taproot-assets-core 0.0.2

Core no-std logic and verification primitives for Taproot Assets
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356

//! Anchor transaction verification helpers.

extern crate alloc;

use alloc::vec::Vec;

use bitcoin::block::Header;
use bitcoin::hashes::{Hash, sha256d::Hash as Sha256dHash};
use bitcoin::{OutPoint, Script, Transaction, TxMerkleNode};
use serde::{Deserialize, Serialize};
use taproot_assets_types::asset::SerializedKey;
use taproot_assets_types::proof::{Proof, TxMerkleProof};
use thiserror::Error;

use crate::{OpsError, TaprootOps};

/// Errors returned by anchor transaction verification helpers.
#[derive(Error, Debug, Clone, Copy, PartialEq, Eq)]
pub enum Error {
    /// The anchor transaction does not spend the claimed previous outpoint.
    #[error("anchor tx missing prev out")]
    AnchorTxMissingPrevOut,
    /// The claimed outpoint hash does not match the transaction hash.
    #[error("outpoint hash does not match tx hash")]
    OutpointHashMismatch,
    /// The claimed output index is invalid for the transaction.
    #[error("output index {index} invalid for {output_count} outputs")]
    OutputIndexInvalid {
        /// Claimed output index.
        index: u32,
        /// Total number of outputs in the transaction.
        output_count: usize,
    },
    /// The output script does not match the derived Taproot output key.
    #[error("output script does not match derived taproot output key")]
    OutputScriptMismatch,
    /// The merkle proof node and bit counts do not match.
    #[error("merkle proof shape mismatch: nodes={nodes}, bits={bits}")]
    InvalidMerkleProofShape {
        /// Number of merkle proof nodes.
        nodes: usize,
        /// Number of merkle proof bits.
        bits: usize,
    },
    /// The merkle proof does not match the expected root.
    #[error("invalid transaction merkle proof")]
    InvalidTxMerkleProof,
    /// The block header failed verification.
    #[error("invalid block header")]
    InvalidBlockHeader,
    /// Taproot output key bytes are invalid.
    #[error("invalid taproot output key")]
    InvalidTaprootOutputKey,
    /// Taproot operation failed.
    #[error(transparent)]
    Ops(#[from] OpsError),
}

/// Input for transaction merkle proof verification.
#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
pub struct VerifyMerkleProofInput {
    /// The transaction ID which is expected to be committed in the Merkle tree.
    pub txid: [u8; 32],
    /// The list of sibling hashes along the Merkle path from the transaction up to the root.
    pub nodes: Vec<[u8; 32]>,
    /// Direction bits: `false` means the node is on the left, `true` means on the right.
    pub bits: Vec<bool>,
    /// The expected Merkle root which commits to the transaction ID.
    pub merkle_root: [u8; 32],
}

/// Input for anchor claim verification.
#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
pub struct AnchorClaimInput {
    /// The anchor transaction.
    pub anchor_tx: Transaction,
    /// The merkle proof for the anchor transaction.
    pub tx_merkle_proof: TxMerkleProof,
    /// The block header committing to the anchor transaction.
    pub block_header: Header,
    /// The block height.
    pub block_height: u32,
    /// The previous outpoint spent by the anchor transaction.
    pub prev_out: OutPoint,
    /// The output index of the anchor transaction carrying the asset.
    pub output_index: u32,
}

/// Output digest for the anchor claim.
#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
pub struct AnchorClaimOutput {
    /// The transaction ID of the anchor transaction.
    pub anchor_txid: [u8; 32],
    /// The hash of the block header.
    pub block_hash: [u8; 32],
    /// The block height.
    pub block_height: u32,
    /// The output index.
    pub output_index: u32,
    /// The taproot output key derived from the anchor transaction output.
    pub taproot_output_key: [u8; 32],
    /// All P2TR outputs with their taproot output keys.
    pub p2tr_outputs: Vec<AnchorP2trOutput>,
}

/// Taproot output metadata extracted from the anchor transaction.
#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
pub struct AnchorP2trOutput {
    /// Output index in the anchor transaction.
    pub output_index: u32,
    /// The taproot output key for the P2TR output.
    pub taproot_output_key: [u8; 32],
}

