In [29]:
import util
from test_framework.address import program_to_witness
from test_framework.key import generate_key_pair, generate_bip340_key_pair, generate_schnorr_nonce
from test_framework.messages import CTxInWitness, sha256
from test_framework.musig import aggregate_musig_signatures, aggregate_schnorr_nonces, generate_musig_key, sign_musig
from test_framework.script import CScript, CScriptOp, hash160, OP_0, OP_2, OP_CHECKMULTISIG, SegwitV0SignatureHash, SIGHASH_ALL, SIGHASH_ALL_TAPROOT, TaprootSignatureHash

# 2.1 Taproot Outputs

* Part 1 (Example): Sending to and spending from a single-signer segwit v1 output
* Part 2 (Case Study): Migrating from a 2-of-2 P2WSH output to a MuSig segwit v1 output

In this chapter, we introduce segwit v1 outputs, which are defined in [BIP341](https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki). Segwit v1 outputs can be spent in two ways:

* **Key path** spending, which treats the witness program as a public key, and permits spending using a signature from that public key.
* **Script path** spending, which allows a pre-committed script to be used to spend the output. Script path spending will be fully described in chapters 2.2, 2.3 and 2.4.

By using the MuSig pubkey and signature aggregation protocol described in chapter 1.2, key path spending can be used to encumber an output to an n-of-n multisig policy in a way that is indistinguishable from a single-key output and spend.

Part 1 of this chapter is an example of sending funds to a segwit v1 address using the Bitcoin Core wallet, and then manually constructing a transaction that spends that output using the new BIP341 key path spending rules.

Part 2 of this chapter is a case study, showing how using a segwit v1 output with MuSig can provide cost and privacy benefits over using a segwit P2WSH output.

## Part 1 (Example): Single-signer segwit v1 output

Segwit v1 follows the same output script pattern as segwit v0:

* Segwit output: **`[1B Version]` `[segwit program]`**
* Segwit v0 output: **`[00]` `[20-Byte public key digest]`** (P2WPKH) or **`[00]` `[32-Byte script digest]`** (P2WSH)
* Segwit v1 output: **`[01]` `[32-Byte public key]`**

### Spending a segwit v1 output with the key path

Unlike segwit v0 outputs, v1 outputs look the same for script or key paths(unlike v0 which separates into P2WPKH and P2WSH). In this chapter we will focus on spending the key path.

![test](images/segwit_version1_0.jpg)

The output can be spent along the **key path** by providing a valid signature for the pubkey in the output's scriptPubKey. The spending witness is simply **`[sig]`**.

The output can be spent along the **script path** if public key was tweaked with a valid taproot. See chapters 2.2 and 2.3 for further details.

#### 2.1.1 Example: Constructing a segwit v1 output

In this example, we construct segwit v1 output for spending along the key path. We generate a key pair, encode the public key using the BIP340 and BIP341 pubkey encoding rules, and then encode the witness version and witness program to a bech32m address.

In [30]:
# Key pair generation
privkey, pubkey = generate_bip340_key_pair()
print("Pubkey is {}\n".format(pubkey.get_bytes().hex()))

# Create witness program ([32B x-coordinate])
program = pubkey.get_bytes()
print("Witness program is {}\n".format(program.hex()))

# Create (regtest) bech32m address
version = 0x01
address = program_to_witness(version, program)
print("bech32m address is {}".format(address))

Pubkey is 1f1914571339d00d5bea54bd7fa65aed158573639a0cd0bc516f3c452457455e

Witness program is 1f1914571339d00d5bea54bd7fa65aed158573639a0cd0bc516f3c452457455e

bech32m address is bcrt1pruv3g4cn88gq6kl22j7hlfj6a52c2umrngxdp0z3du7y2fzhg40qnxqeea


### Sending funds from the Bitcoin Core wallet

Next, we send funds to the segwit v1 address that we just generated. We'll create send the funds from a Bitcoin Core wallet, which is able to send outputs to segwit v1 addresses.

