asset: add new script key type for pedersen unique keys

Author: guggero

address/book.go

@@ -510,7 +510,7 @@ func (b *Book) NewAddressWithKeys(ctx context.Context, addrVersion Version,
 
 	// We might not know the type of script key, if it was given to us
 	// through an RPC call. So we make a guess here.
-	keyType := scriptKey.DetermineType()
+	keyType := scriptKey.DetermineType(fn.Ptr(assetGroup.Genesis.ID()))
 
 	err = b.cfg.Store.InsertScriptKey(ctx, scriptKey, keyType)
 	if err != nil {

asset/asset.go

@@ -150,6 +150,13 @@ const (
 	// Keys related to channels are not shown in asset balances (unless
 	// specifically requested) and are _never_ used for coin selection.
 	ScriptKeyScriptPathChannel ScriptKeyType = 5
+
+	// ScriptKeyUniquePedersen is the script key type used for assets that
+	// use a unique script key, tweaked with a Pedersen commitment key in a
+	// single Tapscript leaf. This is used to avoid collisions in the
+	// universe when there are multiple grouped asset UTXOs within the same
+	// on-chain output.
+	ScriptKeyUniquePedersen ScriptKeyType = 6
 )
 
 var (
@@ -161,6 +168,7 @@ var (
 		ScriptKeyBurn,
 		ScriptKeyTombstone,
 		ScriptKeyScriptPathChannel,
+		ScriptKeyUniquePedersen,
 	}
 
 	// ScriptKeyTypesNoChannel is a slice of all known script key types
@@ -173,18 +181,38 @@ var (
 		ScriptKeyScriptPathExternal,
 		ScriptKeyBurn,
 		ScriptKeyTombstone,
+		ScriptKeyUniquePedersen,
 	}
 )
 
 // ScriptKeyTypeForDatabaseQuery returns a slice of script key types that should
 // be used when querying the database for assets. The returned slice will either
 // contain all script key types or only those that are not related to channels,
-// depending on the `filterChannelRelated` parameter. Unless the user specifies
+// depending on the `excludeChannelRelated` parameter. Unless the user specifies
 // a specific script key type, in which case the returned slice will only
 // contain that specific script key type.
-func ScriptKeyTypeForDatabaseQuery(filterChannelRelated bool,
+func ScriptKeyTypeForDatabaseQuery(excludeChannelRelated bool,
 	userSpecified fn.Option[ScriptKeyType]) []ScriptKeyType {
 
+	// If the user specified a script key type, we use that directly to
+	// filter the results.
+	if userSpecified.IsSome() {
+		specifiedType := userSpecified.UnwrapOr(ScriptKeyUnknown)
+		dbTypes := []ScriptKeyType{
+			specifiedType,
+		}
+
+		// If the user specifically requested BIP-86 script keys, we
+		// also include the Pedersen unique script key type, because
+		// those can be spent the same way as BIP-86 script keys, and
+		// they should be treated the same way as BIP-86 script keys.
+		if specifiedType == ScriptKeyBip86 {
+			dbTypes = append(dbTypes, ScriptKeyUniquePedersen)
+		}
+
+		return dbTypes
+	}
+
 	// For some queries, we want to get all the assets with all possible
 	// script key types. For those, we use the full set of script key types.
 	dbTypes := fn.CopySlice(AllScriptKeyTypes)
@@ -194,16 +222,10 @@ func ScriptKeyTypeForDatabaseQuery(filterChannelRelated bool,
 	// balance of those assets is reported through lnd channel balance.
 	// Those assets are identified by the specific script key type for
 	// channel keys. We exclude them unless explicitly queried for.
-	if filterChannelRelated {
+	if excludeChannelRelated {
 		dbTypes = fn.CopySlice(ScriptKeyTypesNoChannel)
 	}
 
-	// If the user specified a script key type, we use that to filter the
-	// results.
-	userSpecified.WhenSome(func(t ScriptKeyType) {
-		dbTypes = []ScriptKeyType{t}
-	})
-
 	return dbTypes
 }
 
@@ -447,7 +469,7 @@ func NewSpecifierFromGroupKey(groupPubKey btcec.PublicKey) Specifier {
 	}
 }
 