/// Trait for hashing Merkle node pairs.
pub trait MerkleHasher {
    /// Hashes a left/right node pair into its parent.
    fn hash_nodes(&self, left: [u8; 32], right: [u8; 32]) -> [u8; 32];
}

/// Bitcoin merkle hasher using double-SHA-256.
#[derive(Debug, Clone, Copy, Default)]
pub struct BitcoinMerkleHasher;

impl MerkleHasher for BitcoinMerkleHasher {
    /// Hashes a node pair with double-SHA-256.
    fn hash_nodes(&self, left: [u8; 32], right: [u8; 32]) -> [u8; 32] {
        let mut buf = [0u8; 64];
        buf[..32].copy_from_slice(&left);
        buf[32..].copy_from_slice(&right);
        Sha256dHash::hash(&buf).to_byte_array()
    }
}

/// Trait for verifying a block header at a given height.
pub trait HeaderVerifier {
    /// Returns true if the header is valid for the provided height.
    fn verify_header(&self, header: &Header, height: u32) -> bool;
}

/// Verifies the anchor transaction against its merkle proof and block header.
pub fn verify_anchor_tx<H: HeaderVerifier>(proof: &Proof, verifier: &H) -> Result<(), Error> {
    if !tx_spends_prev_out(&proof.anchor_tx, &proof.prev_out) {
        return Err(Error::AnchorTxMissingPrevOut);
    }

    verify_tx_merkle_proof(
        &proof.anchor_tx,
        &proof.tx_merkle_proof,
        proof.block_header.merkle_root,
    )?;

    if !verifier.verify_header(&proof.block_header, proof.block_height) {
        return Err(Error::InvalidBlockHeader);
    }

    Ok(())
}

/// Verifies the anchor claim and returns the output digest.
pub fn verify_anchor_claim_with_hasher<H: MerkleHasher>(
    input: &AnchorClaimInput,
    hasher: &H,
) -> Result<AnchorClaimOutput, Error> {
    if !tx_spends_prev_out(&input.anchor_tx, &input.prev_out) {
        return Err(Error::AnchorTxMissingPrevOut);
    }

    let nodes: Vec<[u8; 32]> = input
        .tx_merkle_proof
        .nodes
        .iter()
        .map(|node| node.to_byte_array())
        .collect();

    verify_tx_merkle_proof_with_hasher(
        input.anchor_tx.compute_txid().to_byte_array(),
        &nodes,
        &input.tx_merkle_proof.bits,
        input.block_header.merkle_root.to_byte_array(),
        hasher,
    )?;

    if input.output_index as usize >= input.anchor_tx.output.len() {
        return Err(Error::OutputIndexInvalid {
            index: input.output_index,
            output_count: input.anchor_tx.output.len(),
        });
    }

    let output = &input.anchor_tx.output[input.output_index as usize];
    let taproot_output_key = extract_taproot_output_key(output.script_pubkey.as_script())?;
    let mut p2tr_outputs = Vec::new();
    for (idx, output) in input.anchor_tx.output.iter().enumerate() {
        if output.script_pubkey.is_p2tr() {
            let taproot_output_key = extract_taproot_output_key(output.script_pubkey.as_script())?;
            p2tr_outputs.push(AnchorP2trOutput {
                output_index: idx as u32,
                taproot_output_key,
            });
        }
    }

    Ok(AnchorClaimOutput {
        anchor_txid: input.anchor_tx.compute_txid().to_byte_array(),
        block_hash: input.block_header.block_hash().to_byte_array(),
        block_height: input.block_height,
        output_index: input.output_index,
        taproot_output_key,
        p2tr_outputs,
    })
}

/// Verifies that a claimed outpoint matches a transaction and Taproot output.
pub fn verify_tx_outpoint<O: TaprootOps>(
    ops: &O,
    tx: &Transaction,
    outpoint: &OutPoint,
    internal_key: &SerializedKey,
    tapscript_root: Option<[u8; 32]>,
) -> Result<(), Error> {
    if outpoint.txid != tx.compute_txid() {
        return Err(Error::OutpointHashMismatch);
    }

    if outpoint.vout as usize >= tx.output.len() {
        return Err(Error::OutputIndexInvalid {
            index: outpoint.vout,
            output_count: tx.output.len(),
        });
    }

    let output = &tx.output[outpoint.vout as usize];
    let expected_key = derive_taproot_output_key(ops, internal_key, tapscript_root)?;
    let expected_xonly = xonly_from_serialized_key(&expected_key)?;
    let claimed_xonly = extract_taproot_output_key(output.script_pubkey.as_script())?;

    if expected_xonly == claimed_xonly {
        Ok(())
    } else {
        Err(Error::OutputScriptMismatch)
    }
}

