# Exercise: Creating the Bob In-Flight HTLC Commitment Transaction

Now as exercise let's create the Bob In-Flight Commitment Transaction.

In [1]:
%run "../chapter 2 - initial commitment transaction/initial commitment transaction.ipynb"

2026-02-12T16:17:49.383000Z TestFramework (INFO): PRNG seed is: 7726572550668457713
2026-02-12T16:17:49.386000Z TestFramework (INFO): Initializing test directory /tmp/bitcoin_func_test_hsjl7qqg
ðŸŸ¢ New TestShell started. Block height: 0
Alice Per Commitment Seed 34b581ec20bf2c6cae3d4d4dcbfddc8a3727a1e9a57c55f3520e770607898c06
Bob Per Commitment Seed 89c994b3ddad4698acee71e42d8bcace48eea739caaba371eb110e77663ec56d
Alice Payment BasePoint:  025f892a06124391e2f38ce35d943cdc09f63e203330dbd9cb6113a903e0738458
Bob Payment BasePoint:  02f98efd3f2b2fbe7bd83c419f5f64f8280798b8a9175fdb77c0091bbb95c79506
To obscure commitment number 0xb433fd43a66f
Alice funding pubkey: ae0320072f127581965ba8e7394e5f75e5485fec6c6e128d1abd962fe2fb612b
Alice funding privkey: 3b804ae3428d35b6f9475eb38f8335030f73985bb89a4de2f5dbbe25f5845850
Alice funding address: bcrt1p4cpjqpe0zf6cr9jm4rnnjnjlwhj5shlvd3hp9rg6hktzlchmvy4sd3a7qs
Alice sweeper pubkey: b0e7283cee62f19bb9cd3530d4d35de905d02976b1b5aa937af184ec57f6cb02
Alic

## The Unsigned Transaction

### The Input

The input is the same.

### The Outputs

Bob transaction will have 4 outputs also:
* local anchor output
* remote anchor output
* accepted htlc output
* to remote output

#### The Accepted HTLC Output

    +------+---------------+
    | OP_1 |       Q       |
    +------+---------------+
                   ^
                   |   +-------------------+
                    ---| P(revocation) + T |
                       +-------------------+
                                         ^
                                         |
                                   +-----------+        
                                   | T = t * G |
                                   +-----------+        
                                         ^
                                         |
     +---+   +-------------------------------------------------------+
     | t | = | TaggedHash ("Taptweak", P(revocation) || script_root) |
     +---+   +-------------------------------------------------------+
                                                             ^
                                                             |
                                                          +-----+
                          ------------------------------> | hAB |<------------------
                         |                                +-----+                   |
                         |                                                          |
                         |                                                          |
                      +----+                                                     +----+
                      | hA |                                                     | hB |
                      +----+                                                     +----+
                         ^                                                          ^
                         |                                                          |
      +----------------------------------------------------+                        |
      | P(remote_htlc) OP_CHECKSIG OP_1 OP_CSV OP_DROP     |                        |
      |                                                    |                        |
      | cltv_expiry OP_CHECKLOCKTIMEVERIFY OP_DROP         |                        |
      +----------------------------------------------------+                        |
      +-------------------------------------------------------------------------------+ 
      | OP_SIZE 32 OP_EQUALVERIFY OP_HASH160 <RIPEMD160(payment_hash)> OP_EQUALVERIFY |
      |                                                                               |
      | P(local_htlc) OP_CHECKSIGVERIFY P(remote_htlc) OP_CHECKSIG                    |
      +-------------------------------------------------------------------------------+


In [2]:
# Create Alice per-commitment
alice_per_commitment = per_commitment(alice_per_commitment_seed, commitment_number)
# Create Bob per-commitment
bob_per_commitment = per_commitment(bob_per_commitment_seed, commitment_number)

# Create Alice Local Public Key which in this case is the P(remote) for Bob
# Use the method 'get_pubkey' from the basepoint opject (alice payment) and the alice per commitment point to derive the alice payment pubkey
alice_payment_pubkey = alice_payment.get_pubkey(alice_per_commitment.get_pub())
print(f"Alice Payment PubKey: {alice_payment_pubkey.get_bytes(bip340=True).hex()}")

