lnd/itest/lnd_taproot_test.go

package itest

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"testing"

	"github.com/btcsuite/btcd/blockchain"
	"github.com/btcsuite/btcd/btcec/v2"
	"github.com/btcsuite/btcd/btcec/v2/schnorr"
	"github.com/btcsuite/btcd/btcutil"
	"github.com/btcsuite/btcd/btcutil/psbt"
	"github.com/btcsuite/btcd/chaincfg/chainhash"
	"github.com/btcsuite/btcd/txscript"
	"github.com/btcsuite/btcd/wire"
	"github.com/lightningnetwork/lnd/funding"
	"github.com/lightningnetwork/lnd/input"
	"github.com/lightningnetwork/lnd/lnrpc"
	"github.com/lightningnetwork/lnd/lnrpc/chainrpc"
	"github.com/lightningnetwork/lnd/lnrpc/signrpc"
	"github.com/lightningnetwork/lnd/lnrpc/walletrpc"
	"github.com/lightningnetwork/lnd/lntest"
	"github.com/lightningnetwork/lnd/lntest/node"
	"github.com/lightningnetwork/lnd/lnwallet/chainfee"
	"github.com/stretchr/testify/require"
)

const (
	testTaprootKeyFamily = 77
	testAmount           = 800_000
	signMethodBip86      = signrpc.SignMethod_SIGN_METHOD_TAPROOT_KEY_SPEND_BIP0086
	signMethodRootHash   = signrpc.SignMethod_SIGN_METHOD_TAPROOT_KEY_SPEND
	signMethodTapscript  = signrpc.SignMethod_SIGN_METHOD_TAPROOT_SCRIPT_SPEND
)

var (
	hexDecode = func(keyStr string) []byte {
		keyBytes, _ := hex.DecodeString(keyStr)
		return keyBytes
	}
	dummyInternalKey, _ = btcec.ParsePubKey(hexDecode(
		"03464805f5468e294d88cf15a3f06aef6c89d63ef1bd7b42db2e0c74c1ac" +
			"eb90fe",
	))
)

// testTaproot ensures that the daemon can send to and spend from taproot (p2tr)
// outputs.
func testTaproot(ht *lntest.HarnessTest) {
	testTaprootSendCoinsKeySpendBip86(ht, ht.Alice)
	testTaprootComputeInputScriptKeySpendBip86(ht, ht.Alice)
	testTaprootSignOutputRawScriptSpend(ht, ht.Alice)
	testTaprootSignOutputRawScriptSpend(
		ht, ht.Alice, txscript.SigHashSingle,
	)
	testTaprootSignOutputRawKeySpendBip86(ht, ht.Alice)
	testTaprootSignOutputRawKeySpendBip86(
		ht, ht.Alice, txscript.SigHashSingle,
	)
	testTaprootSignOutputRawKeySpendRootHash(ht, ht.Alice)

	muSig2Versions := []signrpc.MuSig2Version{
		signrpc.MuSig2Version_MUSIG2_VERSION_V040,
		signrpc.MuSig2Version_MUSIG2_VERSION_V100RC2,
	}
	for _, version := range muSig2Versions {
		testTaprootMuSig2KeySpendBip86(ht, ht.Alice, version)
		testTaprootMuSig2KeySpendRootHash(ht, ht.Alice, version)
		testTaprootMuSig2ScriptSpend(ht, ht.Alice, version)
		testTaprootMuSig2CombinedLeafKeySpend(ht, ht.Alice, version)
		testMuSig2CombineKey(ht, ht.Alice, version)
	}

	testTaprootImportTapscriptFullTree(ht, ht.Alice)
	testTaprootImportTapscriptPartialReveal(ht, ht.Alice)
	testTaprootImportTapscriptRootHashOnly(ht, ht.Alice)
	testTaprootImportTapscriptFullKey(ht, ht.Alice)
}

// testTaprootSendCoinsKeySpendBip86 tests sending to and spending from
// p2tr key spend only (BIP-0086) addresses through the SendCoins RPC which
// internally uses the ComputeInputScript method for signing.
func testTaprootSendCoinsKeySpendBip86(ht *lntest.HarnessTest,
	alice *node.HarnessNode) {

	// We'll start the test by sending Alice some coins, which she'll use to
	// send to herself on a p2tr output.
	ht.FundCoins(btcutil.SatoshiPerBitcoin, alice)

	// Let's create a p2tr address now.
	p2trResp := alice.RPC.NewAddress(&lnrpc.NewAddressRequest{
		Type: AddrTypeTaprootPubkey,
	})

	// Assert this is a segwit v1 address that starts with bcrt1p.
	require.Contains(
		ht, p2trResp.Address, ht.Miner.ActiveNet.Bech32HRPSegwit+"1p",
	)

	// Send the coins from Alice's wallet to her own, but to the new p2tr
	// address.
	alice.RPC.SendCoins(&lnrpc.SendCoinsRequest{
		Addr:   p2trResp.Address,
		Amount: 0.5 * btcutil.SatoshiPerBitcoin,
	})

	txid := ht.Miner.AssertNumTxsInMempool(1)[0]

	// Wait until bob has seen the tx and considers it as owned.
	p2trOutputIndex := ht.GetOutputIndex(txid, p2trResp.Address)
	op := &lnrpc.OutPoint{
		TxidBytes:   txid[:],
		OutputIndex: uint32(p2trOutputIndex),
	}
	ht.AssertUTXOInWallet(alice, op, "")

	// Mine a block to clean up the mempool.
	ht.MineBlocksAndAssertNumTxes(1, 1)

	// Let's sweep the whole wallet to a new p2tr address, making sure we
	// can sign transactions with v0 and v1 inputs.
	p2trResp = alice.RPC.NewAddress(&lnrpc.NewAddressRequest{
		Type: lnrpc.AddressType_TAPROOT_PUBKEY,
	})

	alice.RPC.SendCoins(&lnrpc.SendCoinsRequest{
		Addr:    p2trResp.Address,
		SendAll: true,
	})

	// Make sure the coins sent to the address are confirmed correctly,
	// including the confirmation notification.
	confirmAddress(ht, alice, p2trResp.Address)
}

// testTaprootComputeInputScriptKeySpendBip86 tests sending to and spending from
// p2tr key spend only (BIP-0086) addresses through the SendCoins RPC which
// internally uses the ComputeInputScript method for signing.
func testTaprootComputeInputScriptKeySpendBip86(ht *lntest.HarnessTest,
	alice *node.HarnessNode) {

	// We'll start the test by sending Alice some coins, which she'll use
	// to send to herself on a p2tr output.
	ht.FundCoins(btcutil.SatoshiPerBitcoin, alice)

	// Let's create a p2tr address now.
	p2trAddr, p2trPkScript := newAddrWithScript(
		ht, alice, lnrpc.AddressType_TAPROOT_PUBKEY,
	)

	// Send the coins from Alice's wallet to her own, but to the new p2tr
	// address.
	req := &lnrpc.SendCoinsRequest{
		Addr:   p2trAddr.String(),
		Amount: testAmount,
	}
	alice.RPC.SendCoins(req)

	// Wait until bob has seen the tx and considers it as owned.
	txid := ht.Miner.AssertNumTxsInMempool(1)[0]
	p2trOutputIndex := ht.GetOutputIndex(txid, p2trAddr.String())
	op := &lnrpc.OutPoint{
		TxidBytes:   txid[:],
		OutputIndex: uint32(p2trOutputIndex),
	}
	ht.AssertUTXOInWallet(alice, op, "")

	p2trOutpoint := wire.OutPoint{
		Hash:  *txid,
		Index: uint32(p2trOutputIndex),
	}

	// Mine a block to clean up the mempool.
	ht.MineBlocksAndAssertNumTxes(1, 1)

	// We'll send the coins back to a p2wkh address.
	p2wkhAddr, p2wkhPkScript := newAddrWithScript(
		ht, alice, lnrpc.AddressType_WITNESS_PUBKEY_HASH,
	)

	// Create fee estimation for a p2tr input and p2wkh output.
	feeRate := chainfee.SatPerKWeight(12500)
	estimator := input.TxWeightEstimator{}
	estimator.AddTaprootKeySpendInput(txscript.SigHashDefault)
	estimator.AddP2WKHOutput()
	estimatedWeight := int64(estimator.Weight())
	requiredFee := feeRate.FeeForWeight(estimatedWeight)

	tx := wire.NewMsgTx(2)
	tx.TxIn = []*wire.TxIn{{
		PreviousOutPoint: p2trOutpoint,
	}}
	value := int64(testAmount - requiredFee)
	tx.TxOut = []*wire.TxOut{{
		PkScript: p2wkhPkScript,
		Value:    value,
	}}

	var buf bytes.Buffer
	require.NoError(ht, tx.Serialize(&buf))

	utxoInfo := []*signrpc.TxOut{{
		PkScript: p2trPkScript,
		Value:    testAmount,
	}}
	signReq := &signrpc.SignReq{
		RawTxBytes: buf.Bytes(),
		SignDescs: []*signrpc.SignDescriptor{{
			Output:     utxoInfo[0],
			InputIndex: 0,
			Sighash:    uint32(txscript.SigHashDefault),
		}},
		PrevOutputs: utxoInfo,
	}
	signResp := alice.RPC.ComputeInputScript(signReq)

	tx.TxIn[0].Witness = signResp.InputScripts[0].Witness

	// Serialize, weigh and publish the TX now, then make sure the
	// coins are sent and confirmed to the final sweep destination address.
	publishTxAndConfirmSweep(
		ht, alice, tx, estimatedWeight,
		&chainrpc.SpendRequest{
			Outpoint: &chainrpc.Outpoint{
				Hash:  p2trOutpoint.Hash[:],
				Index: p2trOutpoint.Index,
			},
			Script: p2trPkScript,
		},
		p2wkhAddr.String(),
	)
}

