Taproot wallet support

.msggen.json

@@ -273,7 +273,8 @@
         "NewaddrAddresstype": {
             "all": 2,
             "bech32": 0,
-            "p2sh-segwit": 1
+            "p2sh-segwit": 1,
+            "p2tr": 3
         },
         "PayStatus": {
             "complete": 0,
@@ -1263,7 +1264,8 @@
         },
         "NewaddrResponse": {
             "NewAddr.bech32": 1,
-            "NewAddr.p2sh-segwit": 2
+            "NewAddr.p2sh-segwit": 2,
+            "NewAddr.p2tr": 3
         },
         "PayRequest": {
             "Pay.amount_msat": 13,
@@ -4643,6 +4645,10 @@
             "added": "pre-v0.10.1",
             "deprecated": "v23.02"
         },
+        "NewAddr.p2tr": {
+            "added": "v23.08",
+            "deprecated": false
+        },
         "Pay": {
             "added": "pre-v0.10.1",
             "deprecated": null

Makefile

@@ -277,7 +277,7 @@ ifeq ($(HAVE_POSTGRES),1)
 LDLIBS += $(POSTGRES_LDLIBS)
 endif
 
-default: show-flags all-programs all-test-programs doc-all default-targets $(PYTHON_GENERATED)
+default: show-flags gen all-programs all-test-programs doc-all default-targets $(PYTHON_GENERATED)
 
 ifneq ($(SUPPRESS_GENERATION),1)
 FORCE = FORCE
@@ -597,6 +597,8 @@ CHECK_GEN_ALL = \
 	.msggen.json \
 	doc/index.rst
 
+gen:  $(CHECK_GEN_ALL)
+
 check-gen-updated:  $(CHECK_GEN_ALL)
 	@echo "Checking for generated files being changed by make"
 	git diff --exit-code HEAD

bitcoin/psbt.c

@@ -211,7 +211,7 @@ void psbt_rm_output(struct wally_psbt *psbt,
 }
 
 void psbt_input_add_pubkey(struct wally_psbt *psbt, size_t in,
-			   const struct pubkey *pubkey)
+			   const struct pubkey *pubkey, bool is_taproot)
 {
 	int wally_err;
 	u32 empty_path[1] = {0};
@@ -233,11 +233,20 @@ void psbt_input_add_pubkey(struct wally_psbt *psbt, size_t in,
 	pubkey_to_der(pk_der, pubkey);
 
 	tal_wally_start();
-	wally_err = wally_psbt_input_keypath_add(&psbt->inputs[in],
-						      pk_der, sizeof(pk_der),
-						      fingerprint, sizeof(fingerprint),
-						      empty_path, ARRAY_SIZE(empty_path));
-	assert(wally_err == WALLY_OK);
+	if (is_taproot) {
+		wally_err = wally_psbt_input_taproot_keypath_add(&psbt->inputs[in],
+								  pk_der + 1, 32,
+								  NULL /* tapleaf_hashes */, 0 /* tapleaf_hashes_len */,
+								  fingerprint, sizeof(fingerprint),
+								  empty_path, ARRAY_SIZE(empty_path));
+		assert(wally_err == WALLY_OK);
+	} else {
+		wally_err = wally_psbt_input_keypath_add(&psbt->inputs[in],
+								  pk_der, sizeof(pk_der),
+								  fingerprint, sizeof(fingerprint),
+								  empty_path, ARRAY_SIZE(empty_path));
+		assert(wally_err == WALLY_OK);
+	}
 	tal_wally_end(psbt);
 }
 

bitcoin/psbt.h

@@ -153,7 +153,7 @@ void psbt_rm_output(struct wally_psbt *psbt,
 		    size_t remove_at);
 
 void psbt_input_add_pubkey(struct wally_psbt *psbt, size_t in,
-			   const struct pubkey *pubkey);
+			   const struct pubkey *pubkey, bool is_taproot);
 
 WARN_UNUSED_RESULT bool psbt_input_set_signature(struct wally_psbt *psbt, size_t in,
 						 const struct pubkey *pubkey,

bitcoin/script.c

@@ -310,6 +310,69 @@ u8 *scriptpubkey_witness_raw(const tal_t *ctx, u8 version,
 	return script;
 }
 