# Create Bob Delayed Public Key
bob_delayed_pubkey = derivate_key(bob_node_seed, family=4, channel_index=0).get_pubkey(bob_per_commitment.get_pub())
print(f"Bob Delayed PubKey: {bob_delayed_pubkey.get_bytes(bip340=True).hex()}")

# Create Alice Revocation Public Key
alice_revocation_pubkey = derivate_revocation_key(alice_node_seed, channel_index=0).get_pubkey(alice_per_commitment.get_pub())
print(f"Alice Revocation PubKey: {alice_revocation_pubkey.get_bytes(bip340=True).hex()}")

# Create Alice HTLC Public Key
alice_htlc_pubkey = derivate_key(alice_node_seed, family=2, channel_index=0).get_pubkey(alice_per_commitment.get_pub())
print(f"Alice HTLC PubKey: {alice_htlc_pubkey.get_bytes(bip340=True).hex()}")

# Create Bob HTLC Public Key
bob_htlc_pubkey = derivate_key(bob_node_seed, family=2, channel_index=0).get_pubkey(bob_per_commitment.get_pub())
print(f"Bob HTLC PubKey: {bob_htlc_pubkey.get_bytes(bip340=True).hex()}")

# Outputs for Bob In-Flight Commitment Transaction
# 0x04 outputs
output_count = bytes.fromhex("04")

# ANCHOR OUTPUTS
# Anchor output amount (we use the same amount as before)

# OP_16 OP_CSV
script = CScript([OP_16, OP_CHECKSEQUENCEVERIFY])

# Method: ser_string(data) is a function which adds compactsize to input data.
hash_input = TAPSCRIPT_VER + ser_string(script)

# Anchor Output script_root
script_root = tagged_hash("TapBranch", hash_input)

# Alice Anchor Output Tagged Hash (remote anchor for Bob)
taptweak = tagged_hash("TapTweak", alice_payment_pubkey.get_bytes() + script_root)
alice_payment_pubkey_tweaked = alice_payment_pubkey.tweak_add(taptweak)
# scriptPubKey P2TR: OP_1 (0x51) + PUSH32 (0x20) + xonly(32B)
alice_anchor_spk = bytes.fromhex("51") + varint_len(alice_payment_pubkey_tweaked.get_bytes()) + alice_payment_pubkey_tweaked.get_bytes()

# Bob Anchor Output Tagged Hash (local anchor for Bob)
taptweak = tagged_hash("TapTweak", bob_delayed_pubkey.get_bytes() + script_root)
bob_delayed_pubkey_tweaked = bob_delayed_pubkey.tweak_add(taptweak)
# scriptPubKey P2TR: OP_1 (0x51) + PUSH32 (0x20) + xonly(32B)
bob_anchor_spk = bytes.fromhex("51") + varint_len(bob_delayed_pubkey_tweaked.get_bytes()) + bob_delayed_pubkey_tweaked.get_bytes()

# Sort by scriptPubKey (lexicographic order)
anchors = [
    (alice_anchor_spk, "alice_anchor"),
    (bob_anchor_spk,   "bob_anchor"),
]

anchors_sorted = sorted(anchors, key=lambda x: x[0])

# ACCEPTED HTLC OUTPUT
# HTLC output amount
htlc_output_value_satoshis = 500000
htlc_output_value = htlc_output_value_satoshis.to_bytes(8, byteorder="little", signed=False)

# Create the leaf scripts A and B
# script A: P(remote_htlc) OP_CHECKSIG OP_1 OP_CSV OP_DROP cltv_expiry OP_CHECKLOCKTIMEVERIFY OP_DROP
# Add cltv_delta (40 blocks) to current block height
cltv_expiry = node.getblockcount() + 40
scriptA = CScript([alice_htlc_pubkey.get_bytes(bip340=True), OP_CHECKSIG, OP_1, OP_CHECKSEQUENCEVERIFY, cltv_expiry, OP_CHECKLOCKTIMEVERIFY, OP_DROP])

