From e0b4e3964c8e451d1e9563412ebf0759b9f2d564 Mon Sep 17 00:00:00 2001
From: Anthony Towns <aj@erisian.com.au>
Date: Mon, 6 Feb 2023 21:04:49 +1000
Subject: [PATCH 1/8] script/interpreter: Add KeyVersion

Introduce `KeyVersion` in preparation for defining new behaviours via
BIP 342's "unknown public key type" upgrade mechanism.
---
 src/script/interpreter.cpp          | 29 +++++++++++++----------------
 src/script/interpreter.h            | 18 +++++++++++-------
 src/script/sign.cpp                 |  4 ++--
 src/test/fuzz/miniscript.cpp        |  2 +-
 src/test/fuzz/signature_checker.cpp |  2 +-
 src/test/miniscript_tests.cpp       |  2 +-
 src/test/script_tests.cpp           |  2 +-
 7 files changed, 30 insertions(+), 29 deletions(-)

diff --git a/src/script/interpreter.cpp b/src/script/interpreter.cpp
index 9ae7164fe83e8..36f501a180c4f 100644
--- a/src/script/interpreter.cpp
+++ b/src/script/interpreter.cpp
@@ -366,7 +366,7 @@ static bool EvalChecksigTapscript(const valtype& sig, const valtype& pubkey, Scr
     if (pubkey.size() == 0) {
         return set_error(serror, SCRIPT_ERR_PUBKEYTYPE);
     } else if (pubkey.size() == 32) {
-        if (success && !checker.CheckSchnorrSignature(sig, pubkey, sigversion, execdata, serror)) {
+        if (success && !checker.CheckSchnorrSignature(sig, KeyVersion::TAPROOT, pubkey, sigversion, execdata, serror)) {
             return false; // serror is set
         }
     } else {
@@ -1583,21 +1583,17 @@ static bool HandleMissingData(MissingDataBehavior mdb)
 }
 
 template<typename T>
-bool SignatureHashSchnorr(uint256& hash_out, ScriptExecutionData& execdata, const T& tx_to, uint32_t in_pos, uint8_t hash_type, SigVersion sigversion, const PrecomputedTransactionData& cache, MissingDataBehavior mdb)
+bool SignatureHashSchnorr(uint256& hash_out, ScriptExecutionData& execdata, const T& tx_to, uint32_t in_pos, uint8_t hash_type, SigVersion sigversion, KeyVersion keyversion, const PrecomputedTransactionData& cache, MissingDataBehavior mdb)
 {
-    uint8_t ext_flag, key_version;
+    uint8_t ext_flag;
+    assert(keyversion == KeyVersion::TAPROOT);
     switch (sigversion) {
     case SigVersion::TAPROOT:
         ext_flag = 0;
-        // key_version is not used and left uninitialized.
+        // keyversion is not used.
         break;
     case SigVersion::TAPSCRIPT:
         ext_flag = 1;
-        // key_version must be 0 for now, representing the current version of
-        // 32-byte public keys in the tapscript signature opcode execution.
-        // An upgradable public key version (with a size not 32-byte) may
-        // request a different key_version with a new sigversion.
-        key_version = 0;
         break;
     default:
         assert(false);
@@ -1663,7 +1659,7 @@ bool SignatureHashSchnorr(uint256& hash_out, ScriptExecutionData& execdata, cons
     if (sigversion == SigVersion::TAPSCRIPT) {
         assert(execdata.m_tapleaf_hash_init);
         ss << execdata.m_tapleaf_hash;
-        ss << key_version;
+        ss << uint8_t(keyversion);
         assert(execdata.m_codeseparator_pos_init);
         ss << execdata.m_codeseparator_pos;
     }
@@ -1778,18 +1774,19 @@ bool GenericTransactionSignatureChecker<T>::CheckECDSASignature(const std::vecto
 }
 
 template <class T>
-bool GenericTransactionSignatureChecker<T>::CheckSchnorrSignature(Span<const unsigned char> sig, Span<const unsigned char> pubkey_in, SigVersion sigversion, ScriptExecutionData& execdata, ScriptError* serror) const
+bool GenericTransactionSignatureChecker<T>::CheckSchnorrSignature(Span<const unsigned char> sig, KeyVersion pubkeyver, Span<const unsigned char> pubkey, SigVersion sigversion, ScriptExecutionData& execdata, ScriptError* serror) const
 {
     assert(sigversion == SigVersion::TAPROOT || sigversion == SigVersion::TAPSCRIPT);
     // Schnorr signatures have 32-byte public keys. The caller is responsible for enforcing this.
-    assert(pubkey_in.size() == 32);
+    assert(pubkey.size() == 32);
+
     // Note that in Tapscript evaluation, empty signatures are treated specially (invalid signature that does not
     // abort script execution). This is implemented in EvalChecksigTapscript, which won't invoke
     // CheckSchnorrSignature in that case. In other contexts, they are invalid like every other signature with
     // size different from 64 or 65.
     if (sig.size() != 64 && sig.size() != 65) return set_error(serror, SCRIPT_ERR_SCHNORR_SIG_SIZE);
 
-    XOnlyPubKey pubkey{pubkey_in};
+    XOnlyPubKey pubkey_xonly{pubkey};
 
     uint8_t hashtype = SIGHASH_DEFAULT;
     if (sig.size() == 65) {
@@ -1798,10 +1795,10 @@ bool GenericTransactionSignatureChecker<T>::CheckSchnorrSignature(Span<const uns
     }
     uint256 sighash;
     if (!this->txdata) return HandleMissingData(m_mdb);
-    if (!SignatureHashSchnorr(sighash, execdata, *txTo, nIn, hashtype, sigversion, *this->txdata, m_mdb)) {
+    if (!SignatureHashSchnorr(sighash, execdata, *txTo, nIn, hashtype, sigversion, pubkeyver, *this->txdata, m_mdb)) {
         return set_error(serror, SCRIPT_ERR_SCHNORR_SIG_HASHTYPE);
     }
-    if (!VerifySchnorrSignature(sig, pubkey, sighash)) return set_error(serror, SCRIPT_ERR_SCHNORR_SIG);
+    if (!VerifySchnorrSignature(sig, pubkey_xonly, sighash)) return set_error(serror, SCRIPT_ERR_SCHNORR_SIG);
     return true;
 }
 
@@ -2039,7 +2036,7 @@ static bool VerifyWitnessProgram(const CScriptWitness& witness, int witversion,
         execdata.m_annex_init = true;
         if (stack.size() == 1) {
             // Key path spending (stack size is 1 after removing optional annex)
-            if (!checker.CheckSchnorrSignature(stack.front(), program, SigVersion::TAPROOT, execdata, serror)) {
+            if (!checker.CheckSchnorrSignature(stack.front(), KeyVersion::TAPROOT, program, SigVersion::TAPROOT, execdata, serror)) {
                 return false; // serror is set
             }
             return set_success(serror);
diff --git a/src/script/interpreter.h b/src/script/interpreter.h
index a067a6c1fd330..199a1aa19e2f7 100644
--- a/src/script/interpreter.h
+++ b/src/script/interpreter.h
@@ -9,6 +9,7 @@
 #include <consensus/amount.h>
 #include <hash.h>
 #include <primitives/transaction.h>
+#include <pubkey.h>
 #include <script/script_error.h> // IWYU pragma: export
 #include <span.h>
 #include <uint256.h>
@@ -18,10 +19,8 @@
 #include <optional>
 #include <vector>
 
-class CPubKey;
 class CScript;
 class CScriptNum;
-class XOnlyPubKey;
 struct CScriptWitness;
 
 /** Signature hash types/flags */
@@ -222,6 +221,11 @@ enum class SigVersion
     TAPSCRIPT = 3,   //!< Witness v1 with 32-byte program, not BIP16 P2SH-wrapped, script path spending, leaf version 0xc0; see BIP 342
 };
 
+enum class KeyVersion
+{
+    TAPROOT = 0,     //!< 32 byte public key
+};
+
 struct ScriptExecutionData
 {
     //! Whether m_tapleaf_hash is initialized.
@@ -277,7 +281,7 @@ class BaseSignatureChecker
         return false;
     }
 
-    virtual bool CheckSchnorrSignature(Span<const unsigned char> sig, Span<const unsigned char> pubkey, SigVersion sigversion, ScriptExecutionData& execdata, ScriptError* serror = nullptr) const
+    virtual bool CheckSchnorrSignature(Span<const unsigned char> sig, KeyVersion pubkeyver, Span<const unsigned char> pubkey, SigVersion sigversion, ScriptExecutionData& execdata, ScriptError* serror = nullptr) const
     {
         return false;
     }
@@ -310,7 +314,7 @@ enum class MissingDataBehavior
 };
 
 template<typename T>
-bool SignatureHashSchnorr(uint256& hash_out, ScriptExecutionData& execdata, const T& tx_to, uint32_t in_pos, uint8_t hash_type, SigVersion sigversion, const PrecomputedTransactionData& cache, MissingDataBehavior mdb);
+bool SignatureHashSchnorr(uint256& hash_out, ScriptExecutionData& execdata, const T& tx_to, uint32_t in_pos, uint8_t hash_type, SigVersion sigversion, KeyVersion keyversion, const PrecomputedTransactionData& cache, MissingDataBehavior mdb);
 
 template <class T>
 class GenericTransactionSignatureChecker : public BaseSignatureChecker
@@ -330,7 +334,7 @@ class GenericTransactionSignatureChecker : public BaseSignatureChecker
     GenericTransactionSignatureChecker(const T* txToIn, unsigned int nInIn, const CAmount& amountIn, MissingDataBehavior mdb) : txTo(txToIn), m_mdb(mdb), nIn(nInIn), amount(amountIn), txdata(nullptr) {}
     GenericTransactionSignatureChecker(const T* txToIn, unsigned int nInIn, const CAmount& amountIn, const PrecomputedTransactionData& txdataIn, MissingDataBehavior mdb) : txTo(txToIn), m_mdb(mdb), nIn(nInIn), amount(amountIn), txdata(&txdataIn) {}
     bool CheckECDSASignature(const std::vector<unsigned char>& scriptSig, const std::vector<unsigned char>& vchPubKey, const CScript& scriptCode, SigVersion sigversion) const override;
-    bool CheckSchnorrSignature(Span<const unsigned char> sig, Span<const unsigned char> pubkey, SigVersion sigversion, ScriptExecutionData& execdata, ScriptError* serror = nullptr) const override;
+    bool CheckSchnorrSignature(Span<const unsigned char> sig, KeyVersion pubkeyver, Span<const unsigned char> pubkey, SigVersion sigversion, ScriptExecutionData& execdata, ScriptError* serror = nullptr) const override;
     bool CheckLockTime(const CScriptNum& nLockTime) const override;
     bool CheckSequence(const CScriptNum& nSequence) const override;
     bool CheckDefaultCheckTemplateVerifyHash(const Span<const unsigned char>& hash) const override;
@@ -352,9 +356,9 @@ class DeferringSignatureChecker : public BaseSignatureChecker
         return m_checker.CheckECDSASignature(scriptSig, vchPubKey, scriptCode, sigversion);
     }
 
-    bool CheckSchnorrSignature(Span<const unsigned char> sig, Span<const unsigned char> pubkey, SigVersion sigversion, ScriptExecutionData& execdata, ScriptError* serror = nullptr) const override
+    bool CheckSchnorrSignature(Span<const unsigned char> sig, KeyVersion pubkeyver, Span<const unsigned char> pubkey, SigVersion sigversion, ScriptExecutionData& execdata, ScriptError* serror = nullptr) const override
     {
-        return m_checker.CheckSchnorrSignature(sig, pubkey, sigversion, execdata, serror);
+        return m_checker.CheckSchnorrSignature(sig, pubkeyver, pubkey, sigversion, execdata, serror);
     }
 
     bool CheckLockTime(const CScriptNum& nLockTime) const override
diff --git a/src/script/sign.cpp b/src/script/sign.cpp
index b6317ceb1974f..b1711caba5da8 100644
--- a/src/script/sign.cpp
+++ b/src/script/sign.cpp
@@ -82,7 +82,7 @@ bool MutableTransactionSignatureCreator::CreateSchnorrSig(const SigningProvider&
         execdata.m_tapleaf_hash = *leaf_hash;
     }
     uint256 hash;
-    if (!SignatureHashSchnorr(hash, execdata, m_txto, nIn, nHashType, sigversion, *m_txdata, MissingDataBehavior::FAIL)) return false;
+    if (!SignatureHashSchnorr(hash, execdata, m_txto, nIn, nHashType, sigversion, KeyVersion::TAPROOT, *m_txdata, MissingDataBehavior::FAIL)) return false;
     sig.resize(64);
     // Use uint256{} as aux_rnd for now.
     if (!key.SignSchnorr(hash, sig, merkle_root, {})) return false;
@@ -720,7 +720,7 @@ class DummySignatureChecker final : public BaseSignatureChecker
 public:
     DummySignatureChecker() = default;
     bool CheckECDSASignature(const std::vector<unsigned char>& sig, const std::vector<unsigned char>& vchPubKey, const CScript& scriptCode, SigVersion sigversion) const override { return sig.size() != 0; }
-    bool CheckSchnorrSignature(Span<const unsigned char> sig, Span<const unsigned char> pubkey, SigVersion sigversion, ScriptExecutionData& execdata, ScriptError* serror) const override { return sig.size() != 0; }
+    bool CheckSchnorrSignature(Span<const unsigned char> sig, KeyVersion pubkeyver, Span<const unsigned char> pubkey, SigVersion sigversion, ScriptExecutionData& execdata, ScriptError* serror) const override { return sig.size() != 0; }
     bool CheckLockTime(const CScriptNum& nLockTime) const override { return true; }
     bool CheckSequence(const CScriptNum& nSequence) const override { return true; }
 };
diff --git a/src/test/fuzz/miniscript.cpp b/src/test/fuzz/miniscript.cpp
index 0d0ee59ab3fec..570ec4bb15389 100644
--- a/src/test/fuzz/miniscript.cpp
+++ b/src/test/fuzz/miniscript.cpp
@@ -288,7 +288,7 @@ const struct CheckerContext: BaseSignatureChecker {
         if (it == TEST_DATA.dummy_sigs.end()) return false;
         return it->second.first == sig;
     }
-    bool CheckSchnorrSignature(Span<const unsigned char> sig, Span<const unsigned char> pubkey, SigVersion,
+    bool CheckSchnorrSignature(Span<const unsigned char> sig, KeyVersion, Span<const unsigned char> pubkey, SigVersion,
                                ScriptExecutionData&, ScriptError*) const override {
         XOnlyPubKey pk{pubkey};
         auto it = TEST_DATA.schnorr_sigs.find(pk);
diff --git a/src/test/fuzz/signature_checker.cpp b/src/test/fuzz/signature_checker.cpp
index 59f4792961ec9..87250460da6de 100644
--- a/src/test/fuzz/signature_checker.cpp
+++ b/src/test/fuzz/signature_checker.cpp
@@ -29,7 +29,7 @@ class FuzzedSignatureChecker : public BaseSignatureChecker
         return m_fuzzed_data_provider.ConsumeBool();
     }
 
-    bool CheckSchnorrSignature(Span<const unsigned char> sig, Span<const unsigned char> pubkey, SigVersion sigversion, ScriptExecutionData& execdata, ScriptError* serror = nullptr) const override
+    bool CheckSchnorrSignature(Span<const unsigned char> sig, KeyVersion pubkeyver, Span<const unsigned char> pubkey, SigVersion sigversion, ScriptExecutionData& execdata, ScriptError* serror = nullptr) const override
     {
         return m_fuzzed_data_provider.ConsumeBool();
     }
diff --git a/src/test/miniscript_tests.cpp b/src/test/miniscript_tests.cpp
index 1f28e61bc915c..51ea47de92186 100644
--- a/src/test/miniscript_tests.cpp
+++ b/src/test/miniscript_tests.cpp
@@ -269,7 +269,7 @@ class TestSignatureChecker : public BaseSignatureChecker {
         return sig == it->second;
     }
 
-    bool CheckSchnorrSignature(Span<const unsigned char> sig, Span<const unsigned char> pubkey, SigVersion,
+    bool CheckSchnorrSignature(Span<const unsigned char> sig, KeyVersion, Span<const unsigned char> pubkey, SigVersion,
                                ScriptExecutionData&, ScriptError*) const override {
         XOnlyPubKey pk{pubkey};
         auto it = g_testdata->schnorr_signatures.find(pk);
diff --git a/src/test/script_tests.cpp b/src/test/script_tests.cpp
index 10fee3e9c63db..c6e5bf64b3895 100644
--- a/src/test/script_tests.cpp
+++ b/src/test/script_tests.cpp
@@ -1649,7 +1649,7 @@ BOOST_AUTO_TEST_CASE(bip341_keypath_test_vectors)
             sed.m_annex_init = true;
             sed.m_annex_present = false;
             uint256 sighash;
-            BOOST_CHECK(SignatureHashSchnorr(sighash, sed, tx, txinpos, hashtype, SigVersion::TAPROOT, txdata, MissingDataBehavior::FAIL));
+            BOOST_CHECK(SignatureHashSchnorr(sighash, sed, tx, txinpos, hashtype, SigVersion::TAPROOT, KeyVersion::TAPROOT, txdata, MissingDataBehavior::FAIL));
             BOOST_CHECK_EQUAL(HexStr(sighash), input["intermediary"]["sigHash"].get_str());
 
             // To verify the sigmsg, hash the expected sigmsg, and compare it with the (expected) sighash.

