multi: stxo inclusion proof verification

This commit adds v2 inclusion proof verification.

Author: gijswijs

asset/asset.go

@@ -2070,7 +2070,7 @@ func CollectSTXO(outAsset *Asset) ([]AltLeaf[Asset], error) {
 	// Genesis assets have no input asset, so they should have an empty
 	// STXO tree. Split leaves will also have a zero PrevID; we will use
 	// an empty STXO tree for them as well.
-	if outAsset.IsGenesisAsset() || outAsset.HasSplitCommitmentWitness() {
+	if !outAsset.IsTransferRoot() {
 		return nil, nil
 	}
 

proof/append.go

@@ -171,10 +171,14 @@ func CreateTransitionProof(prevOut wire.OutPoint,
 					"prevID", wit)
 			}
 
-			spentAsset := &asset.Asset{
-				ScriptKey: asset.NewScriptKey(
-					asset.DeriveBurnKey(*wit.PrevID),
-				),
+			prevIdKey := asset.DeriveBurnKey(*wit.PrevID)
+			scriptKey := asset.NewScriptKey(prevIdKey)
+			spentAsset, err := asset.NewAltLeaf(
+				scriptKey, asset.ScriptV0, nil,
+			)
+			if err != nil {
+				return nil, fmt.Errorf("error creating "+
+					"altLeaf: %w", err)
 			}
 
 			// Generate an STXO inclusion proof for each prev

proof/append_test.go

@@ -71,7 +71,7 @@ func TestAppendTransition(t *testing.T) {
 			withBip86Change: true,
 		},
 		{
-			name:      "normal with change",
+			name:      "normal with change (with split)",
 			assetType: asset.Normal,
 			amt:       100,
 			withSplit: true,
@@ -135,6 +135,17 @@ func runAppendTransitionTest(t *testing.T, assetType asset.Type, amt uint64,
 
 	// Add some alt leaves to the commitment anchoring the asset transfer.
 	altLeaves := asset.ToAltLeaves(asset.RandAltLeaves(t, true))
+
+	// Commit to the stxo of the previous asset. Otherwise the inclusion
+	// proofs will fail.
+	prevIdKey := asset.DeriveBurnKey(*newAsset.PrevWitnesses[0].PrevID)
+	scriptKey := asset.NewScriptKey(prevIdKey)
+	stxoAsset, err := asset.NewAltLeaf(
+		scriptKey, asset.ScriptV0, nil,
+	)
+	require.NoError(t, err)
+	stxoLeaf := asset.ToAltLeaves([]*asset.Asset{stxoAsset})
+	altLeaves = append(altLeaves, stxoLeaf...)
 	err = tapCommitment.MergeAltLeaves(altLeaves)
 	require.NoError(t, err)
 
@@ -293,8 +304,20 @@ func runAppendTransitionTest(t *testing.T, assetType asset.Type, amt uint64,
 		nil, split1Commitment,
 	)
 	require.NoError(t, err)
+
+	// Commit to the stxo of the previous asset. Otherwise the inclusion
+	// proofs will fail. With splits this is only needed for the root asset.
+	prevIdKey1 := asset.DeriveBurnKey(*split1Asset.PrevWitnesses[0].PrevID)
+	scriptKey1 := asset.NewScriptKey(prevIdKey1)
+	stxoAsset1, err := asset.NewAltLeaf(
+		scriptKey1, asset.ScriptV0, nil,
+	)
+	require.NoError(t, err)
+	stxoLeaf1 := asset.ToAltLeaves([]*asset.Asset{stxoAsset1})
+	split1AltLeaves = append(split1AltLeaves, stxoLeaf1...)
 	err = tap1Commitment.MergeAltLeaves(split1AltLeaves)
 	require.NoError(t, err)
+
 	tap2Commitment, err := commitment.NewTapCommitment(
 		nil, split2Commitment,
 	)

proof/verifier.go

@@ -165,6 +165,51 @@ func verifyTaprootProof(anchor *wire.MsgTx, proof *TaprootProof,
 
 // verifyInclusionProof verifies the InclusionProof is valid.
 func (p *Proof) verifyInclusionProof() (*commitment.TapCommitment, error) {
+
+	// Determine if we're dealing with v1 or v2 proofs.
+	hasV2Proofs := p.InclusionProof.CommitmentProof != nil &&
+		len(p.InclusionProof.CommitmentProof.STXOProofs) > 0
+
+	if hasV2Proofs {
+		commitVersions := make(
+			map[uint32][]commitment.TapCommitmentVersion,
+		)
+		p2trOutputs := make(map[uint32]fn.Set[asset.SerializedKey])
+		outIdx := p.InclusionProof.OutputIndex
+		p2trOutputs[outIdx] = make(fn.Set[asset.SerializedKey])
+
+		// Collect the STXOs from the new asset.
+		stxoAssets, err := asset.CollectSTXO(&p.Asset)
+		if err != nil {
+			return nil, fmt.Errorf("error collecting STXO "+
+				"assets: %w", err)
+		}
+
+		// Map STXOs by serialized key.
+		assetMap := make(map[asset.SerializedKey]*asset.Asset)
+		for idx := range stxoAssets {
+			stxoAsset := stxoAssets[idx].(*asset.Asset)
+			key := asset.ToSerialized(stxoAsset.ScriptKey.PubKey)
+			assetMap[key] = stxoAsset
+			p2trOutputs[outIdx].Add(key)
+		}
+
+		baseProof := p.InclusionProof
+
+		commitment, err := p.verifySTXOProofSet(baseProof, assetMap,
+			p2trOutputs, commitVersions, true)
+		if err != nil {
+			return nil, err
+		}
+
+		err = p.verifyRemainingOutputs(p2trOutputs)
+		if err != nil {
+			return nil, err
+		}
+
+		return commitment, nil
+	}
+
 	return verifyTaprootProof(
 		&p.AnchorTx, &p.InclusionProof, &p.Asset, true,
 	)
@@ -283,8 +328,8 @@ func (p *Proof) verifyV2ExclusionProofs(
 			continue
 		}
 
