Move fee calculation to Transaction class and enhance coin selection

Author: MatthewLM

coinlib/CHANGELOG.md

@@ -13,8 +13,16 @@ secp256k1-coinlib fork.
 - Adds `Locktime` abstractions for transactions. Transactions have
     `.isUnlocked` to determine if the transaction is available for block
     inclusion.
+- `InputCandidate.defaultSigHash` is moved to `TaprootKeyInput` and
+    `TaprootSingleScriptSigInput` and `defaultSignedSize` is removed from
+    Taproot inputs.
+- The `signedSize` of inputs is made more accurate.
+- Moves fee calculation logic to `Transaction` with `calculateSignedSize`,
+`calculateFee`, `signedSize` and `fee`.
+- Adds `skipSizeCheck` to `Transaction` constructor.
 - Moves to underlying secp256k1-coinlib.
 - Removed dependency to wasm_interop that had a broken js dependency.
+- The efficiency of `CoinSelection` is greatly improved.
 - `Writable.toBytes()` returns a copy of the cached bytes to avoid mutation.
 - Fixes `extraEntropy` being ignored for `Secp256k1Base.schnorrSign`.
 

coinlib/lib/src/crypto/random.dart

@@ -14,7 +14,7 @@ Uint8List generateRandomBytes(int size) {
   return bytes;
 }
 
-List<T> insertRandom<T>(List<T> list, T element) {
+List<T> insertRandom<T>(Iterable<T> list, T element) {
   final newList = List<T>.from(list);
   newList.insert(Random.secure().nextInt(newList.length+1), element);
   return newList;

coinlib/lib/src/tx/coin_selection.dart

@@ -1,10 +1,8 @@
-import 'package:coinlib/src/common/serial.dart';
+import 'package:coinlib/src/common/bigints.dart';
 import 'package:coinlib/src/crypto/random.dart';
 import 'package:coinlib/src/scripts/program.dart';
-import 'package:coinlib/src/tx/inputs/witness_input.dart';
 import 'package:collection/collection.dart';
 import 'inputs/input.dart';
-import 'inputs/taproot_input.dart';
 import 'locktime.dart';
 import 'output.dart';
 import 'transaction.dart';
@@ -18,20 +16,12 @@ class InputCandidate {
   final Input input;
   /// Value of UTXO to be spent
   final BigInt value;
-  /// True if it is known that the default sighash type is being used which
-  /// allows one less byte to be used for Taproot signatures.
-  final bool defaultSigHash;
 
   /// Provides an [input] alongside the [value] being spent that may be
   /// selected.
-  ///
-  /// [defaultSigHash] can be set to true if it is known that a Taproot input
-  /// will definitely be signed with SIGHASH_DEFAULT. The fee calculation will
-  /// be incorrect if this is set for a non-default sighash type.
   InputCandidate({
     required this.input,
     required this.value,
-    this.defaultSigHash = false,
   });
 
 }
@@ -55,31 +45,19 @@ class CoinSelection {
   late final BigInt inputValue;
   /// The total value of all recipient outputs
   late final BigInt recipientValue;
-  /// The fee to be paid by the transaction
-  late final BigInt fee;
   /// The value of the change output. This is 0 for a changeless transaction or
   /// negative if there aren't enough funds.
   late final BigInt changeValue;
   /// The maximum size of the transaction after being fully signed
-  late final int signedSize;
-
-  int _sizeGivenChange(int fixedSize, bool includeChange)
-    => fixedSize
-    + recipients.fold(0, (acc, output) => acc + output.size)
-    + (includeChange ? Output.fromProgram(BigInt.zero, changeProgram).size : 0)
-    + MeasureWriter.varIntSizeOfInt(
-      recipients.length + (includeChange ? 1 : 0),
-    ) as int;
-
-  BigInt _feeForSize(int size) {
-    final feeForSize = feePerKb * BigInt.from(size) ~/ BigInt.from(1000);
-    return feeForSize.compareTo(minFee) > 0 ? feeForSize : minFee;
-  }
+  late int signedSize;
 
   /// Selects all the inputs from [selected] to send to the [recipients] outputs
   /// and provide change to the [changeProgram]. The [feePerKb] specifies the
   /// required fee in sats per KB with a minimum fee specified with
   /// [minFee]. The [minChange] is the minimum allowed change.
+  ///
+  /// Will throw [ArgumentError] if a [selected] input does not have a
+  /// calculable size.
   CoinSelection({
     this.version = Transaction.currentVersion,
     required Iterable<InputCandidate> selected,
@@ -97,63 +75,42 @@ class CoinSelection {
     }
 
