P2TR address from untweaked key

[nlanson]

Addressing issue #687.

Changes:

• New method Address::dangerous_p2tr that creates an address given an untweaked internal key and optional merkle root of a script tree. The method utilizes existing hash methods from within the library and key tweaking from the rust-secp256k1 library.
• Added a test to create a P2TR address from an internal key without a script tree. Test was taken from BIP-86.

Questions:

• Should key tweaking be a seperate function in it self? Since the secp256k1 key tweaking method does not hash the data, there could be a method that does the tweaking and commitment part of the Address::dangerous_p2tr method.
• What error should Address::dangerous_p2tr return if an error occurs while tweaking the internal key?

I would love feedback as this is my first PR to this repository.

See updated changes below

[Kixunil]

Alternative API idea:

• Have TweakedPublicKey and UntweakedPublicKey
• UntweakedPublicKey can be created from shnorrsig::PublicKey or is a type alias of shnorrsig::PublicKey
• Allow conversion between them by calling tweak() method.
• Allow direct conversion with dangerous_assume_tweaked() method

[nlanson]

Having a tweaked and untweaked type alias sounds like a good idea since it is ambiguous.

Something like this might work? It is my first time using type aliases so not sure what the convention is surrounding them.

type UntweakedPublicKey = PublicKey;
type TweakedPublicKey = PublicKey;

trait KeyTweaking {
    /// Tweaks an untweaked public key.
    fn tweak<C: Verification>(&self, secp: Secp256k1<C>, merkle_root: Option<TapBranchHash>) -> TweakedPublicKey;

    /// Directly convert an UntweakedPublicKey to a TweakedPublicKey 
    fn dangerous_assume_tweaked(&self) -> TweakedPublicKey;
}

impl KeyTweaking for UntweakedPublicKey {
    fn tweak<C: Verification>(&self, secp: Secp256k1<C>, merkle_root: Option<TapBranchHash>) -> TweakedPublicKey {
        // Applies the tweak to self
    }

    fn dangerous_assume_tweaked(&self) -> TweakedPublicKey {
        // Direct converstion
    }
}

and Address::p2tr can be update to take in an untweaked key:

/// Tweaks the internal key
pub fn p2tr<C: Verification>(
    secp: Secp256k1<C>, 
    internal_key: UntweakedPublicKey, 
    merkle_root: Option<TapBranchHash>, 
    network: Network
) -> Address {
    Address {
        network: network,
        payload: Payload::WitnessProgram {
            version: WitnessVersion::V1,
            program: internal_key.tweak(secp, merkle_root).serialize().to_vec()
        }
    }
}

/// Does not tweak the given key assuming it has already been tweaked
pub fn dangerous_p2tr<C: Verification>(
    internal_key: TweakedPublicKey, 
    network: Network
 ) -> Address {
    Address {
        network: network,
        payload: Payload::WitnessProgram {
            version: WitnessVersion::V1,
            program: internal_key.serialize().to_vec()
        }
    }
}

[Kixunil]

TweakedPublicKey should not be a type alias but a newtype: struct TweakedPublicKey(PublicKey);

Also I don't see why trait is useful and consuming self seems to make more sense.

pub type UntweakedPublicKey = PublicKey;
pub struct TweakedPublicKey(PublicKey);

impl UntweakedPublicKey {
    /// Tweaks an untweaked public key.
    pub fn tweak<C: Verification>(self, secp: Secp256k1<C>, merkle_root: Option<TapBranchHash>) -> TweakedPublicKey {
        // Applies the tweak to self
    }

    /// Directly convert an UntweakedPublicKey to a TweakedPublicKey 
    fn dangerous_assume_tweaked(self) -> TweakedPublicKey {
        TweakedPublicKey(self)
    }
}

impl TweakedPublicKey {
    fn into_raw(self) -> PublicKey {
        self.0
    }
}

[sanket1729]

+1 for the current suggestion from @Kixunil .

[nlanson]

Most recent commits include changes to reflect suggestions from @Kixunil and @sanket1729.

