Saturday, November 2, 2024

taproot – Musig signature validation mismatch

I am making an attempt to know the primitives of Taproot and Musig2 so I can implement them into my software. I am utilizing the rust-bitcoin library and have written a script to create a Taproot handle from an aggregated Musig2 public key (i’ve funded it with sats on mutinynet), create a tx spending from it & signal it, confirm the signature, after which spend the tx. Nevertheless, I am getting the error mandatory-script-verify-flag-failed (Invalid Schnorr signature) when I attempt to spend the tx. The odd factor is that the in-script sig validation throws no points.

Right here is the related code:


use bitcoin::consensus::Encodable;

use bitcoin::hashes::Hash;
use bitcoin::key::{Keypair, UntweakedPublicKey};
use bitcoin::locktime::absolute;

use bitcoin::secp256k1::{rand, Message, Secp256k1, SecretKey, Verification};
use bitcoin::sighash::{Prevouts, SighashCache, TapSighashType};
use bitcoin::{
    transaction, Tackle, Quantity, Community, OutPoint, PublicKey, ScriptBuf, Sequence, Transaction,
    TxIn, TxOut, Txid, Witness, XOnlyPublicKey,
};
use musig2::secp::Level;
use musig2::{
    aggregate_partial_signatures, sign_partial, verify_single, AggNonce, BinaryEncoding,
    KeyAggContext, PubNonce, SecNonce,
};
use rand::thread_rng;

use std::str::FromStr;

const DUMMY_UTXO_AMOUNT: u64 = 100000;
const SPEND_AMOUNT: u64 = 90000;
const SK: &str = "e504905952697837ac0f0dc9e46deb0340ae6468b185ba79e4fa96ebda3964c2";
const SK2: &str = "6bb7bc5dd0c9db0ca8bdba4616ee92afceb432551e0f23b32ea7bcada18da696";
const SK3: &str = "57d44ecb8812680e871732233ed8e4d4e11a25f22aef6c81dbe35a424ad8db41";
const TXID: &str = "726499fb478422087e7a89a04f25de5ed98e87c9881e4a264e8f31143cdee17b";
const VOUT: u32 = 1;

fn essential() {
    let keypair_array = vec![
        Keypair::from_secret_key(&Secp256k1::new(), &SecretKey::from_str(SK).unwrap()),
        Keypair::from_secret_key(&Secp256k1::new(), &SecretKey::from_str(SK2).unwrap()),
        Keypair::from_secret_key(&Secp256k1::new(), &SecretKey::from_str(SK3).unwrap()),
    ];

    let begin = std::time::On the spot::now();
    let tx = construct_refund_transaction(
        TXID,
        VOUT,
        DUMMY_UTXO_AMOUNT,
        SPEND_AMOUNT,
        "tb1p6e4q26tvyc7dmxfnk5zzhkux9d6pqpn0k5qxlw4gvc90unc0m3rq93a0tl",
        keypair_array,
    );
    let length = begin.elapsed();

    println!("Time taken to assemble refund transaction: {:?}", length);

    match tx {
        Okay(hex) => {
            post_tx(hex);
        }
        Err(e) => {
            println!("Error developing transaction: {:?}", e);
        }
    }
}

pub fn construct_refund_transaction(
    from_txid: &str,
    from_vout: u32,
    from_amount: u64,
    spend_amount: u64,
    to_address: &str,
    keypair_array: Vec<Keypair>,
) -> Outcome<String, Field<dyn std::error::Error>> {
    // Step 1: Convert public keys to factors for MuSig2
    let points_vec: Vec<Level> = keypair_array
        .iter()
        .map(|keypair| Level::from_hex(&keypair.public_key().to_string()).unwrap())
        .gather();

    // Step 2: Create a KeyAggContext for MuSig2
    let context = KeyAggContext::new(points_vec).unwrap();

    // Step 3: Get the aggregated public key
    let agg_pubkey: [u8; 33] = context.aggregated_pubkey();
    // println!("Combination pubkey: {:?}", hex::encode(agg_pubkey));

    // Step 4: Create a P2TR handle from the aggregated public key
    let pubkey = PublicKey::from_slice(&agg_pubkey).unwrap();
    let xonly_pubkey = XOnlyPublicKey::from(pubkey);
    let secp = Secp256k1::new();
    // let handle = Tackle::p2tr(&secp, xonly_pubkey, None, Community::Signet);
    // println!("P2TR handle: {}", handle);

    // Step 5: Get the unspent transaction output (UTXO)
    let (out_point, utxo) = unspent_transaction_output(
        &secp,
        xonly_pubkey,
        Txid::from_str(from_txid).unwrap(),
        from_vout,
        from_amount,
    );

    // Step 6: Get the receiver's handle
    let handle = receivers_address(to_address);

    // Step 7: Create the transaction enter
    let enter = TxIn {
        previous_output: out_point,
        script_sig: ScriptBuf::default(), // Empty for P2TR
        sequence: Sequence::ENABLE_RBF_NO_LOCKTIME,
        witness: Witness::default(), // Will probably be crammed after signing
    };

