Merge BlockstreamResearch#246: update simplicity to 472b2105eacf00eedda0d9cc7c97c9c5edd9e9da

ec10a51 update simplicity to 472b2105eacf00eedda0d9cc7c97c9c5edd9e9da (Andrew Poelstra)

Pull request description:

  .

ACKs for top commit:
  uncomputable:
    ACK ec10a51

Tree-SHA512: aaf8e9f3410c92dd5329e620604d97536b6614f49900c0803bb1e9eb62dbd4593b7037a5e342844fcb1a48882cd234c3714786fde071df07176e26f50e18f743

Author: uncomputable

simplicity-sys/depend/jets_wrapper.c

@@ -22,6 +22,7 @@ WRAP_(asset_amount_hash)
 WRAP_(bip_0340_verify)
 WRAP_(build_tapbranch)
 WRAP_(build_tapleaf_simplicity)
+WRAP_(build_taptweak)
 WRAP_(calculate_asset)
 WRAP_(calculate_confidential_token)
 WRAP_(calculate_explicit_token)
@@ -449,6 +450,7 @@ WRAP_(subtract_64)
 WRAP_(subtract_8)
 WRAP_(swu)
 WRAP_(tap_env_hash)
+WRAP_(tapdata_init)
 WRAP_(tapleaf_hash)
 WRAP_(tapleaf_version)
 WRAP_(tappath)

simplicity-sys/depend/simplicity-HEAD-revision.txt

@@ -1,2 +1,2 @@
 # This file has been automatically generated.
-3daad68dc9e995fefcd5287fa5b15a7bfb13462a
+472b2105eacf00eedda0d9cc7c97c9c5edd9e9da

simplicity-sys/depend/simplicity/jets-secp256k1.c

@@ -1,4 +1,5 @@
 #include "jets.h"
+#include "taptweak.h"
 
 #include "precomputed.h"
 #include "prefix.h"
@@ -713,3 +714,39 @@ bool simplicity_hash_to_curve(frameItem* dst, frameItem src, const txEnv* env) {
   write_ge(dst, &ge);
   return true;
 }
+
+/* THIS IS NOT A JET.  It doesn't have the type signatue of a jet
+ * This is a generic taptweak jet implementation parameterized by the tag used in the hash.
+ * It is designed to be specialized to implement slightly different taptweak operations for Bitcoin and Elements.
+ *
+ * PUBKEY * TWO^256 |- PUBKEY
+ *
+ * Precondition: unsigned char[tagLen] tag
+ */
+bool simplicity_generic_taptweak(frameItem* dst, frameItem *src, const unsigned char *tagName, size_t tagLen) {
+  unsigned char buf[32];
+  secp256k1_xonly_pubkey input_pubkey, output_pubkey;
+  secp256k1_pubkey pubkey;
+  sha256_midstate taptweakTag, input_hash, output_hash;
+  {
+    sha256_context ctx = sha256_init(taptweakTag.s);
+    sha256_uchars(&ctx, tagName, tagLen);
+    sha256_finalize(&ctx);
+  }
+  sha256_context ctx = sha256_init(output_hash.s);
+  sha256_hash(&ctx, &taptweakTag);
+  sha256_hash(&ctx, &taptweakTag);
+
+  read8s(buf, 32, src);
+  sha256_uchars(&ctx, buf, 32);
+  if (!secp256k1_xonly_pubkey_parse(&input_pubkey, buf)) return false;
+  read32s(input_hash.s, 8, src);
+  sha256_hash(&ctx, &input_hash);
+  sha256_finalize(&ctx);
+  sha256_fromMidstate(buf, output_hash.s);
+  if (!secp256k1_xonly_pubkey_tweak_add(&pubkey, &input_pubkey, buf)) return false;
+  if (!secp256k1_xonly_pubkey_from_pubkey(&output_pubkey, NULL, &pubkey)) return false;
+  if (!secp256k1_xonly_pubkey_serialize(buf,&output_pubkey)) return false;
+  write8s(dst, buf, 32);
+  return true;
+}