+u8 *scriptpubkey_raw_p2tr(const tal_t *ctx, const struct pubkey *output_pubkey)
+{
+	int ok;
+	secp256k1_xonly_pubkey x_key;
+	unsigned char x_key_bytes[32];
+	u8 *script = tal_arr(ctx, u8, 0);
+
+	add_op(&script, OP_1);
+
+	ok = secp256k1_xonly_pubkey_from_pubkey(secp256k1_ctx,
+		&x_key,
+		/* pk_parity */ NULL,
+		&(output_pubkey->pubkey));
+	assert(ok);
+
+	ok = secp256k1_xonly_pubkey_serialize(secp256k1_ctx,
+		x_key_bytes,
+		&x_key);
+	assert(ok);
+
+	script_push_bytes(&script, x_key_bytes, sizeof(x_key_bytes));
+	assert(tal_count(script) == BITCOIN_SCRIPTPUBKEY_P2TR_LEN);
+	return script;
+}
+
+u8 *scriptpubkey_raw_p2tr_derkey(const tal_t *ctx, const u8 output_der[33])
+{
+	struct pubkey tr_key;
+	if (!pubkey_from_der(output_der, 33, &tr_key)) {
+		abort();
+	}
+	return scriptpubkey_raw_p2tr(ctx, &tr_key);
+}
+
+u8 *scriptpubkey_p2tr(const tal_t *ctx, const struct pubkey *inner_pubkey)
+{
+	unsigned char key_bytes[33];
+	unsigned char tweaked_key_bytes[33];
+	size_t out_len = sizeof(key_bytes);
+	u8 *script = tal_arr(ctx, u8, 0);
+
+	add_op(&script, OP_1);
+
+	secp256k1_ec_pubkey_serialize(secp256k1_ctx, key_bytes, &out_len, &inner_pubkey->pubkey, SECP256K1_EC_COMPRESSED);
+	/* Only commit to inner pubkey in tweak */
+	if (wally_ec_public_key_bip341_tweak(key_bytes, 33, /* merkle_root*/ NULL, 0, 0 /* flags */, tweaked_key_bytes, sizeof(tweaked_key_bytes)) != WALLY_OK)
+		abort();
+
+	/* Cut off the first byte from the serialized compressed key */
+	script_push_bytes(&script, tweaked_key_bytes + 1, sizeof(tweaked_key_bytes) - 1);
+	assert(tal_count(script) == BITCOIN_SCRIPTPUBKEY_P2TR_LEN);
+	return script;
+}
+
+u8 *scriptpubkey_p2tr_derkey(const tal_t *ctx, const u8 inner_der[33])
+{
+	struct pubkey tr_key;
+	if (!pubkey_from_der(inner_der, 33, &tr_key)) {
+		abort();
+	}
+	return scriptpubkey_p2tr(ctx, &tr_key);
+}
+
 /* BOLT #3:
  *
  * #### `to_remote` Output
@@ -481,10 +544,33 @@ bool is_p2wpkh(const u8 *script, struct bitcoin_address *addr)
 	return true;
 }
 
+bool is_p2tr(const u8 *script, u8 xonly_pubkey[32])
+{
+	size_t script_len = tal_count(script);
+
+	if (script_len != BITCOIN_SCRIPTPUBKEY_P2TR_LEN)
+		return false;
+	if (script[0] != OP_1)
+		return false;
+	/* x-only pubkey */
+	if (script[1] != OP_PUSHBYTES(32))
+		return false;
+	if (xonly_pubkey)
+		memcpy(xonly_pubkey, script+2, 32);
+	return true;
+}
+
 bool is_known_scripttype(const u8 *script)
 {
 	return is_p2wpkh(script, NULL) || is_p2wsh(script, NULL)
-		|| is_p2sh(script, NULL) || is_p2pkh(script, NULL);
+		|| is_p2sh(script, NULL) || is_p2pkh(script, NULL)
+		|| is_p2tr(script, NULL);
+}
+
+bool is_known_segwit_scripttype(const u8 *script)
+{
+	return is_p2wpkh(script, NULL) || is_p2wsh(script, NULL)
+		|| is_p2tr(script, NULL);
 }
 
 u8 **bitcoin_witness_sig_and_element(const tal_t *ctx,

bitcoin/script.h

@@ -63,6 +63,19 @@ u8 *scriptpubkey_p2wpkh_derkey(const tal_t *ctx, const u8 der[33]);
 u8 *scriptpubkey_witness_raw(const tal_t *ctx, u8 version,
 			     const u8 *wprog, size_t wprog_size);
 
