input

func CommitScriptAnchor ¶

func CommitScriptAnchor(key *btcec.PublicKey) ([]byte, error)

CommitScriptAnchor constructs the script for the anchor output spendable by the given key immediately, or by anyone after 16 confirmations.

Possible Input Scripts:

By owner:				<sig>
By anyone (after 16 conf):	<emptyvector>

Output Script:

<funding_pubkey> OP_CHECKSIG OP_IFDUP
OP_NOTIF
  OP_16 OP_CSV
OP_ENDIF

func CommitScriptToRemoteConfirmed ¶

func CommitScriptToRemoteConfirmed(key *btcec.PublicKey) ([]byte, error)

CommitScriptToRemoteConfirmed constructs the script for the output on the commitment transaction paying to the remote party of said commitment transaction. The money can only be spend after one confirmation.

Possible Input Scripts:

SWEEP: <sig>

Output Script:

<key> OP_CHECKSIGVERIFY
1 OP_CHECKSEQUENCEVERIFY

func CommitScriptToSelf ¶

func CommitScriptToSelf(csvTimeout uint32, selfKey, revokeKey *btcec.PublicKey) ([]byte, error)

CommitScriptToSelf constructs the public key script for the output on the commitment transaction paying to the "owner" of said commitment transaction. If the other party learns of the preimage to the revocation hash, then they can claim all the settled funds in the channel, plus the unsettled funds.

Possible Input Scripts:

REVOKE:     <sig> 1
SENDRSWEEP: <sig> <emptyvector>

Output Script:

OP_IF
    <revokeKey>
OP_ELSE
    <numRelativeBlocks> OP_CHECKSEQUENCEVERIFY OP_DROP
    <timeKey>
OP_ENDIF
OP_CHECKSIG

func CommitScriptUnencumbered ¶

func CommitScriptUnencumbered(key *btcec.PublicKey) ([]byte, error)

CommitScriptUnencumbered constructs the public key script on the commitment transaction paying to the "other" party. The constructed output is a normal p2wkh output spendable immediately, requiring no contestation period.

func CommitSpendAnchor ¶

func CommitSpendAnchor(signer Signer, signDesc *SignDescriptor,
	sweepTx *wire.MsgTx) (wire.TxWitness, error)

CommitSpendAnchor constructs a valid witness allowing a node to spend their anchor output on the commitment transaction using their funding key. This is used for the anchor channel type.

func CommitSpendAnchorAnyone ¶

func CommitSpendAnchorAnyone(script []byte) (wire.TxWitness, error)

CommitSpendAnchorAnyone constructs a witness allowing anyone to spend the anchor output after it has gotten 16 confirmations. Since no signing is required, only knowledge of the redeem script is necessary to spend it.

func CommitSpendNoDelay ¶

func CommitSpendNoDelay(signer Signer, signDesc *SignDescriptor,
	sweepTx *wire.MsgTx, tweakless bool) (wire.TxWitness, error)

CommitSpendNoDelay constructs a valid witness allowing a node to spend their settled no-delay output on the counterparty's commitment transaction. If the tweakless field is true, then we'll omit the set where we tweak the pubkey with a random set of bytes, and use it directly in the witness stack.

NOTE: The passed SignDescriptor should include the raw (untweaked) public key of the receiver and also the proper single tweak value based on the current commitment point.

func CommitSpendRevoke ¶

func CommitSpendRevoke(signer Signer, signDesc *SignDescriptor,
	sweepTx *wire.MsgTx) (wire.TxWitness, error)

CommitSpendRevoke constructs a valid witness allowing a node to sweep the settled output of a malicious counterparty who broadcasts a revoked commitment transaction.

NOTE: The passed SignDescriptor should include the raw (untweaked) revocation base public key of the receiver and also the proper double tweak value based on the commitment secret of the revoked commitment.

func CommitSpendTimeout ¶

func CommitSpendTimeout(signer Signer, signDesc *SignDescriptor,
	sweepTx *wire.MsgTx) (wire.TxWitness, error)

CommitSpendTimeout constructs a valid witness allowing the owner of a particular commitment transaction to spend the output returning settled funds back to themselves after a relative block timeout. In order to properly spend the transaction, the target input's sequence number should be set accordingly based off of the target relative block timeout within the redeem script. Additionally, OP_CSV requires that the version of the transaction spending a pkscript with OP_CSV within it *must* be >= 2.

func CommitSpendToRemoteConfirmed ¶

func CommitSpendToRemoteConfirmed(signer Signer, signDesc *SignDescriptor,
	sweepTx *wire.MsgTx) (wire.TxWitness, error)

CommitSpendToRemoteConfirmed constructs a valid witness allowing a node to spend their settled output on the counterparty's commitment transaction when it has one confirmetion. This is used for the anchor channel type. The spending key will always be non-tweaked for this output type.

func ComputeCommitmentPoint ¶

func ComputeCommitmentPoint(commitSecret []byte) *btcec.PublicKey

ComputeCommitmentPoint generates a commitment point given a commitment secret. The commitment point for each state is used to randomize each key in the key-ring and also to used as a tweak to derive new public+private keys for the state.

func DeriveRevocationPrivKey ¶

func DeriveRevocationPrivKey(revokeBasePriv *btcec.PrivateKey,
	commitSecret *btcec.PrivateKey) *btcec.PrivateKey

DeriveRevocationPrivKey derives the revocation private key given a node's commitment private key, and the preimage to a previously seen revocation hash. Using this derived private key, a node is able to claim the output within the commitment transaction of a node in the case that they broadcast a previously revoked commitment transaction.

