Allow trigger/recovery output nValues to exceed the amounts supplied by
constituent vault inputs. This allows future compatibility for e.g.
trigger collateral.
This change makes the amount being revaulted (if any) explicit to avoid
issues surfaced by AJ Towns (e.g. multiple compatible vault inputs
duplicating triggers and revaults to confuse the old deferred check
logic).
Pseudocode is also provided for the deferred checks, and their inline
validation description has been changed to be more faithful to the
implementation - we make mention of queueing deferred checks, and then
later describe the algorithm used to aggregate and perform them.
Instead of implicitly detecting whether or not an OP_VAULT/OP_UNVAULT
spend is a recovery spend by scanning outputs for matching
scriptPubKeys, explicitly indicate recoveries by requiring a witness
stack element that is either -1 in the case of no recovery OR
corresponds to an output index that is the recovery output.
* initial commit
* fix formatting
* add importing section
* clarify csv preference
* tabs to spaces
* add rationale and references, require that rfc4180 is followed
* fix reference links
* show reference links as list
* use self describing json lines format instead of csv
* add bip number and accommodate 65 byte pubkeys
* fix comments uri
Includes:
* Simpler (but equivalent) ElligatorSwift encoding function & spec
* Improved test vectors
* Test vector generation code
* Code for converting test vectors for libsecp256k1 code.
* Code for running test vectors against SwiftEC paper authors' code.
* Miscellaneous reference code improvements (style, comments).
In contrast to taproot_output_script, taproot_sign_key was not able to deal with
a script_tree that is None. This commit fixes taproot_sign_key such that it can
sign for such outputs.
This commit avoids changing the behavior of the functions except
taproot_sign_key at the cost of having some code duplication. Alternatively, one
could let taproot_tree_helper deal with a None script_tree directly.
`lift_x` returns `None` if the input integer is not an X coordinate on the curve
to indicate failure. `point_add`, on the other hand, interprets `None` as the
point at infinity. Therefore, without this commit, if the internal `pubkey` is
not a valid X coordinate, the function will not fail, which contradicts the
specification in the "Script validation rules section". Instead, it sets `Q` to
`t*G`.
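
The failure mode described in the commit message above, as an added example that is not the commit's or the BIP's own code: a self-contained tweak function modeled on the BIP340/BIP341 reference helpers, run with and without the `lift_x` failure check. The names `tweak_pubkey`, `check_lift` and `INVALID_X` are assumptions made here, and `INVALID_X` is a constructed input.

```python
import hashlib

p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F  # secp256k1 field
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def tagged_hash(tag, msg):
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + msg).digest()

def lift_x(x):
    """Return the even-y point with this x, or None if x is not on the curve."""
    y_sq = (pow(x, 3, p) + 7) % p
    y = pow(y_sq, (p + 1) // 4, p)
    if x >= p or pow(y, 2, p) != y_sq: return None
    return (x, y if y % 2 == 0 else p - y)

def point_add(P1, P2):  # None is the point at infinity here, not an error
    if P1 is None: return P2
    if P2 is None: return P1
    if P1[0] == P2[0] and P1[1] != P2[1]: return None
    if P1 == P2:
        lam = 3 * P1[0] * P1[0] * pow(2 * P1[1], p - 2, p) % p
    else:
        lam = (P2[1] - P1[1]) * pow(P2[0] - P1[0], p - 2, p) % p
    x3 = (lam * lam - P1[0] - P2[0]) % p
    return (x3, (lam * (P1[0] - x3) - P1[1]) % p)

def point_mul(P, k):
    R = None
    for i in range(256):
        if (k >> i) & 1: R = point_add(R, P)
        P = point_add(P, P)
    return R

def tweak_pubkey(pubkey, h, check_lift=True):
    """Return (t, x(Q)); check_lift=False reproduces the unchecked behaviour."""
    t = int.from_bytes(tagged_hash("TapTweak", pubkey + h), "big")
    if t >= n:
        raise ValueError("tweak out of range")
    P = lift_x(int.from_bytes(pubkey, "big"))
    if check_lift and P is None:
        raise ValueError("internal pubkey is not a valid x coordinate")
    Q = point_add(P, point_mul(G, t))  # with P None this silently yields t*G
    return t, Q[0].to_bytes(32, "big")

# Constructed input: the smallest integer that is not an x coordinate on the curve.
INVALID_X = next(x for x in range(1000) if lift_x(x) is None)
```

With `check_lift=False` an invalid internal key produces an output key equal to `t*G`, so the output is spendable by anyone who can compute `t` from the public data; with the check in place the function raises instead.
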
The reconciliation protocol assumes using one role consistently. Since
it is irrelevant which one is which, we can imply that the initiator of
the P2P connection will assume the role of reconciliation initiator.
This protocol simplification will seep into the implementation.