ElementsProject · apoelstra · Jul 6, 2021 · Mar 3, 2021 · Oct 2, 2019 · Oct 2, 2019
diff --git a/doc/pset.mediawiki b/doc/pset.mediawiki
@@ -1,5 +1,3 @@
-Note that this format is not yet implemented by Elements.
-
 <pre>
   BIP: PSET
   Layer: Applications

diff --git a/src/Makefile.am b/src/Makefile.am
@@ -115,6 +115,7 @@ BITCOIN_CORE_H = \
   bech32.h \
   blech32.h \
   blind.h \
+  blindpsbt.h \
   blockencodings.h \
   blockfilter.h \
   block_proof.h \
@@ -523,6 +524,7 @@ libbitcoin_common_a_SOURCES = \
   bech32.cpp \
   blech32.cpp \
   blind.cpp \
+  blindpsbt.cpp \
   block_proof.cpp \
   bloom.cpp \
   chainparams.cpp \

diff --git a/src/blind.cpp b/src/blind.cpp
@@ -11,7 +11,7 @@
 #include <random.h>
 #include <util/system.h>
 
-static secp256k1_context* secp256k1_blind_context = NULL;
+secp256k1_context* secp256k1_blind_context = NULL;
 
 class Blind_ECC_Init {
 public:
@@ -192,7 +192,7 @@ bool SurjectOutput(CTxOutWitness& txoutwit, const std::vector<secp256k1_fixed_as
 {
     int ret;
     // 1 to 3 targets
-    size_t nInputsToSelect = std::min((size_t)3, surjection_targets.size());
+    size_t nInputsToSelect = std::min(MAX_SURJECTION_TARGETS, surjection_targets.size());
     unsigned char randseed[32];
     GetStrongRandBytes(randseed, 32);
     size_t input_index;

diff --git a/src/blind.h b/src/blind.h
@@ -23,6 +23,11 @@ static const size_t MAX_RANGEPROOF_SIZE = 5126;
 static const size_t DEFAULT_SURJECTIONPROOF_SIZE = 135;
 // 32 bytes of asset type, 32 bytes of asset blinding factor in sidechannel
 static const size_t SIDECHANNEL_MSG_SIZE = 64;
+// Maximum number of inputs to select for surjection proof
+static const size_t MAX_SURJECTION_TARGETS = 3;
+
+// Blinding context
+extern secp256k1_context* secp256k1_blind_context;
 
 /*
  * Verify a pair of confidential asset and value, given the blinding factors for both.

diff --git a/src/blindpsbt.cpp b/src/blindpsbt.cpp
diff --git a/src/blindpsbt.h b/src/blindpsbt.h
@@ -0,0 +1,40 @@
+// Copyright (c) 2020 The Elements Core developers
+// // Distributed under the MIT software license, see the accompanying
+// // file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#ifndef BITCOIN_BLINDPSBT_H
+#define BITCOIN_BLINDPSBT_H
+
+#include <blind.h>
+#include <key.h>
+#include <pubkey.h>
+#include <primitives/transaction.h>
+#include <primitives/confidential.h>
+
+#include <secp256k1.h>
+#include <secp256k1_rangeproof.h>
+#include <secp256k1_surjectionproof.h>
+
+struct PartiallySignedTransaction;
+
+enum class BlindingStatus
+{
+    OK, //!< No error
+    NEEDS_UTXOS,
+    INVALID_ASSET,
+    INVALID_ASSET_COMMITMENT,
+    SCALAR_UNABLE,
+    INVALID_BLINDER,
+    ASP_UNABLE,
+};
+
+std::string GetBlindingStatusError(const BlindingStatus& status);
+
+bool CreateAssetSurjectionProof(std::vector<unsigned char>& output_proof, const std::vector<secp256k1_fixed_asset_tag>& fixed_input_tags, const std::vector<secp256k1_generator>& ephemeral_input_tags, const std::vector<uint256>& input_asset_blinders, const uint256& output_asset_blinder, const secp256k1_generator& output_asset_tag, const CAsset& asset);
+uint256 GenerateRangeproofECDHKey(CPubKey& ephemeral_pubkey, const CPubKey blinding_pubkey);
+bool CreateValueRangeProof(std::vector<unsigned char>& rangeproof, const uint256& value_blinder, const uint256& nonce, const CAmount amount, const CScript& scriptPubKey, const secp256k1_pedersen_commitment& value_commit, const secp256k1_generator& gen, const CAsset& asset, const uint256& asset_blinder);
+void CreateAssetCommitment(CConfidentialAsset& conf_asset, secp256k1_generator& asset_gen, const CAsset& asset, const uint256& asset_blinder);
+void CreateValueCommitment(CConfidentialValue& conf_value, secp256k1_pedersen_commitment& value_commit, const uint256& value_blinder, const secp256k1_generator& asset_gen, const CAmount amount);
+BlindingStatus BlindPSBT(PartiallySignedTransaction& psbt, std::map<uint32_t, std::tuple<CAmount, CAsset, uint256, uint256>> our_input_data, std::map<uint32_t, std::pair<CKey, CKey>> our_issuances_to_blind);
+
+#endif //BITCOIN_BLINDPSBT_H
diff --git a/src/core_read.cpp b/src/core_read.cpp
@@ -214,10 +214,16 @@ int ParseSighashString(const UniValue& sighash)
         static std::map<std::string, int> map_sighash_values = {
             {std::string("ALL"), int(SIGHASH_ALL)},
             {std::string("ALL|ANYONECANPAY"), int(SIGHASH_ALL|SIGHASH_ANYONECANPAY)},
+            {std::string("ALL|RANGEPROOF"), int(SIGHASH_ALL|SIGHASH_RANGEPROOF)},
+            {std::string("ALL|ANYONECANPAY|RANGEPROOF"), int(SIGHASH_ALL|SIGHASH_ANYONECANPAY|SIGHASH_RANGEPROOF)},
             {std::string("NONE"), int(SIGHASH_NONE)},
             {std::string("NONE|ANYONECANPAY"), int(SIGHASH_NONE|SIGHASH_ANYONECANPAY)},
+            {std::string("NONE|RANGEPROOF"), int(SIGHASH_NONE|SIGHASH_RANGEPROOF)},
+            {std::string("NONE|ANYONECANPAY|RANGEPROOF"), int(SIGHASH_NONE|SIGHASH_ANYONECANPAY|SIGHASH_RANGEPROOF)},
             {std::string("SINGLE"), int(SIGHASH_SINGLE)},
             {std::string("SINGLE|ANYONECANPAY"), int(SIGHASH_SINGLE|SIGHASH_ANYONECANPAY)},
+            {std::string("SINGLE|RANGEPROOF"), int(SIGHASH_SINGLE|SIGHASH_RANGEPROOF)},
+            {std::string("SINGLE|ANYONECANPAY|RANGEPROOF"), int(SIGHASH_SINGLE|SIGHASH_ANYONECANPAY|SIGHASH_RANGEPROOF)},
         };
         std::string strHashType = sighash.get_str();
         const auto& it = map_sighash_values.find(strHashType);

diff --git a/src/node/psbt.cpp b/src/node/psbt.cpp
@@ -17,12 +17,13 @@ PSBTAnalysis AnalyzePSBT(PartiallySignedTransaction psbtx)
     // Go through each input and build status
     PSBTAnalysis result;
 
-    bool calc_fee = true;
-    CAmountMap in_amts;
+    // Elements things
+    bool needs_blinded_outputs = false;
+    bool has_blinded_outputs = false;
 
-    result.inputs.resize(psbtx.tx->vin.size());
+    result.inputs.resize(psbtx.inputs.size());
 
-    for (unsigned int i = 0; i < psbtx.tx->vin.size(); ++i) {
+    for (unsigned int i = 0; i < psbtx.inputs.size(); ++i) {
         PSBTInput& input = psbtx.inputs[i];
         PSBTInputAnalysis& input_analysis = result.inputs[i];
 
@@ -31,23 +32,24 @@ PSBTAnalysis AnalyzePSBT(PartiallySignedTransaction psbtx)
 
