tr: Spend Simplicity descriptors

uncomputable · uncomputable · commit b84258ed4de3 · 2023-08-03T22:11:59.000+02:00
The max weight calculations seem to be for convenience and not important
for spending, so we will leave the Simplicity implementation for later.
diff --git a/src/descriptor/tr.rs b/src/descriptor/tr.rs
@@ -374,6 +374,8 @@ impl<Pk: MiniscriptKey, Ext: Extension> Tr<Pk, Ext> {
             Some(tree) => tree,
         };
 
+        // TODO: Max weight calculation for Simplicity policies
+
         tree.iter()
             .filter_map(|(depth, ms)| {
                 let script_size = ms.script_size();
@@ -820,54 +822,102 @@ where
     S: Satisfier<Pk>,
     Ext: ParseableExt,
 {
-    let spend_info = desc.spend_info();
     // First try the key spend path
     if let Some(sig) = satisfier.lookup_tap_key_spend_sig() {
         Ok((vec![sig.to_vec()], Script::new()))
     } else {
-        // Since we have the complete descriptor we can ignore the satisfier. We don't use the control block
-        // map (lookup_control_block) from the satisfier here.
-        let (mut min_wit, mut min_wit_len) = (None, None);
-        for (depth, ms) in desc.iter_scripts() {
-            let mut wit = if allow_mall {
-                match ms.satisfy_malleable(&satisfier) {
-                    Ok(wit) => wit,
-                    Err(..) => continue, // No witness for this script in tr descriptor, look for next one
-                }
-            } else {
-                match ms.satisfy(&satisfier) {
-                    Ok(wit) => wit,
-                    Err(..) => continue, // No witness for this script in tr descriptor, look for next one
-                }
-            };
-            // Compute the final witness size
-            // Control block len + script len + witnesssize + varint(wit.len + 2)
-            // The extra +2 elements are control block and script itself
-            let wit_size = witness_size(&wit)
-                + control_block_len(depth)
-                + ms.script_size()
-                + varint_len(ms.script_size());
-            if min_wit_len.is_some() && Some(wit_size) > min_wit_len {
-                continue;
-            } else {
-                let leaf_script = (ms.encode(), LeafVersion::default());
-                let control_block = spend_info
-                    .control_block(&leaf_script)
-                    .expect("Control block must exist in script map for every known leaf");
-                wit.push(leaf_script.0.into_bytes()); // Push the leaf script
-                                                      // There can be multiple control blocks for a (script, ver) pair
-                                                      // Find the smallest one amongst those
-                wit.push(control_block.serialize());
-                // Finally, save the minimum
-                min_wit = Some(wit);
-                min_wit_len = Some(wit_size);
-            }
+        if desc.get_simplicity().is_some() {
+            best_simplicity_spend(desc, satisfier)
+        } else {
+            best_miniscript_spend(desc, satisfier, allow_mall)
         }
-        match min_wit {
-            Some(wit) => Ok((wit, Script::new())),
-            None => Err(Error::CouldNotSatisfy), // Could not satisfy all miniscripts inside Tr
+    }
+}
+
+fn best_miniscript_spend<Pk, S, Ext>(
+    desc: &Tr<Pk, Ext>,
+    satisfier: S,
+    allow_mall: bool,
+) -> Result<(Vec<Vec<u8>>, Script), Error>
+where
+    Pk: ToPublicKey,
+    S: Satisfier<Pk>,
+    Ext: ParseableExt,
+{
+    // Since we have the complete descriptor we can ignore the satisfier. We don't use the control block
+    // map (lookup_control_block) from the satisfier here.
+    let (mut min_wit, mut min_wit_len) = (None, None);
+    for (depth, ms) in desc.iter_scripts() {
+        let mut wit = if allow_mall {
+            match ms.satisfy_malleable(&satisfier) {
+                Ok(wit) => wit,
+                Err(..) => continue, // No witness for this script in tr descriptor, look for next one
+            }
+        } else {
+            match ms.satisfy(&satisfier) {
+                Ok(wit) => wit,
+                Err(..) => continue, // No witness for this script in tr descriptor, look for next one
+            }
+        };
+        // Compute the final witness size
+        // Control block len + script len + witnesssize + varint(wit.len + 2)
+        // The extra +2 elements are control block and script itself
+        let wit_size = witness_size(&wit)
+            + control_block_len(depth)
+            + ms.script_size()
+            + varint_len(ms.script_size());
+        if min_wit_len.is_some() && Some(wit_size) > min_wit_len {
+            continue;
+        } else {
+            let leaf_script = (ms.encode(), LeafVersion::default());
+            let control_block = desc
+                .spend_info()
+                .control_block(&leaf_script)
+                .expect("Control block must exist in script map for every known leaf");
+            wit.push(leaf_script.0.into_bytes()); // Push the leaf script
+            // There can be multiple control blocks for a (script, ver) pair
+            // Find the smallest one amongst those
+            wit.push(control_block.serialize());
+            // Finally, save the minimum
+            min_wit = Some(wit);
+            min_wit_len = Some(wit_size);
         }
     }
+    match min_wit {
+        Some(wit) => Ok((wit, Script::new())),
+        None => Err(Error::CouldNotSatisfy), // Could not satisfy all miniscripts inside Tr
+    }
+}
+
+fn best_simplicity_spend<Pk, S, Ext>(
+    desc: &Tr<Pk, Ext>,
+    satisfier: S,
+) -> Result<(Vec<Vec<u8>>, Script), Error>
+where
+    Pk: ToPublicKey,
+    S: Satisfier<Pk>,
+    Ext: ParseableExt,
+{
+    let policy = desc.get_simplicity().ok_or(Error::CouldNotSatisfy)?;
+    let satisfier = crate::simplicity::SatisfierWrapper::new(satisfier);
+    let program = policy.satisfy(&satisfier).map_err(|_| Error::CouldNotSatisfy)?;
+
+    let program_and_witness_bytes = program.encode_to_vec();
+    let cmr_bytes = Vec::from(program.cmr().as_ref());
+
+    let script = elements::Script::from(program.cmr().as_ref().to_vec());
+    let script_ver = (script, simplicity::leaf_version());
+    let control_block = desc
+        .spend_info()
+        .control_block(&script_ver)
+        .expect("Control block must exist in script map for every known leaf");
+
+    let witness = vec![
+        program_and_witness_bytes,
+        cmr_bytes,
+        control_block.serialize(),
+    ];
+    Ok((witness, Script::new()))
 }
 