simplicity-sys/depend/simplicity/jets.c

@@ -1403,3 +1403,23 @@ bool simplicity_parse_sequence(frameItem* dst, frameItem src, const txEnv* env)
   }
   return true;
 }
+
+/* simplicity_tapdata_init : ONE |- CTX8 */
+bool simplicity_tapdata_init(frameItem* dst, frameItem src, const txEnv* env) {
+  (void) env; /* env is unused. */
+  (void) src; /* env is unused. */
+
+  sha256_midstate tapleafTag;
+  {
+    static const unsigned char tagName[] = "TapData";
+    sha256_context ctx = sha256_init(tapleafTag.s);
+    sha256_uchars(&ctx, tagName, sizeof(tagName) - 1);
+    sha256_finalize(&ctx);
+  }
+  uint32_t iv[8];
+  sha256_context ctx = sha256_init(iv);
+  sha256_hash(&ctx, &tapleafTag);
+  sha256_hash(&ctx, &tapleafTag);
+
+  return simplicity_write_sha256_context(dst, &ctx);
+}

simplicity-sys/depend/simplicity/jets.h

@@ -395,5 +395,6 @@ bool simplicity_bip_0340_verify(frameItem* dst, frameItem src, const txEnv* env)
 
 bool simplicity_parse_lock(frameItem* dst, frameItem src, const txEnv* env);
 bool simplicity_parse_sequence(frameItem* dst, frameItem src, const txEnv* env);
+bool simplicity_tapdata_init(frameItem* dst, frameItem src, const txEnv* env);
 
 #endif

simplicity-sys/depend/simplicity/primitive/elements/jets.c

@@ -2,6 +2,7 @@
 
 #include "ops.h"
 #include "primitive.h"
+#include "../../taptweak.h"
 #include "../../simplicity_assert.h"
 
 /* Read a 256-bit hash value from the 'src' frame, advancing the cursor 256 cells.
@@ -862,6 +863,13 @@ bool simplicity_build_tapbranch(frameItem* dst, frameItem src, const txEnv* env)
   return true;
 }
 
+/* build_taptweak : PUBKEY * TWO^256 |- PUBKEY */
+bool simplicity_build_taptweak(frameItem* dst, frameItem src, const txEnv* env) {
+  (void) env; // env is unused.
+  static unsigned char taptweak[] = "TapTweak/elements";
+  return simplicity_generic_taptweak(dst, &src, taptweak, sizeof(taptweak)-1);
+}
+
 /* outpoint_hash : CTX8 * S TWO^256 * TWO^256 * TWO^32 |- CTX8 */
 bool simplicity_outpoint_hash(frameItem* dst, frameItem src, const txEnv* env) {
   (void) env; // env is unused.

simplicity-sys/depend/simplicity/primitive/elements/jets.h

@@ -72,6 +72,7 @@ bool simplicity_calculate_confidential_token(frameItem* dst, frameItem src, cons
 bool simplicity_lbtc_asset(frameItem* dst, frameItem src, const txEnv* env);
 bool simplicity_build_tapleaf_simplicity(frameItem* dst, frameItem src, const txEnv* env);
 bool simplicity_build_tapbranch(frameItem* dst, frameItem src, const txEnv* env);
+bool simplicity_build_taptweak(frameItem* dst, frameItem src, const txEnv* env);
 bool simplicity_outpoint_hash(frameItem* dst, frameItem src, const txEnv* env);
 bool simplicity_asset_amount_hash(frameItem* dst, frameItem src, const txEnv* env);
 bool simplicity_nonce_hash(frameItem* dst, frameItem src, const txEnv* env);

