Merge #170: Policy fixes

d64e3b2 policy: Iterator over fragments and keys (Christian Lewe)
1bdedd1 policy: Add sighash cache (Christian Lewe)
67dfb83 elements: Environment with generic transaction ref (Christian Lewe)
9182897 policy: Export satisfy structs (Christian Lewe)
36b4ad9 Add accessor to Simplicity's leaf version (Christian Lewe)
dfa267e policy: Implement Hash for Policy (Christian Lewe)
3fcf2f7 policy: Implement Simplicity key traits for Miniscript equivalents (Christian Lewe)

Pull request description:

  Adds fixes to make Policy work with Miniscript, descriptors and the Simplicity wallet.

  The only controversial change should be the implementation of Simplicity key traits for every Miniscript key. This introduces a diamond pattern: rust-miniscript → rust-simplicity → elements-miniscript and rust-miniscript → elements-miniscript. The situation is not ideal, but it avoids violating the orphan rule that caused us so much trouble.

  In particular we need to convert `elements_miniscript::Satisfier` (with Miniscript keys) into `simplicity::Satisfier` (with Simplicity keys). We could make `elements_miniscript::Satisfier` a subtrait of simplicity::Satisfier, but we would have to do that for every generic implementation of `elements_miniscript::Satisfier`. We would need to copy code to rust-simplicity and implement `simplicity::Satisfier` for nonsensical types such as `HashMap<Pk, ElementsSig>`.

  The diamond pattern seems like a good solution that will work until we have a better architecture. It allows us to use Miniscript and Simplicity keys interchangeably, while all the messy Simplicity details stay inside rust-simplicity.

ACKs for top commit:
  apoelstra:
    ACK d64e3b2

Tree-SHA512: 16a84a2dc6eadef0bd714ab8bacbac7b29a4d5813121028ff04bd290380f24e82093cd71db291a9431501cccfce4895e36727cf0af635a29413e387f98e2b752

Author: apoelstra

Cargo.toml

@@ -17,6 +17,7 @@ path = "src/lib.rs"
 
 [dependencies]
 bitcoin = { version = "0.30.0", optional = true }
+bitcoin-miniscript = { package = "miniscript", version = "10.0" }
 byteorder = "1.3"
 elements = { version = "0.22.0", optional = true }
 hashes = { package = "bitcoin_hashes", version = "0.12" }

jets-bench/benches/elements/env.rs

@@ -28,12 +28,12 @@ pub enum EnvSampling {
 
 impl EnvSampling {
     /// Obtain a random environment without any annex
-    pub fn env(&self) -> ElementsEnv {
+    pub fn env(&self) -> ElementsEnv<Arc<Transaction>> {
         self.env_with_annex(None)
     }
 
     /// Obtains a env with annex
-    pub fn env_with_annex(&self, annex: Option<Vec<u8>>) -> ElementsEnv {
+    pub fn env_with_annex(&self, annex: Option<Vec<u8>>) -> ElementsEnv<Arc<Transaction>> {
         let ((txin, spent_utxo), n_in, n_out) = match self {
             EnvSampling::Null => return null_env(),
             EnvSampling::Issuance(n_in, n_out) => (txin_utils::issuance(), n_in, n_out),
@@ -81,7 +81,7 @@ fn env_with_spent_utxos(
     tx: Transaction,
     utxos: Vec<ElementsUtxo>,
     annex: Option<Vec<u8>>,
-) -> ElementsEnv {
+) -> ElementsEnv<Arc<Transaction>> {
     let ctrl_blk: [u8; 33] = [
         0xc0, 0xeb, 0x04, 0xb6, 0x8e, 0x9a, 0x26, 0xd1, 0x16, 0x04, 0x6c, 0x76, 0xe8, 0xff, 0x47,
         0x33, 0x2f, 0xb7, 0x1d, 0xda, 0x90, 0xff, 0x4b, 0xef, 0x53, 0x70, 0xf2, 0x52, 0x26, 0xd3,
@@ -98,7 +98,7 @@ fn env_with_spent_utxos(
     )
 }
 
-fn null_env() -> ElementsEnv {
+fn null_env() -> ElementsEnv<Arc<Transaction>> {
     let tx = Transaction {
         version: u32::default(),
         lock_time: LockTime::ZERO,

jets-bench/benches/elements/main.rs

@@ -59,7 +59,7 @@ enum ElementsBenchEnvType {
 }
 
 impl ElementsBenchEnvType {
-    fn env(&self) -> ElementsEnv {
+    fn env(&self) -> ElementsEnv<Arc<elements::Transaction>> {
         let n_in = NUM_TX_INPUTS;
         let n_out = NUM_TX_OUTPUTS;
         let env_sampler = match self {

src/jet/elements/environment.rs

@@ -16,7 +16,7 @@ use crate::merkle::cmr::Cmr;
 use elements::confidential;
 use elements::taproot::ControlBlock;
 use simplicity_sys::c_jets::c_env::CElementsTxEnv;
-use std::sync::Arc;
+use std::ops::Deref;
 
 use super::c_env;
 
