tr: Spend Simplicity desctriptors

uncomputable · uncomputable · commit 9e60cbcb8045 · 2023-08-15T22:26:11.000+02:00
TapLeafScript is extended to handle everything that is required for
spending in a generic way. The witness for Simplicity looks familiar:
The "witness stack", the "script_pubkey" and the control block.
What these are is slighly different:

"Witness stack" is one large byte blob that deserializes to the
Simplicity program plus its witness data. There is always exactly one
item on the witness stack, unlike Miniscript where there are often
multiple items.

"Script_pubkey" is a Bitcoin Script that contains the CMR.

The control block is as usual. Even though there are these differences,
the code for computing the "witness size" should be general enough to
work for both Miniscript and Simplicity.
diff --git a/src/descriptor/tr.rs b/src/descriptor/tr.rs
@@ -461,7 +461,7 @@ impl<'a, Pk: MiniscriptKey, Ext: Extension> TapLeafScript<'a, Pk, Ext> {
 }
 
 impl<'a, Pk: ToPublicKey, Ext: ParseableExt> TapLeafScript<'a, Pk, Ext> {
-    /// Encode as Bitcoin Script.
+    /// Encode the leaf script as Bitcoin script (script-pubkey).
     pub fn encode(&self) -> Script {
         match self {
             TapLeafScript::Miniscript(ms) => ms.encode(),
@@ -471,6 +471,46 @@ impl<'a, Pk: ToPublicKey, Ext: ParseableExt> TapLeafScript<'a, Pk, Ext> {
             }
         }
     }
+
+    /// Return the byte size of the encoded leaf script (script-pubkey).
+    pub fn script_size(&self) -> usize {
+        match self {
+            TapLeafScript::Miniscript(ms) => ms.script_size(),
+            // Simplicity's script-pubkey is always a 32-byte CMR
+            TapLeafScript::Simplicity(..) => 32,
+        }
+    }
+
+    /// Return the version of the leaf.
+    pub fn version(&self) -> LeafVersion {
+        match self {
+            TapLeafScript::Miniscript(..) => LeafVersion::default(),
+            TapLeafScript::Simplicity(..) => simplicity::leaf_version(),
+        }
+    }
+
+    /// Attempt to produce malleable satisfying witness for the leaf script.
+    pub fn satisfy_malleable<S: Satisfier<Pk>>(&self, satisfier: S) -> Result<Vec<Vec<u8>>, Error> {
+        match self {
+            TapLeafScript::Miniscript(ms) => ms.satisfy_malleable(satisfier),
+            // There doesn't (yet?) exist a malleable satisfaction of Simplicity policy
+            TapLeafScript::Simplicity(..) => self.satisfy(satisfier),
+        }
+    }
+
+    /// Attempt to produce non-malleable satisfying witness for the leaf script.
+    pub fn satisfy<S: Satisfier<Pk>>(&self, satisfier: S) -> Result<Vec<Vec<u8>>, Error> {
+        match self {
+            TapLeafScript::Miniscript(ms) => ms.satisfy(satisfier),
+            // There doesn't (yet?) exist a malleable satisfaction of Simplicity policy
+            TapLeafScript::Simplicity(sim) => {
+                let satisfier = crate::simplicity::SatisfierWrapper::new(satisfier);
+                let program = sim.satisfy(&satisfier).map_err(|_| Error::CouldNotSatisfy)?;
+                let program_and_witness_bytes = program.encode_to_vec();
+                Ok(vec![program_and_witness_bytes])
+            },
+        }
+    }
 }
 
 /// Iterator over the leaves of a tap tree.
@@ -815,15 +855,14 @@ where
         // Since we have the complete descriptor we can ignore the satisfier. We don't use the control block
         // map (lookup_control_block) from the satisfier here.
         let (mut min_wit, mut min_wit_len) = (None, None);
-        for (depth, ms) in desc.iter_scripts() {
-            let ms = ms.as_miniscript().unwrap();
+        for (depth, script) in desc.iter_scripts() {
             let mut wit = if allow_mall {
-                match ms.satisfy_malleable(&satisfier) {
+                match script.satisfy_malleable(&satisfier) {
                     Ok(wit) => wit,
                     Err(..) => continue, // No witness for this script in tr descriptor, look for next one
                 }
             } else {
-                match ms.satisfy(&satisfier) {
+                match script.satisfy(&satisfier) {
                     Ok(wit) => wit,
                     Err(..) => continue, // No witness for this script in tr descriptor, look for next one
                 }
@@ -833,12 +872,13 @@ where
             // The extra +2 elements are control block and script itself
             let wit_size = witness_size(&wit)
                 + control_block_len(depth)
-                + ms.script_size()
-                + varint_len(ms.script_size());
+                + script.script_size()
+                + varint_len(script.script_size());
+
             if min_wit_len.is_some() && Some(wit_size) > min_wit_len {
                 continue;
             } else {
-                let leaf_script = (ms.encode(), LeafVersion::default());
+                let leaf_script = (script.encode(), script.version());
                 let control_block = spend_info
                     .control_block(&leaf_script)
                     .expect("Control block must exist in script map for every known leaf");
diff --git a/src/simplicity.rs b/src/simplicity.rs
@@ -1,9 +1,13 @@
 // SPDX-License-Identifier: CC0-1.0
 use std::fmt;
+use std::marker::PhantomData;
 use std::str::FromStr;
 use std::sync::Arc;
 
-use simplicity::{Policy, FailEntropy};
+use bitcoin_miniscript::ToPublicKey;
+use elements::{LockTime, SchnorrSig, Sequence};
+use elements::taproot::TapLeafHash;
+use simplicity::{Policy, FailEntropy, Preimage32};
 
 use crate::policy::concrete::PolicyError;
 use crate::{expression, Error, MiniscriptKey};
@@ -121,6 +125,37 @@ where
     true
 }
 
+// We could make crate::Satisfier a subtrait of simplicity::Satisfier,
+// but then we would have to implement simplicity::Satisfier for all the blanket implementations
+// of crate::Satisfier, such as HashMap<Pk, ElementsSig>, which is annoying
+// We might choose to do so in the future, but for now a crate-local wrapper is easier
+// This wrapper is internally used by `Tr` and is never encountered by users
+pub(crate) struct SatisfierWrapper<Pk: ToPublicKey, S: crate::Satisfier<Pk>>(S, PhantomData<Pk>);
+
+impl<Pk: ToPublicKey, S: crate::Satisfier<Pk>> SatisfierWrapper<Pk, S> {
+    pub fn new(satisfier: S) -> Self {
+        Self(satisfier, PhantomData)
+    }
+}
+
+impl<Pk: ToPublicKey, S: crate::Satisfier<Pk>> simplicity::Satisfier<Pk> for SatisfierWrapper<Pk, S> {
+    fn lookup_tap_leaf_script_sig(&self, pk: &Pk, hash: &TapLeafHash) -> Option<SchnorrSig> {
+        self.0.lookup_tap_leaf_script_sig(pk, hash)
+    }
+
+    fn lookup_sha256(&self, hash: &Pk::Sha256) -> Option<Preimage32> {
+        self.0.lookup_sha256(hash)
+    }
+
+    fn check_older(&self, sequence: Sequence) -> bool {
+        self.0.check_older(sequence)
+    }
+
+    fn check_after(&self, locktime: LockTime) -> bool {
+        self.0.check_after(locktime)
+    }
+}
+
 #[cfg(test)]
 mod tests {
     use secp256k1::XOnlyPublicKey;
