Bitcoin Forum>Bitcoin>Development & Technical Discussion
Author

Topic: Taproot formula (Read 127 times)

amaclin1
sr. member
Activity: 770
Merit: 305
Taproot formula
July 17, 2024, 01:52:26 PM
#5
Thank you very much!
This is 90% of needed me answer.
Unfortunately, I can not reproduce all the steps  Undecided
I was able to rewrite code from https://github.com/bitcoin/bips/blob/master/bip-0340/test-vectors.py for my project and finally got something like
Code:
const QByteArray Schnorr::sign ( const QByteArray& msg, const QByteArray& priv, const QByteArray& aux ) const
{
  [...]
}

bool Schnorr::verify ( const QByteArray& msg, const QByteArray& pub, const QByteArray& sig ) const
{
  [...]
  return res.x ( ) == r;
}
Is there a piece of runnable code (python for example) with test vectors for checking and debugging step-by-step all calculations for checking TapRoot inputs?
achow101
staff
Activity: 3458
Merit: 6793
Just writing some code
Re: Taproot formula
July 16, 2024, 03:59:08 PM
#4
Quote from: amaclin1 on July 16, 2024, 01:31:59 PM
OK, let us take the simplest P2TR transaction ever encountered in main/testnet/etc chain
1. Check the control block is 33 + 32m bytes long, in this instance, it should be exactly 33 bytes.
2. Set leaf_version to be the first byte of the control block bitwise and with 0xfe
3. Extract p as the 2nd to 33rd bytes of the control block.
4. Set P by interpreting p as the x coordinate for a point on secp256k1 where the y coordinate is even.
4. Compute the hash kof the script as follows: sha256(sha256("TapLeaf") || sha256("TapLeaf") || leaf_version || compact_size(script) || script), where || is concatenation
5. Compute t as sha256(sha256("TapTweak") || sha256("TapTweak") || p || k) and interpret it as an integer.
6. Let Q = P + t * G where G is the generator for secp256k1
7. Check the x coordinate of Q matches the key in the output script
8. Check that the first bit of the first byte of the control block matches the parity of Q's y coordinate: control_block[0] & 1 == y(Q) mod 2

When the script tree has multiple possible scripts, there's more in the control block and hashing steps involving combining a merkle branch to calculate a merkle root.
amaclin1
sr. member
Activity: 770
Merit: 305
Re: Taproot formula
July 16, 2024, 01:31:59 PM
#3
Quote from: achow101 on July 16, 2024, 11:00:51 AM
You hash the script
OK, let us take the simplest P2TR transaction ever encountered in main/testnet/etc chain

0) Take transaction txid which spends output xxxx:0
1) Take the taproot script from witness-part on input, hash it sha256. We got the a1=yyyy
2) ?
3) ?
achow101
staff
Activity: 3458
Merit: 6793
Just writing some code
Re: Taproot formula
July 16, 2024, 11:00:51 AM
#2
The Control Block specifies a key and merkle branch hashes. You hash the script to get a leaf hash which is then combined with the merkle branch hashes until you get the root hash, which is applied as a tweak to the internal key in the control block.

There's no simple formula. It's all specified in BIP 341 in the Script Validation Rules section.
amaclin1
sr. member
Activity: 770
Merit: 305
Re: Taproot formula
July 16, 2024, 09:39:00 AM
#1
Help me with understanding taproot formulas

Assume the funding transaction sends to a taproot address [OP_1 push_bytes_32 KEY]
The spending transaction has the witness part
[param]
[param]
...
[SCRIPT]
[CBLOCK]

Is there a simple formula between SCRIPT, CBLOCK and KEY?
Something like SHA256 ( SCRIPT || CBLOCK ) == KEY?
Bitcoin Forum>Bitcoin>Development & Technical Discussion
Jump to: