feat: Taproot sign txn basic code

Author: muzaffarbhat07

apps/btc_family/btc_priv.h

@@ -34,6 +34,17 @@ typedef struct {
   uint8_t hash_outputs[32];
 } btc_segwit_cache_t;
 
+typedef struct {
+  bool filled;
+  uint8_t sha_prevouts[32];
+  uint8_t sha_amounts[32];
+  uint8_t sha_scriptpubkeys[32];
+  uint8_t sha_sequences[32];
+  uint8_t sha_outputs[32];
+  uint8_t sha_annex[32];
+  uint8_t sha_single_output[32];
+} btc_taproot_cache_t;
+
 typedef struct {
   pb_byte_t prev_txn_hash[32];
   uint32_t prev_output_index;
@@ -69,6 +80,8 @@ typedef struct {
   btc_sign_txn_metadata_t metadata;
   // Populated for segwit transactions
   btc_segwit_cache_t segwit_cache;
+  // Populated for taproot transactions
+  btc_taproot_cache_t taproot_cache;
 
   /**
    * The structure holds the outputs (TxOut) of the transaction. Refer

apps/btc_family/btc_txn.c

@@ -669,6 +669,8 @@ static bool sign_input(scrip_sig_t *signatures) {
 
   // populate hashes cache for segwit transaction types
   btc_segwit_init_cache(btc_txn_context);
+  // populate hashes cache for taproot transaction types
+  btc_taproot_init_cache(btc_txn_context);
   if (!derive_hdnode_from_path(hd_path, 3, SECP256K1_NAME, buffer, &node) ||
       false == validate_change_address(&node)) {
     btc_send_error(ERROR_COMMON_ERROR_CORRUPT_DATA_TAG,
@@ -702,10 +704,15 @@ static bool sign_input(scrip_sig_t *signatures) {
     }
 
     status = btc_digest_input(btc_txn_context, idx, buffer);
-    ecdsa_sign_digest(
-        curve, t_node.private_key, buffer, signatures[idx].bytes, NULL, NULL);
-    signatures[idx].size = btc_sig_to_script_sig(
-        signatures[idx].bytes, t_node.public_key, signatures[idx].bytes);
+    if (TAPROOT_KEY_PATH == hd_path[0]) {
+      schnorrsig_sign32(t_node.private_key, buffer, signatures[idx].bytes, NULL);
+    }
+    else {
+      ecdsa_sign_digest(
+          curve, t_node.private_key, buffer, signatures[idx].bytes, NULL, NULL);
+      signatures[idx].size = btc_sig_to_script_sig(
+          signatures[idx].bytes, t_node.public_key, signatures[idx].bytes);
+    }
     if (0 == signatures[idx].size || false == status) {
       // early exit as digest could not be calculated
       btc_send_error(ERROR_COMMON_ERROR_UNKNOWN_ERROR_TAG, 1);

apps/btc_family/btc_txn_helpers.c

@@ -398,6 +398,77 @@ void btc_segwit_init_cache(btc_txn_context_t *context) {
   memzero(&sha_256_ctx, sizeof(sha_256_ctx));
 }
 
