In [None]:
from functions import *
import json

# Script level timelocks (OP_CLTV and OP_CSV)

In this section we'll cover how to create a transaction level timelocks with `OP_CHECKLOCKTIMEVERIFY` (`OP_CTLV`) and `OP_CHECKSEQUENCEVERIFY` (`OP_CSV`).

Script level timelocks are an essential part of many layer 2 protocols such lightning HTLC transactions and cross chain atomic swaps. They build off `nLocktime` and `nSequence` by allowing the script verification to check that the spending transaction has those fields set to specific values. 

## Prerequisite knowledge
- For all notebooks:
    - A high level understanding of the bitcoin. e.g. [Mastering Bitcoin](https://github.com/bitcoinbook/bitcoinbook) by Andreas Antonopoulos UTXO model, in particular [Chapter 6](https://github.com/bitcoinbook/bitcoinbook/blob/develop/ch06.asciidoc).
    - A conceptual understanding of [hash functions](https://www.thesslstore.com/blog/what-is-a-hash-function-in-cryptography-a-beginners-guide).
    - [Hexadecimal notation](https://inst.eecs.berkeley.edu/~cs61bl/r//cur/bits/decimal-binary-hex.html?topic=lab28.topic&step=2&course=) and [endianness](https://www.freecodecamp.org/news/what-is-endianness-big-endian-vs-little-endian/).

- Specific to this notebook:
    - SHA256, HASH256, HASH160 - '[Hash Functions chapter](https://github.com/DariusParvin/bitcoin-tx-tutorial/blob/main/appendix/hash-functions.ipynb)'
    - Base58 addresses - '[Addresses chapter](https://github.com/DariusParvin/bitcoin-tx-tutorial/blob/main/appendix/Addresses.ipynb)'
    - Bitcoin Script basics - '[Bitcoin Script chapter](https://github.com/DariusParvin/bitcoin-tx-tutorial/blob/main/appendix/Bitcoin%20Script.ipynb)'
    - TestShell setup - '[P2PKH chapter](https://github.com/DariusParvin/bitcoin-tx-tutorial/blob/main/chapter1-legacy/p2pkh.ipynb)'


### Further Reading
- https://medium.com/summa-technology/bitcoins-time-locks-27e0c362d7a1


### Scenario
We will use the same scenario as with the transaction-level timelock example:

> Kim is an old grandmother who wants to pass some of her wealth (0.1 btc) on to her grandson, Peter. However, Peter is still a child and Kim doesn't trust Peter to spend his bitcoin wisely. Kim would rather wait until Peter turns 18 before he's able to spend his bitcoin. Kim doesn't know how much longer she'll be around for, and she doesn't trust anyone else to handle her money. To give Peter bitcoin in a way which will only allow him to spend it once he's 18, Kim will do this by giving Peter a signed transaction for 0.1 btc with an absolute timelock set to expire on his 18th birthday.

> Note that 1 year corresponds to about 50,000 blocks. To save us having to mine tens of thousands of regtest blocks (which may take a few minutes), we'll instead suppose Peter's 18th birthday is happening much sooner, at block 500.

In the previous notebook we achieved this by using transaction-level timelocks. There were a some potential downsides of this solution however:
- Although Peter has a valid signed transaction from Kim, it is possible that she, or someone with access to her private key, may spend the input before Peter is able to broadcast his transaction. 
- Since the timelocks were on a transaction level, any additional outputs would be encumbered by the same timelock. 
- Peter has to safely store the signed transaction until it can be broadcast.

A better solution in this case would be to use script-level timelocks. The OP_CODES `OP_CHECKLOCKTIMEVERIFY`  
and `OP_CHECKSEQUENCEVERIFY` are included in the redeemScript and can enforce that the spending transaction uses a specific value for `nLocktime` or `nSequence` respectively. 

### Create a script using OP_CHECKLOCKTIMEVERIFY

We'll create the script that Kim and Peter will agree on to send the bitcoin to. Peter wants to ensure that his public key is included in the script, so that he can create the signature for it, and Kim wants to be sure that the script has a timelock on it. 