Changes

-Added two new structs in src/util/schnorr.rs to represent Tweaked and Untweaked public keys. The UntweakedPublicKey struct has methods to convert to a TweakedPublicKey with or without tweaking the underlying key.
-The dangerous API in Address is now the method that operates on tweaked keys. The non dangerous api is the method that operates on untweaked keys.

Please let me know if there is anything is wrong or missing.

[Kixunil]

The dangerous API in Address is now the method that operates on tweaked keys. The non dangerous api is the method that operates on untweaked keys.

I believe it should be the other way around? Or rather, only have non-dangerous API?

[nlanson]

The dangerous API in Address is now the method that operates on tweaked keys. The non dangerous api is the method that operates on untweaked keys.

I believe it should be the other way around? Or rather, only have non-dangerous API?

#687 points out that operating on tweaked keys is discouraged so I believe it is correct that Address::dangerous_p2tr() operates on tweaked keys and the regular Address::p2tr() operates on untweaked keys.

[Kixunil]

The API I suggested should remove the danger but maybe I'm missing something?

[dr-orlovsky]

Just to note that we still need API working on keys assumed to be tweaked (dangerous) for supporting pay-to-contract schemes with taproot, which will not follow exact BIP-341 recommendation and will tweak internal key not with its hash, but with some contract (non-script) hash.

[dr-orlovsky]

I think this is not needed

[sanket1729]

Better to have internal panic than incorrect results?

[dr-orlovsky]

How we can have an incorrect result if it is checked in line 58 already and this check adds nothing to that?

[dpc]

https://doc.rust-lang.org/std/macro.unreachable.html ?

[sanket1729]

The API I suggested should remove the danger but maybe I'm missing something?

Yes, it should. my bad! I would still prefer the regular p2tr() to operate on untweaked keys because that is how it is defined in the bitcoin descriptor spec. And maybe we can have p2tr_tweaked() as an additional API?

[nlanson]

Most recent commits include changes requested by @dr-orlovsky

Changes

• Rename tweak() method to tap_tweak() for ambiguity.
• Rename into_raw() method to into_inner().
• Renamed internal_key parameter to output_key to conform with BIP-341.
• Removes unnecessary allocation when computing tap tweak.

[nlanson]

I am still stuck on deciding whether UntweakedPublicKey should it's own new type or just a type alias. At the moment, it is it is a new type.

If it is going to be a type alias it will need to implement a trait as I cannot directly implement to PublicKey outside of the secp256k1 library.

I am leaning towards using a type alias though as it will make using the Address::p2tr() API easier.

[dr-orlovsky]

@nlanson I am up to have a type alias since it will simplify API usage overall (it's easier to use trait than to wrap/extract newtype inner value each time)

[dr-orlovsky]

LGTM. Will ACK once we will have a final code with type alias (if everyone agree upon that) and old code comments removed

[Kixunil]

We could also add TweakedPublicKey::new(...) so that the extension trait doesn't have to be used (but methods are nicer so the trait is still useful).

[nlanson]

Most recent commits now use a type alias instead of a new type for UntweakedPublicKey.

Changes

• Type alias and trait for UntweakedPublicKey
• Rename dangerous_p2tr(...) to p2tr_tweaked(...)
• Add TweakedPublicKey::new(...) method

[dr-orlovsky]

utACK 1a990b9b126ce8cf0b1f26b419cabc1d8621979c modulo several nets

But we need commits to be squashed before merging

[sanket1729]

This looks great, left a couple of nits. I agree with the overall API, I think commits can be squashed and we are good to go.

[nlanson]

Managed to squash the commits after battling with git for a good hour.

[dr-orlovsky]

utACK

[sanket1729]

Ack 803b5fe. Thanks @nlanson, this is an excellent firs time contribution.

[rebeccahermanreedroe-cpu]

What is this ?Is this done

[nlanson]

What is this ?Is this done

This PR was merged years ago.

[tcharding]

@nlanson they have internet in the mountains huh?

[nlanson]

Yep. And it's fast.

[tcharding]

Now you winding me up.