From 70872f38a6aba3971d8eced42c9f25554fdb8f72 Mon Sep 17 00:00:00 2001
From: Anthony Towns <aj@erisian.com.au>
Date: Mon, 6 Feb 2023 21:05:06 +1000
Subject: [PATCH 2/8] Implement BIP 118 (SIGHASH_ANYPREVOUT)

---
 src/deploymentinfo.cpp      |  2 ++
 src/policy/policy.h         |  4 ++-
 src/script/interpreter.cpp  | 53 ++++++++++++++++++++++++++++++++-----
 src/script/interpreter.h    | 16 ++++++++++-
 src/script/script_error.cpp |  2 ++
 src/script/script_error.h   |  1 +
 6 files changed, 70 insertions(+), 8 deletions(-)

diff --git a/src/deploymentinfo.cpp b/src/deploymentinfo.cpp
index f5492ac3bdef6..17e5cf8a0bcda 100644
--- a/src/deploymentinfo.cpp
+++ b/src/deploymentinfo.cpp
@@ -83,6 +83,8 @@ const std::map<std::string, uint32_t> g_verify_flag_names{
     FLAG_NAME(DEFAULT_CHECK_TEMPLATE_VERIFY_HASH),
     FLAG_NAME(DISCOURAGE_UPGRADABLE_CHECK_TEMPLATE_VERIFY_HASH),
     FLAG_NAME(DISCOURAGE_CHECK_TEMPLATE_VERIFY_HASH),
+    FLAG_NAME(ANYPREVOUT),
+    FLAG_NAME(DISCOURAGE_ANYPREVOUT),
 };
 #undef FLAG_NAME
 
diff --git a/src/policy/policy.h b/src/policy/policy.h
index 6b253639e3de6..494c8d65c3e64 100644
--- a/src/policy/policy.h
+++ b/src/policy/policy.h
@@ -115,7 +115,9 @@ static constexpr unsigned int STANDARD_SCRIPT_VERIFY_FLAGS{MANDATORY_SCRIPT_VERI
                                                              SCRIPT_VERIFY_DISCOURAGE_OP_SUCCESS |
                                                              SCRIPT_VERIFY_DISCOURAGE_UPGRADABLE_PUBKEYTYPE |
                                                              SCRIPT_VERIFY_DISCOURAGE_UPGRADABLE_CHECK_TEMPLATE_VERIFY_HASH |
-                                                             SCRIPT_VERIFY_DEFAULT_CHECK_TEMPLATE_VERIFY_HASH};
+                                                             SCRIPT_VERIFY_DEFAULT_CHECK_TEMPLATE_VERIFY_HASH |
+                                                             SCRIPT_VERIFY_ANYPREVOUT |
+                                                             SCRIPT_VERIFY_DISCOURAGE_ANYPREVOUT};
 
 /** For convenience, standard but not mandatory verify flags. */
 static constexpr unsigned int STANDARD_NOT_MANDATORY_VERIFY_FLAGS{STANDARD_SCRIPT_VERIFY_FLAGS & ~MANDATORY_SCRIPT_VERIFY_FLAGS};
diff --git a/src/script/interpreter.cpp b/src/script/interpreter.cpp
index 36f501a180c4f..53df4248a841b 100644
--- a/src/script/interpreter.cpp
+++ b/src/script/interpreter.cpp
@@ -346,6 +346,7 @@ static bool EvalChecksigPreTapscript(const valtype& vchSig, const valtype& vchPu
 static bool EvalChecksigTapscript(const valtype& sig, const valtype& pubkey, ScriptExecutionData& execdata, unsigned int flags, const BaseSignatureChecker& checker, SigVersion sigversion, ScriptError* serror, bool& success)
 {
     assert(sigversion == SigVersion::TAPSCRIPT);
+    assert(execdata.m_internal_key); // caller must provide the internal key
 
     /*
      *  The following validation sequence is consensus critical. Please note how --
@@ -363,12 +364,27 @@ static bool EvalChecksigTapscript(const valtype& sig, const valtype& pubkey, Scr
             return set_error(serror, SCRIPT_ERR_TAPSCRIPT_VALIDATION_WEIGHT);
         }
     }
+
     if (pubkey.size() == 0) {
         return set_error(serror, SCRIPT_ERR_PUBKEYTYPE);
     } else if (pubkey.size() == 32) {
         if (success && !checker.CheckSchnorrSignature(sig, KeyVersion::TAPROOT, pubkey, sigversion, execdata, serror)) {
             return false; // serror is set
         }
+    } else if ((pubkey.size() == 1 || pubkey.size() == 33) && pubkey[0] == BIP118_PUBKEY_PREFIX) {
+        if ((flags & SCRIPT_VERIFY_DISCOURAGE_ANYPREVOUT) != 0) {
+            return set_error(serror, SCRIPT_ERR_DISCOURAGE_ANYPREVOUT);
+        } else if ((flags & SCRIPT_VERIFY_ANYPREVOUT) == 0) {
+            return true;
+        } else if (pubkey.size() == 1) {
+            if (success && !checker.CheckSchnorrSignature(sig, KeyVersion::ANYPREVOUT, *execdata.m_internal_key, sigversion, execdata, serror)) {
+                return false; // serror is set
+            }
+        } else { // pubkey.size() == 33
+            if (success && !checker.CheckSchnorrSignature(sig, KeyVersion::ANYPREVOUT, Span(pubkey).subspan(1), sigversion, execdata, serror)) {
+                return false; // serror is set
+            }
+        }
     } else {
         /*
          *  New public key version softforks should be defined before this `else` block.
@@ -1586,7 +1602,10 @@ template<typename T>
 bool SignatureHashSchnorr(uint256& hash_out, ScriptExecutionData& execdata, const T& tx_to, uint32_t in_pos, uint8_t hash_type, SigVersion sigversion, KeyVersion keyversion, const PrecomputedTransactionData& cache, MissingDataBehavior mdb)
 {
     uint8_t ext_flag;
-    assert(keyversion == KeyVersion::TAPROOT);
+    assert(
+      (keyversion == KeyVersion::TAPROOT) ||
+      (keyversion == KeyVersion::ANYPREVOUT && sigversion == SigVersion::TAPSCRIPT)
+    );
     switch (sigversion) {
     case SigVersion::TAPROOT:
         ext_flag = 0;
@@ -1612,13 +1631,27 @@ bool SignatureHashSchnorr(uint256& hash_out, ScriptExecutionData& execdata, cons
     // Hash type
     const uint8_t output_type = (hash_type == SIGHASH_DEFAULT) ? SIGHASH_ALL : (hash_type & SIGHASH_OUTPUT_MASK); // Default (no sighash byte) is equivalent to SIGHASH_ALL
     const uint8_t input_type = hash_type & SIGHASH_INPUT_MASK;
-    if (!(hash_type <= 0x03 || (hash_type >= 0x81 && hash_type <= 0x83))) return false;
+
+    switch(hash_type) {
+        case 0: case 1: case 2: case 3:
+        case 0x81: case 0x82: case 0x83:
+            break;
+        case 0x41: case 0x42: case 0x43:
+        case 0xc1: case 0xc2: case 0xc3:
+            if (keyversion == KeyVersion::ANYPREVOUT) {
+                break;
+            } else {
+                return false;
+            }
+        default:
+            return false;
+    }
     ss << hash_type;
 
     // Transaction level data
     ss << tx_to.nVersion;
     ss << tx_to.nLockTime;
-    if (input_type != SIGHASH_ANYONECANPAY) {
+    if (input_type != SIGHASH_ANYONECANPAY && input_type != SIGHASH_ANYPREVOUT && input_type != SIGHASH_ANYPREVOUTANYSCRIPT) {
         ss << cache.m_prevouts_single_hash;
         ss << cache.m_spent_amounts_single_hash;
         ss << cache.m_spent_scripts_single_hash;
@@ -1637,6 +1670,11 @@ bool SignatureHashSchnorr(uint256& hash_out, ScriptExecutionData& execdata, cons
         ss << tx_to.vin[in_pos].prevout;
         ss << cache.m_spent_outputs[in_pos];
         ss << tx_to.vin[in_pos].nSequence;
+    } else if (input_type == SIGHASH_ANYPREVOUT) {
+        ss << cache.m_spent_outputs[in_pos];
+        ss << tx_to.vin[in_pos].nSequence;
+    } else if (input_type == SIGHASH_ANYPREVOUTANYSCRIPT) {
+        ss << tx_to.vin[in_pos].nSequence;
     } else {
         ss << in_pos;
     }
@@ -1658,7 +1696,9 @@ bool SignatureHashSchnorr(uint256& hash_out, ScriptExecutionData& execdata, cons
     // Additional data for BIP 342 signatures
     if (sigversion == SigVersion::TAPSCRIPT) {
         assert(execdata.m_tapleaf_hash_init);
-        ss << execdata.m_tapleaf_hash;
+        if (input_type != SIGHASH_ANYPREVOUTANYSCRIPT) {
+            ss << execdata.m_tapleaf_hash;
+        }
         ss << uint8_t(keyversion);
         assert(execdata.m_codeseparator_pos_init);
         ss << execdata.m_codeseparator_pos;
@@ -1977,12 +2017,13 @@ uint256 ComputeTaprootMerkleRoot(Span<const unsigned char> control, const uint25
     return k;
 }
 
-static bool VerifyTaprootCommitment(const std::vector<unsigned char>& control, const std::vector<unsigned char>& program, const uint256& tapleaf_hash)
+static bool VerifyTaprootCommitment(const std::vector<unsigned char>& control, const std::vector<unsigned char>& program, const uint256& tapleaf_hash, std::optional<XOnlyPubKey>& internal_key)
 {
     assert(control.size() >= TAPROOT_CONTROL_BASE_SIZE);
     assert(program.size() >= uint256::size());
     //! The internal pubkey (x-only, so no Y coordinate parity).
     const XOnlyPubKey p{Span{control}.subspan(1, TAPROOT_CONTROL_BASE_SIZE - 1)};
+    internal_key = p;
     //! The output pubkey (taken from the scriptPubKey).
     const XOnlyPubKey q{program};
     // Compute the Merkle root from the leaf and the provided path.
@@ -2048,7 +2089,7 @@ static bool VerifyWitnessProgram(const CScriptWitness& witness, int witversion,
                 return set_error(serror, SCRIPT_ERR_TAPROOT_WRONG_CONTROL_SIZE);
             }
             execdata.m_tapleaf_hash = ComputeTapleafHash(control[0] & TAPROOT_LEAF_MASK, script);
-            if (!VerifyTaprootCommitment(control, program, execdata.m_tapleaf_hash)) {
+            if (!VerifyTaprootCommitment(control, program, execdata.m_tapleaf_hash, execdata.m_internal_key)) {
                 return set_error(serror, SCRIPT_ERR_WITNESS_PROGRAM_MISMATCH);
             }
             execdata.m_tapleaf_hash_init = true;
diff --git a/src/script/interpreter.h b/src/script/interpreter.h
index 199a1aa19e2f7..493b52af3f894 100644
--- a/src/script/interpreter.h
+++ b/src/script/interpreter.h
@@ -30,10 +30,12 @@ enum
     SIGHASH_NONE = 2,
     SIGHASH_SINGLE = 3,
     SIGHASH_ANYONECANPAY = 0x80,
+    SIGHASH_ANYPREVOUT = 0x40,
+    SIGHASH_ANYPREVOUTANYSCRIPT = 0xc0,
 
     SIGHASH_DEFAULT = 0, //!< Taproot only; implied when sighash byte is missing, and equivalent to SIGHASH_ALL
     SIGHASH_OUTPUT_MASK = 3,
-    SIGHASH_INPUT_MASK = 0x80,
+    SIGHASH_INPUT_MASK = 0xc0,
 };
 
 /** Script verification flags.
@@ -151,6 +153,12 @@ enum : uint32_t {
     // discourage OP_CHECKTEMPLATEVERIFY
     SCRIPT_VERIFY_DISCOURAGE_CHECK_TEMPLATE_VERIFY_HASH = (1U << 23),
 
+    // Validating ANYPREVOUT public keys
+    SCRIPT_VERIFY_ANYPREVOUT = (1U << 24),
+
+    // Making ANYPREVOUT public key versions (in BIP 342 scripts) non-standard
+    SCRIPT_VERIFY_DISCOURAGE_ANYPREVOUT = (1U << 25),
+
     // Constants to point to the highest flag in use. Add new flags above this line.
     //
     SCRIPT_VERIFY_END_MARKER
@@ -224,6 +232,7 @@ enum class SigVersion
 enum class KeyVersion
 {
     TAPROOT = 0,     //!< 32 byte public key
+    ANYPREVOUT = 1,  //!< 1 or 33 byte public key, first byte is 0x01
 };
 
 struct ScriptExecutionData
@@ -252,6 +261,9 @@ struct ScriptExecutionData
 
     //! The hash of the corresponding output
     std::optional<uint256> m_output_hash;
+
+    //! The taproot internal key. */
+    std::optional<XOnlyPubKey> m_internal_key = std::nullopt;
 };
 
 /** Signature hash sizes */
@@ -266,6 +278,8 @@ static constexpr size_t TAPROOT_CONTROL_NODE_SIZE = 32;
 static constexpr size_t TAPROOT_CONTROL_MAX_NODE_COUNT = 128;
 static constexpr size_t TAPROOT_CONTROL_MAX_SIZE = TAPROOT_CONTROL_BASE_SIZE + TAPROOT_CONTROL_NODE_SIZE * TAPROOT_CONTROL_MAX_NODE_COUNT;
 