         // Check for a UTXO
         CTxOut utxo;
-        if (psbtx.GetInputUTXO(utxo, i)) {
-            //TODO(gwillen) do PSBT inputs always have explicit assets & amounts?
-            if (!MoneyRange(utxo.nValue.GetAmount()) || !MoneyRange(in_amts[utxo.nAsset.GetAsset()] + utxo.nValue.GetAmount())) {
-                result.SetInvalid(strprintf("PSBT is not valid. Input %u has invalid value", i));
-                return result;
+        if (input.GetUTXO(utxo)) {
+            if (utxo.nValue.IsExplicit()) {
+                if (!MoneyRange(utxo.nValue.GetAmount())) {
+                    result.SetInvalid(strprintf("PSBT is not valid. Input %u has invalid value", i));
+                    return result;
+                }
+            } else {
+                needs_blinded_outputs = true;
             }
-            in_amts[utxo.nAsset.GetAsset()] += utxo.nValue.GetAmount();
             input_analysis.has_utxo = true;
         } else {
-            if (input.non_witness_utxo && psbtx.tx->vin[i].prevout.n >= input.non_witness_utxo->vout.size()) {
+            if (input.non_witness_utxo && *input.prev_out >= input.non_witness_utxo->vout.size()) {
                 result.SetInvalid(strprintf("PSBT is not valid. Input %u specifies invalid prevout", i));
                 return result;
             }
             input_analysis.has_utxo = false;
             input_analysis.is_final = false;
             input_analysis.next = PSBTRole::UPDATER;
-            calc_fee = false;
         }
 
         if (!utxo.IsNull() && utxo.scriptPubKey.IsUnspendable()) {
@@ -84,71 +86,77 @@ PSBTAnalysis AnalyzePSBT(PartiallySignedTransaction psbtx)
         }
     }
 
-    // Calculate next role for PSBT by grabbing "minimum" PSBTInput next role
-    result.next = PSBTRole::EXTRACTOR;
-    for (unsigned int i = 0; i < psbtx.tx->vin.size(); ++i) {
-        PSBTInputAnalysis& input_analysis = result.inputs[i];
-        result.next = std::min(result.next, input_analysis.next);
-    }
-    assert(result.next > PSBTRole::CREATOR);
-
-    if (calc_fee) {
-        // Get the output amount
-        CAmountMap out_amts = std::accumulate(psbtx.tx->vout.begin(), psbtx.tx->vout.end(), CAmountMap(),
-            [](CAmountMap a, const CTxOut& b) {
-                CAmount acc = a[b.nAsset.GetAsset()];
-                CAmount add = b.nValue.GetAmount();
-
-                if (!MoneyRange(acc) || !MoneyRange(add) || !MoneyRange(acc + add)) {
-                    CAmountMap invalid;
-                    invalid[::policyAsset] = CAmount(-1);
-                    return invalid;
+    for (const PSBTOutput& output : psbtx.outputs) {
+        CTxOut txout = output.GetTxOut();
+        if (output.IsBlinded()) {
+            has_blinded_outputs = true;
+            if (!output.IsFullyBlinded()) {
+                result.next = PSBTRole::BLINDER;
+            }
+        } else {
+            // Find the fee output
+            if (txout.IsFee()) {
+                if (result.fee != nullopt) {
+                    result.SetInvalid("There is more than one fee output");
+                    return result;
                 }
-                a[b.nAsset.GetAsset()] += add;
-                return a;
+                result.fee = output.amount;
             }
-        );
-        if (!MoneyRange(out_amts)) {
-            result.SetInvalid(strprintf("PSBT is not valid. Output amount invalid"));
+        }
+        if (txout.nValue.IsExplicit() && !MoneyRange(txout.nValue.GetAmount())) {
+            result.SetInvalid("PSBT is not valid. Output amount invalid");
             return result;
         }
+    }
 
-        // Get the fee
-        CAmountMap fee = in_amts - out_amts;
-        result.fee = fee;
+    if (result.fee == nullopt) {
+        result.SetInvalid("PSBT missing required fee output");
+        return result;
+    }
 
-        // Estimate the size
-        CMutableTransaction mtx(*psbtx.tx);
-        CCoinsView view_dummy;
-        CCoinsViewCache view(&view_dummy);
-        bool success = true;
+    if (needs_blinded_outputs && !has_blinded_outputs) {
+        result.SetInvalid("PSBT has blinded inputs but no blinded outputs. Must have at least one blinded output to balance with the inputs");
+        return result;
+    }
 
