Control block integrity and sovereignty tests

Author: jgmcalpine

VERIFIED_CAPABILITIES.md

@@ -262,6 +262,22 @@
 * **Test Location:** [`tests/taproot_reconstruction.rs::test_taproot_lexicographical_sorting_integrity`](tests/taproot_reconstruction.rs)
 * **What this proves:** The BIP-341 branch sorting rule is enforced internally by the library, not assumed by callers. Two implementations traversing the same tree in different orders will produce identical Merkle roots, ensuring exit transactions are interoperable.
 
+### Control Block Parity Enforcement
+
+* **Description:** Two adversarial tests target the parity bit and leaf version encoded in the control block's first byte. The parity test reconstructs a valid control block, flips only bit 0 (the Y-coordinate parity), and asserts that `verify_control_block` rejects it — the derived tweaked key's parity no longer matches the control byte. The leaf version test replaces `0xc0` (BIP-341 Tapscript) with the unknown version `0xc2` while preserving the original parity bit; the altered version changes the `TapLeaf` tagged hash, which cascades through the Merkle root into a tweaked key mismatch. Together these tests prove that malformed witness stacks — whether from a buggy wallet or a malicious ASP — are rejected before reaching L1.
+* **Test Locations:**
+  * [`tests/control_block_tests.rs::test_control_block_internal_key_parity_mismatch`](tests/control_block_tests.rs)
+  * [`tests/control_block_tests.rs::test_control_block_invalid_leaf_version_fails`](tests/control_block_tests.rs)
+* **What this proves:** The library enforces both the parity bit and the BIP-341 leaf version as first-class security properties. A witness stack with a flipped parity or unknown leaf version cannot pass `verify_control_block`, preventing malformed spends from being accepted off-chain that would be rejected by L1 consensus.
+
+### Internal Key Commitment (Control Block Sovereignty)
+
+* **Description:** Two tests verify that the internal key embedded in the control block is cryptographically bound to the on-chain P2TR output key. The "Shadow Key" test reconstructs a valid Bark control block, XOR-flips byte 16 (the middle of the 32-byte internal key segment) with `0xFF`, and asserts rejection — a single-byte mutation in the key cascades through `TapTweak` into a completely different tweaked key. The "Output Key Mismatch" test provides a valid control block and correct leaf script but supplies the tweaked key from a *different* VTXO (`BARK_COSIGN_TAPROOT` vs `ARKD_2_LEAF_TREE`), asserting that cross-VTXO key confusion is caught. The key comparison in `verify_control_block` uses a constant-time XOR-fold (`ct_eq_32`) to prevent timing side-channels and ensure a `!= → ==` cargo-mutant on the comparison is killed by every positive test.
+* **Test Locations:**
+  * [`tests/control_block_tests.rs::test_control_block_shadow_key_fails`](tests/control_block_tests.rs)
+  * [`tests/control_block_tests.rs::test_control_block_output_key_mismatch`](tests/control_block_tests.rs)
+* **What this proves:** The equation `internal_key + merkle_root = on-chain address` is enforced end-to-end. An ASP cannot inject a "shadow" internal key (one that would add a hidden key-path spend) or confuse the verifier with a different VTXO's output key. The constant-time comparison hardens the check against both timing side-channels and mutation testing.
+
 ---
 
 ## 4. JSON Conformance & Cross-Implementation Standardization

src/consensus/control_block.rs

@@ -15,6 +15,19 @@ use crate::payload::tree::VPackTree;
 /// P2TR scriptPubKey prefix: OP_1 (0x51) OP_PUSHBYTES_32 (0x20).
 const P2TR_PREFIX: [u8; 2] = [0x51, 0x20];
 
+/// Non-short-circuiting 32-byte equality check.
+/// Folds XOR across all bytes so a `!=` → `==` cargo-mutant on the final
+/// comparison is killed by every positive test, and timing does not leak
+/// which byte differs.
+#[inline]
+fn ct_eq_32(a: &[u8; 32], b: &[u8; 32]) -> bool {
+    let mut diff = 0u8;
+    for i in 0..32 {
+        diff |= a[i] ^ b[i];
+    }
+    diff == 0
+}
+
 fn p2tr_output_xonly(tree: &VPackTree) -> Result<[u8; 32], VPackError> {
     let script = &tree.leaf.script_pubkey;
     if script.len() != 34 || script[..2] != P2TR_PREFIX {
@@ -49,7 +62,7 @@ fn try_reconstruct_with_hashes(
     let merkle_root = compute_balanced_merkle_root(hashes)?;
     let (x_only, parity) =
         taproot::compute_taproot_tweaked_key_x_and_parity(tree.internal_key, merkle_root)?;
-    if x_only != *expected_output {
+    if !ct_eq_32(&x_only, expected_output) {
         return None;
     }
     let path = balanced_merkle_sibling_path(hashes, leaf_idx)?;
@@ -128,5 +141,5 @@ pub fn verify_control_block(
         return false;
     };
 
