bitcoinrb 0.5.0 → 0.9.0

data/lib/bitcoin/secp256k1/native.rb

@@ -4,8 +4,8 @@
 module Bitcoin
   module Secp256k1
 
-    # binding for secp256k1 (https://github.com/bitcoin/bitcoin/tree/v0.14.2/src/secp256k1)
-    # tag: v0.14.2
+    # binding for secp256k1 (https://github.com/bitcoin-core/secp256k1/)
+    # commit: efad3506a8937162e8010f5839fdf3771dfcf516
     # this is not included by default, to enable set shared object path to ENV['SECP256K1_LIB_PATH']
     # for linux, ENV['SECP256K1_LIB_PATH'] = '/usr/local/lib/libsecp256k1.so'
     # for mac,
@@ -50,6 +50,14 @@ module Bitcoin
         attach_function(:secp256k1_ecdsa_signature_parse_der, [:pointer, :pointer, :pointer, :size_t], :int)
         attach_function(:secp256k1_ecdsa_signature_normalize, [:pointer, :pointer, :pointer], :int)
         attach_function(:secp256k1_ecdsa_verify, [:pointer, :pointer, :pointer, :pointer], :int)
+        attach_function(:secp256k1_schnorrsig_sign, [:pointer, :pointer, :pointer, :pointer, :pointer, :pointer], :int)
+        attach_function(:secp256k1_schnorrsig_verify, [:pointer, :pointer, :pointer, :pointer], :int)
+        attach_function(:secp256k1_keypair_create, [:pointer, :pointer, :pointer], :int)
+        attach_function(:secp256k1_xonly_pubkey_parse, [:pointer, :pointer, :pointer], :int)
+        attach_function(:secp256k1_ecdsa_sign_recoverable, [:pointer, :pointer, :pointer, :pointer, :pointer, :pointer], :int)
+        attach_function(:secp256k1_ecdsa_recoverable_signature_serialize_compact, [:pointer, :pointer, :pointer, :pointer], :int)
+        attach_function(:secp256k1_ecdsa_recover, [:pointer, :pointer, :pointer, :pointer], :int)
+        attach_function(:secp256k1_ecdsa_recoverable_signature_parse_compact, [:pointer, :pointer, :pointer, :int], :int)
       end
 
       def with_context(flags: (SECP256K1_CONTEXT_VERIFY | SECP256K1_CONTEXT_SIGN))
@@ -97,13 +105,152 @@ module Bitcoin
 
