Merge #159: Tap tweak

apoelstra · apoelstra · commit 6606a0da18cd · 2023-04-14T13:31:36.000Z
7b3f081 Add From implementations (Christian Lewe) d58610e Add from_keypair (Christian Lewe) 4eed656 Add TweakedKeyPair methods (Christian Lewe) 19ff852 Add TweakedKeyPair (Christian Lewe) 063a8f5 Update TapTweak (Christian Lewe) Pull request description: Updates `TapTweak` to [latest rust-bitcoin](https://docs.rs/bitcoin/latest/bitcoin/key/trait.TapTweak.html) and adds `TweakedKeyPair`. ACKs for top commit: apoelstra: ACK 7b3f081 Tree-SHA512: 6a842533ce9a4483b3618b8a395b223f6943cd3ba79588805d65ad4ddbd04fac17f03a1eadaaecef267035d8a6dac8ac075e4c2ecee8e27134929c6073728ef5
diff --git a/src/schnorr.rs b/src/schnorr.rs
@@ -19,12 +19,10 @@
 
 use std::fmt;
 
-use secp256k1_zkp::Scalar;
-pub use secp256k1_zkp::{XOnlyPublicKey, KeyPair};
-use secp256k1_zkp::{self, Secp256k1, Verification, constants::SCHNORR_SIGNATURE_SIZE};
-use crate::hashes::{Hash, HashEngine};
 use crate::taproot::{TapBranchHash, TapTweakHash};
 use crate::SchnorrSigHashType;
+use secp256k1_zkp::{self, constants::SCHNORR_SIGNATURE_SIZE, Secp256k1, Verification};
+pub use secp256k1_zkp::{KeyPair, XOnlyPublicKey};
 
 /// Untweaked Schnorr public key
 pub type UntweakedPublicKey = XOnlyPublicKey;
@@ -33,38 +31,70 @@ pub type UntweakedPublicKey = XOnlyPublicKey;
 #[derive(Clone, Copy, PartialEq, Eq, PartialOrd, Ord, Hash, Debug)]
 pub struct TweakedPublicKey(XOnlyPublicKey);
 
-/// A trait for tweaking Schnorr public keys
+/// Untweaked Schnorr key pair
+pub type UntweakedKeyPair = KeyPair;
+
+/// Tweaked Schnorr key pair
+#[derive(Copy, Clone, PartialEq, Eq, PartialOrd, Ord, Hash, Debug)]
+pub struct TweakedKeyPair(KeyPair);
+
+/// A trait for tweaking Schnorr key types (x-only public keys and key pairs).
 pub trait TapTweak {
-    /// Tweaks an untweaked public key given an untweaked key and optional script tree merkle root.
+    /// Tweaked key type with optional auxiliary information
+    type TweakedAux;
+    /// Tweaked key type
+    type TweakedKey;
+
+    /// Tweaks an untweaked key with corresponding public key value and optional script tree merkle
+    /// root. For the [`KeyPair`] type this also tweaks the private key in the pair.
     ///
     /// This is done by using the equation Q = P + H(P|c)G, where
-    ///  * Q is the tweaked key
-    ///  * P is the internal key
+    ///  * Q is the tweaked public key
+    ///  * P is the internal public key
     ///  * H is the hash function
     ///  * c is the commitment data
     ///  * G is the generator point
-    fn tap_tweak<C: Verification>(self, secp: &Secp256k1<C>, merkle_root: Option<TapBranchHash>) -> (TweakedPublicKey, secp256k1_zkp::Parity);
+    ///
+    /// # Returns
+    /// The tweaked key and its parity.
+    fn tap_tweak<C: Verification>(
+        self,
+        secp: &Secp256k1<C>,
+        merkle_root: Option<TapBranchHash>,
+    ) -> Self::TweakedAux;
 
