bitcoin/util/
taproot.rs

1// Rust Bitcoin Library
2// Written in 2019 by
3//     The rust-bitcoin developers.
4// To the extent possible under law, the author(s) have dedicated all
5// copyright and related and neighboring rights to this software to
6// the public domain worldwide. This software is distributed without
7// any warranty.
8//
9// You should have received a copy of the CC0 Public Domain Dedication
10// along with this software.
11// If not, see <http://creativecommons.org/publicdomain/zero/1.0/>.
12//
13
14//! Taproot
15//!
16
17use hashes::{sha256, sha256t, Hash};
18
19/// The SHA-256 midstate value for the TapLeaf hash.
20const MIDSTATE_TAPLEAF: [u8; 32] = [
21    156, 224, 228, 230, 124, 17, 108, 57, 56, 179, 202, 242, 195, 15, 80, 137, 211, 243, 147, 108,
22    71, 99, 110, 96, 125, 179, 62, 234, 221, 198, 240, 201,
23];
24// 9ce0e4e67c116c3938b3caf2c30f5089d3f3936c47636e607db33eeaddc6f0c9
25
26/// The SHA-256 midstate value for the TapBranch hash.
27const MIDSTATE_TAPBRANCH: [u8; 32] = [
28    35, 168, 101, 169, 184, 164, 13, 167, 151, 124, 30, 4, 196, 158, 36, 111, 181, 190, 19, 118,
29    157, 36, 201, 183, 181, 131, 181, 212, 168, 210, 38, 210,
30];
31// 23a865a9b8a40da7977c1e04c49e246fb5be13769d24c9b7b583b5d4a8d226d2
32
33/// The SHA-256 midstate value for the TapTweak hash.
34const MIDSTATE_TAPTWEAK: [u8; 32] = [
35    209, 41, 162, 243, 112, 28, 101, 93, 101, 131, 182, 195, 185, 65, 151, 39, 149, 244, 226, 50,
36    148, 253, 84, 244, 162, 174, 141, 133, 71, 202, 89, 11,
37];
38// d129a2f3701c655d6583b6c3b941972795f4e23294fd54f4a2ae8d8547ca590b
39
40/// The SHA-256 midstate value for the TapSigHash hash.
41const MIDSTATE_TAPSIGHASH: [u8; 32] = [
42    245, 4, 164, 37, 215, 248, 120, 59, 19, 99, 134, 138, 227, 229, 86, 88, 110, 238, 148, 93, 188,
43    120, 136, 221, 2, 166, 226, 195, 24, 115, 254, 159,
44];
45// f504a425d7f8783b1363868ae3e556586eee945dbc7888dd02a6e2c31873fe9f
46
47/// Internal macro to speficy the different taproot tagged hashes.
48macro_rules! sha256t_hash_newtype {
49    ($newtype:ident, $tag:ident, $midstate:ident, $midstate_len:expr, $docs:meta, $reverse: expr) => {
50        /// The tag used for [$newtype].
51        pub struct $tag;
52
53        impl sha256t::Tag for $tag {
54            fn engine() -> sha256::HashEngine {
55                let midstate = sha256::Midstate::from_inner($midstate);
56                sha256::HashEngine::from_midstate(midstate, $midstate_len)
57            }
58        }
59
60        hash_newtype!($newtype, sha256t::Hash<$tag>, 32, $docs, $reverse);
61    };
62}
63
64// Currently all taproot hashes are defined as being displayed backwards,
65// but that can be specified individually per hash.