+/* Create an output script for a "raw"(perhaps already tweaked) taproot output pubkey */
+u8 *scriptpubkey_raw_p2tr(const tal_t *ctx, const struct pubkey *output_pubkey);
+
+/* Same as above, but compressed key is DER-encoded. */
+u8 *scriptpubkey_raw_p2tr_derkey(const tal_t *ctx, const u8 output_der[33]);
+
+/* Create an output script for an internal taproot pubkey. Results in different script than
+ * scriptpubkey_raw_p2tr! TODO support merkle root tweaking */
+u8 *scriptpubkey_p2tr(const tal_t *ctx, const struct pubkey *inner_pubkey);
+
+/* Same as above, but compressed key is DER-encoded. TODO support merkle root tweaking */
+u8 *scriptpubkey_p2tr_derkey(const tal_t *ctx, const u8 inner_der[33]);
+
 /* To-remotekey with csv max(lease_expiry - blockheight, 1) delay. */
 u8 *bitcoin_wscript_to_remote_anchored(const tal_t *ctx,
 				       const struct pubkey *remote_key,
@@ -157,9 +170,15 @@ bool is_p2wsh(const u8 *script, struct sha256 *addr);
 /* Is this (version 0) pay to witness pubkey hash? (extract addr if not NULL) */
 bool is_p2wpkh(const u8 *script, struct bitcoin_address *addr);
 
-/* Is this one of the four above script types? */
+/* Is this a taproot output? (extract xonly_pubkey bytes if not NULL) */
+bool is_p2tr(const u8 *script, u8 xonly_pubkey[32]);
+
+/* Is this one of the above script types? */
 bool is_known_scripttype(const u8 *script);
 
+/* Is this a witness script type? */
+bool is_known_segwit_scripttype(const u8 *script);
+
 /* Is this a to-remote witness script (used for option_anchor_outputs)? */
 bool is_to_remote_anchored_witness_script(const u8 *script, size_t script_len);
 
@@ -184,4 +203,7 @@ void script_push_bytes(u8 **scriptp, const void *mem, size_t len);
 /* OP_0 + PUSH(32-byte-hash) */
 #define BITCOIN_SCRIPTPUBKEY_P2WSH_LEN (1 + 1 + 32)
 
+/* OP_1 + PUSH(32-byte-key) */
+#define BITCOIN_SCRIPTPUBKEY_P2TR_LEN (1 + 1 + 32)
+
 #endif /* LIGHTNING_BITCOIN_SCRIPT_H */

bitcoin/tx.c

@@ -972,7 +972,7 @@ struct amount_sat change_fee(u32 feerate_perkw,	size_t total_weight)
 	struct amount_sat fee;
 
 	/* Must be able to pay for its own additional weight */
-	outweight = bitcoin_tx_output_weight(BITCOIN_SCRIPTPUBKEY_P2WPKH_LEN);
+	outweight = bitcoin_tx_output_weight(chainparams->is_elements ? BITCOIN_SCRIPTPUBKEY_P2WPKH_LEN : BITCOIN_SCRIPTPUBKEY_P2TR_LEN);
 
 	/* Rounding can cause off by one errors, so we do this */
 	if (!amount_sat_sub(&fee,

bitcoin/tx.h

@@ -330,11 +330,13 @@ size_t bitcoin_tx_2of2_input_witness_weight(void);
 struct amount_sat change_fee(u32 feerate_perkw,	size_t total_weight);
 
