Add price_oracle1 and price_oracle1_w

Arith becomes ArithInner. ArithInner does not check any rules on
placement on price_oracle1 or price_oracle1_w. Arith is the checked
version that we use the API. Even though it is ugly for the user to
write corresponding oracle1 and oracle1_w versions, atleast the type
system will test if it is incorrect

Author: sanket1729

bitcoind-tests/tests/setup/test_util.rs

@@ -51,6 +51,10 @@ pub struct PubData {
     pub values: HashMap<String, confidential::Value>,
     pub assets: HashMap<String, confidential::Asset>,
     pub spks: HashMap<String, elements::Script>,
+
+    // price oracle test data
+    pub timestamp: u64,
+    pub price: i64,
 }
 
 #[derive(Debug, Clone)]
@@ -134,6 +138,8 @@ impl TestData {
             values: HashMap::new(),
             assets: HashMap::new(),
             spks: HashMap::new(),
+            timestamp: 414315315u64, // Some dummy time
+            price: 50_000i64, // Some dummy price
         };
         let secretdata = SecretData {
             sks,

bitcoind-tests/tests/test_csfs.rs

@@ -3,7 +3,8 @@
 //! CheckSigFromStack integration tests
 //!
 
-use miniscript::{elements, bitcoin};
+use miniscript::extensions::{sighash_msg_price_oracle_1, check_sig_price_oracle_1};
+use miniscript::{elements, bitcoin, TxEnv};
 use elements::pset::PartiallySignedTransaction as Psbt;
 use elements::sighash::SigHashCache;
 use elements::taproot::{LeafVersion, TapLeafHash};
@@ -178,16 +179,48 @@ pub fn test_desc_satisfy(cl: &ElementsD, testdata: &TestData, desc: &str) -> Vec
             let sig = secp.sign_schnorr_with_aux_rand(&msg, keypair, &aux_rand);
             Some(sig)
         }
+
+        fn lookup_price_oracle_sig(
+                &self,
+                pk: &bitcoin::XOnlyPublicKey,
+                time: u64,
+            ) -> Option<(secp256k1::schnorr::Signature, i64, u64)> {
+            let xpk = pk.to_x_only_pubkey();
+            let known_xpks = &self.0.pubdata.x_only_pks;
+            let i = known_xpks.iter().position(|&x| x == xpk).unwrap();
+
+            // select a time ahead of the current test time
+            let time_signed = time + 1;
+            let price = self.0.pubdata.price as u64;
+            let sighash_msg = sighash_msg_price_oracle_1(time_signed, price);
+            let keypair = &self.0.secretdata.x_only_keypairs[i];
+            let mut aux_rand = [0u8; 32];
+            rand::thread_rng().fill_bytes(&mut aux_rand);
+
+            let secp = secp256k1::Secp256k1::new();
+            let sig = secp.sign_schnorr_with_aux_rand(&sighash_msg, keypair, &aux_rand);
+            assert!(check_sig_price_oracle_1(&secp, &sig, &xpk, time_signed, price));
+            Some((sig, self.0.pubdata.price, time_signed))
+        }
     }
 
     let psbt_sat = PsbtInputSatisfier::new(&psbt, 0);
     let csfs_sat = CsfsSatisfier(&testdata);
 
     let mut tx = psbt.extract_tx().unwrap();
+    let txouts = vec![psbt.inputs()[0].witness_utxo.clone().unwrap()];
+    let extracted_tx = tx.clone(); // Possible to optimize this, but we don't care for this
+    // Env requires reference of tx, while satisfaction requires mutable access to inputs.
+    let cov_sat = TxEnv::new(&extracted_tx, &txouts, 0).unwrap();
     derived_desc
-        .satisfy(&mut tx.input[0], (psbt_sat, csfs_sat))
+        .satisfy(&mut tx.input[0], (psbt_sat, csfs_sat, cov_sat))
         .expect("Satisfaction error");
 
