crypto: add NUMS_H const

src/pubkey.cpp

@@ -13,6 +13,7 @@
 #include <secp256k1_schnorrsig.h>
 #include <span.h>
 #include <uint256.h>
+#include <util/strencodings.h>
 
 #include <algorithm>
 #include <cassert>
@@ -181,6 +182,17 @@ int ecdsa_signature_parse_der_lax(secp256k1_ecdsa_signature* sig, const unsigned
     return 1;
 }
 
+/** Nothing Up My Sleeve (NUMS) point
+ *
+ *  NUMS_H is a point with an unknown discrete logarithm, constructed by taking the sha256 of 'g'
+ *  (uncompressed encoding), which happens to be a point on the curve.
+ *
+ *  For an example script for calculating H, refer to the unit tests in
+ *  ./test/functional/test_framework/crypto/secp256k1.py
+ */
+static const std::vector<unsigned char> NUMS_H_DATA{ParseHex("50929b74c1a04954b78b4b6035e97a5e078a5a0f28ec96d547bfee9ace803ac0")};
+const XOnlyPubKey XOnlyPubKey::NUMS_H{NUMS_H_DATA};
+
 XOnlyPubKey::XOnlyPubKey(Span<const unsigned char> bytes)
 {
     assert(bytes.size() == 32);

src/pubkey.h

@@ -233,6 +233,11 @@ class XOnlyPubKey
     uint256 m_keydata;
 
 public:
+    /** Nothing Up My Sleeve point H
+     *  Used as an internal key for provably disabling the key path spend
+     *  see BIP341 for more details */
+    static const XOnlyPubKey NUMS_H;
+
     /** Construct an empty x-only pubkey. */
     XOnlyPubKey() = default;
 

test/functional/test_framework/crypto/secp256k1.py

@@ -15,6 +15,8 @@
 * G: the secp256k1 generator point
 """
 
+import unittest
+from hashlib import sha256
 
 class FE:
     """Objects of this class represent elements of the field GF(2**256 - 2**32 - 977).
@@ -344,3 +346,9 @@ def mul(self, a):
 
 # Precomputed table with multiples of G for fast multiplication
 FAST_G = FastGEMul(G)
+
+class TestFrameworkSecp256k1(unittest.TestCase):
+    def test_H(self):
+        H = sha256(G.to_bytes_uncompressed()).digest()
+        assert GE.lift_x(FE.from_bytes(H)) is not None
+        self.assertEqual(H.hex(), "50929b74c1a04954b78b4b6035e97a5e078a5a0f28ec96d547bfee9ace803ac0")