The private key is derived as follows:

revokePriv := (revokeBasePriv * sha256(revocationBase || commitPoint)) +
              (commitSecret * sha256(commitPoint || revocationBase)) mod N

Where N is the order of the sub-group.

func DeriveRevocationPubkey ¶

func DeriveRevocationPubkey(revokeBase,
	commitPoint *btcec.PublicKey) *btcec.PublicKey

DeriveRevocationPubkey derives the revocation public key given the counterparty's commitment key, and revocation preimage derived via a pseudo-random-function. In the event that we (for some reason) broadcast a revoked commitment transaction, then if the other party knows the revocation preimage, then they'll be able to derive the corresponding private key to this private key by exploiting the homomorphism in the elliptic curve group:

• https://en.wikipedia.org/wiki/Group_homomorphism#Homomorphisms_of_abelian_groups

The derivation is performed as follows:

revokeKey := revokeBase * sha256(revocationBase || commitPoint) +
             commitPoint * sha256(commitPoint || revocationBase)

          := G*(revokeBasePriv * sha256(revocationBase || commitPoint)) +
             G*(commitSecret * sha256(commitPoint || revocationBase))

          := G*(revokeBasePriv * sha256(revocationBase || commitPoint) +
                commitSecret * sha256(commitPoint || revocationBase))

Therefore, once we divulge the revocation secret, the remote peer is able to compute the proper private key for the revokeKey by computing:

revokePriv := (revokeBasePriv * sha256(revocationBase || commitPoint)) +
              (commitSecret * sha256(commitPoint || revocationBase)) mod N

Where N is the order of the sub-group.

func DeserializePartialSignature ¶

func DeserializePartialSignature(scalarBytes []byte) (*musig2.PartialSignature,
	error)

DeserializePartialSignature decodes a partial signature from a byte slice.

func EstimateCommitTxWeight ¶

func EstimateCommitTxWeight(count int, prediction bool) int64

EstimateCommitTxWeight estimate commitment transaction weight depending on the precalculated weight of base transaction, witness data, which is needed for paying for funding tx, and htlc weight multiplied by their count.

func FindScriptOutputIndex ¶

func FindScriptOutputIndex(tx *wire.MsgTx, script []byte) (bool, uint32)

FindScriptOutputIndex finds the index of the public key script output matching 'script'. Additionally, a boolean is returned indicating if a matching output was found at all.

NOTE: The search stops after the first matching script is found.

func GenFundingPkScript ¶

func GenFundingPkScript(aPub, bPub []byte, amt int64) ([]byte, *wire.TxOut, error)

GenFundingPkScript creates a redeem script, and its matching p2wsh output for the funding transaction.

func GenMultiSigScript ¶

func GenMultiSigScript(aPub, bPub []byte) ([]byte, error)

GenMultiSigScript generates the non-p2sh'd multisig script for 2 of 2 pubkeys.

func GenTaprootFundingScript ¶

func GenTaprootFundingScript(aPub, bPub *btcec.PublicKey,
	amt int64) ([]byte, *wire.TxOut, error)

GenTaprootFundingScript constructs the taproot-native funding output that uses musig2 to create a single aggregated key to anchor the channel.

func GenerateP2PKH ¶

func GenerateP2PKH(pubkey []byte) ([]byte, error)

GenerateP2PKH generates a pay-to-public-key-hash public key script paying to the passed serialized public key.

func GenerateP2SH ¶

func GenerateP2SH(script []byte) ([]byte, error)

GenerateP2SH generates a pay-to-script-hash public key script paying to the passed redeem script.

func GenerateUnknownWitness ¶

func GenerateUnknownWitness() ([]byte, error)

GenerateUnknownWitness generates the maximum-sized witness public key script consisting of a version push and a 40-byte data push.

func HtlcSecondLevelSpend ¶

func HtlcSecondLevelSpend(signer Signer, signDesc *SignDescriptor,
	sweepTx *wire.MsgTx) (wire.TxWitness, error)

HtlcSecondLevelSpend exposes the public witness generation function for spending an HTLC success transaction, either due to an expiring time lock or having had the payment preimage. This method is able to spend any second-level HTLC transaction, assuming the caller sets the locktime or seqno properly.

NOTE: The caller MUST set the txn version, sequence number, and sign descriptor's sig hash cache before invocation.

func HtlcSpendRevoke ¶

func HtlcSpendRevoke(signer Signer, signDesc *SignDescriptor,
	revokeTx *wire.MsgTx) (wire.TxWitness, error)

HtlcSpendRevoke spends a second-level HTLC output. This function is to be used by the sender or receiver of an HTLC to claim the HTLC after a revoked commitment transaction was broadcast.

func HtlcSpendSuccess ¶

func HtlcSpendSuccess(signer Signer, signDesc *SignDescriptor,
	sweepTx *wire.MsgTx, csvDelay uint32) (wire.TxWitness, error)

HtlcSpendSuccess spends a second-level HTLC output. This function is to be used by the sender of an HTLC to claim the output after a relative timeout or the receiver of the HTLC to claim on-chain with the pre-image.

func IsHtlcSpendRevoke ¶

func IsHtlcSpendRevoke(txIn *wire.TxIn, signDesc *SignDescriptor) (
	bool, error)

IsHtlcSpendRevoke is used to determine if the passed spend is spending a HTLC output using the revocation key.

func LeaseCommitScriptToRemoteConfirmed ¶

func LeaseCommitScriptToRemoteConfirmed(key *btcec.PublicKey,
	leaseExpiry uint32) ([]byte, error)

LeaseCommitScriptToRemoteConfirmed constructs the script for the output on the commitment transaction paying to the remote party of said commitment transaction. The money can only be spend after one confirmation.

