diff --git a/doc/bitcoin.bib b/doc/bitcoin.bib index 57bb67b02..b2b196bc0 100644 --- a/doc/bitcoin.bib +++ b/doc/bitcoin.bib @@ -62,3 +62,8 @@ urldate = {2015-07-14}, file = {Alt chains and atomic transfers:/home/rusty/.mozilla/firefox/vfn6if9k.default/zotero/storage/PEHK469N/index.html:text/html} } +@misc{go1111111_single_anchor, + title = {Idea to improve Lightning Network}, + urldate = {2015-07-24}, + note = {\url{https://bitcointalk.org/index.php?topic=1134319.msg11963141#msg11963141}} +} diff --git a/doc/deployable-lightning.lyx b/doc/deployable-lightning.lyx index 437fc654c..3124e0cea 100644 --- a/doc/deployable-lightning.lyx +++ b/doc/deployable-lightning.lyx @@ -88,7 +88,7 @@ \begin_body \begin_layout Title -Reaching The Ground With Lightning (draft 0.1) +Reaching The Ground With Lightning (draft 0.2) \end_layout \begin_layout Author @@ -110,7 +110,7 @@ key "Poon2015Lightning" \end_layout \begin_layout Abstract -Keywords: bitcoin, lightning, revocation hash, HTLC +Keywords: bitcoin, lightning, revocation hash, HTLC, BIP62, BIP65, BIP68 \end_layout \begin_layout Section @@ -777,22 +777,62 @@ The last of these is particularly pernicious, as BIP62 doesn't solve it: \end_layout \begin_layout Standard -For ease of understanding, we develop the protocol in stages. - Please note that the intermediary proposals are insecure! +Our approach is to only have one-sided anchors. + These can be later balanced by the lightning network itself, or an atomic-swap + an on-chain bitcoin transaction +\begin_inset CommandInset citation +LatexCommand cite +key "go1111111_single_anchor" + +\end_inset + +. + Any bitcoin transaction fees are initially funded by that anchor, but the + implementation splits fees where possible< and never allows either side + to spend funds in the channel if they would no longer be able to pay their + share. \end_layout -\begin_layout Subsubsection -Separate Anchor Transactions +\begin_layout Subsection +Hashed Timelock Contract (HTLC) Modification \end_layout \begin_layout Standard -To avoid the problem of needing all anchor signatures to derive the anchor - transaction ID to create the commitment transaction input, we split the - anchor into two transactions; thus A knows its anchor transaction ID, and - B knows its anchor transaction ID as shown in Figure +Using the same techniques used above, we can condense each HTLC into a single + output script on the commitment transaction. + This output is spendable under three conditions: +\end_layout + +\begin_layout Enumerate +Recipient knows the R value (funds go to recipient), or +\end_layout + +\begin_layout Enumerate +The HTLC has timed out (funds return to sender), or +\end_layout + +\begin_layout Enumerate +The Commit transaction has been revoked (funds to go other side). +\end_layout + +\begin_layout Standard +Unlike the original paper, we use revocation preimages instead of sharing + temporary private keys. + If we also use OP_CHECKLOCKTIMEVERIFY and OP_CHECKSEQUENCEVERIFY it is + fairly simple to express these conditions in a single output script. +\end_layout + +\begin_layout Standard +For each direction the HTLC could transfer funds, there are two scripts + required; one for A's commitment transaction and one for B's commitment + transaction. + It's also a requirement that the conditions which allow payment to oneself + be delayed, to give the other side an opportunity to take the funds in + case of revocation. + This is shown in figure \begin_inset CommandInset ref LatexCommand ref -reference "fig:Simplistic-Dual-Anchor" +reference "fig:HTLC-Using-Revocation" \end_inset @@ -800,7 +840,6 @@ reference "fig:Simplistic-Dual-Anchor" \end_layout \begin_layout Standard -\align center \begin_inset Float figure wide false sideways false @@ -809,19 +848,22 @@ status open \begin_layout Plain Layout \align center \begin_inset Graphics - filename dual-anchor-diag1.eps + filename htlc.eps scale 50 \end_inset +\end_layout + +\begin_layout Plain Layout \begin_inset Caption Standard \begin_layout Plain Layout -Simplistic Dual Anchor Design +HTLC Using Revocation Preimages, OP_CLV and OP_CSV \begin_inset CommandInset label LatexCommand label -name "fig:Simplistic-Dual-Anchor" +name "fig:HTLC-Using-Revocation" \end_inset @@ -839,509 +881,362 @@ name "fig:Simplistic-Dual-Anchor" \end_layout \begin_layout Standard -This form allows A and B to create commitment transactions which spends - the anchors outputs by exchanging anchor transaction IDs. - It has the problem that if the other party does not then broadcast its - anchor transaction, we cannot spend the commitment transaction, and our - own anchor funds are stuck. -\end_layout - -\begin_layout Standard -Thus we introduce an -\emph on -escape -\emph default - transaction, which lets us regain our anchor funds in that case, as shown - in Figure +The scripts for this can be found in \begin_inset CommandInset ref LatexCommand ref -reference "fig:Dual-Anchor2" +reference "sec:Appendix-A:-Scripts" \end_inset . \end_layout +\begin_layout Section +Conclusions +\end_layout + \begin_layout Standard -\begin_inset Float figure -wide false -sideways false -status open +Secret preimages can replace exposure of temporary private keys in the Lightning + Network constructs with no loss of generality, and a slight gain in simplicity. +\end_layout -\begin_layout Plain Layout -\align center -\begin_inset Graphics - filename dual-anchor-diag2.eps - scale 50 +\begin_layout Standard +The use of script conditionals to enforce timeouts instead of using separate + pre-signed transactions reduces an HTLC from a set of four dual-signed + transactions to a single (more complex) output script, and additionally + avoids any requirement for new CHECKSIG flags for HTLCs. +\end_layout + +\begin_layout Standard +By using a dual anchor and escape transactions, channel establishment can + also avoid new CHECKSIG flags, though it loses the important ability to + outsource the enforcement of channel contract terms. +\end_layout + +\begin_layout Section* +Acknowlegments +\end_layout + +\begin_layout Standard +Thanks to mmeijeri on Reddit's r/Bitcoin for pointing out a flaw in escape + transactions reusing the same A and B keys as the commitment transaction + in +\begin_inset CommandInset ref +LatexCommand ref +reference "sec:Appendix-B:-Dual" \end_inset -\begin_inset Caption Standard +\begin_inset Foot +status collapsed \begin_layout Plain Layout -Dual Anchor With Simple Escape Transactions -\begin_inset CommandInset label -LatexCommand label -name "fig:Dual-Anchor2" +https://www.reddit.com/r/Bitcoin/comments/3dlxw4/reaching_the_ground_with_lightnin +g_lightning/ct80xpp +\end_layout \end_inset +. +\end_layout +\begin_layout Standard +Thanks to Joseph Poon for designing the escape/fast-escape dual-anchor method, + as well as finding a flaw in my original formulation of the dual anchor + construct and reviewing an earlier draft of this paper. + Also thanks to him and Thaddeus Dryja for the initial eye-opening Lightning + Network paper. \end_layout +\begin_layout Standard +\begin_inset CommandInset bibtex +LatexCommand bibtex +bibfiles "bitcoin" +options "plain" + \end_inset \end_layout +\begin_layout Section* +Appendix A: Transaction Scripts +\begin_inset CommandInset label +LatexCommand label +name "sec:Appendix-A:-Scripts" + \end_inset \end_layout \begin_layout Standard -However, this escape transaction would let either side remove its funds - from the channel at any time, which would make the channel insecure. - Thus, after the commitment transactions have been