BIP341/342: Implementation clarifications #1224
Conversation
bip-0341.mediawiki
Outdated
| *** ''sha_prevouts'' (32): the SHA256 of the serialization of all input outpoints. | ||
| *** ''sha_amounts'' (32): the SHA256 of the serialization of all spent output amounts. | ||
| *** ''sha_scriptpubkeys'' (32): the SHA256 of the serialization of all spent output ''scriptPubKey''s. | ||
| *** ''sha_scriptpubkeys'' (32): the SHA256 of the serialization of all spent output ''(compact_size(size of scriptPubKey) || scriptPubKey)''s. |
There was a problem hiding this comment.
sha_scriptpubkeys is the hash of the serializations of all spent scriptPubKeys. The serialization of a scriptPubKey is already (compact_size(size of scriptPubKey) || scriptPubKey). I know it may not be super clear but I don't think we should modify it. If it is necessary we should rather put a note somewhere to remember what the serialization of a scriptPubKey
There was a problem hiding this comment.
True, I'll adjust the wording to be correct. The reason this part was confusing as written is that later in the description of SigMsg the annex is specifically called out as having its compact_size prepended to it. I think there should be consistency between this and that.
There was a problem hiding this comment.
In the description below for scriptPubKey it says "serialized as script inside CTxOut". This is identical to your suggestion but it would be better to be consistent.
There was a problem hiding this comment.
Thanks. Changed to use the common wording.
| The total length of ''SigMsg()'' is at most ''206'' bytes<ref>'''What is the output length of ''SigMsg()''?''' The total length of ''SigMsg()'' can be computed using the following formula: ''174 - is_anyonecanpay * 49 - is_none * 32 + has_annex * 32''.</ref>. Note that this does not include the size of sub-hashes such as ''sha_prevouts'', which may be cached across signatures of the same transaction. | ||
| The total length of ''SigMsg()'' (without extensions) is at most ''206'' bytes<ref>'''What is the output length of ''SigMsg()''?''' The total length of ''SigMsg()'' can be computed using the following formula: ''174 - is_anyonecanpay * 49 - is_none * 32 + has_annex * 32''.</ref>. Note that this does not include the size of sub-hashes such as ''sha_prevouts'', which may be cached across signatures of the same transaction. | ||
|
|
There was a problem hiding this comment.
This is false. The total length of SigMsg is in fact at most 206 bytes. The message extension is appended to the output of SigMsg but it is not in itself part of SigMsg. In BIP 341 and 342 is clearly specified that what is hashed is not the output of SigMsg but rather 0x00 || SigMsg() || ext (if ext is present)
There was a problem hiding this comment.
I don't think what you've said and this addition are at odds. As someone who is not a core developer reading this BIP, I would be inclined to allocate exactly 206 bytes for the data to be hashed as input to my signing function. Adding the parenthetical puts me on notice that there may be cases where I need a larger buffer.
There was a problem hiding this comment.
Ok I understand your point. But the wording of the BIP is very precise, 206 bytes is the maximum total length of SigMsg(). We may clarify that what is signed is not the output SigMsg() but its output plus additional data; so the maximum total length of what is signed is not 206 bytes but 1 (version) + 206(SigMsg()) + 37(ext) = 244 bytes
There was a problem hiding this comment.
I agree with @giacomocaironi on this one. This change makes me thing "if extensions are included, SigMsg() can exceed 206 bytes."
There was a problem hiding this comment.
The message extension is appended to the output of SigMsg but it is not in itself part of SigMsg.
Agree. It's simpler if SigMsg remains independent of extensions. Your suggested change could be misunderstood as appending ext twice. First as an Extension inside SigMsg and then again due to the || operator.
There was a problem hiding this comment.
I've changed the commit relating to SigMsg / extensions to avoid this confusion by adding a Taproot script path spending signature validation section.
|
Hi @brandonblack. I am working on some test vectors for these two BIP's because I too spent a lot of time trying to implement them. I think if the tests would have prevented your errors. The pull request is #1191. Your feedback is very welcome! |
brandonblack
force-pushed
the
master
branch
2 times, most recently
from
a81124f to
869b6a0
Compare
|
Yes, those test vectors would have been helpful (although we generated our own by patching bitcoin-core, probably similar to how you did). |
jonasnick
left a comment
jonasnick
left a comment
There was a problem hiding this comment.