Possible Input Scripts:

SWEEP: <sig>

Output Script:

	<key> OP_CHECKSIGVERIFY
     <lease maturity in blocks> OP_CHECKLOCKTIMEVERIFY OP_DROP
	1 OP_CHECKSEQUENCEVERIFY

func LeaseCommitScriptToSelf ¶

func LeaseCommitScriptToSelf(selfKey, revokeKey *btcec.PublicKey,
	csvTimeout, leaseExpiry uint32) ([]byte, error)

LeaseCommitScriptToSelf constructs the public key script for the output on the commitment transaction paying to the "owner" of said commitment transaction. If the other party learns of the preimage to the revocation hash, then they can claim all the settled funds in the channel, plus the unsettled funds.

Possible Input Scripts:

REVOKE:     <sig> 1
SENDRSWEEP: <sig> <emptyvector>

Output Script:

OP_IF
    <revokeKey>
OP_ELSE
    <absoluteLeaseExpiry> OP_CHECKLOCKTIMEVERIFY OP_DROP
    <numRelativeBlocks> OP_CHECKSEQUENCEVERIFY OP_DROP
    <timeKey>
OP_ENDIF
OP_CHECKSIG

func LeaseSecondLevelHtlcScript ¶

func LeaseSecondLevelHtlcScript(revocationKey, delayKey *btcec.PublicKey,
	csvDelay, cltvExpiry uint32) ([]byte, error)

LeaseSecondLevelHtlcScript is the uniform script that's used as the output for the second-level HTLC transactions. The second level transaction acts as a sort of covenant, ensuring that a 2-of-2 multi-sig output can only be spent in a particular way, and to a particular output.

Possible Input Scripts:

• To revoke an HTLC output that has been transitioned to the claim+delay state: <revoke sig> 1

• To claim an HTLC output, either with a pre-image or due to a timeout: <delay sig> 0

Output Script:

 OP_IF
	<revoke key>
 OP_ELSE
	<lease maturity in blocks>
	OP_CHECKLOCKTIMEVERIFY
	OP_DROP
	<delay in blocks>
	OP_CHECKSEQUENCEVERIFY
	OP_DROP
	<delay key>
 OP_ENDIF
 OP_CHECKSIG.

func LockTimeToSequence ¶

func LockTimeToSequence(isSeconds bool, locktime uint32) uint32

LockTimeToSequence converts the passed relative locktime to a sequence number in accordance to BIP-68. See: https://github.com/bitcoin/bips/blob/master/bip-0068.mediawiki

• (Compatibility)

func MakeTaprootCtrlBlock ¶

func MakeTaprootCtrlBlock(leafScript []byte, internalKey *btcec.PublicKey,
	scriptTree *txscript.IndexedTapScriptTree) txscript.ControlBlock

MakeTaprootSCtrlBlock takes a leaf script, the internal key (usually the revoke key), and a script tree and creates a valid control block for a spend of the leaf.

func MuSig2CombineKeys ¶

func MuSig2CombineKeys(bipVersion MuSig2Version,
	allSignerPubKeys []*btcec.PublicKey, sortKeys bool,
	tweaks *MuSig2Tweaks) (*musig2.AggregateKey, error)

MuSig2CombineKeys combines the given set of public keys into a single combined MuSig2 combined public key, applying the given tweaks.

func MuSig2CombineSig ¶

func MuSig2CombineSig(session MuSig2Session,
	otherPartialSig *musig2.PartialSignature) (bool, error)

MuSig2CombineSig calls the CombineSig() method on the given versioned signing session and returns the result in the most recent version of the MuSig2 API.

func MuSig2CreateContext ¶

func MuSig2CreateContext(bipVersion MuSig2Version, privKey *btcec.PrivateKey,
	allSignerPubKeys []*btcec.PublicKey, tweaks *MuSig2Tweaks,
	localNonces *musig2.Nonces,
) (MuSig2Context, MuSig2Session, error)

MuSig2CreateContext creates a new MuSig2 signing context.

func MuSig2ParsePubKeys ¶

func MuSig2ParsePubKeys(bipVersion MuSig2Version,
	rawPubKeys [][]byte) ([]*btcec.PublicKey, error)

MuSig2ParsePubKeys parses a list of raw public keys as the signing keys of a MuSig2 signing session.

func MuSig2Sign ¶

func MuSig2Sign(session MuSig2Session, msg [32]byte,
	withSortedKeys bool) (*musig2.PartialSignature, error)

MuSig2Sign calls the Sign() method on the given versioned signing session and returns the result in the most recent version of the MuSig2 API.

func MultiPrevOutFetcher ¶

func MultiPrevOutFetcher(inputs []Input) (*txscript.MultiPrevOutFetcher, error)

MultiPrevOutFetcher returns a txscript.MultiPrevOutFetcher for the given set of inputs.

func NewTxSigHashesV0Only ¶

func NewTxSigHashesV0Only(tx *wire.MsgTx) *txscript.TxSigHashes

NewTxSigHashesV0Only returns a new txscript.TxSigHashes instance that will only calculate the sighash midstate values for segwit v0 inputs and can therefore never be used for transactions that want to spend segwit v1 (taproot) inputs.

