# Transaction Creation and Validation

## Finite Field

Mathematically, a finite field is defined as a finite set of numbers and two operations + (addition) and ⋅ (multiplication) that satisfy the following:

1. If $a$ and $b$ are in the set, $a + b$ and $a ⋅ b$ are in the set.We call this property closed.
2. $0$ exists and has the property $a + 0 = a$. We call this the additive identity.
3. $1$ exists and has the property $a ⋅ 1 = a$. We call this the multiplicative identity.
4. If $a$ is in the set, $–a$ is in the set, which is defined as the value that makes $a + (–a) = 0$.This is what we call the additive inverse.
5. If $a$ is in the set and is not $0$, $a^{–1}$ is in the set, which is defined as the value that makes $a ⋅ a^{–1} = 1$.This is what we call the multiplicative inverse.

If the order (or size) of the set is $p$, we can call the elements of the set, $0, 1, 2, … p – 1$. Here $p$ is a prime number. In math notation the finite field set looks like this:

$$\Large F_p = \{0, 1, 2, ... p–1\}$$

A finite field of order 11 looks like this, $F_{11} = \{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10\}$

A finite field of order 983 looks like this, $F_{983} = \{0, 1, 2, ... 982\}$

![Finite Field](img\finite_field.png)

For a finite field of order $p$, where p is a prime number. Here, $\%$ is a modulo operator of programming. All the operations can only be performed between elements of the same finite field.

1. Any element $a$ = $ a \% p$. Also, $-a$ = $ -a \% p$.
2. Addition is, $( a +_f b )$ = $ (a + b) \% p $.
3. Subtraction is, $( a -_f b )$ = $ (a - b) \% p$.
4. Multiplication is, $( a ⋅_f b )$ = $ (a ⋅ b) \% p$. Also, exponentiation is $ (a ^ b) \% p$.
5. From Fermat's Little Theorem, $n^{(p–1)} \% p = 1$. Thus, $b^{–1} = b^{(p–2)}$.
6. Division is, $ ( a/_fb ) = a ⋅ {b}^{(p–2)} $


### Why Prime Fields are Useful

No matter what k you choose, as long as it’s greater than 0, multiplying the entire set by k will result in the same set as you started with.

Intuitively, the fact that we have a prime order results in every element of a finite field being equivalent. If the order of the set was a composite number, multiplying the set by one of the divisors would result in a smaller set.

In [1]:
class FieldElement:
    
    def __init__(self, num, prime):
        if num >= prime or num <0:
            error = 'Num {} not in field range 0 to {}'.format(
                num, prime - 1)
            raise ValueError(error)
        self.num = num
        self.prime = prime
            
    def __repr__(self):
        return 'FieldElement_{}({})'.format(self.prime, self.num)
    
    def __eq__(self, other):
        if other is None:
            return False
        return self.num == other.num and self.prime == other.prime
    
    def __ne__(self, other):
        if other is None:
            return False
        return self.num != other.num or self.prime != other.prime
    
    def __add__(self, other):
        if (self.prime != other.prime):
            raise TypeError('Cannot add two numbers in different Fields')
        num = (self.num + other.num) % self.prime
        return self.__class__(num, self.prime)
    
    def __sub__(self, other):
        if (self.prime != other.prime):
            raise TypeError('Cannot subtract two numbers in different Fields')
        num = (self.num - other.num) % self.prime
        return self.__class__(num, self.prime)
    
    def __mul__(self, other):
        if (self.prime != other.prime):
            raise TypeError('Cannot multiply two numbers in different Fields')
        num = (self.num * other.num) % self.prime
        return self.__class__(num, self.prime)
    
    def __pow__(self, exp):
        exp = exp % (self.prime - 1)
        # num = pow(self.num ** exp) % self.prime both are same
        num = pow(self.num, exp, self.prime)
        return self.__class__(num, self.prime)
    
    def __truediv__(self, other):
        
        if (self.prime != other.prime):
            raise TypeError('Cannot divide two numbers in different Fields')
        p = self.prime
        num = (self.num * pow(other.num, p - 2, p)) % p
        return self.__class__(num, self.prime)
    
    def __rmul__(self, coefficient):
        '''
        If the left element doesn't have a multiplication function.
        Then being the right element element, the multiplication between two elements will be done as follows.
        '''
        num = (self.num * coefficient) % self.prime
        return self.__class__(num=num, prime=self.prime)

### Elliptic Curve

An elliptic curve has equation

$$\LARGE y^{2} = x^{3} + ax + b$$

The $y^2$ term on the left side has the effect of making the graph symmetric over the x-axis.

![Elliptic Curve](img\elliptic_curve.png)


## Point Infinity

A point whose addition results a same point or Additive Identity.

$$\large I + A = A$$

## Point Addition

1. Create a line for two points.
2. Find the third intersection on the graph.
3. The refection of that point over x-axis is the result of addition.

![Adding Three Numbers](img\point_addition.png)

## Two different points $ (x_1 \neq x_2) $

$\large s = (y_2 – y_1)/(x_2 – x_1)$

$\large x_3 = s^2 – x_1 – x_2$

$\large y_3 = s(x_1 – x_3) – y_1$
    
![two_different_point_addition](img\two_different_point_addition.png)


## Tangent $P_1 = P_2$ 

$\large s = dy/dx = (3x^{2}_{1} + a)/(2y_1)$
    
$\large x_3 = s_2 – 2x_1$

$\large y_3 = s(x_1 – x_3) – y_1$

![tangent_line](img\tangent_line.png)

## Line is Perpendicular and Cuts the curve at two points $x_1 = x_2$ and $y_1 \neq y_2 $
    
$\large Point(\infty)$

![Perpendicular and Cuts two points](img\line_perpendicular.png)
    
## Line is Perpendicular and Tangent $x_1 = x_2$ and $y_1 = 0 $
    
$\large Point(\infty)$

![Tangent and Vertical](img\tangent_and_vertical.png)

## Scalar Multiplication

When a number is added with itself it results in multiplication with $2$ and goes on. Scalar Multiplication of a Point is the addition of the number with itself.

Scalar multiplication can be represented as $ kA = A + A + ... + A $, adding with itself $k-1$ times. This addition follows the above rule of adding on a Tangent Line.

If we'll keep multiplying the number with itself, it will result in $Point(infinity)$, further addition will result the number we started with.

This group is called finite cyclic group.

$$ \{ G, 2G, 3G, 4G, ... nG \}$$ where $nG = Point(\infty) $

This is the heart of elliptic curve crytography because for a very large prime number finding the scalar which can result into $Point(\infty)$ is almost impossible to find through hit and trial.

In [2]:
class Point:
    
    def __init__(self, x, y, a, b):
        self.x = x
        self.y = y
        self.a = a
        self.b = b
        
        if self.x is None and self.y is None:
            return
        if self.y**2 != self.x**3 + a*x + b:
            raise ValueError("({}, {}) are not on the curve".format(self.x, self.y))
            
    def __repr__(self):
        if self.x == None:
            return "Point(infinity)"
        elif isinstance(self.x, FieldElement):
            return 'Point({},{})_{}_{} FieldElement({})'.format(
                self.x.num, self.y.num, self.a.num, self.b.num, self.x.prime)
        else:
            return 'Point({},{})_{}_{}'.format(self.x, self.y, self.a, self.b)
        
    def __eq__(self, other):
        return self.x == other.x and self.y == other.y and self.a == other.a and self.b == other.b
    
    def __neq__(self, other):
        return self.x != other.x or self.y != other.y or self.a != other.a or self.b != other.b
    
    def __add__(self, other):
        if self.a != other.a or self.b != other.b:
            raise TypeError("Points {}, {} are not on the same curve".format(self.x, self.y))
          
        # Additive Identity A + I = A
        if self.x is None:
            return other
        if other.x is None:
            return self
        
        if self.x == other.x and self.y != other.y:
            # Line is perpendicular to x-axis and cut the graph at two points
            # Thus the third point on the line is at infinity.
            return self.__class__(None, None, self.a, self.b)
        
        if self.x != other.x:
            # Line cuts the graph at three different points
            # Addition of two points results in the reflection of third point on the line.
            # We take reflection so that addition will hold associativity
            # Addition property is commutative.
            x1, y1 = self.x, self.y
            x2, y2 = other.x, other.y
            s = (y2 - y1) / (x2 - x1)
            x3 = s**2 - x1 - x2
            y3 = s*(x1 - x3) - y1
            return self.__class__(x3, y3, self.a, self.b)
        
        if self == other and self.y == 0 * self.x:
            # Line is a tangent and perpendicuar to x-axis
            return self.__class__(None, None, self.a, self.b)
        
        if self == other:
            # Line is a tangent
            # Slope will be calculated by differentiating the equation of curve
            s = (3 * self.x**2 + self.a ) / (2 * self.y)
            x3 = s ** 2 - (2 * self.x)
            y3 = s*(self.x - x3) - self.y
            return self.__class__(x3, y3, self.a, self.b)
        
#     def __rmul__(self, coefficient):
#         product = self.__class__(None, None, self.a, self.b)
#         for _ in range(coefficient):
#             product += self
#         return product

    def __rmul__(self, coefficient):
        coef = coefficient
        current = self  
        result = self.__class__(None, None, self.a, self.b)  
        while coef:
            if coef & 1:  
                result += current
            current += current  
            coef >>= 1  
        return result

## Hashing and Encoding

### Hash 160

![Hash 160](img\hash160.png)

In [3]:
import hashlib

In [4]:
def hash256(s):
    '''two rounds of sha256'''
    return hashlib.sha256(hashlib.sha256(s).digest()).digest()

In [5]:
def hash160(s):
    '''sha256 followed by ripemd160'''
    return hashlib.new('ripemd160', hashlib.sha256(s).digest()).digest()

## Bitcoin Address

- A bitcoin address is a base58 version of the public keys.
- But, it also contains the prefix `00` and suffix `checksum`.
- If the Addresss is for mainnet, then prefix is `00` and if it's for testnet then prefix is `6F`
- When we convert hex to Base58, `00 → 1`, thus all mainnet addresses start with `1`.
![title](img\bitcoin_address.png)

In [6]:
BASE58_ALPHABET = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz'

def encode_base58(s):
    count = 0
    for c in s:
        if c == 0:
            count += 1
        else:
            break
    num = int.from_bytes(s, 'big')
    prefix = '1' * count
    result = ''
    while num > 0:
        num, mod = divmod(num, 58)
        result = BASE58_ALPHABET[mod] + result
    
    return prefix + result

In [7]:
def encode_base58_checksum(b):
    return encode_base58(b + hash256(b)[:4])

In [8]:
def decode_base58(s):
    '''Bitcoin Address --> Hash160 version of Public Key'''
    num = 0
    for c in s:
        num *= 58
        num += BASE58_ALPHABET.index(c)
    combined = num.to_bytes(25, byteorder = "big")
    checksum = combined[-4:]
    
    # Checksum is hash256(prefix + has160)
    if hash256(combined[:-4])[:4] != checksum:
        raise ValueError('bad address: {} {}'.format(checksum, hash256(combined[:4])[:4]))
        
    # Remove prefix and suffix and return it.
    return combined[1:-4]

## Conversions

### Endian

- Data is transferred through of stream of bytes.
- This stream can be read in two manners, big endian and little endian.
- This stream is represented in HEX code.
- A byte consists of 8 bits and Hex values has 4 bits. 
- 1 character of Bytes = 2 Hex Characters.

| Big Endian                             | Little Endian                              |
| :------------------------------------- | :----------------------------------------- |
| Reading Left to Right, like in numbers | Reading Right to Left, opposite of numbers |
| 124 = 1 X 100 + 2 X 10 + 4             | 124 = 4 X 100 + 2 X 10 + 1                 |
| Example, `04F6E9`                      | Example, `E9F604`                          |

Note: It doesn't results in pure reflection, instead in groups of two characters. It's because 1 Byte stores two Hex Values.