Thanks @brandonblack for your valuable feedback.
bip-0341.mediawiki
Outdated
| The function ''SigMsg(hash_type, ext_flag)'' computes the message being signed as a byte array. It is implicitly also a function of the spending transaction and the outputs it spends, but these are not listed to keep notation simple. | ||
|
|
||
| The parameter ''hash_type'' is an 8-bit unsigned value. The <code>SIGHASH</code> encodings from the legacy script system are reused, including <code>SIGHASH_ALL</code>, <code>SIGHASH_NONE</code>, <code>SIGHASH_SINGLE</code>, and <code>SIGHASH_ANYONECANPAY</code>, plus the default ''hash_type'' value ''0x00'' which results in signing over the whole transaction just as for <code>SIGHASH_ALL</code>. The following restrictions apply, which cause validation failure if violated: | ||
| The parameter ''hash_type'' is an 8-bit unsigned value. The <code>SIGHASH</code> encodings from the legacy script system are reused, including <code>SIGHASH_ALL</code>, <code>SIGHASH_NONE</code>, <code>SIGHASH_SINGLE</code>, and <code>SIGHASH_ANYONECANPAY</code>, plus <code>SIGHASH_DEFAULT</code> (value ''0x00'') which results in signing over the whole transaction just as for <code>SIGHASH_ALL</code>. The following restrictions apply, which cause validation failure if violated: |
There was a problem hiding this comment.
Since Core apparently gives this a name, it seems like a good idea to have a standardized name for this. How about rephrasing this so it's more clear that this is a new hashtype?
The SIGHASH encodings from the legacy script system are reused, including SIGHASH_ALL, SIGHASH_NONE, SIGHASH_SINGLE, and SIGHASH_ANYONECANPAY.
We define a new ''hashtype'' SIGHASH_DEFAULT (value ''0x00'') which results in signing over the whole transaction just as for SIGHASH_ALL.
There was a problem hiding this comment.
Thanks, changed the wording.
| The total length of ''SigMsg()'' is at most ''206'' bytes<ref>'''What is the output length of ''SigMsg()''?''' The total length of ''SigMsg()'' can be computed using the following formula: ''174 - is_anyonecanpay * 49 - is_none * 32 + has_annex * 32''.</ref>. Note that this does not include the size of sub-hashes such as ''sha_prevouts'', which may be cached across signatures of the same transaction. | ||
| The total length of ''SigMsg()'' (without extensions) is at most ''206'' bytes<ref>'''What is the output length of ''SigMsg()''?''' The total length of ''SigMsg()'' can be computed using the following formula: ''174 - is_anyonecanpay * 49 - is_none * 32 + has_annex * 32''.</ref>. Note that this does not include the size of sub-hashes such as ''sha_prevouts'', which may be cached across signatures of the same transaction. | ||
|
|
There was a problem hiding this comment.
The message extension is appended to the output of SigMsg but it is not in itself part of SigMsg.
Agree. It's simpler if SigMsg remains independent of extensions. Your suggested change could be misunderstood as appending ext twice. First as an Extension inside SigMsg and then again due to the || operator.
bip-0341.mediawiki
Outdated
| In order to allow spending with the key path, we define <code>taproot_tweak_seckey</code> to compute the secret key for a tweaked public key. | ||
| For any byte string <code>h</code> it holds that <code>taproot_tweak_pubkey(pubkey_gen(seckey), h)[1] == pubkey_gen(taproot_tweak_seckey(seckey, h))</code>. | ||
|
|
||
| Note that the secret key must be negated, if necessary, to produce an even-y pubkey before applying the tweak. |
There was a problem hiding this comment.
This could be misunderstood as an instruction to negate the secret key before calling taproot_tweak_seckey. Also, public keys are 32 byte arrays and therefore don't have even- or odd-Y (and the corresponding points are always even-Y).
How about something like this:
"Note that because tweaks are applied to 32-byte public keys, taproot_tweak_seckey may need to negate the secret key before applying the tweak."
There was a problem hiding this comment.
Thank you. Changed the wording.
|
Thanks for all the quick feedback! I don't seem to be able to re-request review, but I think I've addressed them. |
bip-0341.mediawiki
Outdated
| ==== Taproot script path spending signature validation ==== | ||
|
|
||
| Validation is identical to ''key path validation'' except that the input to hash<sub>TapSighash</sub> is ''(0x00 || SigMsg(hash_type, ext_flag) || ext)''. | ||
|
|
||
| The value of ''ext'' is computed as specified in the BIP corresponding a particular value of ''ext_flag''. | ||
|
|
There was a problem hiding this comment.
That's a semantic change of the BIP and precludes new leaf versions from computing the signature message hash differently. There's no reason to do that.
Also the beginning of the section Signature validation rules mentions that it only applies to key spending.
There was a problem hiding this comment.
Mmm. Right, will remove.
* Pull the definition of the extension in BIP342 to its own section * Add a section to BIP341 on validating script path signatures * Clarify that SigMsg does not produce the message being signed, but a common portion of it
|
ACK 6222dc4, conditional on @jonasnick feeling his comments have been addressed. |
|
ACK 6222dc4 |
9 participants
These clarifications would each have prevented an error in our initial implementation of these BIPs.