simplicity-sys/depend/simplicity/primitive/elements/primitive.c

@@ -1032,6 +1032,7 @@ static simplicity_err decodePrimitive(jetName* result, bitstream* stream) {
       switch (code) {
        case 1: *result = PARSE_LOCK; return SIMPLICITY_NO_ERROR;
        case 2: *result = PARSE_SEQUENCE; return SIMPLICITY_NO_ERROR;
+       case 3: *result = TAPDATA_INIT; return SIMPLICITY_NO_ERROR;
       }
       break;
     }
@@ -1079,6 +1080,7 @@ static simplicity_err decodePrimitive(jetName* result, bitstream* stream) {
        case 32: *result = ANNEX_HASH; return SIMPLICITY_NO_ERROR;
        case 33: *result = BUILD_TAPLEAF_SIMPLICITY; return SIMPLICITY_NO_ERROR;
        case 34: *result = BUILD_TAPBRANCH; return SIMPLICITY_NO_ERROR;
+       case 35: *result = BUILD_TAPTWEAK; return SIMPLICITY_NO_ERROR;
       }
       break;
      case 2: /* Timelock jets chapter */

simplicity-sys/depend/simplicity/primitive/elements/primitiveEnumJet.inc

@@ -17,6 +17,7 @@ ASSET_AMOUNT_HASH,
 BIP_0340_VERIFY,
 BUILD_TAPBRANCH,
 BUILD_TAPLEAF_SIMPLICITY,
+BUILD_TAPTWEAK,
 CALCULATE_ASSET,
 CALCULATE_CONFIDENTIAL_TOKEN,
 CALCULATE_EXPLICIT_TOKEN,
@@ -444,6 +445,7 @@ SUBTRACT_64,
 SUBTRACT_8,
 SWU,
 TAP_ENV_HASH,
+TAPDATA_INIT,
 TAPLEAF_HASH,
 TAPLEAF_VERSION,
 TAPPATH,

simplicity-sys/depend/simplicity/primitive/elements/primitiveJetNode.inc

@@ -143,6 +143,14 @@
 , .targetIx = ty_w256
 , .cost = 1843 /* milli weight units */
 }
+,[BUILD_TAPTWEAK] =
+{ .tag = JET
+, .jet = simplicity_build_taptweak
+, .cmr = {{0xa3234771u, 0xe7acebbfu, 0x7005eb3fu, 0xab4cb27au, 0x8ac253aau, 0x08918e75u, 0x1ec74c2eu, 0xf2a4354fu}}
+, .sourceIx = ty_w512
+, .targetIx = ty_w256
+, .cost = 92813 /* milli weight units */
+}
 ,[CALCULATE_ASSET] =
 { .tag = JET
 , .jet = simplicity_calculate_asset
@@ -3559,6 +3567,14 @@
 , .targetIx = ty_w256
 , .cost = 162 /* milli weight units */
 }
+,[TAPDATA_INIT] =
+{ .tag = JET
+, .jet = simplicity_tapdata_init
+, .cmr = {{0x1c17e3ecu, 0x888848f9u, 0xcc86fed1u, 0xa90714f0u, 0x5c7395a2u, 0x2764f8adu, 0x619729eeu, 0x52a6db05u}}
+, .sourceIx = ty_u
+, .targetIx = ty_ppmw256pmw128pmw64pmw32pmw16mw8pw64w256
+, .cost = 1178 /* milli weight units */
+}
 ,[TAPLEAF_HASH] =
 { .tag = JET
 , .jet = simplicity_tapleaf_hash

simplicity-sys/depend/simplicity/secp256k1/eckey.h

@@ -0,0 +1,29 @@
+/***********************************************************************
+ * Copyright (c) 2013, 2014 Pieter Wuille                              *
+ * Distributed under the MIT software license, see the accompanying    *
+ * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
+ ***********************************************************************/
+
+#ifndef SECP256K1_ECKEY_H
+#define SECP256K1_ECKEY_H
+
+#include <stddef.h>
+
+#include "group.h"
+#include "scalar.h"
+#if 0
+#include "ecmult.h"
+#include "ecmult_gen.h"
+
+static int secp256k1_eckey_pubkey_parse(secp256k1_ge *elem, const unsigned char *pub, size_t size);
+static int secp256k1_eckey_pubkey_serialize(secp256k1_ge *elem, unsigned char *pub, size_t *size, int compressed);
+
+static int secp256k1_eckey_privkey_tweak_add(secp256k1_scalar *key, const secp256k1_scalar *tweak);
+#endif
+static int secp256k1_eckey_pubkey_tweak_add(secp256k1_ge *key, const secp256k1_scalar *tweak);
+#if 0
+static int secp256k1_eckey_privkey_tweak_mul(secp256k1_scalar *key, const secp256k1_scalar *tweak);
+static int secp256k1_eckey_pubkey_tweak_mul(secp256k1_ge *key, const secp256k1_scalar *tweak);
+#endif
+
+#endif /* SECP256K1_ECKEY_H */

