aboutsummaryrefslogtreecommitdiff
path: root/src/script
diff options
context:
space:
mode:
authorPieter Wuille <pieter@wuille.net>2020-10-20 15:17:52 -0700
committerPieter Wuille <pieter@wuille.net>2020-11-26 14:56:25 -0800
commit8dbb7de67ce0a71f5fc54289c0ff048ac8dd0acc (patch)
treec6823bcead3b4ae8d0770a96caae385260e574e0 /src/script
parentcdf900cbf26db05c7edb398ea645f1d23049d810 (diff)
Add comments to VerifyTaprootCommitment
Diffstat (limited to 'src/script')
-rw-r--r--src/script/interpreter.cpp6
1 files changed, 6 insertions, 0 deletions
diff --git a/src/script/interpreter.cpp b/src/script/interpreter.cpp
index 5735e7df66..bb5a7158a5 100644
--- a/src/script/interpreter.cpp
+++ b/src/script/interpreter.cpp
@@ -1834,9 +1834,13 @@ static bool ExecuteWitnessScript(const Span<const valtype>& stack_span, const CS
static bool VerifyTaprootCommitment(const std::vector<unsigned char>& control, const std::vector<unsigned char>& program, const CScript& script, uint256& tapleaf_hash)
{
const int path_len = (control.size() - TAPROOT_CONTROL_BASE_SIZE) / TAPROOT_CONTROL_NODE_SIZE;
+ //! The inner pubkey (x-only, so no Y coordinate parity).
const XOnlyPubKey p{uint256(std::vector<unsigned char>(control.begin() + 1, control.begin() + TAPROOT_CONTROL_BASE_SIZE))};
+ //! The output pubkey (taken from the scriptPubKey).
const XOnlyPubKey q{uint256(program)};
+ // Compute the tapleaf hash.
tapleaf_hash = (CHashWriter(HASHER_TAPLEAF) << uint8_t(control[0] & TAPROOT_LEAF_MASK) << script).GetSHA256();
+ // Compute the Merkle root from the leaf and the provided path.
uint256 k = tapleaf_hash;
for (int i = 0; i < path_len; ++i) {
CHashWriter ss_branch{HASHER_TAPBRANCH};
@@ -1848,7 +1852,9 @@ static bool VerifyTaprootCommitment(const std::vector<unsigned char>& control, c
}
k = ss_branch.GetSHA256();
}
+ // Compute the tweak from the Merkle root and the inner pubkey.
k = (CHashWriter(HASHER_TAPTWEAK) << MakeSpan(p) << k).GetSHA256();
+ // Verify that the output pubkey matches the tweaked inner pubkey, after correcting for parity.
return q.CheckPayToContract(p, k, control[0] & 1);
}