In [50]:
import util
from test_framework.address import program_to_witness
from test_framework.key import generate_key_pair, generate_bip340_key_pair, generate_schnorr_nonce
from test_framework.messages import CTxInWitness, sha256
from test_framework.musig import aggregate_musig_signatures, aggregate_schnorr_nonces, generate_musig_key, sign_musig
from test_framework.script import CScript, CScriptOp, hash160, OP_0, OP_2, OP_CHECKMULTISIG, SegwitV0SignatureHash, SIGHASH_ALL, SIGHASH_ALL_TAPROOT, TaprootSignatureHash

# 2.1 Taproot Outputs

* Part 1 (Example): Sending to and spending from a single-signer segwit v1 output
* Part 2 (Case Study): Migrating from a 2-of-2 P2WSH output to a MuSig segwit v1 output

In this chapter, we introduce segwit v1 outputs, which are defined in [BIP341](https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki). Segwit v1 outputs can be spent in two ways:

* **Key path** spending, which treats the witness program as a public key, and permits spending using a signature from that public key.
* **Script path** spending, which allows a pre-committed script to be used to spend the output. Script path spending will be fully described in chapters 2.2, 2.3 and 2.4.

By using the MuSig pubkey and signature aggregation protocol described in chapter 1.2, key path spending can be used to encumber an output to an n-of-n multisig policy in a way that is indistinguishable from a single-key output and spend.

Part 1 of this chapter is an example of sending funds to a segwit v1 address using the Bitcoin Core wallet, and then manually constructing a transaction that spends that output using the new BIP341 key path spending rules.

Part 2 of this chapter is a case study, showing how using a segwit v1 output with MuSig can provide cost and privacy benefits over using a segwit P2WSH output.

## Part 1 (Example): Single-signer segwit v1 output

Segwit v1 follows the same output script pattern as segwit v0:

* Segwit output: **`[1B Version]` `[segwit program]`**
* Segwit v0 output: **`[00]` `[20-Byte public key digest]`** (P2WPKH) or **`[00]` `[32-Byte script digest]`** (P2WSH)
* Segwit v1 output: **`[01]` `[32-Byte public key]`**

### Spending a segwit v1 output with the key path

Unlike segwit v0 outputs, v1 outputs look the same for script or key paths(unlike v0 which separates into P2WPKH and P2WSH). In this chapter we will focus on spending the key path.

![test](images/segwit_version1_0.jpg)

The output can be spent along the **key path** by providing a valid signature for the pubkey in the output's scriptPubKey. The spending witness is simply **`[sig]`**.

The output can be spent along the **script path** if public key was tweaked with a valid taproot. See chapters 2.2 and 2.3 for further details.

#### 2.1.1 Example: Constructing a segwit v1 output

In this example, we construct segwit v1 output for spending along the key path. We generate a key pair, encode the public key using the BIP340 and BIP341 pubkey encoding rules, and then encode the witness version and witness program to a bech32m address.

In [51]:
# Key pair generation
privkey, pubkey = generate_bip340_key_pair()
print("Pubkey is {}\n".format(pubkey.get_bytes().hex()))

# Create witness program ([32B x-coordinate])
program = pubkey.get_bytes()
print("Witness program is {}\n".format(program.hex()))

# Create (regtest) bech32m address
version = 0x01
address = program_to_witness(version, program)
print("bech32m address is {}".format(address))

Pubkey is e85c0663f7b10f50d2d7c58947877c36cd00c7282f4aedd6767e423476ede099

Witness program is e85c0663f7b10f50d2d7c58947877c36cd00c7282f4aedd6767e423476ede099

bech32m address is bcrt1papwqvclhky84p5khcky50pmuxmxsp3eg9a9wm4nk0eprgahduzvs9ew7ky


### Sending funds from the Bitcoin Core wallet

Next, we send funds to the segwit v1 address that we just generated. We'll create send the funds from a Bitcoin Core wallet, which is able to send outputs to segwit v1 addresses.

