# Creating Commitment Transactions with HTLC

In this section, we'll create the Commitment Transactions with HTLC in transit from scratch using Python. We'll break down each part of the transaction, explain how it's constructed and signed, and detail the messages exchanged between peers to share the necessary information. Finally, we'll test everything using Bitcoin Core in regtest mode.

## Prerequisite knowledge
### For all notebooks
- A high level understanding of the bitcoin e.g. [Mastering Bitcoin](https://github.com/bitcoinbook/bitcoinbook), in particular [Chapter 6](https://github.com/bitcoinbook/bitcoinbook/blob/develop/ch06.asciidoc).
- A conceptual understanding of [hash functions](https://www.thesslstore.com/blog/what-is-a-hash-function-in-cryptography-a-beginners-guide).
- [Hexadecimal notation](https://inst.eecs.berkeley.edu/~cs61bl/r//cur/bits/decimal-binary-hex.html?topic=lab28.topic&step=2&course=) and [endianness](https://www.freecodecamp.org/news/what-is-endianness-big-endian-vs-little-endian/).
- A high level understanding of the lightning e.g. [Mastering Lightning Network](https://github.com/lnbook/lnbook), in particular [Chapter7](https://github.com/lnbook/lnbook/blob/develop/07_payment_channels.asciidoc), [Chapter 8](https://github.com/lnbook/lnbook/blob/develop/08_routing_htlcs.asciidoc) and [Chapter 9](https://github.com/lnbook/lnbook/blob/develop/09_channel_operation.asciidoc).

### Specific to this notebook
- SHA256, HASH256, HASH160 - '[Hash Functions chapter](https://github.com/MPins/lightning-tx-tutorial/blob/main/appendix/hash-functions.ipynb)'
- Bech32 addresses - '[Addresses chapter](https://github.com/MPins/lightning-tx-tutorial/blob/main/appendix/Addresses.ipynb)'
- Bitcoin Script basics - '[Bitcoin Script chapter](https://github.com/MPins/lightning-tx-tutorial/blob/main/appendix/Bitcoin%20Script.ipynb)'
- Lightning Network BOLT #2: '[Peer Protocol for Channel Management](https://github.com/lightning/bolts/blob/master/02-peer-protocol.md#channel-establishment-v1)'
- Lightning Network BOLT #3: '[Commitment Transactions](https://github.com/lightning/bolts/blob/master/03-transactions.md#commitment-transaction)'
- Finite Fields, Elliptic Curves and Serialization e.g. [Programming Bitcoin](https://github.com/jimmysong/programmingbitcoin), in particular [Chapter 1](https://github.com/jimmysong/programmingbitcoin/blob/master/ch01.asciidoc), [Chapter2](https://github.com/jimmysong/programmingbitcoin/blob/master/ch02.asciidoc), [Chapter 3](https://github.com/jimmysong/programmingbitcoin/blob/master/ch03.asciidoc) and [Chapter 4](https://github.com/jimmysong/programmingbitcoin/blob/master/ch04.asciidoc).

## HTLC (Hashed Time Locked Contracts)

Once the channel was stablished, the channel can be used to make payments via HTLCs (Hashed Time Locked Contracts).

Changes are sent in batches: one or more `update_ messages` are sent before a `commitment_signed` message. In the following diagram we are presenting just one `update_message` per `commitment_signed` just to keep it simple:

    +-----------+                            +-----------+
    |           |------ update_add_htlc ---->|           |
    |           |----- commitment_signed --->|           |
    |   Alice   |                            |    Bob    |
    |           |<----- revoke_and_ack ------|           |
    |           |                            |           |
    +-----------+                            +-----------+

The messages are defined in the [BOLT 2](https://github.com/lightning/bolts/blob/master/02-peer-protocol.md#adding-an-htlc-update_add_htlc).

### The `update_add_htlc` Message

Alice sends the `update_add_htlc`  message to Bob:
- channel_id
- id (htlc counter starting in zero)
- amount_msat
- payment_hash
- cltv_expiry
- onion_routing_packet

### The `commitment_signed` Message

Shortly after sending the `update_add_htlc` message, she will commit to the new state of the channel, so that the HTLC can be safely added by Bob. Bob has the HTLC information and has constructed a new commitment but does not yet have this new commitment signed by Alice.