func PayToTaprootScript ¶

func PayToTaprootScript(taprootKey *btcec.PublicKey) ([]byte, error)

PayToTaprootScript creates a new script to pay to a version 1 (taproot) witness program. The passed public key will be serialized as an x-only key to create the witness program.

func ReadSignDescriptor ¶

func ReadSignDescriptor(r io.Reader, sd *SignDescriptor) error

ReadSignDescriptor deserializes a SignDescriptor struct from the passed io.Reader stream.

func ReceiverHTLCScript ¶

func ReceiverHTLCScript(cltvExpiry uint32, senderHtlcKey,
	receiverHtlcKey, revocationKey *btcec.PublicKey,
	paymentHash []byte, confirmedSpend bool) ([]byte, error)

ReceiverHTLCScript constructs the public key script for an incoming HTLC output payment for the receiver's version of the commitment transaction. The possible execution paths from this script include:

• The receiver of the HTLC uses its second level HTLC transaction to advance the state of the HTLC into the delay+claim state.
• The sender of the HTLC sweeps all the funds of the HTLC as a breached commitment was broadcast.
• The sender of the HTLC sweeps the HTLC on-chain after the timeout period of the HTLC has passed.

If confirmedSpend=true, a 1 OP_CSV check will be added to the non-revocation cases, to allow sweeping only after confirmation.

Possible Input Scripts:

RECVR: <0> <sender sig> <recvr sig> <preimage> (spend using HTLC success transaction)
REVOK: <sig> <key>
SENDR: <sig> 0

Received HTLC Output Script:

 OP_DUP OP_HASH160 <revocation key hash160> OP_EQUAL
 OP_IF
 	OP_CHECKSIG
 OP_ELSE
	<sendr htlc key>
	OP_SWAP OP_SIZE 32 OP_EQUAL
	OP_IF
	    OP_HASH160 <ripemd160(payment hash)> OP_EQUALVERIFY
	    2 OP_SWAP <recvr htlc key> 2 OP_CHECKMULTISIG
	OP_ELSE
	    OP_DROP <cltv expiry> OP_CHECKLOCKTIMEVERIFY OP_DROP
	    OP_CHECKSIG
	OP_ENDIF
	[1 OP_CHECKSEQUENCEVERIFY OP_DROP] <- if allowing confirmed
	spend only.
 OP_ENDIF

func ReceiverHTLCScriptTaprootRedeem ¶

func ReceiverHTLCScriptTaprootRedeem(senderSig Signature,
	senderSigHash txscript.SigHashType, paymentPreimage []byte,
	signer Signer, signDesc *SignDescriptor,
	htlcSuccessTx *wire.MsgTx, revokeKey *btcec.PublicKey,
	tapscriptTree *txscript.IndexedTapScriptTree) (wire.TxWitness, error)

ReceiverHTLCScriptTaprootRedeem creates a valid witness needed to redeem a receiver taproot HTLC with the pre-image. The returned witness is valid and includes the control block required to spend the output.

func ReceiverHTLCScriptTaprootRevoke ¶

func ReceiverHTLCScriptTaprootRevoke(signer Signer, signDesc *SignDescriptor,
	sweepTx *wire.MsgTx) (wire.TxWitness, error)

ReceiverHTLCScriptTaprootRevoke creates a valid witness needed to spend the revocation path of the HTLC from the PoV of the sender (offerer) of the HTLC. This uses a plain keyspend using the specified revocation key.

func ReceiverHTLCScriptTaprootTimeout ¶

func ReceiverHTLCScriptTaprootTimeout(signer Signer, signDesc *SignDescriptor,
	sweepTx *wire.MsgTx, cltvExpiry int32, revokeKey *btcec.PublicKey,
	tapscriptTree *txscript.IndexedTapScriptTree) (wire.TxWitness, error)

ReceiverHTLCScriptTaprootTimeout creates a valid witness needed to timeout an HTLC on the receiver's commitment transaction after the timeout has elapsed.

func ReceiverHtlcSpendRedeem ¶

func ReceiverHtlcSpendRedeem(senderSig Signature,
	senderSigHash txscript.SigHashType, paymentPreimage []byte,
	signer Signer, signDesc *SignDescriptor, htlcSuccessTx *wire.MsgTx) (
	wire.TxWitness, error)

ReceiverHtlcSpendRedeem constructs a valid witness allowing the receiver of an HTLC to redeem the conditional payment in the event that their commitment transaction is broadcast. This clause transitions the state of the HLTC output into the delay+claim state by activating the off-chain covenant bound by the 2-of-2 multi-sig output. The HTLC success timeout transaction being signed has a relative timelock delay enforced by its sequence number. This delay give the sender of the HTLC enough time to revoke the output if this is a breach commitment transaction.

func ReceiverHtlcSpendRevoke ¶

func ReceiverHtlcSpendRevoke(signer Signer, signDesc *SignDescriptor,
	sweepTx *wire.MsgTx) (wire.TxWitness, error)

ReceiverHtlcSpendRevoke constructs a valid witness allowing the sender of an HTLC within a previously revoked commitment transaction to re-claim the pending funds in the case that the receiver broadcasts this revoked commitment transaction. This method first derives the appropriate revocation key, and requires that the provided SignDescriptor has a local revocation basepoint and commitment secret in the PubKey and DoubleTweak fields, respectively.

func ReceiverHtlcSpendRevokeWithKey ¶

func ReceiverHtlcSpendRevokeWithKey(signer Signer, signDesc *SignDescriptor,
	revokeKey *btcec.PublicKey, sweepTx *wire.MsgTx) (wire.TxWitness, error)

