github.com/decred/dcrlnd@v0.7.6/input/script_utils.go

package input

import (
	"bytes"
	"crypto/sha256"
	"fmt"
	"math/big"

	"golang.org/x/crypto/ripemd160"

	"github.com/decred/dcrd/dcrec/secp256k1/v4"
	"github.com/decred/dcrd/dcrutil/v4"
	"github.com/decred/dcrd/txscript/v4"
	"github.com/decred/dcrd/wire"
)

// ScriptVerifyFlags are the flags used in script VMs when testing LN-related
// scripts. These need to correspond to the current state of consensus rules
// necessary for LN operation and the overall standard mempool settings.
const ScriptVerifyFlags = txscript.ScriptDiscourageUpgradableNops | // standardness
	txscript.ScriptVerifyCleanStack | // consensus
	txscript.ScriptVerifyCheckLockTimeVerify | // consensus
	txscript.ScriptVerifyCheckSequenceVerify | // consensus (lnfeatures)
	txscript.ScriptVerifySHA256 // consensus (lnfeatures)

// LNTxVersion is the version that transactions need to be defined to use so
// that they are usable as ln transactions.
const LNTxVersion uint16 = 2

// TxWitness represents the witness data for a transaction.
type TxWitness [][]byte

// WitnessSerializeSize returns the number of bytes it would take to serialize
// the given slice as if it were a bitcoin witness program.
//
// Note: this is only used as an acessory in certain tests in Decred.
func (t TxWitness) WitnessSerializeSize() int {
	// A varint to signal the number of elements the witness has.
	n := wire.VarIntSerializeSize(uint64(len(t)))

	// For each element in the witness, we'll need a varint to signal the
	// size of the element, then finally the number of bytes the element
	// itself comprises.
	for _, witItem := range t {
		n += wire.VarIntSerializeSize(uint64(len(witItem)))
		n += len(witItem)
	}

	return n
}

var (
	// TODO(roasbeef): remove these and use the one's defined in txscript
	// within testnet-L.

	// SequenceLockTimeSeconds is the 22nd bit which indicates the lock
	// time is in seconds.
	SequenceLockTimeSeconds = uint32(1 << 22)
)

// Signature is an interface for objects that can populate signatures during
// witness construction.
type Signature interface {
	// Serialize returns a DER-encoded ECDSA signature.
	Serialize() []byte

	// Verify return true if the ECDSA signature is valid for the passed
	// message digest under the provided public key.
	Verify([]byte, *secp256k1.PublicKey) bool
}

// ScriptHashPkScript returns the p2sh pkscript for a given redeem script. This
// is ready to be included in a transaction output.
func ScriptHashPkScript(redeemScript []byte) ([]byte, error) {
	scriptHash := dcrutil.Hash160(redeemScript)
	bldr := txscript.NewScriptBuilder()

	bldr.AddOp(txscript.OP_HASH160).AddData(scriptHash).AddOp(txscript.OP_EQUAL)
	return bldr.Script()
}

// GenerateP2SH generates a pay-to-script-hash public key script paying to the
// passed redeem script.
func GenerateP2SH(script []byte) ([]byte, error) {
	bldr := txscript.NewScriptBuilder()

	bldr.AddOp(txscript.OP_HASH160)
	scripthash := dcrutil.Hash160(script)
	bldr.AddData(scripthash)
	bldr.AddOp(txscript.OP_EQUAL)
	return bldr.Script()
}

// GenerateP2PKH generates a pay-to-public-key-hash public key script paying to
// the passed serialized public key.
func GenerateP2PKH(pubkey []byte) ([]byte, error) {
	bldr := txscript.NewScriptBuilder()

	bldr.AddOp(txscript.OP_DUP)
	bldr.AddOp(txscript.OP_HASH160)
	pkhash := dcrutil.Hash160(pubkey)
	bldr.AddData(pkhash)
	bldr.AddOp(txscript.OP_EQUALVERIFY)
	bldr.AddOp(txscript.OP_CHECKSIG)
	return bldr.Script()
}

// GenMultiSigScript generates the non-p2sh'd multisig script for 2 of 2
// pubkeys.
func GenMultiSigScript(aPub, bPub []byte) ([]byte, error) {
	if len(aPub) != 33 || len(bPub) != 33 {
		return nil, fmt.Errorf("pubkey size error: compressed pubkeys only")
	}

	// Swap to sort pubkeys if needed. Keys are sorted in lexicographical
	// order. The signatures within the scriptSig must also adhere to the
	// order, ensuring that the signatures for each public key appears in
	// the proper order on the stack.
	if bytes.Compare(aPub, bPub) == 1 {
		aPub, bPub = bPub, aPub
	}

	bldr := txscript.NewScriptBuilder()
	bldr.AddOp(txscript.OP_2)
	bldr.AddData(aPub) // Add both pubkeys (sorted).
	bldr.AddData(bPub)
	bldr.AddOp(txscript.OP_2)
	bldr.AddOp(txscript.OP_CHECKMULTISIG)
	return bldr.Script()
}

// WitnessStackToSigScript converts a witness stack, which is essentially just
// an array of byte slices, to the equivalent signature script such that each
// element in the witness stack is a data push.
func WitnessStackToSigScript(witness [][]byte) ([]byte, error) {
	bldr := txscript.NewScriptBuilder()
	for _, data := range witness {
		bldr.AddData(data)
	}
	return bldr.Script()
}

// SigScriptToWitnessStack converts a signatureScript to a slice of data pushes
// (a witness stack). This is the inverse of the WitnessStackToSigScript
// operation.
//
// This is currently restricted to a version 0 signature script.
func SigScriptToWitnessStack(sigScript []byte) ([][]byte, error) {
	const scriptVersion = 0

	var data [][]byte
	tokenizer := txscript.MakeScriptTokenizer(scriptVersion, sigScript)
	for tokenizer.Next() {
		op := tokenizer.Opcode()

		if tokenizer.Data() != nil {
			data = append(data, tokenizer.Data())
		} else if op == txscript.OP_0 {
			data = append(data, nil)
		} else if op >= txscript.OP_1 && op <= txscript.OP_16 {
			data = append(data, []byte{op - txscript.OP_1 + 1})
		} else if op == txscript.OP_1NEGATE {
			data = append(data, []byte{txscript.OP_1NEGATE})
		}
	}
	if err := tokenizer.Err(); err != nil {
		return nil, err
	}
	return data, nil

}

// GenFundingPkScript creates a redeem script, and its matching p2sh
// output for the funding transaction.
func GenFundingPkScript(aPub, bPub []byte, amt int64) ([]byte, *wire.TxOut, error) {
	// As a sanity check, ensure that the passed amount is above zero.
	if amt <= 0 {
		return nil, nil, fmt.Errorf("can't create FundTx script with " +
			"zero, or negative coins")
	}

	// First, create the 2-of-2 multi-sig script itself.
	witnessScript, err := GenMultiSigScript(aPub, bPub)
	if err != nil {
		return nil, nil, err
	}

	// With the 2-of-2 script in had, generate a p2sh script which pays
	// to the funding script.
	pkScript, err := ScriptHashPkScript(witnessScript)
	if err != nil {
		return nil, nil, err
	}

	return witnessScript, wire.NewTxOut(amt, pkScript), nil
}

// SpendMultiSig generates the witness stack required to redeem the 2-of-2 p2sh
// multi-sig output.
func SpendMultiSig(witnessScript, pubA []byte, sigA Signature,
	pubB []byte, sigB Signature) [][]byte {

	witness := make([][]byte, 3)

	// When initially generating the witnessScript, we sorted the
	// serialized public keys in descending order. So we do a quick
	// comparison in order ensure the signatures appear on the Script
	// Virtual Machine stack in the correct order.
	if bytes.Compare(pubA, pubB) == 1 {
		witness[0] = append(sigB.Serialize(), byte(txscript.SigHashAll))
		witness[1] = append(sigA.Serialize(), byte(txscript.SigHashAll))
	} else {
		witness[0] = append(sigA.Serialize(), byte(txscript.SigHashAll))
		witness[1] = append(sigB.Serialize(), byte(txscript.SigHashAll))
	}