Alice sends `commitment_signed` to Bob, with the signature for the new commitment and for the HTLC within: 

- channel_id
- signature
- num_htlcs
- htlc_signature

### The `revoke_and_ack` Message

Now that Bob has a new signed commitment, he needs to acknowledge it and revoke the old commitment. He does so by sending the `revoke_and_ack message`:

- channel_id
- per_commitment_secret
- next_per_commitment_point

## Setup
### Requirements

For this exercise we'll run the previous notebook to create the channel funding transaction beetween Alice and Bob.

**You'll need to edit these next line for your local setup.**

In [1]:
# run notebook
%run "/home/pins-dev/Projects/lightning-tx-tutorial/Chapter 2 - Commitment Transactions/First Commitment Transactions.ipynb"

Alice Per Commitment Seed 34b581ec20bf2c6cae3d4d4dcbfddc8a3727a1e9a57c55f3520e770607898c06
Bob Per Commitment Seed 89c994b3ddad4698acee71e42d8bcace48eea739caaba371eb110e77663ec56d
Alice Revocation Basepoint Private Key: c17ac3952ca414190074d1e59ea03fbae253196173908dc8b131af6bd2cc8161
Alice Revocation Basepoint Public Key: 03649c4f865bec74b0a186deef4defad51cfdc141443e38074ea05a7835a953a49
Alice HTLC Basepoint Private Key: 763ae49a20e6668c88602c782716dd83ba6c4cc0333b38810e2bcd7b22c871ac
Alice HTLC Basepoint Public Key: 02816fde4150e4dfcac94eff0b821448fb70f57a56148ba2206cd9b2fd0cc20bdf
Alice Payment Basepoint Private Key: 72d8c12971b58076a1f27eb7938ca442f0b210762b23637443ac2e99dac352a6
Alice Payment Basepoint Public Key: 025f892a06124391e2f38ce35d943cdc09f63e203330dbd9cb6113a903e0738458
Alice Delayed Payment Basepoint Private Key: 7cafce00c54e7241894dcc7c3beaca29dd354139fdb6182198d6c5f1063bfe8d
Alice Delayed Payment Basepoint Public Key: 034aa35219136bb238e072341b20a4bf8fb44a83cdb73dd2bd9

## Transaction Inputs

Now we can start creating Alice and Bob second commitment transactions. As they are spending the same channel funding transaction, the inputs for all the commitment transactions are almost the same. There only difference comes from the obscured commitment number, remember that to more easily allow both sides to keep track of the commitment numbers, each commitment actually encodes the number of the commitment within the lock time and sequence fields of the commitment transaction. 

In [4]:
# Third Commitment number
commitment_number = 3 

# Obscured commitment number is result of xor operation 
commitment_number_obscured = to_obscure_int_lower48 ^ commitment_number
print("Commitment Number Obscured: " + hex(commitment_number_obscured))

# Combine the upper 8 bits (0x80) with the lower 24 bits (upper 24 of obscured number)
sequence = (0x80 << 24) | upper_24_bits
# Convert to bytes (1 byte, big-endian)
sequence = sequence.to_bytes(4, byteorder='big')
sequence = sequence[::-1]
inputs = (
    channel_funding_txid
    + channel_funding_txindex
    + varint_len(scriptsig)
    + scriptsig
    + sequence
)
print("Inputs: " + inputs.hex())

Commitment Number Obscured: 0xb433fd43a66e
Inputs: bf78b4ba1b702c271a068ed338bebb74ba4a498f60675e073ca2e5292dee2d410100000000fd33b480


## Transaction Outputs

The Basis of Lightning Technology ([BOLT 3](https://github.com/lightning/bolts/blob/master/03-transactions.md)) defines the outputs as following:

* For every offered HTLC, if it is not trimmed, add an offered HTLC output.
* For every received HTLC, if it is not trimmed, add an received HTLC output.
* If the to_local amount is greater or equal to dust_limit_satoshis, add a to_local output.
* If the to_remote amount is greater or equal to dust_limit_satoshis, add a to_remote output.
* If option_anchors applies to the commitment transaction:
    * if to_local exists or there are untrimmed HTLCs, add a to_local_anchor output
    * if to_remote exists or there are untrimmed HTLCs, add a to_remote_anchor output

Let's assume that Alice had sent Bob 1M of Satohis already and that HTLC was already fullfilled, and now he is sending 0,5M of Satoshis.