+void btc_taproot_init_cache(btc_txn_context_t *context) {
+  btc_taproot_cache_t * taproot_cache = &context->taproot_cache;
+
+  //sha_prevouts
+  uint8_t * prevouts_buf = malloc(36*context->metadata.input_count);
+  memzero(prevouts_buf, 36*context->metadata.input_count);
+
+  for (uint32_t idx = 0, len = 0; idx < context->metadata.input_count; idx++) {
+    memcpy(prevouts_buf+len, context->inputs[idx].prev_txn_hash, 32);
+    len +=32;
+    memcpy(prevouts_buf+len, (uint8_t*)&context->inputs[idx].prev_output_index, 4);
+    len+4;
+  }
+  sha256_Raw(prevouts_buf, 36*context->metadata.input_count, taproot_cache->sha_prevouts);
+  free(prevouts_buf);
+
+  //sha_amounts
+  SHA256_CTX sha_256_ctx = {0};
+  memzero(&sha_256_ctx, sizeof(sha_256_ctx));
+  sha256_Init(&sha_256_ctx);
+
+  for (uint32_t idx = 0; idx < context->metadata.input_count; idx++) {
+    sha256_Update(&sha_256_ctx, (uint8_t*)&context->inputs[idx].value, 8);
+  }
+  sha256_Final(&sha_256_ctx, taproot_cache->sha_amounts);
+
+  //sha_scriptpubkeys
+  uint8_t * script_buf = malloc(35*context->metadata.input_count);
+  memzero(script_buf, 35*context->metadata.input_count);
+
+  for (uint32_t idx = 0, len = 0; idx < context->metadata.input_count; idx++) {
+    memcpy(script_buf + len, context->inputs[idx].script_pub_key.bytes, context->inputs[idx].script_pub_key.size);
+    len += context->inputs[idx].script_pub_key.size;
+  }
+  sha256_Raw(script_buf, 35*context->metadata.input_count, taproot_cache->sha_scriptpubkeys);
+  free(script_buf);
+
+  //sha_sequences
+  sha256_Init(&sha_256_ctx);
+  for (uint32_t idx = 0; idx < context->metadata.input_count; idx++) {
+    sha256_Update(&sha_256_ctx, (uint8_t*)&context->inputs[idx].sequence, 4);
+  }
+
+  sha256_Final(&sha_256_ctx, taproot_cache->sha_sequences);
+
+  //sha_outputs
+  // calculate capacity
+  uint32_t capacity = 0;
+  uint32_t size = 0;
+  while (size < context->metadata.output_count)
+  {
+    capacity +=8;
+    capacity += context->outputs[size].script_pub_key.size;
+    size++;
+  }
+
+  uint8_t * output_buf = malloc(capacity);
+  memzero(output_buf, capacity);
+
+  for (uint32_t idx = 0, len = 0; idx < context->metadata.output_count; idx++) {
+    memcpy( output_buf+len, (uint8_t*)&context->outputs[idx].value, 8);
+    len += 8;
+    memcpy( output_buf+len, context->outputs[idx].script_pub_key.bytes, context->outputs[idx].script_pub_key.size);
+    len += context->outputs[idx].script_pub_key.size;
+  }
+  sha256_Raw(output_buf, capacity, taproot_cache->sha_outputs);
+  free(output_buf);
+
+  taproot_cache->filled = true;
+}
+
 bool btc_digest_input(const btc_txn_context_t *context,
                       const uint32_t index,
                       uint8_t *digest) {
@@ -412,8 +483,258 @@ bool btc_digest_input(const btc_txn_context_t *context,
   } else if (SCRIPT_TYPE_P2PKH == type) {
     // p2pkh digest calculation; has not failure case
     calculate_p2pkh_digest(context, index, digest);
+  }  else if (SCRIPT_TYPE_P2SH == type) {
+    status = calculate_p2wpkh_in_p2sh_digest(context, index, digest);
+  } else if (SCRIPT_TYPE_P2TR == type) {
+    status = calculate_p2tr_digest(context, index, digest);
   } else {
     status = false;
   }
   return status;
 }
+
+#include "ecdsa.h"
+#include "secp256k1.h"
+#include "memzero.h"
+
+typedef struct {
+    uint8_t secret_key[32];    // Private key
+    uint8_t public_key[32];    // X-coordinate of public key (for BIP340)
+    uint8_t has_even_y;        // Whether Y-coordinate is even
+} bip340_keypair_t;
+
+int keypair_create(bip340_keypair_t *keypair, const uint8_t *private_key_bytes) {
+    // 1. Validate private key (must be in range [1, n-1])
