API improvements suggestions

[panicfarm]

We used miniscript to identify which M of N PubKeys correspond to the M signatures in a spent M of N multisig output, for the P2SH, P2WSH and P2TR (script path) outputs.

I wanted to make two suggestions about potential Miniscript API improvements:

1. The interpreter.verify_sig() function requires prevouts argument, that is a vector of all outpoints corresponding to all the transaction’s inputs. Only in the case of Taproot the signed message commits to the scriptPubKeys of all outputs spent by the transaction, per BIP 341. Even for the Witness case per BIP 143, only the amount from a single outpoint corresponding to the input being verified is required (and not the whole vector). For the legacy P2SH or bare script cases, no outpoints are required. Preparing this prevouts Vec for all legacy cases is an unnecessary computation in the program that is using the miniscript API.
   We suggest either:

   • making the prevouts argument an enum with three variants: ALL(& [T]) (for taproot), ONE(T) (for witness) or NONE (for legacy)
   • or replacing the interpreter.verify_sig function with three functions interpreter.verify_sig_taproot(), interpreter.verify_sig_witness(), interpreter.verify_sig_legacy().

2. interpreter.verify_sig() returns false instead of a concrete error. For example, we mistakenly passed a prevouts vector that did not correspond to inputs length. The Error::PrevoutsSize that cache.taproot_script_spend_signature_hash() returned was transformed into false here, and returned.
   It would be desirable to return a Result<bool, sighash::Error> from interpreter.verify_sig(), instead of bool.

[apoelstra]

Definitely ACK your second suggestion.

For the first, I don't really see a sensible way to distinguish between taproot and non-taproot descriptors. In your suggestion, what would happen if the user calls verify_sig_witness on a non-witness descriptor? If the user doesn't know the type of the descriptor, what function should she call?

[panicfarm]

I don't really see a sensible way to distinguish between taproot and non-taproot descriptors.

Perhaps making the interpreter.verify_sig(..., prevouts, ..) argument an enum with three variants: Prevouts::ALL(& [T]) (for taproot), Prevouts::ONE(T) (for witness) or Prevouts::NONE (for legacy) togeter with returning Result from it is a better option.

spk from the outpoint, being the first argument of Interpreter::from_txdata(spk: &Script, ...) tells the Interpreter what kind of input it was created for. Since you ACK that interpreter.verify_sig() should return a Result, if a wrong (or an insufficient) variant of Prevouts is passed into verify_sig(), it should return an Error. For example, inside verify_sig(), when self.is_taproot_v1_script_spend() is true, but ONE(T) or NONE is passed as prevouts, it could return Error::WrongPrevoutsType.
This change would require a minor change of logic here, asserting that the right variant is passed.
In theory one can get by with two existing sighash::Prevouts variants without adding NONE, tolerating ONE for legacy inputs (instead of NONE), but that seems a bit hacky.

The rationale for this suggestion is that there are transactions each with several hundreds of non-taproot inputs. If the program using miniscript API needs to call verify_sig() on many of these transactions, it needs to find 100s of unnecessary outpoints for other inputs of the transaction for each input of interest, that are not needed for sighash for these legacy inputs anyway. That's a lot of unnecessary compute.

[apoelstra]

That's a great point about the extra compute to build a Vec that is totally unnecessary.

I think your API makes sense. I'd also like to change the existing verify_sig to then be a wrapper around the specific ones, which automatically does the self.is_taproot_v1_script_spend etc checks for you.