Develop

apps/btc_family/btc/btc_app.c

@@ -106,6 +106,7 @@ const btc_config_t btc_app = {
     .legacy_xpub_ver = 0x0488b21e,
     .segwit_xpub_ver = 0x049d7cb2,
     .nsegwit_xpub_ver = 0x04b24746,
+    .taproot_xpub_ver = 0x04b24746,
     .bech32_hrp = "bc",
     .lunit_name = "BTC",
     .name = "Bitcoin",

apps/btc_family/btc_context.h

@@ -60,7 +60,7 @@ typedef struct {
   uint32_t legacy_xpub_ver;
   uint32_t segwit_xpub_ver;
   uint32_t nsegwit_xpub_ver;
-
+  uint32_t taproot_xpub_ver;
   /** The human-readable prefix for Bech32 encoded addresses. Applicable for
    * Segwit and Taproot addresses. Ref:
    * https://github.com/bitcoin/bips/blob/master/bip-0173.mediawiki#segwit-address-format

apps/btc_family/btc_helpers.c

@@ -62,10 +62,18 @@
 
 #include "btc_helpers.h"
 
+#include <stdint.h>
+#include <string.h>
+
+#include "bignum.h"
 #include "btc_priv.h"
 #include "coin_utils.h"
+#include "ecdsa.h"
 #include "flash_config.h"
+#include "secp256k1.h"
 #include "segwit_addr.h"
+#include "sha2.h"
+#include "utils.h"
 
 /*****************************************************************************
  * EXTERN VARIABLES
@@ -95,6 +103,74 @@
  * STATIC FUNCTIONS
  *****************************************************************************/
 