-    /// Directly convert an UntweakedPublicKey to a TweakedPublicKey
+    /// Directly converts to a `TweakedKey`
     ///
     /// This method is dangerous and can lead to loss of funds if used incorrectly.
     /// Specifically, in multi-party protocols a peer can provide a value that allows them to steal.
-    fn dangerous_assume_tweaked(self) -> TweakedPublicKey;
+    fn dangerous_assume_tweaked(self) -> Self::TweakedKey;
 }
 
 impl TapTweak for UntweakedPublicKey {
-    fn tap_tweak<C: Verification>(self, secp: &Secp256k1<C>, merkle_root: Option<TapBranchHash>) -> (TweakedPublicKey, secp256k1_zkp::Parity) {
-        // Compute the tweak
-        let mut engine = TapTweakHash::engine();
-        engine.input(&self.serialize());
-        merkle_root.map(|hash| engine.input(&hash));
-        let tweak_value: [u8; 32] = TapTweakHash::from_engine(engine).into_inner();
-        let tweak_value = Scalar::from_be_bytes(tweak_value).expect("hash value greater than curve order");
-
-        //Tweak the internal key by the tweak value
-        let (output_key, parity) = self.clone().add_tweak(secp, &tweak_value).expect("Tap tweak failed");
-        debug_assert!(self.tweak_add_check(&secp, &output_key, parity, tweak_value));
+    type TweakedAux = (TweakedPublicKey, secp256k1_zkp::Parity);
+    type TweakedKey = TweakedPublicKey;
+
+    /// Tweaks an untweaked public key with corresponding public key value and optional script tree
+    /// merkle root.
+    ///
+    /// This is done by using the equation Q = P + H(P|c)G, where
+    ///  * Q is the tweaked public key
+    ///  * P is the internal public key
+    ///  * H is the hash function
+    ///  * c is the commitment data
+    ///  * G is the generator point
+    ///
+    /// # Returns
+    /// The tweaked key and its parity.
+    fn tap_tweak<C: Verification>(
+        self,
+        secp: &Secp256k1<C>,
+        merkle_root: Option<TapBranchHash>,
+    ) -> (TweakedPublicKey, secp256k1_zkp::Parity) {
+        let tweak = TapTweakHash::from_key_and_tweak(self, merkle_root).to_scalar();
+        let (output_key, parity) = self.add_tweak(secp, &tweak).expect("Tap tweak failed");
 
+        debug_assert!(self.tweak_add_check(secp, &output_key, parity, tweak));
         (TweakedPublicKey(output_key), parity)
     }
 
@@ -74,8 +104,42 @@ impl TapTweak for UntweakedPublicKey {
     }
 }
 
+impl TapTweak for UntweakedKeyPair {
+    type TweakedAux = TweakedKeyPair;
+    type TweakedKey = TweakedKeyPair;
+
+    /// Tweaks private and public keys within an untweaked [`KeyPair`] with corresponding public key
+    /// value and optional script tree merkle root.
+    ///
+    /// This is done by tweaking private key within the pair using the equation q = p + H(P|c), where
+    ///  * q is the tweaked private key
+    ///  * p is the internal private key
+    ///  * H is the hash function
+    ///  * c is the commitment data
+    /// The public key is generated from a private key by multiplying with generator point, Q = qG.
+    ///
+    /// # Returns
+    /// The tweaked key and its parity.
+    fn tap_tweak<C: Verification>(self, secp: &Secp256k1<C>, merkle_root: Option<TapBranchHash>) -> TweakedKeyPair {
+        let (pubkey, _parity) = XOnlyPublicKey::from_keypair(&self);
+        let tweak = TapTweakHash::from_key_and_tweak(pubkey, merkle_root).to_scalar();
+        let tweaked = self.add_xonly_tweak(secp, &tweak).expect("Tap tweak failed");
+        TweakedKeyPair(tweaked)
+    }
+
+    fn dangerous_assume_tweaked(self) -> TweakedKeyPair {
+        TweakedKeyPair(self)
+    }
+}
 
