Taproot for elements #479
Merged
Taproot for elements #479
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Contributor
jgriffiths
commented
Feb 21, 2025
jgriffiths
commented
- Add Elements support for bip341 signature hashing/signing (keyspend only)
- Add support for signing Elements p2tr PSETs (keyspend only)
- Rework bip341 signing to be cleaner/faster/use less memory/support caching
- Disable Elements descriptor address generation until its implemented
jgriffiths
force-pushed
the
taproot_elements
branch
3 times, most recently
from
f330fda to
cecb078
Compare
Taproot signing is extremely inefficient without several levels of caching (e.g. pre-computing tagged hashes, and caching sub-hashes when signing). This is especially true for Elements which adds much more data to the signature hash. Wally's initial hash generation relied on creating the entire preimage and then hashing it in one call. Since segwit and particularly taproot, this approach has not aged well, and is not compatible with efficient tagged hashing. For bip341 Elements signing, this change implements a new approach which hashes the data piecemeal rather than concatenating it first. This uses much less cpu, memory and stack, and eliminates the need to pre-compute the final allocation length of the preimage before generating it, leading to less, more readable code. Additionally, we implement an on-demand cache for preimage data when signing. By passing in a wally_map to hold the cached data, callers can greatly decrease the time required to sign. We replace the existing BTC taproot implementation with this new one, and fix several bugs that were found as a result: - The sub-length calculation for tapscripts was incorrect - The sighash mask for taproot was incorrect - ANYONECANPAY required all input data when only the given inputs data was used.
Use the new signature hash function for both btc and elements. For signing via PSBT input instead of via the PSBT, this requires that EC_FLAG_ELEMENTS is passed in flags, in order to correctly use the Elements-specific tagged hashes. This is because the input alone does not know if it belongs to a PSET.
This test case was generated from Elements with extra processing to work around Elements bugs and lack of ELIP-0101 support there.
Having the cache as part of the PSBT is not ideal, but it allows us to support caching without having to modify a bunch of psbt calls in an incompatible fashion. Also includes a drive-by fix to add genesis_blockhash to the tests ctypes wrapper, as it was missed previously.
jgriffiths
force-pushed
the
taproot_elements
branch
from
cecb078 to
9e49e1e
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.