#### Example 2.1.2: Start Bitcoin Core node and send coins to the taproot address

Only run setup once, or after a clean shutdown.

In [31]:
# Start node
test = util.TestWrapper()
test.setup()
node = test.nodes[0]

# Generate coins and create an output, in address we define the segwit version 
tx = node.generate_and_send_coins(address)
print("Transaction {}, output 0\nsent to {}\n".format(tx.hash, address))

TestWrapper is already running!

Client version is /Satoshi:25.99.0(testnode0)/

Balance: 5099.00000000

Transaction e7ae5555c402ed7c8ccfffeabf6a7b18c6bd5da8228a89dc05112c4e8e4f238c, output 0
sent to bcrt1pruv3g4cn88gq6kl22j7hlfj6a52c2umrngxdp0z3du7y2fzhg40qnxqeea



### Constructing a transaction to spend the segwit v1 output

We are now going to manually contruct, sign and broadcast a transaction which spends the segwit v1 output.

To do that we create a `CTransaction` object and populate the data members:

 * `nVersion`
 * `nLocktime`  
 * `tx_vin` (list of `CTxIn` objects)
 * `tx_vout` (list of `CTxOut` objects)
 * `tx.wit.vtxinwit` (list of `CTxInWitness` objects)

#### Example 2.1.3: Construct `CTransaction` and populate fields

We use the `create_spending_transaction(node, txid)` convenience function.

In [32]:
# Create a spending transaction
spending_tx = test.create_spending_transaction(tx.hash)
print("Spending transaction:\n{}".format(spending_tx))

Spending transaction:
CTransaction(nVersion=1 vin=[CTxIn(prevout=COutPoint(hash=e7ae5555c402ed7c8ccfffeabf6a7b18c6bd5da8228a89dc05112c4e8e4f238c n=0) scriptSig= nSequence=0)] vout=[CTxOut(nValue=0.50000000 scriptPubKey=0014a8447c850a304bb4336a2eaafda1ba07c831616e)] wit=CTxWitness() nLockTime=0)


#### Example 2.1.4: Sign the transaction with a schnorr signature

BIP341 defines the following sighash flags:
* Legacy sighash flags:
  * `0x01` - **SIGHASH_ALL**
  * `0x02` - **SIGHASH_NONE**
  * `0x03` - **SIGHASH_SINGLE**
  * `0x81` - **SIGHASH_ALL | SIGHASH_ANYONECANPAY**
  * `0x82` - **SIGHASH_NONE | SIGHASH_ANYONECANPAY**
  * `0x83` - **SIGHASH_SINGLE | SIGHASH_ANYONECANPAY**
* New sighash flag:
  * `0x00` - **SIGHASH_ALL_TAPROOT** same semantics `0x01` **SIGHASH_ALL**

Append the sighash flag to the signature `[R_x, s]` with the sighash byte if not `0x00`.

In [33]:
# Generate the taproot signature hash for signing
# SIGHASH_ALL_TAPROOT is 0x00
sighash = TaprootSignatureHash(spending_tx, [tx.vout[0]], SIGHASH_ALL_TAPROOT, input_index=0)
 
# All schnorr sighashes except SIGHASH_ALL_TAPROOT require
# the hash_type appended to the end of signature
sig = privkey.sign_schnorr(sighash)

print("Signature: {}".format(sig.hex()))

Signature: 377c00c36bed6f5f8e37f08af38694cd23d960116d8c54a1f9f02851014dfd9224490e77066bed1f3abceafea80b4fd72d70f3248e2de82960e34a6f4fab8812


#### Example 2.1.5: Add the witness and test acceptance of the transaction

In [34]:
# Construct transaction witness
spending_tx.wit.vtxinwit.append(CTxInWitness([sig]))

print("Spending transaction:\n{}\n".format(spending_tx))
 
