Exercises [A, -A, A] input key pattern where the intermediate sum
hits zero after the first two keys, but the final sum is non-zero.
Implementations that validate after each pairwise addition (rather
than summing all keys first) will incorrectly reject this case.
Before this commit it was not clear that non-native SegWit outputs
(e.g. P2PKH or P2SH-P2WPKH) only work if the correct scriptSig is
provided.
This then also makes it more clear why P2SH-P2WPKH outputs are NOT
supported by the "simple" variant.
This commit adds a table that clarifies what script types are compatible
with what signing variant and also makes more clear what the exact
format for the signatures of the different variants is.
Test vectors with labels now use big-endian byte order instead of little-endian, matching the BIP-352 specification.
Summary of test vector changes:
- psbt structure: missing PSBT_OUT_SP_V0_INFO field when PSBT_OUT_SP_V0_LABEL set
- can finalize: one P2WPKH input / two mixed outputs - labeled sp output and BIP 32 change
- can finalize: two sp outputs - output 0 uses label=3 / output 1 uses label=1
Adds a warning to the "if no matches are found, stop" scanning
step. Without it, wallet developers may be tempted to apply policy
filtering (e.g. dust) before deciding to continue,
causing subsequent outputs for the same sender to be missed.
* Varops: Two BIPs for Script Restoration: varops calculations and tapleaf version (0xc2).
Special thanks to Murch for teaching me mediawiki, and so much great
formatting and clarity advice.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
* script restoration: fix MUL cost to account for rounding up B to word boundary.
Julian points out that the implementation does this, which improves accuracy
for the case of small B (since the term is multiplied: for normal OP_ADD etc
we don't bother, since the difference is very bounded).
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
* BIP 440, 441: official numbers, into README.mediawiki and renamed.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
---------
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
add fake ecdh share and dleq proof to P2SH input for valid test: two inputs using per-input ECDH shares - only eligible inputs contribute shares (P2SH excluded)
remove unused return string from is_input_eligible
correctly label witness_utxo vs non_witness_utxo key in supplementary inputs
Summary of test vector changes:
removed test:
- psbt structure: empty PSBT_OUT_SCRIPT field when sending to non-sp output
modified test:
- ecdh coverage: only one ineligible P2SH multisig input when PSBT_OUT_SCRIPT set for sp output
- can finalize: one P2PKH input single-signer
- can finalize: two inputs using per-input ECDH shares - only eligible inputs contribute shares (P2SH excluded)
added test:
- can finalize: two inputs using global ECDH share - only eligible inputs contribute shares (P2SH excluded)
Add support for computing bip352 output scripts
Extract ECDH shares and public key from PSBT and aggregate both if necessary
Refactor validate_ecdh_coverage to use collect_input_ecdh_and_pubkey