Merge bitcoin#24149: Signing support for Miniscript Descriptors

6c7a17a psbt: support externally provided preimages for Miniscript satisfaction (Antoine Poinsot)
840a396 qa: add a "smart" Miniscript fuzz target (Antoine Poinsot)
17e3547 qa: add a fuzz target generating random nodes from a binary encoding (Antoine Poinsot)
611e125 qa: functional test Miniscript signing with key and timelocks (Antoine Poinsot)
d57b7f2 refactor: make descriptors in Miniscript functional test more readable (Antoine Poinsot)
0a8fc9e wallet: check solvability using descriptor in AvailableCoins (Antoine Poinsot)
560e62b script/sign: signing support for Miniscripts with hash preimage challenges (Antoine Poinsot)
a2f81b6 script/sign: signing support for Miniscript with timelocks (Antoine Poinsot)
61c6d1a script/sign: basic signing support for Miniscript descriptors (Antoine Poinsot)
4242c1c Align 'e' property of or_d and andor with website spec (Pieter Wuille)
f5deb41 Various additional explanations of the satisfaction logic from Pieter (Pieter Wuille)
22c5b00 miniscript: satisfaction support (Antoine Poinsot)

Pull request description:

  This makes the Miniscript descriptors solvable.

  Note this introduces signing support for much more complex scripts than the wallet was previously able to solve, and the whole tooling isn't provided for a complete Miniscript integration in the wallet. Particularly, the PSBT<->Miniscript integration isn't entirely covered in this PR.

ACKs for top commit:
  achow101:
    ACK 6c7a17a
  sipa:
    utACK 6c7a17a (to the extent that it's not my own code).

Tree-SHA512: a71ec002aaf66bd429012caa338fc58384067bcd2f453a46e21d381ed1bacc8e57afb9db57c0fb4bf40de43b30808815e9ebc0ae1fbd9e61df0e7b91a17771cc

Author: fanquake

src/psbt.cpp

@@ -132,6 +132,18 @@ void PSBTInput::FillSignatureData(SignatureData& sigdata) const
     for (const auto& [pubkey, leaf_origin] : m_tap_bip32_paths) {
         sigdata.taproot_misc_pubkeys.emplace(pubkey, leaf_origin);
     }
+    for (const auto& [hash, preimage] : ripemd160_preimages) {
+        sigdata.ripemd160_preimages.emplace(std::vector<unsigned char>(hash.begin(), hash.end()), preimage);
+    }
+    for (const auto& [hash, preimage] : sha256_preimages) {
+        sigdata.sha256_preimages.emplace(std::vector<unsigned char>(hash.begin(), hash.end()), preimage);
+    }
+    for (const auto& [hash, preimage] : hash160_preimages) {
+        sigdata.hash160_preimages.emplace(std::vector<unsigned char>(hash.begin(), hash.end()), preimage);
+    }
+    for (const auto& [hash, preimage] : hash256_preimages) {
+        sigdata.hash256_preimages.emplace(std::vector<unsigned char>(hash.begin(), hash.end()), preimage);
+    }
 }
 
 void PSBTInput::FromSignatureData(const SignatureData& sigdata)

src/script/descriptor.cpp

@@ -1014,7 +1014,7 @@ class MiniscriptDescriptor final : public DescriptorImpl
         return false;
     }
 
-    bool IsSolvable() const override { return false; } // For now, mark these descriptors as non-solvable (as we don't have signing logic for them).
+    bool IsSolvable() const override { return true; }
     bool IsSingleType() const final { return true; }
 };
 