#### Example 2.1.2: Start Bitcoin Core node and send coins to the taproot address

Only run setup once, or after a clean shutdown.

In [52]:
# Start node
test = util.TestWrapper()
test.setup()
node = test.nodes[0]

# Generate coins and create an output
tx = node.generate_and_send_coins(address)
print("Transaction {}, output 0\nsent to {}\n".format(tx.hash, address))

TestWrapper is already running!

Client version is /Satoshi:24.99.0(testnode0)/

Balance: 5099.00000000

Transaction f47500d8def7e5af18ca7ba062ab9bc8e694377e5a397f6267198c38de0c21dd, output 0
sent to bcrt1papwqvclhky84p5khcky50pmuxmxsp3eg9a9wm4nk0eprgahduzvs9ew7ky



### Constructing a transaction to spend the segwit v1 output

We are now going to manually contruct, sign and broadcast a transaction which spends the segwit v1 output.

To do that we create a `CTransaction` object and populate the data members:

 * `nVersion`
 * `nLocktime`  
 * `tx_vin` (list of `CTxIn` objects)
 * `tx_vout` (list of `CTxOut` objects)
 * `tx.wit.vtxinwit` (list of `CTxInWitness` objects)

#### Example 2.1.3: Construct `CTransaction` and populate fields

We use the `create_spending_transaction(node, txid)` convenience function.

In [53]:
# Create a spending transaction
spending_tx = test.create_spending_transaction(tx.hash)
print("Spending transaction:\n{}".format(spending_tx))

Spending transaction:
CTransaction(nVersion=1 vin=[CTxIn(prevout=COutPoint(hash=f47500d8def7e5af18ca7ba062ab9bc8e694377e5a397f6267198c38de0c21dd n=0) scriptSig= nSequence=0)] vout=[CTxOut(nValue=0.50000000 scriptPubKey=0014c00e0786f45cdc2fc268701fb5f6b2b23f1badd6)] wit=CTxWitness() nLockTime=0)


#### Example 2.1.4: Sign the transaction with a schnorr signature

BIP341 defines the following sighash flags:
* Legacy sighash flags:
  * `0x01` - **SIGHASH_ALL**
  * `0x02` - **SIGHASH_NONE**
  * `0x03` - **SIGHASH_SINGLE**
  * `0x81` - **SIGHASH_ALL | SIGHASH_ANYONECANPAY**
  * `0x82` - **SIGHASH_NONE | SIGHASH_ANYONECANPAY**
  * `0x83` - **SIGHASH_SINGLE | SIGHASH_ANYONECANPAY**
* New sighash flag:
  * `0x00` - **SIGHASH_ALL_TAPROOT** same semantics `0x01` **SIGHASH_ALL**

Append the sighash flag to the signature `[R_x, s]` with the sighash byte if not `0x00`.

In [56]:
# Generate the taproot signature hash for signing
# SIGHASH_ALL_TAPROOT is 0x00
sighash = TaprootSignatureHash(spending_tx, [tx.vout[0]], SIGHASH_ALL_TAPROOT, input_index=0)
 
# All schnorr sighashes except SIGHASH_ALL_TAPROOT require
# the hash_type appended to the end of signature
sig = privkey.sign_schnorr(sighash)

print("Signature: {}".format(sig.hex()))

Signature: e6fb9f413058b39d48e53c5678818b4a1993e2eb51a8c0d868ee3e82589687b9068a5ee4055980bda5e92d815fa20f5f2531ec664bdc418ff0875b409acaf90d


#### Example 2.1.5: Add the witness and test acceptance of the transaction

In [57]:
# Construct transaction witness
spending_tx.wit.vtxinwit.append(CTxInWitness([sig]))

print("Spending transaction:\n{}\n".format(spending_tx))
 