-// NewExlusiveSpecifier creates a specifier that may only include one of asset
+// NewExclusiveSpecifier creates a specifier that may only include one of asset
 // ID or group key. If both are set then a specifier over the group key is
 // created.
 func NewExclusiveSpecifier(id *ID,
@@ -1098,6 +1120,65 @@ func EqualKeyDescriptors(a, o keychain.KeyDescriptor) bool {
 	return a.PubKey.IsEqual(o.PubKey)
 }
 
+// ScriptKeyDerivationMethod is the method used to derive the script key of an
+// asset send output from the recipient's internal key and the asset ID of
+// the output. This is used to ensure that the script keys are unique for each
+// asset ID, so that proofs can be fetched from the universe without collisions.
+type ScriptKeyDerivationMethod uint8
+
+const (
+	// ScriptKeyDerivationUniquePedersen means the script key is derived
+	// using the address's recipient ID key and a single leaf that contains
+	// an un-spendable Pedersen commitment key
+	// (OP_CHECKSIG <NUMS_key + asset_id * G>). This can be used to
+	// create unique script keys for each virtual packet in the fragment,
+	// to avoid proof collisions in the universe, where the script keys
+	// should be spendable by a hardware wallet that only supports
+	// miniscript policies for signing P2TR outputs.
+	ScriptKeyDerivationUniquePedersen ScriptKeyDerivationMethod = 0
+)
+
+// DeriveUniqueScriptKey derives a unique script key for the given asset ID
+// using the recipient's internal key and the specified derivation method.
+func DeriveUniqueScriptKey(internalKey btcec.PublicKey, assetID ID,
+	method ScriptKeyDerivationMethod) (ScriptKey, error) {
+
+	switch method {
+	// For the unique Pedersen method, we derive the script key using the
+	// internal key and the asset ID using a Pedersen commitment key in a
+	// single OP_CHECKSIG leaf.
+	case ScriptKeyDerivationUniquePedersen:
+		leaf, err := NewNonSpendableScriptLeaf(
+			PedersenVersion, assetID[:],
+		)
+		if err != nil {
+			return ScriptKey{}, fmt.Errorf("unable to create "+
+				"non-spendable leaf: %w", err)
+		}
+
+		rootHash := leaf.TapHash()
+		scriptPubKey, _ := schnorr.ParsePubKey(schnorr.SerializePubKey(
+			txscript.ComputeTaprootOutputKey(
+				&internalKey, rootHash[:],
+			),
+		))
+		return ScriptKey{
+			PubKey: scriptPubKey,
+			TweakedScriptKey: &TweakedScriptKey{
+				RawKey: keychain.KeyDescriptor{
+					PubKey: &internalKey,
+				},
+				Tweak: rootHash[:],
+				Type:  ScriptKeyUniquePedersen,
+			},
+		}, nil
+
+	default:
+		return ScriptKey{}, fmt.Errorf("unknown script key derivation "+
+			"method: %d", method)
+	}
+}
+
 // TweakedScriptKey is an embedded struct which is primarily used by wallets to
 // be able to keep track of the tweak of a script key alongside the raw key
 // derivation information.
@@ -1197,14 +1278,16 @@ func (s *ScriptKey) HasScriptPath() bool {
 }
 
 // DetermineType attempts to determine the type of the script key based on the
-// information available. This method will only return ScriptKeyUnknown if the
-// following condition is met:
+// information available. This method will only return ScriptKeyUnknown if one
+// of the following conditions is met:
 //   - The script key doesn't have a script path, but the final Taproot output
 //     key doesn't match a BIP-0086 key derived from the internal key. This will
 //     be the case for "foreign" script keys we import from proofs, where we set
 //     the internal key to the same key as the tweaked script key (because we
 //     don't know the internal key, as it's not part of the proof encoding).
-func (s *ScriptKey) DetermineType() ScriptKeyType {
+//   - No asset ID was provided (because it is unavailable in the given
+//     context), and the script key is a unique Pedersen-based key.
+func (s *ScriptKey) DetermineType(id *ID) ScriptKeyType {
 	// If we have an explicit script key type set, we can return that.
 	if s.TweakedScriptKey != nil &&
 		s.TweakedScriptKey.Type != ScriptKeyUnknown {
@@ -1233,6 +1316,24 @@ func (s *ScriptKey) DetermineType() ScriptKeyType {
 		if bip86.PubKey.IsEqual(s.PubKey) {
 			return ScriptKeyBip86
 		}
+
+		// If we have the asset's ID, we can check whether this is a
+		// Pedersen-based key. If we don't have the ID, then we can't
+		// determine the type, so we'll end up in the default return
+		// below.
+		if id != nil {
+			scriptKey, err := DeriveUniqueScriptKey(
+				*s.TweakedScriptKey.RawKey.PubKey, *id,
+				ScriptKeyDerivationUniquePedersen,
+			)
+			if err != nil {
+				return ScriptKeyUnknown
+			}
+
+			if scriptKey.PubKey.IsEqual(s.PubKey) {
+				return ScriptKeyUniquePedersen
+			}
+		}
 	}
 