+static constexpr uint8_t BIP118_PUBKEY_PREFIX = 0x01;
+
 extern const HashWriter HASHER_TAPSIGHASH; //!< Hasher with tag "TapSighash" pre-fed to it.
 extern const HashWriter HASHER_TAPLEAF;    //!< Hasher with tag "TapLeaf" pre-fed to it.
 extern const HashWriter HASHER_TAPBRANCH;  //!< Hasher with tag "TapBranch" pre-fed to it.
diff --git a/src/script/script_error.cpp b/src/script/script_error.cpp
index f33994d0b3b43..29f2179aafb1b 100644
--- a/src/script/script_error.cpp
+++ b/src/script/script_error.cpp
@@ -81,6 +81,8 @@ std::string ScriptErrorString(const ScriptError serror)
             return "OP_SUCCESSx reserved for soft-fork upgrades";
         case SCRIPT_ERR_DISCOURAGE_UPGRADABLE_PUBKEYTYPE:
             return "Public key version reserved for soft-fork upgrades";
+        case SCRIPT_ERR_DISCOURAGE_ANYPREVOUT:
+            return "ANYPREVOUT public key version reserved for soft-fork upgrade";
         case SCRIPT_ERR_PUBKEYTYPE:
             return "Public key is neither compressed or uncompressed";
         case SCRIPT_ERR_CLEANSTACK:
diff --git a/src/script/script_error.h b/src/script/script_error.h
index 74d7041533d24..73d98f224da0d 100644
--- a/src/script/script_error.h
+++ b/src/script/script_error.h
@@ -60,6 +60,7 @@ typedef enum ScriptError_t
     SCRIPT_ERR_DISCOURAGE_UPGRADABLE_TAPROOT_VERSION,
     SCRIPT_ERR_DISCOURAGE_OP_SUCCESS,
     SCRIPT_ERR_DISCOURAGE_UPGRADABLE_PUBKEYTYPE,
+    SCRIPT_ERR_DISCOURAGE_ANYPREVOUT,
 
     /* segregated witness */
     SCRIPT_ERR_WITNESS_PROGRAM_WRONG_LENGTH,

From d1d7106fc32fe5befa35031bfb4556bbe9f282ab Mon Sep 17 00:00:00 2001
From: Anthony Towns <aj@erisian.com.au>
Date: Mon, 6 Feb 2023 23:15:56 +1000
Subject: [PATCH 3/8] tests: Add unit tests for ANYPREVOUT

---
 src/test/script_tests.cpp  |   5 +-
 src/test/sighash_tests.cpp | 383 +++++++++++++++++++++++++++++++++++++
 2 files changed, 387 insertions(+), 1 deletion(-)

diff --git a/src/test/script_tests.cpp b/src/test/script_tests.cpp
index c6e5bf64b3895..8d5c4f19a677d 100644
--- a/src/test/script_tests.cpp
+++ b/src/test/script_tests.cpp
@@ -1485,7 +1485,7 @@ static std::vector<unsigned int> AllConsensusFlags()
 {
     std::vector<unsigned int> ret;
 
-    for (unsigned int i = 0; i < 128; ++i) {
+    for (unsigned int i = 0; i < 256; ++i) {
         unsigned int flag = 0;
         if (i & 1) flag |= SCRIPT_VERIFY_P2SH;
         if (i & 2) flag |= SCRIPT_VERIFY_DERSIG;
@@ -1494,11 +1494,14 @@ static std::vector<unsigned int> AllConsensusFlags()
         if (i & 16) flag |= SCRIPT_VERIFY_CHECKSEQUENCEVERIFY;
         if (i & 32) flag |= SCRIPT_VERIFY_WITNESS;
         if (i & 64) flag |= SCRIPT_VERIFY_TAPROOT;
+        if (i & 128) flag |= SCRIPT_VERIFY_ANYPREVOUT;
 
         // SCRIPT_VERIFY_WITNESS requires SCRIPT_VERIFY_P2SH
         if (flag & SCRIPT_VERIFY_WITNESS && !(flag & SCRIPT_VERIFY_P2SH)) continue;
         // SCRIPT_VERIFY_TAPROOT requires SCRIPT_VERIFY_WITNESS
         if (flag & SCRIPT_VERIFY_TAPROOT && !(flag & SCRIPT_VERIFY_WITNESS)) continue;
+        // SCRIPT_VERIFY_ANYPREVOUT requires SCRIPT_VERIFY_TAPROOT
+        if ((flag & SCRIPT_VERIFY_ANYPREVOUT) && !(flag & SCRIPT_VERIFY_TAPROOT)) continue;
 
         ret.push_back(flag);
     }
diff --git a/src/test/sighash_tests.cpp b/src/test/sighash_tests.cpp
index d08d5519a1493..df591736fc339 100644
--- a/src/test/sighash_tests.cpp
+++ b/src/test/sighash_tests.cpp
@@ -114,6 +114,44 @@ void static RandomTransaction(CMutableTransaction& tx, bool fSingle)
     }
 }
 
+void static MutateInputs(CMutableTransaction &tx, const bool inPrevout, const bool inInputSequence) {
+
+    // mutate previous input
+    for (std::size_t in = 0; in < tx.vin.size(); in++) {
+        CTxIn &txin = tx.vin[in];
+
+        if (inPrevout) {
+            txin.prevout.hash = Txid::FromUint256(InsecureRand256());
+            txin.prevout.n = InsecureRandBits(2);
+        }
+
+        // mutate input sequences
+        if (inInputSequence) {
+            txin.nSequence = InsecureRand32();
+        }
+    }
+}
+
+static std::vector<CTxOut> MutateSpentOutputs(const size_t inNumOutputs, const bool inInputScripts, const bool inValue) {
+    FastRandomContext context(InsecureRand256());
+
+    // default to nValue of 0 and witness script with address of all zeros
+    std::vector<CTxOut> spent_outputs(inNumOutputs, CTxOut(0, CScript() << OP_1 << std::vector<unsigned char>(WITNESS_V1_TAPROOT_SIZE, 0)));
+
+    for (std::size_t in = 0; in < spent_outputs.size(); in++) {
+
+        if (inInputScripts) {
+            spent_outputs[in].scriptPubKey = CScript() << OP_1 << context.randbytes(WITNESS_V1_TAPROOT_SIZE);
+        }
+
+        if (inValue) {
+            // random, but not default nValue of 0
+            spent_outputs[in].nValue = InsecureRandRange(99999999)+1;
+        }
+    }
+    return spent_outputs;
+}
+
 BOOST_FIXTURE_TEST_SUITE(sighash_tests, BasicTestingSetup)
 
