|
| 1 | +// Rust Bitcoin Library |
| 2 | +// Written in 2019 by |
| 3 | +// The rust-bitcoin developers. |
| 4 | +// To the extent possible under law, the author(s) have dedicated all |
| 5 | +// copyright and related and neighboring rights to this software to |
| 6 | +// the public domain worldwide. This software is distributed without |
| 7 | +// any warranty. |
| 8 | +// |
| 9 | +// You should have received a copy of the CC0 Public Domain Dedication |
| 10 | +// along with this software. |
| 11 | +// If not, see <http://creativecommons.org/publicdomain/zero/1.0/>. |
| 12 | +// |
| 13 | + |
| 14 | +//! Taproot |
| 15 | +//! |
| 16 | +
|
| 17 | +use hashes::{sha256, sha256t, Hash}; |
| 18 | + |
| 19 | +/// The SHA-256 midstate value for the TapLeaf hash. |
| 20 | +const MIDSTATE_TAPLEAF: [u8; 32] = [ |
| 21 | + 156, 224, 228, 230, 124, 17, 108, 57, 56, 179, 202, 242, 195, 15, 80, 137, 211, 243, 147, 108, |
| 22 | + 71, 99, 110, 96, 125, 179, 62, 234, 221, 198, 240, 201, |
| 23 | +]; |
| 24 | +// 9ce0e4e67c116c3938b3caf2c30f5089d3f3936c47636e607db33eeaddc6f0c9 |
| 25 | + |
| 26 | +/// The SHA-256 midstate value for the TapBranch hash. |
| 27 | +const MIDSTATE_TAPBRANCH: [u8; 32] = [ |
| 28 | + 35, 168, 101, 169, 184, 164, 13, 167, 151, 124, 30, 4, 196, 158, 36, 111, 181, 190, 19, 118, |
| 29 | + 157, 36, 201, 183, 181, 131, 181, 212, 168, 210, 38, 210, |
| 30 | +]; |
| 31 | +// 23a865a9b8a40da7977c1e04c49e246fb5be13769d24c9b7b583b5d4a8d226d2 |
| 32 | + |
| 33 | +/// The SHA-256 midstate value for the TapTweak hash. |
| 34 | +const MIDSTATE_TAPTWEAK: [u8; 32] = [ |
| 35 | + 209, 41, 162, 243, 112, 28, 101, 93, 101, 131, 182, 195, 185, 65, 151, 39, 149, 244, 226, 50, |
| 36 | + 148, 253, 84, 244, 162, 174, 141, 133, 71, 202, 89, 11, |
| 37 | +]; |
| 38 | +// d129a2f3701c655d6583b6c3b941972795f4e23294fd54f4a2ae8d8547ca590b |
| 39 | + |
| 40 | +/// The SHA-256 midstate value for the TapSigHash hash. |
| 41 | +const MIDSTATE_TAPSIGHASH: [u8; 32] = [ |
| 42 | + 245, 4, 164, 37, 215, 248, 120, 59, 19, 99, 134, 138, 227, 229, 86, 88, 110, 238, 148, 93, 188, |
| 43 | + 120, 136, 221, 2, 166, 226, 195, 24, 115, 254, 159, |
| 44 | +]; |
| 45 | +// f504a425d7f8783b1363868ae3e556586eee945dbc7888dd02a6e2c31873fe9f |
| 46 | + |
| 47 | +/// Internal macro to speficy the different taproot tagged hashes. |
| 48 | +macro_rules! sha256t_hash_newtype { |
| 49 | + ($newtype:ident, $tag:ident, $midstate:ident, $midstate_len:expr, $docs:meta, $reverse: expr) => { |
| 50 | + /// The tag used for [$newtype]. |
| 51 | + pub struct $tag; |
| 52 | + |
| 53 | + impl sha256t::Tag for $tag { |
| 54 | + fn engine() -> sha256::HashEngine { |
| 55 | + let midstate = sha256::Midstate::from_inner($midstate); |
| 56 | + sha256::HashEngine::from_midstate(midstate, $midstate_len) |
| 57 | + } |
| 58 | + } |
| 59 | + |
| 60 | + hash_newtype!($newtype, sha256t::Hash<$tag>, 32, $docs, $reverse); |
| 61 | + }; |
| 62 | +} |
| 63 | + |
| 64 | +// Currently all taproot hashes are defined as being displayed backwards, |
| 65 | +// but that can be specified individually per hash. |
| 66 | +sha256t_hash_newtype!(TapLeafHash, TapLeafTag, MIDSTATE_TAPLEAF, 64, |
| 67 | + doc="Taproot-tagged hash for tapscript Merkle tree leafs", true |
| 68 | +); |
| 69 | +sha256t_hash_newtype!(TapBranchHash, TapBranchTag, MIDSTATE_TAPBRANCH, 64, |
| 70 | + doc="Taproot-tagged hash for tapscript Merkle tree branches", true |
| 71 | +); |
| 72 | +sha256t_hash_newtype!(TapTweakHash, TapTweakTag, MIDSTATE_TAPTWEAK, 64, |
| 73 | + doc="Taproot-tagged hash for public key tweaks", true |
| 74 | +); |
| 75 | +sha256t_hash_newtype!(TapSighashHash, TapSighashTag, MIDSTATE_TAPSIGHASH, 64, |
| 76 | + doc="Taproot-tagged hash for the taproot signature hash", true |
| 77 | +); |
| 78 | + |
| 79 | +#[cfg(test)] |
| 80 | +mod test { |
| 81 | + use super::*; |
| 82 | + use hashes::hex::ToHex; |
| 83 | + use hashes::sha256t::Tag; |