# Test mempool acceptance
node.test_transaction(spending_tx)
print("Success!")

Spending transaction:
CTransaction(nVersion=1 vin=[CTxIn(prevout=COutPoint(hash=f47500d8def7e5af18ca7ba062ab9bc8e694377e5a397f6267198c38de0c21dd n=0) scriptSig= nSequence=0)] vout=[CTxOut(nValue=0.50000000 scriptPubKey=0014c00e0786f45cdc2fc268701fb5f6b2b23f1badd6)] wit=CTxWitness(CScriptWitness(e6fb9f413058b39d48e53c5678818b4a1993e2eb51a8c0d868ee3e82589687b9068a5ee4055980bda5e92d815fa20f5f2531ec664bdc418ff0875b409acaf90d);CScriptWitness(e6fb9f413058b39d48e53c5678818b4a1993e2eb51a8c0d868ee3e82589687b9068a5ee4055980bda5e92d815fa20f5f2531ec664bdc418ff0875b409acaf90d)) nLockTime=0)

{'txid': '45b43557eb93ab549a996889ad1a1df67a1336c6f52a55717d967e1e9e653d97', 'wtxid': '0b12f2d19b15edf22d013405ed8e2103944f33872223bd0d68cf9b90a732d864', 'allowed': True, 'vsize': 99, 'fees': {'base': Decimal('0.50000000')}}
Success!


#### Example 2.1.6: Shutdown the TestWrapper (and all bitcoind instances)

In [58]:
test.shutdown()

2023-01-20T12:28:51.663000Z TestFramework./tmp/bitcoin_func_test_u_i9ceh2 (INFO): Stopping nodes
2023-01-20T12:28:51.820000Z TestFramework./tmp/bitcoin_func_test_u_i9ceh2 (INFO): Cleaning up /tmp/bitcoin_func_test_u_i9ceh2 on exit
2023-01-20T12:28:51.820000Z TestFramework./tmp/bitcoin_func_test_u_i9ceh2 (INFO): Tests successful


## Part 2 (Case Study): 2-of-2 multisig

Alice stores her bitcoin using a combination of an offline hardware wallet and online wallet. She currently uses P2WSH 2-of-2 multisig, which has some drawbacks:

- spending a P2WSH multisig output is more expensive than spending a single signature P2WPKH output, since multiple pubkeys and signatures need to be included in the witness
- spending from the P2WSH output reveals that the coins were encumbered using a multisig setup. Anyone who transacted with Alice (paid or was paid by) can see this easily, and even entities who do not transact directly with Alice can discover this with some chain analysis. Revealing her wallet setup may be bad for Alice's privacy and safety.

In this chapter, we'll show how Alice can move to using a MuSig aggregated public key, eventually saving her transaction fees and protecting her privacy.

### Spending a segwit v0 P2SH 2-of-2 multisig

We'll first show Alice's current setup: P2WSH 2-of-2 multisig.

#### Example 2.1.7: Construct a 2-of-2 P2WSH output

In this example, we'll construct a 2-of-2 P2WSH output and address

In [59]:
# Generate individual key pairs
privkey1, pubkey1 = generate_key_pair()
privkey2, pubkey2 = generate_key_pair()

# Create the spending script
multisig_script = CScript([CScriptOp(OP_2), pubkey1.get_bytes(bip340=False), pubkey2.get_bytes(bip340=False), CScriptOp(OP_2), CScriptOp(OP_CHECKMULTISIG)])

# Hash the spending script
script_hash = sha256(multisig_script)

# Generate the address
version = 0
address = program_to_witness(version, script_hash)
print("bech32 address is {}".format(address))

bech32 address is bcrt1qkjham7kngsjfcxukd4anerysgcfm4a54mze9qzrgfl0t09992rxsny6r3q


#### Example 2.1.8: Start a Bitcoind node and send funds to the segwit v0 address

We'll use the `generate_and_send_coins()` function.