simplicity-sys/depend/simplicity/secp256k1/eckey_impl.h

@@ -0,0 +1,100 @@
+/***********************************************************************
+ * Copyright (c) 2013, 2014 Pieter Wuille                              *
+ * Distributed under the MIT software license, see the accompanying    *
+ * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
+ ***********************************************************************/
+
+#ifndef SECP256K1_ECKEY_IMPL_H
+#define SECP256K1_ECKEY_IMPL_H
+
+#include "eckey.h"
+
+#include "scalar.h"
+#include "field.h"
+#include "group.h"
+#if 0
+#include "ecmult_gen.h"
+
+static int secp256k1_eckey_pubkey_parse(secp256k1_ge *elem, const unsigned char *pub, size_t size) {
+    if (size == 33 && (pub[0] == SECP256K1_TAG_PUBKEY_EVEN || pub[0] == SECP256K1_TAG_PUBKEY_ODD)) {
+        secp256k1_fe x;
+        return secp256k1_fe_set_b32(&x, pub+1) && secp256k1_ge_set_xo_var(elem, &x, pub[0] == SECP256K1_TAG_PUBKEY_ODD);
+    } else if (size == 65 && (pub[0] == SECP256K1_TAG_PUBKEY_UNCOMPRESSED || pub[0] == SECP256K1_TAG_PUBKEY_HYBRID_EVEN || pub[0] == SECP256K1_TAG_PUBKEY_HYBRID_ODD)) {
+        secp256k1_fe x, y;
+        if (!secp256k1_fe_set_b32(&x, pub+1) || !secp256k1_fe_set_b32(&y, pub+33)) {
+            return 0;
+        }
+        secp256k1_ge_set_xy(elem, &x, &y);
+        if ((pub[0] == SECP256K1_TAG_PUBKEY_HYBRID_EVEN || pub[0] == SECP256K1_TAG_PUBKEY_HYBRID_ODD) &&
+            secp256k1_fe_is_odd(&y) != (pub[0] == SECP256K1_TAG_PUBKEY_HYBRID_ODD)) {
+            return 0;
+        }
+        return secp256k1_ge_is_valid_var(elem);
+    } else {
+        return 0;
+    }
+}
+
+static int secp256k1_eckey_pubkey_serialize(secp256k1_ge *elem, unsigned char *pub, size_t *size, int compressed) {
+    if (secp256k1_ge_is_infinity(elem)) {
+        return 0;
+    }
+    secp256k1_fe_normalize_var(&elem->x);
+    secp256k1_fe_normalize_var(&elem->y);
+    secp256k1_fe_get_b32(&pub[1], &elem->x);
+    if (compressed) {
+        *size = 33;
+        pub[0] = secp256k1_fe_is_odd(&elem->y) ? SECP256K1_TAG_PUBKEY_ODD : SECP256K1_TAG_PUBKEY_EVEN;
+    } else {
+        *size = 65;
+        pub[0] = SECP256K1_TAG_PUBKEY_UNCOMPRESSED;
+        secp256k1_fe_get_b32(&pub[33], &elem->y);
+    }
+    return 1;
+}
+
+static int secp256k1_eckey_privkey_tweak_add(secp256k1_scalar *key, const secp256k1_scalar *tweak) {
+    secp256k1_scalar_add(key, key, tweak);
+    return !secp256k1_scalar_is_zero(key);
+}
+#endif
+
+static int secp256k1_eckey_pubkey_tweak_add(secp256k1_ge *key, const secp256k1_scalar *tweak) {
+    secp256k1_gej pt;
+    secp256k1_scalar one;
+    secp256k1_gej_set_ge(&pt, key);
+    secp256k1_scalar_set_int(&one, 1);
+    secp256k1_ecmult(&pt, &pt, &one, tweak);
+
+    if (secp256k1_gej_is_infinity(&pt)) {
+        return 0;
+    }
+    secp256k1_ge_set_gej_var(key, &pt);
+    return 1;
+}
+
+#if 0
+static int secp256k1_eckey_privkey_tweak_mul(secp256k1_scalar *key, const secp256k1_scalar *tweak) {
+    int ret;
+    ret = !secp256k1_scalar_is_zero(tweak);
+
+    secp256k1_scalar_mul(key, key, tweak);
+    return ret;
+}
+
+static int secp256k1_eckey_pubkey_tweak_mul(secp256k1_ge *key, const secp256k1_scalar *tweak) {
+    secp256k1_scalar zero;
+    secp256k1_gej pt;
+    if (secp256k1_scalar_is_zero(tweak)) {
+        return 0;
+    }
+
+    secp256k1_scalar_set_int(&zero, 0);
+    secp256k1_gej_set_ge(&pt, key);
+    secp256k1_ecmult(&pt, &pt, tweak, &zero);
+    secp256k1_ge_set_gej(key, &pt);
+    return 1;
+}
+#endif
+
+#endif /* SECP256K1_ECKEY_IMPL_H */

