Understanding Taproot Formulas

3 replies 387 views
the_bearMember
Posts: 24 · Reputation: 187
#1Feb 27, 2024, 06:23 AM
Can someone help me get a grip on taproot formulas? So, if we have a funding transaction that sends to a taproot address like [OP_1 push_bytes_32 KEY], and then a spending transaction that includes the witness part with [param] [param] ... [SCRIPT] [CBLOCK] Is there an easy way to connect SCRIPT, CBLOCK, and KEY? Like, would it be something along the lines of SHA256(SCRIPT || CBLOCK) == KEY?
3 Reply Quote Share
ryan_nodeSenior Member
Posts: 204 · Reputation: 859
#2Feb 29, 2024, 07:17 AM
The Control Block specifies a key and merkle branch hashes. You hash the script to get a leaf hash which is then combined with the merkle branch hashes until you get the root hash, which is applied as a tweak to the internal key in the control block. There's no simple formula. It's all specified in BIP 341 in the Script Validation Rules section.
3 Reply Quote Share
the_bearMember
Posts: 24 · Reputation: 187
#3Feb 29, 2024, 09:15 AM
OK, let us take the simplest P2TR transaction ever encountered in main/testnet/etc chain 0) Take transaction txid which spends output xxxx:0 1) Take the taproot script from witness-part on input, hash it sha256. We got the a1=yyyy 2) ? 3) ?
4 Reply Quote Share
ryan_nodeSenior Member
Posts: 204 · Reputation: 859
#4Feb 29, 2024, 10:48 AM
1. Check the control block is 33 + 32m bytes long, in this instance, it should be exactly 33 bytes. 2. Set leaf_version to be the first byte of the control block bitwise and with 0xfe 3. Extract p as the 2nd to 33rd bytes of the control block. 4. Set P by interpreting p as the x coordinate for a point on secp256k1 where the y coordinate is even. 4. Compute the hash kof the script as follows: sha256(sha256("TapLeaf") || sha256("TapLeaf") || leaf_version || compact_size(script) || script), where || is concatenation 5. Compute t as sha256(sha256("TapTweak") || sha256("TapTweak") || p || k) and interpret it as an integer. 6. Let Q = P + t * G where G is the generator for secp256k1 7. Check the x coordinate of Q matches the key in the output script 8. Check that the first bit of the first byte of the control block matches the parity of Q's y coordinate: control_block[0] & 1 == y(Q) mod 2 When the script tree has multiple possible scripts, there's more in the control block and hashing steps involving combining a merkle branch to calculate a merkle root.
3 Reply Quote Share

Related topics