 BOOST_AUTO_TEST_CASE(sighash_test)
@@ -205,4 +243,349 @@ BOOST_AUTO_TEST_CASE(sighash_from_data)
         BOOST_CHECK_MESSAGE(sh.GetHex() == sigHashHex, strTest);
     }
 }
+
+// Goal: check that SignatureHashOld and SignatureHash ignore sighash flags SIGHASH_ANYPREVOUT and SIGHASH_ANYPREVOUTANYSCRIPT
+BOOST_AUTO_TEST_CASE(sighash_anyprevout_legacy)
+{
+    #if defined(PRINT_SIGHASH_JSON)
+    std::cout << "[\n";
+    std::cout << "\t[\"raw_transaction, script, input_index, hashType, signature_hash (result)\"],\n";
+    int nRandomTests = 500;
+    #else
+    int nRandomTests = 50000;
+    #endif
+
+    for (int i=0; i<nRandomTests; i++) {
+
+        // random sighashs, with and without ANYPREVOUT*
+        int nHashType = static_cast<int32_t>(InsecureRand32()) & ~SIGHASH_INPUT_MASK;
+        int nHashTypeApo = nHashType | SIGHASH_ANYPREVOUT;
+        int nHashTypeApoas = nHashType | SIGHASH_ANYPREVOUTANYSCRIPT;
+
+        CMutableTransaction tx;
+        RandomTransaction(tx, (nHashType & SIGHASH_OUTPUT_MASK) == SIGHASH_SINGLE);
+        CScript scriptCode, mut_scriptCode;
+        RandomScript(scriptCode);
+        RandomScript(mut_scriptCode);
+
+        // remove code separators from old scripts because they are not serialized
+        CScript old_scriptCode(scriptCode), old_mut_scriptCode(mut_scriptCode);
+        FindAndDelete(old_scriptCode, CScript(OP_CODESEPARATOR));
+        FindAndDelete(old_mut_scriptCode, CScript(OP_CODESEPARATOR));
+
+        int nIn = InsecureRandRange(tx.vin.size());
+
+        CMutableTransaction tx_mut_prevout(tx);
+        MutateInputs(tx_mut_prevout, true, false);
+
+        CMutableTransaction tx_mut_sequence(tx);
+        MutateInputs(tx_mut_sequence, false, true);
+
+        // test OLD signature hash ignores SIGHASH_ANYPREVOUT and SIGHASH_ANYPREVOUTANYSCRIPT
+        uint256 sho = SignatureHashOld(old_scriptCode, CTransaction(tx), nIn, nHashType);
+        uint256 sho_apo = SignatureHashOld(old_scriptCode, CTransaction(tx), nIn, nHashTypeApo);
+        uint256 sho_apoas = SignatureHashOld(old_scriptCode, CTransaction(tx), nIn, nHashTypeApoas);
+
+        // mutate the previous output transaction
+        uint256 sho_mut_prevout = SignatureHashOld(old_scriptCode, CTransaction(tx_mut_prevout), nIn, nHashType);
+        uint256 sho_mut_prevout_apo = SignatureHashOld(old_scriptCode, CTransaction(tx_mut_prevout), nIn, nHashTypeApo);
+        uint256 sho_mut_prevout_apoas = SignatureHashOld(old_scriptCode, CTransaction(tx_mut_prevout), nIn, nHashTypeApoas);
+
+        // mutate the previous input script
+        uint256 sho_mut_script = SignatureHashOld(old_mut_scriptCode, CTransaction(tx), nIn, nHashType);
+        uint256 sho_mut_script_apo = SignatureHashOld(old_mut_scriptCode, CTransaction(tx), nIn, nHashTypeApo);
+        uint256 sho_mut_script_apoas = SignatureHashOld(old_mut_scriptCode, CTransaction(tx), nIn, nHashTypeApoas);
+
+        // mutate the input sequence
+        uint256 sho_mut_sequence = SignatureHashOld(old_scriptCode, CTransaction(tx_mut_sequence), nIn, nHashType);
+        uint256 sho_mut_sequence_apo = SignatureHashOld(old_scriptCode, CTransaction(tx_mut_sequence), nIn, nHashTypeApo);
+        uint256 sho_mut_sequence_apoas = SignatureHashOld(old_scriptCode, CTransaction(tx_mut_sequence), nIn, nHashTypeApoas);
+
+        // test BASE signature hash ignores SIGHASH_ANYPREVOUT and SIGHASH_ANYPREVOUTANYSCRIPT
+        uint256 shb = SignatureHash(old_scriptCode, tx, nIn, nHashType, 0, SigVersion::BASE);
+        uint256 shb_apo = SignatureHash(old_scriptCode, tx, nIn, nHashTypeApo, 0, SigVersion::BASE);
+        uint256 shb_apoas = SignatureHash(old_scriptCode, tx, nIn, nHashTypeApoas, 0, SigVersion::BASE);
+
+        // mutate the previous output transaction
+        uint256 shb_mut_prevout = SignatureHash(old_scriptCode, tx_mut_prevout, nIn, nHashType, 0, SigVersion::BASE);
+        uint256 shb_mut_prevout_apo = SignatureHash(old_scriptCode, tx_mut_prevout, nIn, nHashTypeApo, 0, SigVersion::BASE);
+        uint256 shb_mut_prevout_apoas = SignatureHash(old_scriptCode, tx_mut_prevout, nIn, nHashTypeApoas, 0, SigVersion::BASE);
+
+        // mutate the previous input script
+        uint256 shb_mut_script = SignatureHash(old_mut_scriptCode, tx, nIn, nHashType, 0, SigVersion::BASE);
+        uint256 shb_mut_script_apo = SignatureHash(old_mut_scriptCode, tx, nIn, nHashTypeApo, 0, SigVersion::BASE);
+        uint256 shb_mut_script_apoas = SignatureHash(old_mut_scriptCode, tx, nIn, nHashTypeApoas, 0, SigVersion::BASE);
+
+        // mutate the input sequence
+        uint256 shb_mut_sequence = SignatureHash(old_scriptCode, tx_mut_sequence, nIn, nHashType, 0, SigVersion::BASE);
+        uint256 shb_mut_sequence_apo = SignatureHash(old_scriptCode, tx_mut_sequence, nIn, nHashTypeApo, 0, SigVersion::BASE);
+        uint256 shb_mut_sequence_apoas = SignatureHash(old_scriptCode, tx_mut_sequence, nIn, nHashTypeApoas, 0, SigVersion::BASE);
+
+        // test v0 signature hash ignores SIGHASH_ANYPREVOUT and SIGHASH_ANYPREVOUTANYSCRIPT
+        uint256 shv0 = SignatureHash(scriptCode, tx, nIn, nHashType, 0, SigVersion::WITNESS_V0);
+        uint256 shv0_apo = SignatureHash(scriptCode, tx, nIn, nHashTypeApo, 0, SigVersion::WITNESS_V0);
+        uint256 shv0_apoas = SignatureHash(scriptCode, tx, nIn, nHashTypeApoas, 0, SigVersion::WITNESS_V0);
+
+        // mutate the previous output transaction
+        uint256 shv0_mut_prevout = SignatureHash(scriptCode, tx_mut_prevout, nIn, nHashType, 0, SigVersion::WITNESS_V0);
+        uint256 shv0_mut_prevout_apo = SignatureHash(scriptCode, tx_mut_prevout, nIn, nHashTypeApo, 0, SigVersion::WITNESS_V0);
+        uint256 shv0_mut_prevout_apoas = SignatureHash(scriptCode, tx_mut_prevout, nIn, nHashTypeApoas, 0, SigVersion::WITNESS_V0);
+
+        // mutate the previous input script
+        uint256 shv0_mut_script = SignatureHash(mut_scriptCode, tx, nIn, nHashType, 0, SigVersion::WITNESS_V0);
+        uint256 shv0_mut_script_apo = SignatureHash(mut_scriptCode, tx, nIn, nHashTypeApo, 0, SigVersion::WITNESS_V0);
+        uint256 shv0_mut_script_apoas = SignatureHash(mut_scriptCode, tx, nIn, nHashTypeApoas, 0, SigVersion::WITNESS_V0);
+
+        // mutate the input sequence
+        uint256 shv0_mut_sequence = SignatureHash(scriptCode, tx_mut_sequence, nIn, nHashType, 0, SigVersion::BASE);
+        uint256 shv0_mut_sequence_apo = SignatureHash(scriptCode, tx_mut_sequence, nIn, nHashTypeApo, 0, SigVersion::BASE);
+        uint256 shv0_mut_sequence_apoas = SignatureHash(scriptCode, tx_mut_sequence, nIn, nHashTypeApoas, 0, SigVersion::BASE);
+
+        #if defined(PRINT_SIGHASH_JSON)
+        CDataStream ss(SER_NETWORK, PROTOCOL_VERSION);
+        ss << tx;
+
+        std::cout << "\t[\"" ;
+        std::cout << HexStr(ss.begin(), ss.end()) << "\", \"";
+        std::cout << HexStr(scriptCode) << "\", ";
+        std::cout << nIn << ", ";
+        std::cout << nHashType << ", \"";
+        std::cout << sho.GetHex() << "\"]";
+        if (i+1 != nRandomTests) {
+          std::cout << ",";
+        }
+        std::cout << "\n";
+        #endif
+
+        // check that legacy, base and v0/SEGWIT transactions ignore SIGHASH_ANYPREVOUT and SIGHASH_ANYPREVOUTANYSCRIPT
+
+        // check maleated previous input transaction creates different digests
+        BOOST_CHECK(sho != sho_mut_prevout);
+        BOOST_CHECK(sho_apo != sho_mut_prevout_apo);
+        BOOST_CHECK(sho_apoas != sho_mut_prevout_apoas);
+        BOOST_CHECK(shb != shb_mut_prevout);
+        BOOST_CHECK(shb_apo != shb_mut_prevout_apo);
+        BOOST_CHECK(shb_apoas != shb_mut_prevout_apoas);
+        BOOST_CHECK(shv0 != shv0_mut_prevout);
+        BOOST_CHECK(shv0_apo != shv0_mut_prevout_apo);
+        BOOST_CHECK(shv0_apoas != shv0_mut_prevout_apoas);
+
+        // check maleated input script creates different digests
+        if (old_scriptCode != old_mut_scriptCode) {
+            BOOST_CHECK(sho != sho_mut_script);
+            BOOST_CHECK(sho_apo != sho_mut_script_apo);
+            BOOST_CHECK(sho_apoas != sho_mut_script_apoas);
+            BOOST_CHECK(shb != shb_mut_script);
+            BOOST_CHECK(shb_apo != shb_mut_script_apo);
+            BOOST_CHECK(shb_apoas != shb_mut_script_apoas);
+            BOOST_CHECK(shv0 != shv0_mut_script);
+            BOOST_CHECK(shv0_apo != shv0_mut_script_apo);
+            BOOST_CHECK(shv0_apoas != shv0_mut_script_apoas);
+        }
+
+        // check maleated sequence creates different digests
+        BOOST_CHECK(sho != sho_mut_sequence);
+        BOOST_CHECK(sho_apo != sho_mut_sequence_apo);
+        BOOST_CHECK(sho_apoas != sho_mut_sequence_apoas);
+        BOOST_CHECK(shb != shb_mut_sequence);
+        BOOST_CHECK(shb_apo != shb_mut_sequence_apo);
+        BOOST_CHECK(shb_apoas != shb_mut_sequence_apoas);
+        BOOST_CHECK(shv0 != shv0_mut_sequence);
+        BOOST_CHECK(shv0_apo != shv0_mut_sequence_apo);
+        BOOST_CHECK(shv0_apoas != shv0_mut_sequence_apoas);
+    }
+
+    #if defined(PRINT_SIGHASH_JSON)
+    std::cout << "]\n";
+    #endif
+}
+
+// Goal: check that SignatureHashSchnorr generates the proper hash when inputs are maleated with SIGHASH_ANYPREVOUT and SIGHASH_ANYPREVOUTANYSCRIPT
+BOOST_AUTO_TEST_CASE(sighash_anyprevout_taproot)
+{
+    #if defined(PRINT_SIGHASH_JSON)
+    std::cout << "[\n";
+    std::cout << "\t[\"raw_transaction, script, input_index, hashType, signature_hash (result)\"],\n";
+    int nRandomTests = 500;
+    #else
+    int nRandomTests = 50000;
+    #endif
+
+    for (int i=0; i<nRandomTests; i++) {
+
+        // Test random sighash, excluding sighash input flags
+        int nHashType = static_cast<int32_t>(InsecureRand32()) & ~SIGHASH_INPUT_MASK;
+
+        CMutableTransaction tx;
+        RandomTransaction(tx, (nHashType & SIGHASH_OUTPUT_MASK) == SIGHASH_SINGLE);
+        std::for_each(tx.vin.begin(), tx.vin.end(), [](CTxIn& vin){ vin.scriptWitness.stack.push_back({OP_TRUE}); });
+        PrecomputedTransactionData txdata(tx);
+        txdata.Init(tx, MutateSpentOutputs(tx.vin.size(), false, false));
+
+        // test random transaction input
+        int nIn = InsecureRandRange(tx.vin.size());
+
+        // mutate the previous output transaction
+        CMutableTransaction tx_mut_prevout(tx);
+        MutateInputs(tx_mut_prevout, true, false);
+        PrecomputedTransactionData txdata_mut_prevout(tx_mut_prevout);
+        txdata_mut_prevout.Init(tx_mut_prevout, MutateSpentOutputs(tx_mut_prevout.vin.size(), false, false));
+
+        // mutate the previous input script
+        CMutableTransaction tx_mut_script(tx);
+        PrecomputedTransactionData txdata_mut_script(tx_mut_script);
+        txdata_mut_script.Init(tx_mut_script, MutateSpentOutputs(tx_mut_script.vin.size(), true, false));
+
+        // mutate the input sequence
+        CMutableTransaction tx_mut_sequence(tx);
+        MutateInputs(tx_mut_sequence, false, true);
+        PrecomputedTransactionData txdata_mut_sequence(tx_mut_sequence);
+        txdata_mut_sequence.Init(tx_mut_sequence, MutateSpentOutputs(tx_mut_sequence.vin.size(), false, false));
+
+        // mutate only the output values of the spent output
+        CMutableTransaction tx_mut_spent_value(tx);
+        PrecomputedTransactionData txdata_mut_spent_value(tx_mut_spent_value);
+        txdata_mut_spent_value.Init(tx_mut_spent_value, MutateSpentOutputs(tx_mut_spent_value.vin.size(), false, true));
+
+        // only check signature version of v1/TAPSCRIPT (0x3) because EvalChecksig will not allow execution of v1/TAPROOT (0x2) transactions
+        SigVersion sigversion = SigVersion::TAPSCRIPT;
+
+        ScriptExecutionData execdata;
+        execdata.m_annex_init = true;
+        execdata.m_annex_present = InsecureRandBool();
+        execdata.m_annex_hash = InsecureRand256();
+        execdata.m_tapleaf_hash_init = true;
+        execdata.m_tapleaf_hash = InsecureRand256();
+        execdata.m_codeseparator_pos_init = true;
+        execdata.m_codeseparator_pos = InsecureRand32();
+
+        int nHashType_outmask = nHashType & SIGHASH_OUTPUT_MASK;
+        int nHashType_inoutmask = nHashType & (SIGHASH_INPUT_MASK | SIGHASH_OUTPUT_MASK);
+
+        // any sighash that sets undefined input or output flags should fail
+        if (nHashType_inoutmask != nHashType_outmask && nHashType_inoutmask != nHashType) {
+            uint256 tmp;
+            BOOST_CHECK(false == SignatureHashSchnorr(tmp, execdata, tx, nIn, nHashType, sigversion, KeyVersion::TAPROOT, txdata, MissingDataBehavior::ASSERT_FAIL));
+            BOOST_CHECK(false == SignatureHashSchnorr(tmp, execdata, tx, nIn, nHashType, sigversion, KeyVersion::ANYPREVOUT, txdata, MissingDataBehavior::ASSERT_FAIL));
+        }
+
+        // check transactions using the TAPROOT key version reject ANYPREVOUT
+        {
+            // should fail all sighash input flags if no output flag is set
+            uint256 tmp;
+            if (nHashType_outmask == 0x0) {
+                BOOST_CHECK(false == SignatureHashSchnorr(tmp, execdata, tx, nIn, nHashType_outmask | SIGHASH_ANYONECANPAY, sigversion, KeyVersion::TAPROOT, txdata, MissingDataBehavior::ASSERT_FAIL));
+                BOOST_CHECK(false == SignatureHashSchnorr(tmp, execdata, tx, nIn, nHashType_outmask | SIGHASH_ANYPREVOUT, sigversion, KeyVersion::TAPROOT, txdata, MissingDataBehavior::ASSERT_FAIL));
+                BOOST_CHECK(false == SignatureHashSchnorr(tmp, execdata, tx, nIn, nHashType_outmask | SIGHASH_ANYPREVOUTANYSCRIPT, sigversion, KeyVersion::TAPROOT, txdata, MissingDataBehavior::ASSERT_FAIL));
+            }
+            // otherwise all other output sighash flags should fail when any input sighash flags are set except SIGHASH_ANYONECANPAY
+            else {
+                BOOST_CHECK(SignatureHashSchnorr(tmp, execdata, tx, nIn, nHashType_outmask | SIGHASH_ANYONECANPAY, sigversion, KeyVersion::TAPROOT, txdata, MissingDataBehavior::ASSERT_FAIL));
+                BOOST_CHECK(false == SignatureHashSchnorr(tmp, execdata, tx, nIn, nHashType_outmask | SIGHASH_ANYPREVOUT, sigversion, KeyVersion::TAPROOT, txdata, MissingDataBehavior::ASSERT_FAIL));
+                BOOST_CHECK(false == SignatureHashSchnorr(tmp, execdata, tx, nIn, nHashType_outmask | SIGHASH_ANYPREVOUTANYSCRIPT, sigversion, KeyVersion::TAPROOT, txdata, MissingDataBehavior::ASSERT_FAIL));
+            }
+        }
+
+        // check transactions using the ANYPREVOUT key version
+        {
+            // compute base sighash without any input sighash flags
+            uint256 shts;
+            BOOST_CHECK(SignatureHashSchnorr(shts, execdata, tx, nIn, nHashType_outmask, sigversion, KeyVersion::ANYPREVOUT, txdata, MissingDataBehavior::ASSERT_FAIL));
+
+            // should fail when no output sighash is set, if any input sighash is set
+            if (nHashType_outmask == 0x0) {
+                uint256 tmp;
+                BOOST_CHECK(false == SignatureHashSchnorr(tmp, execdata, tx, nIn, nHashType_outmask | SIGHASH_ANYONECANPAY, sigversion, KeyVersion::ANYPREVOUT, txdata, MissingDataBehavior::ASSERT_FAIL));
+                BOOST_CHECK(false == SignatureHashSchnorr(tmp, execdata, tx, nIn, nHashType_outmask | SIGHASH_ANYPREVOUT, sigversion, KeyVersion::ANYPREVOUT, txdata, MissingDataBehavior::ASSERT_FAIL));
+                BOOST_CHECK(false == SignatureHashSchnorr(tmp, execdata, tx, nIn, nHashType_outmask | SIGHASH_ANYPREVOUTANYSCRIPT, sigversion, KeyVersion::ANYPREVOUT, txdata, MissingDataBehavior::ASSERT_FAIL));
+            }
+
+            // otherwise any output sighash flags should succeed with any input sighash flags
+            else {
+                uint256 shts_acp, shts_apo, shts_apoas;
+                BOOST_CHECK(SignatureHashSchnorr(shts_acp, execdata, tx, nIn, nHashType_outmask | SIGHASH_ANYONECANPAY, sigversion, KeyVersion::ANYPREVOUT, txdata, MissingDataBehavior::ASSERT_FAIL));
+                BOOST_CHECK(SignatureHashSchnorr(shts_apo, execdata, tx, nIn, nHashType_outmask | SIGHASH_ANYPREVOUT, sigversion, KeyVersion::ANYPREVOUT, txdata, MissingDataBehavior::ASSERT_FAIL));
+                BOOST_CHECK(SignatureHashSchnorr(shts_apoas, execdata, tx, nIn, nHashType_outmask | SIGHASH_ANYPREVOUTANYSCRIPT, sigversion, KeyVersion::ANYPREVOUT, txdata, MissingDataBehavior::ASSERT_FAIL));
+
+                uint256 shts_mut_prevout_acp, shts_mut_prevout_apo, shts_mut_prevout_apoas;
+                BOOST_CHECK(SignatureHashSchnorr(shts_mut_prevout_acp, execdata, tx_mut_prevout, nIn, nHashType_outmask | SIGHASH_ANYONECANPAY, sigversion, KeyVersion::ANYPREVOUT, txdata_mut_prevout, MissingDataBehavior::ASSERT_FAIL));
+                BOOST_CHECK(SignatureHashSchnorr(shts_mut_prevout_apo, execdata, tx_mut_prevout, nIn, nHashType_outmask | SIGHASH_ANYPREVOUT, sigversion, KeyVersion::ANYPREVOUT, txdata_mut_prevout, MissingDataBehavior::ASSERT_FAIL));
+                BOOST_CHECK(SignatureHashSchnorr(shts_mut_prevout_apoas, execdata, tx_mut_prevout, nIn, nHashType_outmask | SIGHASH_ANYPREVOUTANYSCRIPT, sigversion, KeyVersion::ANYPREVOUT, txdata_mut_prevout, MissingDataBehavior::ASSERT_FAIL));
+
+                uint256 shts_mut_script_acp, shts_mut_script_apo, shts_mut_script_apoas;
+                BOOST_CHECK(SignatureHashSchnorr(shts_mut_script_acp, execdata, tx_mut_script, nIn, nHashType_outmask | SIGHASH_ANYONECANPAY, sigversion, KeyVersion::ANYPREVOUT, txdata_mut_script, MissingDataBehavior::ASSERT_FAIL));
+                BOOST_CHECK(SignatureHashSchnorr(shts_mut_script_apo, execdata, tx_mut_script, nIn, nHashType_outmask | SIGHASH_ANYPREVOUT, sigversion, KeyVersion::ANYPREVOUT, txdata_mut_script, MissingDataBehavior::ASSERT_FAIL));
+                BOOST_CHECK(SignatureHashSchnorr(shts_mut_script_apoas, execdata, tx_mut_script, nIn, nHashType_outmask | SIGHASH_ANYPREVOUTANYSCRIPT, sigversion, KeyVersion::ANYPREVOUT, txdata_mut_script, MissingDataBehavior::ASSERT_FAIL));
+
+                uint256 shts_mut_sequence_acp, shts_mut_sequence_apo, shts_mut_sequence_apoas;
+                BOOST_CHECK(SignatureHashSchnorr(shts_mut_sequence_acp, execdata, tx_mut_sequence, nIn, nHashType_outmask | SIGHASH_ANYONECANPAY, sigversion, KeyVersion::ANYPREVOUT, txdata_mut_sequence, MissingDataBehavior::ASSERT_FAIL));
+                BOOST_CHECK(SignatureHashSchnorr(shts_mut_sequence_apo, execdata, tx_mut_sequence, nIn, nHashType_outmask | SIGHASH_ANYPREVOUT, sigversion, KeyVersion::ANYPREVOUT, txdata_mut_sequence, MissingDataBehavior::ASSERT_FAIL));
+                BOOST_CHECK(SignatureHashSchnorr(shts_mut_sequence_apoas, execdata, tx_mut_sequence, nIn, nHashType_outmask | SIGHASH_ANYPREVOUTANYSCRIPT, sigversion, KeyVersion::ANYPREVOUT, txdata_mut_sequence, MissingDataBehavior::ASSERT_FAIL));
+
+                uint256 shts_mut_spent_value_acp, shts_mut_spent_value_apo, shts_mut_spent_value_apoas;
+                BOOST_CHECK(SignatureHashSchnorr(shts_mut_spent_value_acp, execdata, tx_mut_spent_value, nIn, nHashType_outmask | SIGHASH_ANYONECANPAY, sigversion, KeyVersion::ANYPREVOUT, txdata_mut_spent_value, MissingDataBehavior::ASSERT_FAIL));
+                BOOST_CHECK(SignatureHashSchnorr(shts_mut_spent_value_apo, execdata, tx_mut_spent_value, nIn, nHashType_outmask | SIGHASH_ANYPREVOUT, sigversion, KeyVersion::ANYPREVOUT, txdata_mut_spent_value, MissingDataBehavior::ASSERT_FAIL));
+                BOOST_CHECK(SignatureHashSchnorr(shts_mut_spent_value_apoas, execdata, tx_mut_spent_value, nIn, nHashType_outmask | SIGHASH_ANYPREVOUTANYSCRIPT, sigversion, KeyVersion::ANYPREVOUT, txdata_mut_spent_value, MissingDataBehavior::ASSERT_FAIL));
+
+                // both transactions must be signed with the SIGHASH_ANYPREVOUT input flag to create identical sighashes if previous input or output information changes
+                BOOST_CHECK(shts != shts_mut_prevout_apo);
+                BOOST_CHECK(shts != shts_mut_script_apo);
+                BOOST_CHECK(shts != shts_mut_sequence_apo);
+                BOOST_CHECK(shts != shts_mut_spent_value_apo);
+                BOOST_CHECK(shts_acp != shts_mut_prevout_apo);
+                BOOST_CHECK(shts_acp != shts_mut_script_apo);
+                BOOST_CHECK(shts_acp != shts_mut_sequence_apo);
+                BOOST_CHECK(shts_acp != shts_mut_spent_value_apo);
+
+                // only when prevout hashes differ does SIGHASH_ANYPREVOUT create identical sighashes
+                BOOST_CHECK(shts_apo == shts_mut_prevout_apo);
+                BOOST_CHECK(shts_apo != shts_mut_script_apo);
+                if (tx.vin[nIn].nSequence != tx_mut_sequence.vin[nIn].nSequence) {
+                    BOOST_CHECK(shts_apo != shts_mut_sequence_apo);
+                }
+                BOOST_CHECK(shts_apo != shts_mut_spent_value_apo);
+                BOOST_CHECK(shts_apo != shts_mut_sequence_apo);
+
+                // both transactions must be signed with the SIGHASH_ANYPREVOUTANYSCRIPT input flag to create identical sighashes
+                BOOST_CHECK(shts != shts_mut_prevout_apoas);
+                BOOST_CHECK(shts != shts_mut_script_apoas);
+                BOOST_CHECK(shts != shts_mut_sequence_apoas);
+                BOOST_CHECK(shts != shts_mut_spent_value_apoas);
+                BOOST_CHECK(shts_acp != shts_mut_prevout_apoas);
+                BOOST_CHECK(shts_acp != shts_mut_script_apoas);
+                BOOST_CHECK(shts_acp != shts_mut_sequence_apoas);
+                BOOST_CHECK(shts_acp != shts_mut_spent_value_apoas);
+
+                // only when the prevout hashes or input scripts are different does SIGHASH_ANYPREVOUTANYSCRIPT create identical sighashes
+                BOOST_CHECK(shts_apoas == shts_mut_prevout_apoas);
+                BOOST_CHECK(shts_apoas == shts_mut_script_apoas);
+                if (tx.vin[nIn].nSequence != tx_mut_sequence.vin[nIn].nSequence) {
+                    BOOST_CHECK(shts_apoas != shts_mut_sequence_apoas);
+                }
+                BOOST_CHECK(shts_apoas == shts_mut_spent_value_apoas);
+                BOOST_CHECK(shts_apoas != shts_mut_sequence_apoas);
+            }
+        }
+
+        #if defined(PRINT_SIGHASH_JSON)
+        CDataStream ss(SER_NETWORK, PROTOCOL_VERSION);
+        ss << tx;
+
+        std::cout << "\t[\"" ;
+        std::cout << HexStr(ss.begin(), ss.end()) << "\", \"";
+        std::cout << HexStr(scriptCode) << "\", ";
+        std::cout << nIn << ", ";
+        std::cout << nHashType << ", \"";
+        std::cout << sho.GetHex() << "\"]";
+        if (i+1 != nRandomTests) {
+          std::cout << ",";
+        }
+        std::cout << "\n";
+        #endif
+    }
+    #if defined(PRINT_SIGHASH_JSON)
+    std::cout << "]\n";
+    #endif
+}
+
 BOOST_AUTO_TEST_SUITE_END()