 #[cfg(test)]
diff --git a/src/simplicity.rs b/src/simplicity.rs
@@ -1,9 +1,13 @@
 // SPDX-License-Identifier: CC0-1.0
 use std::fmt;
+use std::marker::PhantomData;
 use std::str::FromStr;
 use std::sync::Arc;
 
-use simplicity::{Policy, FailEntropy};
+use bitcoin_miniscript::ToPublicKey;
+use elements::{LockTime, SchnorrSig, Sequence};
+use elements::taproot::TapLeafHash;
+use simplicity::{Policy, FailEntropy, Preimage32};
 
 use crate::policy::concrete::PolicyError;
 use crate::{expression, Error, MiniscriptKey};
@@ -121,6 +125,37 @@ where
     true
 }
 
+// We could make crate::Satisfier a subtrait of simplicity::Satisfier,
+// but then we would have to implement simplicity::Satisfier for all the blanket implementations
+// of crate::Satisfier, such as HashMap<Pk, ElementsSig>, which is annoying
+// We might choose to do so in the future, but for now a crate-local wrapper is easier
+// This wrapper is internally used by `Tr` and is never encountered by users
+pub(crate) struct SatisfierWrapper<Pk: ToPublicKey, S: crate::Satisfier<Pk>>(S, PhantomData<Pk>);
+
+impl<Pk: ToPublicKey, S: crate::Satisfier<Pk>> SatisfierWrapper<Pk, S> {
+    pub fn new(satisfier: S) -> Self {
+        Self(satisfier, PhantomData)
+    }
+}
+
+impl<Pk: ToPublicKey, S: crate::Satisfier<Pk>> simplicity::Satisfier<Pk> for SatisfierWrapper<Pk, S> {
+    fn lookup_tap_leaf_script_sig(&self, pk: &Pk, hash: &TapLeafHash) -> Option<SchnorrSig> {
+        self.0.lookup_tap_leaf_script_sig(pk, hash)
+    }
+
+    fn lookup_sha256(&self, hash: &Pk::Sha256) -> Option<Preimage32> {
+        self.0.lookup_sha256(hash)
+    }
+
+    fn check_older(&self, sequence: Sequence) -> bool {
+        self.0.check_older(sequence)
+    }
+
+    fn check_after(&self, locktime: LockTime) -> bool {
+        self.0.check_after(locktime)
+    }
+}
+
 #[cfg(test)]
 mod tests {
     use secp256k1::XOnlyPublicKey;
