Title: Taproot formula
Post by: amaclin1 on July 16, 2024, 01:39:00 PM

Help me with understanding taproot formulas
Assume the funding transaction sends to a taproot address
[OP_1 push_bytes_32 KEY]
The spending transaction has the witness part
[param] [param] ... [SCRIPT] [CBLOCK]
Is there a simple formula between SCRIPT, CBLOCK and KEY?
Something like SHA256 ( SCRIPT || CBLOCK ) == KEY?

Title: Re: Taproot formula
Post by: achow101 on July 16, 2024, 03:00:51 PM

The Control Block specifies a key and merkle branch hashes. You hash the script to get a leaf hash which is then combined with the merkle branch hashes until you get the root hash, which is applied as a tweak to the internal key in the control block.
There's no simple formula. It's all specified in BIP 341 in the Script Validation Rules section (https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki#script-validation-rules).

Title: Re: Taproot formula
Post by: amaclin1 on July 16, 2024, 05:31:59 PM

"You hash the script"

OK, let us take the simplest P2TR transaction ever encountered in main/testnet/etc chain
0) Take transaction txid which spends output xxxx:0
1) Take the taproot script from witness-part on input, hash it sha256. We got the a1=yyyy
2) ?
3) ?

Title: Re: Taproot formula
Post by: achow101 on July 16, 2024, 07:59:08 PM

"OK, let us take the simplest P2TR transaction ever encountered in main/testnet/etc chain"

1. Check the control block is 33 + 32m bytes long, in this instance, it should be exactly 33 bytes.
2. Set leaf_version to be the first byte of the control block bitwise and with 0xfe
3. Extract p as the 2nd to 33rd bytes of the control block.
4. Set P by interpreting p as the x coordinate for a point on secp256k1 where the y coordinate is even.
4. Compute the hash k of the script as follows: sha256(sha256("TapLeaf") || sha256("TapLeaf") || leaf_version || compact_size(script) || script), where || is concatenation
5. Compute t as sha256(sha256("TapTweak") || sha256("TapTweak") || p || k) and interpret it as an integer.
6. Let Q = P + t * G where G is the generator for secp256k1
7. Check the x coordinate of Q matches the key in the output script
8. Check that the first bit of the first byte of the control block matches the parity of Q's y coordinate: control_block[0] & 1 == y(Q) mod 2

When the script tree has multiple possible scripts, there's more in the control block and hashing steps involving combining a merkle branch to calculate a merkle root.
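
The steps from the last post as a runnable check (an added example, not code from the thread or from BIP 341's reference implementation). It goes one step further than the single-leaf case by folding in the merkle branch with BIP 341's TapBranch hash; the function names and the sample script and internal key are constructed for illustration.

```python
import hashlib
# secp256k1 field prime, group order and generator G
FP = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def tagged_hash(tag, msg):  # sha256(sha256(tag) || sha256(tag) || msg)
    return hashlib.sha256(hashlib.sha256(tag.encode()).digest() * 2 + msg).digest()

def point_add(a, b):  # affine addition; None is the point at infinity
    if a is None or b is None: return b if a is None else a
    if a[0] == b[0] and (a[1] + b[1]) % FP == 0: return None
    num, den = (3 * a[0] * a[0], 2 * a[1]) if a == b else (b[1] - a[1], b[0] - a[0])
    lam = num * pow(den, -1, FP) % FP
    x = (lam * lam - a[0] - b[0]) % FP
    return x, (lam * (a[0] - x) - a[1]) % FP

def point_mul(pt, k):  # double-and-add scalar multiplication
    r = None
    while k:
        if k & 1: r = point_add(r, pt)
        pt, k = point_add(pt, pt), k >> 1
    return r

def lift_x(x):  # the curve point with this x and an even y, or None
    y = pow((pow(x, 3, FP) + 7) % FP, (FP + 1) // 4, FP)
    if x >= FP or y * y % FP != (pow(x, 3, FP) + 7) % FP: return None
    return x, (y if y % 2 == 0 else FP - y)

def compact_size(n):  # Bitcoin variable-length integer (1-, 3- and 5-byte forms)
    if n < 0xfd: return bytes([n])
    return b"\xfd" + n.to_bytes(2, "little") if n <= 0xffff else b"\xfe" + n.to_bytes(4, "little")

def tweaked_key(script, cb):  # returns (x-only Q, parity of Q's y) or None on failure
    if len(cb) < 33 or (len(cb) - 33) % 32 or len(cb) > 33 + 32 * 128: return None
    P = lift_x(int.from_bytes(cb[1:33], "big"))
    k = tagged_hash("TapLeaf", bytes([cb[0] & 0xfe]) + compact_size(len(script)) + script)
    for i in range(33, len(cb), 32):  # merkle branch; empty for a single-leaf tree
        k = tagged_hash("TapBranch", b"".join(sorted([k, cb[i:i + 32]])))
    t = int.from_bytes(tagged_hash("TapTweak", cb[1:33] + k), "big")
    Q = point_add(P, point_mul(G, t)) if P and t < N else None
    return None if Q is None else (Q[0].to_bytes(32, "big"), Q[1] & 1)

def verify_script_path(output_key, script, cb):  # x of Q and parity bit must both match
    return tweaked_key(script, cb) == (output_key, cb[0] & 1 if cb else None)

# Constructed sample (not from the thread): script OP_1, internal key x(G), one leaf
SCRIPT, INTERNAL = b"\x51", G[0].to_bytes(32, "big")
KEY, PARITY = tweaked_key(SCRIPT, b"\xc0" + INTERNAL)
CBLOCK = bytes([0xc0 | PARITY]) + INTERNAL  # 33 bytes: leaf version/parity byte + p
```

Here KEY plays the role of the 32 bytes after OP_1 in the funding output, and SCRIPT and CBLOCK are the last two witness items of the spend.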