+// Computes sha256(tap_tweak_hash + tap_tweak_hash + x_only_public_key +
+// root_hash) and stores the result in tweak_key_hash.
+static bool bip340_tweak_key_hash(const uint8_t *x_only_public_key,
+                                  const uint8_t *root_hash,
+                                  uint8_t tweak_key_hash[32]) {
+  if (NULL == x_only_public_key || NULL == tweak_key_hash) {
+    return false;
+  }
+
+  size_t payload_size = 32;    // x_only_public_key
+  if (root_hash != NULL) {
+    payload_size += 32;
+  }
+
+  uint8_t payload[payload_size];
+  memzero(payload, payload_size);
+  // Prepare the data for hashing
+  memcpy(payload, x_only_public_key, 32);
+  if (root_hash != NULL) {
+    memcpy(payload + 32, root_hash, 32);
+  }
+
+  bip340_tagged_hash("TapTweak", tweak_key_hash, payload, payload_size);
+  return true;
+}
+
+// Calculates result = (public_key_point + tweak_key_hash * G).x
+static bool bip340_point_add_tweak(const ecdsa_curve *curve,
+                                   const uint8_t *public_key,
+                                   const uint8_t *tweak_key_hash,
+                                   uint8_t result[32]) {
+  if (NULL == public_key || NULL == tweak_key_hash || NULL == result) {
+    return false;
+  }
+
+  curve_point public_key_point = {0};
+  if (!ecdsa_read_pubkey(curve, public_key, &public_key_point)) {
+    return false;
+  }
+
+  // Negate y-coordinate if it's odd
+  if (bn_is_odd(&public_key_point.y)) {
+    bn_subtract(&curve->prime, &public_key_point.y, &public_key_point.y);
+    bn_mod(&public_key_point.y, &curve->prime);
+  }
+
+  bignum256 tweak_hash_bn = {0};
+  bn_read_be(tweak_key_hash, &tweak_hash_bn);
+  bn_mod(&tweak_hash_bn, &curve->order);
+
+  if (bn_is_zero(&tweak_hash_bn)) {
+    return false;
+  }
+
+  curve_point result_point = {0};
+  point_multiply(curve,
+                 &tweak_hash_bn,
+                 &curve->G,
+                 &result_point);    // result_point = tweak_hash_bn * G
+  point_add(curve,
+            &public_key_point,
+            &result_point);    // result_point = public_key_point + result_point
+
+  // take the x-coordinate of the result point
+  bn_write_be(&result_point.x, result);
+  return true;
+}
+
 /*****************************************************************************
  * GLOBAL FUNCTIONS
  *****************************************************************************/
@@ -162,6 +238,9 @@ bool btc_get_version(uint32_t purpose_index, uint32_t *xpub_ver) {
     case PURPOSE_NSEGWIT:
       *xpub_ver = g_btc_app->nsegwit_xpub_ver;
       break;
+    case PURPOSE_TAPROOT:
+      *xpub_ver = g_btc_app->taproot_xpub_ver;
+      break;
     default:
       status = false;
   }
@@ -208,3 +287,108 @@ void format_value(const uint64_t value_in_sat,
   snprintf(
       msg, msg_len, "%0.*f %s", precision, fee_in_btc, g_btc_app->lunit_name);
 }
+
+// BIP340 tagged hash implementation
+void bip340_tagged_hash(const char *tag,
+                        uint8_t *out,
+                        const uint8_t *data,
+                        size_t data_len) {
+  uint8_t tag_hash[32];
+  Hasher hasher;
+
+  // Hash the tag
+  hasher_Init(&hasher, HASHER_SHA2);
+  hasher_Update(&hasher, (const uint8_t *)tag, strlen(tag));
+  hasher_Final(&hasher, tag_hash);
+
+  // tagged_hash = SHA256(SHA256(tag) || SHA256(tag) || data)
+  hasher_Init(&hasher, HASHER_SHA2);
+  hasher_Update(&hasher, tag_hash, 32);
+  hasher_Update(&hasher, tag_hash, 32);
+  hasher_Update(&hasher, data, data_len);
+  hasher_Final(&hasher, out);
+}
+
+// implementation of BIP-340 tweak public key for taproot without using
+// secp256k1 library
+bool bip340_tweak_public_key(const uint8_t *public_key,
+                             const uint8_t *root_hash,
+                             uint8_t *tweaked_public_key) {
+  if (NULL == public_key || NULL == tweaked_public_key) {
+    return false;
+  }
+
+  uint8_t tweak_key_hash[32] = {0};
+  if (!bip340_tweak_key_hash(public_key + 1, root_hash, tweak_key_hash)) {
+    return false;
+  }
+
+  if (!bip340_point_add_tweak(
+          &secp256k1, public_key, tweak_key_hash, tweaked_public_key)) {
+    return false;
+  }
+
+  return true;
+}
+
+// BIP341 private key tweaking for Taproot
+bool bip340_tweak_private_key(const uint8_t *private_key,
+                              const uint8_t *public_key,
+                              const uint8_t *root_hash,
+                              uint8_t *tweaked_private_key) {
+  if (NULL == private_key || NULL == tweaked_private_key) {
+    return false;
+  }
+
+  // Compute the tweak hash
+  uint8_t tweak_hash[32] = {0};
+  if (!bip340_tweak_key_hash(public_key + 1, root_hash, tweak_hash)) {
+    return false;
+  }
+
+  bignum256 sk = {0}, t = {0}, result = {0};
+  bn_read_be(private_key, &sk);
+  const ecdsa_curve *curve = &secp256k1;
+  curve_point public_key_point = {0};
+  if (!ecdsa_read_pubkey(curve, public_key, &public_key_point)) {
+    return false;
+  }
+
+  // Negate private key if public key y is odd
+  if (bn_is_odd(&public_key_point.y)) {
+    bn_subtract(&curve->order, &sk, &sk);
+    bn_mod(&sk, &curve->order);
+  }
+
+  // Compute tweaked private key: sk' = sk + t (mod n)
+  bn_read_be(tweak_hash, &t);
+  bn_mod(&t, &curve->order);
+  bn_copy(&sk, &result);
+  bn_add(&result, &t);
+  bn_mod(&result, &curve->order);
+
+  bn_write_be(&result, tweaked_private_key);
+
+  // Clear sensitive data
+  memzero(&sk, sizeof(sk));
+  memzero(&t, sizeof(t));
+  memzero(&result, sizeof(result));
+  memzero(tweak_hash, sizeof(tweak_hash));
+
+  return true;
+}
+
+int btc_get_taproot_address(uint8_t *public_key,
+                            const char *hrp,
+                            char *address) {
+  if (NULL == public_key || NULL == hrp || NULL == address) {
+    return 0;
+  }
+
+  uint8_t tweaked_public_key[32] = {0};
+  if (!bip340_tweak_public_key(public_key, NULL, tweaked_public_key)) {
+    return 0;
+  }
+
+  return segwit_addr_encode(address, hrp, 1, tweaked_public_key, 32);
+}

apps/btc_family/btc_helpers.h

@@ -137,4 +137,73 @@ bool btc_derivation_path_guard(const uint32_t *path, uint32_t depth);
  */
 void format_value(uint64_t value_in_sat, char *msg, size_t msg_len);
 