### Conversion to Little Endian

![Conversion](img\littleendianconversion.gif)

In [9]:
def little_endian_to_int(little_endian):
    return int.from_bytes(little_endian, byteorder='little')

In [10]:
def int_to_little_endian(number, length):
    return number.to_bytes(length, byteorder='little')

### Variable Integers (Varints)

The range of 1 byte is 0 - 255 (2<sup>8</sup> = 256)

So, Variable integers work by these rules:

If the number is in range

- __[ 0, 253 )__
    - Encode that number as a single byte.
    - Example, `100 → 64`.

- __[ 253,  2<sup>16</sup> - 1 )__
    - Start with the 253 (FD) in single byte.
    - Then encode the number in ***2 bytes*** in little-endian.
    - Example, `255 → FDFF00`, `555 → FD2B02`.

- __[ 2<sup>16</sup>, 2<sup>32</sup> - 1 )__
    - Start with the 254 (FE) in single byte.
    - Then encode the number in ***4 bytes*** in little-endian.
    - Example, `70015 → FE7F110100`.
    
- __[ 2<sup>32</sup>, 2<sup>64</sup> - 1 )__
    - Start with the 255 (FF) in single byte.
    - Then encode the number in ***8 bytes*** in little-endian.
    - Example, `18005558675309 → FF6DC7ED3E60100000`.

In [11]:
def read_varint(s):
    '''Compressed Stream in little endian --> int'''
    i = s.read(1)[0] # Using [0] converts the byte into integer
    if i == 0xfd:
        # 0xfd (253) means the next two bytes are the number
        return little_endian_to_int(stream.read(2))
    elif i == 0xfe:
        # 0xfe (254) means the next four bytes are the number
        return little_endian_to_int(stram.read(4))
    elif i == 0xff:
        # 0xfef (255) means the next four bytes are the number
        return little_endian_to_int(stram.read(8))
    else:
        # anything else is an integer of 1 byte
        return i
    

In [12]:
def encode_varint(i):
    '''int  --> Compressed Stream in little endian'''
    if i < 0xfd:
        return bytes([i])
    elif i < 0x10000:
        return b'\xfd' + int_to_little_endian(i, 2)
    elif i < 0x100000000:
        return b'\xfe' + int_to_little_endian(i, 4)
    elif i < 0x10000000000000000:
        return b'\xff' + int_to_little_endian(i, 8)
    else:
        raise ValueError('integer too large: {}'.format(i))

## Bitcoin Elliptic Curve Cryptography

### The secp256k1 Curve

The equation of the curve used in bitcoin is

$$\Huge y^2 = x^3 + 7 $$

![The secp256k1 over real numbers](img\secp256k1_curve.png)

### Elliptic Curve over Finite Field

The prime number for the finite field is 

$$\Large p = 2^{256} – 2^{32} – 977$$

$$\Large y^2 \% p = x^3 + 7 \% p $$

![Elliptic Curve over Finite Field](img\elliptic_curve_over_finite_field.png)

### How big is $2^{256}$?

Think of finding a private key this way: there are as many possible private keys in Bitcoin as there are atoms in a billion galaxies.

## Serialization

There are two methods of sending a Public Key or Point on the Curve.
    1. Uncompressed SEC Format (04 Marker)
    2. Compressed SEC Format (02 Marker for even, 03 Marker for odd)

### Unompressed SEC Format

![Signature in DER](img\uncompressed_sec_pub_key.png)

### Compressed SEC Format

![Signature in DER](img\compressed_sec_pub_key.png)

In [13]:
from io import BytesIO

In [14]:
P = 2**256 - 2**32 - 977

class S256Field(FieldElement):

    def __init__(self, num, prime=None):
        super().__init__(num=num, prime=P)

    def __repr__(self):
        return '{:x}'.format(self.num).zfill(64)
    
    def sqrt(self):
        return self ** ( (P+1) // 4 )

In [15]:
A = 0
B = 7

N = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141

class S256Point(Point):
    
    def __init__(self, x, y, a = None, b = None):
        a, b = S256Field(A), S256Field(B)
        
        if type(x) == int:
            super().__init__(x = S256Field(x), y = S256Field(y), a = a, b = b)
        else:
            super().__init__(x = x, y = y, a = a, b = b)
            
    def __rmul__(self, coefficient):
        coef = coefficient % N
        return super().__rmul__(coef)
    
    def verify(self, z, sig):
        r, s = sig.r, sig.s
        s_inv = pow(s, N-2, N)
        u = z * s_inv % N
        v = r * s_inv % N
        return (u*G + v*self).x.num == r 
    
    def sec(self, compressed = True):
        # big means big-endian
        if compressed:
            if self.y.num % 2 == 0:
                return b'\x02' + self.x.num.to_bytes(32, 'big')
            else:
                return b'\x03' + self.x.num.to_bytes(32, 'big')
        else:
            return b'\x04' + self.x.num.to_bytes(32, 'big') + self.y.num.to_bytes(32, 'big') 
        
    @classmethod
    def parse(self, sec_bin):
        '''returns a Point object from a SEC binary (not hex)'''
        if sec_bin[0] == 4:
            x = int.from_bytes(sec_bin[1:33], 'big')
            y = int.from_bytes(sec_bin[33:65], 'big')
            return S256Point(x=x, y=y)
        is_even = sec_bin[0] == 2
        x = S256Field(int.from_bytes(sec_bin[1:], 'big'))
        # right side of the equation y^2 = x^3 + 7
        alpha = x**3 + S256Field(B)
        # solve for left side
        beta = alpha.sqrt()
        if beta.num % 2 == 0:
            even_beta = beta
            odd_beta = S256Field(P - beta.num)
        else:
            even_beta = S256Field(P - beta.num)
            odd_beta = beta
        if is_even:
            return S256Point(x, even_beta)
        else:
            return S256Point(x, odd_beta)

        
    def hash160(self, compressed=True):
        return hash160(self.sec(compressed))
    
    def address(self, compressed=True, testnet=False):
        '''Returns the address string'''
        h160 = self.hash160(compressed)
        if testnet:
            prefix = b'\x6f'
        else:
            prefix = b'\x00'
        return encode_base58_checksum(prefix + h160)

In [16]:
Gx = 0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798
Gy = 0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8

G = S256Point(Gx, Gy)

## Signature

DER signature format is defined like this:

- Start with the `30` at first byte.
- Encode the length of the rest of the signature (usually `44` or `45`) and append.
- Append the marker byte for the r value, `02`.
- Encode r as a big-endian integer, but prepend it with the `00` byte if r’s first byte ≥ `80`. Prepend the resulting length to r. Add this to the result.
- Append the marker byte for the s value, `02`.
- Encode s as a big-endian integer, but prepend with the `00` byte if s’s first byte ≥ `80`. Prepend the resulting length to s. Add this to the result.

Note: All the values are in Hexadecimal, I've removed `0x` for the sake of reading ease.

![Signature in DER](img\der_signature.png)

In [17]:
class Signature:
    
    def __init__(self, r, s):
        self.r = r
        self.s = s
        
    def __repr__(self):
        return 'Signature({:x},{:x})'.format(self.r, self.s)
    
    def der(self):
        rbin = self.r.to_bytes(32, byteorder='big')
        rbin = rbin.lstrip(b'\x00')
        if rbin[0] & 0x80:
            rbin = b'\x00' + rbin
        result = bytes([2, len(rbin)]) + rbin
        
        sbin = self.s.to_bytes(32, byteorder = 'big')
        sbin = sbin.lstrip(b'\x00')
        if sbin[0] & 0x80:
            sbin = b'\x00' +sbin
        result += bytes([2, len(sbin)]) + sbin
        
        return bytes([0x30, len(result)]) + result
    
    @classmethod
    def parse(cls, signature_bin):
        s = BytesIO(signature_bin)
        compound = s.read(1)[0]
        if compound != 0x30:
            raise SyntaxError("Bad Signature")
        length = s.read(1)[0]
        if length + 2 != len(signature_bin):
            raise SyntaxError("Bad Signature Length")
        marker = s.read(1)[0]
        if marker != 0x02:
            raise SyntaxError("Bad Signature")
        rlength = s.read(1)[0]
        r = int.from_bytes(s.read(rlength), 'big')
        marker = s.read(1)[0]
        if marker != 0x02:
            raise SyntaxError("Bad Signature")
        slength = s.read(1)[0]
        s = int.from_bytes(s.read(slength), 'big')
        if len(signature_bin) != 6 + rlength + slength:
            raise SyntaxError("Signature too long")
        return cls(r, s)

## Private Key

- You use your private key (which is just a big random number) to generate a corresponding public key.

- You do elliptic curve multiplication using your private key, which will give you a final resting point on the elliptic curve. The `(x, y)` coordinate of this point is your public key.

- Private key is a scalar $e$ and private key is $eG=P$.

![Private Key to Public Key](img\public-key.png)

### Calculating $r$ and $s$

We first generate a random number $k$, which is an scalar. This number when multiplied by point $G$, gernerates a new Point $R(r,y)$.

That's how we generate $r$.

The methods to generate $s$ are as follows:

$$uG + vP = R = kG$$

$$uG + veG = kG$$

$$u + ve = k$$

$$z/s + re/s = k$$

$$(z + re)/s = k$$

$$s = (z + re)/k$$


### Signing in Depth

The signing procedure is as follows:

    1. We are given z and know e such that eG = P.
    2. Choose a random k.
    3. Calculate R = kG and r = x coordinate of R.
    4. Calculate s = (z + re)/k.
    5. Signature is (r,s)


### Verifying in Depth

    1. We are given (r,s) as the signature, z as the hash of the thing being signed, and P as the public key (or public point) of the signer.
    2. We calculate u = z/s, v = r/s.
    3. We calculate uG + vP = R.
    4. If R’s x coordinate equals r, the signature is valid.

### Why we don't reveal $k$

If we were to reveal k, then:

$$uG + vP = R$$

$$uG + veG = kG$$

$$kG – uG = veG$$

$$(k – u)G = veG$$

$$(k – u) = ve$$

$$(k – u)/v = e$$

It means that our secret would be revealed, which would defeat the whole purpose of the signature. We can, however, reveal $R$.

### Importance of Unique $k$

If our secret is $e$ and we are reusing $k$ to sign $z1$ and $z2$:

$$kG = (r,y)$$

$$s1 = (z1 + re) / k, s2 = (z2 + re) / k$$

$$s1/s2 = (z1 + re) / (z2 + re)$$

$$s1(z2 + re) = s2(z1 + re)$$

$$s1z2 + s1re = s2z1 + s2re$$

$$s1re – s2re = s2z1 – s1z2$$

$$e = (s2z1 – s1z2) / (rs1 – rs2)$$

If anyone sees both signatures, they can use this formula and find our secret!The [PlayStation 3](https://arstechnica.com/gaming/2010/12/ps3-hacked-through-poor-implementation-of-cryptography/) hack back in 2010 was due to the reuse of the k value in multiple signatures.