	// Finally, add the preimage as the last witness element.
	witness[2] = witnessScript

	return witness
}

// FindScriptOutputIndex finds the index of the public key script output
// matching 'script'. Additionally, a boolean is returned indicating if a
// matching output was found at all.
//
// NOTE: The search stops after the first matching script is found.
func FindScriptOutputIndex(tx *wire.MsgTx, script []byte) (bool, uint32) {
	found := false
	index := uint32(0)
	for i, txOut := range tx.TxOut {
		if bytes.Equal(txOut.PkScript, script) {
			found = true
			index = uint32(i)
			break
		}
	}

	return found, index
}

// Ripemd160H calculates the ripemd160 of the passed byte slice. This is used to
// calculate the intermediate hash for payment pre-images. Payment hashes are
// the result of ripemd160(sha256(paymentPreimage)). As a result, the value
// passed in should be the sha256 of the payment hash.
func Ripemd160H(d []byte) []byte {
	h := ripemd160.New()
	h.Write(d)
	return h.Sum(nil)
}

// SenderHTLCScript constructs the public key script for an outgoing HTLC
// output payment for the sender's version of the commitment transaction. The
// possible script paths from this output include:
//
//   - The sender timing out the HTLC using the second level HTLC timeout
//     transaction.
//   - The receiver of the HTLC claiming the output on-chain with the payment
//     preimage.
//   - The receiver of the HTLC sweeping all the funds in the case that a
//     revoked commitment transaction bearing this HTLC was broadcast.
//
// If confirmedSpend=true, a 1 OP_CSV check will be added to the non-revocation
// cases, to allow sweeping only after confirmation.
//
// Possible Input Scripts:
//
//	SENDR: <sendr sig> <recvr sig> <0> (spend using HTLC timeout transaction)
//	RECVR: <recvr sig> <preimage>
//	REVOK: <revoke sig> <revoke key>
//	 * receiver revoke
//
// OP_DUP OP_HASH160 <revocation key hash160> OP_EQUAL
// OP_IF
//
//	OP_CHECKSIG
//
// OP_ELSE
//
//	<recv htlc key>
//	OP_SWAP OP_SIZE 32 OP_EQUAL
//	OP_NOTIF
//	    OP_DROP 2 OP_SWAP <sender htlc key> 2 OP_CHECKMULTISIG
//	OP_ELSE
//	    OP_SHA256 OP_RIPEMD160 <ripemd160(payment hash)> OP_EQUALVERIFY
//	    OP_CHECKSIG
//	OP_ENDIF
//	[1 OP_CHECKSEQUENCEVERIFY OP_DROP] <- if allowing confirmed spend only.
//
// OP_ENDIF
func SenderHTLCScript(senderHtlcKey, receiverHtlcKey,
	revocationKey *secp256k1.PublicKey, paymentHash []byte,
	confirmedSpend bool) ([]byte, error) {

	builder := txscript.NewScriptBuilder()

	// The opening operations are used to determine if this is the receiver
	// of the HTLC attempting to sweep all the funds due to a contract
	// breach. In this case, they'll place the revocation key at the top of
	// the stack.
	builder.AddOp(txscript.OP_DUP)
	builder.AddOp(txscript.OP_HASH160)
	builder.AddData(dcrutil.Hash160(revocationKey.SerializeCompressed()))
	builder.AddOp(txscript.OP_EQUAL)

	// If the hash matches, then this is the revocation clause. The output
	// can be spent if the check sig operation passes.
	builder.AddOp(txscript.OP_IF)
	builder.AddOp(txscript.OP_CHECKSIG)

	// Otherwise, this may either be the receiver of the HTLC claiming with
	// the pre-image, or the sender of the HTLC sweeping the output after
	// it has timed out.
	builder.AddOp(txscript.OP_ELSE)

	// We'll do a bit of set up by pushing the receiver's key on the top of
	// the stack. This will be needed later if we decide that this is the
	// sender activating the time out clause with the HTLC timeout
	// transaction.
	builder.AddData(receiverHtlcKey.SerializeCompressed())

	// Atm, the top item of the stack is the receiverKey's so we use a swap
	// to expose what is either the payment pre-image or a signature.
	builder.AddOp(txscript.OP_SWAP)

	// With the top item swapped, check if it's 32 bytes. If so, then this
	// *may* be the payment pre-image.
	builder.AddOp(txscript.OP_SIZE)
	builder.AddInt64(32)
	builder.AddOp(txscript.OP_EQUAL)

	// If it isn't then this might be the sender of the HTLC activating the
	// time out clause.
	builder.AddOp(txscript.OP_NOTIF)

	// We'll drop the OP_IF return value off the top of the stack so we can
	// reconstruct the multi-sig script used as an off-chain covenant. If
	// two valid signatures are provided, ten then output will be deemed as
	// spendable.
	builder.AddOp(txscript.OP_DROP)
	builder.AddOp(txscript.OP_2)
	builder.AddOp(txscript.OP_SWAP)
	builder.AddData(senderHtlcKey.SerializeCompressed())
	builder.AddOp(txscript.OP_2)
	builder.AddOp(txscript.OP_CHECKMULTISIG)

	// Otherwise, then the only other case is that this is the receiver of
	// the HTLC sweeping it on-chain with the payment pre-image.
	builder.AddOp(txscript.OP_ELSE)

	// Hash the top item of the stack and compare it with the hash160 of
	// the payment hash, which is already the sha256 of the payment
	// pre-image. By using this little trick we're able save space on-chain
	// as the witness includes a 20-byte hash rather than a 32-byte hash.
	builder.AddOp(txscript.OP_SHA256)
	builder.AddOp(txscript.OP_RIPEMD160)
	builder.AddData(Ripemd160H(paymentHash))
	builder.AddOp(txscript.OP_EQUALVERIFY)

	// This checks the receiver's signature so that a third party with
	// knowledge of the payment preimage still cannot steal the output.
	builder.AddOp(txscript.OP_CHECKSIG)

	// Close out the OP_IF statement above.
	builder.AddOp(txscript.OP_ENDIF)

	// Add 1 block CSV delay if a confirmation is required for the
	// non-revocation clauses.
	if confirmedSpend {
		builder.AddOp(txscript.OP_1)
		builder.AddOp(txscript.OP_CHECKSEQUENCEVERIFY)
		builder.AddOp(txscript.OP_DROP)
	}

	// Close out the OP_IF statement at the top of the script.
	builder.AddOp(txscript.OP_ENDIF)

	return builder.Script()
}

// SenderHtlcSpendRevokeWithKey constructs a valid witness allowing the receiver of an
// HTLC to claim the output with knowledge of the revocation private key in the
// scenario that the sender of the HTLC broadcasts a previously revoked
// commitment transaction. A valid spend requires knowledge of the private key
// that corresponds to their revocation base point and also the private key fro
// the per commitment point, and a valid signature under the combined public
// key.
func SenderHtlcSpendRevokeWithKey(signer Signer, signDesc *SignDescriptor,
	revokeKey *secp256k1.PublicKey, sweepTx *wire.MsgTx) (TxWitness, error) {

	sweepSig, err := signer.SignOutputRaw(sweepTx, signDesc)
	if err != nil {
		return nil, err
	}