ReceiverHtlcSpendRevokeWithKey constructs a valid witness allowing the sender of an HTLC within a previously revoked commitment transaction to re-claim the pending funds in the case that the receiver broadcasts this revoked commitment transaction.

func ReceiverHtlcSpendTimeout ¶

func ReceiverHtlcSpendTimeout(signer Signer, signDesc *SignDescriptor,
	sweepTx *wire.MsgTx, cltvExpiry int32) (wire.TxWitness, error)

ReceiverHtlcSpendTimeout constructs a valid witness allowing the sender of an HTLC to recover the pending funds after an absolute timeout in the scenario that the receiver of the HTLC broadcasts their version of the commitment transaction. If the caller has already set the lock time on the spending transaction, than a value of -1 can be passed for the cltvExpiry value.

NOTE: The target input of the passed transaction MUST NOT have a final sequence number. Otherwise, the OP_CHECKLOCKTIMEVERIFY check will fail.

func ReceiverHtlcTapLeafSuccess ¶

func ReceiverHtlcTapLeafSuccess(receiverHtlcKey *btcec.PublicKey,
	senderHtlcKey *btcec.PublicKey,
	paymentHash []byte) (txscript.TapLeaf, error)

ReceiverHtlcTapLeafSuccess returns the full tapscript leaf for the success path for an HTLC on the receiver's commitment transaction. This script allows the receiver to redeem an HTLC with knowledge of the preimage:

OP_SIZE 32 OP_EQUALVERIFY OP_HASH160
<RIPEMD160(payment_hash)> OP_EQUALVERIFY
<receiver_htlcpubkey> OP_CHECKSIGVERIFY
<sender_htlcpubkey> OP_CHECKSIG

func ReceiverHtlcTapLeafTimeout ¶

func ReceiverHtlcTapLeafTimeout(senderHtlcKey *btcec.PublicKey,
	cltvExpiry uint32) (txscript.TapLeaf, error)

ReceiverHtlcTapLeafTimeout returns the full tapscript leaf for the timeout path of the sender HTLC. This is a small script that allows the sender timeout the HTLC after expiry:

<sender_htlcpubkey> OP_CHECKSIG
1 OP_CHECKSEQUENCEVERIFY OP_DROP
<cltv_expiry> OP_CHECKLOCKTIMEVERIFY OP_DROP

func Ripemd160H ¶

func Ripemd160H(d []byte) []byte

Ripemd160H calculates the ripemd160 of the passed byte slice. This is used to calculate the intermediate hash for payment pre-images. Payment hashes are the result of ripemd160(sha256(paymentPreimage)). As a result, the value passed in should be the sha256 of the payment hash.

func SecondLevelHtlcScript ¶

func SecondLevelHtlcScript(revocationKey, delayKey *btcec.PublicKey,
	csvDelay uint32) ([]byte, error)

SecondLevelHtlcScript is the uniform script that's used as the output for the second-level HTLC transactions. The second level transaction act as a sort of covenant, ensuring that a 2-of-2 multi-sig output can only be spent in a particular way, and to a particular output.

Possible Input Scripts:

• To revoke an HTLC output that has been transitioned to the claim+delay state: <revoke sig> 1

• To claim and HTLC output, either with a pre-image or due to a timeout: <delay sig> 0

Output Script:

 OP_IF
	<revoke key>
 OP_ELSE
	<delay in blocks>
	OP_CHECKSEQUENCEVERIFY
	OP_DROP
	<delay key>
 OP_ENDIF
 OP_CHECKSIG

TODO(roasbeef): possible renames for second-level

• transition?
• covenant output

func SecondLevelHtlcTapscriptTree ¶

func SecondLevelHtlcTapscriptTree(delayKey *btcec.PublicKey,
	csvDelay uint32) (*txscript.IndexedTapScriptTree, error)

SecondLevelHtlcTapscriptTree construct the indexed tapscript tree needed to generate the taptweak to create the final output and also control block.

func SenderHTLCScript ¶

func SenderHTLCScript(senderHtlcKey, receiverHtlcKey,
	revocationKey *btcec.PublicKey, paymentHash []byte,
	confirmedSpend bool) ([]byte, error)

SenderHTLCScript constructs the public key script for an outgoing HTLC output payment for the sender's version of the commitment transaction. The possible script paths from this output include:

• The sender timing out the HTLC using the second level HTLC timeout transaction.
• The receiver of the HTLC claiming the output on-chain with the payment preimage.
• The receiver of the HTLC sweeping all the funds in the case that a revoked commitment transaction bearing this HTLC was broadcast.

If confirmedSpend=true, a 1 OP_CSV check will be added to the non-revocation cases, to allow sweeping only after confirmation.