+    bignum256 sk;
+    bn_read_be(private_key_bytes, &sk);
+    
+    // Check if sk is valid (not zero and less than curve order)
+    if (bn_is_zero(&sk)) {
+        return -1;
+    }
+    
+    if (!bn_is_less(&sk, &secp256k1.order)) {
+        return -1;
+    }
+    
+    // 2. Copy private key
+    memcpy(keypair->secret_key, private_key_bytes, 32);
+    
+    // 3. Calculate public key: P = sk * G
+    curve_point pub;
+    scalar_multiply(&secp256k1, &sk, &pub);
+    
+    // 4. Convert to affine coordinates and get x-coordinate
+    bignum256 x, y;
+    bn_inverse(&pub.z, &secp256k1.prime);
+    bignum256 z_squared;
+    bn_multiply(&pub.z, &pub.z, &secp256k1.prime);
+    bn_multiply(&pub.x, &z_squared, &secp256k1.prime);
+    bn_mod(&pub.x, &secp256k1.prime);
+    
+    // Store x-coordinate
+    bn_write_be(&pub.x, keypair->public_key);
+    
+    // 5. Check if Y is even (needed for BIP340)
+    bn_multiply(&pub.z, &z_squared, &secp256k1.prime);
+    bn_multiply(&pub.y, &pub.z, &secp256k1.prime);
+    bn_mod(&pub.y, &secp256k1.prime);
+    keypair->has_even_y = !bn_is_odd(&pub.y);
+    
+    // Clear sensitive data
+    memzero(&sk, sizeof(sk));
+    memzero(&pub, sizeof(pub));
+    
+    return 0;
+}
+
+#include "hasher.h"
+#include "hmac.h"
+
+// BIP340 tagged hash implementation
+void bip340_tagged_hash(const char *tag, uint8_t *out, 
+                        const uint8_t *data, size_t data_len) {
+    uint8_t tag_hash[32];
+    Hasher hasher;
+    
+    // Hash the tag
+    hasher_Init(&hasher, HASHER_SHA2);
+    hasher_Update(&hasher, (const uint8_t*)tag, strlen(tag));
+    hasher_Final(&hasher, tag_hash);
+    
+    // tagged_hash = SHA256(SHA256(tag) || SHA256(tag) || data)
+    hasher_Init(&hasher, HASHER_SHA2);
+    hasher_Update(&hasher, tag_hash, 32);
+    hasher_Update(&hasher, tag_hash, 32);
+    hasher_Update(&hasher, data, data_len);
+    hasher_Final(&hasher, out);
+}
+
+int schnorrsig_sign32(uint8_t *signature_bytes,
+                             const uint8_t *digest,
+                             const bip340_keypair_t *keypair,
+                             const uint8_t *auxiliary_data) {
+  bignum256 sk, e, k, r_x;
+  curve_point R;
+  uint8_t aux[32];
+  uint8_t nonce_data[32 + 32 + 32 + 32];    // sk || P.x || msg || aux
+  uint8_t nonce_hash[32];
+
+  // 1. Load private key
+  bn_read_be(keypair->secret_key, &sk);
+
+  // 2. Adjust private key if public key has odd Y
+  // BIP340 requires: if has_odd_y(P), then sk = n - sk
+  if (!keypair->has_even_y) {
+    bn_subtract(&secp256k1.order, &sk, &sk);
+    bn_mod(&sk, &secp256k1.order);
+  }
+
+  // 3. Prepare auxiliary data (use zeros if NULL)
+  if (auxiliary_data == NULL) {
+    memzero(aux, 32);
+  } else {
+    memcpy(aux, auxiliary_data, 32);
+  }
+
+  // 4. Generate deterministic nonce k (BIP340)
+  // k = tagged_hash("BIP0340/nonce", sk || P.x || msg || aux)
+
+  // First, XOR auxiliary data with private key for additional randomness
+  uint8_t sk_bytes[32];
+  bn_write_be(&sk, sk_bytes);
+  for (int i = 0; i < 32; i++) {
+    sk_bytes[i] ^= aux[i];
+  }
+
+  // Build nonce input: sk || P.x || msg || aux
+  memcpy(nonce_data, sk_bytes, 32);
+  memcpy(nonce_data + 32, keypair->public_key, 32);
+  memcpy(nonce_data + 64, digest, 32);
+  memcpy(nonce_data + 96, aux, 32);
+
+  // Generate nonce
+  bip340_tagged_hash("BIP0340/nonce", nonce_hash, nonce_data, 128);
+  bn_read_be(nonce_hash, &k);
+  bn_mod(&k, &secp256k1.order);
+
+  // Ensure k != 0
+  if (bn_is_zero(&k)) {
+    return -1;
+  }
+
+  // 5. Calculate R = k*G
+  scalar_multiply(&secp256k1, &k, &R);
+
+  // 6. Convert R to affine coordinates and get x-coordinate