	// The stack required to sweep a revoke HTLC output consists simply of
	// the exact witness stack as one of a regular p2pkh spend. The only
	// difference is that the keys used were derived in an adversarial
	// manner in order to encode the revocation contract into a sig+key
	// pair.
	witnessStack := TxWitness(make([][]byte, 3))
	witnessStack[0] = append(sweepSig.Serialize(), byte(signDesc.HashType))
	witnessStack[1] = revokeKey.SerializeCompressed()
	witnessStack[2] = signDesc.WitnessScript

	return witnessStack, nil
}

// SenderHtlcSpendRevoke constructs a valid witness allowing the receiver of an
// HTLC to claim the output with knowledge of the revocation private key in the
// scenario that the sender of the HTLC broadcasts a previously revoked
// commitment transaction.  This method first derives the appropriate revocation
// key, and requires that the provided SignDescriptor has a local revocation
// basepoint and commitment secret in the PubKey and DoubleTweak fields,
// respectively.
func SenderHtlcSpendRevoke(signer Signer, signDesc *SignDescriptor,
	sweepTx *wire.MsgTx) (TxWitness, error) {

	revokeKey, err := deriveRevokePubKey(signDesc)
	if err != nil {
		return nil, err
	}

	return SenderHtlcSpendRevokeWithKey(signer, signDesc, revokeKey, sweepTx)
}

// IsHtlcSpendRevoke is used to determine if the passed spend is spending a
// HTLC output using the revocation key.
func IsHtlcSpendRevoke(txIn *wire.TxIn, signDesc *SignDescriptor) (
	bool, error) {

	revokeKey, err := deriveRevokePubKey(signDesc)
	if err != nil {
		return false, err
	}

	witness, err := SigScriptToWitnessStack(txIn.SignatureScript)
	if err != nil {
		return false, err
	}
	if len(witness) == 3 &&
		bytes.Equal(witness[1], revokeKey.SerializeCompressed()) {
		return true, nil
	}

	return false, nil
}

// SenderHtlcSpendRedeem constructs a valid witness allowing the receiver of an
// HTLC to redeem the pending output in the scenario that the sender broadcasts
// their version of the commitment transaction. A valid spend requires
// knowledge of the payment preimage, and a valid signature under the receivers
// public key.
func SenderHtlcSpendRedeem(signer Signer, signDesc *SignDescriptor,
	sweepTx *wire.MsgTx, paymentPreimage []byte) (TxWitness, error) {

	sweepSig, err := signer.SignOutputRaw(sweepTx, signDesc)
	if err != nil {
		return nil, err
	}

	// The stack required to spend this output is simply the signature
	// generated above under the receiver's public key, and the payment
	// pre-image.
	witnessStack := TxWitness(make([][]byte, 3))
	witnessStack[0] = append(sweepSig.Serialize(), byte(signDesc.HashType))
	witnessStack[1] = paymentPreimage
	witnessStack[2] = signDesc.WitnessScript

	return witnessStack, nil
}

// SenderHtlcSpendTimeout constructs a valid witness allowing the sender of an
// HTLC to activate the time locked covenant clause of a soon to be expired
// HTLC.  This script simply spends the multi-sig output using the
// pre-generated HTLC timeout transaction.
func SenderHtlcSpendTimeout(receiverSig Signature,
	receiverSigHash txscript.SigHashType, signer Signer,
	signDesc *SignDescriptor, htlcTimeoutTx *wire.MsgTx) (
	TxWitness, error) {

	sweepSig, err := signer.SignOutputRaw(htlcTimeoutTx, signDesc)
	if err != nil {
		return nil, err
	}

	// We place a zero as the first item of the evaluated witness stack in
	// order to force Script execution to the HTLC timeout clause.
	witnessStack := TxWitness(make([][]byte, 4))
	witnessStack[0] = append(receiverSig.Serialize(), byte(receiverSigHash))
	witnessStack[1] = append(sweepSig.Serialize(), byte(signDesc.HashType))
	witnessStack[2] = nil
	witnessStack[3] = signDesc.WitnessScript

	return witnessStack, nil
}

// ReceiverHTLCScript constructs the public key script for an incoming HTLC
// output payment for the receiver's version of the commitment transaction. The
// possible execution paths from this script include: * The receiver of the
// HTLC uses its second level HTLC transaction to advance the state of the HTLC
// into the delay+claim state.  * The sender of the HTLC sweeps all the funds
// of the HTLC as a breached commitment was broadcast.  * The sender of the
// HTLC sweeps the HTLC on-chain after the timeout period of the HTLC has
// passed.
//
// If confirmedSpend=true, a 1 OP_CSV check will be added to the non-revocation
// cases, to allow sweeping only after confirmation.
//
// Possible Input Scripts:
//
//	RECVR: <sender sig> <recvr sig> <preimage> (spend using HTLC success transaction)
//	REVOK: <sig> <key>
//	SENDR: <sig> 0
//
// OP_DUP OP_HASH160 <revocation key hash160> OP_EQUAL
// OP_IF
//
//	OP_CHECKSIG
//
// OP_ELSE
//
//	<sendr htlc key>
//	OP_SWAP OP_SIZE 32 OP_EQUAL
//	OP_IF
//	    OP_HASH160 <ripemd160(payment hash)> OP_EQUALVERIFY
//	    2 OP_SWAP <recvr htlc key> 2 OP_CHECKMULTISIG
//	OP_ELSE
//	    OP_DROP <cltv expiry> OP_CHECKLOCKTIMEVERIFY OP_DROP
//	    OP_CHECKSIG
//	OP_ENDIF
//	[1 OP_CHECKSEQUENCEVERIFY OP_DROP] <- if allowing confirmed spend only.
//
// OP_ENDIF
func ReceiverHTLCScript(cltvExpiry uint32, senderHtlcKey,
	receiverHtlcKey, revocationKey *secp256k1.PublicKey,
	paymentHash []byte, confirmedSpend bool) ([]byte, error) {

	builder := txscript.NewScriptBuilder()

	// The opening operations are used to determine if this is the sender
	// of the HTLC attempting to sweep all the funds due to a contract
	// breach. In this case, they'll place the revocation key at the top of
	// the stack.
	builder.AddOp(txscript.OP_DUP)
	builder.AddOp(txscript.OP_HASH160)
	builder.AddData(dcrutil.Hash160(revocationKey.SerializeCompressed()))
	builder.AddOp(txscript.OP_EQUAL)

	// If the hash matches, then this is the revocation clause. The output
	// can be spent if the check sig operation passes.
	builder.AddOp(txscript.OP_IF)
	builder.AddOp(txscript.OP_CHECKSIG)

	// Otherwise, this may either be the receiver of the HTLC starting the
	// claiming process via the second level HTLC success transaction and
	// the pre-image, or the sender of the HTLC sweeping the output after
	// it has timed out.
	builder.AddOp(txscript.OP_ELSE)

	// We'll do a bit of set up by pushing the sender's key on the top of
	// the stack. This will be needed later if we decide that this is the
	// receiver transitioning the output to the claim state using their
	// second-level HTLC success transaction.
	builder.AddData(senderHtlcKey.SerializeCompressed())

	// Atm, the top item of the stack is the sender's key so we use a swap
	// to expose what is either the payment pre-image or something else.
	builder.AddOp(txscript.OP_SWAP)

	// With the top item swapped, check if it's 32 bytes. If so, then this
	// *may* be the payment pre-image.
	builder.AddOp(txscript.OP_SIZE)
	builder.AddInt64(32)
	builder.AddOp(txscript.OP_EQUAL)

	// If the item on the top of the stack is 32-bytes, then it is the
	// proper size, so this indicates that the receiver of the HTLC is
	// attempting to claim the output on-chain by transitioning the state
	// of the HTLC to delay+claim.
	builder.AddOp(txscript.OP_IF)

	// Next we'll hash the item on the top of the stack, if it matches the
	// payment pre-image, then we'll continue. Otherwise, we'll end the
	// script here as this is the invalid payment pre-image.
	builder.AddOp(txscript.OP_SHA256)
	builder.AddOp(txscript.OP_RIPEMD160)
	builder.AddData(Ripemd160H(paymentHash))
	builder.AddOp(txscript.OP_EQUALVERIFY)

	// If the payment hash matches, then we'll also need to satisfy the
	// multi-sig covenant by providing both signatures of the sender and
	// receiver. If the convenient is met, then we'll allow the spending of
	// this output, but only by the HTLC success transaction.
	builder.AddOp(txscript.OP_2)
	builder.AddOp(txscript.OP_SWAP)
	builder.AddData(receiverHtlcKey.SerializeCompressed())
	builder.AddOp(txscript.OP_2)
	builder.AddOp(txscript.OP_CHECKMULTISIG)

	// Otherwise, this might be the sender of the HTLC attempting to sweep
	// it on-chain after the timeout.
	builder.AddOp(txscript.OP_ELSE)

	// We'll drop the extra item (which is the output from evaluating the
	// OP_EQUAL) above from the stack.
	builder.AddOp(txscript.OP_DROP)

	// With that item dropped off, we can now enforce the absolute
	// lock-time required to timeout the HTLC. If the time has passed, then
	// we'll proceed with a checksig to ensure that this is actually the
	// sender of he original HTLC.
	builder.AddInt64(int64(cltvExpiry))
	builder.AddOp(txscript.OP_CHECKLOCKTIMEVERIFY)
	builder.AddOp(txscript.OP_DROP)
	builder.AddOp(txscript.OP_CHECKSIG)