Alice Commitment Transaction will have  outputs:
* to_local_anchor_output ****** TODO ****** Comparar lexigrafically to decid wich anchors come first
* to_remote_anchor_output
* offered_htlc_output
* to_remote_output
* to_local_output

Bob first Commitment Transaction will have two outputs:
* to_local_anchor_output
* to_remote_anchor_output
* received_htlc_output
* to_local_output
* to_remote_output


The Basis of Lightning Technology ([BOLT 3](https://github.com/lightning/bolts/blob/master/03-transactions.md))  defines that outputs in transactions are always sorted first according to their value, smallest first, this way the to_local_anchor_outuputs come first, as its amount output is fixed at 330 sats, the default dust limit for P2WSH. Them followed by scriptpubkey, comparing the common-length prefix lexicographically as if by memcmp, then selecting the shorter script (if they differ in length).


## The Per Commitment Point
As we saw on Chapter 0, the I'th per commitment secret must match the output of this algorithm:
```
generate_from_seed(seed, I):
    P = seed
    for B in 47 down to 0:
        if B set in I:
            flip(B) in P
            P = SHA256(P)
    return P
```
Where "flip(B)" alternates the (B mod 8) bit of the (B div 8) byte of the value. The first secret used must be index 281474976710655 (0xFFFFFFFFFFFF), and from there, the index is decremented.

The per_commitment_point is generated using elliptic-curve multiplication:

```
per_commitment_point = per_commitment_secret * G
```

Alice and Bob create their first per-commitment point and exchange it using the `open_channel` and `accept_channel` messages.

In [None]:
alice_per_commitment_secret = generate_from_seed(alice_per_commitment_seed, 281474976710653)
alice_per_commitment_point_uncompressed = int.from_bytes(alice_per_commitment_secret, byteorder="big") * G
alice_per_commitment_point = compress_pubkey(alice_per_commitment_point_uncompressed)

print(f"Alice Per Commitment Secret: {alice_per_commitment_secret.hex()}")
print(f"Alice Per Commitment Point: {alice_per_commitment_point}")


bob_per_commitment_secret = generate_from_seed(bob_per_commitment_seed, 281474976710653)
bob_per_commitment_point_uncompressed = int.from_bytes(bob_per_commitment_secret, byteorder="big") * G
bob_per_commitment_point = compress_pubkey(bob_per_commitment_point_uncompressed)

print(f"Bob Per Commitment Secret: {bob_per_commitment_secret.hex()}")
print(f"Bob Per Commitment Point: {bob_per_commitment_point}")


## Key Derivations

Each commitment transaction uses a unique localpubkey, local_htlcpubkey, remote_htlcpubkey, local_delayedpubkey,and remote_delayedpubkey pubkeys. The derivation of these pubkeys are simply generated by addition from their base points.

The **localpubkey, local_htlcpubkey, remote_htlcpubkey, local_delayedpubkey and remote_delayedpubkey** pubkeys are simply generated by addition from their base points. As defined at Basis of Lightning Technology ([BOLT 3](https://github.com/lightning/bolts/blob/master/03-transactions.md#key-derivation)):

```
pubkey = basepoint + SHA256(per_commitment_point || basepoint) * G

```

- The localpubkey uses the local node's payment_basepoint;
- The local_htlcpubkey uses the local node's htlc_basepoint;
- The remote_htlcpubkey uses the remote node's htlc_basepoint;
- The local_delayedpubkey uses the local node's delayed_payment_basepoint;
- The remote_delayedpubkey uses the remote node's delayed_payment_basepoint.