// testTaprootSignOutputRawScriptSpend tests sending to and spending from p2tr
// script addresses using the script path with the SignOutputRaw RPC.
func testTaprootSignOutputRawScriptSpend(ht *lntest.HarnessTest,
	alice *node.HarnessNode, sigHashType ...txscript.SigHashType) {

	// For the next step, we need a public key. Let's use a special family
	// for this.
	req := &walletrpc.KeyReq{KeyFamily: testTaprootKeyFamily}
	keyDesc := alice.RPC.DeriveNextKey(req)

	leafSigningKey, err := btcec.ParsePubKey(keyDesc.RawKeyBytes)
	require.NoError(ht, err)

	// Let's create a taproot script output now. This is a hash lock with a
	// simple preimage of "foobar".
	leaf1 := testScriptHashLock(ht.T, []byte("foobar"))

	// Let's add a second script output as well to test the partial reveal.
	leaf2 := testScriptSchnorrSig(ht.T, leafSigningKey)

	inclusionProof := leaf1.TapHash()
	tapscript := input.TapscriptPartialReveal(
		dummyInternalKey, leaf2, inclusionProof[:],
	)
	taprootKey, err := tapscript.TaprootKey()
	require.NoError(ht, err)

	// Send some coins to the generated tapscript address.
	p2trOutpoint, p2trPkScript := sendToTaprootOutput(ht, alice, taprootKey)

	// Spend the output again, this time back to a p2wkh address.
	p2wkhAddr, p2wkhPkScript := newAddrWithScript(
		ht, alice, lnrpc.AddressType_WITNESS_PUBKEY_HASH,
	)

	// Create fee estimation for a p2tr input and p2wkh output.
	feeRate := chainfee.SatPerKWeight(12500)
	estimator := input.TxWeightEstimator{}
	estimator.AddTapscriptInput(
		input.TaprootSignatureWitnessSize, tapscript,
	)
	estimator.AddP2WKHOutput()

	estimatedWeight := int64(estimator.Weight())
	sigHash := txscript.SigHashDefault
	if len(sigHashType) != 0 {
		sigHash = sigHashType[0]

		// If a non-default sighash is used, then we'll need to add an
		// extra byte to account for the sighash that doesn't exist in
		// the default case.
		estimatedWeight++
	}

	requiredFee := feeRate.FeeForWeight(estimatedWeight)

	tx := wire.NewMsgTx(2)
	tx.TxIn = []*wire.TxIn{{
		PreviousOutPoint: p2trOutpoint,
	}}
	value := int64(testAmount - requiredFee)
	tx.TxOut = []*wire.TxOut{{
		PkScript: p2wkhPkScript,
		Value:    value,
	}}

	var buf bytes.Buffer
	require.NoError(ht, tx.Serialize(&buf))

	utxoInfo := []*signrpc.TxOut{{
		PkScript: p2trPkScript,
		Value:    testAmount,
	}}

	// Before we actually sign, we want to make sure that we get an error
	// when we try to sign for a Taproot output without specifying all UTXO
	// information.
	signReq := &signrpc.SignReq{
		RawTxBytes: buf.Bytes(),
		SignDescs: []*signrpc.SignDescriptor{{
			Output:        utxoInfo[0],
			InputIndex:    0,
			KeyDesc:       keyDesc,
			Sighash:       uint32(sigHash),
			WitnessScript: leaf2.Script,
			SignMethod:    signMethodTapscript,
		}},
	}
	err = alice.RPC.SignOutputRawErr(signReq)
	require.Contains(
		ht, err.Error(), "error signing taproot output, transaction "+
			"input 0 is missing its previous outpoint information",
	)

	// We also want to make sure we get an error when we don't specify the
	// correct signing method.
	signReq = &signrpc.SignReq{
		RawTxBytes: buf.Bytes(),
		SignDescs: []*signrpc.SignDescriptor{{
			Output:        utxoInfo[0],
			InputIndex:    0,
			KeyDesc:       keyDesc,
			Sighash:       uint32(sigHash),
			WitnessScript: leaf2.Script,
		}},
		PrevOutputs: utxoInfo,
	}
	err = alice.RPC.SignOutputRawErr(signReq)
	require.Contains(
		ht, err.Error(), "selected sign method witness_v0 is not "+
			"compatible with given pk script 5120",
	)

	// Do the actual signing now.
	signReq = &signrpc.SignReq{
		RawTxBytes: buf.Bytes(),
		SignDescs: []*signrpc.SignDescriptor{{
			Output:        utxoInfo[0],
			InputIndex:    0,
			KeyDesc:       keyDesc,
			Sighash:       uint32(sigHash),
			WitnessScript: leaf2.Script,
			SignMethod:    signMethodTapscript,
		}},
		PrevOutputs: utxoInfo,
	}
	signResp := alice.RPC.SignOutputRaw(signReq)

	// We can now assemble the witness stack.
	controlBlockBytes, err := tapscript.ControlBlock.ToBytes()
	require.NoError(ht, err)

	sig := signResp.RawSigs[0]
	if len(sigHashType) != 0 {
		sig = append(sig, byte(sigHashType[0]))
	}
	tx.TxIn[0].Witness = wire.TxWitness{
		sig, leaf2.Script, controlBlockBytes,
	}

	// Serialize, weigh and publish the TX now, then make sure the
	// coins are sent and confirmed to the final sweep destination address.
	publishTxAndConfirmSweep(
		ht, alice, tx, estimatedWeight,
		&chainrpc.SpendRequest{
			Outpoint: &chainrpc.Outpoint{
				Hash:  p2trOutpoint.Hash[:],
				Index: p2trOutpoint.Index,
			},
			Script: p2trPkScript,
		},
		p2wkhAddr.String(),
	)
}

// testTaprootSignOutputRawKeySpendBip86 tests that a tapscript address can
// also be spent using the key spend path through the SignOutputRaw RPC using a
// BIP0086 key spend only commitment.
func testTaprootSignOutputRawKeySpendBip86(ht *lntest.HarnessTest,
	alice *node.HarnessNode, sigHashType ...txscript.SigHashType) {

	// For the next step, we need a public key. Let's use a special family
	// for this.
	req := &walletrpc.KeyReq{KeyFamily: testTaprootKeyFamily}
	keyDesc := alice.RPC.DeriveNextKey(req)

	internalKey, err := btcec.ParsePubKey(keyDesc.RawKeyBytes)
	require.NoError(ht, err)

	// We want to make sure we can still use a tweaked key, even if it ends
	// up being essentially double tweaked because of the taproot root hash.
	dummyKeyTweak := sha256.Sum256([]byte("this is a key tweak"))
	internalKey = input.TweakPubKeyWithTweak(internalKey, dummyKeyTweak[:])

	// Our taproot key is a BIP0086 key spend only construction that just
	// commits to the internal key and no root hash.
	taprootKey := txscript.ComputeTaprootKeyNoScript(internalKey)

	// Send some coins to the generated tapscript address.
	p2trOutpoint, p2trPkScript := sendToTaprootOutput(ht, alice, taprootKey)

	// Spend the output again, this time back to a p2wkh address.
	p2wkhAddr, p2wkhPkScript := newAddrWithScript(
		ht, alice, lnrpc.AddressType_WITNESS_PUBKEY_HASH,
	)

	sigHash := txscript.SigHashDefault
	if len(sigHashType) != 0 {
		sigHash = sigHashType[0]
	}

	// Create fee estimation for a p2tr input and p2wkh output.
	feeRate := chainfee.SatPerKWeight(12500)
	estimator := input.TxWeightEstimator{}
	estimator.AddTaprootKeySpendInput(sigHash)
	estimator.AddP2WKHOutput()
	estimatedWeight := int64(estimator.Weight())
	requiredFee := feeRate.FeeForWeight(estimatedWeight)

	tx := wire.NewMsgTx(2)
	tx.TxIn = []*wire.TxIn{{
		PreviousOutPoint: p2trOutpoint,
	}}
	value := int64(testAmount - requiredFee)
	tx.TxOut = []*wire.TxOut{{
		PkScript: p2wkhPkScript,
		Value:    value,
	}}

	var buf bytes.Buffer
	require.NoError(ht, tx.Serialize(&buf))

	utxoInfo := []*signrpc.TxOut{{
		PkScript: p2trPkScript,
		Value:    testAmount,
	}}
	signReq := &signrpc.SignReq{
		RawTxBytes: buf.Bytes(),
		SignDescs: []*signrpc.SignDescriptor{{
			Output:      utxoInfo[0],
			InputIndex:  0,
			KeyDesc:     keyDesc,
			SingleTweak: dummyKeyTweak[:],
			Sighash:     uint32(sigHash),
			SignMethod:  signMethodBip86,
		}},
		PrevOutputs: utxoInfo,
	}
	signResp := alice.RPC.SignOutputRaw(signReq)

	sig := signResp.RawSigs[0]
	if len(sigHashType) != 0 {
		sig = append(sig, byte(sigHash))
	}
	tx.TxIn[0].Witness = wire.TxWitness{sig}

	// Serialize, weigh and publish the TX now, then make sure the
	// coins are sent and confirmed to the final sweep destination address.
	publishTxAndConfirmSweep(
		ht, alice, tx, estimatedWeight,
		&chainrpc.SpendRequest{
			Outpoint: &chainrpc.Outpoint{
				Hash:  p2trOutpoint.Hash[:],
				Index: p2trOutpoint.Index,
			},
			Script: p2trPkScript,
		},
		p2wkhAddr.String(),
	)
}

// testTaprootSignOutputRawKeySpendRootHash tests that a tapscript address can
// also be spent using the key spend path through the SignOutputRaw RPC using a
// tapscript root hash.
func testTaprootSignOutputRawKeySpendRootHash(ht *lntest.HarnessTest,
	alice *node.HarnessNode) {

	// For the next step, we need a public key. Let's use a special family
	// for this.
	req := &walletrpc.KeyReq{KeyFamily: testTaprootKeyFamily}
	keyDesc := alice.RPC.DeriveNextKey(req)

	internalKey, err := btcec.ParsePubKey(keyDesc.RawKeyBytes)
	require.NoError(ht, err)

	// We want to make sure we can still use a tweaked key, even if it ends
	// up being essentially double tweaked because of the taproot root hash.
	dummyKeyTweak := sha256.Sum256([]byte("this is a key tweak"))
	internalKey = input.TweakPubKeyWithTweak(internalKey, dummyKeyTweak[:])

	// Let's create a taproot script output now. This is a hash lock with a
	// simple preimage of "foobar".
	leaf1 := testScriptHashLock(ht.T, []byte("foobar"))

	rootHash := leaf1.TapHash()
	taprootKey := txscript.ComputeTaprootOutputKey(internalKey, rootHash[:])

	// Send some coins to the generated tapscript address.
	p2trOutpoint, p2trPkScript := sendToTaprootOutput(ht, alice, taprootKey)

	// Spend the output again, this time back to a p2wkh address.
	p2wkhAddr, p2wkhPkScript := newAddrWithScript(
		ht, alice, lnrpc.AddressType_WITNESS_PUBKEY_HASH,
	)

	// Create fee estimation for a p2tr input and p2wkh output.
	feeRate := chainfee.SatPerKWeight(12500)
	estimator := input.TxWeightEstimator{}
	estimator.AddTaprootKeySpendInput(txscript.SigHashDefault)
	estimator.AddP2WKHOutput()
	estimatedWeight := int64(estimator.Weight())
	requiredFee := feeRate.FeeForWeight(estimatedWeight)

	tx := wire.NewMsgTx(2)
	tx.TxIn = []*wire.TxIn{{
		PreviousOutPoint: p2trOutpoint,
	}}
	value := int64(testAmount - requiredFee)
	tx.TxOut = []*wire.TxOut{{
		PkScript: p2wkhPkScript,
		Value:    value,
	}}

	var buf bytes.Buffer
	require.NoError(ht, tx.Serialize(&buf))

	utxoInfo := []*signrpc.TxOut{{
		PkScript: p2trPkScript,
		Value:    testAmount,
	}}
	signReq := &signrpc.SignReq{
		RawTxBytes: buf.Bytes(),
		SignDescs: []*signrpc.SignDescriptor{{
			Output:      utxoInfo[0],
			InputIndex:  0,
			KeyDesc:     keyDesc,
			SingleTweak: dummyKeyTweak[:],
			Sighash:     uint32(txscript.SigHashDefault),
			TapTweak:    rootHash[:],
			SignMethod:  signMethodRootHash,
		}},
		PrevOutputs: utxoInfo,
	}
	signResp := alice.RPC.SignOutputRaw(signReq)
	tx.TxIn[0].Witness = wire.TxWitness{
		signResp.RawSigs[0],
	}

	// Serialize, weigh and publish the TX now, then make sure the
	// coins are sent and confirmed to the final sweep destination address.
	publishTxAndConfirmSweep(
		ht, alice, tx, estimatedWeight,
		&chainrpc.SpendRequest{
			Outpoint: &chainrpc.Outpoint{
				Hash:  p2trOutpoint.Hash[:],
				Index: p2trOutpoint.Index,
			},
			Script: p2trPkScript,
		},
		p2wkhAddr.String(),
	)
}

// testTaprootMuSig2KeySpendBip86 tests that a combined MuSig2 key can also be
// used as a BIP-0086 key spend only key.
func testTaprootMuSig2KeySpendBip86(ht *lntest.HarnessTest,
	alice *node.HarnessNode, version signrpc.MuSig2Version) {

	// We're not going to commit to a script. So our taproot tweak will be
	// empty and just specify the necessary flag.
	taprootTweak := &signrpc.TaprootTweakDesc{
		KeySpendOnly: true,
	}

	keyDesc1, keyDesc2, keyDesc3, allPubKeys := deriveSigningKeys(
		ht, alice, version,
	)
	_, taprootKey, sessResp1, sessResp2, sessResp3 := createMuSigSessions(
		ht, alice, taprootTweak, keyDesc1, keyDesc2, keyDesc3,
		allPubKeys, version,
	)

	// Send some coins to the generated tapscript address.
	p2trOutpoint, p2trPkScript := sendToTaprootOutput(ht, alice, taprootKey)

	// Spend the output again, this time back to a p2wkh address.
	p2wkhAddr, p2wkhPkScript := newAddrWithScript(
		ht, alice, lnrpc.AddressType_WITNESS_PUBKEY_HASH,
	)

	// Create fee estimation for a p2tr input and p2wkh output.
	feeRate := chainfee.SatPerKWeight(12500)
	estimator := input.TxWeightEstimator{}
	estimator.AddTaprootKeySpendInput(txscript.SigHashDefault)
	estimator.AddP2WKHOutput()
	estimatedWeight := int64(estimator.Weight())
	requiredFee := feeRate.FeeForWeight(estimatedWeight)

	tx := wire.NewMsgTx(2)
	tx.TxIn = []*wire.TxIn{{
		PreviousOutPoint: p2trOutpoint,
	}}
	value := int64(testAmount - requiredFee)
	tx.TxOut = []*wire.TxOut{{
		PkScript: p2wkhPkScript,
		Value:    value,
	}}

	var buf bytes.Buffer
	require.NoError(ht, tx.Serialize(&buf))

	utxoInfo := []*signrpc.TxOut{{
		PkScript: p2trPkScript,
		Value:    testAmount,
	}}

	// We now need to create the raw sighash of the transaction, as that
	// will be the message we're signing collaboratively.
	prevOutputFetcher := txscript.NewCannedPrevOutputFetcher(
		utxoInfo[0].PkScript, utxoInfo[0].Value,
	)
	sighashes := txscript.NewTxSigHashes(tx, prevOutputFetcher)

	sigHash, err := txscript.CalcTaprootSignatureHash(
		sighashes, txscript.SigHashDefault, tx, 0, prevOutputFetcher,
	)
	require.NoError(ht, err)

	// Now that we have the transaction prepared, we need to start with the
	// signing. We simulate all three parties here, so we need to do
	// everything three times. But because we're going to use session 1 to
	// combine everything, we don't need its response, as it will store its
	// own signature.
	signReq := &signrpc.MuSig2SignRequest{
		SessionId:     sessResp1.SessionId,
		MessageDigest: sigHash,
	}
	alice.RPC.MuSig2Sign(signReq)

	signReq = &signrpc.MuSig2SignRequest{
		SessionId:     sessResp2.SessionId,
		MessageDigest: sigHash,
		Cleanup:       true,
	}
	signResp2 := alice.RPC.MuSig2Sign(signReq)

	signReq = &signrpc.MuSig2SignRequest{
		SessionId:     sessResp3.SessionId,
		MessageDigest: sigHash,
		Cleanup:       true,
	}
	signResp3 := alice.RPC.MuSig2Sign(signReq)

	// Luckily only one of the signers needs to combine the signature, so
	// let's do that now.
	combineReq := &signrpc.MuSig2CombineSigRequest{
		SessionId: sessResp1.SessionId,
		OtherPartialSignatures: [][]byte{
			signResp2.LocalPartialSignature,
			signResp3.LocalPartialSignature,
		},
	}
	combineResp := alice.RPC.MuSig2CombineSig(combineReq)
	require.Equal(ht, true, combineResp.HaveAllSignatures)
	require.NotEmpty(ht, combineResp.FinalSignature)

	sig, err := schnorr.ParseSignature(combineResp.FinalSignature)
	require.NoError(ht, err)
	require.True(ht, sig.Verify(sigHash, taprootKey))

	tx.TxIn[0].Witness = wire.TxWitness{
		combineResp.FinalSignature,
	}

	// Serialize, weigh and publish the TX now, then make sure the
	// coins are sent and confirmed to the final sweep destination address.
	publishTxAndConfirmSweep(
		ht, alice, tx, estimatedWeight,
		&chainrpc.SpendRequest{
			Outpoint: &chainrpc.Outpoint{
				Hash:  p2trOutpoint.Hash[:],
				Index: p2trOutpoint.Index,
			},
			Script: p2trPkScript,
		},
		p2wkhAddr.String(),
	)
}

// testTaprootMuSig2KeySpendRootHash tests that a tapscript address can also be
// spent using a MuSig2 combined key.
func testTaprootMuSig2KeySpendRootHash(ht *lntest.HarnessTest,
	alice *node.HarnessNode, version signrpc.MuSig2Version) {

	// We're going to commit to a script as well. This is a hash lock with a
	// simple preimage of "foobar". We need to know this upfront so, we can
	// specify the taproot tweak with the root hash when creating the Musig2
	// signing session.
	leaf1 := testScriptHashLock(ht.T, []byte("foobar"))
	rootHash := leaf1.TapHash()
	taprootTweak := &signrpc.TaprootTweakDesc{
		ScriptRoot: rootHash[:],
	}

	keyDesc1, keyDesc2, keyDesc3, allPubKeys := deriveSigningKeys(
		ht, alice, version,
	)
	_, taprootKey, sessResp1, sessResp2, sessResp3 := createMuSigSessions(
		ht, alice, taprootTweak, keyDesc1, keyDesc2, keyDesc3,
		allPubKeys, version,
	)

	// Send some coins to the generated tapscript address.
	p2trOutpoint, p2trPkScript := sendToTaprootOutput(ht, alice, taprootKey)