	// Close out the inner if statement.
	builder.AddOp(txscript.OP_ENDIF)

	// Add 1 block CSV delay for non-revocation clauses if confirmation is
	// required.
	if confirmedSpend {
		builder.AddOp(txscript.OP_1)
		builder.AddOp(txscript.OP_CHECKSEQUENCEVERIFY)
		builder.AddOp(txscript.OP_DROP)
	}

	// Close out the outer if statement.
	builder.AddOp(txscript.OP_ENDIF)

	return builder.Script()
}

// ReceiverHtlcSpendRedeem constructs a valid witness allowing the receiver of
// an HTLC to redeem the conditional payment in the event that their commitment
// transaction is broadcast. This clause transitions the state of the HLTC
// output into the delay+claim state by activating the off-chain covenant bound
// by the 2-of-2 multi-sig output. The HTLC success timeout transaction being
// signed has a relative timelock delay enforced by its sequence number. This
// delay give the sender of the HTLC enough time to revoke the output if this
// is a breach commitment transaction.
func ReceiverHtlcSpendRedeem(senderSig Signature,
	senderSigHash txscript.SigHashType, paymentPreimage []byte,
	signer Signer, signDesc *SignDescriptor, htlcSuccessTx *wire.MsgTx) (
	TxWitness, error) {

	// First, we'll generate a signature for the HTLC success transaction.
	// The signDesc should be signing with the public key used as the
	// receiver's public key and also the correct single tweak.
	sweepSig, err := signer.SignOutputRaw(htlcSuccessTx, signDesc)
	if err != nil {
		return nil, err
	}

	// The final witness stack is used the provide the script with the
	// payment pre-image, and also execute the multi-sig clause after the
	// pre-images matches.
	witnessStack := TxWitness(make([][]byte, 4))
	witnessStack[0] = append(senderSig.Serialize(), byte(senderSigHash))
	witnessStack[1] = append(sweepSig.Serialize(), byte(signDesc.HashType))
	witnessStack[2] = paymentPreimage
	witnessStack[3] = signDesc.WitnessScript

	return witnessStack, nil
}

// ReceiverHtlcSpendRevokeWithKey constructs a valid witness allowing the sender of an
// HTLC within a previously revoked commitment transaction to re-claim the
// pending funds in the case that the receiver broadcasts this revoked
// commitment transaction.
func ReceiverHtlcSpendRevokeWithKey(signer Signer, signDesc *SignDescriptor,
	revokeKey *secp256k1.PublicKey, sweepTx *wire.MsgTx) (TxWitness, error) {

	// First, we'll generate a signature for the sweep transaction.  The
	// signDesc should be signing with the public key used as the fully
	// derived revocation public key and also the correct double tweak
	// value.
	sweepSig, err := signer.SignOutputRaw(sweepTx, signDesc)
	if err != nil {
		return nil, err
	}

	// We place a zero, then one as the first items in the evaluated
	// witness stack in order to force script execution to the HTLC
	// revocation clause.
	witnessStack := TxWitness(make([][]byte, 3))
	witnessStack[0] = append(sweepSig.Serialize(), byte(signDesc.HashType))
	witnessStack[1] = revokeKey.SerializeCompressed()
	witnessStack[2] = signDesc.WitnessScript

	return witnessStack, nil
}

func deriveRevokePubKey(signDesc *SignDescriptor) (*secp256k1.PublicKey, error) {
	if signDesc.KeyDesc.PubKey == nil {
		return nil, fmt.Errorf("cannot generate witness with nil " +
			"KeyDesc pubkey")
	}

	// Derive the revocation key using the local revocation base point and
	// commitment point.
	revokeKey := DeriveRevocationPubkey(
		signDesc.KeyDesc.PubKey,
		signDesc.DoubleTweak.PubKey(),
	)

	return revokeKey, nil
}

// ReceiverHtlcSpendRevoke constructs a valid witness allowing the sender of an
// HTLC within a previously revoked commitment transaction to re-claim the
// pending funds in the case that the receiver broadcasts this revoked
// commitment transaction. This method first derives the appropriate revocation
// key, and requires that the provided SignDescriptor has a local revocation
// basepoint and commitment secret in the PubKey and DoubleTweak fields,
// respectively.
func ReceiverHtlcSpendRevoke(signer Signer, signDesc *SignDescriptor,
	sweepTx *wire.MsgTx) (TxWitness, error) {

	revokeKey, err := deriveRevokePubKey(signDesc)
	if err != nil {
		return nil, err
	}

	return ReceiverHtlcSpendRevokeWithKey(signer, signDesc, revokeKey, sweepTx)
}

// ReceiverHtlcSpendTimeout constructs a valid witness allowing the sender of
// an HTLC to recover the pending funds after an absolute timeout in the
// scenario that the receiver of the HTLC broadcasts their version of the
// commitment transaction. If the caller has already set the lock time on the
// spending transaction, than a value of -1 can be passed for the cltvExpiry
// value.
//
// NOTE: The target input of the passed transaction MUST NOT have a final
// sequence number. Otherwise, the OP_CHECKLOCKTIMEVERIFY check will fail.
func ReceiverHtlcSpendTimeout(signer Signer, signDesc *SignDescriptor,
	sweepTx *wire.MsgTx, cltvExpiry int32) (TxWitness, error) {

	// If the caller set a proper timeout value, then we'll apply it
	// directly to the transaction.
	if cltvExpiry != -1 {
		// The HTLC output has an absolute time period before we are
		// permitted to recover the pending funds. Therefore we need to
		// set the locktime on this sweeping transaction in order to
		// pass Script verification.
		sweepTx.LockTime = uint32(cltvExpiry)
	}

	// With the lock time on the transaction set, we'll not generate a
	// signature for the sweep transaction. The passed sign descriptor
	// should be created using the raw public key of the sender (w/o the
	// single tweak applied), and the single tweak set to the proper value
	// taking into account the current state's point.
	sweepSig, err := signer.SignOutputRaw(sweepTx, signDesc)
	if err != nil {
		return nil, err
	}

	witnessStack := TxWitness(make([][]byte, 3))
	witnessStack[0] = append(sweepSig.Serialize(), byte(signDesc.HashType))
	witnessStack[1] = nil
	witnessStack[2] = signDesc.WitnessScript

	return witnessStack, nil
}

// ReplaceReceiverHtlcSpendRedeemPreimage replaces the pregimage in a sigScript
// generated by receiverHtlcSpendRedeemPreimage with the provided preimage. This
// will generate an undefined result script if the sigScript was *not* generated
// by the provided function (ie: this must be the sigScript of a
// SignedSuccessTx, used to redeem an HTLC).
//
// This function returns the new sigScript to replace the older sigScript.
func ReplaceReceiverHtlcSpendRedeemPreimage(sigScript, preimage []byte) ([]byte, error) {
	sigScriptPushes, err := SigScriptToWitnessStack(sigScript)
	if err != nil {
		return nil, err
	}
	if len(sigScriptPushes) != 4 {
		return nil, fmt.Errorf("the provided sigScript does not have 4 elements")
	}

	return txscript.NewScriptBuilder().
		AddData(sigScriptPushes[0]). // sender sig
		AddData(sigScriptPushes[1]). // receiver sig
		AddData(preimage).           // preimage
		AddData(sigScriptPushes[3]). // redeem script
		Script()
}

// SecondLevelHtlcScript is the uniform script that's used as the output for
// the second-level HTLC transactions. The second level transaction act as a
// sort of covenant, ensuring that a 2-of-2 multi-sig output can only be spent
// in a particular way, and to a particular output.
//
// Possible Input Scripts:
//
//   - To revoke an HTLC output that has been transitioned to the claim+delay
//     state:
//
//   - <revoke sig> 1
//
//   - To claim and HTLC output, either with a pre-image or due to a timeout:
//
//   - <delay sig> 0
//
// OP_IF
//
//	<revoke key>
//
// OP_ELSE
//
//	<delay in blocks>
//	OP_CHECKSEQUENCEVERIFY
//	OP_DROP
//	<delay key>
//
// OP_ENDIF
// OP_CHECKSIG
//
// TODO(roasbeef): possible renames for second-level
//   - transition?
//   - covenant output
func SecondLevelHtlcScript(revocationKey, delayKey *secp256k1.PublicKey,
	csvDelay uint32) ([]byte, error) {

	builder := txscript.NewScriptBuilder()