+/**
+ * @brief Returns the taproot key path address string (Bech32M encoding)
+ * @details The functions assumes public key is compressed
+ *
+ * @param [in] public_key    33 Byte array representation of public key.
+ * @param [in] hrp           HRP value for bech32M encoding "bc" for mainnet and
+ * "tb" for testnet.
+ * @param [out] address  char array to store taproot address.
+ *
+ * @return 1 if successful and 0 if failure.
+ */
+int btc_get_taproot_address(uint8_t *public_key,
+                            const char *hrp,
+                            char *address);
+
+/**
+ * @brief Tweaks a private key for Taproot key path spending.
+ * @details This function implements BIP341 private key tweaking for Taproot.
+ * The tweaked private key is computed as sk' = sk + t (mod n) where t is the
+ * tweak hash.
+ *
+ * @param private_key The internal private key (32 bytes)
+ * @param root_hash The Merkle root hash (32 bytes, can be NULL for key path
+ * only)
+ * @param public_key The public key (33 bytes, compressed format)
+ * @param tweaked_private_key Output buffer for the tweaked private key (32
+ * bytes)
+ *
+ * @return bool Status code
+ * @retval true Success
+ * @retval false Error (invalid inputs, tweaking failed)
+ */
+bool bip340_tweak_private_key(const uint8_t *private_key,
+                              const uint8_t *public_key,
+                              const uint8_t *root_hash,
+                              uint8_t *tweaked_private_key);
+
+/**
+ * @brief Tweaks a public key for Taproot key path spending.
+ * @details This function implements BIP341 public key tweaking for Taproot.
+ * The tweaked public key is computed as P' = P + t*G where t is the tweak hash.
+ *
+ * @param public_key The internal public key (33 bytes, compressed format)
+ * @param root_hash The Merkle root hash (32 bytes, can be NULL for key path
+ * only)
+ * @param tweaked_public_key Output buffer for the tweaked public key
+ * x-coordinate (32 bytes)
+ *
+ * @return bool Status code
+ * @retval true Success
+ * @retval false Error (invalid inputs, tweaking failed)
+ */
+bool bip340_tweak_public_key(const uint8_t *public_key,
+                             const uint8_t *root_hash,
+                             uint8_t *tweaked_public_key);
+
+/**
+ * @brief BIP340 tagged hash implementation
+ * @details This function implements BIP340 tagged hash for Taproot.
+ *
+ * @param tag The tag to be hashed
+ * @param out The output buffer for the hashed data
+ * @param data The data to be hashed
+ * @param data_len The length of the data
+ */
+void bip340_tagged_hash(const char *tag,
+                        uint8_t *out,
+                        const uint8_t *data,
+                        size_t data_len);
 #endif

apps/btc_family/btc_priv.h

@@ -34,6 +34,17 @@ typedef struct {
   uint8_t hash_outputs[32];
 } btc_segwit_cache_t;
 
+typedef struct {
+  bool filled;
+  uint8_t sha_prevouts[32];
+  uint8_t sha_amounts[32];
+  uint8_t sha_scriptpubkeys[32];
+  uint8_t sha_sequences[32];
+  uint8_t sha_outputs[32];
+  uint8_t sha_annex[32];
+  uint8_t sha_single_output[32];
+} btc_taproot_cache_t;
+
 typedef struct {
   pb_byte_t prev_txn_hash[32];
   uint32_t prev_output_index;
@@ -69,6 +80,8 @@ typedef struct {
   btc_sign_txn_metadata_t metadata;
   // Populated for segwit transactions
   btc_segwit_cache_t segwit_cache;
+  // Populated for taproot transactions
+  btc_taproot_cache_t taproot_cache;
 
   /**
    * The structure holds the outputs (TxOut) of the transaction. Refer

apps/btc_family/btc_pub_key.c

@@ -199,7 +199,7 @@ static size_t btc_get_address(const uint8_t *seed,
                               uint8_t *public_key,
                               char *address) {
   HDNode node = {0};
-  char addr[50] = "";
+  char addr[70] = "";
   size_t address_length = 0;
 
   if (!derive_hdnode_from_path(
@@ -230,7 +230,9 @@ static size_t btc_get_address(const uint8_t *seed,
                                     36);
       break;
 
-    // TODO: add support for taproot
+    case PURPOSE_TAPROOT:
+      btc_get_taproot_address(node.public_key, g_btc_app->bech32_hrp, addr);
+      break;
     default:
       break;
   }

apps/btc_family/btc_script.c

@@ -64,6 +64,7 @@
 
 #include "base58.h"
 #include "bip32.h"
+#include "btc_helpers.h"
 #include "btc_priv.h"
 #include "memzero.h"
 #include "ripemd160.h"
@@ -240,12 +241,21 @@ bool btc_check_script_address(const uint8_t *script,
   uint8_t digest[HASHER_DIGEST_LENGTH] = {0};
   btc_script_type_e type = btc_get_script_type(script, script_len);
   if (SCRIPT_TYPE_P2PKH != type && SCRIPT_TYPE_P2WPKH != type &&
-      SCRIPT_TYPE_P2SH != type) {
+      SCRIPT_TYPE_P2SH != type && SCRIPT_TYPE_P2TR != type) {
     // allow only p2pkh and p2wpkh and p2sh-p2wpkh for change output
     return false;
   }
   uint8_t offset = (SCRIPT_TYPE_P2PKH == type) ? 3 : 2;
 
+  if (SCRIPT_TYPE_P2TR == type) {
+    offset = 2;
+    uint8_t tweaked_public_key[32] = {0};
+    if (!bip340_tweak_public_key(public_key, NULL, tweaked_public_key)) {
+      return false;
+    }
+    return memcmp(tweaked_public_key, script + offset, 32) == 0;
+  }
+
   hasher_Raw(HASHER_SHA2_RIPEMD, public_key, BTC_SHORT_PUB_KEY_SIZE, digest);
 
   if (SCRIPT_TYPE_P2SH == type) {