bitcoinjs#1522 bla, bla

Author: motorina0

play/p2tr-witness.js

@@ -1,12 +1,13 @@
 const BN = require('bn.js'); // TODO: remove? see changelog bn.js
+const ecpair = require('../src/ecpair')
+const taggedHash = require('../src/crypto').taggedHash;
 
 const ANNEX_PREFIX = 0x50;
-const EC_P = Buffer.from('fffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f', 'hex');
-const P = new BN(EC_P);
-const P_REDUCTION = BN.red(P);
-const P_QUADRATIC_RESIDUE = P.addn(1).divn(4);
-const BN_3 = new BN(3);
-const BN_7 = new BN(7);
+const EC_N = Buffer.from('0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141', 'hex');
+
+const TAP_LEAF_TAG = Buffer.from('TapLeaf', 'utf8');
+const TAP_BRANCH_TAG = Buffer.from('TapBranch', 'utf8');
+const TAP_TWEAK_TAG = Buffer.from('TapTweak', 'utf8');
 
 const witnessHex = [
     "9675a9982c6398ea9d441cb7a943bcd6ff033cc3a2e01a0178a7d3be4575be863871c6bf3eef5ecd34721c784259385ca9101c3a313e010ac942c99de05aaaa602",
@@ -42,48 +43,42 @@ if (controlBlock.length < 33) {
 if ((controlBlock.length - 33) % 32 !== 0) {
     throw new Error('The control-block length is incorrect!');
 }
-if ((controlBlock.length - 33) / 32 > 128) {
+const m = (controlBlock.length - 33) / 32;
+if (m > 128) {
     throw new Error(`The control-block length is too large. Got ${controlBlock.length}.`);
 }
 const script = witness[witness.length - 2];
 
-const pxxx = controlBlock.slice(1, 33);
-
+const p = controlBlock.slice(1, 33);
+const v = controlBlock[0] & 0xfe; // leaf version
 
-const leafVersion = controlBlock[0] & 0xfe;
+const P = ecpair.liftX(p) // TODO: representation
 
 
+const k = [];
+const e = [];
+const xxx = Buffer.concat(Buffer.from(v), Buffer.from(compactSize(script.length)), script);
+k[0] = taggedHash(TAP_LEAF_TAG, xxx);
 
-function liftX(b) {
-    // check if x instance of buffer and length 32
-    const x = new BN(b).toRed(P_REDUCTION);
-    if (x.gte(P)) return null;
-    const ySq = x.redPow(BN_3).add(BN_7).mod(P);
-    const y = ySq.redPow(P_QUADRATIC_RESIDUE).mod(P);
 
-    console.log('ySq', ySq.toJSON());
-    console.log('y2', y.redPow(new BN(2)).mod(P).toJSON());
-    console.log('y', y.toJSON());
-    return y;
+for (let j = 0; j < m - 1; j++) {
+    e[j] = controlBlock.slice(33 + 32 * j, 65 + 32 * j);
+    if (k[j].compare(e[j]) < 0) {
+        k[j + 1] = taggedHash(TAP_BRANCH_TAG, k[j] || e[j]);
+    } else {
+        k[j + 1] = taggedHash(TAP_BRANCH_TAG, e[j] || k[j]);
+    }
 }
 
+const t = taggedHash(TAP_TWEAK_TAG, k[m + 1]);
+if (t.compare(EC_N) >= 0) {
+    throw new Error('Over the order of secp256k1')
+}
 
-// const p = BigInt('0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f');
-// const q = (p + 1n) / 4n;
-
-// function liftX(hex) {
-//     console.log('liftX IN');
-
-//     const x = BigInt(hex);
-
-//     if (x >= p) return null;
-//     const yy = (x ** 3n + 7n) % p;
-//     // const y = (yy ** q) % p;
-
-
-//     console.log('liftX OUT');
-//     return yy;
-// }
+//pointFromScalar
+const T = ecpair.pointFromScalar(t);
+const Q = ecpair.addPoints(P, T);
 