In [18]:
import hmac

In [19]:
class PrivateKey:
    
    def __init__(self, secret):
        self.secret = secret      # Private Key
        self.point = secret * G   # Public Key
        
    def hex(self):
        return '{:x}'.format(self.secret).zfill(64)
    
    def sign(self, z):
        k = self.deterministic_k(z)
        r = (k*G).x.num
        k_inv = pow(k, N-2, N)
        s = (z + r*self.secret) * k_inv % N
        if s > N/2:
            s = N - s
        return Signature(r, s)
    
    def deterministic_k(self, z):
        k = b'\x00' * 32
        v = b'\x01' * 32
        if z > N:
            z -= N
        z_bytes = z.to_bytes(32, 'big')
        secret_bytes = self.secret.to_bytes(32, 'big')
        s256 = hashlib.sha256
        k = hmac.new(k, v + b'\x00' + secret_bytes + z_bytes, s256).digest()
        v = hmac.new(k, v, s256).digest()
        k = hmac.new(k, v + b'\x01' + secret_bytes + z_bytes, s256).digest()
        v = hmac.new(k, v, s256).digest()
        while True:
            v = hmac.new(k, v, s256).digest()
            candidate = int.from_bytes(v, 'big')
            if candidate >= 1 and candidate < N:
                return candidate
            k = hmac.new(k, v + b'\x00', s256).digest()
            v = hmac.new(k, v, s256).digest()
            
    def wif(self, compressed=True, testnet=False):
        secret_bytes = self.secret.to_bytes(32, 'big')
        if testnet:
            prefix = b'\xef'
        else:
            prefix = b'\x80'
        if compressed:
            suffix = b'\x01'
        else:
            suffix = b''
        
        return encode_base58_checksum(prefix + secret_bytes + suffix)

# Transaction

Transaction ComponentsAt a high level, a transaction really only has four components.They are:

    1. Version (4 bytes)
    2. Inputs (<total-inputs><inputs>) 
    3. Outputs (<total-outputs><outputs>)
    4. Locktime (4 Bytes)

![Serialized Transaction](img\transaction_serialized.png)

In [20]:
class Tx:
    
    def __init__(self, version, tx_ins, tx_outs, locktime, testnet=False):
        self.version  = version
        self.tx_ins = tx_ins
        self.tx_outs = tx_outs
        self.locktime = locktime
        self.testnet = testnet
        
    def __repr__(self):
        tx_ins = ''
        for tx_in in self.tx_ins:
            tx_ins += tx_in.__repr__() + '\n'
        tx_outs = ''
        for tx_out in self.tx_outs:
            tx_outs += tx_out.__repr__() + '\n'
        return 'tx: {}\nversion: {}\ntx_ins:\n{}tx_outs:\n{}locktime: {}'.format(
        self.id(),
        self.version,
        tx_ins,
        tx_outs,
        self.locktime)
    
    def id(self):
        return self.hash().hex()
    
    def hash(self):
        return hash256(self.serialize())[::-1]
    
    @classmethod
    def parse(cls, s, testnet=False):
        # First 4 bytes (8 chars of hex) that stores the version
        version = little_endian_to_int(s.read(4))
        total_inputs = read_varint(s)
        inputs = [TxIn.parse(s) for _ in range(total_inputs)]
        total_outputs = read_varint(s)
        outputs = [TxOut.parse(s) for _ in range(total_outputs)]
        locktime = little_endian_to_int(s.read(4))
        return cls(version, inputs, outputs, locktime, testnet=testnet)
    
    def serialize(self):
        result = int_to_little_endian(self.version, 4)
        result += encode_varint(len(self.tx_ins))
        for tx_in in self.tx_ins:
            result += tx_in.serialize()
        result += encode_varint(len(self.tx_outs))
        for tx_out in self.tx_outs:
            result += tx_out.serialize()
        result += int_to_little_endian(self.locktime, 4)
        
        return result
    
    def fee(self):
        input_sum = sum(tx_in.value(testnet=self.testnet) for tx_in in self.tx_ins)
        output_sum = sum(tx_out.amount for tx_out in self.tx_ins)
        
        return input_sum - output_sum
    
    def sig_hash(self, input_index):
        s = int_to_little_endian(self.version, 4)
        s += encode_varint(len(self.tx_ins))
        for i, tx_in in enumerate(self.tx_ins):
            if i == input_index:
                s += TxIn(
                    prev_tx = tx_in.prev_tx,
                    prev_index = tx_in.prev_index,
                    script_sig = tx_in.script_pubkey(self.testnet),
                    sequence = tx_in.sequence
                ).serialize()
            else:
                s += TxIn(
                    prev_tx = tx_in.prev_tx,
                    prev_index = tx_in.prev_index,
                    sequence = tx_in.sequence
                ).serialize()
        s += encode_varint(len(self.tx_outs))
        for tx_out in self.tx_outs:
            s += tx_out.serialize()
        s += int_to_little_endian(self.locktime, 4)
        s += int_to_little_endian(SIGHASH_ALL, 4)
        h256 = hash256(s)
        return int.from_bytes(h256, 'big')
        
    def verify_input(self, input_index):
        tx_in = self.tx_ins[input_index]
        script_pubkey = tx_in.script_pubkey(testnet=self.testnet)
        z = self.sig_hash(input_index)
        combined = tx_in.script_sig + script_pubkey
        return combined.evaluate(z)
    
    def verify(self):
        if self.fee() < 0:
            return False
        for i in range(len(self.tx_ins)):
            if not self.verify_input(i):
                return False
        return True
    
    def sign_input(self, input_index, private_key):
        z = self.sig_hash(input_index)
        der = private_key.sign(z).der()
        sig = der + SIGHASH_ALL.to_bytes(1, 'big')
        sec = private_key.point.sec()
        self.tx_ins[input_index].script_sig = Script([sig, sec])
        return self.verify_input(input_index)

## Transaction Input

Inputs have unlocking script `ScriptSig` on them.