In [60]:
test = util.TestWrapper()
test.setup()
node = test.nodes[0]

# Generate coins and create an output
tx = node.generate_and_send_coins(address)
print("Transaction {}, output 0\nsent to {}\n".format(tx.hash, address))

2023-01-20T12:28:56.530000Z TestFramework./tmp/bitcoin_func_test_e7k9qu8e (INFO): Initializing test directory /tmp/bitcoin_func_test_e7k9qu8e

Client version is /Satoshi:24.99.0(testnode0)/

Balance: 50.00000000

Transaction 73dadb5103fc4b39e077dcaa2e22e7a5d5c579cffefab86f01596e2ba4266f3a, output 0
sent to bcrt1qkjham7kngsjfcxukd4anerysgcfm4a54mze9qzrgfl0t09992rxsny6r3q



#### Example 2.1.9 : Construct CTransaction, sign and check validity

In this example we:
- create a `CTransaction` object
- create signatures for both public keys
- create a valid witness using those signatures and add it to the transaction
- test transaction validity

In [61]:
# Create a spending transaction
spending_tx = test.create_spending_transaction(tx.hash)

# Generate the segwit v0 signature hash for signing
sighash = SegwitV0SignatureHash(script=multisig_script,
                                txTo=spending_tx,
                                inIdx=0,
                                hashtype=SIGHASH_ALL,
                                amount=100_000_000)

# Sign using ECDSA and append the SIGHASH byte
sig1 = privkey1.sign_ecdsa(sighash) + chr(SIGHASH_ALL).encode('latin-1')
sig2 = privkey2.sign_ecdsa(sighash) + chr(SIGHASH_ALL).encode('latin-1')

print("Signatures:\n- {},\n- {}\n".format(sig1.hex(), sig2.hex()))

# Construct witness and add it to the script.
# For a multisig P2WSH input, the script witness is the signatures and the scipt
witness_elements = [b'', sig1, sig2, multisig_script]
spending_tx.wit.vtxinwit.append(CTxInWitness(witness_elements))

print("Spending transaction:\n{}\n".format(spending_tx))

print("Transaction weight: {}\n".format(node.decoderawtransaction(spending_tx.serialize().hex())['weight']))

# Test mempool acceptance
assert node.test_transaction(spending_tx)
print("Success!")

Signatures:
- 3045022100eac4518f635dfc7dfb3968f5f23e9f7886cdfa2e76008c0c50842cdadb01f5fc022029f1ca98577afc1c160f2f333b892484856e44ac99704bf0289e6190004aebb601,
- 304402200f13df0f28944b0f648e6c29adada9f2c4f5e514aee3094e352f0ec0590d27c30220088c382c64817f753351ee8bfcc1de2a12f722a11c90ba22ae728e92e46d1c8001

Spending transaction:
CTransaction(nVersion=1 vin=[CTxIn(prevout=COutPoint(hash=73dadb5103fc4b39e077dcaa2e22e7a5d5c579cffefab86f01596e2ba4266f3a n=0) scriptSig= nSequence=0)] vout=[CTxOut(nValue=0.50000000 scriptPubKey=00144c4db6831a13fb833c6d7f097b56ba42c9964ed9)] wit=CTxWitness(CScriptWitness(,3045022100eac4518f635dfc7dfb3968f5f23e9f7886cdfa2e76008c0c50842cdadb01f5fc022029f1ca98577afc1c160f2f333b892484856e44ac99704bf0289e6190004aebb601,304402200f13df0f28944b0f648e6c29adada9f2c4f5e514aee3094e352f0ec0590d27c30220088c382c64817f753351ee8bfcc1de2a12f722a11c90ba22ae728e92e46d1c8001,522102c3e9e609290808fc16f3eae4aa236c4e73b38426c26a9724421e2a3fa9c831b621030bd3df857e0b325baf5e74b95cebcd5d4ad