From 3e43df02093d06501f05722f1b6125a3ccab1c7f Mon Sep 17 00:00:00 2001
From: Anthony Towns <aj@erisian.com.au>
Date: Mon, 2 Mar 2020 18:35:34 +1000
Subject: [PATCH 4/8] tests: Update test framework for ANYPREVOUT

---
 test/functional/feature_taproot.py       | 10 +++---
 test/functional/test_framework/script.py | 40 +++++++++++++++++++-----
 2 files changed, 38 insertions(+), 12 deletions(-)

diff --git a/test/functional/feature_taproot.py b/test/functional/feature_taproot.py
index e85541d0ec258..c688ef97872c7 100755
--- a/test/functional/feature_taproot.py
+++ b/test/functional/feature_taproot.py
@@ -951,11 +951,11 @@ def big_spend_inputs(ctx):
         # 15) OP_CHECKSIGADD with empty key that needs invalid signature
         ("t15", CScript([pubs[1], OP_CHECKSIGVERIFY, OP_0, OP_0, OP_CHECKSIGADD, OP_NOT])),
         # 16) OP_CHECKSIG with unknown pubkey type
-        ("t16", CScript([OP_1, OP_CHECKSIG])),
+        ("t16", CScript([OP_2, OP_CHECKSIG])),
         # 17) OP_CHECKSIGADD with unknown pubkey type
-        ("t17", CScript([OP_0, OP_1, OP_CHECKSIGADD])),
+        ("t17", CScript([OP_0, OP_2, OP_CHECKSIGADD])),
         # 18) OP_CHECKSIGVERIFY with unknown pubkey type
-        ("t18", CScript([OP_1, OP_CHECKSIGVERIFY, OP_1])),
+        ("t18", CScript([OP_2, OP_CHECKSIGVERIFY, OP_1])),
         # 19) script longer than 10000 bytes and over 201 non-push opcodes
         ("t19", CScript([OP_0, OP_0, OP_2DROP] * 10001 + [pubs[1], OP_CHECKSIG])),
         # 20) OP_CHECKSIGVERIFY with empty key
@@ -1015,11 +1015,11 @@ def big_spend_inputs(ctx):
     add_spender(spenders, "tapscript/minimalnotif", leaf="t6", **common, inputs=[getter("sign"), b'\x01'], failure={"inputs": [getter("sign"), b'\x03']}, **ERR_MINIMALIF)
     add_spender(spenders, "tapscript/minimalif", leaf="t5", **common, inputs=[getter("sign"), b'\x01'], failure={"inputs": [getter("sign"), b'\x0001']}, **ERR_MINIMALIF)
     add_spender(spenders, "tapscript/minimalnotif", leaf="t6", **common, inputs=[getter("sign"), b'\x01'], failure={"inputs": [getter("sign"), b'\x0100']}, **ERR_MINIMALIF)
-    # Test that 1-byte public keys (which are unknown) are acceptable but nonstandard with unrelated signatures, but 0-byte public keys are not valid.
+    # Test that 1-byte OP_2 public keys (which are unknown) are acceptable but nonstandard with unrelated signatures, but 0-byte public keys are not valid.
     add_spender(spenders, "tapscript/unkpk/checksig", leaf="t16", standard=False, **common, **SINGLE_SIG, failure={"leaf": "t7"}, **ERR_UNKNOWN_PUBKEY)
     add_spender(spenders, "tapscript/unkpk/checksigadd", leaf="t17", standard=False, **common, **SINGLE_SIG, failure={"leaf": "t10"}, **ERR_UNKNOWN_PUBKEY)
     add_spender(spenders, "tapscript/unkpk/checksigverify", leaf="t18", standard=False, **common, **SINGLE_SIG, failure={"leaf": "t8"}, **ERR_UNKNOWN_PUBKEY)
-    # Test that 33-byte public keys (which are unknown) are acceptable but nonstandard with valid signatures, but normal pubkeys are not valid in that case.
+    # Test that 33-byte public keys beginning with 0x02 or 0x03 (which are unknown) are acceptable but nonstandard with valid signatures, but normal pubkeys are not valid in that case.
     add_spender(spenders, "tapscript/oldpk/checksig", leaf="t30", standard=False, **common, **SINGLE_SIG, sighash=bitflipper(default_sighash), failure={"leaf": "t1"}, **ERR_SIG_SCHNORR)
     add_spender(spenders, "tapscript/oldpk/checksigadd", leaf="t31", standard=False, **common, **SINGLE_SIG, sighash=bitflipper(default_sighash), failure={"leaf": "t2"}, **ERR_SIG_SCHNORR)
     add_spender(spenders, "tapscript/oldpk/checksigverify", leaf="t32", standard=False, **common, **SINGLE_SIG, sighash=bitflipper(default_sighash), failure={"leaf": "t28"}, **ERR_SIG_SCHNORR)
diff --git a/test/functional/test_framework/script.py b/test/functional/test_framework/script.py
index 80227d6d47640..133127fda5628 100644
--- a/test/functional/test_framework/script.py
+++ b/test/functional/test_framework/script.py
@@ -31,6 +31,9 @@
 ANNEX_TAG = 0x50
 
 LEAF_VERSION_TAPSCRIPT = 0xc0
+KEY_VERSION_TAPROOT = 0x00
+KEY_VERSION_ANYPREVOUT = 0x01
+
 
 def hash160(s):
     return ripemd160(sha256(s))
@@ -609,6 +612,11 @@ def IsWitnessProgram(self):
 SIGHASH_NONE = 2
 SIGHASH_SINGLE = 3
 SIGHASH_ANYONECANPAY = 0x80
+SIGHASH_ANYPREVOUT = 0x40
+SIGHASH_ANYPREVOUTANYSCRIPT = 0xc0
+
+SIGHASH_INMASK = 0xc0
+SIGHASH_OUTMASK = 0x03
 
 def FindAndDelete(script, sig):
     """Consensus critical, see FindAndDelete() in Satoshi codebase"""
@@ -797,16 +805,20 @@ def BIP341_sha_sequences(txTo):
 def BIP341_sha_outputs(txTo):
     return sha256(b"".join(o.serialize() for o in txTo.vout))
 
-def TaprootSignatureMsg(txTo, spent_utxos, hash_type, input_index = 0, scriptpath = False, script = CScript(), codeseparator_pos = -1, annex = None, leaf_ver = LEAF_VERSION_TAPSCRIPT):
+def TaprootSignatureMsg(txTo, spent_utxos, hash_type, input_index = 0, scriptpath = False, script = CScript(), codeseparator_pos = -1, annex = None, leaf_ver = LEAF_VERSION_TAPSCRIPT, key_ver = KEY_VERSION_TAPROOT):
     assert (len(txTo.vin) == len(spent_utxos))
+    assert key_ver == KEY_VERSION_TAPROOT or key_ver == KEY_VERSION_ANYPREVOUT
+    assert key_ver != KEY_VERSION_ANYPREVOUT or scriptpath
     assert (input_index < len(txTo.vin))
-    out_type = SIGHASH_ALL if hash_type == 0 else hash_type & 3
-    in_type = hash_type & SIGHASH_ANYONECANPAY
+    out_type = SIGHASH_ALL if hash_type == SIGHASH_DEFAULT else hash_type & SIGHASH_OUTMASK
+    in_type = hash_type & SIGHASH_INMASK
     spk = spent_utxos[input_index].scriptPubKey
+
     ss = bytes([0, hash_type]) # epoch, hash_type
     ss += struct.pack("<i", txTo.nVersion)
     ss += struct.pack("<I", txTo.nLockTime)
-    if in_type != SIGHASH_ANYONECANPAY:
+
+    if in_type != SIGHASH_ANYONECANPAY and in_type != SIGHASH_ANYPREVOUT and in_type != SIGHASH_ANYPREVOUTANYSCRIPT:
         ss += BIP341_sha_prevouts(txTo)
         ss += BIP341_sha_amounts(spent_utxos)
         ss += BIP341_sha_scriptpubkeys(spent_utxos)
@@ -824,6 +836,12 @@ def TaprootSignatureMsg(txTo, spent_utxos, hash_type, input_index = 0, scriptpat
         ss += struct.pack("<q", spent_utxos[input_index].nValue)
         ss += ser_string(spk)
         ss += struct.pack("<I", txTo.vin[input_index].nSequence)
+    elif in_type == SIGHASH_ANYPREVOUT:
+        ss += struct.pack("<q", spent_utxos[input_index].nValue)
+        ss += ser_string(spk)
+        ss += struct.pack("<I", txTo.vin[input_index].nSequence)
+    elif in_type == SIGHASH_ANYPREVOUTANYSCRIPT:
+        ss += struct.pack("<I", txTo.vin[input_index].nSequence)
     else:
         ss += struct.pack("<I", input_index)
     if (spend_type & 1):
@@ -834,10 +852,18 @@ def TaprootSignatureMsg(txTo, spent_utxos, hash_type, input_index = 0, scriptpat
         else:
             ss += bytes(0 for _ in range(32))
     if (scriptpath):
-        ss += TaggedHash("TapLeaf", bytes([leaf_ver]) + ser_string(script))
-        ss += bytes([0])
+        if in_type != SIGHASH_ANYPREVOUTANYSCRIPT:
+            ss += TaggedHash("TapLeaf", bytes([leaf_ver]) + ser_string(script))
+        ss += bytes([key_ver])
         ss += struct.pack("<i", codeseparator_pos)
-    assert len(ss) ==  175 - (in_type == SIGHASH_ANYONECANPAY) * 49 - (out_type != SIGHASH_ALL and out_type != SIGHASH_SINGLE) * 32 + (annex is not None) * 32 + scriptpath * 37
+
+    assert len(ss) == (175 - (in_type == SIGHASH_ANYONECANPAY) * 49
+                           - (in_type == SIGHASH_ANYPREVOUT) * 85
+                           - (in_type == SIGHASH_ANYPREVOUTANYSCRIPT) * 128
+                           - (out_type != SIGHASH_ALL and out_type != SIGHASH_SINGLE) * 32
+                           + (annex is not None) * 32
+                           + scriptpath * 37
+                           - (scriptpath and in_type == SIGHASH_ANYPREVOUTANYSCRIPT) * 32)
     return ss
 
 def TaprootSignatureHash(*args, **kwargs):

From 79a113dc0d3c3de9221f6fa03bfd870652058b36 Mon Sep 17 00:00:00 2001
From: Anthony Towns <aj@erisian.com.au>
Date: Wed, 30 Aug 2023 20:15:10 +1000
Subject: [PATCH 5/8] Add ANYPREVOUT deployment

