History for Taproot PR #19953 #19997

1. 
   sipa commented at 9:01 pm on September 22, 2020: member

   I’m opening this PR to give a convenient way to see the history #19953 goes through, as review comments get addressed.

   The intent is to only add commits here, and use merge commit when the real PR undergoes a rebase.

   It is marked draft as this branch isn’t expected to be merged.

   PREV="$(git rev-parse HEAD)"; git log --oneline upstream/master..HEAD | while read C L; do if [ "d${L:0:14}" == "d--- [TAPROOT] " ]; then if [ "d$PREV" != "" ]; then git diff --shortstat $C..$PREV | (read _ _ _ ADD _ DEL _; echo "### ${L:14:-4} (https://github.com/sipa/bitcoin/compare/$C...$PREV) [+$ADD -$DEL]:"); echo; fi; PREV=$C; PREVL=$L; else echo -n " * $C **${L}**: "; git show "$C" --format="%b" -s | awk '/^$/{exit} 1' | tr $'\n' ' '; echo; fi; done | tac

   Initial version (2020-09-20) [+2730 -118]

   • 0daa3708e2 scripted-diff: put ECDSA in name of signature functions: In preparation for adding Schnorr versions of CheckSig, VerifySignature, and ComputeEntry, give them an ECDSA specific name.
   • 135f12ad38 refactor: rename scriptPubKey in VerifyWitnessProgram to exec_script: The old name is confusing, as it doesn’t store a scriptPubKey, but the actually executed script.
   • f4d16cf644 refactor: keep spent outputs in PrecomputedTransactionData: A BIP-341 signature message may commit to the scriptPubKeys and amounts of all spent outputs (including other ones than the input being signed for spends), so keep them available to signature hashing code.
   • 60ce12334f Add TaggedHash function (BIP 340): This adds the TaggedHash function as defined by BIP340 to the hash module, which is used in BIP340 and BIP341 to produce domain-separated hashes.
   • 34da219826 Implement Taproot signature hashing (BIP 341): This implements the new sighashing scheme from BIP341, with all relevant whole-transaction values precomputed once and cached.
   • 52ddb42100 Support for Schnorr signatures and integration in SignatureCheckers (BIP 340): This enables the schnorrsig module in libsecp256k1, adds the relevant types and functions to src/pubkey, as well as in higher-level SignatureChecker classes. The (verification side of the) BIP340 test vectors is also added.
   • 828aed0abd Implement Taproot validation (BIP 341): This includes key path spending and script path spending, but not the Tapscript execution implementation (leaf 0xc0 remains unemcumbered in this commit).
   • a39a7ec822 Use ScriptExecutionData to pass through annex hash: Instead of recomputing the annex hash every time a signature is verified, compute it once and cache it in a new ScriptExecutionData structure.
   • ebce9826f9 Implement Tapscript script validation rules (BIP 342): This adds a new SigVersion::TAPSCRIPT, makes the necessary interpreter changes to make it implement BIP342, and uses them for leaf version 0xc0 in Taproot script path spends.
   • 812c85615c Make Taproot spends standard + policy limits: This adds a TxoutType::WITNESS_V1_TAPROOT for P2TR outputs, and permits spending them in standardness rules. No corresponding CTxDestination is added for it, as that isn’t needed until we want wallet integration. The taproot validation flags are also enabled for mempool transactions, and standardness rules are added (stack item size limit, no annexes).
   • 5ee49fd3b8 Activate Taproot/Tapscript on regtest (BIP 341, BIP 342): Define a versionbits-based activation for the new consensus rules on regtest. No activation or activation mechanism is defined for testnet or mainnet.
   • 697d461682 [TESTS] Add BIP340 Schnorr signature support to test framework: Add a pure Python implementation of BIP340 signing and verification, tested against the BIP’s test vectors.
   • fd6e288349 [TESTS] Functional tests for Schnorr/Taproot/Tapscript: A large functional test is added that automatically generates random transactions which exercise various aspects of the new rules, and verifies they are accepted into the mempool (when appropriate), and correctly accepted/rejected in (Python-constructed) blocks.
   • 64030b1152 [TESTS] Add minimized test vector as unit test: This adds a relatively small set of test cases for the BIP341/BIP342 script validation rules as a unit test. The tests were generated by modifying the feature_taproot.py randomized tester to dump the constructed transactions and witnesses used, and using the fuzzing framework to minimize it.