       # sign data.
       # @param [String] data a data to be signed with binary format
-      # @param [String] privkey a private key using sign
-      # @param [String] extra_entropy a extra entropy for rfc6979
+      # @param [String] privkey a private key with hex format using sign
+      # @param [String] extra_entropy a extra entropy with binary format for rfc6979
+      # @param [Symbol] algo signature algorithm. ecdsa(default) or schnorr.
       # @return [String] signature data with binary format
-      def sign_data(data, privkey, extra_entropy)
+      def sign_data(data, privkey, extra_entropy = nil, algo: :ecdsa)
+        case algo
+        when :ecdsa
+          sign_ecdsa(data, privkey, extra_entropy)
+        when :schnorr
+          sign_schnorr(data, privkey, extra_entropy)
+        else
+          nil
+        end
+      end
+
+      # Sign data with compact format.
+      # @param [String] data a data to be signed with binary format
+      # @param [String] privkey a private key using sign with hex format
+      # @return [Array[signature, recovery id]]
+      def sign_compact(data, privkey)
+        with_context do |context|
+          sig = FFI::MemoryPointer.new(:uchar, 65)
+          hash =FFI::MemoryPointer.new(:uchar, data.bytesize).put_bytes(0, data)
+          priv_key = privkey.htb
+          sec_key = FFI::MemoryPointer.new(:uchar, priv_key.bytesize).put_bytes(0, priv_key)
+          result = secp256k1_ecdsa_sign_recoverable(context, sig, hash, sec_key, nil, nil)
+          raise 'secp256k1_ecdsa_sign_recoverable failed.' if result == 0
+
+          output = FFI::MemoryPointer.new(:uchar, 64)
+          rec = FFI::MemoryPointer.new(:uint64)
+          result = secp256k1_ecdsa_recoverable_signature_serialize_compact(context, output, rec, sig)
+          raise 'secp256k1_ecdsa_recoverable_signature_serialize_compact failed.' unless result == 1
+
+          raw_sig = output.read_string(64)
+          [ECDSA::Signature.new(raw_sig[0...32].bti, raw_sig[32..-1].bti), rec.read(:int)]
+        end
+      end
+
+      # Recover public key from compact signature.
+      # @param [String] data message digest using signature.
+      # @param [String] signature signature with binary format.
+      # @param [Integer] rec recovery id.
+      # @param [Boolean] compressed whether compressed public key or not.
+      # @return [Bitcoin::Key] Recovered public key.
+      def recover_compact(data, signature, rec, compressed)
+        with_context do |context|
+          sig = FFI::MemoryPointer.new(:uchar, 65)
+          input = FFI::MemoryPointer.new(:uchar, 64).put_bytes(0, signature[1..-1])
+          result = secp256k1_ecdsa_recoverable_signature_parse_compact(context, sig, input, rec)
+          raise 'secp256k1_ecdsa_recoverable_signature_parse_compact failed.' unless result == 1
+
+          pubkey = FFI::MemoryPointer.new(:uchar, 64)
+          msg = FFI::MemoryPointer.new(:uchar, data.bytesize).put_bytes(0, data)
+          result = secp256k1_ecdsa_recover(context, pubkey, sig, msg)
+          raise 'secp256k1_ecdsa_recover failed.' unless result == 1
+
+          pubkey = serialize_pubkey_internal(context, pubkey.read_string(64), compressed)
+          Bitcoin::Key.new(pubkey: pubkey, compressed: compressed)
+        end
+      end
+
+      # verify signature
+      # @param [String] data a data with binary format.
+      # @param [String] sig signature data with binary format
+      # @param [String] pubkey a public key with hex format using verify.
+      # # @param [Symbol] algo signature algorithm. ecdsa(default) or schnorr.
+      # @return [Boolean] verification result.
+      def verify_sig(data, sig, pubkey, algo: :ecdsa)
+        case algo
+        when :ecdsa
+          verify_ecdsa(data, sig, pubkey)
+        when :schnorr
+          verify_schnorr(data, sig, pubkey)
+        else
+          false
+        end
+      end
+
+      # # validate whether this is a valid public key (more expensive than IsValid())
+      # @param [String] pub_key public key with hex format.
+      # @param [Boolean] allow_hybrid whether support hybrid public key.
+      # @return [Boolean] If valid public key return true, otherwise false.
+      def parse_ec_pubkey?(pub_key, allow_hybrid = false)
+        pub_key = pub_key.htb
+        return false if !allow_hybrid && ![0x02, 0x03, 0x04].include?(pub_key[0].ord)
+        with_context do |context|
+          pubkey = FFI::MemoryPointer.new(:uchar, pub_key.bytesize).put_bytes(0, pub_key)
+          internal_pubkey = FFI::MemoryPointer.new(:uchar, 64)
+          result = secp256k1_ec_pubkey_parse(context, internal_pubkey, pubkey, pub_key.bytesize)
+          result == 1
+        end
+      end
+
+      # Create key pair data from private key.
+      # @param [String] priv_key with hex format
+      # @return [String] key pair data with hex format. data  = private key(32 bytes) | public key(64 bytes).
+      def create_keypair(priv_key)
+        with_context do |context|
+          priv_key = priv_key.htb
+          secret = FFI::MemoryPointer.new(:uchar, priv_key.bytesize).put_bytes(0, priv_key)
+          raise 'priv_key is invalid.' unless secp256k1_ec_seckey_verify(context, secret)
+          keypair = FFI::MemoryPointer.new(:uchar, 96)
+          raise 'priv_key is invalid.' unless secp256k1_keypair_create(context, keypair, secret) == 1
+          keypair.read_string(96).bth
+        end
+      end
+
+      # Check whether valid x-only public key or not.
+      # @param [String] pub_key x-only public key with hex format(32 bytes).
+      # @return [Boolean] result.
+      def valid_xonly_pubkey?(pub_key)
+        begin
+          full_pubkey_from_xonly_pubkey(pub_key)
+        rescue Exception
+          return false
+        end
+        true
+      end
+
+      private
+
+      # Calculate full public key(64 bytes) from public key(32 bytes).
+      # @param [String] pub_key x-only public key with hex format(32 bytes).
+      # @return [String] x-only public key with hex format(64 bytes).
+      def full_pubkey_from_xonly_pubkey(pub_key)
+        with_context do |context|
+          pubkey = pub_key.htb
+          raise ArgumentError, 'Pubkey size must be 32 bytes.' unless pubkey.bytesize == 32
+          xonly_pubkey = FFI::MemoryPointer.new(:uchar, pubkey.bytesize).put_bytes(0, pubkey)
+          full_pubkey = FFI::MemoryPointer.new(:uchar, 64)
+          raise ArgumentError, 'An invalid public key was specified.' unless secp256k1_xonly_pubkey_parse(context, full_pubkey, xonly_pubkey) == 1
+          full_pubkey.read_string(64).bth
+        end
+      end
+
+      def generate_pubkey_in_context(context, privkey, compressed: true)
+        internal_pubkey = FFI::MemoryPointer.new(:uchar, 64)
+        result = secp256k1_ec_pubkey_create(context, internal_pubkey, privkey.htb)
+        raise 'error creating pubkey' unless result
+        serialize_pubkey_internal(context, internal_pubkey, compressed)
+      end
+
+      def sign_ecdsa(data, privkey, extra_entropy)
         with_context do |context|
           secret = FFI::MemoryPointer.new(:uchar, privkey.htb.bytesize).put_bytes(0, privkey.htb)
-          raise 'priv_key invalid' unless secp256k1_ec_seckey_verify(context, secret)
+          raise 'priv_key is invalid' unless secp256k1_ec_seckey_verify(context, secret)
 
