bip-taproot: Internal pubkey construction seems to be inconsistent.

[rajarshimaitra]

In the implementation of taproot_tweak_pubkey() :

def taproot_tweak_pubkey(pubkey, h):
    t = int_from_bytes(tagged_hash("TapTweak", pubkey + h))
    if t >= SECP256K1_ORDER:
        raise ValueError
    Q = point_mul(point(pubkey), t)
    return bytes_from_int(x(Q)), has_square_y(Q)

Internal pubkey is calculated as Q=point_mul(point(pubkey), t).
Which feels (at least to me) like point multiplication, and that would be Q = (t * P).

But Script Validation Rule is stating :

If Q ≠ P + int(t)G, fail.

This is same as Q = P + (t * G)

And these are two distinct operation and gives distinct results, and can be a source of confusion.

Assuming the protocol document to be correct.

I suggest changing the implementation as:

Q= point(pubkey) + point_mul(G, t)

[sipa]

This seems like a mistake, indeed.

[rajarshimaitra]

Is the suggested change acceptable? I would open pr then.

[sipa]

It should be point_add(point(pubkey), point_mul(G, t)), I think.