# Test mempool acceptance
node.test_transaction(spending_tx)
print("Success!")

Spending transaction:
CTransaction(nVersion=1 vin=[CTxIn(prevout=COutPoint(hash=e7ae5555c402ed7c8ccfffeabf6a7b18c6bd5da8228a89dc05112c4e8e4f238c n=0) scriptSig= nSequence=0)] vout=[CTxOut(nValue=0.50000000 scriptPubKey=0014a8447c850a304bb4336a2eaafda1ba07c831616e)] wit=CTxWitness(CScriptWitness(377c00c36bed6f5f8e37f08af38694cd23d960116d8c54a1f9f02851014dfd9224490e77066bed1f3abceafea80b4fd72d70f3248e2de82960e34a6f4fab8812)) nLockTime=0)

{'txid': '65492e1f81b18c351eeaa4672fe1eb757113e9983290a149366f5a1a49a61a2f', 'wtxid': '1126c6c3c3606587447bbf3f8037ab8d7b374c9a2e2cb5c34bb85c99b9aee4c4', 'allowed': True, 'vsize': 99, 'fees': {'base': Decimal('0.50000000'), 'effective-feerate': Decimal('5.05050505'), 'effective-includes': ['1126c6c3c3606587447bbf3f8037ab8d7b374c9a2e2cb5c34bb85c99b9aee4c4']}}
Success!


#### Example 2.1.6: Shutdown the TestWrapper (and all bitcoind instances)

In [35]:
test.shutdown()

2023-05-01T06:38:37.183000Z TestFramework./tmp/bitcoin_func_test_nnm46ihq (INFO): Stopping nodes
2023-05-01T06:38:37.285000Z TestFramework./tmp/bitcoin_func_test_nnm46ihq (INFO): Cleaning up /tmp/bitcoin_func_test_nnm46ihq on exit
2023-05-01T06:38:37.286000Z TestFramework./tmp/bitcoin_func_test_nnm46ihq (INFO): Tests successful


## Part 2 (Case Study): 2-of-2 multisig

Alice stores her bitcoin using a combination of an offline hardware wallet and online wallet. She currently uses P2WSH 2-of-2 multisig, which has some drawbacks:

- spending a P2WSH multisig output is more expensive than spending a single signature P2WPKH output, since multiple pubkeys and signatures need to be included in the witness
- spending from the P2WSH output reveals that the coins were encumbered using a multisig setup. Anyone who transacted with Alice (paid or was paid by) can see this easily, and even entities who do not transact directly with Alice can discover this with some chain analysis. Revealing her wallet setup may be bad for Alice's privacy and safety.

In this chapter, we'll show how Alice can move to using a MuSig aggregated public key, eventually saving her transaction fees and protecting her privacy.

### Spending a segwit v0 P2SH 2-of-2 multisig

We'll first show Alice's current setup: P2WSH 2-of-2 multisig.

#### Example 2.1.7: Construct a 2-of-2 P2WSH output

In this example, we'll construct a 2-of-2 P2WSH output and address

In [36]:
# Generate individual key pairs
privkey1, pubkey1 = generate_key_pair()
privkey2, pubkey2 = generate_key_pair()

# Create the spending script
# OP_2 <pubkey1> <pubkey2> OP_2 OP_CHECKMULTISIG (segwit v0)
multisig_script = CScript([CScriptOp(OP_2), pubkey1.get_bytes(bip340=False), pubkey2.get_bytes(bip340=False), CScriptOp(OP_2), CScriptOp(OP_CHECKMULTISIG)])

# Hash the spending script
script_hash = sha256(multisig_script)

# Generate the address
version = 0
address = program_to_witness(version, script_hash)
print("bech32 address is {}".format(address))

bech32 address is bcrt1q0qu3lr5ek5rc8zj2ytn3r4gwz5j3uzt6azc664q7hy5glpmhvgfsrgrnft


#### Example 2.1.8: Start a Bitcoind node and send funds to the segwit v0 address

We'll use the `generate_and_send_coins()` function.