Transaction Inputs:

    1. Total Number of Inputs (Varint)
    2. Transaction Ins (Little Endian)

![Transaction Inputs](img\transaction_input_length.png)

The fields of an individual Transaction Input is as follows:

    1. Previous transaction ID
    2. Previous transaction index
    3. ScriptSig
    4. Sequence
    
![Individual Transaction Input](img\transaction_input.png)

Note: Locktime is ignored if the sequence numbers for every input are `FFFFFFFF`.

In [21]:
class TxIn:
    def __init__(self, prev_tx, prev_index, script_sig=None, sequence=0xffffffff):
        self.prev_tx = prev_tx
        self.prev_index = prev_index
        if script_sig is None:
            self.script_sig = Script()
        else:
            self.script_sig = script_sig
        self.sequence = sequence
        
    def __repr__(self):
        return '{}:{}'.format(
            self.prev_tx.hex(),
            self.prev_index
        )
    
    @classmethod
    def parse(cls, s):
        prev_tx = s.read(32)[::-1]
        prev_index = little_endian_to_int(s.read(4))
        script_sig = Script.parse(s)
        sequence = little_endian_to_int(s.read(4))
        
        return cls(prev_tx, prev_index, script_sig, sequence)
    
    def serialize(self):
        result = self.prev_tx[::-1]
        result += int_to_little_endian(self.prev_index, 4)
        result += self.script_sig.serialize()
        result += int_to_little_endian(self.sequence, 4)
        
        return result
    
    def fetch_tx(self, testnet=False):
        return TxFetcher.fetch(self.prev_tx.hex(), testnet=testnet)

    def value(self, testnet=False):
        '''Get the output value by looking up the tx hash.
        Returns the amount in satoshi.
        '''
        tx = self.fetch_tx(testnet=testnet)
        return tx.tx_outs[self.prev_index].amount

    def script_pubkey(self, testnet=False):
        '''Get the ScriptPubKey by looking up the tx hash.
        Returns a Script object.
        '''
        tx = self.fetch_tx(testnet=testnet)
        return tx.tx_outs[self.prev_index].script_pubkey

## Transaction Output

Outputs have locking script `ScriptPubKey` on them

Transaction Outputs:

    1. Total Number of Outputs (Varint)
    2. Transaction Outs (Little Endian)

![Transaction Outputs](img\transaction_output_length.png)

The fields of an individual Transaction Output is as follows:

    1. Amount
    2. ScriptPubKey
    
![Individual Transaction Output](img\transaction_output.png)

In [22]:
class TxOut:
    
    def __init__(self, amount, script_pubkey):
        self.amount = amount
        self.script_pubkey = script_pubkey
        
    def __repr__(self):
        return '{}:{}'.format(self.amount, self.script_pubkey)
    
    @classmethod
    def parse(cls, s):
        amount = little_endian_to_int(s.read(8))
        script_pubkey = Script.parse(s)
        return cls(amount, script_pubkey)
    
    def serialize(self):
        result = int_to_little_endian(self.amount, 8)
        result += self.script_pubkey.serialize()
        
        return result

In [23]:
import requests

In [24]:
# Dumped by the writer of the book

class TxFetcher:
    cache = {}

    @classmethod
    def get_url(cls, testnet=False):
        if testnet:
            return 'http://testnet.programmingbitcoin.com'
        else:
            return 'http://mainnet.programmingbitcoin.com'

    @classmethod
    def fetch(cls, tx_id, testnet=False, fresh=False):
        if fresh or (tx_id not in cls.cache):
            url = '{}/tx/{}.hex'.format(cls.get_url(testnet), tx_id)
            response = requests.get(url)
            try:
                raw = bytes.fromhex(response.text.strip())
            except ValueError:
                raise ValueError('unexpected response: {}'.format(response.text))
            if raw[4] == 0:
                raw = raw[:4] + raw[6:]
                tx = Tx.parse(BytesIO(raw), testnet=testnet)
                tx.locktime = little_endian_to_int(raw[-4:])
            else:
                tx = Tx.parse(BytesIO(raw), testnet=testnet)
            if tx.id() != tx_id:
                raise ValueError('not the same id: {} vs {}'.format(tx.id(), tx_id))
            cls.cache[tx_id] = tx
        cls.cache[tx_id].testnet = testnet
        return cls.cache[tx_id]

### Transaction Fees

`Fees = sum(inputs) - sum(outputs)`

Mentioned in `class Tx` as function `fee`.

### Generating z

The steps to generate the z or hash of the Transaction:

- We'll mimic the Transaction but will remove and replace some of it's contents, after that we'll hash it.
- Pick the Transaction and Input Transaction index.
- Create a stream and sppend the version in little endian to it.
- Encode the total number of input transactions in varint.
- Loop through all the input transactions and
    - if the input transaction index matches
        - Then replace the `scriptsig` with the `scriptPubKey`.
        - Remain other contents as it is.
        - Serialize it and append it.
    - else
        - Remove the `scriptsig` from that imput.
        - Remain other contents as it is.
        - Serialize it and append it.
- Encode the total number of output transactions in varint.
- Loop through all the output transactions and serialize them as it is and then append it.
- Append the Locktime in little endian.
- Append the hash type in the end of it e.g. SIGHASH_ALL(01000000)
- Hash this new modified tx stream with hash256
- Convert this hash into integer.
- This integer is `z`

Mentioned in `class Tx` as function `sig_hash`.