Possible Input Scripts:

SENDR: <0> <sendr sig>  <recvr sig> <0> (spend using HTLC timeout transaction)
RECVR: <recvr sig>  <preimage>
REVOK: <revoke sig> <revoke key>
 * receiver revoke

Offered HTLC Output Script:

 OP_DUP OP_HASH160 <revocation key hash160> OP_EQUAL
 OP_IF
	OP_CHECKSIG
 OP_ELSE
	<recv htlc key>
	OP_SWAP OP_SIZE 32 OP_EQUAL
	OP_NOTIF
	    OP_DROP 2 OP_SWAP <sender htlc key> 2 OP_CHECKMULTISIG
	OP_ELSE
	    OP_HASH160 <ripemd160(payment hash)> OP_EQUALVERIFY
	    OP_CHECKSIG
	OP_ENDIF
	[1 OP_CHECKSEQUENCEVERIFY OP_DROP] <- if allowing confirmed
	spend only.
 OP_ENDIF

func SenderHTLCScriptTaprootRedeem ¶

func SenderHTLCScriptTaprootRedeem(signer Signer, signDesc *SignDescriptor,
	sweepTx *wire.MsgTx, preimage []byte, revokeKey *btcec.PublicKey,
	tapscriptTree *txscript.IndexedTapScriptTree) (wire.TxWitness, error)

SenderHTLCScriptTaprootRedeem creates a valid witness needed to redeem a sender taproot HTLC with the pre-image. The returned witness is valid and includes the control block required to spend the output. This is the offered HTLC claimed by the remote party.

func SenderHTLCScriptTaprootRevoke ¶

func SenderHTLCScriptTaprootRevoke(signer Signer, signDesc *SignDescriptor,
	sweepTx *wire.MsgTx) (wire.TxWitness, error)

SenderHTLCScriptTaprootRevoke creates a valid witness needed to spend the revocation path of the HTLC. This uses a plain keyspend using the specified revocation key.

func SenderHTLCScriptTaprootTimeout ¶

func SenderHTLCScriptTaprootTimeout(receiverSig Signature,
	receiverSigHash txscript.SigHashType, signer Signer,
	signDesc *SignDescriptor, htlcTimeoutTx *wire.MsgTx,
	revokeKey *btcec.PublicKey,
	tapscriptTree *txscript.IndexedTapScriptTree) (wire.TxWitness, error)

SenderHTLCScriptTaprootTimeout creates a valid witness needed to timeout an HTLC on the sender's commitment transaction. The returned witness is valid and includes the control block required to spend the output. This is a timeout of the offered HTLC by the sender.

func SenderHTLCTapLeafSuccess ¶

func SenderHTLCTapLeafSuccess(receiverHtlcKey *btcec.PublicKey,
	paymentHash []byte) (txscript.TapLeaf, error)

SenderHTLCTapLeafSuccess returns the full tapscript leaf for the success path of the sender HTLC. This is a small script that allows the receiver to redeem the HTLC with a pre-image:

OP_SIZE 32 OP_EQUALVERIFY OP_HASH160
<RIPEMD160(payment_hash)> OP_EQUALVERIFY
<remote_htlcpubkey> OP_CHECKSIG
1 OP_CHECKSEQUENCEVERIFY OP_DROP

func SenderHTLCTapLeafTimeout ¶

func SenderHTLCTapLeafTimeout(senderHtlcKey,
	receiverHtlcKey *btcec.PublicKey) (txscript.TapLeaf, error)

SenderHTLCTapLeafTimeout returns the full tapscript leaf for the timeout path of the sender HTLC. This is a small script that allows the sender to timeout the HTLC after a period of time:

<local_key> OP_CHECKSIGVERIFY
<remote_key> OP_CHECKSIG

func SenderHtlcSpendRedeem ¶

func SenderHtlcSpendRedeem(signer Signer, signDesc *SignDescriptor,
	sweepTx *wire.MsgTx, paymentPreimage []byte) (wire.TxWitness, error)

SenderHtlcSpendRedeem constructs a valid witness allowing the receiver of an HTLC to redeem the pending output in the scenario that the sender broadcasts their version of the commitment transaction. A valid spend requires knowledge of the payment preimage, and a valid signature under the receivers public key.

func SenderHtlcSpendRevoke ¶

func SenderHtlcSpendRevoke(signer Signer, signDesc *SignDescriptor,
	sweepTx *wire.MsgTx) (wire.TxWitness, error)

SenderHtlcSpendRevoke constructs a valid witness allowing the receiver of an HTLC to claim the output with knowledge of the revocation private key in the scenario that the sender of the HTLC broadcasts a previously revoked commitment transaction. This method first derives the appropriate revocation key, and requires that the provided SignDescriptor has a local revocation basepoint and commitment secret in the PubKey and DoubleTweak fields, respectively.

func SenderHtlcSpendRevokeWithKey ¶

func SenderHtlcSpendRevokeWithKey(signer Signer, signDesc *SignDescriptor,
	revokeKey *btcec.PublicKey, sweepTx *wire.MsgTx) (wire.TxWitness, error)

SenderHtlcSpendRevokeWithKey constructs a valid witness allowing the receiver of an HTLC to claim the output with knowledge of the revocation private key in the scenario that the sender of the HTLC broadcasts a previously revoked commitment transaction. A valid spend requires knowledge of the private key that corresponds to their revocation base point and also the private key from the per commitment point, and a valid signature under the combined public key.

func SenderHtlcSpendTimeout ¶

func SenderHtlcSpendTimeout(receiverSig Signature,
	receiverSigHash txscript.SigHashType, signer Signer,
	signDesc *SignDescriptor, htlcTimeoutTx *wire.MsgTx) (
	wire.TxWitness, error)

SenderHtlcSpendTimeout constructs a valid witness allowing the sender of an HTLC to activate the time locked covenant clause of a soon to be expired HTLC. This script simply spends the multi-sig output using the pre-generated HTLC timeout transaction.

func SerializePartialSignature ¶

func SerializePartialSignature(
	sig *musig2.PartialSignature) ([MuSig2PartialSigSize]byte, error)

SerializePartialSignature encodes the partial signature to a fixed size byte array.