In [37]:
test = util.TestWrapper()
test.setup()
node = test.nodes[0]

# Generate coins and create an output
tx = node.generate_and_send_coins(address)
print("Transaction {}, output 0\nsent to {}\n".format(tx.hash, address))

2023-05-01T06:38:37.410000Z TestFramework./tmp/bitcoin_func_test_104lec5n (INFO): Initializing test directory /tmp/bitcoin_func_test_104lec5n

Client version is /Satoshi:25.99.0(testnode0)/

Balance: 50.00000000

Transaction 7272dd71e1f56496bef65d47a2d323c73d3d14cdeaf2e498b3a891213acf72b3, output 0
sent to bcrt1q0qu3lr5ek5rc8zj2ytn3r4gwz5j3uzt6azc664q7hy5glpmhvgfsrgrnft



#### Example 2.1.9 : Construct CTransaction, sign and check validity

In this example we:
- create a `CTransaction` object
- create signatures for both public keys
- create a valid witness using those signatures and add it to the transaction
- test transaction validity

In [38]:
# Create a spending transaction
spending_tx = test.create_spending_transaction(tx.hash)

# Generate the segwit v0 signature hash for signing
# hash of the multisig_scripts and the amount
sighash = SegwitV0SignatureHash(script=multisig_script,
                                txTo=spending_tx,
                                inIdx=0,
                                hashtype=SIGHASH_ALL,
                                amount=100_000_000)

# Sign using ECDSA and append the SIGHASH byte
sig1 = privkey1.sign_ecdsa(sighash) + chr(SIGHASH_ALL).encode('latin-1')
sig2 = privkey2.sign_ecdsa(sighash) + chr(SIGHASH_ALL).encode('latin-1')

print("Signatures:\n- {},\n- {}\n".format(sig1.hex(), sig2.hex()))

# Construct witness and add it to the script.
# For a multisig P2WSH input, the script witness is the signatures and the scipt
# sig1, sig2, (Op_2 <pubkey1> <pubkey2> Op_2 Op_Checkmultisig)
witness_elements = [b'', sig1, sig2, multisig_script]
spending_tx.wit.vtxinwit.append(CTxInWitness(witness_elements))

print("Spending transaction:\n{}\n".format(spending_tx))

print("Transaction weight: {}\n".format(node.decoderawtransaction(spending_tx.serialize().hex())['weight']))

# Test mempool acceptance
assert node.test_transaction(spending_tx)
print("Success!")

Signatures:
- 3045022100e12521ffb9fa0681ab533077d59ccf62961e9b9b068a05b3dd72c0b840de8e9e022054ea0afa72e46f67ce1ec90c24a9914f4ae9f3f6fc577ad059c36a31840fde7e01,
- 3045022100e552828e86ce915e22389ed373199cbbfe7db93b463ac365a7743c77e46c0f9e022064360001e4ce1d1c473cca867edb26824405d0e534a8a9b9d7a2ca9e479873ff01

Spending transaction:
CTransaction(nVersion=1 vin=[CTxIn(prevout=COutPoint(hash=7272dd71e1f56496bef65d47a2d323c73d3d14cdeaf2e498b3a891213acf72b3 n=0) scriptSig= nSequence=0)] vout=[CTxOut(nValue=0.50000000 scriptPubKey=001442220f0634660b945a1517af54750a7425f82b06)] wit=CTxWitness(CScriptWitness(,3045022100e12521ffb9fa0681ab533077d59ccf62961e9b9b068a05b3dd72c0b840de8e9e022054ea0afa72e46f67ce1ec90c24a9914f4ae9f3f6fc577ad059c36a31840fde7e01,3045022100e552828e86ce915e22389ed373199cbbfe7db93b463ac365a7743c77e46c0f9e022064360001e4ce1d1c473cca867edb26824405d0e534a8a9b9d7a2ca9e479873ff01,522102bf0f219b6bfa1c20150f6c92fbf3a632361d723a628c95286837a630dfa923c721022b9a6319f6f9abdf986a01854950e92

