From 91a804773cef936ba2f9999d2129a94ed731713c Mon Sep 17 00:00:00 2001
From: josibake <josibake@protonmail.com>
Date: Tue, 13 Feb 2024 17:41:59 +0100
Subject: [PATCH] crypto: add NUMS_H const

---
 src/pubkey.cpp                                     | 12 ++++++++++++
 src/pubkey.h                                       |  5 +++++
 test/functional/test_framework/crypto/secp256k1.py |  8 ++++++++
 3 files changed, 25 insertions(+)

diff --git a/src/pubkey.cpp b/src/pubkey.cpp
index 11e1b4abb51af..13e3c2dbe07d8 100644
--- a/src/pubkey.cpp
+++ b/src/pubkey.cpp
@@ -13,6 +13,7 @@
 #include <secp256k1_schnorrsig.h>
 #include <span.h>
 #include <uint256.h>
+#include <util/strencodings.h>
 
 #include <algorithm>
 #include <cassert>
@@ -181,6 +182,17 @@ int ecdsa_signature_parse_der_lax(secp256k1_ecdsa_signature* sig, const unsigned
     return 1;
 }
 
+/** Nothing Up My Sleeve (NUMS) point
+ *
+ *  NUMS_H is a point with an unknown discrete logarithm, constructed by taking the sha256 of 'g'
+ *  (uncompressed encoding), which happens to be a point on the curve.
+ *
+ *  For an example script for calculating H, refer to the unit tests in
+ *  ./test/functional/test_framework/crypto/secp256k1.py
+ */
+static const std::vector<unsigned char> NUMS_H_DATA{ParseHex("50929b74c1a04954b78b4b6035e97a5e078a5a0f28ec96d547bfee9ace803ac0")};
+const XOnlyPubKey XOnlyPubKey::NUMS_H{NUMS_H_DATA};
+
 XOnlyPubKey::XOnlyPubKey(Span<const unsigned char> bytes)
 {
     assert(bytes.size() == 32);
diff --git a/src/pubkey.h b/src/pubkey.h
index 15d7e7bc07dbb..ae34ddd0afddc 100644
--- a/src/pubkey.h
+++ b/src/pubkey.h
@@ -233,6 +233,11 @@ class XOnlyPubKey
     uint256 m_keydata;
 
 public:
+    /** Nothing Up My Sleeve point H
+     *  Used as an internal key for provably disabling the key path spend
+     *  see BIP341 for more details */
+    static const XOnlyPubKey NUMS_H;
+
     /** Construct an empty x-only pubkey. */
     XOnlyPubKey() = default;
 
diff --git a/test/functional/test_framework/crypto/secp256k1.py b/test/functional/test_framework/crypto/secp256k1.py
index 2e9e419da5b08..50a46dce37c5d 100644
--- a/test/functional/test_framework/crypto/secp256k1.py
+++ b/test/functional/test_framework/crypto/secp256k1.py
@@ -15,6 +15,8 @@
 * G: the secp256k1 generator point
 """
 
+import unittest
+from hashlib import sha256
 
 class FE:
     """Objects of this class represent elements of the field GF(2**256 - 2**32 - 977).
@@ -344,3 +346,9 @@ def mul(self, a):
 
 # Precomputed table with multiples of G for fast multiplication
 FAST_G = FastGEMul(G)
+
+class TestFrameworkSecp256k1(unittest.TestCase):
+    def test_H(self):
+        H = sha256(G.to_bytes_uncompressed()).digest()
+        assert GE.lift_x(FE.from_bytes(H)) is not None
+        self.assertEqual(H.hex(), "50929b74c1a04954b78b4b6035e97a5e078a5a0f28ec96d547bfee9ace803ac0")