---
 src/consensus/params.h            |  1 +
 src/deploymentinfo.cpp            |  4 ++++
 src/kernel/chainparams.cpp        |  9 +++++++++
 src/rpc/blockchain.cpp            |  1 +
 src/validation.cpp                |  5 +++++
 test/functional/rpc_blockchain.py | 18 ++++++++++++++++--
 6 files changed, 36 insertions(+), 2 deletions(-)

diff --git a/src/consensus/params.h b/src/consensus/params.h
index 6cb3ab6123e60..4566a47d7a8d8 100644
--- a/src/consensus/params.h
+++ b/src/consensus/params.h
@@ -33,6 +33,7 @@ constexpr bool ValidDeployment(BuriedDeployment dep) { return dep <= DEPLOYMENT_
 enum DeploymentPos : uint16_t {
     DEPLOYMENT_TESTDUMMY,
     DEPLOYMENT_CHECKTEMPLATEVERIFY, // Deployment of CTV (BIP 119)
+    DEPLOYMENT_ANYPREVOUT,
     // NOTE: Also add new deployments to VersionBitsDeploymentInfo in deploymentinfo.cpp
     MAX_VERSION_BITS_DEPLOYMENTS
 };
diff --git a/src/deploymentinfo.cpp b/src/deploymentinfo.cpp
index 17e5cf8a0bcda..e75425ab7f028 100644
--- a/src/deploymentinfo.cpp
+++ b/src/deploymentinfo.cpp
@@ -19,6 +19,10 @@ const struct VBDeploymentInfo VersionBitsDeploymentInfo[Consensus::MAX_VERSION_B
         /*.name =*/ "checktemplateverify",
         /*.gbt_force =*/ true,
     },
+    {
+        /*.name =*/ "anyprevout",
+        /*.gbt_force =*/ true,
+    },
 };
 
 std::string DeploymentName(Consensus::BuriedDeployment dep)
diff --git a/src/kernel/chainparams.cpp b/src/kernel/chainparams.cpp
index 4f60a2979ba8a..9b874e8cbab80 100644
--- a/src/kernel/chainparams.cpp
+++ b/src/kernel/chainparams.cpp
@@ -132,6 +132,7 @@ class CMainParams : public CChainParams {
         consensus.nMinerConfirmationWindow = 2016; // nPowTargetTimespan / nPowTargetSpacing
         consensus.vDeployments[Consensus::DEPLOYMENT_TESTDUMMY] = SetupDeployment{.activate = 0x30000000, .abandon = 0, .never = true};
         consensus.vDeployments[Consensus::DEPLOYMENT_CHECKTEMPLATEVERIFY] = SetupDeployment{.activate = 0x60007700, .abandon = 0x40007700, .never = true};
+        consensus.vDeployments[Consensus::DEPLOYMENT_ANYPREVOUT] = SetupDeployment{.activate = 0x60007600, .abandon = 0x40007600, .never = true};
 
         consensus.nMinimumChainWork = uint256S("0x000000000000000000000000000000000000000063c4ebd298db40af57541800");
         consensus.defaultAssumeValid = uint256S("0x000000000000000000026811d149d4d261995ec5b3f64f439a0a10e1a464af9a"); // 824000
@@ -243,6 +244,7 @@ class CTestNetParams : public CChainParams {
         consensus.nMinerConfirmationWindow = 2016; // nPowTargetTimespan / nPowTargetSpacing
         consensus.vDeployments[Consensus::DEPLOYMENT_TESTDUMMY] = SetupDeployment{.activate = 0x30000000, .abandon = 0, .never = true};
         consensus.vDeployments[Consensus::DEPLOYMENT_CHECKTEMPLATEVERIFY] = SetupDeployment{.activate = 0x60007700, .abandon = 0x40007700, .never = true};
+        consensus.vDeployments[Consensus::DEPLOYMENT_ANYPREVOUT] = SetupDeployment{.activate = 0x60007600, .abandon = 0x40007600, .never = true};
 
         consensus.nMinimumChainWork = uint256S("0x000000000000000000000000000000000000000000000c59b14e264ba6c15db9");
         consensus.defaultAssumeValid = uint256S("0x000000000001323071f38f21ea5aae529ece491eadaccce506a59bcc2d968917"); // 2550000
@@ -378,6 +380,12 @@ class SigNetParams : public CChainParams {
             .activate = 0x60007700,
             .abandon = 0x40007700,
         };
+        consensus.vDeployments[Consensus::DEPLOYMENT_ANYPREVOUT] = SetupDeployment{
+            .start = 1625875200, // 2021-07-10
+            .timeout = 1941408000, // 2031-07-10
+            .activate = 0x60007600,
+            .abandon = 0x40007600,
+        };
 
         RenounceDeployments(options.renounce, consensus.vDeployments);
 
@@ -451,6 +459,7 @@ class CRegTestParams : public CChainParams
         // 0x3000_0000 = bit 28 plus versionbits signalling; 0x5000_0000 = bit 38 plus VERSIONBITS_TOP_ABANDON
         consensus.vDeployments[Consensus::DEPLOYMENT_TESTDUMMY] = SetupDeployment{.start = 0, .timeout = Consensus::HereticalDeployment::NO_TIMEOUT, .activate = 0x30000000, .abandon = 0x50000000};
         consensus.vDeployments[Consensus::DEPLOYMENT_CHECKTEMPLATEVERIFY] = SetupDeployment{.activate = 0x60007700, .abandon = 0x40007700, .always = true};
+        consensus.vDeployments[Consensus::DEPLOYMENT_ANYPREVOUT] = SetupDeployment{.activate = 0x60007600, .abandon = 0x40007600, .always = true};
 
         consensus.nMinimumChainWork = uint256{};
         consensus.defaultAssumeValid = uint256{};
diff --git a/src/rpc/blockchain.cpp b/src/rpc/blockchain.cpp
index 02048c2a59ae2..1295ff26101db 100644
--- a/src/rpc/blockchain.cpp
+++ b/src/rpc/blockchain.cpp
@@ -1332,6 +1332,7 @@ UniValue DeploymentInfo(const CBlockIndex* blockindex, const ChainstateManager&
     SoftForkDescPushBack(blockindex, softforks, chainman, Consensus::DEPLOYMENT_TESTDUMMY);
     SoftForkDescPushBack(blockindex, softforks, chainman, Consensus::DEPLOYMENT_TAPROOT);
     SoftForkDescPushBack(blockindex, softforks, chainman, Consensus::DEPLOYMENT_CHECKTEMPLATEVERIFY);
+    SoftForkDescPushBack(blockindex, softforks, chainman, Consensus::DEPLOYMENT_ANYPREVOUT);
     return softforks;
 }
 } // anon namespace
diff --git a/src/validation.cpp b/src/validation.cpp
index f9f685326390f..0263edf66e829 100644
--- a/src/validation.cpp
+++ b/src/validation.cpp
@@ -2147,6 +2147,11 @@ unsigned int GetBlockScriptFlags(const CBlockIndex& block_index, const Chainstat
         flags |= SCRIPT_VERIFY_DEFAULT_CHECK_TEMPLATE_VERIFY_HASH;
     }
 
+    // Enforce ANYPREVOUT (BIP118)
+    if ((flags & SCRIPT_VERIFY_TAPROOT) && DeploymentActiveAt(block_index, chainman, Consensus::DEPLOYMENT_ANYPREVOUT)) {
+        flags |= SCRIPT_VERIFY_ANYPREVOUT;
+    }
+
     return flags;
 }
 
diff --git a/test/functional/rpc_blockchain.py b/test/functional/rpc_blockchain.py
index bf26a7a747178..0b22d87727fe5 100755
--- a/test/functional/rpc_blockchain.py
+++ b/test/functional/rpc_blockchain.py
@@ -197,7 +197,7 @@ def check_signalling_deploymentinfo_result(self, gdi_result, height, blockhash):
         assert_equal(gdi_result, {
           "hash": blockhash,
           "height": height,
-          "script_flags": ["CHECKLOCKTIMEVERIFY","CHECKSEQUENCEVERIFY","DEFAULT_CHECK_TEMPLATE_VERIFY_HASH","DERSIG","NULLDUMMY","P2SH","TAPROOT","WITNESS"],
+          "script_flags": ["ANYPREVOUT","CHECKLOCKTIMEVERIFY","CHECKSEQUENCEVERIFY","DEFAULT_CHECK_TEMPLATE_VERIFY_HASH","DERSIG","NULLDUMMY","P2SH","TAPROOT","WITNESS"],
           "deployments": {
             'bip34': {'type': 'buried', 'active': True, 'height': 2},
             'bip66': {'type': 'buried', 'active': True, 'height': 3},
@@ -233,7 +233,21 @@ def check_signalling_deploymentinfo_result(self, gdi_result, height, blockhash):
                 },
                 'height': 0,
                 'active': True
-             },
+            },
+            'anyprevout': {
+                'type': 'heretical',
+                'heretical': {
+                    'binana-id': 'BIN-2016-0118-000',
+                    'start_time': -1,
+                    'timeout': 0x7fffffffffffffff,  # testdummy does not have a timeout so is set to the max int64 value
+                    'period': 144,
+                    'status': 'active',
+                    'status_next': 'active',
+                    'since': 0,
+                },
+                'active': True,
+                'height': 0,
+            },
           }
         })
 

From 999f9fbd83d4144f627e818b1dbbe7197883656d Mon Sep 17 00:00:00 2001
From: Anthony Towns <aj@erisian.com.au>
Date: Mon, 6 Feb 2023 22:50:04 +1000
Subject: [PATCH 6/8] Make ANYPREVOUT transactions standard after activation

---
 src/policy/policy.h | 3 +--
 src/validation.cpp  | 5 ++++-
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/policy/policy.h b/src/policy/policy.h
index 494c8d65c3e64..2b047ae9d208b 100644
--- a/src/policy/policy.h
+++ b/src/policy/policy.h
@@ -116,8 +116,7 @@ static constexpr unsigned int STANDARD_SCRIPT_VERIFY_FLAGS{MANDATORY_SCRIPT_VERI
                                                              SCRIPT_VERIFY_DISCOURAGE_UPGRADABLE_PUBKEYTYPE |
                                                              SCRIPT_VERIFY_DISCOURAGE_UPGRADABLE_CHECK_TEMPLATE_VERIFY_HASH |
                                                              SCRIPT_VERIFY_DEFAULT_CHECK_TEMPLATE_VERIFY_HASH |
-                                                             SCRIPT_VERIFY_ANYPREVOUT |
-                                                             SCRIPT_VERIFY_DISCOURAGE_ANYPREVOUT};
+                                                             SCRIPT_VERIFY_ANYPREVOUT};
 
 /** For convenience, standard but not mandatory verify flags. */
 static constexpr unsigned int STANDARD_NOT_MANDATORY_VERIFY_FLAGS{STANDARD_SCRIPT_VERIFY_FLAGS & ~MANDATORY_SCRIPT_VERIFY_FLAGS};
diff --git a/src/validation.cpp b/src/validation.cpp
index 0263edf66e829..29a6b57390fc8 100644
--- a/src/validation.cpp
+++ b/src/validation.cpp
@@ -1052,7 +1052,10 @@ bool MemPoolAccept::PolicyScriptChecks(const ATMPArgs& args, Workspace& ws)
     TxValidationState& state = ws.m_state;
 
     const bool ctv_active = DeploymentActiveAfter(m_active_chainstate.m_chain.Tip(), m_active_chainstate.m_chainman, Consensus::DEPLOYMENT_CHECKTEMPLATEVERIFY);
-    const unsigned int scriptVerifyFlags = STANDARD_SCRIPT_VERIFY_FLAGS | (ctv_active ? SCRIPT_VERIFY_NONE : SCRIPT_VERIFY_DISCOURAGE_CHECK_TEMPLATE_VERIFY_HASH);
+    const bool apo_active = DeploymentActiveAfter(m_active_chainstate.m_chain.Tip(), m_active_chainstate.m_chainman, Consensus::DEPLOYMENT_ANYPREVOUT);
+    const unsigned int scriptVerifyFlags = STANDARD_SCRIPT_VERIFY_FLAGS
+        | (ctv_active ? SCRIPT_VERIFY_NONE : SCRIPT_VERIFY_DISCOURAGE_CHECK_TEMPLATE_VERIFY_HASH)
+        | (apo_active ? SCRIPT_VERIFY_NONE : SCRIPT_VERIFY_DISCOURAGE_ANYPREVOUT);
 
     // Check input scripts and signatures.
     // This is done last to help prevent CPU exhaustion denial-of-service attacks.

From f8f671f27a029baa5cfa06550bf3c2df623e2cc5 Mon Sep 17 00:00:00 2001
From: Anthony Towns <aj@erisian.com.au>
Date: Fri, 9 Sep 2022 16:17:44 +1000
Subject: [PATCH 7/8] tests: Add ANYPREVOUT testing to feature_taproot

---
 .../fuzz/script_assets_test_minimizer.cpp     |  1 +
 test/functional/feature_taproot.py            | 99 ++++++++++++-------
 test/functional/test_framework/script.py      |  9 +-
 3 files changed, 70 insertions(+), 39 deletions(-)

diff --git a/src/test/fuzz/script_assets_test_minimizer.cpp b/src/test/fuzz/script_assets_test_minimizer.cpp
index 511b581f60639..a803ad37542fc 100644
--- a/src/test/fuzz/script_assets_test_minimizer.cpp
+++ b/src/test/fuzz/script_assets_test_minimizer.cpp
@@ -96,6 +96,7 @@ const std::map<std::string, unsigned int> FLAG_NAMES = {
     {std::string("CHECKSEQUENCEVERIFY"), (unsigned int)SCRIPT_VERIFY_CHECKSEQUENCEVERIFY},
     {std::string("WITNESS"), (unsigned int)SCRIPT_VERIFY_WITNESS},
     {std::string("TAPROOT"), (unsigned int)SCRIPT_VERIFY_TAPROOT},
+    {std::string("ANYPREVOUT"), (unsigned int)SCRIPT_VERIFY_ANYPREVOUT},
 };
 
 std::vector<unsigned int> AllFlags()
diff --git a/test/functional/feature_taproot.py b/test/functional/feature_taproot.py
index c688ef97872c7..9e44ec68dfbb5 100755
--- a/test/functional/feature_taproot.py
+++ b/test/functional/feature_taproot.py
@@ -77,6 +77,8 @@
     SIGHASH_NONE,
     SIGHASH_SINGLE,
     SIGHASH_ANYONECANPAY,
+    SIGHASH_ANYPREVOUT,
+    SIGHASH_ANYPREVOUTANYSCRIPT,
     SegwitV0SignatureMsg,
     TaggedHash,
     TaprootSignatureMsg,
@@ -189,6 +191,10 @@ def default_hashtype(ctx):
     else:
         return SIGHASH_ALL
 
+def default_keyver(ctx):
+    """Default expression for "keyver": 0 (bip341/bip342)"""
+    return get(ctx, "tap").keyver
+
 def default_tapleaf(ctx):
     """Default expression for "tapleaf": looking up leaf in tap[2]."""
     return get(ctx, "tap").leaves[get(ctx, "leaf")]
@@ -231,7 +237,8 @@ def default_sigmsg(ctx):
             codeseppos = get(ctx, "codeseppos")
             leaf_ver = get(ctx, "leafversion")
             script = get(ctx, "script_taproot")
-            return TaprootSignatureMsg(tx, utxos, hashtype, idx, scriptpath=True, script=script, leaf_ver=leaf_ver, codeseparator_pos=codeseppos, annex=annex)
+            keyver = get(ctx, "keyver")
+            return TaprootSignatureMsg(tx, utxos, hashtype, idx, scriptpath=True, script=script, leaf_ver=leaf_ver, codeseparator_pos=codeseppos, annex=annex, key_ver=keyver)
         else:
             return TaprootSignatureMsg(tx, utxos, hashtype, idx, scriptpath=False, annex=annex)
     elif mode == "witv0":
@@ -393,6 +400,8 @@ def default_scriptsig(ctx):
     "negflag": default_negflag,
     # The leaf version to include in the sighash (this does not affect the one in the control block).
     "leafversion": default_leafversion,
+    # The key version to include in the sighash.
+    "keyver": default_keyver,
     # The Merkle path to include in the control block for a script path spend.
     "merklebranch": default_merklebranch,
     # The control block to push for a taproot script path spend.
@@ -625,6 +634,14 @@ def byte_popper(expr):
 ]
 
 VALID_SIGHASHES_TAPROOT = [SIGHASH_DEFAULT] + VALID_SIGHASHES_ECDSA
+VALID_SIGHASHES_ANYPREVOUT = [SIGHASH_DEFAULT] + VALID_SIGHASHES_ECDSA + [
+    SIGHASH_ANYPREVOUT + SIGHASH_ALL,
+    SIGHASH_ANYPREVOUT + SIGHASH_NONE,
+    SIGHASH_ANYPREVOUT + SIGHASH_SINGLE,
+    SIGHASH_ANYPREVOUTANYSCRIPT + SIGHASH_ALL,
+    SIGHASH_ANYPREVOUTANYSCRIPT + SIGHASH_NONE,
+    SIGHASH_ANYPREVOUTANYSCRIPT + SIGHASH_SINGLE,
+]
 
 VALID_SIGHASHES_TAPROOT_SINGLE = [
     SIGHASH_SINGLE,
@@ -775,41 +792,48 @@ def spenders_taproot_active():
     add_spender(spenders, "sighash/hashtype1to0_keypath", tap=tap, key=secs[0], hashtype=SIGHASH_ALL, failure={"bytes_hashtype": b''}, **ERR_SIG_SCHNORR)
     add_spender(spenders, "sighash/hashtype1to0_scriptpath", tap=tap, leaf="pk_codesep", key=secs[1], **SINGLE_SIG, hashtype=SIGHASH_ALL, failure={"bytes_hashtype": b''}, **ERR_SIG_SCHNORR)
 