In [None]:
# Set a public key for the receiver (Peter)
receiver_privkey = bytes.fromhex("2222222222222222222222222222222222222222222222222222222222222222")
receiver_pubkey = privkey_to_pubkey(receiver_privkey)

# let's suppose Peter's 18th birthday is estimated to happen at block 500
locktime_int = 500
locktime = locktime_int.to_bytes(4, byteorder="little", signed=False)
locktime_val = locktime_int.to_bytes(2, byteorder="little", signed=False)

sequence = bytes.fromhex("ffff fffe")
print("sequence: ", sequence.hex())

redeemScript = (
    varint_len(locktime_val)
    + locktime_val
    + bytes.fromhex("b1") # OP_CLTV
    + bytes.fromhex("75") # OP_DROP
    + pushbytes(receiver_pubkey)
    + bytes.fromhex("ac"))

print(redeemScript.hex())

#### Convert the redeemScript to a P2WSH address

For more on this step, review the 'Addresses' notebook.

In [None]:
address_to_spend = script_to_p2wsh(redeemScript, "regtest")
print(address_to_spend)

#### Create Peter's utxo with 0.1 btc
Now that we have the address, we'll fund it using the `TestShell` commands. For more on these steps you can view the [function definitions](https://github.com/DariusParvin/bitcoin-tx-tutorial/blob/main/functions/setup_testshell.py) or look at the first [P2PKH notebook](https://github.com/DariusParvin/bitcoin-tx-tutorial/blob/main/chapter1-legacy/p2pkh.ipynb) example.

In [None]:
node = setup_testshell()
txid_to_spend, index_to_spend = fund_address(node, address_to_spend, 0.1)
print(f"txid: {txid_to_spend}, {index_to_spend}")

## Spending a P2WSH time-locked UTXO

Now that we have some funds locked up in a P2WSH utxo with a timelock, we can create a transaction spending from it. Let's say Peter wants to send 0.099 btc to the address `mkxwE7XtVYJKepoD2hbHnDjftuMQ1k6deE`.

From our previous examples we know this corresponds to a scriptPubkey of `76a9143bc28d6d92d9073fb5e3adf481795eaf446bceed88ac`.

In [None]:
output1_spk = bytes.fromhex("76a9143bc28d6d92d9073fb5e3adf481795eaf446bceed88ac")
output1_value_sat = int(float("0.099") * 100000000)

### Create an unsigned transaction

Using the values for `nLocktime` that we set above `nSequence`, we'll create the unsigned transaction and sign it in the same way we did when creating a regular P2WSH transaction. Note that the value for `nLocktime` must be a 4 byte integer, whereas the value preceeding `OP_CHECKLOCKTIMEVERIFY` must be a variable length integer.

In [None]:
# VERSION
# version '2' indicates that we may use relative timelocks (BIP68)
version = bytes.fromhex("0200 0000")

# MARKER (new to segwit)
marker = bytes.fromhex("00")

# FLAG (new to segwit)
flag = bytes.fromhex("01")

# INPUTS
# We have just 1 input
input_count = bytes.fromhex("01")

# Convert txid and index to bytes (little endian)
txid = (bytes.fromhex(txid_to_spend))[::-1]
index = index_to_spend.to_bytes(4, byteorder="little", signed=False)

# For the unsigned transaction we use an empty scriptSig
scriptsig = bytes.fromhex("")

# SEQUENCE
# set above

inputs = (
    txid
    + index
    + varint_len(scriptsig)
    + scriptsig
    + sequence
)

# OUTPUTS
output_count = bytes.fromhex("01")

# OUTPUT 1 
output1_value = output1_value_sat.to_bytes(8, byteorder="little", signed=True)
# 'output1_spk' already defined at the start of the script

outputs = (
    output1_value
    + varint_len(output1_spk)
    + output1_spk
)

# LOCKTIME
# set above

unsigned_tx = (
    version
    + input_count
    + inputs
    + output_count
    + outputs
    + locktime
)
print("unsigned_tx: ", unsigned_tx.hex())

### Signing the transaction

Segwit transaction signing scheme described in [BIP143](https://github.com/bitcoin/bips/blob/master/bip-0143.mediawiki)


In [None]:
input_amount_sat = int(0.1 * 100_000_000)
value = input_amount_sat.to_bytes(8, byteorder="little", signed=False)

hashPrevOuts = hash256(txid + index)
hashSequence = hash256(sequence)
hashOutputs = hash256(outputs)
sighash_type = bytes.fromhex("0100 0000") # SIGHASH_ALL

tx_digest_preimage = (
    version
    + hashPrevOuts
    + hashSequence
    + txid
    + index
    + varint_len(redeemScript)
    + redeemScript
    + value
    + sequence
    + hashOutputs
    + locktime
    + sighash_type
)
print(tx_digest_preimage.hex())

Hash this transaction and produce an ecdsa signature on it. 