	// If this is the revocation clause for this script is to be executed,
	// the spender will push a 1, forcing us to hit the true clause of this
	// if statement.
	builder.AddOp(txscript.OP_IF)

	// If this this is the revocation case, then we'll push the revocation
	// public key on the stack.
	builder.AddData(revocationKey.SerializeCompressed())

	// Otherwise, this is either the sender or receiver of the HTLC
	// attempting to claim the HTLC output.
	builder.AddOp(txscript.OP_ELSE)

	// In order to give the other party time to execute the revocation
	// clause above, we require a relative timeout to pass before the
	// output can be spent.
	builder.AddInt64(int64(csvDelay))
	builder.AddOp(txscript.OP_CHECKSEQUENCEVERIFY)
	builder.AddOp(txscript.OP_DROP)

	// If the relative timelock passes, then we'll add the delay key to the
	// stack to ensure that we properly authenticate the spending party.
	builder.AddData(delayKey.SerializeCompressed())

	// Close out the if statement.
	builder.AddOp(txscript.OP_ENDIF)

	// In either case, we'll ensure that only either the party possessing
	// the revocation private key, or the delay private key is able to
	// spend this output.
	builder.AddOp(txscript.OP_CHECKSIG)

	return builder.Script()
}

// LeaseSecondLevelHtlcScript is the uniform script that's used as the output for
// the second-level HTLC transactions. The second level transaction acts as a
// sort of covenant, ensuring that a 2-of-2 multi-sig output can only be
// spent in a particular way, and to a particular output.
//
// Possible Input Scripts:
//
//   - To revoke an HTLC output that has been transitioned to the claim+delay
//     state:
//
//   - <revoke sig> 1
//
//   - To claim an HTLC output, either with a pre-image or due to a timeout:
//
//   - <delay sig> 0
//
// OP_IF
//
//	<revoke key>
//
// OP_ELSE
//
//	<lease maturity in blocks>
//	OP_CHECKLOCKTIMEVERIFY
//	OP_DROP
//	<delay in blocks>
//	OP_CHECKSEQUENCEVERIFY
//	OP_DROP
//	<delay key>
//
// OP_ENDIF
// OP_CHECKSIG
func LeaseSecondLevelHtlcScript(revocationKey, delayKey *secp256k1.PublicKey,
	csvDelay, cltvExpiry uint32) ([]byte, error) {

	builder := txscript.NewScriptBuilder()

	// If this is the revocation clause for this script is to be executed,
	// the spender will push a 1, forcing us to hit the true clause of this
	// if statement.
	builder.AddOp(txscript.OP_IF)

	// If this this is the revocation case, then we'll push the revocation
	// public key on the stack.
	builder.AddData(revocationKey.SerializeCompressed())

	// Otherwise, this is either the sender or receiver of the HTLC
	// attempting to claim the HTLC output.
	builder.AddOp(txscript.OP_ELSE)

	// The channel initiator always has the additional channel lease
	// expiration constraint for outputs that pay to them which must be
	// satisfied.
	builder.AddInt64(int64(cltvExpiry))
	builder.AddOp(txscript.OP_CHECKLOCKTIMEVERIFY)
	builder.AddOp(txscript.OP_DROP)

	// In order to give the other party time to execute the revocation
	// clause above, we require a relative timeout to pass before the
	// output can be spent.
	builder.AddInt64(int64(csvDelay))
	builder.AddOp(txscript.OP_CHECKSEQUENCEVERIFY)
	builder.AddOp(txscript.OP_DROP)

	// If the relative timelock passes, then we'll add the delay key to the
	// stack to ensure that we properly authenticate the spending party.
	builder.AddData(delayKey.SerializeCompressed())

	// Close out the if statement.
	builder.AddOp(txscript.OP_ENDIF)

	// In either case, we'll ensure that only either the party possessing
	// the revocation private key, or the delay private key is able to
	// spend this output.
	builder.AddOp(txscript.OP_CHECKSIG)

	return builder.Script()
}

// HtlcSpendSuccess spends a second-level HTLC output. This function is to be
// used by the sender of an HTLC to claim the output after a relative timeout
// or the receiver of the HTLC to claim on-chain with the pre-image.
func HtlcSpendSuccess(signer Signer, signDesc *SignDescriptor,
	sweepTx *wire.MsgTx, csvDelay uint32) (TxWitness, error) {

	// We're required to wait a relative period of time before we can sweep
	// the output in order to allow the other party to contest our claim of
	// validity to this version of the commitment transaction.
	sweepTx.TxIn[0].Sequence = LockTimeToSequence(false, csvDelay)

	// Finally, OP_CSV requires that the version of the transaction
	// spending a pkscript with OP_CSV within it *must* be >= 2.
	sweepTx.Version = 2

	// With the proper sequence and version set, we'll now sign the timeout
	// transaction using the passed signed descriptor. In order to generate
	// a valid signature, then signDesc should be using the base delay
	// public key, and the proper single tweak bytes.
	sweepSig, err := signer.SignOutputRaw(sweepTx, signDesc)
	if err != nil {
		return nil, err
	}

	// We set a zero as the first element the witness stack (ignoring the
	// witness script), in order to force execution to the second portion
	// of the if clause.
	witnessStack := TxWitness(make([][]byte, 3))
	witnessStack[0] = append(sweepSig.Serialize(), byte(signDesc.HashType))
	witnessStack[1] = nil
	witnessStack[2] = signDesc.WitnessScript

	return witnessStack, nil
}

// HtlcSpendRevoke spends a second-level HTLC output. This function is to be
// used by the sender or receiver of an HTLC to claim the HTLC after a revoked
// commitment transaction was broadcast.
func HtlcSpendRevoke(signer Signer, signDesc *SignDescriptor,
	revokeTx *wire.MsgTx) (TxWitness, error) {

	// We don't need any spacial modifications to the transaction as this
	// is just sweeping a revoked HTLC output. So we'll generate a regular
	// witness signature.
	sweepSig, err := signer.SignOutputRaw(revokeTx, signDesc)
	if err != nil {
		return nil, err
	}

	// We set a one as the first element the witness stack (ignoring the
	// witness script), in order to force execution to the revocation
	// clause in the second level HTLC script.
	witnessStack := TxWitness(make([][]byte, 3))
	witnessStack[0] = append(sweepSig.Serialize(), byte(signDesc.HashType))
	witnessStack[1] = []byte{1}
	witnessStack[2] = signDesc.WitnessScript

	return witnessStack, nil
}

// HtlcSecondLevelSpend exposes the public witness generation function for
// spending an HTLC success transaction, either due to an expiring time lock or
// having had the payment preimage. This method is able to spend any
// second-level HTLC transaction, assuming the caller sets the locktime or
// seqno properly.
//
// NOTE: The caller MUST set the txn version, sequence number, and sign
// descriptor's sig hash cache before invocation.
func HtlcSecondLevelSpend(signer Signer, signDesc *SignDescriptor,
	sweepTx *wire.MsgTx) (TxWitness, error) {

	// With the proper sequence and version set, we'll now sign the timeout
	// transaction using the passed signed descriptor. In order to generate
	// a valid signature, then signDesc should be using the base delay
	// public key, and the proper single tweak bytes.
	sweepSig, err := signer.SignOutputRaw(sweepTx, signDesc)
	if err != nil {
		return nil, err
	}

	// We set a zero as the first element the witness stack (ignoring the
	// witness script), in order to force execution to the second portion
	// of the if clause.
	witnessStack := TxWitness(make([][]byte, 3))
	witnessStack[0] = append(sweepSig.Serialize(), byte(txscript.SigHashAll))
	witnessStack[1] = nil
	witnessStack[2] = signDesc.WitnessScript

	return witnessStack, nil
}

// LockTimeToSequence converts the passed relative locktime to a sequence
// number in accordance to BIP-68.  See:
// https://github.com/bitcoin/bips/blob/master/bip-0068.mediawiki *
// (Compatibility)
func LockTimeToSequence(isSeconds bool, locktime uint32) uint32 {
	if !isSeconds {
		// The locktime is to be expressed in confirmations.
		return locktime
	}