#### Example 2.1.10: Shutdown the TestWrapper (and all bitcoind instances)

In [39]:
test.shutdown()

2023-05-01T06:38:37.929000Z TestFramework./tmp/bitcoin_func_test_104lec5n (INFO): Stopping nodes
2023-05-01T06:38:38.082000Z TestFramework./tmp/bitcoin_func_test_104lec5n (INFO): Cleaning up /tmp/bitcoin_func_test_104lec5n on exit
2023-05-01T06:38:38.085000Z TestFramework./tmp/bitcoin_func_test_104lec5n (INFO): Tests successful


### Spending a segwit v1 output with a MuSig public key

Now, we'll use Alice's same keys to create a MuSig aggregate key, and spend a segwit v1 output using that aggregate key.

#### 2.1.11 _Programming Exercise:_ Generate segwit v1 addresses for a 2-of-2 MuSig aggregate pubkey

In this exercise, we create a 2-of-2 aggregate MuSig public key

In [40]:
# Generate a 2-of-2 aggregate MuSig key using the same pubkeys as before
# Method: generate_musig_key(ECPubKey_list)
c_map, agg_pubkey =  generate_musig_key([pubkey1, pubkey2])

# Multiply individual keys with challenges
privkey1_c =  privkey1 * c_map[pubkey1]
privkey2_c =  privkey2 * c_map[pubkey2]
pubkey1_c =  pubkey1 * c_map[pubkey1]
pubkey2_c =  pubkey2 * c_map[pubkey2]

# Negate the private and public keys if needed
if agg_pubkey.get_y() % 2 == 1: 
    privkey1_c.negate()
    privkey2_c.negate()
    pubkey1_c.negate()
    pubkey2_c.negate()
    agg_pubkey.negate()
    
# Create a segwit v1 address for the MuSig aggregate pubkey
# Method: address = program_to_witness(version_int, program_bytes)
program_musig =  agg_pubkey.get_bytes()
address_musig =  program_to_witness(1, program_musig)
print("2-of-2 musig: ", address_musig)

2-of-2 musig:  bcrt1pzkh3d5p09r5qu8266zhc7lgvuwut4jr9npp9clg9ykm490034rvsc07e7c


#### Example 2.1.12: Create a transaction in the Bitcoin Core wallet sending an output to the segwit v1 addresses

In [41]:
test = util.TestWrapper()
test.setup()
node = test.nodes[0]

# Generate coins and create an output
tx = node.generate_and_send_coins(address_musig)
print("Transaction {}, output 0\nsent to {}\n".format(tx.hash, address_musig))

2023-05-01T06:38:38.244000Z TestFramework./tmp/bitcoin_func_test_gwycce7q (INFO): Initializing test directory /tmp/bitcoin_func_test_gwycce7q

Client version is /Satoshi:25.99.0(testnode0)/

Balance: 50.00000000

Transaction 051fde5f01f7de15c74ce72d694782588689a310250c0692a7081239c6bc3567, output 0
sent to bcrt1pzkh3d5p09r5qu8266zhc7lgvuwut4jr9npp9clg9ykm490034rvsc07e7c



#### Example 2.1.13 : Construct CTransaction and populate fields

In [42]:
# Create a spending transaction
spending_tx = test.create_spending_transaction(tx.hash)
print("Spending transaction:\n{}".format(spending_tx))

Spending transaction:
CTransaction(nVersion=1 vin=[CTxIn(prevout=COutPoint(hash=051fde5f01f7de15c74ce72d694782588689a310250c0692a7081239c6bc3567 n=0) scriptSig= nSequence=0)] vout=[CTxOut(nValue=0.50000000 scriptPubKey=00147864176612f6dc4ac64d263f452f9b724e35bcdb)] wit=CTxWitness() nLockTime=0)


#### 2.1.14 _Programming Exercise:_ Create a valid BIP340 signature for the MuSig aggregate pubkey

In this exercise, we create a signature for the aggregate pubkey, add it to the witness, and then test that the transaction is accepted by the mempool.