   Updates 2020-09-22 (https://github.com/sipa/bitcoin/compare/33b6a13c86...076dfd97a37678fb7fe818f94e37ede6b5d6048d) [+38 -38]:

   • 4f5272cf5c Document length assumption in XOnlyPubKey::VerifySchnorr correctly:
   • 672b1af9c2 Make IsOpSuccess match BIP text more closely:
   • c22d75b702 Use OP_SUCCESSx instead of SUCCESSx in error message:
   • 550edc05e5 Simplify/clarify tweak_add_{priv,pub}_key in tests:
   • 076dfd97a3 Python assert does not need parens:

   Update: test vectors in qa-assets (https://github.com/sipa/bitcoin/compare/388928824e...9dfcd363a9) [+98 -43]:

   • 00d8575ffc Always clone qa-assets repo in CI, but shallowly:
   • 35fc47be36 Improve script unit test and use qa-assets JSON:

   Updates 2020/09/23 (https://github.com/sipa/bitcoin/compare/9dfcd363a9...7d694f8f7606de64d864ed87d8fe1d2037a46ec6) [+6 -110]:

   • cdc57baa72 Script interpreter nits:
   • 2612d16422 Document implicit CLEANSTACK/MINIMALIF in witv0/tapscript execution:
   • 7d694f8f76 Remove script_taproot_tests (moved to qa-assets):

   Updates 2020/09/24 (https://github.com/sipa/bitcoin/compare/b5d2f3bab8...1ec9ce2ed7a8c95228f0c3ee473531eb8ab6119d) [+28 -13]:

   • 4181a0c1d6 Exit bip143/341 checking loop early:
   • 4e6c2005f4 Make SignatureHashCache take cache reference instead of pointer:
   • 29bf92a5b0 Use separate script error for tapscript MINIMALIF:
   • 1ec9ce2ed7 Add a test for consensus CLEANSTACK in tapscript:

   Updates 2020/10/01 (https://github.com/sipa/bitcoin/compare/8e8b45868b...99c50a691a) [+294 -27]:

   • ba4ac3e832 Improve some code comments:
   • c634f7ecdb Compute witnesses only once for each input in feature_taproot.py: Instead of re-evaluating the entire signing logic for every input, for every attempt, compute them once and reuse them.
   • 9e963a0ffb Run legacy tests with both compressed and uncompressed keys:
   • 687c91ae54 Use a separate prefix for legacy tests that need taproot validation tests:
   • 6d23fd6a09 Add support for dumping generated test cases:
   • 7d5fd3c1d9 Add fuzz ’test’ to minimize script_assets_test.json:

   Merge with master 2020/10/02 (https://github.com/sipa/bitcoin/compare/99c50a691a...6cf077da50e9a2a3fdeaac9e96be5312d3cb8d76) [+21666 -4524]:

   • 31031361c3 Merge remote-tracking branch ‘upstream/master’ into taproot-history:
   • 6cf077da50 Fix expected error message in feature_taproot.py:

   Updates 2020/10/06 (https://github.com/sipa/bitcoin/compare/490b974364...10b9a4836a3bf57ce59d741ae5dfab5cdf0186e6) [+11 -7]:

   • 4ade5781b4 Avoid a ScriptExecutionData copy in EvalScript:
   • 10b9a4836a Remove inadvertantly added newlines:

   Updates 2020/10/07 (https://github.com/sipa/bitcoin/compare/68ebf4a2de...836232441c41788c720a7858c0521c9ea405c5b7) [+21 -17]:

   • 3265f14e39 Variable naming/typing/calling improvements:
   • c1710042e5 Use more constexpr:
   • 2ea6a0a3c2 Consistent comment style:
   • 836232441c Add comments referencing the BIPs:

   Updates 2020/10/08 (https://github.com/sipa/bitcoin/compare/5a7897645a...67750a3e1ed1696c09a998d7f5758394d896f99d) [+85 -72]:

   • fb6bc8a099 Decide key_version based on sigversion instead of passing through:
   • 67750a3e1e Report more detailed signature validation errors:

   Updates 2020/10/11 (https://github.com/sipa/bitcoin/compare/ce24bbba4b...7029ff57025a5e3fcc755b5da288ff70e2f2d2d7) [+13 -15]:

   • 2127387e30 Add extra assertion on spent_outputs size:
   • 11c05b47d7 Rename fSuccess -> success in comments:
   • 1a464c6c4c Small fixes to feature_taproot.py:
   • 7029ff5702 Some style fixes:

   Updates 2020/10/12 (https://github.com/sipa/bitcoin/compare/36f4fa5ef9...4e2ac63b16a0764f903c639712cee86d8eacc96c) [+5 -5]:

   • 34a93d775a Really rename fuccess -> success in comments:
   • 4e2ac63b16 Pass tapleaf_hash by reference to VerifyTaprootCommitment:
2. --- [TAPROOT] Refactors --- 1d94d90a3b
3. scripted-diff: put ECDSA in name of signature functions

   In preparation for adding Schnorr versions of `CheckSig`, `VerifySignature`, and
   `ComputeEntry`, give them an ECDSA specific name.
   
   -BEGIN VERIFY SCRIPT-
   sed -i 's/CheckSig(/CheckECDSASignature(/g' $(git grep -l CheckSig ./src)
   sed -i 's/VerifySignature(/VerifyECDSASignature(/g' $(git grep -l VerifySignature ./src)
   sed -i 's/ComputeEntry(/ComputeEntryECDSA(/g' $(git grep -l ComputeEntry ./src)
   -END VERIFY SCRIPT-

   0daa3708e2
4. refactor: rename scriptPubKey in VerifyWitnessProgram to exec_script

   The old name is confusing, as it doesn't store a scriptPubKey, but the
   actually executed script.

   135f12ad38
5. refactor: keep spent outputs in PrecomputedTransactionData

   A BIP-341 signature message may commit to the scriptPubKeys and amounts
   of all spent outputs (including other ones than the input being signed
   for spends), so keep them available to signature hashing code.

   f4d16cf644
6. --- [TAPROOT] BIP340/341/342 consensus rules --- d6ea44640e
7. Add TaggedHash function (BIP 340)

   This adds the TaggedHash function as defined by BIP340 to the hash module, which
   is used in BIP340 and BIP341 to produce domain-separated hashes.

   60ce12334f
8. Implement Taproot signature hashing (BIP 341)

   This implements the new sighashing scheme from BIP341, with all relevant
   whole-transaction values precomputed once and cached.
   
   Includes changes to PrecomputedTransactionData by Pieter Wuille.

   34da219826
9. Support for Schnorr signatures and integration in SignatureCheckers (BIP 340)

   This enables the schnorrsig module in libsecp256k1, adds the relevant types
   and functions to src/pubkey, as well as in higher-level `SignatureChecker`
   classes. The (verification side of the) BIP340 test vectors is also added.

   52ddb42100
10. Implement Taproot validation (BIP 341)

    This includes key path spending and script path spending, but not the
    Tapscript execution implementation (leaf 0xc0 remains unemcumbered in
    this commit).
    
    Includes constants for various aspects of the consensus rules suggested
    by Jeremy Rubin.