established, we want - to revoke the escape transactions. - We can do the same way we did for the commitment transaction revocation; - by placing restrictions on the +All outputs are expressed as pay-to-scripthash outputs, where the redeeming + input provides the redeemscript. + Where a redeem-hash value is optional, it is generally supplied: for example, + if we want to pay to A if a preimage is supplied and B if no preimage is + supplied, we expect the input scriptsig to provide two arguments in both + cases (generally a zero in the second case). + This saves an extra test (of form \begin_inset Quotes eld \end_inset -to-me +OP_DEPTH OP_EQUAL \begin_inset Quotes erd \end_inset - output. - In particular, adding a delay if paying back to the anchor owner, and allowing - it to be spent by the other party immediately if they possess the revocation - preimage, as shown in Figure -\begin_inset CommandInset ref -LatexCommand ref -reference "fig:Anchor-revoc-escape" - -\end_inset +), at cost of a single byte in the input script. +\end_layout -. +\begin_layout Subsection* +Anchor Transaction \end_layout \begin_layout Standard -\begin_inset Float figure -wide false -sideways false -status open +The anchor inputs are whatever the node chooses. +\end_layout -\begin_layout Plain Layout -\align center -\begin_inset Graphics - filename dual-anchor-diag3.eps - scale 50 +\begin_layout Subsubsection* +Anchor Output Redeemscript +\end_layout + +\begin_layout Standard +The anchor output is a pay to script hash, with a redeemscript as follows: +\end_layout +\begin_layout Description +OP_HASH +\begin_inset space ~ \end_inset + +\begin_inset space ~ +\end_inset +OP_EQUAL If the secret is supplied, \end_layout -\begin_layout Plain Layout -\begin_inset Caption Standard +\begin_layout Description +OP_IF +\end_layout -\begin_layout Plain Layout -Dual Anchors With Revocable Escape Transactions -\begin_inset CommandInset label -LatexCommand label -name "fig:Anchor-revoc-escape" +\begin_deeper +\begin_layout Description + Should be signed by B's escape key. +\end_layout -\end_inset +\end_deeper +\begin_layout Description +OP_ELSE +\end_layout +\begin_deeper +\begin_layout Description + Should be signed by B's commitment key. +\end_layout +\end_deeper +\begin_layout Description +OP_ENDIF \end_layout +\begin_layout Description +2 +\begin_inset space ~ \end_inset - +OP_SWAP Put 2 before B's key on the stack. \end_layout +\begin_layout Description + +\begin_inset space ~ \end_inset +2 +\begin_inset space ~ +\end_inset +OP_CHECKMULTISIG Make sure A and B have signed. \end_layout -\begin_layout Standard -Unfortunately, this revocation is not a complete solution; if B uses its - escape transaction, A can collect B's anchor funds, but it has no way of - collecting its own! The commitment transaction cannot be used, as one of - its inputs has been spent by B's escape transaction. - A's own escape transaction has been revoked, so B would simply steal the - funds. +\begin_layout Subsection* +Escape Transaction \end_layout \begin_layout Standard -Thus we need an additional construction, such that using one escape transaction - immediately unlocks the other anchor funds for its owner. - To do this, we ensure that the escape transaction is forced to reveal a - secret, which is a fairly well-established technique -\begin_inset CommandInset citation -LatexCommand cite -key "nolan_alt" - -\end_inset +The escape transaction for A spends A's anchor output and reveals A's secret. + Similarly for B. +\end_layout -. - The anchor transaction is modified to either require both signatures (for - the commitment transaction), or both signatures and the secret (for the - escape transaction), as shown in Figure -\begin_inset CommandInset ref -LatexCommand ref -reference "fig:Secret-Revelation-by" - -\end_inset - -. - Note that this requires the other party to provide an alternate key (denoted - here using A' and B'), otherwise there is no way to force the escape transactio -n to provide the secret. +\begin_layout Subsubsection* +Escape Input Script \end_layout \begin_layout Standard -\begin_inset Float figure -wide false -sideways false -status open - -\begin_layout Plain Layout -\align center -\begin_inset Graphics - filename dual-anchor-diag4.eps - scale 50 - -\end_inset - - +The extra 0 at the start is due to the OP_CHECKMULTISIG out-by-one-bug. \end_layout -\begin_layout Plain Layout -\begin_inset Caption Standard - -\begin_layout Plain Layout -Secret Revelation by Escape Transactions -\begin_inset CommandInset label -LatexCommand label -name "fig:Secret-Revelation-by" - +\begin_layout Description +0 +\begin_inset space ~ \end_inset - -\end_layout - + +\begin_inset space ~ \end_inset - -\end_layout - + +\begin_inset space ~ \end_inset - -\end_layout - -\begin_layout Standard -That revealed secret can be used with the other alternative: the -\emph on -fast escape transaction. - -\emph default - This reveals the secret just like the escape transaction, but its output - is immediately usable if one knows the other side's secret. - This is shown in Figure -\begin_inset CommandInset ref -LatexCommand ref -reference "fig:Final-Dual-Anchor" - + +\begin_inset space ~ \end_inset -. - Thus, if the B broadcasts its escape transaction after it has been revoked, - A can (after ensuring escape B is sufficiently deep in the block chain) - broadcast its fast escape transaction and use B's secret to immediately - spend the output. +{} \end_layout -\begin_layout Standard -On the other hand, if B broadcasts its fast escape transaction without knowing - A's secret, A can simply wait for the timeout and spend the fast escape - output, then use its own fast escape transaction and B's secret to recover - its own anchor funds as well. +\begin_layout Subsubsection* +Escape Output Redeemscript \end_layout \begin_layout Standard -\begin_inset Float figure -wide false -sideways false -status open - -\begin_layout Plain Layout -\align center -\begin_inset Graphics - filename dual-anchor-final.eps - scale 50 - -\end_inset - - +This allows two paths: one for the other side to use the revocation image, + and one for this side to get their funds back after a delay. + This show's A's script, but B's is the same with A and B exchanged. \end_layout -\begin_layout Plain Layout -\begin_inset Caption Standard - -\begin_layout Plain Layout -Final Dual Anchor Design -\begin_inset CommandInset label -LatexCommand label -name "fig:Final-Dual-Anchor" - +\begin_layout Description +OP_HASH160 +\begin_inset space ~ \end_inset - -\end_layout - + +\begin_inset space ~ \end_inset - +OP_EQUAL Check if the top of stack is the revocation image. \end_layout -\end_inset - - +\begin_layout Description +OP_IF \end_layout -\begin_layout Standard -The final scripts are shown in -\begin_inset CommandInset ref -LatexCommand nameref -reference "sec:Appendix-A:-Scripts" - -\end_inset - -. +\begin_deeper +\begin_layout Description + Funds for B. \end_layout -\begin_layout Subsubsection -Disadvantages of The Dual Anchor Approach +\end_deeper +\begin_layout Description +OP_ELSE It's A getting their funds back \end_layout -\begin_layout Standard -Unlike the mutual anchor approach, use of escape transactions is not outsourcabl -e: you cannot have an untrusted third party which can monitor the network - for the other sides' revoked escape transaction and respond with your own - escape transaction. - If you were to provide a third party with your fast escape transaction, - you would necessarily provide it with the secret, which it could give