Bitcoin Forum
July 16, 2024, 11:50:40 PM *
News: Latest Bitcoin Core release: 27.0 [Torrent]
 
   Home   Help Search Login Register More  
Bitcoin Forum > Bitcoin > Development & Technical Discussion > Taproot formula
Pages: [1]
« previous topic next topic »
  Print  
Author Topic: Taproot formula  (Read 40 times)
amaclin1 (OP)
Sr. Member
****
Offline Offline

Activity: 812
Merit: 307


View Profile
Today at 01:39:00 PM
 #1
Help me with understanding taproot formulas

Assume the funding transaction sends to a taproot address [OP_1 push_bytes_32 KEY]
The spending transaction has the witness part
[param]
[param]
...
[SCRIPT]
[CBLOCK]

Is there a simple formula between SCRIPT, CBLOCK and KEY?
Something like SHA256 ( SCRIPT || CBLOCK ) == KEY?
achow101
Moderator
Legendary
*
expert
Offline Offline

Activity: 3458
Merit: 6791


Just writing some code


View Profile WWW
Today at 03:00:51 PM
 #2
The Control Block specifies a key and merkle branch hashes. You hash the script to get a leaf hash which is then combined with the merkle branch hashes until you get the root hash, which is applied as a tweak to the internal key in the control block.

There's no simple formula. It's all specified in BIP 341 in the Script Validation Rules section.
Bitcoin Core contributor | Tip Me! | GitHub | GPG Key Fingerprint 0x17565732E08E5E41
amaclin1 (OP)
Sr. Member
****
Offline Offline

Activity: 812
Merit: 307


View Profile
Today at 05:31:59 PM
 #3
Quote from: achow101 on Today at 03:00:51 PM
You hash the script
OK, let us take the simplest P2TR transaction ever encountered in main/testnet/etc chain

0) Take transaction txid which spends output xxxx:0
1) Take the taproot script from witness-part on input, hash it sha256. We got the a1=yyyy
2) ?
3) ?
achow101
Moderator
Legendary
*
expert
Offline Offline

Activity: 3458
Merit: 6791


Just writing some code


View Profile WWW
Today at 07:59:08 PM
 #4
Quote from: amaclin1 on Today at 05:31:59 PM
OK, let us take the simplest P2TR transaction ever encountered in main/testnet/etc chain
1. Check the control block is 33 + 32m bytes long, in this instance, it should be exactly 33 bytes.
2. Set leaf_version to be the first byte of the control block bitwise and with 0xfe
3. Extract p as the 2nd to 33rd bytes of the control block.
4. Set P by interpreting p as the x coordinate for a point on secp256k1 where the y coordinate is even.
4. Compute the hash kof the script as follows: sha256(sha256("TapLeaf") || sha256("TapLeaf") || leaf_version || compact_size(script) || script), where || is concatenation
5. Compute t as sha256(sha256("TapTweak") || sha256("TapTweak") || p || k) and interpret it as an integer.
6. Let Q = P + t * G where G is the generator for secp256k1
7. Check the x coordinate of Q matches the key in the output script
8. Check that the first bit of the first byte of the control block matches the parity of Q's y coordinate: control_block[0] & 1 == y(Q) mod 2

When the script tree has multiple possible scripts, there's more in the control block and hashing steps involving combining a merkle branch to calculate a merkle root.
Bitcoin Core contributor | Tip Me! | GitHub | GPG Key Fingerprint 0x17565732E08E5E41
Pages: [1]
  Print  
Bitcoin Forum > Bitcoin > Development & Technical Discussion > Taproot formula
 « previous topic next topic »
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!