-    # Test aspects of signatures with unusual lengths
-    for hashtype in [SIGHASH_DEFAULT, random.choice(VALID_SIGHASHES_TAPROOT)]:
-        scripts = [
-            ("csv", CScript([pubs[2], OP_CHECKSIGVERIFY, OP_1])),
-            ("cs_pos", CScript([pubs[2], OP_CHECKSIG])),
-            ("csa_pos", CScript([OP_0, pubs[2], OP_CHECKSIGADD, OP_1, OP_EQUAL])),
-            ("cs_neg", CScript([pubs[2], OP_CHECKSIG, OP_NOT])),
-            ("csa_neg", CScript([OP_2, pubs[2], OP_CHECKSIGADD, OP_2, OP_EQUAL]))
-        ]
-        random.shuffle(scripts)
-        tap = taproot_construct(pubs[3], scripts)
-        # Empty signatures
-        add_spender(spenders, "siglen/empty_keypath", tap=tap, key=secs[3], hashtype=hashtype, failure={"sign": b""}, **ERR_SIG_SIZE)
-        add_spender(spenders, "siglen/empty_csv", tap=tap, key=secs[2], leaf="csv", hashtype=hashtype, **SINGLE_SIG, failure={"sign": b""}, **ERR_CHECKSIGVERIFY)
-        add_spender(spenders, "siglen/empty_cs", tap=tap, key=secs[2], leaf="cs_pos", hashtype=hashtype, **SINGLE_SIG, failure={"sign": b""}, **ERR_NO_SUCCESS)
-        add_spender(spenders, "siglen/empty_csa", tap=tap, key=secs[2], leaf="csa_pos", hashtype=hashtype, **SINGLE_SIG, failure={"sign": b""}, **ERR_NO_SUCCESS)
-        add_spender(spenders, "siglen/empty_cs_neg", tap=tap, key=secs[2], leaf="cs_neg", hashtype=hashtype, **SINGLE_SIG, sign=b"", failure={"sign": lambda _: random.randbytes(random.randrange(1, 63))}, **ERR_SIG_SIZE)
-        add_spender(spenders, "siglen/empty_csa_neg", tap=tap, key=secs[2], leaf="csa_neg", hashtype=hashtype, **SINGLE_SIG, sign=b"", failure={"sign": lambda _: random.randbytes(random.randrange(66, 100))}, **ERR_SIG_SIZE)
-        # Appending a zero byte to signatures invalidates them
-        add_spender(spenders, "siglen/padzero_keypath", tap=tap, key=secs[3], hashtype=hashtype, **SIG_ADD_ZERO, **(ERR_SIG_HASHTYPE if hashtype == SIGHASH_DEFAULT else ERR_SIG_SIZE))
-        add_spender(spenders, "siglen/padzero_csv", tap=tap, key=secs[2], leaf="csv", hashtype=hashtype, **SINGLE_SIG, **SIG_ADD_ZERO, **(ERR_SIG_HASHTYPE if hashtype == SIGHASH_DEFAULT else ERR_SIG_SIZE))
-        add_spender(spenders, "siglen/padzero_cs", tap=tap, key=secs[2], leaf="cs_pos", hashtype=hashtype, **SINGLE_SIG, **SIG_ADD_ZERO, **(ERR_SIG_HASHTYPE if hashtype == SIGHASH_DEFAULT else ERR_SIG_SIZE))
-        add_spender(spenders, "siglen/padzero_csa", tap=tap, key=secs[2], leaf="csa_pos", hashtype=hashtype, **SINGLE_SIG, **SIG_ADD_ZERO, **(ERR_SIG_HASHTYPE if hashtype == SIGHASH_DEFAULT else ERR_SIG_SIZE))
-        add_spender(spenders, "siglen/padzero_cs_neg", tap=tap, key=secs[2], leaf="cs_neg", hashtype=hashtype, **SINGLE_SIG, sign=b"", **SIG_ADD_ZERO, **(ERR_SIG_HASHTYPE if hashtype == SIGHASH_DEFAULT else ERR_SIG_SIZE))
-        add_spender(spenders, "siglen/padzero_csa_neg", tap=tap, key=secs[2], leaf="csa_neg", hashtype=hashtype, **SINGLE_SIG, sign=b"", **SIG_ADD_ZERO, **(ERR_SIG_HASHTYPE if hashtype == SIGHASH_DEFAULT else ERR_SIG_SIZE))
-        # Removing the last byte from signatures invalidates them
-        add_spender(spenders, "siglen/popbyte_keypath", tap=tap, key=secs[3], hashtype=hashtype, **SIG_POP_BYTE, **(ERR_SIG_SIZE if hashtype == SIGHASH_DEFAULT else ERR_SIG_SCHNORR))
-        add_spender(spenders, "siglen/popbyte_csv", tap=tap, key=secs[2], leaf="csv", hashtype=hashtype, **SINGLE_SIG, **SIG_POP_BYTE, **(ERR_SIG_SIZE if hashtype == SIGHASH_DEFAULT else ERR_SIG_SCHNORR))
-        add_spender(spenders, "siglen/popbyte_cs", tap=tap, key=secs[2], leaf="cs_pos", hashtype=hashtype, **SINGLE_SIG, **SIG_POP_BYTE, **(ERR_SIG_SIZE if hashtype == SIGHASH_DEFAULT else ERR_SIG_SCHNORR))
-        add_spender(spenders, "siglen/popbyte_csa", tap=tap, key=secs[2], leaf="csa_pos", hashtype=hashtype, **SINGLE_SIG, **SIG_POP_BYTE, **(ERR_SIG_SIZE if hashtype == SIGHASH_DEFAULT else ERR_SIG_SCHNORR))
-        add_spender(spenders, "siglen/popbyte_cs_neg", tap=tap, key=secs[2], leaf="cs_neg", hashtype=hashtype, **SINGLE_SIG, sign=b"", **SIG_POP_BYTE, **(ERR_SIG_SIZE if hashtype == SIGHASH_DEFAULT else ERR_SIG_SCHNORR))
-        add_spender(spenders, "siglen/popbyte_csa_neg", tap=tap, key=secs[2], leaf="csa_neg", hashtype=hashtype, **SINGLE_SIG, sign=b"", **SIG_POP_BYTE, **(ERR_SIG_SIZE if hashtype == SIGHASH_DEFAULT else ERR_SIG_SCHNORR))
-        # Verify that an invalid signature is not allowed, not even when the CHECKSIG* is expected to fail.
-        add_spender(spenders, "siglen/invalid_cs_neg", tap=tap, key=secs[2], leaf="cs_neg", hashtype=hashtype, **SINGLE_SIG, sign=b"", failure={"sign": default_sign, "sighash": bitflipper(default_sighash)}, **ERR_SIG_SCHNORR)
-        add_spender(spenders, "siglen/invalid_csa_neg", tap=tap, key=secs[2], leaf="csa_neg", hashtype=hashtype, **SINGLE_SIG, sign=b"", failure={"sign": default_sign, "sighash": bitflipper(default_sighash)}, **ERR_SIG_SCHNORR)
+    def spenders_taproot_active_script_path(prefix, valid_sighashes, keyver=1, cmt=""):
+        # Test aspects of signatures with unusual lengths
+        for hashtype in [SIGHASH_DEFAULT, random.choice(valid_sighashes)]:
+            scripts = [
+                ("csv", CScript([prefix+pubs[2], OP_CHECKSIGVERIFY, OP_1])),
+                ("cs_pos", CScript([prefix+pubs[2], OP_CHECKSIG])),
+                ("csa_pos", CScript([OP_0, prefix+pubs[2], OP_CHECKSIGADD, OP_1, OP_EQUAL])),
+                ("cs_neg", CScript([prefix+pubs[2], OP_CHECKSIG, OP_NOT])),
+                ("csa_neg", CScript([OP_2, prefix+pubs[2], OP_CHECKSIGADD, OP_2, OP_EQUAL]))
+            ]
+            random.shuffle(scripts)
+            tap = taproot_construct(pubs[3], scripts, keyver=keyver)
+            # key path
+            if keyver == 0:
+                add_spender(spenders, cmt+"siglen/empty_keypath", tap=tap, key=secs[3], hashtype=hashtype, failure={"sign": b""}, **ERR_SIG_SIZE)
+                add_spender(spenders, cmt+"siglen/padzero_keypath", tap=tap, key=secs[3], hashtype=hashtype, **SIG_ADD_ZERO, **(ERR_SIG_HASHTYPE if hashtype == SIGHASH_DEFAULT else ERR_SIG_SIZE))
+                add_spender(spenders, cmt+"siglen/popbyte_keypath", tap=tap, key=secs[3], hashtype=hashtype, **SIG_POP_BYTE, **(ERR_SIG_SIZE if hashtype == SIGHASH_DEFAULT else ERR_SIG_SCHNORR))
+
+            # Empty signatures
+            add_spender(spenders, cmt+"siglen/empty_csv", tap=tap, key=secs[2], leaf="csv", hashtype=hashtype, **SINGLE_SIG, failure={"sign": b""}, **ERR_CHECKSIGVERIFY)
+            add_spender(spenders, cmt+"siglen/empty_cs", tap=tap, key=secs[2], leaf="cs_pos", hashtype=hashtype, **SINGLE_SIG, failure={"sign": b""}, **ERR_NO_SUCCESS)
+            add_spender(spenders, cmt+"siglen/empty_csa", tap=tap, key=secs[2], leaf="csa_pos", hashtype=hashtype, **SINGLE_SIG, failure={"sign": b""}, **ERR_NO_SUCCESS)
+            add_spender(spenders, cmt+"siglen/empty_cs_neg", tap=tap, key=secs[2], leaf="cs_neg", hashtype=hashtype, **SINGLE_SIG, sign=b"", failure={"sign": lambda _: random.randbytes(random.randrange(1, 63))}, **ERR_SIG_SIZE)
+            add_spender(spenders, cmt+"siglen/empty_csa_neg", tap=tap, key=secs[2], leaf="csa_neg", hashtype=hashtype, **SINGLE_SIG, sign=b"", failure={"sign": lambda _: random.randbytes(random.randrange(66, 100))}, **ERR_SIG_SIZE)
+            # Appending a zero byte to signatures invalidates them
+            add_spender(spenders, cmt+"siglen/padzero_csv", tap=tap, key=secs[2], leaf="csv", hashtype=hashtype, **SINGLE_SIG, **SIG_ADD_ZERO, **(ERR_SIG_HASHTYPE if hashtype == SIGHASH_DEFAULT else ERR_SIG_SIZE))
+            add_spender(spenders, cmt+"siglen/padzero_cs", tap=tap, key=secs[2], leaf="cs_pos", hashtype=hashtype, **SINGLE_SIG, **SIG_ADD_ZERO, **(ERR_SIG_HASHTYPE if hashtype == SIGHASH_DEFAULT else ERR_SIG_SIZE))
+            add_spender(spenders, cmt+"siglen/padzero_csa", tap=tap, key=secs[2], leaf="csa_pos", hashtype=hashtype, **SINGLE_SIG, **SIG_ADD_ZERO, **(ERR_SIG_HASHTYPE if hashtype == SIGHASH_DEFAULT else ERR_SIG_SIZE))
+            add_spender(spenders, cmt+"siglen/padzero_cs_neg", tap=tap, key=secs[2], leaf="cs_neg", hashtype=hashtype, **SINGLE_SIG, sign=b"", **SIG_ADD_ZERO, **(ERR_SIG_HASHTYPE if hashtype == SIGHASH_DEFAULT else ERR_SIG_SIZE))
+            add_spender(spenders, cmt+"siglen/padzero_csa_neg", tap=tap, key=secs[2], leaf="csa_neg", hashtype=hashtype, **SINGLE_SIG, sign=b"", **SIG_ADD_ZERO, **(ERR_SIG_HASHTYPE if hashtype == SIGHASH_DEFAULT else ERR_SIG_SIZE))
+            # Removing the last byte from signatures invalidates them
+            add_spender(spenders, cmt+"siglen/popbyte_csv", tap=tap, key=secs[2], leaf="csv", hashtype=hashtype, **SINGLE_SIG, **SIG_POP_BYTE, **(ERR_SIG_SIZE if hashtype == SIGHASH_DEFAULT else ERR_SIG_SCHNORR))
+            add_spender(spenders, cmt+"siglen/popbyte_cs", tap=tap, key=secs[2], leaf="cs_pos", hashtype=hashtype, **SINGLE_SIG, **SIG_POP_BYTE, **(ERR_SIG_SIZE if hashtype == SIGHASH_DEFAULT else ERR_SIG_SCHNORR))
+            add_spender(spenders, cmt+"siglen/popbyte_csa", tap=tap, key=secs[2], leaf="csa_pos", hashtype=hashtype, **SINGLE_SIG, **SIG_POP_BYTE, **(ERR_SIG_SIZE if hashtype == SIGHASH_DEFAULT else ERR_SIG_SCHNORR))
+            add_spender(spenders, cmt+"siglen/popbyte_cs_neg", tap=tap, key=secs[2], leaf="cs_neg", hashtype=hashtype, **SINGLE_SIG, sign=b"", **SIG_POP_BYTE, **(ERR_SIG_SIZE if hashtype == SIGHASH_DEFAULT else ERR_SIG_SCHNORR))
+            add_spender(spenders, cmt+"siglen/popbyte_csa_neg", tap=tap, key=secs[2], leaf="csa_neg", hashtype=hashtype, **SINGLE_SIG, sign=b"", **SIG_POP_BYTE, **(ERR_SIG_SIZE if hashtype == SIGHASH_DEFAULT else ERR_SIG_SCHNORR))
+            # Verify that an invalid signature is not allowed, not even when the CHECKSIG* is expected to fail.
+            add_spender(spenders, cmt+"siglen/invalid_cs_neg", tap=tap, key=secs[2], leaf="cs_neg", hashtype=hashtype, **SINGLE_SIG, sign=b"", failure={"sign": default_sign, "sighash": bitflipper(default_sighash)}, **ERR_SIG_SCHNORR)
+            add_spender(spenders, cmt+"siglen/invalid_csa_neg", tap=tap, key=secs[2], leaf="csa_neg", hashtype=hashtype, **SINGLE_SIG, sign=b"", failure={"sign": default_sign, "sighash": bitflipper(default_sighash)}, **ERR_SIG_SCHNORR)
+
+    spenders_taproot_active_script_path(b'', VALID_SIGHASHES_TAPROOT, keyver=0)
+    spenders_taproot_active_script_path(b'\x01', VALID_SIGHASHES_ANYPREVOUT, keyver=1, cmt="apo/")
 