simplicity-sys/depend/simplicity/secp256k1/extrakeys.h

@@ -33,4 +33,55 @@ static SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_parse(
     const unsigned char *input32
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2);
 
+/** Serialize an xonly_pubkey object into a 32-byte sequence.
+ *
+ *  Returns: 1 always.
+ *
+ *  Out: output32: a pointer to a 32-byte array to place the serialized key in.
+ *  In:    pubkey: a pointer to a secp256k1_xonly_pubkey containing an initialized public key.
+ */
+static int secp256k1_xonly_pubkey_serialize(
+    unsigned char *output32,
+    const secp256k1_xonly_pubkey* pubkey
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2);
+/** Converts a secp256k1_pubkey into a secp256k1_xonly_pubkey.
+ *
+ *  Returns: 1 always.
+ *
+ *  Out: xonly_pubkey: pointer to an x-only public key object for placing the converted public key.
+ *          pk_parity: Ignored if NULL. Otherwise, pointer to an integer that
+ *                     will be set to 1 if the point encoded by xonly_pubkey is
+ *                     the negation of the pubkey and set to 0 otherwise.
+ *  In:        pubkey: pointer to a public key that is converted.
+ */
+static SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_from_pubkey(
+    secp256k1_xonly_pubkey *xonly_pubkey,
+    int *pk_parity,
+    const secp256k1_pubkey *pubkey
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3);
+
+/** Tweak an x-only public key by adding the generator multiplied with tweak32
+ *  to it.
+ *
+ *  Note that the resulting point can not in general be represented by an x-only
+ *  pubkey because it may have an odd Y coordinate. Instead, the output_pubkey
+ *  is a normal secp256k1_pubkey.
+ *
+ *  Returns: 0 if the arguments are invalid or the resulting public key would be
+ *           invalid (only when the tweak is the negation of the corresponding
+ *           secret key). 1 otherwise.
+ *
+ *  Out:  output_pubkey: pointer to a public key to store the result. Will be set
+ *                       to an invalid value if this function returns 0.
+ *  In: internal_pubkey: pointer to an x-only pubkey to apply the tweak to.
+ *              tweak32: pointer to a 32-byte tweak. If the tweak is invalid
+ *                       according to secp256k1_ec_seckey_verify, this function
+ *                       returns 0. For uniformly random 32-byte arrays the
+ *                       chance of being invalid is negligible (around 1 in 2^128).
+ */
+static SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_tweak_add(
+    secp256k1_pubkey *output_pubkey,
+    const secp256k1_xonly_pubkey *internal_pubkey,
+    const unsigned char *tweak32
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
 #endif /* SECP256K1_EXTRAKEYS_H */