     // Get input and recipient values
-    inputValue = selected
-      .fold(BigInt.zero, (acc, candidate) => acc + candidate.value);
-    recipientValue = recipients
-      .fold(BigInt.zero, (acc, output) => acc + output.value);
-
-    final isWitness = selected.any(
-      (candidate) => candidate.input is WitnessInput,
-    );
-
-    // Get unchanging size
-    final int fixedSize
-      // Version and locktime
-      = 8
-      // Add witness marker and flag
-      + (isWitness ? 2 : 0)
-      // Fully signed inputs
-      + MeasureWriter.varIntSizeOfInt(selected.length)
-      + selected.fold(
-        0,
-        (acc, candidate) {
-          final input = candidate.input;
-          final inputSize = input is TaprootInput && candidate.defaultSigHash
-            ? input.defaultSignedSize
-            : input.signedSize;
-          return acc + inputSize!;
-        }
-      );
-
-    // Determine size and fee with change
-    final sizeWithChange = _sizeGivenChange(fixedSize, true);
-    final feeWithChange = _feeForSize(sizeWithChange);
-    final includedChangeValue = inputValue - recipientValue - feeWithChange;
-
-    // If change is under the required minimum, remove the change output
-    if (includedChangeValue.compareTo(minChange) < 0) {
-
-      final changelessSize = _sizeGivenChange(fixedSize, false);
-      final feeForSize = _feeForSize(changelessSize);
-      final excess = inputValue - recipientValue - feeForSize;
-
-      if (!excess.isNegative) {
-        // Exceeded without change. Fee is the input value minus the recipient
-        // value
-        signedSize = changelessSize;
-        fee = inputValue - recipientValue;
-        changeValue = BigInt.zero;
-        return;
-      }
-      // Else haven't met requirement
-
+    inputValue = addBigInts(selected.map((candidate) => candidate.value));
+    recipientValue = addBigInts(recipients.map((output) => output.value));
+    final inputExcess = inputValue - recipientValue;
+
+    final inputs = selected.map((candidate) => candidate.input).toList();
+    final isWitness = Transaction.inputsHaveWitness(inputs);
+    final outputProgram = Output.fromProgram(BigInt.zero, changeProgram);
+
+    int getSize(bool withChange) => Transaction.calculateSignedSize(
+      inputs: inputs,
+      outputs: [...recipients, if (withChange) outputProgram ],
+      isWitness: isWitness,
+    )!; // Assert null as all inputs will have signedSize as tested above
+
+    BigInt getFeeExcess(int size)
+      => inputExcess - Transaction.calculateFee(size, feePerKb, minFee);
+
+    // Try to create change tranasction first
+    final sizeWithChange = getSize(true);
+    final change = getFeeExcess(sizeWithChange);
+
+    // Transaction with change is successful if the change is above the minimum
+    if (change.compareTo(minChange) >= 0) {
+      signedSize = sizeWithChange;
+      changeValue = change;
+      return;
     }
 
-    // Either haven't met requirement, or have met requirement with change so
-    // provide details of change-containing transaction
-    signedSize = sizeWithChange;
-    fee = feeWithChange;
-    changeValue = includedChangeValue;
+    // Else target the transaction without the change output
+    signedSize = getSize(false);
+    final feeExcess = getFeeExcess(signedSize);
+
+    // Clamp the change value to no more than 0 as it is a changeless
+    // transaction.
+    // If the excess is negative, it is a shortfall.
+    changeValue = feeExcess.isNegative ? feeExcess : BigInt.zero;
 
   }
 
@@ -203,9 +160,11 @@ class CoinSelection {
   /// in the order that they are given until the required amount has been
   /// reached. If there are not enough coins, all shall be selected and
   /// [enoughFunds] shall be false.
+  ///
   /// If [randomise] is set to true, the order of inputs shall be randomised
   /// after being selected. This is useful for candidates that are not already
   /// randomised as it may avoid giving clues to the algorithm being used.
+  ///
   /// The algorithm will only take upto 6800 candidates by default to avoid
   /// taking too long and due to size limitations. This can be changed with
   /// [maxCandidates].
@@ -234,15 +193,29 @@ class CoinSelection {
         locktime: locktime,
       );
 
+    if (candidates.isEmpty) return trySelection([]);
+
     // Restrict number of candidates due to size limitation and for efficiency
     final list = candidates.take(maxCandidates).toList();
 
-    CoinSelection selection = trySelection([]);
-    for (int i = 0; i < list.length; i++) {
-      selection = trySelection(list.take(i+1));
-      if (selection.enoughFunds) break;
+    // Use binary search to find the required amount
+    CoinSelection search(int left, int right, CoinSelection? cacheRight) {
+
+      if (left == right) {
+        return cacheRight ?? trySelection(list.take(left));
+      }
+
+      final middle = (left + right) ~/ 2;
+      final middleSelection = trySelection(list.take(middle));
+
+      return middleSelection.enoughFunds
+        ? search(left, middle, middleSelection)
+        : search(middle+1, right, cacheRight);
+
     }
 
+    final selection = search(1, list.length, null);
+
     return randomise
       ? trySelection(selection.selected.toList()..shuffle())
       : selection;
@@ -303,17 +276,23 @@ class CoinSelection {
   /// value and fee, or [TransactionTooLarge] if the resulting signed
   /// transaction would be too large.
   Transaction get transaction {
+
     if (!enoughFunds) throw InsufficientFunds();
     if (tooLarge) throw TransactionTooLarge();
+
     return Transaction(
       version: version,
       inputs: selected.map((candidate) => candidate.input),
-      outputs: changeless ? recipients : insertRandom(
-        recipients,
-        Output.fromProgram(changeValue, changeProgram),
-      ),
+      outputs: changeless
+        ? recipients
+        : insertRandom(
+          recipients,
+          Output.fromProgram(changeValue, changeProgram),
+        ),
       locktime: locktime,
+      skipSizeCheck: true,
     );
+
   }
 