| 84 | + use hashes::{sha256, Hash, HashEngine}; |
| 85 | + |
| 86 | + fn tag_engine(tag_name: &str) -> sha256::HashEngine { |
| 87 | + let mut engine = sha256::Hash::engine(); |
| 88 | + let tag_hash = sha256::Hash::hash(tag_name.as_bytes()); |
| 89 | + engine.input(&tag_hash[..]); |
| 90 | + engine.input(&tag_hash[..]); |
| 91 | + engine |
| 92 | + } |
| 93 | + |
| 94 | + #[test] |
| 95 | + fn test_midstates() { |
| 96 | + // check midstate against hard-coded values |
| 97 | + assert_eq!(MIDSTATE_TAPLEAF, tag_engine("TapLeaf").midstate().into_inner()); |
| 98 | + assert_eq!(MIDSTATE_TAPBRANCH, tag_engine("TapBranch").midstate().into_inner()); |
| 99 | + assert_eq!(MIDSTATE_TAPTWEAK, tag_engine("TapTweak").midstate().into_inner()); |
| 100 | + assert_eq!(MIDSTATE_TAPSIGHASH, tag_engine("TapSighash").midstate().into_inner()); |
| 101 | + |
| 102 | + // test that engine creation roundtrips |
| 103 | + assert_eq!(tag_engine("TapLeaf").midstate(), TapLeafTag::engine().midstate()); |
| 104 | + assert_eq!(tag_engine("TapBranch").midstate(), TapBranchTag::engine().midstate()); |
| 105 | + assert_eq!(tag_engine("TapTweak").midstate(), TapTweakTag::engine().midstate()); |
| 106 | + assert_eq!(tag_engine("TapSighash").midstate(), TapSighashTag::engine().midstate()); |
| 107 | + |
| 108 | + // check that hash creation is the same as building into the same engine |
| 109 | + fn empty_hash(tag_name: &str) -> [u8; 32] { |
| 110 | + let mut e = tag_engine(tag_name); |
| 111 | + e.input(&[]); |
| 112 | + sha256::Hash::from_engine(e).into_inner() |
| 113 | + } |
| 114 | + assert_eq!(empty_hash("TapLeaf"), TapLeafHash::hash(&[]).into_inner()); |
| 115 | + assert_eq!(empty_hash("TapBranch"), TapBranchHash::hash(&[]).into_inner()); |
| 116 | + assert_eq!(empty_hash("TapTweak"), TapTweakHash::hash(&[]).into_inner()); |
| 117 | + assert_eq!(empty_hash("TapSighash"), TapSighashHash::hash(&[]).into_inner()); |
| 118 | + } |
| 119 | + |
| 120 | + #[test] |
| 121 | + fn test_vectors_core() { |
| 122 | + //! Test vectors taken from Core |
| 123 | +
|
| 124 | + // uninitialized writers |
| 125 | + // CHashWriter writer = HasherTapLeaf; |
| 126 | + // writer.GetSHA256().GetHex() |
| 127 | + assert_eq!( |
| 128 | + TapLeafHash::from_engine(TapLeafTag::engine()).to_hex(), |
| 129 | + "cbfa0621df37662ca57697e5847b6abaf92934a1a5624916f8d177a388c21252" |
| 130 | + ); |
| 131 | + assert_eq!( |
| 132 | + TapBranchHash::from_engine(TapBranchTag::engine()).to_hex(), |
| 133 | + "dffd9fbe4c21c893fa934f8774eda0e1efdc06f52ffbf5c1533c6f4dec73c353" |
| 134 | + ); |
| 135 | + assert_eq!( |
| 136 | + TapTweakHash::from_engine(TapTweakTag::engine()).to_hex(), |
| 137 | + "e4156b45ff9b277dd92a042af9eed8c91f1d037f68f0d6b20001ab749422a48a" |
| 138 | + ); |
| 139 | + assert_eq!( |
| 140 | + TapSighashHash::from_engine(TapSighashTag::engine()).to_hex(), |
| 141 | + "03c8b9d47cdb5f7bf924e282ce99ba8d2fe581262a04002907d8bc4a9111bcda" |
| 142 | + ); |
| 143 | + |
| 144 | + // 0-byte |
| 145 | + // CHashWriter writer = HasherTapLeaf; |
| 146 | + // writer << std::vector<unsigned char>{}; |
| 147 | + // writer.GetSHA256().GetHex() |
| 148 | + // Note that Core writes the 0 length prefix when an empty vector is written. |
| 149 | + assert_eq!( |
| 150 | + TapLeafHash::hash(&[0]).to_hex(), |
| 151 | + "29589d5122ec666ab5b4695070b6debc63881a4f85d88d93ddc90078038213ed" |
| 152 | + ); |
| 153 | + assert_eq!( |
| 154 | + TapBranchHash::hash(&[0]).to_hex(), |
| 155 | + "1deb45569eb6b2da88b5c2ab46d6a64ab08d58a2fdd5f75a24e6c760194b5392" |
| 156 | + ); |
| 157 | + assert_eq!( |
| 158 | + TapTweakHash::hash(&[0]).to_hex(), |
| 159 | + "1eea90d42a359c89bbf702ddf6bde140349e95b9e8036ff1c37f04e6b53787cd" |
| 160 | + ); |
| 161 | + assert_eq!( |
| 162 | + TapSighashHash::hash(&[0]).to_hex(), |
| 163 | + "cd10c023c300fb9a507dff136370fba1d8a0566667cfafc4099a8803e00dfdc2" |
| 164 | + ); |
| 165 | + } |
| 166 | +} |
0 commit comments