	// Spend the output again, this time back to a p2wkh address.
	p2wkhAddr, p2wkhPkScript := newAddrWithScript(
		ht, alice, lnrpc.AddressType_WITNESS_PUBKEY_HASH,
	)

	// Create fee estimation for a p2tr input and p2wkh output.
	feeRate := chainfee.SatPerKWeight(12500)
	estimator := input.TxWeightEstimator{}
	estimator.AddTaprootKeySpendInput(txscript.SigHashDefault)
	estimator.AddP2WKHOutput()
	estimatedWeight := int64(estimator.Weight())
	requiredFee := feeRate.FeeForWeight(estimatedWeight)

	tx := wire.NewMsgTx(2)
	tx.TxIn = []*wire.TxIn{{
		PreviousOutPoint: p2trOutpoint,
	}}
	value := int64(testAmount - requiredFee)
	tx.TxOut = []*wire.TxOut{{
		PkScript: p2wkhPkScript,
		Value:    value,
	}}

	var buf bytes.Buffer
	require.NoError(ht, tx.Serialize(&buf))

	utxoInfo := []*signrpc.TxOut{{
		PkScript: p2trPkScript,
		Value:    testAmount,
	}}

	// We now need to create the raw sighash of the transaction, as that
	// will be the message we're signing collaboratively.
	prevOutputFetcher := txscript.NewCannedPrevOutputFetcher(
		utxoInfo[0].PkScript, utxoInfo[0].Value,
	)
	sighashes := txscript.NewTxSigHashes(tx, prevOutputFetcher)

	sigHash, err := txscript.CalcTaprootSignatureHash(
		sighashes, txscript.SigHashDefault, tx, 0, prevOutputFetcher,
	)
	require.NoError(ht, err)

	// Now that we have the transaction prepared, we need to start with the
	// signing. We simulate all three parties here, so we need to do
	// everything three times. But because we're going to use session 1 to
	// combine everything, we don't need its response, as it will store its
	// own signature.
	req := &signrpc.MuSig2SignRequest{
		SessionId:     sessResp1.SessionId,
		MessageDigest: sigHash,
	}
	alice.RPC.MuSig2Sign(req)

	req = &signrpc.MuSig2SignRequest{
		SessionId:     sessResp2.SessionId,
		MessageDigest: sigHash,
		Cleanup:       true,
	}
	signResp2 := alice.RPC.MuSig2Sign(req)

	req = &signrpc.MuSig2SignRequest{
		SessionId:     sessResp3.SessionId,
		MessageDigest: sigHash,
		Cleanup:       true,
	}
	signResp3 := alice.RPC.MuSig2Sign(req)

	// Luckily only one of the signers needs to combine the signature, so
	// let's do that now.
	combineReq := &signrpc.MuSig2CombineSigRequest{
		SessionId: sessResp1.SessionId,
		OtherPartialSignatures: [][]byte{
			signResp2.LocalPartialSignature,
			signResp3.LocalPartialSignature,
		},
	}
	combineResp := alice.RPC.MuSig2CombineSig(combineReq)
	require.Equal(ht, true, combineResp.HaveAllSignatures)
	require.NotEmpty(ht, combineResp.FinalSignature)

	sig, err := schnorr.ParseSignature(combineResp.FinalSignature)
	require.NoError(ht, err)
	require.True(ht, sig.Verify(sigHash, taprootKey))

	tx.TxIn[0].Witness = wire.TxWitness{
		combineResp.FinalSignature,
	}

	// Serialize, weigh and publish the TX now, then make sure the
	// coins are sent and confirmed to the final sweep destination address.
	publishTxAndConfirmSweep(
		ht, alice, tx, estimatedWeight,
		&chainrpc.SpendRequest{
			Outpoint: &chainrpc.Outpoint{
				Hash:  p2trOutpoint.Hash[:],
				Index: p2trOutpoint.Index,
			},
			Script: p2trPkScript,
		},
		p2wkhAddr.String(),
	)
}

// testTaprootMuSig2ScriptSpend tests that a tapscript address with an internal
// key that is a MuSig2 combined key can also be spent using the script path.
func testTaprootMuSig2ScriptSpend(ht *lntest.HarnessTest,
	alice *node.HarnessNode, version signrpc.MuSig2Version) {

	// We're going to commit to a script and spend the output using the
	// script. This is a hash lock with a simple preimage of "foobar". We
	// need to know this upfront so, we can specify the taproot tweak with
	// the root hash when creating the Musig2 signing session.
	leaf1 := testScriptHashLock(ht.T, []byte("foobar"))
	rootHash := leaf1.TapHash()
	taprootTweak := &signrpc.TaprootTweakDesc{
		ScriptRoot: rootHash[:],
	}

	keyDesc1, keyDesc2, keyDesc3, allPubKeys := deriveSigningKeys(
		ht, alice, version,
	)
	internalKey, taprootKey, _, _, _ := createMuSigSessions(
		ht, alice, taprootTweak, keyDesc1, keyDesc2, keyDesc3,
		allPubKeys, version,
	)

	// Because we know the internal key and the script we want to spend, we
	// can now create the tapscript struct that's used for assembling the
	// control block and fee estimation.
	tapscript := input.TapscriptFullTree(internalKey, leaf1)

	// Send some coins to the generated tapscript address.
	p2trOutpoint, p2trPkScript := sendToTaprootOutput(ht, alice, taprootKey)

	// Spend the output again, this time back to a p2wkh address.
	p2wkhAddr, p2wkhPkScript := newAddrWithScript(
		ht, alice, lnrpc.AddressType_WITNESS_PUBKEY_HASH,
	)

	// Create fee estimation for a p2tr input and p2wkh output.
	feeRate := chainfee.SatPerKWeight(12500)
	estimator := input.TxWeightEstimator{}
	estimator.AddTapscriptInput(
		len([]byte("foobar"))+len(leaf1.Script)+1, tapscript,
	)
	estimator.AddP2WKHOutput()
	estimatedWeight := int64(estimator.Weight())
	requiredFee := feeRate.FeeForWeight(estimatedWeight)

	tx := wire.NewMsgTx(2)
	tx.TxIn = []*wire.TxIn{{
		PreviousOutPoint: p2trOutpoint,
	}}
	value := int64(testAmount - requiredFee)
	tx.TxOut = []*wire.TxOut{{
		PkScript: p2wkhPkScript,
		Value:    value,
	}}

	// We can now assemble the witness stack.
	controlBlockBytes, err := tapscript.ControlBlock.ToBytes()
	require.NoError(ht, err)

	tx.TxIn[0].Witness = wire.TxWitness{
		[]byte("foobar"),
		leaf1.Script,
		controlBlockBytes,
	}

	// Serialize, weigh and publish the TX now, then make sure the
	// coins are sent and confirmed to the final sweep destination address.
	publishTxAndConfirmSweep(
		ht, alice, tx, estimatedWeight,
		&chainrpc.SpendRequest{
			Outpoint: &chainrpc.Outpoint{
				Hash:  p2trOutpoint.Hash[:],
				Index: p2trOutpoint.Index,
			},
			Script: p2trPkScript,
		},
		p2wkhAddr.String(),
	)
}

// testTaprootMuSig2CombinedLeafKeySpend tests that a MuSig2 combined key can be
// used for an OP_CHECKSIG inside a tap script leaf spend.
func testTaprootMuSig2CombinedLeafKeySpend(ht *lntest.HarnessTest,
	alice *node.HarnessNode, version signrpc.MuSig2Version) {

	// We're using the combined MuSig2 key in a script leaf. So we need to
	// derive the combined key first, before we can build the script.
	keyDesc1, keyDesc2, keyDesc3, allPubKeys := deriveSigningKeys(
		ht, alice, version,
	)
	req := &signrpc.MuSig2CombineKeysRequest{
		AllSignerPubkeys: allPubKeys,
		Version:          version,
	}
	combineResp := alice.RPC.MuSig2CombineKeys(req)
	combinedPubKey, err := schnorr.ParsePubKey(combineResp.CombinedKey)
	require.NoError(ht, err)

	// We're going to commit to a script and spend the output using the
	// script. This is just an OP_CHECKSIG with the combined MuSig2 public
	// key.
	leaf := testScriptSchnorrSig(ht.T, combinedPubKey)
	tapscript := input.TapscriptPartialReveal(dummyInternalKey, leaf, nil)
	taprootKey, err := tapscript.TaprootKey()
	require.NoError(ht, err)

	// Send some coins to the generated tapscript address.
	p2trOutpoint, p2trPkScript := sendToTaprootOutput(ht, alice, taprootKey)

	// Spend the output again, this time back to a p2wkh address.
	p2wkhAddr, p2wkhPkScript := newAddrWithScript(
		ht, alice, lnrpc.AddressType_WITNESS_PUBKEY_HASH,
	)

	// Create fee estimation for a p2tr input and p2wkh output.
	feeRate := chainfee.SatPerKWeight(12500)
	estimator := input.TxWeightEstimator{}
	estimator.AddTapscriptInput(
		input.TaprootSignatureWitnessSize, tapscript,
	)
	estimator.AddP2WKHOutput()
	estimatedWeight := int64(estimator.Weight())
	requiredFee := feeRate.FeeForWeight(estimatedWeight)

	tx := wire.NewMsgTx(2)
	tx.TxIn = []*wire.TxIn{{
		PreviousOutPoint: p2trOutpoint,
	}}
	value := int64(testAmount - requiredFee)
	tx.TxOut = []*wire.TxOut{{
		PkScript: p2wkhPkScript,
		Value:    value,
	}}

	var buf bytes.Buffer
	require.NoError(ht, tx.Serialize(&buf))

	utxoInfo := []*signrpc.TxOut{{
		PkScript: p2trPkScript,
		Value:    testAmount,
	}}