# We use a dummy payment_hash here. In a real scenario, this would be the hash of the preimage for the HTLC.
# And would be sent in the message update_add_htlc.
payment_preimage = sha256(b'payment_secret').digest()
sha = sha256(payment_preimage).digest()
payment_hash = hashlib.new("ripemd160", sha).digest()

# Leaf script B: OP_SIZE 32 OP_EQUALVERIFY OP_HASH160 <RIPEMD160(payment_hash)> OP_EQUALVERIFY P(local_htlc) OP_CHECKSIGVERIFY P(remote_htlc) OP_CHECKSIG
# We use the same dummy payment hash as before.
scriptB = CScript([OP_SIZE, bytes.fromhex("20"), OP_EQUALVERIFY, OP_HASH160, payment_hash, OP_EQUALVERIFY, bob_htlc_pubkey.get_bytes(bip340=True), OP_CHECKSIGVERIFY, alice_htlc_pubkey.get_bytes(bip340=True), OP_CHECKSIG])

# Compute TapLeaves A and B
# Method: ser_string(data) is a function which adds compactsize to input data.
hash_inputA = TAPSCRIPT_VER + ser_string(scriptA)
hash_inputB = TAPSCRIPT_VER + ser_string(scriptB)

# Use the tagged_hash function to compute TapLeaf A and B
htlc_taggedhash_leafA = tagged_hash("TapLeaf", hash_inputA)
taggedhash_leafB = tagged_hash("TapLeaf", hash_inputB)

# Method: Returns tapbranch hash. Child hashes are lexographically sorted and then concatenated.
# l: tagged hash of left child
# r: tagged hash of right child
def tapbranch_hash(l, r):
    return tagged_hash("TapBranch", b''.join(sorted([l,r])))

# Compute Internal node TapBranch AB
root_ab = tapbranch_hash(htlc_taggedhash_leafA, taggedhash_leafB)

# Compute TapTweak
taptweak = tagged_hash("TapTweak", alice_revocation_pubkey.get_bytes(bip340=True) + root_ab)

# Tweak the alice revocation pubkey
alice_revocation_pubkey_tweaked = alice_revocation_pubkey.tweak_add(taptweak)

# scriptPubKey P2TR: OP_1 (0x51) + PUSH32 (0x20) + xonly(32B)
bob_accepted_htlc_spk = bytes.fromhex("51") + varint_len(alice_revocation_pubkey_tweaked.get_bytes(bip340=True)) + alice_revocation_pubkey_tweaked.get_bytes(bip340=True)

# Second commitment expected weight 
commitment_weight = taproot_commit_weight(NumTapOut=2, NumAnchorOut=2)
print("Commitment Transaction Expected Weight:", commitment_weight)

# From open_channel and update_feerate messages (1 sat/vb = 250 sat/kw)
feerate_per_kw = 250

# Calculate the fee for the second commitment transaction
commitment_fee = int(commitment_weight * feerate_per_kw / 1000)

# TO REMOTE OUTPUT
# to remote output amount
# As we have no to_local output in this case, the to_remote value pay the fees
# Using the same fee as before
to_remote_value_sat =  channel_value_sat - anchor_output_value_satoshis * 2 - htlc_output_value_satoshis - commitment_fee
to_remote_value = to_remote_value_sat.to_bytes(8, byteorder="little", signed=False)
print("channel_value_sat, anchor_output_value_satoshis * 2, commitment_fee: ", channel_value_sat, anchor_output_value_satoshis, commitment_fee)

# P(remote) OP_CHECKSIG OP_1 OP_CSV OP_DROP
# Use CScript to create the to remote script
script = CScript([alice_payment_pubkey.get_bytes(), OP_CHECKSIG, OP_1, OP_CHECKSEQUENCEVERIFY, OP_DROP])

# Method: ser_string(data) is a function which adds compactsize to input data.
hash_input = TAPSCRIPT_VER + ser_string(script)

# To Remote Output script_root
# Use the tagged_hash function to compute the script root
script_root = tagged_hash("TapLeaf", hash_input)