In [None]:
# Create sigHash to be signed
sighash = hash256(tx_digest_preimage)

# Sign the sigHash with the input private key
signing_key = ecdsa.SigningKey.from_string(receiver_privkey, curve=ecdsa.SECP256k1) 
signature = signing_key.sign_digest(sighash, sigencode=ecdsa.util.sigencode_der_canonize)

# Append SIGHASH_ALL to the signature
signature = signature + bytes.fromhex("01")

# Witness field
witness = (
    # indicate the number of stack items
    bytes.fromhex("02")
    + pushbytes(signature)
    + pushbytes(redeemScript)
)

# tx_in with our new sigScript containing the signature we just created
inputs_signed = (
    txid
    + index
    + varint_len(scriptsig)
    + scriptsig
    + sequence
)

# the final signed transaction
signed_tx = (
    version
    + marker
    + flag
    + input_count
    + inputs_signed
    + output_count
    + outputs
    + witness
    + locktime
)

print("signed transaction: ",signed_tx.hex())

### Scenario
The `OP_CHECKLOCKTIMEVERIFY` OP_CODE in the script is essentially forcing the transaction spending from it (Peter's transaction) to have `nLocktime` (and `nSequence` not set to `0xffffffff`) set in the transaction spending from it. Therefore Peter's transaction will behave as we expect for a transaction that has a transaction-level timelock.

If he were to try broadcasting the transaction at the current height (102), it would result in the following `non-final` error.

In [None]:
height = node.getblockcount()
print("Blockchain height: ", height)

result = node.testmempoolaccept(rawtxs=[signed_tx.hex()])
print(result)

Now we'll simulate 398 blocks passing (to reach block 500), and see what happens if Peter tries to broadcast his transaction again.

In [None]:
node.generate(398, invalid_call=False)
height = node.getblockcount()
print("Blockchain height: ", height)

result = node.testmempoolaccept(rawtxs=[signed_tx.hex()])
print(result)

This time the transaction is successfully broadcasted and Peter has successfully spent his script-level, time-locked output. 

To view the decoded transaction, uncomment the lines below.

In [None]:
decoded = node.decoderawtransaction(signed_tx.hex())
print(json.dumps(decoded, indent=2, default=str))

## Script-level relative timelocks (OP_CHECKSEQUENCEVERIFY)

Similar to how `OP_CHECKLOCKTIMEVERIFY` enforces the transaction spending that output to set an absolute locktime with `nLocktime`, `OP_CHECKSEQUENCEVERIFY` enforces the transaction spending that output to set a relative timelock with `nSequence`.

In the scenario we just covered, Kim could have achieved the same outcome but using a relative timelock instead. The only difference would be that the delay would be specified relative to when the input was confirmed, rather than the absolute block height. 

Note that `version` must be set to **`2`** for relative timelocks to be enabled.

### Exercise
Repeat the scenario above, but using `OP_CHECKSEQUENCEVERIFY` to enforce the delay.

Hint: the block chain starts off at block 102, so the relative timelock should be set to 398 blocks for the transaction to be broadcastable at block 500.

Hint 2: nSequence is a 32 bit unsigned integer, so you can use the same `.to_bytes` method used to convert `locktime_int` to `locktime` in the previous example.


#### Solution for running with nSequence
```
locktime_int = 0
locktime = locktime_int.to_bytes(4, byteorder="little", signed=False)

sequence_int = 398
sequence = sequence_int.to_bytes(4, byteorder="little", signed=False)
sequence_val = sequence_int.to_bytes(2, byteorder="little", signed=False)

redeemScript = (
    varint_len(sequence_val)
    + sequence_val
    + bytes.fromhex("b2") # OP_CSV
    + bytes.fromhex("75") # OP_DROP
    + pushbytes(receiver_pubkey)
    + bytes.fromhex("ac"))

```

## Quiz

- 1. Earlier we learned that setting `nSequence` to `0xffffffff` disables `nLocktime`, so what would happen if you tried setting `nSequence` to `0xffffffff` when spending from an input that uses `OP_CLTV`?
- 2. What information does Peter need to hold on to in order to spend from the outputs in these examples?

## Answers
- 1. The transaction would be invalid as `OP_CLTV` checks that `nSequence` in the spending transaction is not set to `0xffffffff`.
- 2. He needs his private key to sign the transaction, and the redeem script.