	// Do the actual signing now.
	_, _, sessResp1, sessResp2, sessResp3 := createMuSigSessions(
		ht, alice, nil, keyDesc1, keyDesc2, keyDesc3, allPubKeys,
		version,
	)
	require.NoError(ht, err)

	// We now need to create the raw sighash of the transaction, as that
	// will be the message we're signing collaboratively.
	prevOutputFetcher := txscript.NewCannedPrevOutputFetcher(
		utxoInfo[0].PkScript, utxoInfo[0].Value,
	)
	sighashes := txscript.NewTxSigHashes(tx, prevOutputFetcher)

	sigHash, err := txscript.CalcTapscriptSignaturehash(
		sighashes, txscript.SigHashDefault, tx, 0, prevOutputFetcher,
		leaf,
	)
	require.NoError(ht, err)

	// Now that we have the transaction prepared, we need to start with the
	// signing. We simulate all three parties here, so we need to do
	// everything three times. But because we're going to use session 1 to
	// combine everything, we don't need its response, as it will store its
	// own signature.
	signReq := &signrpc.MuSig2SignRequest{
		SessionId:     sessResp1.SessionId,
		MessageDigest: sigHash,
	}
	alice.RPC.MuSig2Sign(signReq)

	signReq = &signrpc.MuSig2SignRequest{
		SessionId:     sessResp2.SessionId,
		MessageDigest: sigHash,
		Cleanup:       true,
	}
	signResp2 := alice.RPC.MuSig2Sign(signReq)

	// Before we have all partial signatures, we shouldn't get a final
	// signature back.
	combineReq := &signrpc.MuSig2CombineSigRequest{
		SessionId: sessResp1.SessionId,
		OtherPartialSignatures: [][]byte{
			signResp2.LocalPartialSignature,
		},
	}
	combineSigResp := alice.RPC.MuSig2CombineSig(combineReq)
	require.False(ht, combineSigResp.HaveAllSignatures)
	require.Empty(ht, combineSigResp.FinalSignature)

	signReq = &signrpc.MuSig2SignRequest{
		SessionId:     sessResp3.SessionId,
		MessageDigest: sigHash,
	}
	signResp3 := alice.RPC.MuSig2Sign(signReq)

	// We manually clean up session 3, just to make sure that works as well.
	cleanReq := &signrpc.MuSig2CleanupRequest{
		SessionId: sessResp3.SessionId,
	}
	alice.RPC.MuSig2Cleanup(cleanReq)

	// A second call to that cleaned up session should now fail with a
	// specific error.
	signReq = &signrpc.MuSig2SignRequest{
		SessionId:     sessResp3.SessionId,
		MessageDigest: sigHash,
	}
	err = alice.RPC.MuSig2SignErr(signReq)
	require.Contains(ht, err.Error(), "not found")

	// Luckily only one of the signers needs to combine the signature, so
	// let's do that now.
	combineReq = &signrpc.MuSig2CombineSigRequest{
		SessionId: sessResp1.SessionId,
		OtherPartialSignatures: [][]byte{
			signResp3.LocalPartialSignature,
		},
	}
	combineResp1 := alice.RPC.MuSig2CombineSig(combineReq)
	require.Equal(ht, true, combineResp1.HaveAllSignatures)
	require.NotEmpty(ht, combineResp1.FinalSignature)

	sig, err := schnorr.ParseSignature(combineResp1.FinalSignature)
	require.NoError(ht, err)
	require.True(ht, sig.Verify(sigHash, combinedPubKey))

	// We can now assemble the witness stack.
	controlBlockBytes, err := tapscript.ControlBlock.ToBytes()
	require.NoError(ht, err)

	tx.TxIn[0].Witness = wire.TxWitness{
		combineResp1.FinalSignature,
		leaf.Script,
		controlBlockBytes,
	}

	// Serialize, weigh and publish the TX now, then make sure the
	// coins are sent and confirmed to the final sweep destination address.
	publishTxAndConfirmSweep(
		ht, alice, tx, estimatedWeight,
		&chainrpc.SpendRequest{
			Outpoint: &chainrpc.Outpoint{
				Hash:  p2trOutpoint.Hash[:],
				Index: p2trOutpoint.Index,
			},
			Script: p2trPkScript,
		},
		p2wkhAddr.String(),
	)
}

// testTaprootImportTapscriptScriptSpend tests importing p2tr script addresses
// using the script path with the full tree known.
func testTaprootImportTapscriptFullTree(ht *lntest.HarnessTest,
	alice *node.HarnessNode) {

	// For the next step, we need a public key. Let's use a special family
	// for this.
	_, internalKey, derivationPath := deriveInternalKey(ht, alice)

	// Let's create a taproot script output now. This is a hash lock with a
	// simple preimage of "foobar".
	leaf1 := testScriptHashLock(ht.T, []byte("foobar"))

	// Let's add a second script output as well to test the partial reveal.
	leaf2 := testScriptSchnorrSig(ht.T, internalKey)

	tapscript := input.TapscriptFullTree(internalKey, leaf1, leaf2)
	tree := txscript.AssembleTaprootScriptTree(leaf1, leaf2)
	rootHash := tree.RootNode.TapHash()
	taprootKey, err := tapscript.TaprootKey()
	require.NoError(ht, err)

	// Import the scripts and make sure we get the same address back as we
	// calculated ourselves.
	req := &walletrpc.ImportTapscriptRequest{
		InternalPublicKey: schnorr.SerializePubKey(internalKey),
		Script: &walletrpc.ImportTapscriptRequest_FullTree{
			FullTree: &walletrpc.TapscriptFullTree{
				AllLeaves: []*walletrpc.TapLeaf{{
					LeafVersion: uint32(
						leaf1.LeafVersion,
					),
					Script: leaf1.Script,
				}, {
					LeafVersion: uint32(
						leaf2.LeafVersion,
					),
					Script: leaf2.Script,
				}},
			},
		},
	}
	importResp := alice.RPC.ImportTapscript(req)

	calculatedAddr, err := btcutil.NewAddressTaproot(
		schnorr.SerializePubKey(taprootKey), harnessNetParams,
	)
	require.NoError(ht, err)
	require.Equal(ht, calculatedAddr.String(), importResp.P2TrAddress)

	// Send some coins to the generated tapscript address.
	p2trOutpoint, p2trPkScript := sendToTaprootOutput(ht, alice, taprootKey)
	p2trOutputRPC := &lnrpc.OutPoint{
		TxidBytes:   p2trOutpoint.Hash[:],
		OutputIndex: p2trOutpoint.Index,
	}
	ht.AssertUTXOInWallet(alice, p2trOutputRPC, "imported")
	ht.AssertWalletAccountBalance(alice, "imported", testAmount, 0)

	// Funding a PSBT from an imported script is not yet possible. So we
	// basically need to add all information manually for the wallet to be
	// able to sign for it.
	utxo := &wire.TxOut{
		Value:    testAmount,
		PkScript: p2trPkScript,
	}
	clearWalletImportedTapscriptBalance(
		ht, alice, utxo, p2trOutpoint, internalKey, derivationPath,
		rootHash[:],
	)
}

// testTaprootImportTapscriptPartialReveal tests importing p2tr script addresses
// for which we only know part of the tree.
func testTaprootImportTapscriptPartialReveal(ht *lntest.HarnessTest,
	alice *node.HarnessNode) {

	// For the next step, we need a public key. Let's use a special family
	// for this.
	_, internalKey, derivationPath := deriveInternalKey(ht, alice)

	// Let's create a taproot script output now. This is a hash lock with a
	// simple preimage of "foobar".
	leaf1 := testScriptHashLock(ht.T, []byte("foobar"))

	// Let's add a second script output as well to test the partial reveal.
	leaf2 := testScriptSchnorrSig(ht.T, internalKey)
	leaf2Hash := leaf2.TapHash()

	tapscript := input.TapscriptPartialReveal(
		internalKey, leaf1, leaf2Hash[:],
	)
	rootHash := tapscript.ControlBlock.RootHash(leaf1.Script)
	taprootKey, err := tapscript.TaprootKey()
	require.NoError(ht, err)

	// Import the scripts and make sure we get the same address back as we
	// calculated ourselves.
	req := &walletrpc.ImportTapscriptRequest{
		InternalPublicKey: schnorr.SerializePubKey(internalKey),
		Script: &walletrpc.ImportTapscriptRequest_PartialReveal{
			PartialReveal: &walletrpc.TapscriptPartialReveal{
				RevealedLeaf: &walletrpc.TapLeaf{
					LeafVersion: uint32(leaf1.LeafVersion),
					Script:      leaf1.Script,
				},
				FullInclusionProof: leaf2Hash[:],
			},
		},
	}
	importResp := alice.RPC.ImportTapscript(req)

	calculatedAddr, err := btcutil.NewAddressTaproot(
		schnorr.SerializePubKey(taprootKey), harnessNetParams,
	)
	require.NoError(ht, err)
	require.Equal(ht, calculatedAddr.String(), importResp.P2TrAddress)

	// Send some coins to the generated tapscript address.
	p2trOutpoint, p2trPkScript := sendToTaprootOutput(ht, alice, taprootKey)

	p2trOutputRPC := &lnrpc.OutPoint{
		TxidBytes:   p2trOutpoint.Hash[:],
		OutputIndex: p2trOutpoint.Index,
	}
	ht.AssertUTXOInWallet(alice, p2trOutputRPC, "imported")
	ht.AssertWalletAccountBalance(alice, "imported", testAmount, 0)

	// Funding a PSBT from an imported script is not yet possible. So we
	// basically need to add all information manually for the wallet to be
	// able to sign for it.
	utxo := &wire.TxOut{
		Value:    testAmount,
		PkScript: p2trPkScript,
	}
	clearWalletImportedTapscriptBalance(
		ht, alice, utxo, p2trOutpoint, internalKey, derivationPath,
		rootHash,
	)
}

