Description
The original intent of the group key is to allow other assets to be nested under similar assets in the SMT itself. To ensure that this key doesn't collide with other assets, we tweak the "plain" group key with some information unique to the asset and its location in the chain.
However, today in the code we encode this tweaked key in the final TLV leaf. This means that verifiers aren't able to verify that the key was the result of a valid tweak. Instead, we should be encoding the plain group key (called just `RawKey` today). Verifiers should then take that key, apply the tweak, and validate the final signature against the tweaked key.
I can think of two ways we can do this:
- Encode the raw key above, then have all verifiers re-compute the tweaked key to use that properly everywhere
- Have the genesis asset place the plain key in the witness itself
I personally like the second option as it has less downstream impact. One other bonus is that we'll be able to get rid of duplication across transfers: today we always encode the group key sig, but don't really need to. Instead, this only needs to be verified at the genesis asset (once again the sig can be passed in as witness).
With the above changes, for a new asset that has a group key, the witness will be: `<plain_fam_pubkey> <sig>`, which kinda looks like a P2WPKH output. If the group key is present on the genesis asset (the tweaked key field), then verifiers should: verify the tweak derivation, then verify the message signature against that key.
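The verifier flow for the second option, as an added example (not code from this issue or the project): pure-Python secp256k1 arithmetic with a plain Schnorr scheme, where the tweak `t = H(raw.x || genesis_id)` and the challenge hashing are assumptions for illustration and differ from the project's own derivation. The witness carries the plain key and a signature made with the tweaked private key, and the verifier never trusts the tweaked key as encoded.

```python
import hashlib

# secp256k1 parameters: field prime, group order and generator point.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p, q):  # affine point addition; None is the point at infinity
    if p is None: return q
    if q is None: return p
    if p[0] == q[0] and (p[1] + q[1]) % P == 0: return None
    if p == q: lam = 3 * p[0] * p[0] * pow(2 * p[1], P - 2, P) % P
    else:      lam = (q[1] - p[1]) * pow(q[0] - p[0], P - 2, P) % P
    x = (lam * lam - p[0] - q[0]) % P
    return (x, (lam * (p[0] - x) - p[1]) % P)

def mul(k, p):  # double-and-add scalar multiplication
    r = None
    while k:
        if k & 1: r = add(r, p)
        p, k = add(p, p), k >> 1
    return r

def h(*parts):  # hash-to-scalar; assumed here, the project's tweak/challenge hashing differs
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % N

def b32(n): return n.to_bytes(32, "big")

def tweak_group_key(raw_pub, genesis_id):
    """tweaked = raw + t*G with t = H(raw.x || genesis_id); returns (t, tweaked point)."""
    t = h(b32(raw_pub[0]), genesis_id)
    return t, add(raw_pub, mul(t, G))

def sign(priv, msg):  # plain Schnorr: R = k*G, e = H(R.x || P.x || msg), s = k + e*priv
    k = h(b32(priv), msg)
    r, pub = mul(k, G), mul(priv, G)
    return r[0], (k + h(b32(r[0]), b32(pub[0]), msg) * priv) % N

def verify(pub, msg, sig):  # s*G - e*P must recover R
    r, s = sig
    e = h(b32(r), b32(pub[0]), msg)
    rr = add(mul(s, G), mul(N - e, pub))
    return rr is not None and rr[0] == r

def verify_genesis_witness(witness, genesis_id, tweaked_key_in_leaf, msg):
    """Verifier side of the proposal: witness = (plain_pubkey, sig). Re-derive the tweak from
    the plain key, require it to match the tweaked key carried in the leaf, then check the
    signature against the re-derived key rather than the key as encoded."""
    raw_pub, sig = witness
    _, expected = tweak_group_key(raw_pub, genesis_id)
    return expected == tweaked_key_in_leaf and verify(expected, msg, sig)
```

The issuer side is the tweaked secret `(raw_priv + t) % N`, which is what must sign the genesis message for the witness to validate.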