func SingleTweakBytes ¶

func SingleTweakBytes(commitPoint, basePoint *btcec.PublicKey) []byte

SingleTweakBytes computes set of bytes we call the single tweak. The purpose of the single tweak is to randomize all regular delay and payment base points. To do this, we generate a hash that binds the commitment point to the pay/delay base point. The end end results is that the basePoint is tweaked as follows:

• key = basePoint + sha256(commitPoint || basePoint)*G

func SpendMultiSig ¶

func SpendMultiSig(witnessScript, pubA []byte, sigA Signature,
	pubB []byte, sigB Signature) [][]byte

SpendMultiSig generates the witness stack required to redeem the 2-of-2 p2wsh multi-sig output.

func TaprootAnchorSpend ¶

func TaprootAnchorSpend(signer Signer, signDesc *SignDescriptor,
	sweepTx *wire.MsgTx) (wire.TxWitness, error)

TaprootAnchorSpend constructs a valid witness allowing a node to sweep their anchor output.

func TaprootAnchorSpendAny ¶

func TaprootAnchorSpendAny(anchorKey *btcec.PublicKey) (wire.TxWitness, error)

TaprootAnchorSpendAny constructs a valid witness allowing anyone to sweep the anchor output after 16 blocks.

func TaprootCommitRemoteSpend ¶

func TaprootCommitRemoteSpend(signer Signer, signDesc *SignDescriptor,
	sweepTx *wire.MsgTx,
	scriptTree *txscript.IndexedTapScriptTree) (wire.TxWitness, error)

TaprootCommitRemoteSpend allows the remote party to sweep their output into their wallet after an enforced 1 block delay.

func TaprootCommitScriptToRemote ¶

func TaprootCommitScriptToRemote(remoteKey *btcec.PublicKey,
) (*btcec.PublicKey, error)

TaprootCommitScriptToRemote constructs a taproot witness program for the output on the commitment transaction for the remote party. For the top level key spend, we'll use a NUMs key to ensure that only the script path can be taken. Using a set NUMs key here also means that recovery solutions can scan the chain given knowledge of the public key for the remote party. We then commit to a single tapscript leaf that holds the normal CSV 1 delay script.

Our single tapleaf will use the following script:

<remotepubkey> OP_CHECKSIG
1 OP_CHECKSEQUENCEVERIFY OP_DROP

func TaprootCommitScriptToSelf ¶

func TaprootCommitScriptToSelf(csvTimeout uint32,
	selfKey, revokeKey *btcec.PublicKey) (*btcec.PublicKey, error)

TaprootCommitScriptToSelf creates the taproot witness program that commits to the revocation (script path) and delay path (script path) in a single taproot output key. Both the delay script and the revocation script are part of the tapscript tree to ensure that the internal key (the local delay key) is always revealed. This ensures that a 3rd party can always sweep the set of anchor outputs.

For the delay path we have the following tapscript leaf script:

<local_delayedpubkey> OP_CHECKSIG
<to_self_delay> OP_CHECKSEQUENCEVERIFY OP_DROP

This can then be spent with just:

<local_delayedsig> <to_delay_script> <delay_control_block>

Where the to_delay_script is listed above, and the delay_control_block computed as:

delay_control_block = (output_key_y_parity | 0xc0) || taproot_nums_key

The revocation path is simply:

<local_delayedpubkey> OP_DROP
<revocationkey> OP_CHECKSIG

The revocation path can be spent with a control block similar to the above (but contains the hash of the other script), and with the following witness:

<revocation_sig>

We use a noop data push to ensure that the local public key is also revealed on chain, which enables the anchor output to be swept.

func TaprootCommitSpendRevoke ¶

func TaprootCommitSpendRevoke(signer Signer, signDesc *SignDescriptor,
	revokeTx *wire.MsgTx,
	scriptTree *txscript.IndexedTapScriptTree) (wire.TxWitness, error)

TaprootCommitSpendRevoke constructs a valid witness allowing a node to sweep the revoked taproot output of a malicious peer.

func TaprootCommitSpendSuccess ¶

func TaprootCommitSpendSuccess(signer Signer, signDesc *SignDescriptor,
	sweepTx *wire.MsgTx,
	scriptTree *txscript.IndexedTapScriptTree) (wire.TxWitness, error)

TaprootCommitSpendSuccess constructs a valid witness allowing a node to sweep the settled taproot output after the delay has passed for a force close.

func TaprootHtlcSpendRevoke ¶

func TaprootHtlcSpendRevoke(signer Signer, signDesc *SignDescriptor,
	revokeTx *wire.MsgTx) (wire.TxWitness, error)

TaprootHtlcSpendRevoke spends a second-level HTLC output via the revocation path. This uses the top level keyspend path to redeem the contested output.

The passed SignDescriptor MUST have the proper witness script and also the proper top-level tweak derived from the tapscript tree for the second level output.

func TaprootHtlcSpendSuccess ¶

func TaprootHtlcSpendSuccess(signer Signer, signDesc *SignDescriptor,
	sweepTx *wire.MsgTx, revokeKey *btcec.PublicKey,
	tapscriptTree *txscript.IndexedTapScriptTree) (wire.TxWitness, error)

TaprootHtlcSpendSuccess spends a second-level HTLC output via the redemption path. This should be used to sweep funds after the pre-image is known.

NOTE: The caller MUST set the txn version, sequence number, and sign descriptor's sig hash cache before invocation.

func TaprootOutputKeyAnchor ¶

func TaprootOutputKeyAnchor(key *btcec.PublicKey) (*btcec.PublicKey, error)

TaprootOutputKeyAnchor returns the segwit v1 (taproot) witness program that encodes the anchor output spending conditions: the passed key can be used for keyspend, with the OP_CSV 16 clause living within an internal tapscript leaf.