    // Step 8: Create the transaction output
    let spend = TxOut {
        worth: Quantity::from_sat(spend_amount),
        script_pubkey: handle.script_pubkey(),
    };

    // Step 9: Assemble the unsigned transaction
    let mut unsigned_tx = Transaction {
        model: transaction::Model::TWO,
        lock_time: absolute::LockTime::ZERO,
        enter: vec![input],
        output: vec![spend],
    };
    let input_index = 0;

    // Step 10: Put together for signing
    let sighash_type = TapSighashType::Default;
    let prevouts = vec![utxo];
    let prevouts = Prevouts::All(&prevouts);

    // Step 11: Calculate the sighash
    let mut sighasher = SighashCache::new(&mut unsigned_tx);
    let sighash = sighasher
        .taproot_key_spend_signature_hash(input_index, &prevouts, sighash_type)
        .anticipate("did not assemble sighash");

    // Step 12: Put together the message to be signed
    let msg = Message::from_digest(sighash.to_byte_array());

    // Step 13: Generate random nonces for MuSig2
    let mut rng = thread_rng();
    let n = keypair_array.len();
    let secret_nonces: Vec<SecNonce> = (0..n).map(|_| SecNonce::random(&mut rng)).gather();
    let public_nonces: Vec<PubNonce> = secret_nonces.iter().map(|sn| sn.public_nonce()).gather();

    // Step 14: Combination nonces
    let agg_nonce = AggNonce::sum(&public_nonces);

    // Step 15: Generate partial signatures
    let mut partial_sigs = Vec::new();
    for (i, keypair) in keypair_array.iter().enumerate() {
        let seckey =
            musig2::secp::Scalar::from_slice(&keypair.secret_key().secret_bytes()).unwrap();
        let partial_sig: musig2::PartialSignature = sign_partial(
            &context,
            seckey,
            secret_nonces[i].clone(),
            &agg_nonce,
            msg.as_ref(),
        )
        .unwrap();
        partial_sigs.push(partial_sig);
        // println!("Partial signature {}: {:?}", i, partial_sig);
    }

    // Step 16: Combination partial signatures
    let aggregated_signature: musig2::CompactSignature =
        aggregate_partial_signatures(&context, &agg_nonce, partial_sigs, msg.as_ref()).unwrap();
    // println!("Aggregated signature: {:?}", aggregated_signature);

    // Step 17: Confirm the aggregated signature
    let verification_result = verify_single(
        Level::from_slice(&agg_pubkey).unwrap(),
        aggregated_signature,
        msg.as_ref(),
    );

    match verification_result {
        Okay(()) => println!("Signature is legitimate"),
        Err(e) => println!("Signature verification failed: {:?}", e),
    }

    // Step 18: Add the signature to the transaction witness
    sighasher
        .witness_mut(input_index)
        .unwrap()
        .push(&aggregated_signature.to_bytes());

    // Step 19: Finalize the signed transaction
    let tx = sighasher.into_transaction();

    // Step 20: Serialize and print the signed transaction
    let mut serialized = Vec::new();
    tx.consensus_encode(&mut serialized).unwrap();
    let hex = serialized.as_hex();
    // println!("Transaction hex: {}", hex);

    Okay(hex.to_string())
}

// Helper operate to parse and validate the receiver's handle
fn receivers_address(handle: &str) -> Tackle {
    handle
        .parse::<Tackle<_>>()
        .anticipate("a sound handle")
        .require_network(Community::Signet)
        .anticipate("legitimate handle for signet")
}

// Helper operate to create an unspent transaction output (UTXO)
fn unspent_transaction_output<C: Verification>(
    secp: &Secp256k1<C>,
    internal_key: UntweakedPublicKey,
    txid: Txid,
    vout: u32,
    quantity: u64,
) -> (OutPoint, TxOut) {
    let script_pubkey = ScriptBuf::new_p2tr(secp, internal_key, None);
    let out_point = OutPoint { txid, vout };
    let utxo = TxOut {
        worth: Quantity::from_sat(quantity),
        script_pubkey,
    };
    (out_point, utxo)
}

fn post_tx(hex: String) {
    let shopper = reqwest::blocking::Shopper::new();
    let res = shopper.publish("https://mutinynet.com/api/tx").physique(hex).ship();

    match res {
        Okay(res) => {
            if res.standing().is_success() {
                println!("Response: {:?}", res.textual content());
            } else {
                let error_text = res.textual content().unwrap_or_default();
                if let Some(message) = error_text.cut up("message":"").nth(1) {
                    if let Some(error_message) = message.cut up(""").subsequent() {
                        println!("Error: {}", error_message);
                    } else {
                        println!("Error: {}", error_text);
                    }
                } else {
                    println!("Error: {}", error_text);
                }
            }
        }
        Err(e) => {
            println!("Error sending request: {:?}", e);
        }
    }
}

Am I doing something blatantly fallacious?

(these are dummy SKs I generated for the aim of this check)

Related Articles

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Latest Articles