@@ -58,11 +58,11 @@ impl From<elements::TxOut> for ElementsUtxo {
 // Similar story if we tried to use a &'a elements::Transaction rather than
 // an Arc: we'd have a lifetime parameter <'a> that would cause us trouble.
 #[allow(dead_code)]
-pub struct ElementsEnv {
+pub struct ElementsEnv<T: Deref<Target = elements::Transaction>> {
     /// The CTxEnv struct
     c_tx_env: CElementsTxEnv,
     /// The elements transaction
-    tx: Arc<elements::Transaction>,
+    tx: T,
     /// the current index of the input
     ix: u32,
     /// Control block used to spend this leaf script
@@ -73,9 +73,12 @@ pub struct ElementsEnv {
     genesis_hash: elements::BlockHash,
 }
 
-impl ElementsEnv {
+impl<T> ElementsEnv<T>
+where
+    T: Deref<Target = elements::Transaction>,
+{
     pub fn new(
-        tx: Arc<elements::Transaction>,
+        tx: T,
         utxos: Vec<ElementsUtxo>,
         ix: u32,
         script_cmr: Cmr,
@@ -128,7 +131,7 @@ impl ElementsEnv {
 }
 
 #[cfg(test)]
-impl ElementsEnv {
+impl ElementsEnv<std::sync::Arc<elements::Transaction>> {
     /// Return a dummy Elements environment
     pub fn dummy() -> Self {
         Self::dummy_with(elements::LockTime::ZERO, elements::Sequence::MAX)
@@ -146,7 +149,7 @@ impl ElementsEnv {
         ];
 
         ElementsEnv::new(
-            Arc::new(elements::Transaction {
+            std::sync::Arc::new(elements::Transaction {
                 version: 2,
                 lock_time,
                 // Enable locktime in dummy txin

src/jet/init/elements.rs

@@ -12,6 +12,7 @@ use std::io::Write;
 use std::{fmt, str};
 use crate::jet::elements::ElementsEnv;
 use simplicity_sys::CElementsTxEnv;
+use std::sync::Arc;
 
 /// Elements jet family
 #[derive(Copy, Clone, PartialEq, Eq, PartialOrd, Ord, Debug, Hash)]
@@ -313,7 +314,7 @@ pub enum Elements {
 
 impl Jet for Elements {
 
-    type Environment = ElementsEnv;
+    type Environment = ElementsEnv<Arc<elements::Transaction>>;
     type CJetEnvironment = CElementsTxEnv;
 
     fn c_jet_env<'env>(&self, env: &'env Self::Environment) -> &'env Self::CJetEnvironment {

src/lib.rs

@@ -55,7 +55,9 @@ pub use bit_encoding::BitWriter;
 pub use bit_encoding::{BitIter, EarlyEndOfStreamError};
 
 #[cfg(feature = "elements")]
-pub use crate::policy::{Policy, SimplicityKey, ToXOnlyPubkey, Translator};
+pub use crate::policy::{
+    sighash, Policy, Preimage32, Satisfier, SimplicityKey, ToXOnlyPubkey, Translator,
+};
 
 pub use crate::bit_machine::BitMachine;
 pub use crate::encode::{encode_natural, encode_value, encode_witness};
@@ -71,6 +73,12 @@ pub use crate::value::Value;
 pub use simplicity_sys as ffi;
 use std::fmt;
 
+/// Return the version of Simplicity leaves inside a tap tree.
+#[cfg(feature = "elements")]
+pub fn leaf_version() -> elements::taproot::LeafVersion {
+    elements::taproot::LeafVersion::from_u8(0xbe).expect("constant leaf version")
+}
+
 /// Error type for simplicity
 #[non_exhaustive]
 #[derive(Debug)]

src/policy/ast.rs

@@ -37,7 +37,7 @@ use super::serialize;
 /// given a witness.
 ///
 /// Furthermore, the policy can be normalized and is amenable to semantic analysis.
-#[derive(Clone, PartialEq, Eq, PartialOrd, Ord)]
+#[derive(Clone, PartialEq, Eq, PartialOrd, Ord, Hash)]
 pub enum Policy<Pk: SimplicityKey> {
     /// Unsatisfiable
     Unsatisfiable(FailEntropy),
@@ -215,6 +215,19 @@ impl<Pk: SimplicityKey> Policy<Pk> {
             _ => {}
         }
     }
+
+    /// Return an iterator over the fragments of the policy.
+    pub fn iter(&self) -> PolicyIter<'_, Pk> {
+        PolicyIter::new(self)
+    }
+
+    /// Return an iterator over the public keys of the policy.
+    pub fn iter_pk(&self) -> impl Iterator<Item = Pk> + '_ {
+        self.iter().filter_map(|fragment| match fragment {
+            Policy::Key(key) => Some(key.clone()),
+            _ => None,
+        })
+    }
 }
 