+  bignum256 z_inv, z_inv_squared;
+  bn_inverse(&R.z, &secp256k1.prime);
+  bn_multiply(&z_inv, &z_inv, &secp256k1.prime);
+  bn_multiply(&R.x, &z_inv, &secp256k1.prime);
+  bn_mod(&R.x, &secp256k1.prime);
+
+  // Also get R.y for parity check
+  bn_multiply(&z_inv, &z_inv_squared, &secp256k1.prime);
+  bn_multiply(&R.y, &z_inv, &secp256k1.prime);
+  bn_mod(&R.y, &secp256k1.prime);
+
+  // 7. If R.y is odd, negate k
+  if (bn_is_odd(&R.y)) {
+    bn_subtract(&secp256k1.order, &k, &k);
+    bn_mod(&k, &secp256k1.order);
+  }
+
+  // 8. Store R.x in signature (first 32 bytes)
+  bn_write_be(&R.x, signature_bytes);
+
+  // 9. Calculate e = tagged_hash("BIP0340/challenge", R.x || P.x || m)
+  uint8_t challenge_data[32 + 32 + 32];    // R.x || P.x || msg
+  uint8_t challenge_hash[32];
+
+  // Build challenge input: R.x || P.x || msg
+  memcpy(challenge_data, signature_bytes, 32);    // R.x (already stored)
+  memcpy(challenge_data + 32, keypair->public_key, 32);    // P.x
+  memcpy(challenge_data + 64, digest, 32);                 // message
+
+  // Generate challenge e
+  bip340_tagged_hash("BIP0340/challenge", challenge_hash, challenge_data, 96);
+  bn_read_be(challenge_hash, &e);
+  bn_mod(&e, &secp256k1.order);
+
+  // 10. Calculate s = k + e*sk mod n
+  bignum256 s, temp;
+  bn_multiply(&e, &sk, &secp256k1.order);    // temp = e*sk mod n
+  bn_copy(&e, &temp);
+  bn_addmod(&k, &temp, &secp256k1.order);    // s = k + e*sk mod n
+  bn_copy(&k, &s);
+
+  // 11. Store s in signature (second 32 bytes)
+  bn_write_be(&s, signature_bytes + 32);
+
+  // 12. Verify signature is valid (optional but recommended)
+  // This catches any implementation errors
+  uint8_t verify_result[32];
+  if (manual_schnorrsig_verify(signature_bytes, digest, keypair->public_key) !=
+      0) {
+    memzero(signature_bytes, 64);
+    return -1;
+  }
+
+  // Clear all sensitive data
+  memzero(&sk, sizeof(sk));
+  memzero(&k, sizeof(k));
+  memzero(&e, sizeof(e));
+  memzero(&s, sizeof(s));
+  memzero(&R, sizeof(R));
+  memzero(sk_bytes, sizeof(sk_bytes));
+  memzero(nonce_data, sizeof(nonce_data));
+  memzero(nonce_hash, sizeof(nonce_hash));
+  memzero(challenge_data, sizeof(challenge_data));
+  memzero(challenge_hash, sizeof(challenge_hash));
+
+  return 0;
+}
+
+// Helper function for verification (optional)
+int manual_schnorrsig_verify(const uint8_t *signature,
+                             const uint8_t *digest,
+                             const uint8_t *public_key_x) {
+  bignum256 r, s, e, x;
+  curve_point R, P, sG, eP;
+
+  // Load r and s from signature
+  bn_read_be(signature, &r);
+  bn_read_be(signature + 32, &s);
+
+  // Check r and s are in valid range
+  if (!bn_is_less(&r, &secp256k1.prime) || !bn_is_less(&s, &secp256k1.order)) {
+    return -1;
+  }
+
+  // Load public key x-coordinate
+  bn_read_be(public_key_x, &x);
+
+  // Compute e = tagged_hash("BIP0340/challenge", r || P.x || m)
+  uint8_t challenge_data[96];
+  uint8_t challenge_hash[32];
+  memcpy(challenge_data, signature, 32);            // r
+  memcpy(challenge_data + 32, public_key_x, 32);    // P.x
+  memcpy(challenge_data + 64, digest, 32);          // message
+
+  bip340_tagged_hash("BIP0340/challenge", challenge_hash, challenge_data, 96);
+  bn_read_be(challenge_hash, &e);
+  bn_mod(&e, &secp256k1.order);
+
+  // Recover P from x-coordinate (lift_x)
+  if (point_lift_x(&secp256k1, &P, &x) != 0) {
+    return -1;
+  }
+
+  // Compute R = s*G - e*P
+  scalar_multiply(&secp256k1, &s, &sG);    // s*G
+  scalar_multiply(&secp256k1, &e, &eP);    // e*P (using recovered P)
+  point_multiply(&secp256k1, &e, &P, &eP);
+
+  // Negate eP
+  // bn_subtract(&secp256k1)
+}