The **revocationpubkey** is a blinded key, when the local node wishes to create a new commitment for the remote node, it uses its own `revocation_basepoint` and the remote node's `per_commitment_point` to derive a new `revocationpubkey` for the commitment. After the remote node reveals the `per_commitment_secret` used (thereby revoking that commitment), the local node can then derive the `revocationprivkey`, as it now knows the two secrets necessary to derive the key (`revocation_basepoint_secret` and `per_commitment_secret`). As defined at Basis of Lightning Technology ([BOLT](https://github.com/lightning/bolts/blob/master/03-transactions.md#revocationpubkey-derivation)):

```
revocationpubkey = revocation_basepoint * SHA256(revocation_basepoint || per_commitment_point) + per_commitment_point * SHA256(per_commitment_point || revocation_basepoint)
```

This construction ensures that neither the node providing the `basepoint` nor the node providing the `per_commitment_point` can know the private key without the other node's secret.

The corresponding private key can be derived once the `per_commitment_secret` is known:

```
revocationprivkey = revocation_basepoint_secret * SHA256(revocation_basepoint || per_commitment_point) + per_commitment_secret * SHA256(per_commitment_point || revocation_basepoint)
```

In [1]:
# ALICE DELAYED PUBKEY
# alice_delayed_pubkey = alice_delayed_payment_basepoint + SHA256(per_commitment_point || alice_delayed_payment_basepoint) * G
# alice_delayed_payment_basepoint is generate by alice and sent into the `open_channel` message
# per_commitment_point is generated by alice and sent into the `open_channel` message
# Compute SHA256(per_commitment_point || basepoint)
sha_output = sha256(bytes.fromhex(alice_per_commitment_point) + bytes.fromhex(alice_delayed_payment_basepoint_pubkey))
sha_int = int.from_bytes(sha_output, 'big') % n
# do the math to get the alice_delayed_pubkey
alice_delayed_pubkey_point = decompress_point(alice_delayed_payment_basepoint_pubkey) + sha_int * G
alice_delayed_pubkey = compress_pubkey(alice_delayed_pubkey_point)
print(f"Alice Delayed Pubkey: {alice_delayed_pubkey }")

# BOB DELAYED PUBKEY
# bob_delayed_pubkey = bob_delayed_payment_basepoint + SHA256(bob_per_commitment_point || bob_delayed_payment_basepoint) * G
# bob_delayed_payment_basepoint is generate by bob and sent into the `accept_channel` message
# per_commitment_point is generated by bob and sent into the `revoke_and_ack` message
# Compute SHA256(per_commitment_point || basepoint)
sha_output = sha256(bytes.fromhex(bob_per_commitment_point) + bytes.fromhex(bob_delayed_payment_basepoint_pubkey))
sha_int = int.from_bytes(sha_output, 'big') % n
# do the math to get the bob_delayed_pubkey
bob_delayed_pubkey_point = decompress_point(bob_delayed_payment_basepoint_pubkey) + sha_int * G
bob_delayed_pubkey = compress_pubkey(bob_delayed_pubkey_point)
print(f"Bob Delayed Pubkey: {bob_delayed_pubkey }")

# ALICE HTLC PUBKEY
# alice_htlc_pubkey = alice_htlc_basepoint + SHA256(alice_per_commitment_point || alice_htlc_basepoint) * G
# alice_htlc_basepoint is generate by alice and sent into the `open_channel` message
# per_commitment_point is generated by alice and sent into the `revoke_and_ack` message
# Compute SHA256(per_commitment_point || basepoint)
sha_output = sha256(bytes.fromhex(alice_per_commitment_point) + bytes.fromhex(alice_htlc_basepoint_pubkey))
sha_int = int.from_bytes(sha_output, 'big') % n
# do the math to get the alice_htlc_pubkey
alice_htlc_pubkey_point = decompress_point(alice_htlc_basepoint_pubkey) + sha_int * G
alice_htlc_pubkey = compress_pubkey(alice_htlc_pubkey_point)
print(f"Alice HTLC Pubkey: {alice_htlc_pubkey }")