66sha256t_hash_newtype!(TapLeafHash, TapLeafTag, MIDSTATE_TAPLEAF, 64,
67    doc="Taproot-tagged hash for tapscript Merkle tree leafs", true
68);
69sha256t_hash_newtype!(TapBranchHash, TapBranchTag, MIDSTATE_TAPBRANCH, 64,
70    doc="Taproot-tagged hash for tapscript Merkle tree branches", true
71);
72sha256t_hash_newtype!(TapTweakHash, TapTweakTag, MIDSTATE_TAPTWEAK, 64,
73    doc="Taproot-tagged hash for public key tweaks", true
74);
75sha256t_hash_newtype!(TapSighashHash, TapSighashTag, MIDSTATE_TAPSIGHASH, 64,
76    doc="Taproot-tagged hash for the taproot signature hash", true
77);
78
79#[cfg(test)]
80mod test {
81    use super::*;
82    use hashes::hex::ToHex;
83    use hashes::sha256t::Tag;
84    use hashes::{sha256, Hash, HashEngine};
85
86    fn tag_engine(tag_name: &str) -> sha256::HashEngine {
87        let mut engine = sha256::Hash::engine();
88        let tag_hash = sha256::Hash::hash(tag_name.as_bytes());
89        engine.input(&tag_hash[..]);
90        engine.input(&tag_hash[..]);
91        engine
92    }
93
94    #[test]
95    fn test_midstates() {
96        // check midstate against hard-coded values
97        assert_eq!(MIDSTATE_TAPLEAF, tag_engine("TapLeaf").midstate().into_inner());
98        assert_eq!(MIDSTATE_TAPBRANCH, tag_engine("TapBranch").midstate().into_inner());
99        assert_eq!(MIDSTATE_TAPTWEAK, tag_engine("TapTweak").midstate().into_inner());
100        assert_eq!(MIDSTATE_TAPSIGHASH, tag_engine("TapSighash").midstate().into_inner());
101
102        // test that engine creation roundtrips
103        assert_eq!(tag_engine("TapLeaf").midstate(), TapLeafTag::engine().midstate());
104        assert_eq!(tag_engine("TapBranch").midstate(), TapBranchTag::engine().midstate());
105        assert_eq!(tag_engine("TapTweak").midstate(), TapTweakTag::engine().midstate());
106        assert_eq!(tag_engine("TapSighash").midstate(), TapSighashTag::engine().midstate());
107
108        // check that hash creation is the same as building into the same engine
109        fn empty_hash(tag_name: &str) -> [u8; 32] {
110            let mut e = tag_engine(tag_name);
111            e.input(&[]);
112            sha256::Hash::from_engine(e).into_inner()
113        }
114        assert_eq!(empty_hash("TapLeaf"), TapLeafHash::hash(&[]).into_inner());
115        assert_eq!(empty_hash("TapBranch"), TapBranchHash::hash(&[]).into_inner());
116        assert_eq!(empty_hash("TapTweak"), TapTweakHash::hash(&[]).into_inner());
117        assert_eq!(empty_hash("TapSighash"), TapSighashHash::hash(&[]).into_inner());
118    }
119
120    #[test]
121    fn test_vectors_core() {
122        //! Test vectors taken from Core
123
124        // uninitialized writers
125        //   CHashWriter writer = HasherTapLeaf;
126        //   writer.GetSHA256().GetHex()
127        assert_eq!(
128            TapLeafHash::from_engine(TapLeafTag::engine()).to_hex(),
129            "cbfa0621df37662ca57697e5847b6abaf92934a1a5624916f8d177a388c21252"
130        );
131        assert_eq!(
132            TapBranchHash::from_engine(TapBranchTag::engine()).to_hex(),
133            "dffd9fbe4c21c893fa934f8774eda0e1efdc06f52ffbf5c1533c6f4dec73c353"
134        );
135        assert_eq!(
136            TapTweakHash::from_engine(TapTweakTag::engine()).to_hex(),
137            "e4156b45ff9b277dd92a042af9eed8c91f1d037f68f0d6b20001ab749422a48a"
138        );
139        assert_eq!(
140            TapSighashHash::from_engine(TapSighashTag::engine()).to_hex(),
141            "03c8b9d47cdb5f7bf924e282ce99ba8d2fe581262a04002907d8bc4a9111bcda"
142        );
143
144        // 0-byte
145        //   CHashWriter writer = HasherTapLeaf;
146        //   writer << std::vector<unsigned char>{};
147        //   writer.GetSHA256().GetHex()
148        // Note that Core writes the 0 length prefix when an empty vector is written.
149        assert_eq!(
150            TapLeafHash::hash(&[0]).to_hex(),
151            "29589d5122ec666ab5b4695070b6debc63881a4f85d88d93ddc90078038213ed"
152        );
153        assert_eq!(
154            TapBranchHash::hash(&[0]).to_hex(),
155            "1deb45569eb6b2da88b5c2ab46d6a64ab08d58a2fdd5f75a24e6c760194b5392"
156        );
157        assert_eq!(
158            TapTweakHash::hash(&[0]).to_hex(),
159            "1eea90d42a359c89bbf702ddf6bde140349e95b9e8036ff1c37f04e6b53787cd"
160        );
161        assert_eq!(
162            TapSighashHash::hash(&[0]).to_hex(),
163            "cd10c023c300fb9a507dff136370fba1d8a0566667cfafc4099a8803e00dfdc2"
164        );
165    }
166}
bitcoin/util/taproot.rs

bitcoin/util/
taproot.rs