#### Example 2.1.10: Shutdown the TestWrapper (and all bitcoind instances)

In [62]:
test.shutdown()

2023-01-20T12:28:59.663000Z TestFramework./tmp/bitcoin_func_test_e7k9qu8e (INFO): Stopping nodes
2023-01-20T12:28:59.866000Z TestFramework./tmp/bitcoin_func_test_e7k9qu8e (INFO): Cleaning up /tmp/bitcoin_func_test_e7k9qu8e on exit
2023-01-20T12:28:59.868000Z TestFramework./tmp/bitcoin_func_test_e7k9qu8e (INFO): Tests successful


### Spending a segwit v1 output with a MuSig public key

Now, we'll use Alice's same keys to create a MuSig aggregate key, and spend a segwit v1 output using that aggregate key.

#### 2.1.11 _Programming Exercise:_ Generate segwit v1 addresses for a 2-of-2 MuSig aggregate pubkey

In this exercise, we create a 2-of-2 aggregate MuSig public key

In [63]:
# Generate a 2-of-2 aggregate MuSig key using the same pubkeys as before
# Method: generate_musig_key(ECPubKey_list)
c_map, agg_pubkey = generate_musig_key([pubkey1,pubkey1])  # TODO: implement

# Multiply individual keys with challenges
privkey1_c = c_map[pubkey1] * privkey1 # TODO: implement
privkey2_c = c_map[pubkey1] * privkey2 # TODO: implement
pubkey1_c = c_map[pubkey1] * pubkey1 # TODO: implement
pubkey2_c = c_map[pubkey1] * pubkey1  # TODO: implement

# Negate the private and public keys if needed
if agg_pubkey.get_y() %2 !=0:  # TODO: implement
    privkey1_c.negate()
    privkey2_c.negate()
    pubkey1_c.negate()
    pubkey2_c.negate()
    # TODO: implement
    
# Create a segwit v1 address for the MuSig aggregate pubkey
# Method: address = program_to_witness(version_int, program_bytes)
version = 1
program_musig = agg_pubkey.get_bytes() # TODO: implement
address_musig = program_to_witness(version, program_musig) # TODO: implement
print("2-of-2 musig: ", address_musig)

2-of-2 musig:  bcrt1pfkzclfzz4d7zjqyt5g2nz33686353enenh0qchus9w7rx8ktzgaq2t7hue


#### Example 2.1.12: Create a transaction in the Bitcoin Core wallet sending an output to the segwit v1 addresses

In [64]:
test = util.TestWrapper()
test.setup()
node = test.nodes[0]

# Generate coins and create an output
tx = node.generate_and_send_coins(address_musig)
print("Transaction {}, output 0\nsent to {}\n".format(tx.hash, address_musig))

2023-01-20T12:29:08.222000Z TestFramework./tmp/bitcoin_func_test_xmwvfu6i (INFO): Initializing test directory /tmp/bitcoin_func_test_xmwvfu6i

Client version is /Satoshi:24.99.0(testnode0)/

Balance: 50.00000000

Transaction bb75d9e4f7b334ea00a57696eaf3b72352a84894faa88623e17e1c73951e633a, output 0
sent to bcrt1pfkzclfzz4d7zjqyt5g2nz33686353enenh0qchus9w7rx8ktzgaq2t7hue



#### Example 2.1.13 : Construct CTransaction and populate fields

In [65]:
# Create a spending transaction
spending_tx = test.create_spending_transaction(tx.hash)
print("Spending transaction:\n{}".format(spending_tx))

Spending transaction:
CTransaction(nVersion=1 vin=[CTxIn(prevout=COutPoint(hash=bb75d9e4f7b334ea00a57696eaf3b72352a84894faa88623e17e1c73951e633a n=0) scriptSig= nSequence=0)] vout=[CTxOut(nValue=0.50000000 scriptPubKey=00143947fcc4b0396fe0b308e87909a0bc2895706e20)] wit=CTxWitness() nLockTime=0)


#### 2.1.14 _Programming Exercise:_ Create a valid BIP340 signature for the MuSig aggregate pubkey

In this exercise, we create a signature for the aggregate pubkey, add it to the witness, and then test that the transaction is accepted by the mempool.