// testTaprootImportTapscriptRootHashOnly tests importing p2tr script addresses
// for which we only know the root hash.
func testTaprootImportTapscriptRootHashOnly(ht *lntest.HarnessTest,
	alice *node.HarnessNode) {

	// For the next step, we need a public key. Let's use a special family
	// for this.
	_, internalKey, derivationPath := deriveInternalKey(ht, alice)

	// Let's create a taproot script output now. This is a hash lock with a
	// simple preimage of "foobar".
	leaf1 := testScriptHashLock(ht.T, []byte("foobar"))
	rootHash := leaf1.TapHash()

	tapscript := input.TapscriptRootHashOnly(internalKey, rootHash[:])
	taprootKey, err := tapscript.TaprootKey()
	require.NoError(ht, err)

	// Import the scripts and make sure we get the same address back as we
	// calculated ourselves.
	req := &walletrpc.ImportTapscriptRequest{
		InternalPublicKey: schnorr.SerializePubKey(internalKey),
		Script: &walletrpc.ImportTapscriptRequest_RootHashOnly{
			RootHashOnly: rootHash[:],
		},
	}
	importResp := alice.RPC.ImportTapscript(req)

	calculatedAddr, err := btcutil.NewAddressTaproot(
		schnorr.SerializePubKey(taprootKey), harnessNetParams,
	)
	require.NoError(ht, err)
	require.Equal(ht, calculatedAddr.String(), importResp.P2TrAddress)

	// Send some coins to the generated tapscript address.
	p2trOutpoint, p2trPkScript := sendToTaprootOutput(ht, alice, taprootKey)

	p2trOutputRPC := &lnrpc.OutPoint{
		TxidBytes:   p2trOutpoint.Hash[:],
		OutputIndex: p2trOutpoint.Index,
	}
	ht.AssertUTXOInWallet(alice, p2trOutputRPC, "imported")
	ht.AssertWalletAccountBalance(alice, "imported", testAmount, 0)

	// Funding a PSBT from an imported script is not yet possible. So we
	// basically need to add all information manually for the wallet to be
	// able to sign for it.
	utxo := &wire.TxOut{
		Value:    testAmount,
		PkScript: p2trPkScript,
	}
	clearWalletImportedTapscriptBalance(
		ht, alice, utxo, p2trOutpoint, internalKey, derivationPath,
		rootHash[:],
	)
}

// testTaprootImportTapscriptFullKey tests importing p2tr script addresses for
// which we only know the full Taproot key.
func testTaprootImportTapscriptFullKey(ht *lntest.HarnessTest,
	alice *node.HarnessNode) {

	// For the next step, we need a public key. Let's use a special family
	// for this.
	_, internalKey, derivationPath := deriveInternalKey(ht, alice)

	// Let's create a taproot script output now. This is a hash lock with a
	// simple preimage of "foobar".
	leaf1 := testScriptHashLock(ht.T, []byte("foobar"))

	tapscript := input.TapscriptFullTree(internalKey, leaf1)
	rootHash := leaf1.TapHash()
	taprootKey, err := tapscript.TaprootKey()
	require.NoError(ht, err)

	// Import the scripts and make sure we get the same address back as we
	// calculated ourselves.
	req := &walletrpc.ImportTapscriptRequest{
		InternalPublicKey: schnorr.SerializePubKey(taprootKey),
		Script: &walletrpc.ImportTapscriptRequest_FullKeyOnly{
			FullKeyOnly: true,
		},
	}
	importResp := alice.RPC.ImportTapscript(req)

	calculatedAddr, err := btcutil.NewAddressTaproot(
		schnorr.SerializePubKey(taprootKey), harnessNetParams,
	)
	require.NoError(ht, err)
	require.Equal(ht, calculatedAddr.String(), importResp.P2TrAddress)

	// Send some coins to the generated tapscript address.
	p2trOutpoint, p2trPkScript := sendToTaprootOutput(ht, alice, taprootKey)

	p2trOutputRPC := &lnrpc.OutPoint{
		TxidBytes:   p2trOutpoint.Hash[:],
		OutputIndex: p2trOutpoint.Index,
	}
	ht.AssertUTXOInWallet(alice, p2trOutputRPC, "imported")
	ht.AssertWalletAccountBalance(alice, "imported", testAmount, 0)

	// Funding a PSBT from an imported script is not yet possible. So we
	// basically need to add all information manually for the wallet to be
	// able to sign for it.
	utxo := &wire.TxOut{
		Value:    testAmount,
		PkScript: p2trPkScript,
	}
	clearWalletImportedTapscriptBalance(
		ht, alice, utxo, p2trOutpoint, internalKey, derivationPath,
		rootHash[:],
	)
}

// clearWalletImportedTapscriptBalance manually assembles and then attempts to
// sign a TX to sweep funds from an imported tapscript address.
func clearWalletImportedTapscriptBalance(ht *lntest.HarnessTest,
	hn *node.HarnessNode, utxo *wire.TxOut, outPoint wire.OutPoint,
	internalKey *btcec.PublicKey, derivationPath []uint32,
	rootHash []byte) {

	_, sweepPkScript := newAddrWithScript(
		ht, hn, lnrpc.AddressType_WITNESS_PUBKEY_HASH,
	)

	output := &wire.TxOut{
		PkScript: sweepPkScript,
		Value:    utxo.Value - 1000,
	}
	packet, err := psbt.New(
		[]*wire.OutPoint{&outPoint}, []*wire.TxOut{output}, 2, 0,
		[]uint32{0},
	)
	require.NoError(ht, err)

	// We have everything we need to know to sign the PSBT.
	in := &packet.Inputs[0]
	in.Bip32Derivation = []*psbt.Bip32Derivation{{
		PubKey:    internalKey.SerializeCompressed(),
		Bip32Path: derivationPath,
	}}
	in.TaprootBip32Derivation = []*psbt.TaprootBip32Derivation{{
		XOnlyPubKey: schnorr.SerializePubKey(internalKey),
		Bip32Path:   derivationPath,
	}}
	in.SighashType = txscript.SigHashDefault
	in.TaprootMerkleRoot = rootHash
	in.WitnessUtxo = utxo

	var buf bytes.Buffer
	require.NoError(ht, packet.Serialize(&buf))

	// Sign the manually funded PSBT now.
	signResp := hn.RPC.SignPsbt(&walletrpc.SignPsbtRequest{
		FundedPsbt: buf.Bytes(),
	})

	signedPacket, err := psbt.NewFromRawBytes(
		bytes.NewReader(signResp.SignedPsbt), false,
	)
	require.NoError(ht, err)

	// We should be able to finalize the PSBT and extract the sweep TX now.
	err = psbt.MaybeFinalizeAll(signedPacket)
	require.NoError(ht, err)

	sweepTx, err := psbt.Extract(signedPacket)
	require.NoError(ht, err)

	buf.Reset()
	err = sweepTx.Serialize(&buf)
	require.NoError(ht, err)

	// Publish the sweep transaction and then mine it as well.
	hn.RPC.PublishTransaction(&walletrpc.Transaction{
		TxHex: buf.Bytes(),
	})

	// Mine one block which should contain the sweep transaction.
	block := ht.MineBlocksAndAssertNumTxes(1, 1)[0]
	sweepTxHash := sweepTx.TxHash()
	ht.Miner.AssertTxInBlock(block, &sweepTxHash)
}

// testScriptHashLock returns a simple bitcoin script that locks the funds to
// a hash lock of the given preimage.
func testScriptHashLock(t *testing.T, preimage []byte) txscript.TapLeaf {
	builder := txscript.NewScriptBuilder()
	builder.AddOp(txscript.OP_DUP)
	builder.AddOp(txscript.OP_HASH160)
	builder.AddData(btcutil.Hash160(preimage))
	builder.AddOp(txscript.OP_EQUALVERIFY)
	script1, err := builder.Script()
	require.NoError(t, err)
	return txscript.NewBaseTapLeaf(script1)
}

// testScriptSchnorrSig returns a simple bitcoin script that locks the funds to
// a Schnorr signature of the given public key.
func testScriptSchnorrSig(t *testing.T,
	pubKey *btcec.PublicKey) txscript.TapLeaf {

	builder := txscript.NewScriptBuilder()
	builder.AddData(schnorr.SerializePubKey(pubKey))
	builder.AddOp(txscript.OP_CHECKSIG)
	script2, err := builder.Script()
	require.NoError(t, err)
	return txscript.NewBaseTapLeaf(script2)
}

// newAddrWithScript returns a new address and its pkScript.
func newAddrWithScript(ht *lntest.HarnessTest, node *node.HarnessNode,
	addrType lnrpc.AddressType) (btcutil.Address, []byte) {

	p2wkhResp := node.RPC.NewAddress(&lnrpc.NewAddressRequest{
		Type: addrType,
	})
	p2wkhAddr, err := btcutil.DecodeAddress(
		p2wkhResp.Address, harnessNetParams,
	)
	require.NoError(ht, err)

	p2wkhPkScript, err := txscript.PayToAddrScript(p2wkhAddr)
	require.NoError(ht, err)

	return p2wkhAddr, p2wkhPkScript
}

// sendToTaprootOutput sends coins to a p2tr output of the given taproot key and
// mines a block to confirm the coins.
func sendToTaprootOutput(ht *lntest.HarnessTest, hn *node.HarnessNode,
	taprootKey *btcec.PublicKey) (wire.OutPoint, []byte) {

	tapScriptAddr, err := btcutil.NewAddressTaproot(
		schnorr.SerializePubKey(taprootKey), harnessNetParams,
	)
	require.NoError(ht, err)
	p2trPkScript, err := txscript.PayToAddrScript(tapScriptAddr)
	require.NoError(ht, err)