 	return ScriptKeyUnknown

itest/script_key_type_test.go

@@ -0,0 +1,161 @@
+package itest
+
+import (
+	"context"
+	"testing"
+
+	"github.com/lightninglabs/taproot-assets/asset"
+	"github.com/lightninglabs/taproot-assets/rpcutils"
+	"github.com/lightninglabs/taproot-assets/tappsbt"
+	"github.com/lightninglabs/taproot-assets/taprpc"
+	wrpc "github.com/lightninglabs/taproot-assets/taprpc/assetwalletrpc"
+	"github.com/lightninglabs/taproot-assets/taprpc/mintrpc"
+	"github.com/stretchr/testify/require"
+)
+
+// testScriptKeyTypePedersenUnique tests that we can declare a script key with
+// the Pedersen unique tweak type, which is used for assets that are sent using
+// the future address V2 scheme.
+func testScriptKeyTypePedersenUnique(t *harnessTest) {
+	ctxb := context.Background()
+	ctxt, cancel := context.WithTimeout(ctxb, defaultWaitTimeout)
+	defer cancel()
+
+	rpcAssets := MintAssetsConfirmBatch(
+		t.t, t.lndHarness.Miner().Client, t.tapd,
+		[]*mintrpc.MintAssetRequest{
+			simpleAssets[0],
+			// Our "passive" asset.
+			{
+				Asset: &mintrpc.MintAsset{
+					AssetType: taprpc.AssetType_NORMAL,
+					Name:      "itestbuxx-passive",
+					AssetMeta: &taprpc.AssetMeta{
+						Data: []byte("some metadata"),
+					},
+					Amount: 123,
+				},
+			},
+		},
+	)
+	activeAsset := rpcAssets[0]
+	passiveAsset := rpcAssets[1]
+
+	var (
+		activeID, passiveID asset.ID
+	)
+	copy(activeID[:], activeAsset.AssetGenesis.AssetId)
+	copy(passiveID[:], passiveAsset.AssetGenesis.AssetId)
+
+	// We need to derive two sets of keys, one for the new script key and
+	// one for the internal key each.
+	activeScriptKey, activeAnchorIntKeyDesc1 := DeriveKeys(t.t, t.tapd)
+	activeScriptKey = declarePedersenUniqueScriptKey(
+		t.t, t.tapd, activeScriptKey, activeID,
+	)
+	passiveScriptKey, _ := DeriveKeys(t.t, t.tapd)
+	passiveScriptKey = declarePedersenUniqueScriptKey(
+		t.t, t.tapd, passiveScriptKey, passiveID,
+	)
+
+	// We create the output at anchor index 0 for the first address.
+	outputAmounts := []uint64{300, 4700, 123}
+	vPkt := tappsbt.ForInteractiveSend(
+		activeID, outputAmounts[1], activeScriptKey, 0, 0, 0,
+		activeAnchorIntKeyDesc1, asset.V0, chainParams,
+	)
+
+	// We now fund the packet, so we get the passive assets as well.
+	fundResp := fundPacket(t, t.tapd, vPkt)
+	require.Len(t.t, fundResp.PassiveAssetPsbts, 1)
+
+	// We now replace the script key of the passive packet with the Pedersen
+	// key that we declared above, then sign the packet.
+	passiveAssetPkt, err := tappsbt.Decode(fundResp.PassiveAssetPsbts[0])
+	require.NoError(t.t, err)
+	require.Len(t.t, passiveAssetPkt.Outputs, 1)
+
+	passiveAssetPkt.Outputs[0].ScriptKey = passiveScriptKey
+	if passiveAssetPkt.Outputs[0].Asset != nil {
+		passiveAssetPkt.Outputs[0].Asset.ScriptKey = passiveScriptKey
+	}
+	passiveAssetPkt = signVirtualPacket(t.t, t.tapd, passiveAssetPkt)
+
+	// We now also sign the active asset packet.
+	activeAssetPkt, err := tappsbt.Decode(fundResp.FundedPsbt)
+	require.NoError(t.t, err)
+