-const x = '0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798';
-const y = liftX(x);
+if (q !== x(Q) || (c[0] & 1) !== (y(Q) % 2)) {
+    throw new Error('xxxxxx')
+}

play/play.js

@@ -1,11 +1,14 @@
 const bscript = require('../src/script');
-const {
-    Transaction
-} = require('../src/transaction')
 
-const hex = '4da5fbaa000000002251206d1cb3f7811934f57a680ce8cabda34527cbcebf218a0fdc833b7a8e7df361ee';
+const hex = '7520c7b5db9562078049719228db2ac80cb9643ec96c8055aa3b29c2c03d4d99edb0ac';
 const prevout = Buffer.from(hex, 'hex');
-const prevsScriptOut = prevout.slice(9)
+const prevsScriptOut = prevout; //.slice(9)
 
 const asm = bscript.toASM(prevsScriptOut)
-console.log('######## asm: ', asm)
+console.log('######## asm: ', asm)
+
+const taggedHash = require('../src/crypto').taggedHash;
+
+const tag = Buffer.from('TapBranch', 'utf8')
+const hash = taggedHash(tag, prevout)
+console.log('hash', hash.toString('hex'));

src/crypto.js

@@ -33,3 +33,8 @@ function hash256(buffer) {
   return sha256(sha256(buffer));
 }
 exports.hash256 = hash256;
+function taggedHash(tag, buffer) {
+  const tagHash = sha256(tag);
+  return sha256(Buffer.concat([tagHash, tagHash, buffer]));
+}
+exports.taggedHash = taggedHash;

src/ecpair.js

@@ -87,8 +87,8 @@ function liftX(buffer) {
   typeforce(types.Buffer256bit, buffer);
   const x = new BN(buffer);
   if (x.gte(EC_P)) return null;
-  const xRed = x.toRed(EC_P_REDUCTION);
-  const ySq = xRed
+  const x1 = x.toRed(EC_P_REDUCTION);
+  const ySq = x1
     .redPow(BN_3)
     .add(BN_7)
     .mod(EC_P);
@@ -97,8 +97,9 @@ function liftX(buffer) {
     return null;
   }
   const y1 = (y & 1) === 0 ? y : EC_P.sub(y);
+  // TODO: which is the best format to return the coordinates?
   return Buffer.concat([
-    Buffer.from(x.toBuffer('be')),
+    Buffer.from(x1.toBuffer('be')),
     Buffer.from(y1.toBuffer('be')),
   ]);
 }

ts_src/crypto.ts

@@ -31,3 +31,8 @@ export function hash160(buffer: Buffer): Buffer {
 export function hash256(buffer: Buffer): Buffer {
   return sha256(sha256(buffer));
 }
+
+export function taggedHash(tag: Buffer, buffer: Buffer): Buffer {
+  const tagHash = sha256(tag);
+  return sha256(Buffer.concat([tagHash, tagHash, buffer]));
+}

ts_src/ecpair.ts

@@ -194,4 +194,7 @@ function makeRandom(options?: ECPairOptions): ECPair {
   return fromPrivateKey(d, options);
 }
 
-export { makeRandom, fromPrivateKey, fromPublicKey, fromWIF, liftX };
+const pointFromScalar = ecc.pointFromScalar; // could use the fromPrivateKey...
+const pointAdd = ecc.pointAdd;
+
+export { makeRandom, fromPrivateKey, fromPublicKey, fromWIF, liftX, pointFromScalar, pointAdd };

types/crypto.d.ts

@@ -3,3 +3,4 @@ export declare function sha1(buffer: Buffer): Buffer;
 export declare function sha256(buffer: Buffer): Buffer;
 export declare function hash160(buffer: Buffer): Buffer;
 export declare function hash256(buffer: Buffer): Buffer;
+export declare function taggedHash(tag: Buffer, buffer: Buffer): Buffer;