 impl TweakedPublicKey {
+    /// Returns the [`TweakedPublicKey`] for `keypair`.
+    #[inline]
+    pub fn from_keypair(keypair: TweakedKeyPair) -> Self {
+        let (xonly, _parity) = keypair.0.x_only_public_key();
+        TweakedPublicKey(xonly)
+    }
+
     /// Create a new [TweakedPublicKey] from a [PublicKey]. No tweak is applied.
     pub fn new(key: XOnlyPublicKey) -> TweakedPublicKey {
         TweakedPublicKey(key)
@@ -92,6 +156,52 @@ impl TweakedPublicKey {
     }
 }
 
+impl TweakedKeyPair {
+    /// Creates a new [`TweakedKeyPair`] from a [`KeyPair`]. No tweak is applied, consider
+    /// calling `tap_tweak` on an [`UntweakedKeyPair`] instead of using this constructor.
+    ///
+    /// This method is dangerous and can lead to loss of funds if used incorrectly.
+    /// Specifically, in multi-party protocols a peer can provide a value that allows them to steal.
+    #[inline]
+    pub fn dangerous_assume_tweaked(pair: KeyPair) -> TweakedKeyPair {
+        TweakedKeyPair(pair)
+    }
+
+    /// Returns the underlying key pair.
+    #[inline]
+    pub fn to_inner(self) -> KeyPair {
+        self.0
+    }
+
+    /// Returns the [`TweakedPublicKey`] and its [`Parity`] for this [`TweakedKeyPair`].
+    #[inline]
+    pub fn public_parts(&self) -> (TweakedPublicKey, secp256k1_zkp::Parity) {
+        let (xonly, parity) = self.0.x_only_public_key();
+        (TweakedPublicKey(xonly), parity)
+    }
+}
+
+impl From<TweakedPublicKey> for XOnlyPublicKey {
+    #[inline]
+    fn from(pair: TweakedPublicKey) -> Self {
+        pair.0
+    }
+}
+
+impl From<TweakedKeyPair> for KeyPair {
+    #[inline]
+    fn from(pair: TweakedKeyPair) -> Self {
+        pair.0
+    }
+}
+
+impl From<TweakedKeyPair> for TweakedPublicKey {
+    #[inline]
+    fn from(pair: TweakedKeyPair) -> Self {
+        TweakedPublicKey::from_keypair(pair)
+    }
+}
+
 /// A BIP340-341 serialized schnorr signature with the corresponding hash type.
 #[derive(Debug, Copy, Clone, PartialEq, Eq)]
 #[cfg_attr(feature = "serde", derive(Serialize, Deserialize), serde(crate = "actual_serde"))]
diff --git a/src/taproot.rs b/src/taproot.rs
@@ -107,6 +107,12 @@ impl TapTweakHash {
         }
         TapTweakHash::from_engine(eng)
     }
+
+    /// Converts a `TapTweakHash` into a `Scalar` ready for use with key tweaking API.
+    pub fn to_scalar(self) -> Scalar {
+        // This is statistically extremely unlikely to panic.
+        Scalar::from_be_bytes(self.into_inner()).expect("hash value greater than curve order")
+    }
 }
 
 impl TapLeafHash {

Original file line number	Diff line number	Diff line change
`@@ -107,6 +107,12 @@ impl TapTweakHash {`
`107`	`107`	`}`
`108`	`108`	`TapTweakHash::from_engine(eng)`
`109`	`109`	`}`
	`110`	`+`
	`111`	+ /// Converts a `TapTweakHash` into a `Scalar` ready for use with key tweaking API.
	`112`	`+ pub fn to_scalar(self) -> Scalar {`
	`113`	`+ // This is statistically extremely unlikely to panic.`
	`114`	`+ Scalar::from_be_bytes(self.into_inner()).expect("hash value greater than curve order")`
	`115`	`+ }`
`110`	`116`	`}`
`111`	`117`
`112`	`118`	`impl TapLeafHash {`