           internal_signature = FFI::MemoryPointer.new(:uchar, 64)
           msg32 = FFI::MemoryPointer.new(:uchar, 32).put_bytes(0, data)
@@ -126,11 +273,23 @@ module Bitcoin
         end
       end
 
-      def verify_sig(data, sig, pub_key)
+      def sign_schnorr(data, privkey, aux_rand = nil)
         with_context do |context|
-          return false if data.bytesize == 0
+          keypair = create_keypair(privkey).htb
+          keypair = FFI::MemoryPointer.new(:uchar, 96).put_bytes(0, keypair)
+          signature = FFI::MemoryPointer.new(:uchar, 64)
+          msg32 = FFI::MemoryPointer.new(:uchar, 32).put_bytes(0, data)
+          aux_rand = FFI::MemoryPointer.new(:uchar, 32).put_bytes(0, aux_rand) if aux_rand
+          raise 'Failed to generate schnorr signature.' unless secp256k1_schnorrsig_sign(context, signature, msg32, keypair, nil, aux_rand) == 1
+          signature.read_string(64)
+        end
+      end
 
-          pubkey = FFI::MemoryPointer.new(:uchar, pub_key.htb.bytesize).put_bytes(0, pub_key.htb)
+      def verify_ecdsa(data, sig, pubkey)
+        with_context do |context|
+          return false if data.bytesize == 0
+          pubkey = pubkey.htb
+          pubkey = FFI::MemoryPointer.new(:uchar, pubkey.bytesize).put_bytes(0, pubkey)
           internal_pubkey = FFI::MemoryPointer.new(:uchar, 64)
           result = secp256k1_ec_pubkey_parse(context, internal_pubkey, pubkey, pubkey.size)
           return false unless result
@@ -150,25 +309,33 @@ module Bitcoin
         end
       end
 
-      private
-
-      def generate_pubkey_in_context(context, privkey, compressed: true)
-        internal_pubkey = FFI::MemoryPointer.new(:uchar, 64)
-        result = secp256k1_ec_pubkey_create(context, internal_pubkey, privkey.htb)
-        raise 'error creating pubkey' unless result
+      def verify_schnorr(data, sig, pubkey)
+        with_context do |context|
+          return false if data.bytesize == 0
+          pubkey = full_pubkey_from_xonly_pubkey(pubkey).htb
+          xonly_pubkey = FFI::MemoryPointer.new(:uchar, pubkey.bytesize).put_bytes(0, pubkey)
+          signature = FFI::MemoryPointer.new(:uchar, sig.bytesize).put_bytes(0, sig)
+          msg32 = FFI::MemoryPointer.new(:uchar, 32).put_bytes(0, data)
+          result = secp256k1_schnorrsig_verify(context, signature, msg32, xonly_pubkey)
+          result == 1
+        end
+      end
 
