-rw-r--r--bip-0112.mediawiki2
-rw-r--r--bip-0119.mediawiki174
-rw-r--r--bip-0125.mediawiki2
-rw-r--r--bip-0174.mediawiki10
-rw-r--r--bip-0174/coinjoin-workflow.svg3
-rw-r--r--bip-0174/multisig-workflow.svg3
-rw-r--r--bip-0340.mediawiki2
-rw-r--r--bip-0371.mediawiki14
8 files changed, 100 insertions, 110 deletions
diff --git a/bip-0112.mediawiki b/bip-0112.mediawiki
index f3d370a..63a7797 100644
--- a/bip-0112.mediawiki
+++ b/bip-0112.mediawiki
@@ -388,7 +388,7 @@ Thanks to Eric Lombrozo and Anthony Towns for contributing example use cases.
[http://lists.linuxfoundation.org/pipermail/bitcoin-dev/2015-August/010396.html Softfork deployment considerations]
-[https://gist.github.com/sipa/bf69659f43e763540550 Version bits]
+[https://web.archive.org/web/20210925124425/https://gist.github.com/sipa/bf69659f43e763540550 Version bits]
[https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2013-April/002433.html Jeremy Spilman Micropayment Channels]
diff --git a/bip-0119.mediawiki b/bip-0119.mediawiki
index 96df4d9..304f228 100644
--- a/bip-0119.mediawiki
+++ b/bip-0119.mediawiki
@@ -153,7 +153,7 @@ variant where the coins move along the control path.
CHECKTEMPLATEVERIFY makes it much easier to set up trustless CoinJoins than
previously because participants agree on a single output which pays all
-participants, which will be lower fee than before. Further Each participant
+participants, which will be lower fee than before. Further each participant
doesn't need to know the totality of the outputs committed to by that output,
they only have to verify their own sub-tree will pay them. These trees can
then, using a top-level Schnorr key, be interactively updated on a rolling basis
@@ -161,98 +161,88 @@ forming a "Payment Pool".
==Detailed Specification==
-The below code is the main logic for verifying CHECKTEMPLATEVERIFY, and is the canonical
-specification for the semantics of OP_CHECKTEMPLATEVERIFY.
-
- case OP_CHECKTEMPLATEVERIFY:
- {
- // if flags not enabled; treat as a NOP4
- if (!(flags & SCRIPT_VERIFY_DEFAULT_CHECK_TEMPLATE_VERIFY_HASH)) {
- if (flags & SCRIPT_VERIFY_DISCOURAGE_UPGRADABLE_NOPS)
- return set_error(serror, SCRIPT_ERR_DISCOURAGE_UPGRADABLE_NOPS);
- break;
- }
-
- if (stack.size() < 1)
- return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
-
- // If the argument was not 32 bytes, treat as OP_NOP4:
- switch (stack.back().size()) {
- case 32:
- if (!checker.CheckDefaultCheckTemplateVerifyHash(stack.back())) {
- return set_error(serror, SCRIPT_ERR_TEMPLATE_MISMATCH);
- }
- break;
- default:
- // future upgrade can add semantics for this opcode with different length args
- // so discourage use when applicable
- if (flags & SCRIPT_VERIFY_DISCOURAGE_UPGRADABLE_NOPS) {
- return set_error(serror, SCRIPT_ERR_DISCOURAGE_UPGRADABLE_NOPS);
- }
- }
- }
- break;
-
-Where
-
- bool CheckDefaultCheckTemplateVerifyHash(const std::vector<unsigned char>& hash) {
- // note: for anti-DoS, a real implementation *must* cache parts of this computation
- // to avoid quadratic hashing DoS all variable length computations must be precomputed
- // including hashes of the scriptsigs, sequences, and outputs. See the section
- // "Denial of Service and Validation Costs" below.
- return GetDefaultCheckTemplateVerifyHash(current_tx, current_input_index) == uint256(hash);
- }
-
-The hash is computed as follows:
- // not DoS safe, for reference/testing!
- uint256 GetDefaultCheckTemplateVerifyHash(const CTransaction& tx, uint32_t input_index) {
- return GetDefaultCheckTemplateVerifyHash(tx, GetOutputsSHA256(tx), GetSequenceSHA256(tx), input_index);
- }
- // not DoS safe for reference/testing!
- uint256 GetDefaultCheckTemplateVerifyHash(const CTransaction& tx, const uint256& outputs_hash, const uint256& sequences_hash,
- const uint32_t input_index) {
- bool skip_scriptSigs = std::find_if(tx.vin.begin(), tx.vin.end(),
- [](const CTxIn& c) { return c.scriptSig != CScript(); }) == tx.vin.end();
- return skip_scriptSigs ? GetDefaultCheckTemplateVerifyHashEmptyScript(tx, outputs_hash, sequences_hash, input_index) :
- GetDefaultCheckTemplateVerifyHashWithScript(tx, outputs_hash, sequences_hash, GetScriptSigsSHA256(tx), input_index);
- }
- // DoS safe, fixed length hash!
- uint256 GetDefaultCheckTemplateVerifyHashWithScript(const CTransaction& tx, const uint256& outputs_hash, const uint256& sequences_hash,
- const uint256& scriptSig_hash, const uint32_t input_index) {
- auto h = CHashWriter(SER_GETHASH, 0)
- << tx.nVersion
- << tx.nLockTime
- << scriptSig_hash
- << uint32_t(tx.vin.size())
- << sequences_hash
- << uint32_t(tx.vout.size())
- << outputs_hash
- << input_index;
- return h.GetSHA256();
- }
- // DoS safe, fixed length hash!
- uint256 GetDefaultCheckTemplateVerifyHashEmptyScript(const CTransaction& tx, const uint256& outputs_hash, const uint256& sequences_hash,
- const uint32_t input_index) {
- auto h = CHashWriter(SER_GETHASH, 0)
- << tx.nVersion
- << tx.nLockTime
- << uint32_t(tx.vin.size())
- << sequences_hash
- << uint32_t(tx.vout.size())
- << outputs_hash
- << input_index;
- return h.GetSHA256();
- }
+The below code is the main logic for verifying CHECKTEMPLATEVERIFY, described
+in pythonic pseduocode. The canonical specification for the semantics of
+OP_CHECKTEMPLATEVERIFY as implemented in C++ in the context of Bitcoin Core can
+be seen in the reference implementation.
+
+The execution of the opcode is as follows:
+ def execute_bip_119(self):
+ # Before soft-fork activation / failed activation
+ if not self.flags.script_verify_default_check_template_verify_hash:
+ # Potentially set for node-local policy to discourage premature use
+ if self.flags.script_verify_discourage_upgradable_nops:
+ return self.errors_with(errors.script_err_discourage_upgradable_nops)
+ return self.return_as_nop()
+ # CTV always requires at least one stack argument
+ if len(self.stack) < 1:
+ return self.errors_with(errors.script_err_invalid_stack_operation)
+ # CTV only verifies the hash against a 32 byte argument
+ if len(self.stack[-1]) == 32:
+ # Ensure the precomputed data required for anti-DoS is available,
+ # or cache it on first use
+ if self.context.precomputed_ctv_data == None:
+ self.context.precomputed_ctv_data = self.context.tx.get_default_check_template_precomputed_data()
+ if stack[-1] != self.context.tx.get_default_check_template_hash(self.context.nIn, self.context.precomputed_ctv_data)
+ return self.errors_with(errors.script_err_template_mismatch)
+ return self.return_as_nop()
+ # future upgrade can add semantics for this opcode with different length args
+ # so discourage use when applicable
+ if self.flags.script_verify_discourage_upgradable_nops:
+ return self.errors_with(errors.script_err_discourage_upgradable_nops)
+ else:
+ return self.return_as_nop()
+
+The computation of this hash can be implemented as specified below (where self
+is the transaction type). Care must be taken that in any validation context,
+the precomputed data must be initialized to prevent Denial-of-Service attacks.
+Any implementation *must* cache these parts of the hash computation to avoid
+quadratic hashing DoS. All variable length computations must be precomputed
+including hashes of the scriptsigs, sequences, and outputs. See the section
+"Denial of Service and Validation Costs" below. This is not a performance
+optimization.
+
+ def get_default_check_template_precomputed_data(self):
+ result = {}
+ # If there are no scriptSigs we do not need to precompute a hash
+ if any(inp.scriptSig for inp in self.vin):
+ result["scriptSigs"] = sha256(b"".join(ser_string(inp.scriptSig) for inp in self.vin))
+ # The same value is also pre-computed for and defined in BIP-341 and can be shared
+ result["sequences"] = sha256(b"".join(struct.pack("<I", inp.nSequence) for inp in self.vin))
+ # The same value is also pre-computed for and defined in BIP-341 and can be shared
+ result["outputs"] = sha256(b"".join(out.serialize() for out in self.vout))
+ return result
+
+ # parameter precomputed must be passed in for DoS resistance
+ def get_default_check_template_hash(self, nIn, precomputed = None):
+ if precomputed == None:
+ precomputed = self.get_default_check_template_precomputed_data()
+ r = b""
+ # pack as 4 byte signed integer
+ r += struct.pack("<i", self.nVersion)
+ # pack as 4 byte unsigned integer
+ r += struct.pack("<I", self.nLockTime)
+ # we do not include the hash in the case where there is no
+ # scriptSigs
+ if "scriptSigs" in precomputed:
+ r += precomputed["scriptSigs"]
+ # pack as 4 byte unsigned integer
+ r += struct.pack("<I", len(self.vin))
+ r += precomputed["sequences"]
+ # pack as 4 byte unsigned integer
+ r += struct.pack("<I", len(self.vout))
+ r += precomputed["outputs"]
+ # pack as 4 byte unsigned integer
+ r += struct.pack("<I", nIn)
+ return sha256(r)
+
A PayToBareDefaultCheckTemplateVerifyHash output matches the following template:
- bool CScript::IsPayToBareDefaultCheckTemplateVerifyHash() const
- {
- // Extra-fast test for pay-to-basic-standard-template CScripts:
- return (this->size() == 34 &&
- (*this)[0] == 0x20 &&
- (*this)[33] == OP_CHECKTEMPLATEVERIFY);
- }
+ # Extra-fast test for pay-to-basic-standard-template CScripts:
+ def is_pay_to_bare_default_check_template_verify_hash(self):
+ return len(self) == 34 and self[0] == 0x20 and self[-1] == OP_CHECKTEMPLATEVERIFY
+
==Deployment==
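Review bot: In `execute_bip_119` the template comparison is written `if stack[-1] != self.context.tx.get_default_check_template_hash(...)` with a bare `stack` and no trailing colon, while the two checks above it use `self.stack`. Since this pseudocode replaces the removed C++ listing as the readable description of the opcode, the line should read `if self.stack[-1] != self.context.tx.get_default_check_template_hash(self.context.nIn, self.context.precomputed_ctv_data):`. Separately, `get_default_check_template_hash` declares `precomputed = None` and silently recomputes the scriptSig, sequence and output hashes when the argument is omitted, which is the quadratic-hashing path the paragraph above it says an implementation must not take. Its comment could say so directly, e.g. `# precomputed=None recomputes every hash and is for reference/testing only; validation code must pass the cached data`. The new introductory sentence also misspells "pseudocode" as "pseduocode".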
@@ -541,9 +531,7 @@ is O(T) (the size of the transaction).
An example of a script that could experience an DoS issue without caching is:
-```
-<H> CTV CTV CTV... CTV
-```
+ <H> CTV CTV CTV... CTV
Such a script would cause the intepreter to compute hashes (supposing N CTV's) over O(N*T) data.
If the scriptSigs non-nullity is not cached, then the O(T) transaction could be scanned over O(N)
diff --git a/bip-0125.mediawiki b/bip-0125.mediawiki
index e43ddb1..8cd7649 100644
--- a/bip-0125.mediawiki
+++ b/bip-0125.mediawiki
@@ -132,7 +132,7 @@ confirmed, and so some users advocated that replacement should be
disallowed.
To address those concerns, a variation on RBF was created that
-required that the replacement transaction pay all of same outputs as
+required that the replacement transaction pay all of the same outputs as
the original transaction in equal or greater amount. This was called
RBF First Seen Safe (RBF-FSS), and the original RBF became known as
full-RBF. Although agreeable to recipients who relied on the
diff --git a/bip-0174.mediawiki b/bip-0174.mediawiki
index bf33145..f1decfd 100644
--- a/bip-0174.mediawiki
+++ b/bip-0174.mediawiki
@@ -101,7 +101,7 @@ The currently defined global types are as follows:
| <tt><transaction></tt>
| The transaction in network serialization. The scriptSigs and witnesses for each input must be empty. The transaction must be in the old serialization format (without witnesses).
| 0
-|
+| 2
| 0
| 174
|-
@@ -444,7 +444,7 @@ The currently defined per-input types are defined as follows:
| <tt><control block></tt>
| The control block for this leaf as specified in BIP 341. The control block contains the merkle tree path to this leaf.
| <tt><script> <8-bit uint></tt>
-| The script for this leaf as would be provided in the witness stack followed by the single byte leaf version. Note that the leaves included in this field should be those that the signers of this input are expected to be able to sign for. Finalizers should remove this field after <tt>PSBT_IN_FINAL_SCRIPTWITNESS</tt> is constructed. Finalizers should remove this field after <tt>PSBT_IN_FINAL_SCRIPTWITNESS</tt> is constructed.
+| The script for this leaf as would be provided in the witness stack followed by the single byte leaf version. Note that the leaves included in this field should be those that the signers of this input are expected to be able to sign for. Finalizers should remove this field after <tt>PSBT_IN_FINAL_SCRIPTWITNESS</tt> is constructed.
|
|
| 0, 2
@@ -465,7 +465,7 @@ The currently defined per-input types are defined as follows:
| <tt>PSBT_IN_TAP_INTERNAL_KEY = 0x17</tt>
| None
| No key data
-| <tt><pubkey></tt>
+| <tt><xonlypubkey></tt>
| The X-only pubkey used as the internal key in this output. Finalizers should remove this field after <tt>PSBT_IN_FINAL_SCRIPTWITNESS</tt> is constructed.
|
|
@@ -476,7 +476,7 @@ The currently defined per-input types are defined as follows:
| <tt>PSBT_IN_TAP_MERKLE_ROOT = 0x18</tt>
| None
| No key data
-| <tt><pubkey></tt>
+| <tt><32-byte hash></tt>
| The 32 byte Merkle root hash. Finalizers should remove this field after <tt>PSBT_IN_FINAL_SCRIPTWITNESS</tt> is constructed.
|
|
@@ -570,7 +570,7 @@ determine which outputs are change outputs and verify that the change is returni
| <tt>PSBT_OUT_TAP_INTERNAL_KEY = 0x05</tt>
| None
| No key data
-| <tt><pubkey></tt>
+| <tt><xonlypubkey></tt>
| The X-only pubkey used as the internal key in this output.
|
|
diff --git a/bip-0174/coinjoin-workflow.svg b/bip-0174/coinjoin-workflow.svg
index 67a0aad..4c2a041 100644
--- a/bip-0174/coinjoin-workflow.svg
+++ b/bip-0174/coinjoin-workflow.svg
@@ -1,5 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
-<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="420.819pt" height="118.266pt" viewBox="0 0 420.819 118.266" version="1.1">
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="420.819pt" height="118.266pt"
+ viewBox="0 0 420.819 118.266" style="background-color:white" version="1.1">
<defs>
<g>
<symbol overflow="visible" id="glyph0-0">
diff --git a/bip-0174/multisig-workflow.svg b/bip-0174/multisig-workflow.svg
index 951b49e..8abe4c5 100644
--- a/bip-0174/multisig-workflow.svg
+++ b/bip-0174/multisig-workflow.svg
@@ -1,5 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
-<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="375.988pt" height="411.906pt" viewBox="0 0 375.988 411.906" version="1.1">
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="375.988pt" height="411.906pt"
+ viewBox="0 0 375.988 411.906" style="background-color:white" version="1.1">
<defs>
<g>
<symbol overflow="visible" id="glyph0-0">
diff --git a/bip-0340.mediawiki b/bip-0340.mediawiki
index b5a47d3..9573846 100644
--- a/bip-0340.mediawiki
+++ b/bip-0340.mediawiki
@@ -233,7 +233,7 @@ Adaptor signatures, beyond the efficiency and privacy benefits of encoding scrip
=== Blind Signatures ===
-A blind signature protocol is an interactive protocol that enables a signer to sign a message at the behest of another party without learning any information about the signed message or the signature. Schnorr signatures admit a very [https://www.math.uni-frankfurt.de/~dmst/research/papers/schnorr.blind_sigs_attack.2001.pdf simple blind signature scheme] which is however insecure because it's vulnerable to [https://www.iacr.org/archive/crypto2002/24420288/24420288.pdf Wagner's attack]. A known mitigation is to let the signer abort a signing session with a certain probability, and the resulting scheme can be [https://eprint.iacr.org/2019/877 proven secure under non-standard cryptographic assumptions].
+A blind signature protocol is an interactive protocol that enables a signer to sign a message at the behest of another party without learning any information about the signed message or the signature. Schnorr signatures admit a very [http://publikationen.ub.uni-frankfurt.de/files/4292/schnorr.blind_sigs_attack.2001.pdf simple blind signature scheme] which is however insecure because it's vulnerable to [https://www.iacr.org/archive/crypto2002/24420288/24420288.pdf Wagner's attack]. A known mitigation is to let the signer abort a signing session with a certain probability, and the resulting scheme can be [https://eprint.iacr.org/2019/877 proven secure under non-standard cryptographic assumptions].
Blind Schnorr signatures could for example be used in [https://github.com/ElementsProject/scriptless-scripts/blob/master/md/partially-blind-swap.md Partially Blind Atomic Swaps], a construction to enable transferring of coins, mediated by an untrusted escrow agent, without connecting the transactors in the public blockchain transaction graph.
diff --git a/bip-0371.mediawiki b/bip-0371.mediawiki
index 189c36f..665a97b 100644
--- a/bip-0371.mediawiki
+++ b/bip-0371.mediawiki
@@ -70,7 +70,7 @@ The new per-input types are defined as follows:
| <tt><control block></tt>
| The control block for this leaf as specified in BIP 341. The control block contains the merkle tree path to this leaf.
| <tt><script> <8-bit uint></tt>
-| The script for this leaf as would be provided in the witness stack followed by the single byte leaf version. Note that the leaves included in this field should be those that the signers of this input are expected to be able to sign for. Finalizers should remove this field after <tt>PSBT_IN_FINAL_SCRIPTWITNESS</tt> is constructed. Finalizers should remove this field after <tt>PSBT_IN_FINAL_SCRIPTWITNESS</tt> is constructed.
+| The script for this leaf as would be provided in the witness stack followed by the single byte leaf version. Note that the leaves included in this field should be those that the signers of this input are expected to be able to sign for. Finalizers should remove this field after <tt>PSBT_IN_FINAL_SCRIPTWITNESS</tt> is constructed.
|
|
| 0, 2
@@ -89,7 +89,7 @@ The new per-input types are defined as follows:
| <tt>PSBT_IN_TAP_INTERNAL_KEY = 0x17</tt>
| None
| No key data
-| <tt><pubkey></tt>
+| <tt><xonlypubkey></tt>
| The X-only pubkey used as the internal key in this output.<ref>'''Why is the internal key provided?'''The internal key is not necessarily the same key as in the Taproot output script. BIP 341 recommends tweaking the key with the hash of itself. It may be necessary for signers to know what the internal key actually is so that they are able to determine whether an input can be signed by it.</ref> Finalizers should remove this field after <tt>PSBT_IN_FINAL_SCRIPTWITNESS</tt> is constructed.
|
|
@@ -99,7 +99,7 @@ The new per-input types are defined as follows:
| <tt>PSBT_IN_TAP_MERKLE_ROOT = 0x18</tt>
| None
| No key data
-| <tt><pubkey></tt>
+| <tt><32-byte hash></tt>
| The 32 byte Merkle root hash. Finalizers should remove this field after <tt>PSBT_IN_FINAL_SCRIPTWITNESS</tt> is constructed.
|
|
@@ -123,7 +123,7 @@ The new per-output types are defined as follows:
| <tt>PSBT_OUT_TAP_INTERNAL_KEY = 0x05</tt>
| None
| No key data
-| <tt><pubkey></tt>
+| <tt><xonlypubkey></tt>
| The X-only pubkey used as the internal key in this output.
|
|
@@ -196,12 +196,12 @@ The following are invalid PSBTs:
** Base64 String: <pre>cHNidP8BAF4CAAAAAZvUh2UjC/mnLmYgAflyVW5U8Mb5f+tWvLVgDYF/aZUmAQAAAAD/////AUjmBSoBAAAAIlEgAw2k/OT32yjCyylRYx4ANxOFZZf+ljiCy1AOaBEsymMAAAAAAAEBKwDyBSoBAAAAIlEgwiR++/2SrEf29AuNQtFpF1oZ+p+hDkol1/NetN2FtpJCFAIssTrGgkjegGqmo2Wc88A+toIdCcgRSk6Gj+vehlu20s2XDhX1P8DIL5UP1WD/qRm3YXK+AXNoqJkTrwdPQAsJQIl1aqNznMxonsD886NgvjLMC1mxbpOh6LtGBXJrLKej/3BsQXZkljKyzGjh+RK4pXjjcZzncQiFx6lm9JvNQ8sAAA==</pre>
* Case: PSBT With <tt>PSBT_IN_TAP_SCRIPT_SIG</tt> signature that is too long
-** Bytes in Hex: <pre><0736274ff01005e02000000019bd48765230bf9a72e662001f972556e54f0c6f97feb56bcb5600d817f6995260100000000ffffffff0148e6052a01000000225120030da4fce4f7db28c2cb2951631e003713856597fe963882cb500e68112cca63000000000001012b00f2052a01000000225120c2247efbfd92ac47f6f40b8d42d169175a19fa9fa10e4a25d7f35eb4dd85b69241142cb13ac68248de806aa6a3659cf3c03eb6821d09c8114a4e868febde865bb6d2cd970e15f53fc0c82f950fd560ffa919b76172be017368a89913af074f400b094289756aa3739ccc689ec0fcf3a360be32cc0b59b16e93a1e8bb4605726b2ca7a3ff706c4176649632b2cc68e1f912b8a578e3719ce7710885c7a966f49bcd43cb01010000</pre>
+** Bytes in Hex: <pre>0736274ff01005e02000000019bd48765230bf9a72e662001f972556e54f0c6f97feb56bcb5600d817f6995260100000000ffffffff0148e6052a01000000225120030da4fce4f7db28c2cb2951631e003713856597fe963882cb500e68112cca63000000000001012b00f2052a01000000225120c2247efbfd92ac47f6f40b8d42d169175a19fa9fa10e4a25d7f35eb4dd85b69241142cb13ac68248de806aa6a3659cf3c03eb6821d09c8114a4e868febde865bb6d2cd970e15f53fc0c82f950fd560ffa919b76172be017368a89913af074f400b094289756aa3739ccc689ec0fcf3a360be32cc0b59b16e93a1e8bb4605726b2ca7a3ff706c4176649632b2cc68e1f912b8a578e3719ce7710885c7a966f49bcd43cb01010000</pre>
** Base64 String: <pre>cHNidP8BAF4CAAAAAZvUh2UjC/mnLmYgAflyVW5U8Mb5f+tWvLVgDYF/aZUmAQAAAAD/////AUjmBSoBAAAAIlEgAw2k/OT32yjCyylRYx4ANxOFZZf+ljiCy1AOaBEsymMAAAAAAAEBKwDyBSoBAAAAIlEgwiR++/2SrEf29AuNQtFpF1oZ+p+hDkol1/NetN2FtpJBFCyxOsaCSN6AaqajZZzzwD62gh0JyBFKToaP696GW7bSzZcOFfU/wMgvlQ/VYP+pGbdhcr4Bc2iomROvB09ACwlCiXVqo3OczGiewPzzo2C+MswLWbFuk6Hou0YFcmssp6P/cGxBdmSWMrLMaOH5ErileONxnOdxCIXHqWb0m81DywEBAAA=</pre>
* Case: PSBT With <tt>PSBT_IN_TAP_SCRIPT_SIG</tt> signature that is too short
-** Bytes in Hex: <pre><70736274ff01005e02000000019bd48765230bf9a72e662001f972556e54f0c6f97feb56bcb5600d817f6995260100000000ffffffff0148e6052a01000000225120030da4fce4f7db28c2cb2951631e003713856597fe963882cb500e68112cca63000000000001012b00f2052a01000000225120c2247efbfd92ac47f6f40b8d42d169175a19fa9fa10e4a25d7f35eb4dd85b69241142cb13ac68248de806aa6a3659cf3c03eb6821d09c8114a4e868febde865bb6d2cd970e15f53fc0c82f950fd560ffa919b76172be017368a89913af074f400b093989756aa3739ccc689ec0fcf3a360be32cc0b59b16e93a1e8bb4605726b2ca7a3ff706c4176649632b2cc68e1f912b8a578e3719ce7710885c7a966f49bcd43cb0000</pre>
-** Base64 String: <pre>cHNidP8BAF4CAAAAAZvUh2UjC/mnLmYgAflyVW5U8Mb5f+tWvLVgDYF/aZUmAQAAAAD/////AUjmBSoBAAAAIlEgAw2k/OT32yjCyylRYx4ANxOFZZf+ljiCy1AOaBEsymMAAAAAAAEBKwDyBSoBAAAAIlEgwiR++/2SrEf29AuNQtFpF1oZ+p+hDkol1/NetN2FtpJBFCyxOsaCSN6AaqajZZzzwD62gh0JyBFKToaP696GW7bSzZcOFfU/wMgvlQ/VYP+pGbdhcr4Bc2iomROvB09ACwk5iXVqo3OczGiewPzzo2C+MswLWbFuk6Hou0YFcmssp6P/cGxBdmSWMrLMaOH5ErileONxnOdxCIXHqWb0m81DywAA</pre>
+** Bytes in Hex: <pre>70736274ff01005e02000000019bd48765230bf9a72e662001f972556e54f0c6f97feb56bcb5600d817f6995260100000000ffffffff0148e6052a01000000225120030da4fce4f7db28c2cb2951631e003713856597fe963882cb500e68112cca63000000000001012b00f2052a01000000225120c2247efbfd92ac47f6f40b8d42d169175a19fa9fa10e4a25d7f35eb4dd85b69241142cb13ac68248de806aa6a3659cf3c03eb6821d09c8114a4e868febde865bb6d2cd970e15f53fc0c82f950fd560ffa919b76172be017368a89913af074f400b093f89756aa3739ccc689ec0fcf3a360be32cc0b59b16e93a1e8bb4605726b2ca7a3ff706c4176649632b2cc68e1f912b8a578e3719ce7710885c7a966f49bcd430000</pre>
+** Base64 String: <pre>cHNidP8BAF4CAAAAAZvUh2UjC/mnLmYgAflyVW5U8Mb5f+tWvLVgDYF/aZUmAQAAAAD/////AUjmBSoBAAAAIlEgAw2k/OT32yjCyylRYx4ANxOFZZf+ljiCy1AOaBEsymMAAAAAAAEBKwDyBSoBAAAAIlEgwiR++/2SrEf29AuNQtFpF1oZ+p+hDkol1/NetN2FtpJBFCyxOsaCSN6AaqajZZzzwD62gh0JyBFKToaP696GW7bSzZcOFfU/wMgvlQ/VYP+pGbdhcr4Bc2iomROvB09ACwk/iXVqo3OczGiewPzzo2C+MswLWbFuk6Hou0YFcmssp6P/cGxBdmSWMrLMaOH5ErileONxnOdxCIXHqWb0m81DAAA=</pre>
* Case: PSBT With <tt>PSBT_IN_TAP_LEAF_SCRIPT</tt> Control block that is too long
** Bytes in Hex: <pre>70736274ff01005e02000000019bd48765230bf9a72e662001f972556e54f0c6f97feb56bcb5600d817f6995260100000000ffffffff0148e6052a01000000225120030da4fce4f7db28c2cb2951631e003713856597fe963882cb500e68112cca63000000000001012b00f2052a01000000225120c2247efbfd92ac47f6f40b8d42d169175a19fa9fa10e4a25d7f35eb4dd85b6926315c150929b74c1a04954b78b4b6035e97a5e078a5a0f28ec96d547bfee9ace803ac06f7d62059e9497a1a4a267569d9876da60101aff38e3529b9b939ce7f91ae970115f2e490af7cc45c4f78511f36057ce5c5a5c56325a29fb44dfc203f356e1f80023202cb13ac68248de806aa6a3659cf3c03eb6821d09c8114a4e868febde865bb6d2acc00000</pre>
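Review bot: The added hex for the "signature that is too long" case starts with `0736274ff…`, whereas the other vectors in this hunk start with the PSBT magic `70736274ff` and the Base64 form of the same case starts with `cHNidP8`. Removing the stray `<` did not restore the leading `7`. As written, the hex is not the byte sequence the Base64 line encodes, so a test harness consuming it would likely reject the vector for a malformed header rather than for the over-long signature the case is meant to exercise. The line should begin `** Bytes in Hex: <pre>70736274ff01005e…`.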