 /**
- * change_amount - Is it worth making a P2WPKH change output at this feerate?
+ * change_amount - Is it worth making a change output at this feerate?
  * @excess: input amount we have above the tx fee and other outputs.
  * @feerate_perkw: feerate.
  * @total_weight: current weight of tx.
  *
+ * Change script is P2TR for Bitcoin, P2WPKH for Elements
+ *
  * If it's not worth (or possible) to make change, returns AMOUNT_SAT(0).
  * Otherwise returns the amount of the change output to add (@excess minus
  * the change_fee()).

channeld/full_channel.c

@@ -349,9 +349,9 @@ struct bitcoin_tx **channel_txs(const tal_t *ctx,
 
 	/* Set the remote/local pubkeys on the commitment tx psbt */
 	psbt_input_add_pubkey(txs[0]->psbt, 0,
-			      &channel->funding_pubkey[side]);
+			      &channel->funding_pubkey[side], false /* is_taproot */);
 	psbt_input_add_pubkey(txs[0]->psbt, 0,
-			      &channel->funding_pubkey[!side]);
+			      &channel->funding_pubkey[!side], false /* is_taproot */);
 
 	add_htlcs(&txs, *htlcmap, channel, &keyset, side);
 

channeld/watchtower.c

@@ -81,7 +81,7 @@ penalty_tx_create(const tal_t *ctx,
 	bitcoin_tx_add_output(tx, final_scriptpubkey, NULL, to_them_sats);
 	assert((final_index == NULL) == (final_ext_key == NULL));
 	if (final_index)
-		psbt_add_keypath_to_last_output(tx, *final_index, final_ext_key);
+		psbt_add_keypath_to_last_output(tx, *final_index, final_ext_key, is_p2tr(final_scriptpubkey, NULL));
 
 	/* Worst-case sig is 73 bytes */
 	weight = bitcoin_tx_weight(tx) + 1 + 3 + 73 + 0 + tal_count(wscript);

common/addr.c

@@ -13,6 +13,7 @@ char *encode_scriptpubkey_to_addr(const tal_t *ctx,
 	size_t scriptLen = tal_bytelen(scriptPubkey);
 	struct bitcoin_address pkh;
 	struct ripemd160 sh;
+	int witver;
 
 	if (is_p2pkh(scriptPubkey, &pkh))
 		return bitcoin_to_base58(ctx, chainparams, &pkh);
@@ -21,7 +22,14 @@ char *encode_scriptpubkey_to_addr(const tal_t *ctx,
 		return p2sh_to_base58(ctx, chainparams, &sh);
 
 	out = tal_arr(ctx, char, 73 + strlen(chainparams->onchain_hrp));
-	if (!segwit_addr_encode(out, chainparams->onchain_hrp, 0,
+	if (is_p2tr(scriptPubkey, NULL))
+		witver = 1;
+	else if (is_p2wpkh(scriptPubkey, NULL) || is_p2wsh(scriptPubkey, NULL))
+		witver = 0;
+	else {
+		return tal_free(out);
+	}
+	if (!segwit_addr_encode(out, chainparams->onchain_hrp, witver,
 				scriptPubkey + 2, scriptLen - 2))
 		return tal_free(out);
 

common/addr.h

@@ -3,7 +3,7 @@
 #include "config.h"
 #include <bitcoin/chainparams.h>
 
-/* Given a scriptPubkey, return an encoded address */
+/* Given a scriptPubkey, return an encoded address for p2pkh/p2w{pkh,sh}/p2tr */
 char *encode_scriptpubkey_to_addr(const tal_t *ctx,
 				  const struct chainparams *chainparams,
 				  const u8 *scriptPubkey);

common/close_tx.c

@@ -52,7 +52,7 @@ struct bitcoin_tx *create_close_tx(const tal_t *ctx,
 		assert((local_wallet_index == NULL) == (local_wallet_ext_key == NULL));
 		if (local_wallet_index)
 			psbt_add_keypath_to_last_output(
-				tx, *local_wallet_index, local_wallet_ext_key);
+				tx, *local_wallet_index, local_wallet_ext_key, is_p2tr(script, NULL));
 		num_outputs++;
 	}