Spend paths:

• Key spend: <key_signature>
• Script spend: OP_16 CSV <control_block>

func TaprootSecondLevelHtlcScript ¶

func TaprootSecondLevelHtlcScript(revokeKey, delayKey *btcec.PublicKey,
	csvDelay uint32) (*btcec.PublicKey, error)

TaprootSecondLevelHtlcScript is the uniform script that's used as the output for the second-level HTLC transaction. The second level transaction acts as an off-chain 2-of-2 covenant that can only be spent a particular way and to a particular output.

Possible Input Scripts:

• revocation sig
• <local_delay_sig>

The script main script lets the broadcaster spend after a delay the script path:

<local_delay_key> OP_CHECKSIG
<to_self_delay> OP_CHECKSEQUENCEVERIFY OP_DROP

The keyspend path require knowledge of the top level revocation private key.

func TaprootSecondLevelTapLeaf ¶

func TaprootSecondLevelTapLeaf(delayKey *btcec.PublicKey,
	csvDelay uint32) (txscript.TapLeaf, error)

TaprootSecondLevelTapLeaf constructs the tap leaf used as the sole script path for a second level HTLC spend.

The final script used is:

<local_delay_key> OP_CHECKSIG
<to_self_delay> OP_CHECKSEQUENCEVERIFY OP_DROP

func TapscriptFullKeyOnly ¶

func TapscriptFullKeyOnly(taprootKey *btcec.PublicKey) *waddrmgr.Tapscript

TapscriptFullKeyOnly creates a waddrmgr.Tapscript for the given full Taproot key.

func TapscriptFullTree ¶

func TapscriptFullTree(internalKey *btcec.PublicKey,
	allTreeLeaves ...txscript.TapLeaf) *waddrmgr.Tapscript

TapscriptFullTree creates a waddrmgr.Tapscript for the given internal key and tree leaves.

func TapscriptPartialReveal ¶

func TapscriptPartialReveal(internalKey *btcec.PublicKey,
	revealedLeaf txscript.TapLeaf,
	inclusionProof []byte) *waddrmgr.Tapscript

TapscriptPartialReveal creates a waddrmgr.Tapscript for the given internal key and revealed script.

func TapscriptRootHashOnly ¶

func TapscriptRootHashOnly(internalKey *btcec.PublicKey,
	rootHash []byte) *waddrmgr.Tapscript

TapscriptRootHashOnly creates a waddrmgr.Tapscript for the given internal key and root hash.

func TweakPrivKey ¶

func TweakPrivKey(basePriv *btcec.PrivateKey,
	commitTweak []byte) *btcec.PrivateKey

TweakPrivKey tweaks the private key of a public base point given a per commitment point. The per commitment secret is the revealed revocation secret for the commitment state in question. This private key will only need to be generated in the case that a channel counter party broadcasts a revoked state. Precisely, the following operation is used to derive a tweaked private key:

• tweakPriv := basePriv + sha256(commitment || basePub) mod N

Where N is the order of the sub-group.

func TweakPubKey ¶

func TweakPubKey(basePoint, commitPoint *btcec.PublicKey) *btcec.PublicKey

TweakPubKey tweaks a public base point given a per commitment point. The per commitment point is a unique point on our target curve for each commitment transaction. When tweaking a local base point for use in a remote commitment transaction, the remote party's current per commitment point is to be used. The opposite applies for when tweaking remote keys. Precisely, the following operation is used to "tweak" public keys:

tweakPub := basePoint + sha256(commitPoint || basePoint) * G
         := G*k + sha256(commitPoint || basePoint)*G
         := G*(k + sha256(commitPoint || basePoint))

Therefore, if a party possess the value k, the private key of the base point, then they are able to derive the proper private key for the revokeKey by computing:

revokePriv := k + sha256(commitPoint || basePoint) mod N

Where N is the order of the sub-group.

The rationale for tweaking all public keys used within the commitment contracts is to ensure that all keys are properly delinearized to avoid any funny business when jointly collaborating to compute public and private keys. Additionally, the use of the per commitment point ensures that each commitment state houses a unique set of keys which is useful when creating blinded channel outsourcing protocols.

TODO(roasbeef): should be using double-scalar mult here

func TweakPubKeyWithTweak ¶

func TweakPubKeyWithTweak(pubKey *btcec.PublicKey,
	tweakBytes []byte) *btcec.PublicKey

TweakPubKeyWithTweak is the exact same as the TweakPubKey function, however it accepts the raw tweak bytes directly rather than the commitment point.

func WitnessPubKeyHash ¶

func WitnessPubKeyHash(pubkey []byte) ([]byte, error)

WitnessPubKeyHash generates a pay-to-witness-pubkey-hash public key script paying to a version 0 witness program containing the passed serialized public key.

func WitnessScriptHash ¶

func WitnessScriptHash(witnessScript []byte) ([]byte, error)

WitnessScriptHash generates a pay-to-witness-script-hash public key script paying to a version 0 witness program paying to the passed redeem script.

func WriteSignDescriptor ¶

func WriteSignDescriptor(w io.Writer, sd *SignDescriptor) error

WriteSignDescriptor serializes a SignDescriptor struct into the passed io.Writer stream.

NOTE: We assume the SigHashes and InputIndex fields haven't been assigned yet, since that is usually done just before broadcast by the witness generator.