# BOB HTLC PUBKEY
# bob_htlc_pubkey = bob_htlc_basepoint + SHA256(bob_per_commitment_point || bob_htlc_basepoint) * G
# bob_htlc_basepoint is generate by bob and sent into the `accept_channel` message
# per_commitment_point is generated by bob and sent into the `revoke_and_ack` message
# Compute SHA256(per_commitment_point || basepoint)
sha_output = sha256(bytes.fromhex(bob_per_commitment_point) + bytes.fromhex(bob_htlc_basepoint_pubkey))
sha_int = int.from_bytes(sha_output, 'big') % n
# do the math to get the alice_htlc_pubkey
bob_htlc_pubkey_point = decompress_point(bob_htlc_basepoint_pubkey) + sha_int * G
bob_htlc_pubkey = compress_pubkey(bob_htlc_pubkey_point)
print(f"Bob HTLC Pubkey: {bob_htlc_pubkey }")


# BOB REVOCATION PUBKEY
# revocationpubkey = revocation_basepoint * SHA256(revocation_basepoint || per_commitment_point) + per_commitment_point * SHA256(per_commitment_point || revocation_basepoint)
# bob_revocation_basepoint is generate by bob and sent into the `accept_channel` message
# per_commitment_point is generated by bob and sent into the `revoke_and_ack` message
# Compute SHA256(revocation_basepoint || per_commitment_point)
sha_output = sha256(bytes.fromhex(bob_revocation_basepoint_pubkey) + bytes.fromhex(bob_per_commitment_point))
sha_int = int.from_bytes(sha_output, 'big') % n
# now multiply it by revocation_basepoint
part1 = decompress_point(bob_revocation_basepoint_pubkey) * sha_int
# Compute SHA256(per_commitment_point || revocation_basepoint)
sha_output = sha256(bytes.fromhex(bob_per_commitment_point) + bytes.fromhex(bob_revocation_basepoint_pubkey))
sha_int = int.from_bytes(sha_output, 'big') % n
# multiply it by per_commitment_point
part2 = decompress_point(bob_per_commitment_point) * sha_int
# sum the results
bob_revocation_pubkey_point = part1 + part2
bob_revocation_pubkey = compress_pubkey(bob_revocation_pubkey_point)
print(f"Bob Revocation Pubkey: {bob_revocation_pubkey }")

# ALICE REVOCATION PUBKEY
# revocationpubkey = revocation_basepoint * SHA256(revocation_basepoint || per_commitment_point) + per_commitment_point * SHA256(per_commitment_point || revocation_basepoint)
# alice_revocation_basepoint is generate by alice and sent into the `open_channel` message
# per_commitment_point is generated by alice and sent into the `revoke_and_ack` message
# Compute SHA256(revocation_basepoint || per_commitment_point)
sha_output = sha256(bytes.fromhex(alice_revocation_basepoint_pubkey) + bytes.fromhex(alice_per_commitment_point))
sha_int = int.from_bytes(sha_output, 'big') % n
# now multiply it by revocation_basepoint
part1 = decompress_point(alice_revocation_basepoint_pubkey) * sha_int
# Compute SHA256(per_commitment_point || revocation_basepoint)
sha_output = sha256(bytes.fromhex(alice_per_commitment_point) + bytes.fromhex(alice_revocation_basepoint_pubkey))
sha_int = int.from_bytes(sha_output, 'big') % n
# multiply it by per_commitment_point
part2 = decompress_point(alice_per_commitment_point) * sha_int
# sum the results
alice_revocation_pubkey_point = part1 + part2
alice_revocation_pubkey = compress_pubkey(alice_revocation_pubkey_point)
print(f"Alice Revocation Pubkey: {alice_revocation_pubkey }")



NameError: name 'sha256' is not defined

In [None]:
# OUTPUTS FOR ALICE COMMITMENT TRANSACTION
# 0x05 outputs
output_count = bytes.fromhex("05")