# To Remote Output Tagged Hash
# Use the tagged_hash function to compute the taptweak
taptweak = tagged_hash("TapTweak", NUMS.get_bytes() + script_root)
# Use the tweak_add to tweak the NUMS key
NUMS_tweaked = NUMS.tweak_add(taptweak)
# Create the scriptPubKey P2TR: OP_1 (0x51) + PUSH32 (0x20) + xonly(32B)
bob_to_remote_spk = bytes.fromhex("51") + varint_len(NUMS_tweaked.get_bytes()) + NUMS_tweaked.get_bytes()

outputs = (
    anchor_output_value
    + varint_len(anchors_sorted[0][0])
    + anchors_sorted[0][0]
    + anchor_output_value
    + varint_len(anchors_sorted[1][0])
    + anchors_sorted[1][0]
    + htlc_output_value
    + varint_len(bob_accepted_htlc_spk)
    + bob_accepted_htlc_spk
    + to_remote_value
    + varint_len(bob_to_remote_spk)
    + bob_to_remote_spk
)

# Locktime is the same

unsigned_tx = (
    version
    + input_count
    + inputs
    + output_count
    + outputs
    + locktime
)
print("unsigned_tx: ", unsigned_tx.hex())

# Decode the unsigned transaction to verify it looks correct
decoded = node.decoderawtransaction(unsigned_tx.hex())
print(json.dumps(decoded, indent=2, default=str))


Alice Payment PubKey: ec0c46eb5a839e990bd19609fa66d1054d302fa96e5d8109df7c37b554abe55b
Bob Delayed PubKey: dfade961b691e6e209a5551f5586a0072a57bc405545662becd42e0a66099d49
Alice Revocation PubKey: 41bc0c38213998fe4fcb7e51c88e960af93ea1124890803a206ff666953ec6ba
Alice HTLC PubKey: 944498722736a4218102c8c2a98a563c353b34a2ff07d9202242e9ef0a9b95bb
Bob HTLC PubKey: 3a3664f76f36ce607028a0534fb097e3d38da182158e89b80f76d25423c81d2d
Commitment Transaction Expected Weight: 968
channel_value_sat, anchor_output_value_satoshis * 2, commitment_fee:  1000000 330 242
unsigned_tx:  020000000115a833bec9e0b395d1b4c57c2ada44eaa1b8bed7ebe2f3b5178c856eff4806490000000000fd33b480044a010000000000002251201253ca67731a88ae0fa82bd8156dfcdc5e94ca22573df4e5f7bd075013cdf35b4a01000000000000225120e6c498aca19ee1ae30b3f980e32f6c4894c63a11e845326cb1eecc0f0bdc1b2520a107000000000022512029b6f7c1d448235c73d6d4b7f1e5c60ff164cca77b38a034781dcd1929592cff9a9d070000000000225120e1696d4c15b185bfe8058b600099dfe5ca740917543e4876fcbc19

## The sighash for the key path spend

In [3]:
index_of_this_input = bytes.fromhex("0000 0000")

# SIGHASH for key path spend
# See BIP-341 for details
sighash_epoch = bytes.fromhex("00")

# Control
hash_type = bytes.fromhex("00") # SIGHASH_DEFAULT (a new sighash type meaning implied SIGHASH_ALL)

# Transaction data
sha_prevouts = sha256(txid + index).digest()

sha_amounts = sha256(channel_value).digest()

# scriptPubKey P2TR: OP_1 (0x51) + PUSH32 (0x20) + xonly(32B)
sha_scriptpubkeys = sha256(
    varint_len(channel_spk)
    + channel_spk
).digest()

sha_sequences = sha256(sequence).digest()

sha_outputs = sha256(outputs).digest()

# Data about this input
spend_type = bytes.fromhex("00") # no annex present

sig_msg = (
    sighash_epoch
    + hash_type
    + version
    + locktime
    + sha_prevouts
    + sha_amounts
    + sha_scriptpubkeys
    + sha_sequences
    + sha_outputs
    + spend_type
    + index_of_this_input
)

tag_hash = sha256("TapSighash".encode()).digest()
sighash = sha256(tag_hash + tag_hash + sig_msg).digest()