 impl<Pk: SimplicityKey> fmt::Debug for Policy<Pk> {
@@ -244,3 +257,39 @@ impl<Pk: SimplicityKey> fmt::Display for Policy<Pk> {
         fmt::Debug::fmt(self, f)
     }
 }
+
+/// Iterator over the fragments of a Simplicity policy.
+///
+/// The fragments are visited in preorder:
+/// We first visit the parent, then the left subtree, then the right subtree.
+pub struct PolicyIter<'a, Pk: SimplicityKey> {
+    stack: Vec<&'a Policy<Pk>>,
+}
+
+impl<'a, Pk: SimplicityKey> PolicyIter<'a, Pk> {
+    /// Create an iterator for the given policy.
+    pub fn new(policy: &'a Policy<Pk>) -> Self {
+        Self {
+            stack: vec![policy],
+        }
+    }
+}
+
+impl<'a, Pk: SimplicityKey> Iterator for PolicyIter<'a, Pk> {
+    type Item = &'a Policy<Pk>;
+
+    fn next(&mut self) -> Option<Self::Item> {
+        let top = self.stack.pop()?;
+        match top {
+            Policy::And { left, right } | Policy::Or { left, right } => {
+                self.stack.push(right);
+                self.stack.push(left);
+            }
+            Policy::Threshold(_, children) => {
+                self.stack.extend(children.iter().rev());
+            }
+            _ => {}
+        }
+        Some(top)
+    }
+}

src/policy/key.rs

@@ -1,3 +1,4 @@
+use bitcoin_miniscript::{MiniscriptKey, ToPublicKey};
 use elements::bitcoin::key::XOnlyPublicKey;
 use hashes::sha256;
 use std::fmt::{Debug, Display};
@@ -8,8 +9,8 @@ pub trait SimplicityKey: Clone + Eq + Ord + Debug + Display + std::hash::Hash {
     type Sha256: Clone + Eq + Ord + Display + Debug + std::hash::Hash;
 }
 
-impl SimplicityKey for XOnlyPublicKey {
-    type Sha256 = sha256::Hash;
+impl<Pk: MiniscriptKey> SimplicityKey for Pk {
+    type Sha256 = <Pk as MiniscriptKey>::Sha256;
 }
 
 /// Public key which can be converted to a (x-only) public key which can be used in Simplicity.
@@ -21,13 +22,13 @@ pub trait ToXOnlyPubkey: SimplicityKey {
     fn to_sha256(hash: &Self::Sha256) -> sha256::Hash;
 }
 
-impl ToXOnlyPubkey for XOnlyPublicKey {
+impl<Pk: ToPublicKey> ToXOnlyPubkey for Pk {
     fn to_x_only_pubkey(&self) -> XOnlyPublicKey {
-        *self
+        <Pk as ToPublicKey>::to_x_only_pubkey(self)
     }
 
     fn to_sha256(hash: &Self::Sha256) -> sha256::Hash {
-        *hash
+        <Pk as ToPublicKey>::to_sha256(hash)
     }
 }
 

src/policy/mod.rs

@@ -28,9 +28,11 @@
 mod ast;
 mod error;
 mod key;
-pub mod satisfy;
+mod satisfy;
 mod serialize;
+pub mod sighash;
 
 pub use ast::Policy;
 pub use error::Error;
 pub use key::{SimplicityKey, ToXOnlyPubkey, Translator};
+pub use satisfy::{Preimage32, Satisfier};

src/policy/satisfy.rs

@@ -249,7 +249,9 @@ mod tests {
         }
     }
 
-    fn get_satisfier(env: &ElementsEnv) -> PolicySatisfier<XOnlyPublicKey> {
+    fn get_satisfier(
+        env: &ElementsEnv<Arc<elements::Transaction>>,
+    ) -> PolicySatisfier<XOnlyPublicKey> {
         let mut preimages = HashMap::new();
 
         for i in 0..3 {
@@ -283,7 +285,10 @@ mod tests {
         }
     }
 
-    fn execute_successful(program: Arc<RedeemNode<Elements>>, env: &ElementsEnv) {
+    fn execute_successful(
+        program: Arc<RedeemNode<Elements>>,
+        env: &ElementsEnv<Arc<elements::Transaction>>,
+    ) {
         let mut mac = BitMachine::for_program(&program);
         assert!(mac.exec(&program, env).is_ok());
     }

src/policy/serialize.rs

@@ -255,7 +255,12 @@ mod tests {
     use hashes::{sha256, Hash};
     use std::sync::Arc;
 
-    fn compile(policy: Policy<XOnlyPublicKey>) -> (Arc<ConstructNode<Elements>>, ElementsEnv) {
+    fn compile(
+        policy: Policy<XOnlyPublicKey>,
+    ) -> (
+        Arc<ConstructNode<Elements>>,
+        ElementsEnv<Arc<elements::Transaction>>,
+    ) {
         let commit = policy.serialize_no_witness();
         let env = ElementsEnv::dummy();
 
@@ -265,7 +270,7 @@ mod tests {
     fn execute_successful(
         commit: &ConstructNode<Elements>,
         witness: Vec<Value>,
-        env: &ElementsEnv,
+        env: &ElementsEnv<Arc<elements::Transaction>>,
     ) -> bool {
         let finalized = commit
             .finalize_types()