# ANCHOR AMOUNT OUTPUT
anchor_output_value = 330

# ALICE ANCHOR OUTPUT  
alice_anchor_output_value = anchor_output_value.to_bytes(8, byteorder="little", signed=True)
# ANCHOR P2WSH
# <local_funding_pubkey/remote_funding_pubkey> OP_CHECKSIG OP_IFDUP
# OP_NOTIF
#     OP_16 OP_CHECKSEQUENCEVERIFY
# OP_ENDIF
to_alice_anchor_redeemScript = bytes.fromhex(
    "21"
    + alice_funding_pubkey
    + "ac"  # OP_CHECKSIG
    + "73"  # OP_IFDUP
    + "64"  # OP_NOTIF
    + "60"  # OP_16
    + "B2"  # OP_CHECKSEQUENCEVERIFY
    + "68") # OP_ENDIF

to_alice_anchor_script_hash = sha256(to_alice_anchor_redeemScript)
to_alice_anchor_output_spk = bytes.fromhex("0020") + to_alice_anchor_script_hash
print(f"Alice Anchor Output SPK: {to_alice_anchor_output_spk.hex()}")

# BOB ANCHOR OUTPUT  
bob_anchor_output_value = anchor_output_value.to_bytes(8, byteorder="little", signed=True)
# ANCHOR P2WSH
# <local_funding_pubkey/remote_funding_pubkey> OP_CHECKSIG OP_IFDUP
# OP_NOTIF
#     OP_16 OP_CHECKSEQUENCEVERIFY
# OP_ENDIF
to_bob_anchor_redeemScript = bytes.fromhex(
    "21"
    + bob_funding_pubkey
    + "ac"  # OP_CHECKSIG
    + "73"  # OP_IFDUP
    + "64"  # OP_NOTIF
    + "60"  # OP_16
    + "b2"  # OP_CHECKSEQUENCEVERIFY
    + "68") # OP_ENDIF

to_bob_anchor_script_hash = sha256(to_bob_anchor_redeemScript)
to_bob_anchor_output_spk = bytes.fromhex("0020") + to_bob_anchor_script_hash
print(f"Bob Anchor Output SPK: {to_bob_anchor_output_spk.hex()}")

# OFFERED HTLC OUTPUT
# To remote node with revocation key
# OP_DUP OP_HASH160 <RIPEMD160(SHA256(revocationpubkey))> OP_EQUAL
# OP_IF
#    OP_CHECKSIG
# OP_ELSE
#    <remote_htlcpubkey> OP_SWAP OP_SIZE 32 OP_EQUAL
#    OP_NOTIF
#        # To local node via HTLC-timeout transaction (timelocked).
#        OP_DROP 2 OP_SWAP <local_htlcpubkey> 2 OP_CHECKMULTISIG
#    OP_ELSE
#        To remote node with preimage.
#        OP_HASH160 <RIPEMD160(payment_hash)> OP_EQUALVERIFY
#        OP_CHECKSIG
#    OP_ENDIF
#    1 OP_CHECKSEQUENCEVERIFY OP_DROP
# OP_ENDIF

hash160_bob_revocation_pubkey = hash160(bob_revocation_pubkey)
payment_hash = hash160("")

alice_offered_htlc_redeemScript = bytes.fromhex(
    "76"    # OP_DUP
    + "a9"  # OP_HASH160
    + "14"  # OP_PUSHDATA
    + hash160_bob_revocation_pubkey
    + "87"  # OP_EQUAL
    + "63"  # OP_IF
    + "ac"  # OP_CHECKSIG
    + "67"  # OP_ELSE
    + "21"  # OP_PUSHDATA
    + bob_htlc_pubkey
    + "7c"  # OP_SWAP
    + "82"  # OP_SIZE
    + "01"  # OP_PUSHDATA
    + "20"  # 32
    + "87"  # OP_EQUAL
    + "64"  # OP_NOTIF
    + "75"  # OP_DROP
    + "52"  # OP_2
    + "7c"  # OP_SWAP
    + "21"  # OP_PUSHDATA
    + alice_htlc_pubkey
    + "52"  # OP_2
    + "ae"  # OP_CHECKMULTISIG
    + "67"  # OP_ELSE
    + "a9"  # OP_HASH160
    + "14"  # OP_PUSHDATA
    + payment_hash
    + "88"  # OP_EQUALVERIFY
    + "ac"  # OP_CHECKSIG
    + "68"  # OP_ENDIF
    + "51"  # OP_1
    + "b2"  # OP_CHECKSEQUENCEVERIFY
    + "75"  # OP_DROP
    + "68") # OP_ENDIF