to - B. -\end_layout +\begin_deeper +\begin_layout Description + +\begin_inset space ~ +\end_inset -\begin_layout Subsection -Hashed Timelock Contract (HTLC) Modification -\end_layout +OP_CHECKSEQUENCEVERIFY +\begin_inset space ~ +\end_inset -\begin_layout Standard -Using the same techniques used above, we can condense each HTLC into a single - output script on the commitment transaction. - This output is spendable under three conditions: +OP_DROP Ensure delay. \end_layout -\begin_layout Enumerate -Recipient knows the R value (funds go to recipient), or +\begin_layout Description + Needs to be signed by A. \end_layout -\begin_layout Enumerate -The HTLC has timed out (funds return to sender), or +\end_deeper +\begin_layout Description +OP_ENDIF \end_layout -\begin_layout Enumerate -The Commit transaction has been revoked (funds to go other side). +\begin_layout Description +OP_CHECKSIG Make sure it's signed correctly. \end_layout -\begin_layout Standard -Unlike the original paper, we use revocation preimages instead of sharing - temporary private keys. - If we also use OP_CHECKLOCKTIMEVERIFY and OP_CHECKSEQUENCEVERIFY it is - fairly simple to express these conditions in a single output script. +\begin_layout Subsubsection* +Spending The Escape Output \end_layout \begin_layout Standard -For each direction the HTLC could transfer funds, there are two scripts - required; one for A's commitment transaction and one for B's commitment - transaction. - It's also a requirement that the conditions which allow payment to oneself - be delayed, to give the other side an opportunity to take the funds in - case of revocation. - This is shown in figure -\begin_inset CommandInset ref -LatexCommand ref -reference "fig:HTLC-Using-Revocation" - -\end_inset - -. +Either B using a revocation preimage: \end_layout -\begin_layout Standard -\begin_inset Float figure -wide false -sideways false -status open - -\begin_layout Plain Layout -\align center -\begin_inset Graphics - filename htlc.eps - scale 50 - +\begin_layout Description + +\begin_inset space ~ \end_inset - -\end_layout - -\begin_layout Plain Layout -\begin_inset Caption Standard - -\begin_layout Plain Layout -HTLC Using Revocation Preimages, OP_CLV and OP_CSV -\begin_inset CommandInset label -LatexCommand label -name "fig:HTLC-Using-Revocation" - + +\begin_inset space ~ \end_inset - +{} \end_layout -\end_inset - - +\begin_layout Standard +Or A using after a timeout: \end_layout +\begin_layout Description + +\begin_inset space ~ \end_inset - -\end_layout - -\begin_layout Standard -The scripts for this can be found in -\begin_inset CommandInset ref -LatexCommand ref -reference "sec:Appendix-A:-Scripts" - +0 +\begin_inset space ~ \end_inset -. -\end_layout - -\begin_layout Section -Conclusions -\end_layout - -\begin_layout Standard -Secret preimages can replace exposure of temporary private keys in the Lightning - Network constructs with no loss of generality, and a slight gain in simplicity. -\end_layout - -\begin_layout Standard -The use of script conditionals to enforce timeouts instead of using separate - pre-signed transactions reduces an HTLC from a set of four dual-signed - transactions to a single (more complex) output script, and additionally - avoids any requirement for new CHECKSIG flags for HTLCs. -\end_layout - -\begin_layout Standard -By using a dual anchor and escape transactions, channel establishment can - also avoid new CHECKSIG flags, though it loses the important ability to - outsource the enforcement of channel contract terms. -\end_layout - -\begin_layout Section* -Acknowlegments +{} \end_layout -\begin_layout Standard -Thanks to mmeijeri on Reddit's r/Bitcoin for pointing out a flaw in escape - transactions reusing the same A and B keys as the commitment