In [66]:
# Create sighash for ALL (0x00)
sighash_musig = TaprootSignatureHash(spending_tx, [tx.vout[0]], SIGHASH_ALL_TAPROOT, input_index=0)

# Generate individual nonces for participants and an aggregate nonce point
# Remember to negate the individual nonces if necessary
# Method: generate_schnorr_nonce()
# Method: aggregate_schnorr_nonces(nonce_list)
nonce1 =  generate_schnorr_nonce() # TODO: implement
nonce2 =  generate_schnorr_nonce() # TODO: implement

R_agg = nonce1.get_pubkey() + nonce2.get_pubkey()  # TODO: implement

if R_agg.get_y() %2 != 0:
    nonce1.negate()
    nonce2.negate()
    R_agg.negate()
# Create an aggregate signature
# Method: sign_musig(privkey, nonce, R_agg, agg_pubkey, sighash_musig)
# Method: aggregate_musig_signatures(partial_signature_list, R_agg)
s1 = sign_musig(privkey1_c, nonce1, R_agg, agg_pubkey, sighash_musig) # TODO: implement
s2 = sign_musig(privkey2_c, nonce2, R_agg, agg_pubkey, sighash_musig) # TODO: implement
sig_agg = aggregate_musig_signatures([s1,s2], R_agg)
# TODO:implement

print("Aggregate signature is {}\n".format(sig_agg.hex()))

# Add witness to transaction
# witness = sig_agg.sign_schnorr(sighash_musig)
spending_tx.wit.vtxinwit.append(CTxInWitness([sig_agg]))# TODO: implement

# # # Get transaction weight
print("Transaction weight: {}\n".format(node.decoderawtransaction(spending_tx.serialize().hex())['weight']))

# # # Test mempool acceptance
# assert node.test_transaction(spending_tx)
print("Success!")

Aggregate signature is d6e6a243b34ece0207f34d3588a8c867c88f303f9b482640e872adb6e36a85055758500536e9968f7aef1da0ec7d26b42a7dfe6fa1157110802620c0de1c1a9f

Transaction weight: 396

Success!


### Benefits of using segwit v1 MuSig over segwit v0 P2WSH

You can see that the transaction weight of the transaction spending the v1 MuSig output is about 30% lower than the transaction spending the v0 P2WSH output. For larger n-of-n multisig, the weight savings is even larger. Since transaction fees are based on the transaction weight, these weight savings translate directly to fee savings.

In addition, by using a MuSig aggregate key and signature, Alice does not reveal that she is using a multisignature scheme, which is good for her privacy and security.

#### Example 2.1.15: Shutdown the TestWrapper (and all bitcoind instances)

In [67]:
test.shutdown()

2023-01-20T12:30:06.420000Z TestFramework./tmp/bitcoin_func_test_xmwvfu6i (INFO): Stopping nodes
2023-01-20T12:30:06.524000Z TestFramework./tmp/bitcoin_func_test_xmwvfu6i (INFO): Cleaning up /tmp/bitcoin_func_test_xmwvfu6i on exit
2023-01-20T12:30:06.525000Z TestFramework./tmp/bitcoin_func_test_xmwvfu6i (INFO): Tests successful


**Congratulations!** In this chapter, you have:

- Learned how to create a segwit v1 output and derive its bech32m address.
- Sent bitcoin to a segwit v1 address, and then constructed a transaction that spends the segwit v1 output back to the wallet using the key path.
- Shown how using a segwit v1 MuSig output saves fees and improves privacy over using P2WSH multisig.