+      # Serialize public key.
+      def serialize_pubkey_internal(context, pubkey_input, compressed)
         pubkey = FFI::MemoryPointer.new(:uchar, 65)
         pubkey_len = FFI::MemoryPointer.new(:uint64)
         result = if compressed
                    pubkey_len.put_uint64(0, 33)
-                   secp256k1_ec_pubkey_serialize(context, pubkey, pubkey_len, internal_pubkey, SECP256K1_EC_COMPRESSED)
+                   secp256k1_ec_pubkey_serialize(context, pubkey, pubkey_len, pubkey_input, SECP256K1_EC_COMPRESSED)
                  else
                    pubkey_len.put_uint64(0, 65)
-                   secp256k1_ec_pubkey_serialize(context, pubkey, pubkey_len, internal_pubkey, SECP256K1_EC_UNCOMPRESSED)
+                   secp256k1_ec_pubkey_serialize(context, pubkey, pubkey_len, pubkey_input, SECP256K1_EC_UNCOMPRESSED)
                  end
         raise 'error serialize pubkey' unless result || pubkey_len.read_uint64 > 0
         pubkey.read_string(pubkey_len.read_uint64).bth
       end
+
     end
   end
 end

data/lib/bitcoin/secp256k1/ruby.rb

@@ -27,11 +27,105 @@ module Bitcoin
         public_key.to_hex(compressed)
       end
 
+      # Check whether valid x-only public key or not.
+      # @param [String] pub_key x-only public key with hex format(32 bytes).
+      # @return [Boolean] result.
+      def valid_xonly_pubkey?(pub_key)
+        pubkey = pub_key.htb
+        return false unless pubkey.bytesize == 32
+        begin
+          ECDSA::Format::PointOctetString.decode(pubkey, ECDSA::Group::Secp256k1)
+        rescue Exception
+          return false
+        end
+        true
+      end
+
       # sign data.
       # @param [String] data a data to be signed with binary format
-      # @param [String] privkey a private key using sign
+      # @param [String] privkey a private key using sign with hex format
+      # @param [String] extra_entropy a extra entropy with binary format for rfc6979
+      # @param [Symbol] algo signature algorithm. ecdsa(default) or schnorr.
       # @return [String] signature data with binary format
-      def sign_data(data, privkey, extra_entropy)
+      def sign_data(data, privkey, extra_entropy = nil, algo: :ecdsa)
+        case algo
+        when :ecdsa
+          sign_ecdsa(data, privkey, extra_entropy)&.first
+        when :schnorr
+          sign_schnorr(data, privkey, extra_entropy)
+        else
+          nil
+        end
+      end
+
+      # Sign data with compact format.
+      # @param [String] data a data to be signed with binary format
+      # @param [String] privkey a private key using sign with hex format
+      # @return [Array[signature, recovery id]]
+      def sign_compact(data, privkey)
+        sig, rec = sign_ecdsa(data, privkey, nil)
+        [ECDSA::Format::SignatureDerString.decode(sig), rec]
+      end
+
+      # Recover public key from compact signature.
+      # @param [String] data message digest using signature.
+      # @param [String] signature signature with binary format.
+      # @param [Integer] rec recovery id.
+      # @param [Boolean] compressed whether compressed public key or not.
+      # @return [Bitcoin::Key] Recovered public key.
+      def recover_compact(data, signature, rec, compressed)
+        r = ECDSA::Format::IntegerOctetString.decode(signature[1...33])
+        s = ECDSA::Format::IntegerOctetString.decode(signature[33..-1])
+        ECDSA.recover_public_key(Bitcoin::Secp256k1::GROUP, data, ECDSA::Signature.new(r, s)).each do |p|
+          if p.y & 1 == rec
+            return Bitcoin::Key.from_point(p, compressed: compressed)
+          end
+        end
+      end
+
+      # verify signature using public key
+      # @param [String] data a SHA-256 message digest with binary format
+      # @param [String] sig a signature for +data+ with binary format
+      # @param [String] pubkey a public key with hex format.
+      # @return [Boolean] verify result
+      def verify_sig(data, sig, pubkey, algo: :ecdsa)
+        case algo
+        when :ecdsa
+          verify_ecdsa(data, sig, pubkey)
+        when :schnorr
+          verify_schnorr(data, sig, pubkey)
+        else
+          false
+        end
+      end
+
+      # if +pubkey+ is hybrid public key format, it convert uncompressed format.
+      # https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2012-June/001578.html
+      def repack_pubkey(pubkey)
+        p = pubkey.htb
+        case p[0]
+          when "\x06", "\x07"
+            p[0] = "\x04"
+            p
+          else
+            pubkey.htb
+        end
+      end
+
+      # validate whether this is a valid public key (more expensive than IsValid())
+      # @param [String] pubkey public key with hex format.
+      # @param [Boolean] allow_hybrid whether support hybrid public key.
+      # @return [Boolean] If valid public key return true, otherwise false.
+      def parse_ec_pubkey?(pubkey, allow_hybrid = false)
+        begin
+          point = ECDSA::Format::PointOctetString.decode(pubkey.htb, ECDSA::Group::Secp256k1, allow_hybrid: allow_hybrid)
+          ECDSA::Group::Secp256k1.valid_public_key?(point)
+        rescue ECDSA::Format::DecodeError
+          false
+        end
+      end
+
+      def sign_ecdsa(data, privkey, extra_entropy)
         privkey = privkey.htb
         private_key = ECDSA::Format::IntegerOctetString.decode(privkey)
         extra_entropy ||= ''
@@ -44,11 +138,14 @@ module Bitcoin
         r = point_field.mod(r_point.x)
         return nil if r.zero?
 