+	activeAssetPkt = signVirtualPacket(t.t, t.tapd, activeAssetPkt)
+
+	activeBytes, err := tappsbt.Encode(activeAssetPkt)
+	require.NoError(t.t, err)
+	passiveBytes, err := tappsbt.Encode(passiveAssetPkt)
+	require.NoError(t.t, err)
+
+	// Now we'll attempt to complete the transfer.
+	sendResp, err := t.tapd.AnchorVirtualPsbts(
+		ctxt, &wrpc.AnchorVirtualPsbtsRequest{
+			VirtualPsbts: [][]byte{
+				activeBytes,
+				passiveBytes,
+			},
+		},
+	)
+	require.NoError(t.t, err)
+
+	ConfirmAndAssertOutboundTransferWithOutputs(
+		t.t, t.lndHarness.Miner().Client, t.tapd, sendResp, activeID[:],
+		outputAmounts, 0, 1, 3,
+	)
+
+	AssertBalances(
+		t.t, t.tapd, 4700, WithAssetID(activeID[:]), WithNumUtxos(1),
+		WithScriptKeyType(asset.ScriptKeyUniquePedersen),
+	)
+	AssertBalances(
+		t.t, t.tapd, 5000, WithAssetID(activeID[:]), WithNumUtxos(2),
+		WithScriptKeyType(asset.ScriptKeyBip86),
+	)
+	AssertBalances(
+		t.t, t.tapd, 123, WithAssetID(passiveID[:]), WithNumUtxos(1),
+		WithScriptKeyType(asset.ScriptKeyUniquePedersen),
+	)
+
+	aliceAssets, err := t.tapd.ListAssets(ctxb, &taprpc.ListAssetRequest{})
+	require.NoError(t.t, err)
+
+	assetsJSON, err := formatProtoJSON(aliceAssets)
+	require.NoError(t.t, err)
+	t.Logf("Got assets: %s", assetsJSON)
+
+	// We should now be able to spend all the outputs, the Pedersen keys
+	// should be signed correctly both in the active and passive assets.
+	sendAssetAndAssert(
+		ctxt, t, t.tapd, t.tapd, 4900, 100, activeAsset.AssetGenesis,
+		activeAsset, 1, 2, 1,
+	)
+}
+
+func declarePedersenUniqueScriptKey(t *testing.T, node tapClient,
+	sk asset.ScriptKey, assetID asset.ID) asset.ScriptKey {
+
+	pedersenKey, err := asset.DeriveUniqueScriptKey(
+		*sk.RawKey.PubKey, assetID,
+		asset.ScriptKeyDerivationUniquePedersen,
+	)
+	require.NoError(t, err)
+
+	// We need to let the wallet of Bob know that we're going to use a
+	// script key with a custom root.
+	ctxt, cancel := context.WithTimeout(
+		context.Background(), defaultTimeout,
+	)
+	defer cancel()
+
+	_, err = node.DeclareScriptKey(ctxt, &wrpc.DeclareScriptKeyRequest{
+		ScriptKey: rpcutils.MarshalScriptKey(pedersenKey),
+	})
+	require.NoError(t, err)
+
+	return pedersenKey
+}

itest/test_list_on_test.go

@@ -351,6 +351,10 @@ var testCases = []*testCase{
 		name: "auth mailbox message store and fetch",
 		test: testAuthMailboxStoreAndFetchMessage,
 	},
+	{
+		name: "script key type pedersen unique",
+		test: testScriptKeyTypePedersenUnique,
+	},
 }
 
 var optionalTestCases = []*testCase{

rpcserver.go

@@ -8508,7 +8508,7 @@ func (r *rpcServer) DeclareScriptKey(ctx context.Context,
 	// 100% sure of the type, if it wasn't declared. But we can make a
 	// best-effort guess based on the fields the user has set. This is a
 	// no-op if the type is already set.
-	scriptKey.Type = scriptKey.DetermineType()
+	scriptKey.Type = scriptKey.DetermineType(nil)
 
 	// The user is declaring the key, so they should know what type it is.
 	// So if they didn't set it, and it wasn't an obvious one, we'll require