    828aed0abd
11. Use ScriptExecutionData to pass through annex hash

    Instead of recomputing the annex hash every time a signature is verified, compute it
    once and cache it in a new ScriptExecutionData structure.

    a39a7ec822
12. Implement Tapscript script validation rules (BIP 342)

    This adds a new `SigVersion::TAPSCRIPT`, makes the necessary interpreter
    changes to make it implement BIP342, and uses them for leaf version 0xc0
    in Taproot script path spends.

    ebce9826f9
13. --- [TAPROOT] Regtest activation and policy --- 7b7d98123a
14. Make Taproot spends standard + policy limits

    This adds a `TxoutType::WITNESS_V1_TAPROOT` for P2TR outputs, and permits spending
    them in standardness rules. No corresponding `CTxDestination` is added for it,
    as that isn't needed until we want wallet integration. The taproot validation flags
    are also enabled for mempool transactions, and standardness rules are added
    (stack item size limit, no annexes).

    812c85615c
15. Activate Taproot/Tapscript on regtest (BIP 341, BIP 342)

    Define a versionbits-based activation for the new consensus rules on regtest.
    No activation or activation mechanism is defined for testnet or mainnet.

    5ee49fd3b8
16. --- [TAPROOT] Tests --- 7c9e623cde
17. [TESTS] Add BIP340 Schnorr signature support to test framework

    Add a pure Python implementation of BIP340 signing and verification, tested against
    the BIP's test vectors.

    697d461682
18. [TESTS] Functional tests for Schnorr/Taproot/Tapscript

    A large functional test is added that automatically generates random transactions which
    exercise various aspects of the new rules, and verifies they are accepted into the mempool
    (when appropriate), and correctly accepted/rejected in (Python-constructed) blocks.
    
    Includes sighashing code and many tests by Johnson Lau.
    Includes a test by Matthew Zipkin.
    Includes several tests and improvements by Greg Sanders.

    fd6e288349
19. [TESTS] Add minimized test vector as unit test

    This adds a relatively small set of test cases for the BIP341/BIP342
    script validation rules as a unit test. The tests were generated by
    modifying the feature_taproot.py randomized tester to dump the
    constructed transactions and witnesses used, and using the fuzzing
    framework to minimize it.

    64030b1152
20. DrahtBot added the label Build system on Sep 22, 2020
21. DrahtBot added the label Consensus on Sep 22, 2020
22. DrahtBot added the label RPC/REST/ZMQ on Sep 22, 2020
23. DrahtBot added the label TX fees and policy on Sep 22, 2020
24. DrahtBot added the label Validation on Sep 22, 2020
25. DrahtBot added the label Wallet on Sep 22, 2020
26. --- [TAPROOT] Updates 2020-09-22 --- 33b6a13c86
27. Document length assumption in XOnlyPubKey::VerifySchnorr correctly 4f5272cf5c
28. Make IsOpSuccess match BIP text more closely 672b1af9c2
29. Use OP_SUCCESSx instead of SUCCESSx in error message c22d75b702
30. Simplify/clarify tweak_add_{priv,pub}_key in tests 550edc05e5
31. Python assert does not need parens 076dfd97a3
32. sipa removed the label Build system on Sep 22, 2020
33. sipa removed the label RPC/REST/ZMQ on Sep 22, 2020
34. sipa removed the label TX fees and policy on Sep 22, 2020
35. sipa removed the label Validation on Sep 22, 2020
36. sipa removed the label Wallet on Sep 22, 2020
37. --- [TAPROOT] Update: test vectors in qa-assets --- 388928824e
38. sipa force-pushed on Sep 23, 2020
39. sipa force-pushed on Sep 23, 2020
40. 
    DrahtBot commented at 5:20 am on September 23, 2020: member

    The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

    Conflicts

    Reviewers, this pull request conflicts with the following ones:

    • #20121 (configure: Allow users to explicitly enable libsecp256k1’s GMP bignum support by luke-jr)
    • #20100 (Script: split policy/error consensus codes for CLEANSTACK, MINIMALIF by sanket1729)
    • #20035 (signet: Fix uninitialized read in validation by MarcoFalke)
    • #19935 (Move SaltedHashers to separate file and add some new ones by achow101)
    • #19792 (rpc: Add dumpcoinstats by fjahr)
    • #19602 (wallet: Migrate legacy wallets to descriptor wallets by achow101)
    • #19521 (Coinstats Index (without UTXO set hash) by fjahr)
    • #19438 (Introduce deploymentstatus by ajtowns)
    • #18788 (tests: Update more tests to work with descriptor wallets by achow101)
    • #16546 (External signer support - Wallet Box edition by Sjors)
    • #13533 ([tests] Reduced number of validations in tx_validationcache_tests by lucash-dev)
    • #13062 (Make script interpreter independent from storage type CScript by sipa)

    If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

41. Always clone qa-assets repo in CI, but shallowly 00d8575ffc
42. Improve script unit test and use qa-assets JSON 35fc47be36
43. sipa force-pushed on Sep 23, 2020
44. --- [TAPROOT] Updates 2020/09/23 --- 9dfcd363a9
45. Script interpreter nits cdc57baa72
46. Document implicit CLEANSTACK/MINIMALIF in witv0/tapscript execution 2612d16422
47. Remove script_taproot_tests (moved to qa-assets) 7d694f8f76
48. --- [TAPROOT] Updates 2020/09/24 --- b5d2f3bab8
49. Exit bip143/341 checking loop early 4181a0c1d6
50. Make SignatureHashCache take cache reference instead of pointer 4e6c2005f4
51. Use separate script error for tapscript MINIMALIF 29bf92a5b0
52. Add a test for consensus CLEANSTACK in tapscript 1ec9ce2ed7
53. --- [TAPROOT] Updates 2020/10/01 --- 8e8b45868b
54. Improve some code comments ba4ac3e832
55. Compute witnesses only once for each input in feature_taproot.py

    Instead of re-evaluating the entire signing logic for every input, for every
    attempt, compute them once and reuse them.

    c634f7ecdb
56. Run legacy tests with both compressed and uncompressed keys 9e963a0ffb
57. Use a separate prefix for legacy tests that need taproot validation tests 687c91ae54
58. Add support for dumping generated test cases 6d23fd6a09
59. Add fuzz 'test' to minimize script_assets_test.json 7d5fd3c1d9
60. sipa force-pushed on Oct 2, 2020
61. --- [TAPROOT] Merge with master 2020/10/02 --- 99c50a691a
62. Merge remote-tracking branch 'upstream/master' into taproot-history 31031361c3
63. Fix expected error message in feature_taproot.py 6cf077da50
64. sipa force-pushed on Oct 2, 2020
65. --- [TAPROOT] Updates 2020/10/06 --- 490b974364
66. Avoid a ScriptExecutionData copy in EvalScript 4ade5781b4
67. Remove inadvertantly added newlines 10b9a4836a
68. --- [TAPROOT] Updates 2020/10/07 --- 68ebf4a2de
69. Variable naming/typing/calling improvements 3265f14e39
70. Use more constexpr c1710042e5
71. Consistent comment style 2ea6a0a3c2
72. Add comments referencing the BIPs 836232441c
73. --- [TAPROOT] Updates 2020/10/08 --- 5a7897645a
74. Decide key_version based on sigversion instead of passing through fb6bc8a099
75. Report more detailed signature validation errors 67750a3e1e
76. --- [TAPROOT] Updates 2020/10/11 --- ce24bbba4b
77. Add extra assertion on spent_outputs size 2127387e30
78. Rename fSuccess -> success in comments 11c05b47d7
79. Small fixes to feature_taproot.py 1a464c6c4c
80. Some style fixes 7029ff5702
81. --- [TAPROOT] Updates 2020/10/12 --- 36f4fa5ef9
82. Really rename fuccess -> success in comments 34a93d775a
83. Pass tapleaf_hash by reference to VerifyTaprootCommitment 4e2ac63b16
84. laanwj referenced this in commit 3caee16946 on Oct 15, 2020
85. sipa closed this on Oct 15, 2020

    ---

86. sidhujag referenced this in commit ca9eeb33df on Oct 16, 2020
87. DrahtBot locked this on Feb 15, 2022

Contributors
sipa DrahtBot

Labels
Consensus