transaction -\begin_inset Foot -status collapsed - -\begin_layout Plain Layout -https://www.reddit.com/r/Bitcoin/comments/3dlxw4/reaching_the_ground_with_lightnin -g_lightning/ct80xpp +\begin_layout Subsection* +Fast-Escape Transaction \end_layout -\end_inset - -. +\begin_layout Subsubsection* +Fast-Escape Input Script \end_layout \begin_layout Standard -Thanks to Joseph Poon for designing the escape/fast-escape dual-anchor method, - as well as finding a flaw in my original formulation of the dual anchor - construct and reviewing an earlier draft of this paper. - Also thanks to him and Thaddeus Dryja for the initial eye-opening Lightning - Network paper. +This is identical to the normal escape input script. \end_layout -\begin_layout Standard -\begin_inset CommandInset bibtex -LatexCommand bibtex -bibfiles "bitcoin" -options "plain" - +\begin_layout Description +0 +\begin_inset space ~ \end_inset - -\end_layout - -\begin_layout Section* -Appendix A: Transaction Scripts -\begin_inset CommandInset label -LatexCommand label -name "sec:Appendix-A:-Scripts" - + +\begin_inset space ~ \end_inset - -\end_layout - -\begin_layout Standard -All outputs are expressed as pay-to-scripthash outputs, where the redeeming - input provides the redeemscript. - Where a redeem-hash value is optional, it is generally supplied: for example, - if we want to pay to A if a preimage is supplied and B if no preimage is - supplied, we expect the input scriptsig to provide two arguments in both - cases (generally a zero in the second case). - This saves an extra test (of form -\begin_inset Quotes eld + +\begin_inset space ~ \end_inset -OP_DEPTH OP_EQUAL -\begin_inset Quotes erd + +\begin_inset space ~ \end_inset -), at cost of a single byte in the input script. -\end_layout - -\begin_layout Subsection* -Anchor Transaction -\end_layout - -\begin_layout Standard -The anchor inputs are whatever the node chooses. +{} \end_layout \begin_layout Subsubsection* -Anchor Output Redeemscript +Fast-Escape Output Redeemscript \end_layout \begin_layout Standard -The anchor output is a pay to script hash, with a redeemscript as follows: +This allows two paths: one for this side to use the other side's secret + (revealed by them using an escape transaction), and one for the other side + to claim this side's anchor funds after a delay. + This show's A's script, but B's is the same with A and B exchanged. \end_layout \begin_layout Description @@ -1349,11 +1244,11 @@ OP_HASH \begin_inset space ~ \end_inset - + \begin_inset space ~ \end_inset -OP_EQUAL If the secret is supplied, +OP_EQUAL If top argument is B's secret \end_layout \begin_layout Description @@ -1362,17 +1257,29 @@ OP_IF \begin_deeper \begin_layout Description - Should be signed by B's escape key. + For A \end_layout \end_deeper \begin_layout Description -OP_ELSE +OP_ELSE B gets it if A doesn't know the secret. \end_layout \begin_deeper \begin_layout Description - Should be signed by B's commitment key. + +\begin_inset space ~ +\end_inset + +OP_CHECKSEQUENCEVERIFY +\begin_inset space ~ +\end_inset + +OP_DROP Ensure delay. +\end_layout + +\begin_layout Description + Needs to be signed by B. \end_layout \end_deeper @@ -1381,40 +1288,69 @@ OP_ENDIF \end_layout \begin_layout Description -2 +OP_CHECKSIG Make sure it's signed correctly. +\end_layout + +\begin_layout Subsubsection* +Spending The Fast-Escape Output +\end_layout + +\begin_layout Standard +Either A using a B's secret revealed by B using its own escape transaction: +\end_layout + +\begin_layout Description + +\begin_inset space ~ +\end_inset + + \begin_inset space ~ \end_inset -OP_SWAP Put 2 before B's key on the stack. +{} +\end_layout + +\begin_layout Standard +Or B using after a timeout: \end_layout \begin_layout Description - + \begin_inset