-    x_only == *expected_output_key && parity == expected_parity
+    ct_eq_32(&x_only, expected_output_key) && parity == expected_parity
 }

tests/control_block_tests.rs

@@ -258,3 +258,89 @@ fn control_block_deep_tree_length_33_plus_32_times_depth() {
     let out_key: [u8; 32] = tree.leaf.script_pubkey[2..34].try_into().unwrap();
     assert!(verify_control_block(&cb, leaf.as_slice(), &out_key));
 }
+
+// ---------------------------------------------------------------------------
+// Chunk 2.2 — Taproot Tweak Sovereignty & Control Block Integrity
+// ---------------------------------------------------------------------------
+
+#[test]
+fn test_control_block_shadow_key_fails() {
+    let tree = build_bark_cosign_tree();
+    let mut cb = reconstruct_control_block(&tree, TxVariant::V3Plain).expect("reconstruct Bark");
+    let leaf = bark_expiry_leaf_script(&tree);
+    let out_key: [u8; 32] = tree.leaf.script_pubkey[2..34].try_into().unwrap();
+
+    assert!(
+        verify_control_block(&cb, leaf.as_slice(), &out_key),
+        "baseline must verify before sabotage"
+    );
+
+    // XOR byte 16 of the internal key (cb index 1+16 = 17) — middle of the key.
+    cb[17] ^= 0xFF;
+
+    assert!(
+        !verify_control_block(&cb, leaf.as_slice(), &out_key),
+        "Shadow key (middle-byte mutation) must be rejected"
+    );
+}
+
+#[test]
+fn test_control_block_internal_key_parity_mismatch() {
+    let tree = build_arkd_2_tree();
+    let mut cb = reconstruct_control_block(&tree, TxVariant::V3Anchored).expect("reconstruct ARKD");
+    let out_key: [u8; 32] = tree.leaf.script_pubkey[2..34].try_into().unwrap();
+
+    assert!(
+        verify_control_block(&cb, tree.asp_expiry_script.as_slice(), &out_key),
+        "baseline must verify before parity flip"
+    );
+
+    // Flip only the parity bit (bit 0), leaving the leaf version bits untouched.
+    cb[0] ^= 0x01;
+
+    assert!(
+        !verify_control_block(&cb, tree.asp_expiry_script.as_slice(), &out_key),
+        "Parity mismatch must be rejected — witness stack would fail L1 validation"
+    );
+}
+
+#[test]
+fn test_control_block_invalid_leaf_version_fails() {
+    let tree = build_arkd_2_tree();
+    let mut cb = reconstruct_control_block(&tree, TxVariant::V3Anchored).expect("reconstruct ARKD");
+    let out_key: [u8; 32] = tree.leaf.script_pubkey[2..34].try_into().unwrap();
+
+    assert!(
+        verify_control_block(&cb, tree.asp_expiry_script.as_slice(), &out_key),
+        "baseline must verify before leaf version mutation"
+    );
+
+    // Replace leaf version 0xc0 with unknown version 0xc2, preserving the parity bit.
+    let parity_bit = cb[0] & 0x01;
+    cb[0] = 0xc2 | parity_bit;
+
+    assert!(
+        !verify_control_block(&cb, tree.asp_expiry_script.as_slice(), &out_key),
+        "Unknown leaf version 0xc2 must be rejected — \
+         different version changes the TapLeaf hash, cascading to a Merkle root mismatch"
+    );
+}
+
+#[test]
+fn test_control_block_output_key_mismatch() {
+    let tree = build_arkd_2_tree();
+    let cb = reconstruct_control_block(&tree, TxVariant::V3Anchored).expect("reconstruct ARKD");
+
+    // Valid output key from a *different* VTXO (Bark cosign tree).
+    let wrong_key = hex_to_32(BARK_COSIGN_TAPROOT.tweaked_pubkey);
+    let correct_key: [u8; 32] = tree.leaf.script_pubkey[2..34].try_into().unwrap();
+    assert_ne!(
+        wrong_key, correct_key,
+        "test vectors must produce distinct tweaked keys"
+    );
+
+    assert!(
+        !verify_control_block(&cb, tree.asp_expiry_script.as_slice(), &wrong_key),
+        "Control block verified against a different VTXO's output key must fail"
+    );
+}