In [43]:
# Create sighash for ALL (0x00)
sighash_musig = TaprootSignatureHash(spending_tx, [tx.vout[0]], SIGHASH_ALL_TAPROOT, input_index=0)

# Generate individual nonces for participants and an aggregate nonce point
# Remember to negate the individual nonces if necessary
# Method: generate_schnorr_nonce()
# Method: aggregate_schnorr_nonces(nonce_list)
nonce1 = generate_schnorr_nonce()
nonce2 = generate_schnorr_nonce()
R_agg, negated =  aggregate_schnorr_nonces([nonce1.get_pubkey(), nonce2.get_pubkey()])

# make R_agg even: 
if negated:
    nounce1.negate()
    nounce2.negate()

# Create an aggregate signature
# Method: sign_musig(privkey, nonce, R_agg, agg_pubkey, sighash_musig)
# Method: aggregate_musig_signatures(partial_signature_list, R_agg)
s1 = sign_musig(privkey1_c, nonce1, R_agg, agg_pubkey, sighash_musig)
s2 = sign_musig(privkey2_c, nonce2, R_agg, agg_pubkey, sighash_musig)
sig_agg =  aggregate_musig_signatures([s1, s2], R_agg)
print("Aggregate signature is {}\n".format(sig_agg.hex()))

# Add witness to transaction
spending_tx.wit.vtxinwit.append(CTxInWitness([sig_agg]))

# Get transaction weight
print("Transaction weight: {}\n".format(node.decoderawtransaction(spending_tx.serialize().hex())['weight']))

# Test mempool acceptance
assert node.test_transaction(spending_tx)
print("Success!")

Aggregate signature is cfea89ed0bc7ab02a8c7d18ec8efdc9cd22cefa9455487e3d5a840db780562125948dd1c4fde87cb3767c8d4a401e8d80d3b68eeef1dd5e369b68e8df4941077

Transaction weight: 396

{'txid': '1d18f25efbe22a149d8a7fdb5ca599c58502569f62d49684b8af605ff1573ad4', 'wtxid': '85ef46f0e1aa9c9691dcba00c17d7bc099cba4a4d9b7bc721392be45876a90e6', 'allowed': True, 'vsize': 99, 'fees': {'base': Decimal('0.50000000'), 'effective-feerate': Decimal('5.05050505'), 'effective-includes': ['85ef46f0e1aa9c9691dcba00c17d7bc099cba4a4d9b7bc721392be45876a90e6']}}
Success!


### Benefits of using segwit v1 MuSig over segwit v0 P2WSH

You can see that the transaction weight of the transaction spending the v1 MuSig output is about 30% lower than the transaction spending the v0 P2WSH output. For larger n-of-n multisig, the weight savings is even larger. Since transaction fees are based on the transaction weight, these weight savings translate directly to fee savings.

In addition, by using a MuSig aggregate key and signature, Alice does not reveal that she is using a multisignature scheme, which is good for her privacy and security.

#### Example 2.1.15: Shutdown the TestWrapper (and all bitcoind instances)

In [45]:
test.shutdown()

TestWrapper is not running!


**Congratulations!** In this chapter, you have:

- Learned how to create a segwit v1 output and derive its bech32m address.
- Sent bitcoin to a segwit v1 address, and then constructed a transaction that spends the segwit v1 output back to the wallet using the key path.
- Shown how using a segwit v1 MuSig output saves fees and improves privacy over using P2WSH multisig.