	// Send some coins to the generated tapscript address.
	req := &lnrpc.SendCoinsRequest{
		Addr:   tapScriptAddr.String(),
		Amount: testAmount,
	}
	hn.RPC.SendCoins(req)

	// Wait until the TX is found in the mempool.
	txid := ht.Miner.AssertNumTxsInMempool(1)[0]
	p2trOutputIndex := ht.GetOutputIndex(txid, tapScriptAddr.String())
	p2trOutpoint := wire.OutPoint{
		Hash:  *txid,
		Index: uint32(p2trOutputIndex),
	}

	// Make sure the transaction is recognized by our wallet and has the
	// correct output type.
	var outputDetail *lnrpc.OutputDetail
	walletTxns := hn.RPC.GetTransactions(&lnrpc.GetTransactionsRequest{
		StartHeight: 0,
		EndHeight:   -1,
	})
	require.NotEmpty(ht, walletTxns.Transactions)
	for _, tx := range walletTxns.Transactions {
		if tx.TxHash != txid.String() {
			continue
		}

		for outputIdx, out := range tx.OutputDetails {
			if out.Address != tapScriptAddr.String() {
				continue
			}

			outputDetail = tx.OutputDetails[outputIdx]
			break
		}
	}
	require.NotNil(ht, outputDetail, "transaction not found in wallet")
	require.Equal(
		ht, lnrpc.OutputScriptType_SCRIPT_TYPE_WITNESS_V1_TAPROOT,
		outputDetail.OutputType,
	)

	// Clear the mempool.
	ht.MineBlocksAndAssertNumTxes(1, 1)

	return p2trOutpoint, p2trPkScript
}

// publishTxAndConfirmSweep is a helper function that publishes a transaction
// after checking its weight against an estimate. After asserting the given
// spend request, the given sweep address' balance is verified to be seen as
// funds belonging to the wallet.
func publishTxAndConfirmSweep(ht *lntest.HarnessTest, node *node.HarnessNode,
	tx *wire.MsgTx, estimatedWeight int64,
	spendRequest *chainrpc.SpendRequest, sweepAddr string) {

	ht.Helper()

	// Before we publish the tx that spends the p2tr transaction, we want to
	// register a spend listener that we expect to fire after mining the
	// block.
	_, currentHeight := ht.Miner.GetBestBlock()

	// For a Taproot output we cannot leave the outpoint empty. Let's make
	// sure the API returns the correct error here.
	req := &chainrpc.SpendRequest{
		Script:     spendRequest.Script,
		HeightHint: uint32(currentHeight),
	}
	spendClient := node.RPC.RegisterSpendNtfn(req)

	// The error is only thrown when trying to read a message.
	_, err := spendClient.Recv()
	require.Contains(
		ht, err.Error(),
		"cannot register witness v1 spend request without outpoint",
	)

	// Now try again, this time with the outpoint set.
	req = &chainrpc.SpendRequest{
		Outpoint:   spendRequest.Outpoint,
		Script:     spendRequest.Script,
		HeightHint: uint32(currentHeight),
	}
	spendClient = node.RPC.RegisterSpendNtfn(req)

	var buf bytes.Buffer
	require.NoError(ht, tx.Serialize(&buf))

	// Since Schnorr signatures are fixed size, we must be able to estimate
	// the size of this transaction exactly.
	txWeight := blockchain.GetTransactionWeight(btcutil.NewTx(tx))
	require.Equal(ht, estimatedWeight, txWeight)

	txReq := &walletrpc.Transaction{
		TxHex: buf.Bytes(),
	}
	node.RPC.PublishTransaction(txReq)

	// Make sure the coins sent to the address are confirmed correctly,
	// including the confirmation notification.
	confirmAddress(ht, node, sweepAddr)

	// We now expect our spend event to go through.
	spendMsg, err := spendClient.Recv()
	require.NoError(ht, err)
	spend := spendMsg.GetSpend()
	require.NotNil(ht, spend)
	require.Equal(ht, spend.SpendingHeight, uint32(currentHeight+1))
}

// confirmAddress makes sure that a transaction in the mempool spends funds to
// the given address. It also checks that a confirmation notification for the
// address is triggered when the transaction is mined.
func confirmAddress(ht *lntest.HarnessTest, hn *node.HarnessNode,
	addrString string) {

	// Wait until the tx that sends to the address is found.
	txid := ht.Miner.AssertNumTxsInMempool(1)[0]

	// Wait until bob has seen the tx and considers it as owned.
	addrOutputIndex := ht.GetOutputIndex(txid, addrString)
	op := &lnrpc.OutPoint{
		TxidBytes:   txid[:],
		OutputIndex: uint32(addrOutputIndex),
	}
	ht.AssertUTXOInWallet(hn, op, "")

	// Before we confirm the transaction, let's register a confirmation
	// listener for it, which we expect to fire after mining a block.
	parsedAddr, err := btcutil.DecodeAddress(addrString, harnessNetParams)
	require.NoError(ht, err)
	addrPkScript, err := txscript.PayToAddrScript(parsedAddr)
	require.NoError(ht, err)

	_, currentHeight := ht.Miner.GetBestBlock()
	req := &chainrpc.ConfRequest{
		Script:       addrPkScript,
		Txid:         txid[:],
		HeightHint:   uint32(currentHeight),
		NumConfs:     1,
		IncludeBlock: true,
	}
	confClient := hn.RPC.RegisterConfirmationsNtfn(req)

	// Mine another block to clean up the mempool.
	ht.MineBlocksAndAssertNumTxes(1, 1)

	// We now expect our confirmation to go through, and also that the
	// block was specified.
	confMsg, err := confClient.Recv()
	require.NoError(ht, err)
	conf := confMsg.GetConf()
	require.NotNil(ht, conf)
	require.Equal(ht, conf.BlockHeight, uint32(currentHeight+1))
	require.NotNil(ht, conf.RawBlock)

	// We should also be able to decode the raw block.
	var blk wire.MsgBlock
	require.NoError(ht, blk.Deserialize(bytes.NewReader(conf.RawBlock)))
}

// deriveSigningKeys derives three signing keys and returns their descriptors,
// as well as the public keys in the Schnorr serialized format.
func deriveSigningKeys(ht *lntest.HarnessTest, node *node.HarnessNode,
	version signrpc.MuSig2Version) (*signrpc.KeyDescriptor,
	*signrpc.KeyDescriptor, *signrpc.KeyDescriptor, [][]byte) {

	// For muSig2 we need multiple keys. We derive three of them from the
	// same wallet, just so we know we can also sign for them again.
	req := &walletrpc.KeyReq{KeyFamily: testTaprootKeyFamily}
	keyDesc1 := node.RPC.DeriveNextKey(req)
	pubKey1, err := btcec.ParsePubKey(keyDesc1.RawKeyBytes)
	require.NoError(ht, err)

	keyDesc2 := node.RPC.DeriveNextKey(req)
	pubKey2, err := btcec.ParsePubKey(keyDesc2.RawKeyBytes)
	require.NoError(ht, err)

	keyDesc3 := node.RPC.DeriveNextKey(req)
	pubKey3, err := btcec.ParsePubKey(keyDesc3.RawKeyBytes)
	require.NoError(ht, err)

	// Now that we have all three keys we can create three sessions, one
	// for each of the signers. This would of course normally not happen on
	// the same node.
	var allPubKeys [][]byte
	switch version {
	case signrpc.MuSig2Version_MUSIG2_VERSION_V040:
		allPubKeys = [][]byte{
			schnorr.SerializePubKey(pubKey1),
			schnorr.SerializePubKey(pubKey2),
			schnorr.SerializePubKey(pubKey3),
		}

	case signrpc.MuSig2Version_MUSIG2_VERSION_V100RC2:
		allPubKeys = [][]byte{
			pubKey1.SerializeCompressed(),
			pubKey2.SerializeCompressed(),
			pubKey3.SerializeCompressed(),
		}
	}

	return keyDesc1, keyDesc2, keyDesc3, allPubKeys
}

// createMuSigSessions creates a MuSig2 session with three keys that are
// combined into a single key. The same node is used for the three signing
// participants but a separate key is generated for each session. So the result
// should be the same as if it were three different nodes.
func createMuSigSessions(ht *lntest.HarnessTest, node *node.HarnessNode,
	taprootTweak *signrpc.TaprootTweakDesc,
	keyDesc1, keyDesc2, keyDesc3 *signrpc.KeyDescriptor,
	allPubKeys [][]byte, version signrpc.MuSig2Version) (*btcec.PublicKey,
	*btcec.PublicKey, *signrpc.MuSig2SessionResponse,
	*signrpc.MuSig2SessionResponse, *signrpc.MuSig2SessionResponse) {

	// Make sure that when not specifying a version we get an error, since
	// it is mandatory.
	err := node.RPC.MuSig2CreateSessionErr(&signrpc.MuSig2SessionRequest{})
	require.ErrorContains(ht, err, "unknown MuSig2 version")

	// Create the actual session with the version specified.
	sessResp1 := node.RPC.MuSig2CreateSession(&signrpc.MuSig2SessionRequest{
		KeyLoc:           keyDesc1.KeyLoc,
		AllSignerPubkeys: allPubKeys,
		TaprootTweak:     taprootTweak,
		Version:          version,
	})
	require.Equal(ht, version, sessResp1.Version)

	// Make sure the version is returned correctly.
	require.Equal(ht, version, sessResp1.Version)

	// Now that we have the three keys in a combined form, we want to make
	// sure the tweaking for the taproot key worked correctly. We first need
	// to parse the combined key without any tweaks applied to it. That will
	// be our internal key. Once we know that, we can tweak it with the
	// tapHash of the script root hash. We should arrive at the same result
	// as the API.
	combinedKey, err := schnorr.ParsePubKey(sessResp1.CombinedKey)
	require.NoError(ht, err)