	// Set the 22nd bit which indicates the lock time is in seconds, then
	// shift the locktime over by 9 since the time granularity is in
	// 512-second intervals (2^9). This results in a max lock-time of
	// 33,554,431 seconds, or 1.06 years.
	return SequenceLockTimeSeconds | (locktime >> 9)
}

// CommitScriptToSelf constructs the public key script for the output on the
// commitment transaction paying to the "owner" of said commitment transaction.
// If the other party learns of the preimage to the revocation hash, then they
// can claim all the settled funds in the channel, plus the unsettled funds.
//
// Possible Input Scripts:
//
//	REVOKE:     <sig> 1
//	SENDRSWEEP: <sig> <emptyvector>
//
// Output Script:
//
//	OP_IF
//	    <revokeKey>
//	OP_ELSE
//	    <numRelativeBlocks> OP_CHECKSEQUENCEVERIFY OP_DROP
//	    <timeKey>
//	OP_ENDIF
//	OP_CHECKSIG
func CommitScriptToSelf(csvTimeout uint32, selfKey, revokeKey *secp256k1.PublicKey) ([]byte, error) {
	// This script is spendable under two conditions: either the
	// 'csvTimeout' has passed and we can redeem our funds, or they can
	// produce a valid signature with the revocation public key. The
	// revocation public key will *only* be known to the other party if we
	// have divulged the revocation hash, allowing them to homomorphically
	// derive the proper private key which corresponds to the revoke public
	// key.
	builder := txscript.NewScriptBuilder()

	builder.AddOp(txscript.OP_IF)

	// If a valid signature using the revocation key is presented, then
	// allow an immediate spend provided the proper signature.
	builder.AddData(revokeKey.SerializeCompressed())

	builder.AddOp(txscript.OP_ELSE)

	// Otherwise, we can re-claim our funds after a CSV delay of
	// 'csvTimeout' timeout blocks, and a valid signature.
	builder.AddInt64(int64(csvTimeout))
	builder.AddOp(txscript.OP_CHECKSEQUENCEVERIFY)
	builder.AddOp(txscript.OP_DROP)
	builder.AddData(selfKey.SerializeCompressed())

	builder.AddOp(txscript.OP_ENDIF)

	// Finally, we'll validate the signature against the public key that's
	// left on the top of the stack.
	builder.AddOp(txscript.OP_CHECKSIG)

	return builder.Script()
}

// LeaseCommitScriptToSelf constructs the public key script for the output on the
// commitment transaction paying to the "owner" of said commitment transaction.
// If the other party learns of the preimage to the revocation hash, then they
// can claim all the settled funds in the channel, plus the unsettled funds.
//
// Possible Input Scripts:
//
//	REVOKE:     <sig> 1
//	SENDRSWEEP: <sig> <emptyvector>
//
// Output Script:
//
//	OP_IF
//	    <revokeKey>
//	OP_ELSE
//	    <absoluteLeaseExpiry> OP_CHECKLOCKTIMEVERIFY OP_DROP
//	    <numRelativeBlocks> OP_CHECKSEQUENCEVERIFY OP_DROP
//	    <timeKey>
//	OP_ENDIF
//	OP_CHECKSIG
func LeaseCommitScriptToSelf(selfKey, revokeKey *secp256k1.PublicKey,
	csvTimeout, leaseExpiry uint32) ([]byte, error) {

	// This script is spendable under two conditions: either the
	// 'csvTimeout' has passed and we can redeem our funds, or they can
	// produce a valid signature with the revocation public key. The
	// revocation public key will *only* be known to the other party if we
	// have divulged the revocation hash, allowing them to homomorphically
	// derive the proper private key which corresponds to the revoke public
	// key.
	builder := txscript.NewScriptBuilder()

	builder.AddOp(txscript.OP_IF)

	// If a valid signature using the revocation key is presented, then
	// allow an immediate spend provided the proper signature.
	builder.AddData(revokeKey.SerializeCompressed())

	builder.AddOp(txscript.OP_ELSE)

	// Otherwise, we can re-claim our funds after once the CLTV lease
	// maturity has been met, along with the CSV delay of 'csvTimeout'
	// timeout blocks, and a valid signature.
	builder.AddInt64(int64(leaseExpiry))
	builder.AddOp(txscript.OP_CHECKLOCKTIMEVERIFY)
	builder.AddOp(txscript.OP_DROP)

	builder.AddInt64(int64(csvTimeout))
	builder.AddOp(txscript.OP_CHECKSEQUENCEVERIFY)
	builder.AddOp(txscript.OP_DROP)

	builder.AddData(selfKey.SerializeCompressed())

	builder.AddOp(txscript.OP_ENDIF)

	// Finally, we'll validate the signature against the public key that's
	// left on the top of the stack.
	builder.AddOp(txscript.OP_CHECKSIG)

	return builder.Script()
}

// CommitSpendTimeout constructs a valid witness allowing the owner of a
// particular commitment transaction to spend the output returning settled
// funds back to themselves after a relative block timeout.  In order to
// properly spend the transaction, the target input's sequence number should be
// set accordingly based off of the target relative block timeout within the
// redeem script.  Additionally, OP_CSV requires that the version of the
// transaction spending a pkscript with OP_CSV within it *must* be >= 2.
func CommitSpendTimeout(signer Signer, signDesc *SignDescriptor,
	sweepTx *wire.MsgTx) (TxWitness, error) {

	// Ensure the transaction version supports the validation of sequence
	// locks and CSV semantics.
	if sweepTx.Version < 2 {
		return nil, fmt.Errorf("version of passed transaction MUST "+
			"be >= 2, not %v", sweepTx.Version)
	}

	// With the sequence number in place, we're now able to properly sign
	// off on the sweep transaction.
	sweepSig, err := signer.SignOutputRaw(sweepTx, signDesc)
	if err != nil {
		return nil, err
	}

	// Place an empty byte as the first item in the evaluated witness stack
	// to force script execution to the timeout spend clause. We need to
	// place an empty byte in order to ensure our script is still valid
	// from the PoV of nodes that are enforcing minimal OP_IF/OP_NOTIF.
	witnessStack := TxWitness(make([][]byte, 3))
	witnessStack[0] = append(sweepSig.Serialize(), byte(signDesc.HashType))
	witnessStack[1] = nil
	witnessStack[2] = signDesc.WitnessScript

	return witnessStack, nil
}

// CommitSpendRevoke constructs a valid witness allowing a node to sweep the
// settled output of a malicious counterparty who broadcasts a revoked
// commitment transaction.
//
// NOTE: The passed SignDescriptor should include the raw (untweaked)
// revocation base public key of the receiver and also the proper double tweak
// value based on the commitment secret of the revoked commitment.
func CommitSpendRevoke(signer Signer, signDesc *SignDescriptor,
	sweepTx *wire.MsgTx) (TxWitness, error) {

	sweepSig, err := signer.SignOutputRaw(sweepTx, signDesc)
	if err != nil {
		return nil, err
	}

	// Place a 1 as the first item in the evaluated witness stack to
	// force script execution to the revocation clause.
	witnessStack := TxWitness(make([][]byte, 3))
	witnessStack[0] = append(sweepSig.Serialize(), byte(signDesc.HashType))
	witnessStack[1] = []byte{1}
	witnessStack[2] = signDesc.WitnessScript

	return witnessStack, nil
}

// CommitSpendNoDelay constructs a valid witness allowing a node to spend their
// settled no-delay output on the counterparty's commitment transaction. If the
// tweakless field is true, then we'll omit the set where we tweak the pubkey
// with a random set of bytes, and use it directly in the witness stack.
//
// NOTE: The passed SignDescriptor should include the raw (untweaked) public
// key of the receiver and also the proper single tweak value based on the
// current commitment point.
func CommitSpendNoDelay(signer Signer, signDesc *SignDescriptor,
	sweepTx *wire.MsgTx, tweakless bool) (TxWitness, error) {

	if signDesc.KeyDesc.PubKey == nil {
		return nil, fmt.Errorf("cannot generate witness with nil " +
			"KeyDesc pubkey")
	}

	// This is just a regular p2wkh spend which looks something like:
	//  * witness: <sig> <pubkey>
	sweepSig, err := signer.SignOutputRaw(sweepTx, signDesc)
	if err != nil {
		return nil, err
	}