/// Verifies a merkle proof for the given transaction and merkle root.
pub fn verify_tx_merkle_proof(
    tx: &Transaction,
    proof: &TxMerkleProof,
    merkle_root: TxMerkleNode,
) -> Result<(), Error> {
    let nodes: Vec<[u8; 32]> = proof
        .nodes
        .iter()
        .map(|node| node.to_byte_array())
        .collect();
    verify_tx_merkle_proof_with_hasher(
        tx.compute_txid().to_byte_array(),
        &nodes,
        &proof.bits,
        merkle_root.to_byte_array(),
        &BitcoinMerkleHasher,
    )
}

/// Verifies a merkle proof described by a minimal input payload.
pub fn verify_tx_merkle_proof_input(input: &VerifyMerkleProofInput) -> Result<(), Error> {
    verify_tx_merkle_proof_input_with_hasher(input, &BitcoinMerkleHasher)
}

/// Verifies a merkle proof input using a caller-provided node hasher.
pub fn verify_tx_merkle_proof_input_with_hasher<H: MerkleHasher>(
    input: &VerifyMerkleProofInput,
    hasher: &H,
) -> Result<(), Error> {
    verify_tx_merkle_proof_with_hasher(
        input.txid,
        &input.nodes,
        &input.bits,
        input.merkle_root,
        hasher,
    )
}

/// Verifies a merkle proof using a caller-provided node hasher.
pub fn verify_tx_merkle_proof_with_hasher<H: MerkleHasher>(
    txid: [u8; 32],
    nodes: &[[u8; 32]],
    bits: &[bool],
    merkle_root: [u8; 32],
    hasher: &H,
) -> Result<(), Error> {
    if nodes.len() != bits.len() {
        return Err(Error::InvalidMerkleProofShape {
            nodes: nodes.len(),
            bits: bits.len(),
        });
    }

    let mut current = txid;
    for (node, is_right) in nodes.iter().zip(bits.iter()) {
        let (left, right) = if *is_right {
            (current, *node)
        } else {
            (*node, current)
        };
        current = hasher.hash_nodes(left, right);
    }

    if current == merkle_root {
        Ok(())
    } else {
        Err(Error::InvalidTxMerkleProof)
    }
}

/// Returns true if the transaction spends the specified outpoint.
pub fn tx_spends_prev_out(tx: &Transaction, prev_out: &OutPoint) -> bool {
    tx.input
        .iter()
        .any(|input| input.previous_output == *prev_out)
}

/// Derives a Taproot output key from an internal key and tapscript root.
fn derive_taproot_output_key<O: TaprootOps>(
    ops: &O,
    internal_key: &SerializedKey,
    tapscript_root: Option<[u8; 32]>,
) -> Result<SerializedKey, Error> {
    let internal = ops.parse_internal_key(internal_key)?;
    ops.taproot_output_key(&internal, tapscript_root)
        .map_err(Error::from)
}

/// Extracts the x-only taproot output key from a P2TR script.
fn extract_taproot_output_key(script: &Script) -> Result<[u8; 32], Error> {
    if !script.is_p2tr() {
        return Err(Error::OutputScriptMismatch);
    }

    let bytes = script.as_bytes();
    let mut key_bytes = [0u8; 32];
    key_bytes.copy_from_slice(&bytes[2..34]);
    Ok(key_bytes)
}

/// Extracts an x-only key from a serialized compressed public key.
fn xonly_from_serialized_key(key: &SerializedKey) -> Result<[u8; 32], Error> {
    match key.bytes[0] {
        0x02 | 0x03 => {
            let mut xonly = [0u8; 32];
            xonly.copy_from_slice(&key.bytes[1..]);
            Ok(xonly)
        }
        _ => Err(Error::InvalidTaprootOutputKey),
    }
}