alice_offered_htlc_script_hash = sha256(alice_offered_htlc_redeemScript)
alice_offered_htlc_output_spk = bytes.fromhex("0020") + alice_offered_htlc_script_hash
print(f"Alice Offered htlc Output SPK: {alice_offered_output_spk.hex()}")    

# TO REMOTE OUTPUT
# <remotepubkey> OP_CHECKSIGVERIFY 1 OP_CHECKSEQUENCEVERIFY
to_bob_remote_redeemScript = byter.fromhex(
    "21"   # OP_PUSHDATA
    + bob_payment_basepoint_pubkey
    "ad"   # OP_CHECKSIGVERIFY
    "51"   # OP_1
    "b2")  # OP_CHECKSEQUENCEVERIFY

to_bob_remote_script_hash = sha256(to_bob_remote_redeemScript)
to_bob_remote_output_spk = bytes.fromhex("0020") + to_bob_remote_script_hash
print(f"Bob Remote Output SPK: {to_bob_remote_output_spk.hex()}") 
                             
# TO_LOCAL OUTPUT
# This output sends funds back to the owner of this commitment transaction and thus must be timelocked
# using OP_CHECKSEQUENCEVERIFY. It can be claimed, without delay, by the other party if they know the
# revocation private key. The output is a version-0 P2WSH, with the witness script below:
# OP_IF
    # Penalty transaction
#    <revocationpubkey>
# OP_ELSE
#    `to_self_delay`
#    OP_CHECKSEQUENCEVERIFY
#    OP_DROP
#    <local_delayedpubkey>
# OP_ENDIF
# OP_CHECKSIG
to_alice_delayed_redeemScript = bytes.fromhex(
    "63"   # OP_IF
    + "21"
    + bob_revocation_pubkey
    + "67"   # OP_ELSE
    + "02"   
    + "9000" # to_self_delay of 144 blocks
    + "b2"   # OP_CHECKSEQUENCEVERIFY
    + "75"   # OP_DROP
    + "21"
    + alice_delayed_pubkey
    + "68"  # OP_ENDIF
    + "ac") # OP_CHECKSIG

to_alice_delayed_script_hash = sha256(to_alice_delayed_redeemScript)
to_alice_delayed_output_spk = bytes.fromhex("0020") + to_alice_delayed_script_hash
print(f"Alice Delayed Output SPK: {to_alice_delayed_output_spk.hex()}")


In [None]:
# OUTPUTS FOR BOB COMMITMENT TRANSACTION
# The number of outputs are the same
# The anchors outputs are the same

# RECEIVED HTLC OUTPUT
# To remote node with revocation key
# OP_DUP OP_HASH160 <RIPEMD160(SHA256(revocationpubkey))> OP_EQUAL
# OP_IF
#    OP_CHECKSIG
# OP_ELSE
#    <remote_htlcpubkey> OP_SWAP OP_SIZE 32 OP_EQUAL
#    OP_IF
#       To local node via HTLC-success transaction.
#       OP_HASH160 <RIPEMD160(payment_hash)> OP_EQUALVERIFY
#       2 OP_SWAP <local_htlcpubkey> 2 OP_CHECKMULTISIG
#    OP_ELSE
#       To remote node after timeout.
#       OP_DROP <cltv_expiry> OP_CHECKLOCKTIMEVERIFY OP_DROP
#       OP_CHECKSIG
#    OP_ENDIF
#    1 OP_CHECKSEQUENCEVERIFY OP_DROP
# OP_ENDIF
hash160_alice_revocation_pubkey = hash160(alice_revocation_pubkey)
payment_hash = hash160("")