   /// True when the input value covers the outputs and fee
@@ -324,5 +303,7 @@ class CoinSelection {
   bool get tooLarge => signedSize > Transaction.maxSize;
   /// True if a signable solution has been found
   bool get ready => enoughFunds && !tooLarge;
+  /// The fee to be paid by the transaction
+  BigInt get fee => inputValue - recipientValue - changeValue;
 
 }

coinlib/lib/src/tx/inputs/p2pkh_input.dart

@@ -21,20 +21,25 @@ class P2PKHInput extends LegacyInput with PKHInput {
   final ECPublicKey publicKey;
   @override
   final ECDSAInputSignature? insig;
+
   @override
-  final int? signedSize = 147;
+  /// For an input without a signature, it is assumed the signature will be a
+  /// low-R signature with a size of 71 bytes.
+  final int signedSize;
 
   P2PKHInput({
     required super.prevOut,
     required this.publicKey,
     this.insig,
     super.sequence = InputSequence.enforceLocktime,
-  }) : super(
-    scriptSig: Script([
-      if (insig != null) ScriptPushData(insig.bytes),
-      ScriptPushData(publicKey.data),
-    ]).compiled,
-  );
+  }) :
+    signedSize = PKHInput.signedSizeCalc(publicKey, insig),
+    super(
+      scriptSig: Script([
+        if (insig != null) ScriptPushData(insig.bytes),
+        ScriptPushData(publicKey.data),
+      ]).compiled,
+    );
 
   /// Checks if the [RawInput] matches the expected format for a [P2PKHInput],
   /// with or without a signature. If it does it returns a [P2PKHInput] for the

coinlib/lib/src/tx/inputs/p2sh_multisig_input.dart

@@ -200,12 +200,16 @@ class P2SHMultisigInput extends LegacyInput {
 
   int get _signedScriptSize
     => 1 // Extra 0
-    + program.threshold*73 // Add 73 bytes per signature
+    + sigs.fold(0, (acc, sig) => acc + sig.bytes.length + 1)
+    // For unadded signatures assume 71 bytes plus push data
+    + (program.threshold-sigs.length)*72
     // Determine the length of the program pushdata by actually compiling it.
     // Not the most efficient but the simplest solution.
-    + ScriptPushData(program.script.compiled).compiled.length;
+    + ScriptPushData(program.script.compiled).compiled.length
+    as int;
 
   @override
+  /// Assumes low-R 71-byte signatures by default
   int? get signedSize
     => 40 // Outpoint plus sequence
     + _signedScriptSize

coinlib/lib/src/tx/inputs/p2wpkh_input.dart

@@ -21,20 +21,23 @@ class P2WPKHInput extends LegacyWitnessInput with PKHInput {
   final ECPublicKey publicKey;
   @override
   final ECDSAInputSignature? insig;
+
   @override
-  final int? signedSize = 147;
+  final int signedSize;
 
   P2WPKHInput({
     required super.prevOut,
     required this.publicKey,
     this.insig,
     super.sequence = InputSequence.enforceLocktime,
-  }) : super(
-    witness: [
-      if (insig != null) insig.bytes,
-      publicKey.data,
-    ],
-  );
+  }) :
+    signedSize = PKHInput.signedSizeCalc(publicKey, insig),
+    super(
+      witness: [
+        if (insig != null) insig.bytes,
+        publicKey.data,
+      ],
+    );
 
   /// Checks if the [raw] input and [witness] data match the expected format for
   /// a P2WPKHInput, with or without a signature. If it does it returns a

coinlib/lib/src/tx/inputs/pkh_input.dart

@@ -9,6 +9,16 @@ import 'input_signature.dart';
 /// [ECDSAInputSignature] required in these inputs.
 abstract mixin class PKHInput {
 
+  /// Gives the signed size of a P2PKH or P2WPKH input.
+  static int signedSizeCalc(ECPublicKey publicKey, ECDSAInputSignature? insig)
+    =>
+    // 41 basic size
+    // 2 for pushdata/varint of signature and key
+    41 + 2
+    + publicKey.data.length
+    // Assume signature is 71 with low-R by default
+    + (insig?.bytes.length ?? 71);
+
   ECPublicKey get publicKey;
   ECDSAInputSignature? get insig;
   PKHInput addSignature(ECDSAInputSignature insig);

coinlib/lib/src/tx/inputs/taproot_input.dart

@@ -25,7 +25,4 @@ abstract class TaprootInput extends WitnessInput {
     details.hashType,
   );
 
-  /// The signed size when SIGHASH_DEFAULT is used for all signatures
-  int? get defaultSignedSize => signedSize;
-
 }