## Sequence and Locktime

-  If Alice pays Bob x bitcoins for something and then Bob pays Alice y bitcoins for something else (say, if x > y), then Alice can just pay Bob x – y. 
- A continuously updating mini-ledger between the two parties involved that gets settled on-chain.
- The trade transaction would start with sequence at 0 and with a far-away locktime (say, 500 blocks from now, so valid in 500 blocks).
- After the first transaction, where Alice pays Bob x bitcoins, the sequence of each input would be 1. After the second transaction, where Bob pays Alice y bitcoins, the sequence of each input would be 2.
- But It allows miner to cheat. Bob could be a miner, he could ignore the updated trade transaction with sequence number 2 and mine the trade transaction with sequence number 1, cheating Alice out of y bitcoins.
- A much better design was created later with “payment channels,” which is the basis for the Lightning Network.

# Script

A script consists of a simple stacks which can contain two types of entities:

    1. Operation
    2. Elements

In [25]:
%run op.ipynb

In [26]:
class Script:
    
    def __init__(self, cmds=None):
        if cmds is None:
            self.cmds = []
        else:
            self.cmds = cmds

    def __add__(self, other):
        # First cmds stack contains ScriptSig and next one contains ScriptPubKey
        return Script(self.cmds + other.cmds)
            
    def __repr__(self):
        result = []
        for cmd in self.cmds:
            if type(cmd) == int:
                if OP_CODE_NAMES.get(cmd):
                    name = OP_CODE_NAMES.get(cmd)
                else:
                    name = 'OP_[{}]'.format(cmd)
                result.append(name)
            else:
                result.append(cmd.hex())
        return ' '.join(result)
            
    @classmethod
    def parse(cls, s):
        '''Stream in little endian --> Stack containing elements and opcodes'''
        length = read_varint(s)
        cmds = []
        count = 0
        while count < length:
            current = s.read(1) # Whether it's an element or opcode
            count += 1
            current_byte = current[0] # Converts bytes into int
            if current_byte >= 1 and current_byte <= 75:
                # <---Basic--->
                # <current_byte><element>
                n = current_byte
                cmds.append(s.read(n))
                count += n
            elif current_byte == 76:
                # <---OP_PUSHDATA1--->
                # <current_byte><1-byte-length><element>
                data_length = little_endian_to_int(s.read(1))
                cmds.append(s.read(data_length))
                count += data_length + 1
            elif current_byte == 77:
                # <---OP_PUSHDATA2--->
                # <current_byte><2-bytes-length><element>
                data_length = little_endian_to_int(s.read(2))
                cmds.append(s.read(data_length))
                count += data_length + 2
            else:
                # <---OPCODE--->
                # <current_byte>
                op_code = current_byte
                cmds.append(op_code)
        if count != length:
            raise SyntaxError('parsing script failed')
        return cls(cmds)
    
    def raw_serialize(self):
        '''Stack of cmds --> Stream of bytes'''
        result = b''
        for cmd in self.cmds:
            if type(cmd) == int:
                # Opcode (type is int)
                result += int_to_little_endian(cmd, 1)
            else:
                # Element (type is bytes)
                length = len(cmd)
                if length <= 75:
                    result += int_to_little_endian(length, 1)
                elif length >= 76 and length <= 255:
                    result += int_to_little_endian(76, 1)
                    result += int_to_little_endian(length, 1)
                elif length >= 256 and length <= 520:
                    result += int_to_little_endian(77, 1)
                    result += int_to_little_endian(length, 2)
                else:
                    raise ValueError('too long an cmd')
                result += cmd
        return result
    
    def serialize(self):
        result = self.raw_serialize()
        total = len(result)
        
        return encode_varint(total) + result
    
    def evaluate(self, z):
        # z is signature hash
        cmds = self.cmds[:] # Copy of cmds
        stack = []
        altstack = []
        while len(cmds) > 0:
            cmd = cmds.pop(0) # Pop from genesis element
            if type(cmd) == int:
                # An operation
                operation = OP_CODE_FUNCTIONS[cmd]
                if cmd in (99, 100):
                    if not operation(stack, cmds):
                        LOGGER.info('bad op: {}'.format(OP_CODE_NAMES[cmd]))
                        return False
                elif cmd in (107, 108):
                    if not operation(stack, altstack):
                        LOGGER.info('bad op: {}'.format(OP_CODE_NAMES[cmd]))
                        return False
                elif cmd in (172, 173, 174, 175):
                    if not operation(stack, z):
                        LOGGER.info('bad op: {}'.format(OP_CODE_NAMES[cmd]))
                        return False
                else:
                    if not operation(stack):
                        LOGGER.info('bad op: {}'.format(OP_CODE_NAMES[cmd]))
                        return False
            else:
                # An element
                stack.append(cmd)
        if len(stack) == 0:
            return False
        if stack.pop() == b'':
            return False
        return True
                

## P2PK (Pay To Pubkey)

- It is a script pattern that locks an output to a public key.
- You’ll most commonly find P2PK in coinbase transactions in the earlier blocks in the blockchain. This is because the original Bitcoin Core miner would use P2PK for the block reward when constructing a candidate block.

![combined_script](img\p2pk_simplified.png)

`scriptSig` - It unlocks the corresponding ScriptPubKey. It is the signature followed by a single sighash byte.

![scriptSig](img\p2pk_scriptSig.png)

`scriptPubKey` - Specifies where the bitcoins go, this is the lockbox that receives the bitcoins.