src/script/miniscript.cpp

@@ -172,8 +172,8 @@ Type ComputeType(Fragment fragment, Type x, Type y, Type z, const std::vector<Ty
             (y & "B"_mst).If(x << "Bdu"_mst) | // B=B_y*B_x*d_x*u_x
             (x & "o"_mst).If(y << "z"_mst) | // o=o_x*z_y
             (x & y & "m"_mst).If(x << "e"_mst && (x | y) << "s"_mst) | // m=m_x*m_y*e_x*(s_x+s_y)
-            (x & y & "zes"_mst) | // z=z_x*z_y, e=e_x*e_y, s=s_x*s_y
-            (y & "ufd"_mst) | // u=u_y, f=f_y, d=d_y
+            (x & y & "zs"_mst) | // z=z_x*z_y, s=s_x*s_y
+            (y & "ufde"_mst) | // u=u_y, f=f_y, d=d_y, e=e_y
             "x"_mst | // x
             ((x | y) & "ghij"_mst) | // g=g_x+g_y, h=h_x+h_y, i=i_x+i_y, j=j_x+j_y
             (x & y & "k"_mst); // k=k_x*k_y
@@ -201,7 +201,7 @@ Type ComputeType(Fragment fragment, Type x, Type y, Type z, const std::vector<Ty
             (y & z & "u"_mst) | // u=u_y*u_z
             (z & "f"_mst).If((x << "s"_mst) || (y << "f"_mst)) | // f=(s_x+f_y)*f_z
             (z & "d"_mst) | // d=d_z
-            (x & z & "e"_mst).If(x << "s"_mst || y << "f"_mst) | // e=e_x*e_z*(s_x+f_y)
+            (z & "e"_mst).If(x << "s"_mst || y << "f"_mst) | // e=e_z*(s_x+f_y)
             (x & y & z & "m"_mst).If(x << "e"_mst && (x | y | z) << "s"_mst) | // m=m_x*m_y*m_z*e_x*(s_x+s_y+s_z)
             (z & (x | y) & "s"_mst) | // s=s_z*(s_x+s_y)
             "x"_mst | // x
@@ -279,6 +279,76 @@ size_t ComputeScriptLen(Fragment fragment, Type sub0typ, size_t subsize, uint32_
     assert(false);
 }
 
+InputStack& InputStack::SetAvailable(Availability avail) {
+    available = avail;
+    if (avail == Availability::NO) {
+        stack.clear();
+        size = std::numeric_limits<size_t>::max();
+        has_sig = false;
+        malleable = false;
+        non_canon = false;
+    }
+    return *this;
+}
+
+InputStack& InputStack::SetWithSig() {
+    has_sig = true;
+    return *this;
+}
+
+InputStack& InputStack::SetNonCanon() {
+    non_canon = true;
+    return *this;
+}
+
+InputStack& InputStack::SetMalleable(bool x) {
+    malleable = x;
+    return *this;
+}
+
+InputStack operator+(InputStack a, InputStack b) {
+    a.stack = Cat(std::move(a.stack), std::move(b.stack));
+    if (a.available != Availability::NO && b.available != Availability::NO) a.size += b.size;
+    a.has_sig |= b.has_sig;
+    a.malleable |= b.malleable;
+    a.non_canon |= b.non_canon;
+    if (a.available == Availability::NO || b.available == Availability::NO) {
+        a.SetAvailable(Availability::NO);
+    } else if (a.available == Availability::MAYBE || b.available == Availability::MAYBE) {
+        a.SetAvailable(Availability::MAYBE);
+    }
+    return a;
+}
+
+InputStack operator|(InputStack a, InputStack b) {
+    // If only one is invalid, pick the other one. If both are invalid, pick an arbitrary one.
+    if (a.available == Availability::NO) return b;
+    if (b.available == Availability::NO) return a;
+    // If only one of the solutions has a signature, we must pick the other one.
+    if (!a.has_sig && b.has_sig) return a;
+    if (!b.has_sig && a.has_sig) return b;
+    if (!a.has_sig && !b.has_sig) {
+        // If neither solution requires a signature, the result is inevitably malleable.
+        a.malleable = true;
+        b.malleable = true;
+    } else {
+        // If both options require a signature, prefer the non-malleable one.
+        if (b.malleable && !a.malleable) return a;
+        if (a.malleable && !b.malleable) return b;
+    }
+    // Between two malleable or two non-malleable solutions, pick the smaller one between
+    // YESes, and the bigger ones between MAYBEs. Prefer YES over MAYBE.
+    if (a.available == Availability::YES && b.available == Availability::YES) {
+        return std::move(a.size <= b.size ? a : b);
+    } else if (a.available == Availability::MAYBE && b.available == Availability::MAYBE) {
+        return std::move(a.size >= b.size ? a : b);
+    } else if (a.available == Availability::YES) {
+        return a;
+    } else {
+        return b;
+    }
+}
+
 std::optional<std::vector<Opcode>> DecomposeScript(const CScript& script)
 {
     std::vector<Opcode> out;