+        rec = r_point.y & 1
+
         e = ECDSA.normalize_digest(data, GROUP.bit_length)
         s = point_field.mod(point_field.inverse(nonce) * (e + r * private_key))
 
         if s > (GROUP.order / 2) # convert low-s
           s = GROUP.order - s
+          rec ^= 1
         end
 
         return nil if s.zero?
@@ -56,35 +153,25 @@ module Bitcoin
         signature = ECDSA::Signature.new(r, s).to_der
         public_key = Bitcoin::Key.new(priv_key: privkey.bth).pubkey
         raise 'Creation of signature failed.' unless Bitcoin::Secp256k1::Ruby.verify_sig(data, signature, public_key)
-        signature
+        [signature, rec]
       end
 
-      # verify signature using public key
-      # @param [String] digest a SHA-256 message digest with binary format
-      # @param [String] sig a signature for +data+ with binary format
-      # @param [String] pubkey a public key corresponding to the private key used for sign
-      # @return [Boolean] verify result
-      def verify_sig(digest, sig, pubkey)
+      def sign_schnorr(data, privkey, aux_rand)
+        aux_rand ? Schnorr.sign(data, privkey.htb, aux_rand).encode : Schnorr.sign(data, privkey.htb).encode
+      end
+
+      def verify_ecdsa(data, sig, pubkey)
         begin
           k = ECDSA::Format::PointOctetString.decode(repack_pubkey(pubkey), GROUP)
           signature = ECDSA::Format::SignatureDerString.decode(sig)
-          ECDSA.valid_signature?(k, digest, signature)
+          ECDSA.valid_signature?(k, data, signature)
         rescue Exception
           false
         end
       end
 