![scriptPubKey](img\p2pk_scriptPubKey.png)

The working of this script is as follows

![p2pk_working](img\p2pk_working.gif)

## P2PKH (Pay To Pubkey Hash)

- It is a script pattern that also locks an output to public key.
- It is used to “send” someone bitcoins.

![combined_script](img\p2pkh_simplified.png)

`scriptSig` - The owner of the hashed public key above needs to provide the original public key, along with a valid signature for it

![scriptSig](img\p2pkh_scriptSig.png)

`scriptPubKey` - It contains a hashed public key surrounded by these opcodes.

![scriptPubKey](img\p2pkh_scriptPubKey.png)

The working of this script is as follows

![p2pkh_working](img\p2pkh_working.gif)

In [27]:
def p2pkh_script(h160):
    '''Takes a hash160 and returns the p2pkh ScriptPubKey'''
    return Script([0x76, 0xa9, h160, 0x88, 0xac])

In [28]:
## Sighash

SIGHASH_ALL = 1
SIGHASH_NONE = 2
SIGHASH_SINGLE = 3

## Method to create a Transaction

1. Create a TxIns:
    - Select a Previous Transaction
    - Select the output index
    - Create a `tx_in` object.
    
2. Create TxOuts:
    - We need to create two outputs, one for the receiver and other back to us.
    - Select the amount you want to send and receive back. Rest will be adjusted as Transaction Fees.
    - Convert these amounts from BTC to Satoshis, by multiplying them with 100,000,000.
    - Then convert Bitcoin Addresses to hash160's using `decode_base58()`.
    - Create two p2pkh script's using these hash160's.
    - Create different `tx_out` objects for the receiver and change by specifying amount and script.

3. Create Tx:
    - Append all the `tx_in` and `tx_out` objects to seperate lists, even if there's only one element in a list.
    - Create a `Tx` object using VERSION, TX_INS, TX_OUTS, LOCKTIME, TESTNET BOOL.
    
## Signing a Transaction

1. Now, the transaction created earlier is empty and does not contain any ssignatures.
2. We need to create a signature we need `z` and a `private key` .
3. Generate `z` by providing the index of  selected transaction input (tricky one).
4. Create the private key by providing the secret.
5. Use private key and `z` to generate DER Signature.
6. Append `SIGHASH_ALL` to the DER Signature.
7. Create `script_sig` by adding DER Signature and SEC Public Key.
8. Inside the previously created Transaction, Assign `script_sig` to that particular input for which you created the signature.

In [29]:
## Creating a Transaction

### Creating TxIns
prev_tx = bytes.fromhex('0d6fe5213c0b3291f208cba8bfb59b7476dffacc4e5cb66f6\
eb20a080843a299')
prev_index = 13
tx_in = TxIn(prev_tx = prev_tx, prev_index = prev_index)
tx_ins = [tx_in]

### Creating TxOuts
'''
Output that should be returned back to us
'''
change_amount = int(0.33*100000000)
change_h160 = decode_base58('mzx5YhAH9kNHtcN481u6WkjeHjYtVeKVh2')
change_script = p2pkh_script(change_h160)
change_output = TxOut(amount = change_amount, script_pubkey = change_script)
'''
Output for the receiver
'''
target_amount = int(0.1*100000000)
target_h160 = decode_base58('mnrVtF8DWjMu839VW3rBfgYaAfKk8983Xf')
target_script = p2pkh_script(target_h160)
target_output = TxOut(amount = target_amount, script_pubkey = target_script)
tx_outs = [change_output, target_output]

### Creating Tx
tx_obj = Tx(version = 1, tx_ins = tx_ins, tx_outs = tx_outs, locktime = 0, testnet=True)
print(tx_obj)

tx: cd30a8da777d28ef0e61efe68a9f7c559c1d3e5bcd7b265c850ccb4068598d11
version: 1
tx_ins:
0d6fe5213c0b3291f208cba8bfb59b7476dffacc4e5cb66f6eb20a080843a299:13
tx_outs:
33000000:OP_DUP OP_HASH160 d52ad7ca9b3d096a38e752c2018e6fbc40cdf26f OP_EQUALVERIFY OP_CHECKSIG
10000000:OP_DUP OP_HASH160 507b27411ccf7f16f10297de6cef3f291623eddf OP_EQUALVERIFY OP_CHECKSIG
locktime: 0


In [30]:
## Signing an Input

z = tx_obj.sig_hash(0)
private_key = PrivateKey(secret = 8675309)
der = private_key.sign(z).der()
sig = der + SIGHASH_ALL.to_bytes(1, 'big')
sec = private_key.point.sec()
script_sig = Script([sig, sec])
tx_obj.tx_ins[0].script_sig = script_sig
print(tx_obj.serialize().hex())

# Note: A function named sign_input() has been created in Tx class.

010000000199a24308080ab26e6fb65c4eccfadf76749bb5bfa8cb08f291320b3c21e56f0d0d0000006b4830450221008ed46aa2cf12d6d81065bfabe903670165b538f65ee9a3385e6327d80c66d3b502203124f804410527497329ec4715e18558082d489b218677bd029e7fa306a72236012103935581e52c354cd2f484fe8ed83af7a3097005b2f9c60bff71d35bd795f54b67ffffffff02408af701000000001976a914d52ad7ca9b3d096a38e752c2018e6fbc40cdf26f88ac80969800000000001976a914507b27411ccf7f16f10297de6cef3f291623eddf88ac00000000


## Create your own Private Key

In [31]:
secret = little_endian_to_int(b'utkarshg6 secret')
private_key = PrivateKey(secret)

In [32]:
private_key.point.address()

'1L11qvCJbD7yoWgag7rXzyj1ULxZoe3p5A'