     # == Test that BIP341 spending only applies to witness version 1, program length 32, no P2SH ==
 
@@ -1234,11 +1258,14 @@ def spenders_taproot_nonstandard():
 LEGACY_FLAGS = "P2SH,DERSIG,CHECKLOCKTIMEVERIFY,CHECKSEQUENCEVERIFY,WITNESS,NULLDUMMY"
 # Consensus validation flags to use in dumps for all other tests.
 TAPROOT_FLAGS = "P2SH,DERSIG,CHECKLOCKTIMEVERIFY,CHECKSEQUENCEVERIFY,WITNESS,NULLDUMMY,TAPROOT"
+APO_FLAGS = "P2SH,DERSIG,CHECKLOCKTIMEVERIFY,CHECKSEQUENCEVERIFY,WITNESS,NULLDUMMY,TAPROOT,ANYPREVOUT"
 
 def dump_json_test(tx, input_utxos, idx, success, failure):
     spender = input_utxos[idx].spender
     # Determine flags to dump
     flags = LEGACY_FLAGS if spender.comment.startswith("legacy/") or spender.comment.startswith("inactive/") else TAPROOT_FLAGS
+    if spender.comment.startswith("apo/"):
+        flags = APO_FLAGS
 
     fields = [
         ("tx", tx.serialize().hex()),
diff --git a/test/functional/test_framework/script.py b/test/functional/test_framework/script.py
index 133127fda5628..99abb47686a72 100644
--- a/test/functional/test_framework/script.py
+++ b/test/functional/test_framework/script.py
@@ -915,7 +915,7 @@ def taproot_tree_helper(scripts):
 # - tweak: the tweak (32 bytes)
 # - leaves: a dict of name -> TaprootLeafInfo objects for all known leaves
 # - merkle_root: the script tree's Merkle root, or bytes() if no leaves are present
-TaprootInfo = namedtuple("TaprootInfo", "scriptPubKey,internal_pubkey,negflag,tweak,leaves,merkle_root,output_pubkey")
+TaprootInfo = namedtuple("TaprootInfo", "scriptPubKey,internal_pubkey,negflag,tweak,leaves,merkle_root,output_pubkey,keyver")
 
 # A TaprootLeafInfo object has the following fields:
 # - script: the leaf script (CScript or bytes)
@@ -923,7 +923,7 @@ def taproot_tree_helper(scripts):
 # - merklebranch: the merkle branch to use for this leaf (32*N bytes)
 TaprootLeafInfo = namedtuple("TaprootLeafInfo", "script,version,merklebranch,leaf_hash")
 
-def taproot_construct(pubkey, scripts=None, treat_internal_as_infinity=False):
+def taproot_construct(pubkey, scripts=None, *, keyver=None, treat_internal_as_infinity=False):
     """Construct a tree of Taproot spending conditions
 
     pubkey: a 32-byte xonly pubkey for the internal pubkey (bytes)
@@ -940,6 +940,9 @@ def taproot_construct(pubkey, scripts=None, treat_internal_as_infinity=False):
     if scripts is None:
         scripts = []
 
+    if keyver is None:
+        keyver = 0
+
     ret, h = taproot_tree_helper(scripts)
     tweak = TaggedHash("TapTweak", pubkey + h)
     if treat_internal_as_infinity:
@@ -947,7 +950,7 @@ def taproot_construct(pubkey, scripts=None, treat_internal_as_infinity=False):
     else:
         tweaked, negated = tweak_add_pubkey(pubkey, tweak)
     leaves = dict((name, TaprootLeafInfo(script, version, merklebranch, leaf)) for name, version, script, merklebranch, leaf in ret)
-    return TaprootInfo(CScript([OP_1, tweaked]), pubkey, negated + 0, tweak, leaves, h, tweaked)
+    return TaprootInfo(CScript([OP_1, tweaked]), pubkey, negated + 0, tweak, leaves, h, tweaked, keyver)
 
 def is_op_success(o):
     return o == 0x50 or o == 0x62 or o == 0x89 or o == 0x8a or o == 0x8d or o == 0x8e or (o >= 0x7e and o <= 0x81) or (o >= 0x83 and o <= 0x86) or (o >= 0x95 and o <= 0x99) or (o >= 0xbb and o <= 0xfe)

From cf1ed618a34df1a02e416c6d515294398b89d687 Mon Sep 17 00:00:00 2001
From: Antoine Poinsot <darosior@protonmail.com>
Date: Sun, 9 Oct 2022 15:50:27 +0200
Subject: [PATCH 8/8] qa: add a fuzz target ensuring the sighash behaviour for
 non APO keys was conserved

This fuzz targets copied the SignatureHashSchnorr function for Bitcoin
Core 23.0 and checks the output of the APO-ready SignatureHashSchnorr
from this branch against it.

This is to make sure the behaviour of the function was not changed for
non ANYPREVOUT keys, which would make some previously valid signatures
invalid and, even worse, some previously invalid signatures valid.
---
 src/Makefile.test.include    |   1 +
 src/script/interpreter.cpp   |   4 +
 src/test/fuzz/anyprevout.cpp | 187 +++++++++++++++++++++++++++++++++++
 3 files changed, 192 insertions(+)
 create mode 100644 src/test/fuzz/anyprevout.cpp

diff --git a/src/Makefile.test.include b/src/Makefile.test.include
index 2fe48c88b4e78..ae5622101814d 100644
--- a/src/Makefile.test.include
+++ b/src/Makefile.test.include
@@ -283,6 +283,7 @@ test_fuzz_fuzz_SOURCES = \
  $(FUZZ_WALLET_SRC) \
  test/fuzz/addition_overflow.cpp \
  test/fuzz/addrman.cpp \
+ test/fuzz/anyprevout.cpp \
  test/fuzz/asmap.cpp \
  test/fuzz/asmap_direct.cpp \
  test/fuzz/autofile.cpp \
diff --git a/src/script/interpreter.cpp b/src/script/interpreter.cpp
index 53df4248a841b..7497ae8df10ae 100644
--- a/src/script/interpreter.cpp
+++ b/src/script/interpreter.cpp
@@ -1671,9 +1671,11 @@ bool SignatureHashSchnorr(uint256& hash_out, ScriptExecutionData& execdata, cons
         ss << cache.m_spent_outputs[in_pos];
         ss << tx_to.vin[in_pos].nSequence;
     } else if (input_type == SIGHASH_ANYPREVOUT) {
+        assert(keyversion == KeyVersion::ANYPREVOUT);
         ss << cache.m_spent_outputs[in_pos];
         ss << tx_to.vin[in_pos].nSequence;
     } else if (input_type == SIGHASH_ANYPREVOUTANYSCRIPT) {
+        assert(keyversion == KeyVersion::ANYPREVOUT);
         ss << tx_to.vin[in_pos].nSequence;
     } else {
         ss << in_pos;
@@ -1698,6 +1700,8 @@ bool SignatureHashSchnorr(uint256& hash_out, ScriptExecutionData& execdata, cons
         assert(execdata.m_tapleaf_hash_init);
         if (input_type != SIGHASH_ANYPREVOUTANYSCRIPT) {
             ss << execdata.m_tapleaf_hash;
+        } else {
+            assert(keyversion == KeyVersion::ANYPREVOUT);
         }
         ss << uint8_t(keyversion);
         assert(execdata.m_codeseparator_pos_init);
diff --git a/src/test/fuzz/anyprevout.cpp b/src/test/fuzz/anyprevout.cpp
new file mode 100644
index 0000000000000..a38a344ecb200
--- /dev/null
+++ b/src/test/fuzz/anyprevout.cpp
@@ -0,0 +1,187 @@
+// Copyright (c) 2020 The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#include <hash.h>
+#include <primitives/transaction.h>
+#include <script/interpreter.h>
+#include <test/fuzz/FuzzedDataProvider.h>
+#include <test/fuzz/fuzz.h>
+#include <test/fuzz/util.h>
+
+#include <cstdint>
+#include <optional>
+#include <string>
+#include <vector>
+
+/**
+ * SignatureHashSchnorr from Bitcoin Core 23.0.
+ *
+ * Only change is using an assert directly instead of HandleMissingData.
+ */
+template<typename T>
+bool OldSignatureHashSchnorr(uint256& hash_out, ScriptExecutionData& execdata, const T& tx_to, uint32_t in_pos, uint8_t hash_type, SigVersion sigversion, const PrecomputedTransactionData& cache, MissingDataBehavior mdb)
+{
+    uint8_t ext_flag, key_version;
+    switch (sigversion) {
+    case SigVersion::TAPROOT:
+        ext_flag = 0;
+        // key_version is not used and left uninitialized.
+        break;
+    case SigVersion::TAPSCRIPT:
+        ext_flag = 1;
+        // key_version must be 0 for now, representing the current version of
+        // 32-byte public keys in the tapscript signature opcode execution.
+        // An upgradable public key version (with a size not 32-byte) may
+        // request a different key_version with a new sigversion.
+        key_version = 0;
+        break;
+    default:
+        assert(false);
+    }
+    assert(in_pos < tx_to.vin.size());
+    assert(cache.m_bip341_taproot_ready && cache.m_spent_outputs_ready);
+
+    HashWriter ss = HASHER_TAPSIGHASH;
+
+    // Epoch
+    static constexpr uint8_t EPOCH = 0;
+    ss << EPOCH;
+
+    // Hash type
+    const uint8_t output_type = (hash_type == SIGHASH_DEFAULT) ? SIGHASH_ALL : (hash_type & SIGHASH_OUTPUT_MASK); // Default (no sighash byte) is equivalent to SIGHASH_ALL
+    const uint8_t input_type = hash_type & SIGHASH_INPUT_MASK;
+    if (!(hash_type <= 0x03 || (hash_type >= 0x81 && hash_type <= 0x83))) return false;
+    ss << hash_type;
+
+    // Transaction level data
+    ss << tx_to.nVersion;
+    ss << tx_to.nLockTime;
+    if (input_type != SIGHASH_ANYONECANPAY) {
+        ss << cache.m_prevouts_single_hash;
+        ss << cache.m_spent_amounts_single_hash;
+        ss << cache.m_spent_scripts_single_hash;
+        ss << cache.m_sequences_single_hash;
+    }
+    if (output_type == SIGHASH_ALL) {
+        ss << cache.m_outputs_single_hash;
+    }
+
+    // Data about the input/prevout being spent
+    assert(execdata.m_annex_init);
+    const bool have_annex = execdata.m_annex_present;
+    const uint8_t spend_type = (ext_flag << 1) + (have_annex ? 1 : 0); // The low bit indicates whether an annex is present.
+    ss << spend_type;
+    if (input_type == SIGHASH_ANYONECANPAY) {
+        ss << tx_to.vin[in_pos].prevout;
+        ss << cache.m_spent_outputs[in_pos];
+        ss << tx_to.vin[in_pos].nSequence;
+    } else {
+        ss << in_pos;
+    }
+    if (have_annex) {
+        ss << execdata.m_annex_hash;
+    }
+
+    // Data about the output (if only one).
+    if (output_type == SIGHASH_SINGLE) {
+        if (in_pos >= tx_to.vout.size()) return false;
+        if (!execdata.m_output_hash) {
+            HashWriter sha_single_output{};
+            sha_single_output << tx_to.vout[in_pos];
+            execdata.m_output_hash = sha_single_output.GetSHA256();
+        }
+        ss << execdata.m_output_hash.value();
+    }
+
+    // Additional data for BIP 342 signatures
+    if (sigversion == SigVersion::TAPSCRIPT) {
+        assert(execdata.m_tapleaf_hash_init);
+        ss << execdata.m_tapleaf_hash;
+        ss << key_version;
+        assert(execdata.m_codeseparator_pos_init);
+        ss << execdata.m_codeseparator_pos;
+    }
+
+    hash_out = ss.GetSHA256();
+    return true;
+}
+
+/** Test APO's SignatureHashSchnorr against Bitcoin 23.0's SignatureHashSchnorr.
+ *
+ * This makes sure the behaviour for non-APO keys was conserved with the introduction of the APO logic.
+ */
+FUZZ_TARGET(anyprevout_old_new_sighash)
+{
+    FuzzedDataProvider fuzzed_data_provider(buffer.data(), buffer.size());
+    {
+        // Get a transaction and pick the input we'll generate the sighash for from the fuzzer output.
+        std::optional<CMutableTransaction> mtx = ConsumeDeserializable<CMutableTransaction>(fuzzed_data_provider, TX_WITH_WITNESS);
+        if (!mtx) return;
+        const uint32_t in_pos = fuzzed_data_provider.ConsumeIntegral<uint32_t>();
+        if (in_pos >= mtx->vin.size()) return;
+
+        // Make sure at least one of the transaction's inputs has a non-empty witness, as cache.Init()
+        // below needs it. Then take a script code (we don't need it to be valid), a signature version
+        // (which must be anything but APO), and a hash type to use from the fuzzer's output.
+        if (mtx->vin[0].scriptWitness.IsNull()) mtx->vin[0].scriptWitness.stack.push_back({0});
+        const CTransaction tx_to{*mtx};
+        const CScript script_code = ConsumeScript(fuzzed_data_provider);
+        const SigVersion sig_version{fuzzed_data_provider.PickValueInArray({SigVersion::TAPROOT, SigVersion::TAPSCRIPT})};
+        const uint8_t hash_type{fuzzed_data_provider.ConsumeIntegral<uint8_t>()};
+
+        // Populate the transaction cache with the transaction and dummy spent outputs. The scriptPubkKey
+        // must match the Taproot template for Init() to populate the right fields.
+        PrecomputedTransactionData cache;
+        std::vector<CTxOut> spent_outputs;
+        spent_outputs.reserve(tx_to.vin.size());
+        for (unsigned i = 0; i < tx_to.vin.size(); ++i) {
+            CScript script_pubkey;
+            script_pubkey << OP_1 << fuzzed_data_provider.ConsumeBytes<uint8_t>(WITNESS_V1_TAPROOT_SIZE);
+            if (script_pubkey.size() != 2 + WITNESS_V1_TAPROOT_SIZE) return;
+            const CAmount value{fuzzed_data_provider.ConsumeIntegral<int64_t>()};
+            spent_outputs.emplace_back(value, std::move(script_pubkey));
+        }
+        cache.Init(tx_to, std::move(spent_outputs));
+        assert(cache.m_spent_outputs_ready);
+        assert(cache.m_bip341_taproot_ready);
+
+        // Now populate the Script execution data. Annex needs always be populated and tapleaf hash
+        // is only need for Script-path spends.
+        ScriptExecutionData exec_data;
+        exec_data.m_annex_present = false;
+        if (fuzzed_data_provider.ConsumeBool()) {
+            if (const auto annex_hash = ConsumeDeserializable<uint256>(fuzzed_data_provider)) {
+                exec_data.m_annex_hash = *annex_hash;
+                exec_data.m_annex_present = true;
+            }
+        }
+        exec_data.m_annex_init = true;
+        if (sig_version == SigVersion::TAPSCRIPT) {
+            if (const auto tapleaf_hash = ConsumeDeserializable<uint256>(fuzzed_data_provider)) {
+                exec_data.m_tapleaf_hash = *tapleaf_hash;
+                exec_data.m_tapleaf_hash_init = true;
+            } else {
+                return;
+            }
+            exec_data.m_codeseparator_pos = fuzzed_data_provider.ConsumeIntegral<uint32_t>();
+            exec_data.m_codeseparator_pos_init = true;
+        }
+
+        // Assert the existing behaviour was conserved with the introduction of the APO logic for
+        // the fully pseudo-random hashtype.
+        uint256 old_sighash, new_sighash;
+        const auto new_res = SignatureHashSchnorr(new_sighash, exec_data, tx_to, in_pos, hash_type, sig_version,
+                                                  KeyVersion::TAPROOT, cache, MissingDataBehavior::ASSERT_FAIL);
+        const auto old_res = OldSignatureHashSchnorr(old_sighash, exec_data, tx_to, in_pos, hash_type, sig_version,
+                                                     cache, MissingDataBehavior::ASSERT_FAIL);
+        assert(new_res == old_res);
+        assert(new_sighash == old_sighash);
+        const auto new_res_h = SignatureHashSchnorr(new_sighash, exec_data, tx_to, in_pos, hash_type, sig_version,
+                                                    KeyVersion::TAPROOT, cache, MissingDataBehavior::ASSERT_FAIL);
+        const auto old_res_h = OldSignatureHashSchnorr(old_sighash, exec_data, tx_to, in_pos, hash_type, sig_version,
+                                                       cache, MissingDataBehavior::ASSERT_FAIL);
+        assert(new_res_h == old_res_h);
+        assert(new_sighash == old_sighash);
+    }
+}