-      # if +pubkey+ is hybrid public key format, it convert uncompressed format.
-      # https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2012-June/001578.html
-      def repack_pubkey(pubkey)
-        p = pubkey.htb
-        case p[0]
-          when "\x06", "\x07"
-            p[0] = "\x04"
-            p
-          else
-            pubkey.htb
-        end
+      def verify_schnorr(data, sig, pubkey)
+        Schnorr.valid_sig?(data, pubkey.htb, sig)
       end
 
     end

data/lib/bitcoin/sighash_generator.rb

@@ -0,0 +1,157 @@
+module Bitcoin
+
+  module SigHashGenerator
+
+    def self.load(sig_ver)
+      case sig_ver
+      when :base
+        LegacySigHashGenerator.new
+      when :witness_v0
+        SegwitSigHashGenerator.new
+      when :taproot, :tapscript
+        SchnorrSigHashGenerator.new
+      else
+        raise ArgumentError, "Unsupported sig version specified. #{sig_ver}"
+      end
+    end
+
+    # Legacy SigHash Generator
+    class LegacySigHashGenerator
+
+      def generate(tx, input_index, hash_type, opts)
+        output_script = opts[:script_code]
+        ins = tx.inputs.map.with_index do |i, idx|
+          if idx == input_index
+            i.to_payload(output_script.delete_opcode(Bitcoin::Opcodes::OP_CODESEPARATOR))
+          else
+            case hash_type & 0x1f
+            when SIGHASH_TYPE[:none], SIGHASH_TYPE[:single]
+              i.to_payload(Bitcoin::Script.new, 0)
+            else
+              i.to_payload(Bitcoin::Script.new)
+            end
+          end
+        end
+
+        outs = tx.outputs.map(&:to_payload)
+        out_size = Bitcoin.pack_var_int(tx.outputs.size)
+
+        case hash_type & 0x1f
+        when SIGHASH_TYPE[:none]
+          outs = ''
+          out_size = Bitcoin.pack_var_int(0)
+        when SIGHASH_TYPE[:single]
+          return "\x01".ljust(32, "\x00") if input_index >= tx.outputs.size
+          outs = tx.outputs[0...(input_index + 1)].map.with_index { |o, idx| (idx == input_index) ? o.to_payload : o.to_empty_payload }.join
+          out_size = Bitcoin.pack_var_int(input_index + 1)
+        end
+
+        ins = [ins[input_index]] unless hash_type & SIGHASH_TYPE[:anyonecanpay] == 0
+
+        buf = [[tx.version].pack('V'), Bitcoin.pack_var_int(ins.size),
+               ins, out_size, outs, [tx.lock_time, hash_type].pack('VV')].join
+
+        Bitcoin.double_sha256(buf)
+      end
+
+    end
+
+    # V0 witness sighash generator.
+    # see: https://github.com/bitcoin/bips/blob/master/bip-0143.mediawiki
+    class SegwitSigHashGenerator
+
+      def generate(tx, input_index, hash_type, opts)
+        amount = opts[:amount]
+        raise ArgumentError, 'segwit sighash requires amount.' unless amount
+        output_script = opts[:script_code]
+        skip_separator_index = opts[:skip_separator_index]
+        hash_prevouts = Bitcoin.double_sha256(tx.inputs.map{|i|i.out_point.to_payload}.join)
+        hash_sequence = Bitcoin.double_sha256(tx.inputs.map{|i|[i.sequence].pack('V')}.join)
+        outpoint = tx.inputs[input_index].out_point.to_payload
+        amount = [amount].pack('Q')
+        nsequence = [tx.inputs[input_index].sequence].pack('V')
+        hash_outputs = Bitcoin.double_sha256(tx.outputs.map{|o|o.to_payload}.join)
+
+        script_code = output_script.to_script_code(skip_separator_index)
+
+        case (hash_type & 0x1f)
+        when SIGHASH_TYPE[:single]
+          hash_outputs = input_index >= tx.outputs.size ? "\x00".ljust(32, "\x00") : Bitcoin.double_sha256(tx.outputs[input_index].to_payload)
+          hash_sequence = "\x00".ljust(32, "\x00")
+        when SIGHASH_TYPE[:none]
+          hash_sequence = hash_outputs = "\x00".ljust(32, "\x00")
+        end
+
+        unless (hash_type & SIGHASH_TYPE[:anyonecanpay]) == 0
+          hash_prevouts = hash_sequence ="\x00".ljust(32, "\x00")