bob_received_htlc_redeemScript = bytes.fromhex(
    "76"    # OP_DUP
    + "a9"  # OP_HASH160
    + "14"  # OP_PUSHDATA
    + hash160_alice_revocation_pubkey
    + "87"  # OP_EQUAL
    + "63"  # OP_IF
    + "ac"  # OP_CHECKSIG
    + "67"  # OP_ELSE
    + "21"  # OP_PUSHDATA
    + alice_htlc_pubkey
    + "7c"  # OP_SWAP
    + "82"  # OP_SIZE
    + "01"  # OP_PUSHDATA
    + "20"  # 32
    + "87"  # OP_EQUAL
    + "63"  # OP_IF
    + "a9"  # OP_HASH160
    + payment_hash
    + "88"  # OP_EQUALVERIFY
    + "52"  # OP_2
    + "7c"  # OP_SWAP
    + "21"  # OP_PUSHDATA
    + bob_htlc_pubkey
    + "52"  # OP_2
    + "ae"  # OP_CHECKMULTISIG
    + "67"  # OP_ELSE
    + "75"  # OP_DROP
    + "02"  # OP_PUSHDATA 
    + "f401"# htlc expiry
    + "b1"  # OP_CHECKLOCKTIMEVERIFY
    + "75"  # OP_DROP
    + "ac"  # OP_CHECKSIG
    + "68"  # OP_ENDIF
    + "51"  # OP_1
    + "b2"  # OP_CHECKSEQUENCEVERIFY
    + "75"  # OP_DROP
    + "68") # OP_ENDIF

bob_received_htlc_script_hash = sha256(bob_received_htlc_redeemScript)
bob_received_htlc_output_spk = bytes.fromhex("0020") + bob_received_htlc_script_hash
print(f"Bob Received htlc Output SPK: {bob_received_output_spk.hex()}")    


# ******************** AQUI


# TO REMOTE OUTPUT
# <remotepubkey> OP_CHECKSIGVERIFY 1 OP_CHECKSEQUENCEVERIFY
to_bob_remote_redeemScript = byter.fromhex(
    "21"   # OP_PUSHDATA
    + bob_payment_basepoint_pubkey
    "ad"   # OP_CHECKSIGVERIFY
    "51"   # OP_1
    "b2")  # OP_CHECKSEQUENCEVERIFY

to_bob_remote_script_hash = sha256(to_bob_remote_redeemScript)
to_bob_remote_output_spk = bytes.fromhex("0020") + to_bob_remote_script_hash
print(f"Bob Remote Output SPK: {to_bob_remote_output_spk.hex()}") 
                             
# TO_LOCAL OUTPUT
# This output sends funds back to the owner of this commitment transaction and thus must be timelocked
# using OP_CHECKSEQUENCEVERIFY. It can be claimed, without delay, by the other party if they know the
# revocation private key. The output is a version-0 P2WSH, with the witness script below:
# OP_IF
    # Penalty transaction
#    <revocationpubkey>
# OP_ELSE
#    `to_self_delay`
#    OP_CHECKSEQUENCEVERIFY
#    OP_DROP
#    <local_delayedpubkey>
# OP_ENDIF
# OP_CHECKSIG
to_alice_delayed_redeemScript = bytes.fromhex(
    "63"   # OP_IF
    + "21"
    + bob_revocation_pubkey
    + "67"   # OP_ELSE
    + "02"   
    + "9000" # to_self_delay of 144 blocks
    + "b2"   # OP_CHECKSEQUENCEVERIFY
    + "75"   # OP_DROP
    + "21"
    + alice_delayed_pubkey
    + "68"  # OP_ENDIF
    + "ac") # OP_CHECKSIG

to_alice_delayed_script_hash = sha256(to_alice_delayed_redeemScript)
to_alice_delayed_output_spk = bytes.fromhex("0020") + to_alice_delayed_script_hash
print(f"Alice Delayed Output SPK: {to_alice_delayed_output_spk.hex()}")