## Signing the sighash

In [4]:
# Reusing the reordered participants to match the sorted pubkeys

# Alice and Bob generates its own nonce pair (secnonce, pubnonce)
secnonces, pubnonces = [], []
for pk, sk, pcs in participants:
    # Use per-commitment nonce for bob to get deterministic results and nonce_gen for Alice jit nonce
    if pk == pubkey_bob_musig2.get_bytes(bip340=False):
        sec, pub = nonce_per_commitment(pcs, commitment_number, sk, pk, agg_pubkey_tweaked, sighash)
    else:
        sec, pub = nonce_gen(sk, pk, agg_pubkey_tweaked, sighash, None)
    secnonces.append(sec)
    pubnonces.append(pub)

# Alice and Bob has exchanged already the pubnonces, so they can agregate them and create the session context
# Use nonce_agg to aggregate the pubnonces
agg_nonce = nonce_agg(pubnonces)
# Use the SessionContext to create the gignature session
session = SessionContext(agg_nonce, sorted_pubkeys, [bip86_tweak], [True], sighash)

# Alice and Bob produces their partial signatures
# Use sign function to produce the partial signatures
psigs = [sign(sec, sk, session) for sec, (_, sk, _) in zip(secnonces, participants)]

# Each side verify the otherâ€™s partial signature before proceeding
for i, psig in enumerate(psigs):
    assert partial_sig_verify(psig, pubnonces, sorted_pubkeys, [bip86_tweak], [True], sighash, i)

# Each side combines partial signatures into the final Schnorr signature
# Use the function partial_sig_agg to aggregate the partial signatures
agg_sig = partial_sig_agg(psigs, session)

# Sanity check: verify with BIP340 against the *tweaked* x-only key ---
ok = schnorr_verify(sighash, agg_pubkey_tweaked, agg_sig)
print("aggregated Schnorr verifies?", ok)


aggregated Schnorr verifies? True


## The signed transaction

In [5]:
witness = (
    bytes.fromhex("01") # one stack item in the witness
    + varint_len(agg_sig)
    + agg_sig
)

# the final signed transaction
signed_bob_commitment_tx = (
    version
    + marker
    + flag
    + input_count
    + inputs
    + output_count
    + outputs
    + witness
    + locktime
)

print("signed tx: ",signed_bob_commitment_tx.hex())
# Decode the unsigned transaction to verify it looks correct
decoded = node.decoderawtransaction(signed_bob_commitment_tx.hex())
print(json.dumps(decoded, indent=2, default=str))

print(node.testmempoolaccept(rawtxs=[signed_bob_commitment_tx.hex()]))

signed tx:  0200000000010115a833bec9e0b395d1b4c57c2ada44eaa1b8bed7ebe2f3b5178c856eff4806490000000000fd33b480044a010000000000002251201253ca67731a88ae0fa82bd8156dfcdc5e94ca22573df4e5f7bd075013cdf35b4a01000000000000225120e6c498aca19ee1ae30b3f980e32f6c4894c63a11e845326cb1eecc0f0bdc1b2520a107000000000022512029b6f7c1d448235c73d6d4b7f1e5c60ff164cca77b38a034781dcd1929592cff9a9d070000000000225120e1696d4c15b185bfe8058b600099dfe5ca740917543e4876fcbc191ca792fce00140c52bb935e53f4d50cbcd83e297bb6f00d1377bf25233bcfd3061fc94054b548f23cb42996e528431c1c7b1263cdbd8de91aef4f681231831f4c8de3962943d4a6fa64320
{
  "txid": "c8ff1a9c1ca13b5dacae8a2d083806aa231e621e7e7b8b3095e554a62b0b6afb",
  "hash": "0648e6a5c2ae02ee535d6e9803cf7c82212304d50c31421f1bcda17d1b3f77d1",
  "version": 2,
  "size": 291,
  "vsize": 240,
  "weight": 960,
  "locktime": 541304431,
  "vin": [
    {
      "txid": "490648ff6e858c17b5f3e2ebd7beb8a1ea44da2a7cc5b4d195b3e0c9be33a815",
      "vout": 0,
      "scriptSig": {
        "asm": "",
  