+        end
+
+        buf = [ [tx.version].pack('V'), hash_prevouts, hash_sequence, outpoint,
+                script_code ,amount, nsequence, hash_outputs, [tx.lock_time, hash_type].pack('VV')].join
+        Bitcoin.double_sha256(buf)
+      end
+
+    end
+
+    # v1 witness sighash generator
+    # see: https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki
+    class SchnorrSigHashGenerator
+
+      # generate signature hash for taproot and tapscript
+      # @param [Hash] opts some data using signature. This class requires following key params:
+      # - sig_version: sig version. :taproot or :tapscript
+      # - prevouts: array of all prevout[Txout]
+      # - annex: annex value with binary format if annex exist.
+      # - leaf_hash: leaf hash with binary format if sig_version is :tapscript, it required
+      # - last_code_separator_pos: the position of last code separator
+      # @return [String] signature hash with binary format.
+      def generate(tx, input_index, hash_type, opts)
+        raise ArgumentError, 'Invalid sig_version was specified.' unless [:taproot, :tapscript].include?(opts[:sig_version])
+
+        ext_flag = opts[:sig_version] == :taproot ? 0 : 1
+        key_version = 0
+        output_ype = hash_type == SIGHASH_TYPE[:default] ? SIGHASH_TYPE[:all] : (hash_type & 0x03)
+        input_type = hash_type & 0x80
+        epoc = '00'.htb
+
+        buf = epoc # EPOC
+        buf << [hash_type, tx.version, tx.lock_time].pack('CVV')
+        unless input_type == SIGHASH_TYPE[:anyonecanpay]
+          buf << Bitcoin.sha256(tx.in.map{|i|i.out_point.to_payload}.join) # sha_prevouts
+          buf << Bitcoin.sha256(opts[:prevouts].map(&:value).pack('Q*'))# sha_amounts
+          buf << Bitcoin.sha256(opts[:prevouts].map{|o|o.script_pubkey.to_payload(true)}.join) # sha_scriptpubkeys
+          buf << Bitcoin.sha256(tx.in.map(&:sequence).pack('V*')) # sha_sequences
+        end
+
+        buf << Bitcoin.sha256(tx.out.map(&:to_payload).join) if output_ype == SIGHASH_TYPE[:all]
+
+        spend_type = (ext_flag << 1) + (opts[:annex] ? 1 : 0)
+        buf << [spend_type].pack('C')
+        if input_type == SIGHASH_TYPE[:anyonecanpay]
+          buf << tx.in[input_index].out_point.to_payload
+          buf << opts[:prevouts][input_index].to_payload
+          buf << [tx.in[input_index].sequence].pack('V')
+        else
+          buf << [input_index].pack('V')
+        end
+
+        buf << Bitcoin.sha256(Bitcoin.pack_var_string(opts[:annex])) if opts[:annex]
+
+        if output_ype == SIGHASH_TYPE[:single]
+          raise ArgumentError, "Tx does not have #{input_index} th output." if input_index >= tx.out.size
+          buf << Bitcoin.sha256(tx.out[input_index].to_payload)
+        end
+
+        if opts[:sig_version] == :tapscript
+          buf << opts[:leaf_hash]
+          buf << [key_version, opts[:last_code_separator_pos]].pack("CV")
+        end
+
+        Bitcoin.tagged_hash('TapSighash', buf)
+      end
+
+    end
+
+  end
+
+end

data/lib/bitcoin/taproot/leaf_node.rb

@@ -0,0 +1,23 @@
+module Bitcoin
+  module Taproot
+    class LeafNode
+
+      attr_reader :script, :leaf_ver
+
+      # Initialize
+      # @param [Bitcoin::Script] script Locking script
+      # @param [Integer] leaf_ver The leaf version of this script.
+      def initialize(script, leaf_ver = Bitcoin::TAPROOT_LEAF_TAPSCRIPT)
+        raise Taproot::Error, 'script must be Bitcoin::Script object' unless script.is_a?(Bitcoin::Script)
+        @script = script
+        @leaf_ver = leaf_ver
+      end
+
+      # Calculate leaf hash.
+      # @return [String] leaf hash.
+      def leaf_hash
+        @hash_value ||= Bitcoin.tagged_hash('TapLeaf', [leaf_ver].pack('C') + Bitcoin.pack_var_string(script.to_payload))
+      end
+    end
+  end
+end