+    for wit in tx.input[0].witness.script_witness.iter() {
+        println!("Witness: {} {:x?}", wit.len(), wit);
+    }
+
+
     // Send the transactions to bitcoin node for mining.
     // Regtest mode has standardness checks
     // Check whether the node accepts the transactions
@@ -222,6 +255,19 @@ fn test_descs(cl: &ElementsD, testdata: &TestData) {
     // test combining with other miniscript fragments
     let wit = test_desc_satisfy(cl, testdata, "tr(X!,and_b(pk(X2),a:csfs(X1,msg4)))");
     assert!(wit.len() == 4);
+
+    // test price oracle 1
+    let price = testdata.pubdata.price;
+    let wit = test_desc_satisfy(cl, testdata, &format!("tr(X!,and_v(v:pk(X2),num64_eq(price_oracle1(X1,123213),{})))", price));
+    assert_eq!(wit.len(), 4 + 2); // 4 witness elements + 1 for price oracle + 1 for time
+
+    // More complex tests
+    test_desc_satisfy(cl, testdata, "tr(X!,and_v(v:pk(X1),num64_eq(price_oracle1(X2,1),price_oracle1_w(X3,2))))");
+    test_desc_satisfy(cl, testdata, &format!("tr(X!,and_v(v:pk(X1),num64_eq({},price_oracle1_w(X3,2))))", price));
+    // Different keys and different times
+    test_desc_satisfy(cl, testdata, "tr(X!,and_v(v:pk(X2),num64_eq(price_oracle1(X3,1),price_oracle1_w(X4,23))))");
+    // Combination with other arith fragments
+    test_desc_satisfy(cl, testdata, "tr(X!,and_v(v:pk(X2),num64_eq(div(add(price_oracle1(X3,1),price_oracle1_w(X4,2)),2),price_oracle1_w(X5,2))))");
 }
 
 #[test]

doc/extension_spec.md

@@ -47,20 +47,26 @@ mod(x,y)                | `[X] [Y] DIV64 <1> EQUALVERIFY DROP`
 bitand(x,y)             | `[X] [Y] AND`
 bitor(x,y)              | `[X] [Y] OR (cannot fail)`
 bitxor(x,y)             | `[X] [Y] XOR (cannot fail)`
-price_oracle_1(K,T)     | `2DUP TOALTSTACK <T> OP_GREATERTHANEQ VERIFY CAT SHA256 <K> CHECKSIGFROMSTACKVERIFY OP_FROMATLSTACK`
+price_oracle1(K,T)      | `2DUP TOALTSTACK <T> OP_GREATERTHANEQ VERIFY CAT SHA256 <K> CHECKSIGFROMSTACKVERIFY OP_FROMATLSTACK`
+price_oracle1_w(K,T)    | `TOALTSTACK 2DUP TOALTSTACK <T> OP_GREATERTHANEQ VERIFY CAT SHA256 <K> CHECKSIGFROMSTACKVERIFY OP_FROMATLSTACK FROMALTSTACK SWAP`
 
 - The division operation pushes the quotient(a//b) such that the remainder a%b (must be non-negative and less than |b|).
 - neg(a) returns -a, whereas bitinv(a) returns ~a.
-- `price_oracle_1(K,T)` pushes a 64 bit LE integer(price) of signed with key K. It checks whether the price is signed
+- `price_oracle1(K,T)` pushes a 64 bit LE integer(price) of signed with key K. It checks whether the price is signed
 with at a timestamp greater than T. Roughly spea
     - K can be any `KEY` expression in descriptor format, but it not allowed to be uncompressed key.
     - T is a 64 byte LE UXIX timestamp.
-    - `_1` is the version of the oracle. There can be multiple versions of the
-oracle with different fragments. `price_oracle_1` creates a schnorr signature with given key `K` on a message that is
+    - `1` is the version of the oracle. There can be multiple versions of the
+oracle with different fragments. `price_oracle1` creates a schnorr signature with given key `K` on a message that is
 computed as: `sha256(T1||K)`
     - The fragment consumes three inputs from stack top: [`signature`, `timestamp`, `price`] where `price` is the
     stack top.
-
+    - `price_oracle1_w` must be used when the price_oracle is not the first leaf fragment. When price_oracle is the first
+    argument in fragment, use `price_oracle1`. For example,
+        - `num64_eq(price_oracle1_(K,T),10))` is valid, but `num64_eq(10,price_oracle1_(K,T))` is not.
+        - `num64_eq(price_oracle1_w(K,T),10))` is not valid, but `num64_eq(10,price_oracle1_w(K,T))` is also valid.
+        - `num64_eq(add(10,price_oracle1(K,T)),price_oracle1_w(K,T))` is not valid because `10` is the first leaf terminal.
+        - `num64_eq(add(price_oracle1(K,T),10),price_oracle1_w(K,T))` is valid because `price_oracle1` is the first leaf terminal.
 ## Comparison extensions
 
 As mentioned earlier, `NumExpr` directly does not fit in the miniscript model as it pushes a 8 byte computation result.