-        for (unsigned int i = 0; i < psbtx.tx->vin.size(); ++i) {
-            PSBTInput& input = psbtx.inputs[i];
-            Coin newcoin;
+    // Estimate the size
+    CMutableTransaction mtx(psbtx.GetUnsignedTx());
+    CCoinsView view_dummy;
+    CCoinsViewCache view(&view_dummy);
+    bool success = true;
 
-            if (!SignPSBTInput(DUMMY_SIGNING_PROVIDER, psbtx, i, 1, nullptr, true) || !psbtx.GetInputUTXO(newcoin.out, i)) {
-                success = false;
-                break;
-            } else {
-                mtx.vin[i].scriptSig = input.final_script_sig;
-                mtx.witness.vtxinwit[i].scriptWitness = input.final_script_witness;
-                newcoin.nHeight = 1;
-                view.AddCoin(psbtx.tx->vin[i].prevout, std::move(newcoin), true);
-            }
-        }
+    for (unsigned int i = 0; i < psbtx.inputs.size(); ++i) {
+        PSBTInput& input = psbtx.inputs[i];
+        Coin newcoin;
 
-        if (success) {
-            CTransaction ctx = CTransaction(mtx);
-            size_t size = GetVirtualTransactionSize(ctx, GetTransactionSigOpCost(ctx, view, STANDARD_SCRIPT_VERIFY_FLAGS));
-            result.estimated_vsize = size;
-            // Estimate fee rate
-            CFeeRate feerate(fee[::policyAsset], size);
-            result.estimated_feerate = feerate;
+        if (!SignPSBTInput(DUMMY_SIGNING_PROVIDER, psbtx, i, 1, nullptr, true) || !input.GetUTXO(newcoin.out)) {
+            success = false;
+            break;
+        } else {
+            mtx.vin[i].scriptSig = input.final_script_sig;
+            mtx.witness.vtxinwit[i].scriptWitness = input.final_script_witness;
+            newcoin.nHeight = 1;
+            view.AddCoin(input.GetOutPoint(), std::move(newcoin), true);
         }
+    }
 
+    if (success) {
+        CTransaction ctx = CTransaction(mtx);
+        size_t size = GetVirtualTransactionSize(ctx, GetTransactionSigOpCost(ctx, view, STANDARD_SCRIPT_VERIFY_FLAGS));
+        result.estimated_vsize = size;
+        // Estimate fee rate
+        CFeeRate feerate(*result.fee, size);
+        result.estimated_feerate = feerate;
     }
 
+    // Calculate next role for PSBT by grabbing "minimum" PSBTInput next role
+    result.next = PSBTRole::EXTRACTOR;
+    for (unsigned int i = 0; i < psbtx.inputs.size(); ++i) {
+        PSBTInputAnalysis& input_analysis = result.inputs[i];
+        result.next = std::min(result.next, input_analysis.next);
+    }
+    assert(result.next > PSBTRole::CREATOR);
+
     return result;
 }
 
diff --git a/src/node/psbt.h b/src/node/psbt.h
@@ -27,7 +27,7 @@ struct PSBTInputAnalysis {
 struct PSBTAnalysis {
     Optional<size_t> estimated_vsize;      //!< Estimated weight of the transaction
     Optional<CFeeRate> estimated_feerate;  //!< Estimated feerate (fee / weight) of the transaction
-    Optional<CAmountMap> fee;              //!< Amount of fee being paid by the transaction
+    Optional<CAmount> fee;              //!< Amount of fee being paid by the transaction
     std::vector<PSBTInputAnalysis> inputs; //!< More information about the individual inputs of the transaction
     PSBTRole next;                         //!< Which of the BIP 174 roles needs to handle the transaction next
     std::string error;                     //!< Error message

