhat important thing.

[Kixunil]

Could you try splitting "This hash type..." in these two into a separate paragraph to improve the doc?

[Kixunil]

Since there's From now we might as well use it here?

[Kixunil]

This should accept TapNodeHash. Or am I missing something? (Only this one is blocking.)

[sanket1729]

Duh, I swear all instances of sha256::Hash in this PR, but looks like I screwed up in rebasing somewhere

[sanket1729]

Ready for review again

[sanket1729]

A couple formatting changes got sneaked in here. Don't think it should be an issue

[Kixunil]

ACK f39cd88

[Kixunil]

I think there should be an empty line, but since I'm too tired to check myself, I will ignore this nit. We can fix later.

[tcharding]

ACK f39cd88