-		err := p.verifySTXOProofSet(baseProof, assetMap,
-			p2trOutputs, commitVersions)
+		_, err := p.verifySTXOProofSet(baseProof, assetMap,
+			p2trOutputs, commitVersions, false)
 		if err != nil {
 			return nil, err
 		}
@@ -334,21 +379,26 @@ func (p *Proof) handleBasicExclusionProof(baseProof *TaprootProof,
 func (p *Proof) verifySTXOProofSet(baseProof TaprootProof,
 	assetMap map[asset.SerializedKey]*asset.Asset,
 	p2trOutputs map[uint32]fn.Set[asset.SerializedKey],
-	commitVersions map[uint32][]commitment.TapCommitmentVersion) error {
+	commitVersions map[uint32][]commitment.TapCommitmentVersion,
+	inclusion bool,
+) (*commitment.TapCommitment, error) {
 
+	var commitment *commitment.TapCommitment
 	for key := range baseProof.CommitmentProof.STXOProofs {
 		stxoProof := baseProof.CommitmentProof.STXOProofs[key]
 		stxoAsset := assetMap[key]
-		stxoExclProof := p.makeSTXOExclusionProof(baseProof, &stxoProof)
+		stxoCombinedProof := p.makeSTXOProof(baseProof, &stxoProof)
 
-		commitment, err := verifyTaprootProof(
-			&p.AnchorTx, &stxoExclProof, stxoAsset, false,
+		var err error
+		commitment, err = verifyTaprootProof(
+			&p.AnchorTx, &stxoCombinedProof, stxoAsset, inclusion,
 		)
 		if err != nil {
-			return fmt.Errorf("error verifying STXO proof: %w", err)
+			return nil, fmt.Errorf("error verifying STXO "+
+				"proof: %w", err)
 		}
 
-		outIdx := stxoExclProof.OutputIndex
+		outIdx := stxoCombinedProof.OutputIndex
 		delete(p2trOutputs[outIdx], key)
 		if len(p2trOutputs[outIdx]) == 0 {
 			delete(p2trOutputs, outIdx)
@@ -359,11 +409,12 @@ func (p *Proof) verifySTXOProofSet(baseProof TaprootProof,
 		)
 	}
 
-	return nil
+	return commitment, nil
 }
 
-// makeSTXOExclusionProof creates a new exclusion proof for an STXO.
-func (p *Proof) makeSTXOExclusionProof(baseProof TaprootProof,
+// makeSTXOProof creates a new proof for an STXO reusing the base proof while
+// replacing commitmentProof bu the stxoProof.
+func (p *Proof) makeSTXOProof(baseProof TaprootProof,
 	stxoProof *commitment.Proof) TaprootProof {
 
 	return TaprootProof{

tapsend/proof_test.go

@@ -222,27 +222,38 @@ func addOutputCommitment(t *testing.T, anchorTx *AnchorTransaction,
 		}
 	}
 
-	for idx, assets := range assetsByOutput {
-		for idx := range assets {
-			if !assets[idx].HasSplitCommitmentWitness() {
+	stxoAssetsByOutput := make(map[uint32][]asset.AltLeaf[asset.Asset])
+	for idx1, assets := range assetsByOutput {
+		for idx2 := range assets {
+			if assets[idx2].IsTransferRoot() {
+				stxoAssets, err := asset.CollectSTXO(
+					assets[idx2],
+				)
+				stxoAssetsByOutput[idx1] = append(
+					stxoAssetsByOutput[idx1], stxoAssets...,
+				)
+				require.NoError(t, err)
+			}
+			if !assets[idx2].HasSplitCommitmentWitness() {
 				continue
 			}
-			assets[idx] = assets[idx].Copy()
-			assets[idx].PrevWitnesses[0].SplitCommitment = nil
+			assets[idx2] = assets[idx2].Copy()
+			assets[idx2].PrevWitnesses[0].SplitCommitment = nil
 		}
 
 		c, err := commitment.FromAssets(nil, assets...)
 		require.NoError(t, err)
+		err = c.MergeAltLeaves(stxoAssetsByOutput[idx1])
+		require.NoError(t, err)
 
-		internalKey := keyByOutput[idx]
+		internalKey := keyByOutput[idx1]
 		script, err := tapscript.PayToAddrScript(*internalKey, nil, *c)
 		require.NoError(t, err)
 
-		packet.UnsignedTx.TxOut[idx].PkScript = script
-		packet.Outputs[idx].TaprootInternalKey = schnorr.SerializePubKey(
-			internalKey,
-		)
-		outputCommitments[idx] = c
+		packet.UnsignedTx.TxOut[idx1].PkScript = script
+		packet.Outputs[idx1].TaprootInternalKey = schnorr.
+			SerializePubKey(internalKey)
+		outputCommitments[idx1] = c
 	}
 }