diff --git a/src/pegins.cpp b/src/pegins.cpp
@@ -533,3 +533,46 @@ CScriptWitness CreatePeginWitness(const CAmount& value, const CAsset& asset, con
 {
     return CreatePeginWitnessInner(value, asset, genesis_hash, claim_script, tx_ref, merkle_block);
 }
+
+bool DecomposePeginWitness(const CScriptWitness& witness, CAmount& value, CAsset& asset, uint256& genesis_hash, CScript& claim_script, boost::variant<boost::blank, Sidechain::Bitcoin::CTransactionRef, CTransactionRef>& tx, boost::variant<boost::blank, Sidechain::Bitcoin::CMerkleBlock, CMerkleBlock>& merkle_block)
+{
+    const auto& stack = witness.stack;
+
+    if (stack.size() < 5) return false;
+
+    CDataStream stream(stack[0], SER_NETWORK, PROTOCOL_VERSION);
+    stream >> value;
+
+    CAsset tmp_asset(stack[1]);
+    asset = tmp_asset;
+
+    uint256 gh(stack[2]);
+    genesis_hash = gh;
+
+    CScript s(stack[3].begin(), stack[3].end());
+    claim_script = s;
+
+    CDataStream ss_tx(stack[4], SER_NETWORK, PROTOCOL_VERSION);
+    if (Params().GetConsensus().ParentChainHasPow()) {
+        Sidechain::Bitcoin::CTransactionRef btc_tx;
+        ss_tx >> btc_tx;
+        tx = btc_tx;
+    } else {
+        CTransactionRef elem_tx;
+        ss_tx >> elem_tx;
+        tx = elem_tx;
+    }
+
+    CDataStream ss_proof(stack[5], SER_NETWORK, PROTOCOL_VERSION);
+    if (Params().GetConsensus().ParentChainHasPow()) {
+        Sidechain::Bitcoin::CMerkleBlock tx_proof;
+        ss_proof >> tx_proof;
+        merkle_block = tx_proof;
+    } else {
+        CMerkleBlock tx_proof;
+        ss_proof >> tx_proof;
+        merkle_block = tx_proof;
+    }
+
+    return true;
+}
diff --git a/src/pegins.h b/src/pegins.h
@@ -14,6 +14,8 @@
 #include <script/script.h>
 #include <chain.h>
 
+#include <boost/variant.hpp>
+
 /** Calculates script necessary for p2ch peg-in transactions */
 CScript calculate_contract(const CScript& federationRedeemScript, const CScript& witnessProgram);
 bool GetAmountFromParentChainPegin(CAmount& amount, const Sidechain::Bitcoin::CTransaction& txBTC, unsigned int nOut);
@@ -42,5 +44,7 @@ std::vector<std::pair<CScript, CScript>> GetValidFedpegScripts(const CBlockIndex
 CScriptWitness CreatePeginWitness(const CAmount& value, const CAsset& asset, const uint256& genesis_hash, const CScript& claim_script, const CTransactionRef& tx_ref, const CMerkleBlock& merkle_block);
 CScriptWitness CreatePeginWitness(const CAmount& value, const CAsset& asset, const uint256& genesis_hash, const CScript& claim_script, const Sidechain::Bitcoin::CTransactionRef& tx_ref, const Sidechain::Bitcoin::CMerkleBlock& merkle_block);
 
+/** Break out the individual parts of the peg-in witness stack */
+bool DecomposePeginWitness(const CScriptWitness& witness, CAmount& value, CAsset& asset, uint256& genesis_hash, CScript& claim_script, boost::variant<boost::blank, Sidechain::Bitcoin::CTransactionRef, CTransactionRef>& tx, boost::variant<boost::blank, Sidechain::Bitcoin::CMerkleBlock, CMerkleBlock>& merkle_block);
 
 #endif // BITCOIN_PEGINS_H
diff --git a/src/primitives/transaction.cpp b/src/primitives/transaction.cpp
@@ -13,6 +13,8 @@
 
 bool g_con_elementsmode = false;
 
+const int32_t CTransaction::CURRENT_VERSION = 2;
+
 std::string COutPoint::ToString() const
 {
     return strprintf("COutPoint(%s, %u)", hash.ToString().substr(0,10), n);

diff --git a/src/primitives/transaction.h b/src/primitives/transaction.h
@@ -320,6 +320,11 @@ class CTxOut
     }
 
     std::string ToString() const;
+
+    friend bool operator<(const CTxOut& a, const CTxOut& b)
+    {
+        return a.scriptPubKey < b.scriptPubKey;
+    }
 };
 
 struct CMutableTransaction;
@@ -477,7 +482,7 @@ class CTransaction
 {
 public:
     // Default transaction version.
-    static const int32_t CURRENT_VERSION=2;
+    static const int32_t CURRENT_VERSION;
 
     // Changing the default transaction version requires a two step process: first
     // adapting relay policy by bumping MAX_STANDARD_VERSION, and then later date