	// Finally, we'll manually craft the witness. The witness here is the
	// exact same as a regular p2wkh witness, depending on the value of the
	// tweakless bool.
	witness := make([][]byte, 2)
	witness[0] = append(sweepSig.Serialize(), byte(signDesc.HashType))

	switch tweakless {
	// If we're tweaking the key, then we use the tweaked public key as the
	// last item in the witness stack which was originally used to created
	// the pkScript we're spending.
	case false:
		witness[1] = TweakPubKeyWithTweak(
			signDesc.KeyDesc.PubKey, signDesc.SingleTweak,
		).SerializeCompressed()

	// Otherwise, we can just use the raw pubkey, since there's no random
	// value to be combined.
	case true:
		witness[1] = signDesc.KeyDesc.PubKey.SerializeCompressed()
	}

	return witness, nil
}

// CommitScriptUnencumbered constructs the public key script on the commitment
// transaction paying to the "other" party. The constructed output is a normal
// p2wkh output spendable immediately, requiring no contestation period.
func CommitScriptUnencumbered(key *secp256k1.PublicKey) ([]byte, error) {
	// This script goes to the "other" party, and is spendable immediately.
	pkh := dcrutil.Hash160(key.SerializeCompressed())
	builder := txscript.NewScriptBuilder()
	builder.
		AddOp(txscript.OP_DUP).
		AddOp(txscript.OP_HASH160).
		AddData(pkh).
		AddOp(txscript.OP_EQUALVERIFY).
		AddOp(txscript.OP_CHECKSIG)

	return builder.Script()
}

// CommitScriptToRemoteConfirmed constructs the script for the output on the
// commitment transaction paying to the remote party of said commitment
// transaction. The money can only be spend after one confirmation.
//
// Possible Input Scripts:
//
//	SWEEP: <sig>
//
// Output Script:
//
//	<key> OP_CHECKSIGVERIFY
//	1 OP_CHECKSEQUENCEVERIFY
func CommitScriptToRemoteConfirmed(key *secp256k1.PublicKey) ([]byte, error) {
	builder := txscript.NewScriptBuilder()

	// Only the given key can spend the output.
	builder.AddData(key.SerializeCompressed())
	builder.AddOp(txscript.OP_CHECKSIGVERIFY)

	// Check that the it has one confirmation.
	builder.AddOp(txscript.OP_1)
	builder.AddOp(txscript.OP_CHECKSEQUENCEVERIFY)

	return builder.Script()
}

// LeaseCommitScriptToRemoteConfirmed constructs the script for the output on
// the commitment transaction paying to the remote party of said commitment
// transaction. The money can only be spend after one confirmation.
//
// Possible Input Scripts:
//
//	SWEEP: <sig>
//
// Output Script:
//
//		<key> OP_CHECKSIGVERIFY
//	     <lease maturity in blocks> OP_CHECKLOCKTIMEVERIFY OP_DROP
//		1 OP_CHECKSEQUENCEVERIFY
func LeaseCommitScriptToRemoteConfirmed(key *secp256k1.PublicKey,
	leaseExpiry uint32) ([]byte, error) {

	builder := txscript.NewScriptBuilder()

	// Only the given key can spend the output.
	builder.AddData(key.SerializeCompressed())
	builder.AddOp(txscript.OP_CHECKSIGVERIFY)

	// The channel initiator always has the additional channel lease
	// expiration constraint for outputs that pay to them which must be
	// satisfied.
	builder.AddInt64(int64(leaseExpiry))
	builder.AddOp(txscript.OP_CHECKLOCKTIMEVERIFY)
	builder.AddOp(txscript.OP_DROP)

	// Check that it has one confirmation.
	builder.AddOp(txscript.OP_1)
	builder.AddOp(txscript.OP_CHECKSEQUENCEVERIFY)

	return builder.Script()
}

// CommitSpendToRemoteConfirmed constructs a valid witness allowing a node to
// spend their settled output on the counterparty's commitment transaction when
// it has one confirmetion. This is used for the anchor channel type. The
// spending key will always be non-tweaked for this output type.
func CommitSpendToRemoteConfirmed(signer Signer, signDesc *SignDescriptor,
	sweepTx *wire.MsgTx) (TxWitness, error) {

	if signDesc.KeyDesc.PubKey == nil {
		return nil, fmt.Errorf("cannot generate witness with nil " +
			"KeyDesc pubkey")
	}

	// Similar to non delayed output, only a signature is needed.
	sweepSig, err := signer.SignOutputRaw(sweepTx, signDesc)
	if err != nil {
		return nil, err
	}

	// Finally, we'll manually craft the witness. The witness here is the
	// signature and the redeem script.
	witnessStack := make([][]byte, 2)
	witnessStack[0] = append(sweepSig.Serialize(), byte(signDesc.HashType))
	witnessStack[1] = signDesc.WitnessScript

	return witnessStack, nil
}

// CommitScriptAnchor constructs the script for the anchor output spendable by
// the given key immediately, or by anyone after 16 confirmations.
//
// Possible Input Scripts:
//
//	By owner:				<sig>
//	By anyone (after 16 conf):	<emptyvector>
//
// Output Script:
//
//	<funding_pubkey> OP_CHECKSIG OP_IFDUP
//	OP_NOTIF
//	  OP_16 OP_CSV
//	OP_ENDIF
func CommitScriptAnchor(key *secp256k1.PublicKey) ([]byte, error) {
	builder := txscript.NewScriptBuilder()

	// Spend immediately with key.
	builder.AddData(key.SerializeCompressed())
	builder.AddOp(txscript.OP_CHECKSIG)

	// Duplicate the value if true, since it will be consumed by the NOTIF.
	builder.AddOp(txscript.OP_IFDUP)

	// Otherwise spendable by anyone after 16 confirmations.
	builder.AddOp(txscript.OP_NOTIF)
	builder.AddOp(txscript.OP_16)
	builder.AddOp(txscript.OP_CHECKSEQUENCEVERIFY)
	builder.AddOp(txscript.OP_ENDIF)

	return builder.Script()
}

// CommitSpendAnchor constructs a valid witness allowing a node to spend their
// anchor output on the commitment transaction using their funding key. This is
// used for the anchor channel type.
func CommitSpendAnchor(signer Signer, signDesc *SignDescriptor,
	sweepTx *wire.MsgTx) (TxWitness, error) {

	if signDesc.KeyDesc.PubKey == nil {
		return nil, fmt.Errorf("cannot generate witness with nil " +
			"KeyDesc pubkey")
	}

	// Create a signature.
	sweepSig, err := signer.SignOutputRaw(sweepTx, signDesc)
	if err != nil {
		return nil, err
	}

	// The witness here is just a signature and the redeem script.
	witnessStack := make([][]byte, 2)
	witnessStack[0] = append(sweepSig.Serialize(), byte(signDesc.HashType))
	witnessStack[1] = signDesc.WitnessScript

	return witnessStack, nil
}

// CommitSpendAnchorAnyone constructs a witness allowing anyone to spend the
// anchor output after it has gotten 16 confirmations. Since no signing is
// required, only knowledge of the redeem script is necessary to spend it.
func CommitSpendAnchorAnyone(script []byte) (TxWitness, error) {
	// The witness here is just the redeem script.
	witnessStack := make([][]byte, 2)
	witnessStack[0] = nil
	witnessStack[1] = script

	return witnessStack, nil
}

// SingleTweakBytes computes set of bytes we call the single tweak. The purpose
// of the single tweak is to randomize all regular delay and payment base
// points. To do this, we generate a hash that binds the commitment point to
// the pay/delay base point. The end result is that the basePoint is tweaked as
// follows:
//
//   - key = basePoint + sha256(commitPoint || basePoint)*G
func SingleTweakBytes(commitPoint, basePoint *secp256k1.PublicKey) []byte {
	h := sha256.New()
	h.Write(commitPoint.SerializeCompressed())
	h.Write(basePoint.SerializeCompressed())
	return h.Sum(nil)
}