	// When combining the key without creating a session, we expect the same
	// combined key to be created.
	expectedCombinedKey := combinedKey

	// Without a tweak, the internal key is equal to the combined key.
	internalKey := combinedKey

	// If there is a tweak, then there is the internal, pre-tweaked combined
	// key and the taproot key which is fully tweaked.
	if taprootTweak != nil {
		internalKey, err = schnorr.ParsePubKey(
			sessResp1.TaprootInternalKey,
		)
		require.NoError(ht, err)

		// We now know the taproot key. The session with the tweak
		// applied should produce the same key!
		expectedCombinedKey = txscript.ComputeTaprootOutputKey(
			internalKey, taprootTweak.ScriptRoot,
		)
		require.Equal(
			ht, schnorr.SerializePubKey(expectedCombinedKey),
			schnorr.SerializePubKey(combinedKey),
		)
	}

	// Same with the combine keys RPC, no version specified should give us
	// an error.
	err = node.RPC.MuSig2CombineKeysErr(&signrpc.MuSig2CombineKeysRequest{})
	require.ErrorContains(ht, err, "unknown MuSig2 version")

	// We should also get the same keys when just calling the
	// MuSig2CombineKeys RPC.
	combineReq := &signrpc.MuSig2CombineKeysRequest{
		AllSignerPubkeys: allPubKeys,
		TaprootTweak:     taprootTweak,
		Version:          version,
	}
	combineResp := node.RPC.MuSig2CombineKeys(combineReq)
	require.Equal(
		ht, schnorr.SerializePubKey(expectedCombinedKey),
		combineResp.CombinedKey,
	)
	require.Equal(
		ht, schnorr.SerializePubKey(internalKey),
		combineResp.TaprootInternalKey,
	)
	require.Equal(ht, version, combineResp.Version)

	// Everything is good so far, let's continue with creating the signing
	// session for the other two participants.
	req := &signrpc.MuSig2SessionRequest{
		KeyLoc:           keyDesc2.KeyLoc,
		AllSignerPubkeys: allPubKeys,
		OtherSignerPublicNonces: [][]byte{
			sessResp1.LocalPublicNonces,
		},
		TaprootTweak: taprootTweak,
		Version:      version,
	}
	sessResp2 := node.RPC.MuSig2CreateSession(req)
	require.Equal(ht, sessResp1.CombinedKey, sessResp2.CombinedKey)
	require.Equal(ht, version, sessResp2.Version)

	req = &signrpc.MuSig2SessionRequest{
		KeyLoc:           keyDesc3.KeyLoc,
		AllSignerPubkeys: allPubKeys,
		OtherSignerPublicNonces: [][]byte{
			sessResp1.LocalPublicNonces,
			sessResp2.LocalPublicNonces,
		},
		TaprootTweak: taprootTweak,
		Version:      version,
	}
	sessResp3 := node.RPC.MuSig2CreateSession(req)
	require.Equal(ht, sessResp2.CombinedKey, sessResp3.CombinedKey)
	require.Equal(ht, version, sessResp3.Version)
	require.Equal(ht, true, sessResp3.HaveAllNonces)

	// We need to distribute the rest of the nonces.
	nonceReq := &signrpc.MuSig2RegisterNoncesRequest{
		SessionId: sessResp1.SessionId,
		OtherSignerPublicNonces: [][]byte{
			sessResp2.LocalPublicNonces,
			sessResp3.LocalPublicNonces,
		},
	}
	nonceResp1 := node.RPC.MuSig2RegisterNonces(nonceReq)
	require.True(ht, nonceResp1.HaveAllNonces)

	nonceReq = &signrpc.MuSig2RegisterNoncesRequest{
		SessionId: sessResp2.SessionId,
		OtherSignerPublicNonces: [][]byte{
			sessResp3.LocalPublicNonces,
		},
	}
	nonceResp2 := node.RPC.MuSig2RegisterNonces(nonceReq)
	require.True(ht, nonceResp2.HaveAllNonces)

	return internalKey, combinedKey, sessResp1, sessResp2, sessResp3
}

// testTaprootCoopClose asserts that if both peers signal ShutdownAnySegwit,
// then a taproot closing addr is used. Otherwise, we shouldn't expect one to
// be used.
func testTaprootCoopClose(ht *lntest.HarnessTest) {
	// We'll start by making two new nodes, and funding a channel between
	// them.
	carol := ht.NewNode("Carol", nil)
	ht.FundCoins(btcutil.SatoshiPerBitcoin, carol)

	dave := ht.NewNode("Dave", nil)
	ht.EnsureConnected(carol, dave)

	chanAmt := funding.MaxBtcFundingAmount
	pushAmt := btcutil.Amount(100000)
	satPerVbyte := btcutil.Amount(1)

	// We'll now open a channel between Carol and Dave.
	chanPoint := ht.OpenChannel(
		carol, dave, lntest.OpenChannelParams{
			Amt:         chanAmt,
			PushAmt:     pushAmt,
			SatPerVByte: satPerVbyte,
		},
	)

	// We'll now close out the channel and obtain the closing TXID.
	closingTxid := ht.CloseChannel(carol, chanPoint)

	// assertTaprootDeliveryUsed returns true if a Taproot addr was used in
	// the co-op close transaction.
	assertTaprootDeliveryUsed := func(closingTxid *chainhash.Hash) bool {
		tx := ht.Miner.GetRawTransaction(closingTxid)
		for _, txOut := range tx.MsgTx().TxOut {
			if !txscript.IsPayToTaproot(txOut.PkScript) {
				return false
			}
		}

		return true
	}

	// We expect that the closing transaction only has P2TR addresses.
	require.True(ht, assertTaprootDeliveryUsed(closingTxid),
		"taproot addr not used!")

	// Now we'll bring Eve into the mix, Eve is running older software that
	// doesn't understand Taproot.
	eveArgs := []string{"--protocol.no-any-segwit"}
	eve := ht.NewNode("Eve", eveArgs)
	ht.EnsureConnected(carol, eve)

	// We'll now open up a chanel again between Carol and Eve.
	chanPoint = ht.OpenChannel(
		carol, eve, lntest.OpenChannelParams{
			Amt:         chanAmt,
			PushAmt:     pushAmt,
			SatPerVByte: satPerVbyte,
		},
	)

	// We'll now close out this channel and expect that no Taproot
	// addresses are used in the co-op close transaction.
	closingTxid = ht.CloseChannel(carol, chanPoint)
	require.False(ht, assertTaprootDeliveryUsed(closingTxid),
		"taproot addr shouldn't be used!")
}

// testMuSig2CombineKey makes sure that combining a key with MuSig2 returns the
// correct result according to the MuSig2 version specified.
func testMuSig2CombineKey(ht *lntest.HarnessTest, alice *node.HarnessNode,
	version signrpc.MuSig2Version) {

	testVector040Key1 := hexDecode(
		"F9308A019258C31049344F85F89D5229B531C845836F99B08601F113BCE0" +
			"36F9",
	)
	testVector040Key2 := hexDecode(
		"DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502B" +
			"A659",
	)
	testVector040Key3 := hexDecode(
		"3590A94E768F8E1815C2F24B4D80A8E3149316C3518CE7B7AD338368D038" +
			"CA66",
	)

	testVector100Key1 := hexDecode(
		"02F9308A019258C31049344F85F89D5229B531C845836F99B08601F113BC" +
			"E036F9",
	)
	testVector100Key2 := hexDecode(
		"03DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B50" +
			"2BA659",
	)
	testVector100Key3 := hexDecode(
		"023590A94E768F8E1815C2F24B4D80A8E3149316C3518CE7B7AD338368D0" +
			"38CA66",
	)

	var allPubKeys [][]byte
	switch version {
	case signrpc.MuSig2Version_MUSIG2_VERSION_V040:
		allPubKeys = [][]byte{
			testVector040Key1, testVector040Key2, testVector040Key3,
		}

	case signrpc.MuSig2Version_MUSIG2_VERSION_V100RC2:
		allPubKeys = [][]byte{
			testVector100Key1, testVector100Key2, testVector100Key3,
		}
	}

	resp := alice.RPC.MuSig2CombineKeys(&signrpc.MuSig2CombineKeysRequest{
		AllSignerPubkeys: allPubKeys,
		TaprootTweak: &signrpc.TaprootTweakDesc{
			KeySpendOnly: true,
		},
		Version: version,
	})

	expectedFinalKey040 := hexDecode(
		"5b257b4e785d61157ef5303051f45184bd5cb47bc4b4069ed4dd453645" +
			"9cb83b",
	)
	expectedPreTweakKey040 := hexDecode(
		"d70cd69a2647f7390973df48cbfa2ccc407b8b2d60b08c5f1641185c79" +
			"98a290",
	)

	expectedFinalKey100 := hexDecode(
		"79e6c3e628c9bfbce91de6b7fb28e2aec7713d377cf260ab599dcbc40e54" +
			"2312",
	)
	expectedPreTweakKey100 := hexDecode(
		"789d937bade6673538f3e28d8368dda4d0512f94da44cf477a505716d26a" +
			"1575",
	)

	switch version {
	case signrpc.MuSig2Version_MUSIG2_VERSION_V040:
		require.Equal(ht, expectedFinalKey040, resp.CombinedKey)
		require.Equal(
			ht, expectedPreTweakKey040, resp.TaprootInternalKey,
		)

	case signrpc.MuSig2Version_MUSIG2_VERSION_V100RC2:
		require.Equal(ht, expectedFinalKey100, resp.CombinedKey)
		require.Equal(
			ht, expectedPreTweakKey100, resp.TaprootInternalKey,
		)
	}
}