// TweakPubKey tweaks a public base point given a per commitment point. The per
// commitment point is a unique point on our target curve for each commitment
// transaction. When tweaking a local base point for use in a remote commitment
// transaction, the remote party's current per commitment point is to be used.
// The opposite applies for when tweaking remote keys. Precisely, the following
// operation is used to "tweak" public keys:
//
//	tweakPub := basePoint + sha256(commitPoint || basePoint) * G
//	         := G*k + sha256(commitPoint || basePoint)*G
//	         := G*(k + sha256(commitPoint || basePoint))
//
// Therefore, if a party possess the value k, the private key of the base
// point, then they are able to derive the proper private key for the
// revokeKey by computing:
//
//	revokePriv := k + sha256(commitPoint || basePoint) mod N
//
// Where N is the order of the sub-group.
//
// The rationale for tweaking all public keys used within the commitment
// contracts is to ensure that all keys are properly delinearized to avoid any
// funny business when jointly collaborating to compute public and private
// keys. Additionally, the use of the per commitment point ensures that each
// commitment state houses a unique set of keys which is useful when creating
// blinded channel outsourcing protocols.
//
// TODO(roasbeef): should be using double-scalar mult here
func TweakPubKey(basePoint, commitPoint *secp256k1.PublicKey) *secp256k1.PublicKey {
	tweakBytes := SingleTweakBytes(commitPoint, basePoint)
	return TweakPubKeyWithTweak(basePoint, tweakBytes)
}

// TweakPubKeyWithTweak is the exact same as the TweakPubKey function, however
// it accepts the raw tweak bytes directly rather than the commitment point.
func TweakPubKeyWithTweak(pubKey *secp256k1.PublicKey, tweakBytes []byte) *secp256k1.PublicKey {
	// TODO(decred): fully switch to secp256k.JacobianPoint repr.
	curve := secp256k1.S256()
	tweakX, tweakY := curve.ScalarBaseMult(tweakBytes)

	// TODO(roasbeef): check that both passed on curve?
	x, y := curve.Add(pubKey.X(), pubKey.Y(), tweakX, tweakY)
	var fx, fy secp256k1.FieldVal
	fx.SetByteSlice(x.Bytes())
	fy.SetByteSlice(y.Bytes())
	return secp256k1.NewPublicKey(&fx, &fy)
}

// TweakPrivKey tweaks the private key of a public base point given a per
// commitment point. The per commitment secret is the revealed revocation
// secret for the commitment state in question. This private key will only need
// to be generated in the case that a channel counter party broadcasts a
// revoked state. Precisely, the following operation is used to derive a
// tweaked private key:
//
//   - tweakPriv := basePriv + sha256(commitment || basePub) mod N
//
// Where N is the order of the sub-group.
func TweakPrivKey(basePriv *secp256k1.PrivateKey, commitTweak []byte) *secp256k1.PrivateKey {
	// tweakInt := sha256(commitPoint || basePub)
	tweakInt := new(big.Int).SetBytes(commitTweak)

	// TODO(decred): Fully switch to fieldVal repr.
	d := new(big.Int).SetBytes(basePriv.Serialize())
	tweakInt = tweakInt.Add(tweakInt, d)
	tweakInt = tweakInt.Mod(tweakInt, secp256k1.S256().N)

	tweakPriv := secp256k1.PrivKeyFromBytes(tweakInt.Bytes())
	return tweakPriv
}

// DeriveRevocationPubkey derives the revocation public key given the
// counterparty's commitment key, and revocation preimage derived via a
// pseudo-random-function. In the event that we (for some reason) broadcast a
// revoked commitment transaction, then if the other party knows the revocation
// preimage, then they'll be able to derive the corresponding private key to
// this private key by exploiting the homomorphism in the elliptic curve group:
//   - https://en.wikipedia.org/wiki/Group_homomorphism#Homomorphisms_of_abelian_groups
//
// The derivation is performed as follows:
//
//	revokeKey := revokeBase * sha256(revocationBase || commitPoint) +
//	             commitPoint * sha256(commitPoint || revocationBase)
//
//	          := G*(revokeBasePriv * sha256(revocationBase || commitPoint)) +
//	             G*(commitSecret * sha256(commitPoint || revocationBase))
//
//	          := G*(revokeBasePriv * sha256(revocationBase || commitPoint) +
//	                commitSecret * sha256(commitPoint || revocationBase))
//
// Therefore, once we divulge the revocation secret, the remote peer is able to
// compute the proper private key for the revokeKey by computing:
//
//	revokePriv := (revokeBasePriv * sha256(revocationBase || commitPoint)) +
//	              (commitSecret * sha256(commitPoint || revocationBase)) mod N
//
// Where N is the order of the sub-group.
func DeriveRevocationPubkey(revokeBase, commitPoint *secp256k1.PublicKey) *secp256k1.PublicKey {
	// TODO(decred): fully switch to secp256k1.JacobianPoint repr.

	// R = revokeBase * sha256(revocationBase || commitPoint)
	revokeTweakBytes := SingleTweakBytes(revokeBase, commitPoint)
	rX, rY := secp256k1.S256().ScalarMult(revokeBase.X(), revokeBase.Y(),
		revokeTweakBytes)

	// C = commitPoint * sha256(commitPoint || revocationBase)
	commitTweakBytes := SingleTweakBytes(commitPoint, revokeBase)
	cX, cY := secp256k1.S256().ScalarMult(commitPoint.X(), commitPoint.Y(),
		commitTweakBytes)

	// Now that we have the revocation point, we add this to their commitment
	// public key in order to obtain the revocation public key.
	//
	// P = R + C
	revX, revY := secp256k1.S256().Add(rX, rY, cX, cY)
	var fx, fy secp256k1.FieldVal
	fx.SetByteSlice(revX.Bytes())
	fy.SetByteSlice(revY.Bytes())
	return secp256k1.NewPublicKey(&fx, &fy)
}

// DeriveRevocationPrivKey derives the revocation private key given a node's
// commitment private key, and the preimage to a previously seen revocation
// hash. Using this derived private key, a node is able to claim the output
// within the commitment transaction of a node in the case that they broadcast
// a previously revoked commitment transaction.
//
// The private key is derived as follows:
//
//	revokePriv := (revokeBasePriv * sha256(revocationBase || commitPoint)) +
//	              (commitSecret * sha256(commitPoint || revocationBase)) mod N
//
// Where N is the order of the sub-group.
func DeriveRevocationPrivKey(revokeBasePriv *secp256k1.PrivateKey,
	commitSecret *secp256k1.PrivateKey) *secp256k1.PrivateKey {

	// TODO(decred): Switch to secpp256k1.JacobianPoint repr.

	// r = sha256(revokeBasePub || commitPoint)
	revokeTweakBytes := SingleTweakBytes(
		revokeBasePriv.PubKey(),
		commitSecret.PubKey())
	revokeTweakInt := new(big.Int).SetBytes(revokeTweakBytes)

	// c = sha256(commitPoint || revokeBasePub)
	commitTweakBytes := SingleTweakBytes(
		commitSecret.PubKey(),
		revokeBasePriv.PubKey())
	commitTweakInt := new(big.Int).SetBytes(commitTweakBytes)

	// Finally to derive the revocation secret key we'll perform the
	// following operation:
	//
	//  k = (revocationPriv * r) + (commitSecret * c) mod N
	//
	// This works since:
	//  P = (G*a)*b + (G*c)*d
	//  P = G*(a*b) + G*(c*d)
	//  P = G*(a*b + c*d)
	revokeD := new(big.Int).SetBytes(revokeBasePriv.Serialize())
	commitD := new(big.Int).SetBytes(commitSecret.Serialize())
	revokeHalfPriv := revokeTweakInt.Mul(revokeTweakInt, revokeD)
	commitHalfPriv := commitTweakInt.Mul(commitTweakInt, commitD)

	revocationPriv := revokeHalfPriv.Add(revokeHalfPriv, commitHalfPriv)
	revocationPriv = revocationPriv.Mod(revocationPriv, secp256k1.S256().N)

	priv := secp256k1.PrivKeyFromBytes(revocationPriv.Bytes())
	return priv
}

// ComputeCommitmentPoint generates a commitment point given a commitment
// secret. The commitment point for each state is used to randomize each key in
// the key-ring and also to used as a tweak to derive new public+private keys
// for the state.
func ComputeCommitmentPoint(commitSecret []byte) *secp256k1.PublicKey {
	priv := secp256k1.PrivKeyFromBytes(commitSecret)
	return priv.PubKey()
}