space ~ \end_inset -2 +0 \begin_inset space ~ \end_inset -OP_CHECKMULTISIG Make sure A and B have signed. +{} \end_layout \begin_layout Subsection* -Escape Transaction +Commitment Transactions For Generalized Channels +\begin_inset CommandInset label +LatexCommand label +name "sub:Commitment-Outputs-For" + +\end_inset + + \end_layout \begin_layout Standard -The escape transaction for A spends A's anchor output and reveals A's secret. - Similarly for B. +These examples are for A's Commitment Transaction; switch A and B to get + B's commitment transaction. \end_layout \begin_layout Subsubsection* -Escape Input Script +Commitment Input Script \end_layout \begin_layout Standard -The extra 0 at the start is due to the OP_CHECKMULTISIG out-by-one-bug. +The commitment transaction has two inputs; one which spends each anchor + output. + The zero after the signature indicates it is not revealing the secret: \end_layout \begin_layout Description @@ -1422,7 +1358,7 @@ The extra 0 at the start is due to the OP_CHECKMULTISIG out-by-one-bug. \begin_inset space ~ \end_inset - + \begin_inset space ~ \end_inset @@ -1430,7 +1366,7 @@ The extra 0 at the start is due to the OP_CHECKMULTISIG out-by-one-bug. \begin_inset space ~ \end_inset - +0 \begin_inset space ~ \end_inset @@ -1438,13 +1374,23 @@ The extra 0 at the start is due to the OP_CHECKMULTISIG out-by-one-bug. \end_layout \begin_layout Subsubsection* -Escape Output Redeemscript +Commitment Transaction Output Redeemscripts \end_layout \begin_layout Standard -This allows two paths: one for the other side to use the revocation image, - and one for this side to get their funds back after a delay. - This show's A's script, but B's is the same with A and B exchanged. +One output pays B's funds to B as normal (eg. + pay to scripthash +\begin_inset Quotes eld +\end_inset + + OP_CHECKSIG +\begin_inset Quotes erd +\end_inset + +). + The other output pays A's funds: either to B if they supply the revocation + preimage, or to A after a delay. + This is the redeemscript: \end_layout \begin_layout Description @@ -1452,11 +1398,11 @@ OP_HASH160 \begin_inset space ~ \end_inset - + \begin_inset space ~ \end_inset -OP_EQUAL Check if the top of stack is the revocation image. +OP_EQUAL Did they supply revocation preimage? \end_layout \begin_layout Description @@ -1465,17 +1411,17 @@ OP_IF \begin_deeper \begin_layout Description - Funds for B. + To B. \end_layout \end_deeper \begin_layout Description -OP_ELSE It's A getting their funds back +OP_ELSE \end_layout \begin_deeper \begin_layout Description - + \begin_inset space ~ \end_inset @@ -1483,11 +1429,11 @@ OP_CHECKSEQUENCEVERIFY \begin_inset space ~ \end_inset -OP_DROP Ensure delay. +OP_DROP Spending transaction must be after timeout \end_layout \begin_layout Description - Needs to be signed by A. + To A. \end_layout \end_deeper @@ -1496,11 +1442,11 @@ OP_ENDIF \end_layout \begin_layout Description -OP_CHECKSIG Make sure it's signed correctly. +OP_CHECKSIG Signature must be correct. \end_layout \begin_layout Subsubsection* -Spending The Escape Output +Spending Commitment Output \end_layout \begin_layout Standard @@ -1512,11 +1458,11 @@ Either B using a revocation preimage: \begin_inset space ~ \end_inset - + \begin_inset space ~ \end_inset -{} +{} \end_layout \begin_layout Standard @@ -1532,62 +1478,142 @@ Or A using after a timeout: \begin_inset space ~ \end_inset -{} +{} \end_layout \begin_layout Subsection* -Fast-Escape Transaction +Hash Locked Transaction Commitments \end_layout -\begin_layout Subsubsection* -Fast-Escape Input Script +\begin_layout Standard +There are two styles of commitment transaction outputs for HTLCs: a +\begin_inset Quotes eld +\end_inset + +sender +\begin_inset Quotes erd +\end_inset + + and +\begin_inset Quotes eld +\end_inset + +receiver +\begin_inset Quotes erd +\end_inset + + case. + The output is a pay-to-script-hash, so the redeemscripts are shown below. \end_layout \begin_layout Standard -This is identical to the normal escape input script. +These scripts show A as the sender, and B as the receiver: exchange A and + B for the reverse. +\end_layout + +\begin_layout Subsubsection* +HTLC Sender Redeemscript \end_layout \begin_layout Description -0 +OP_HASH160 \begin_inset space ~ \end_inset - +OP_DUP Replace top element with two copies of its hash +\end_layout + +\begin_layout Description + \begin_inset space ~ \end_inset - +OP_EQUAL Test if they supplied the HTLC R value +\end_layout + +\begin_layout Description +OP_SWAP \begin_inset space ~ \end_inset - + \begin_inset space ~ \end_inset -{} +OP_EQUAL +\begin_inset space ~ +\end_inset + +OP_ADD Or the commitment revocation hash \end_layout -\begin_layout Subsubsection* -Fast-Escape Output Redeemscript +\begin_layout Description +OP_IF If any hash matched. \end_layout -\begin_layout Standard -This allows two paths: one for this side to use the other side's secret - (revealed by them using an escape transaction), and one for the other side - to claim this side's anchor funds after a delay. - This show's A's script, but B's is the same with A and B exchanged. +\begin_deeper +\begin_layout Description + Pay to B. \end_layout +\end_deeper \begin_layout Description -OP_HASH +OP_ELSE Must be A, after HTLC has timed out. +\end_layout + +\begin_deeper +\begin_layout Description + \begin_inset space ~ \end_inset - +OP_CHECKLOCKTIMEVERIFY Ensure (absolute) time has passed. +\end_layout + +\begin_layout Description + \begin_inset space ~ \end_inset -OP_EQUAL If top argument is B's secret +OP_CHECKSEQUENCEVERIFY Delay gives B enough time to use revocation if it + has it. +\end_layout + +\begin_layout Description +OP_2DROP Drop the delay and htlc-timeout from the stack. +\end_layout + +\begin_layout Description + Pay to A. +\end_layout + +\end_deeper +\begin_layout Description +OP_ENDIF +\end_layout + +\begin_layout Description +OP_CHECKSIG Verify A or B's signature is correct. +\end_layout + +\begin_layout Subsubsection* +HTLC Receiver Redeemscript +\end_layout + +\begin_layout Description +OP_HASH160 +\begin_inset space ~ +\end_inset + +OP_DUP Replace top element with two copies of its hash +\end_layout + +\begin_layout Description + +\begin_inset space ~ +\end_inset + +OP_EQUAL B redeeming the contract, using R preimage? \end_layout \begin_layout Description @@ -1596,29 +1622,60 @@ OP_IF \begin_deeper \begin_layout Description - For A + +\begin_inset space ~ +\end_inset + +OP_CHECKSEQUENCEVERIFY Delay gives A enough time to use revocation if it + has it. +\end_layout + +\begin_layout Description +OP_2DROP Drop extra hash and delay from the stack +\end_layout + +\begin_layout Description + Pay to B \end_layout \end_deeper \begin_layout Description -OP_ELSE B gets it if A doesn't know the secret. +OP_ELSE \end_layout \begin_deeper \begin_layout Description - + \begin_inset space ~ \end_inset -OP_CHECKSEQUENCEVERIFY +OP_EQUAL If the commit has been revoked. +\end_layout + +\begin_layout Description +OP_NOTIF If not, you need to wait for timeout. +\end_layout + +\begin_deeper +\begin_layout Description + \begin_inset space ~ \end_inset -OP_DROP Ensure delay. +OP_CHECKLOCKTIMEVERIFY +\begin_inset space ~ +\end_inset + +OP_DROP Ensure (absolute) time has passed. \end_layout +\end_deeper \begin_layout Description - Needs to be signed by B. +OP_ENDIF +\end_layout + +\begin_layout Description + Pay to A \end_layout \end_deeper @@ -1626,16 +1683,41 @@ OP_DROP Ensure delay. OP_ENDIF \end_layout -\begin_layout Description -OP_CHECKSIG Make sure it's signed correctly. +\begin_layout Description +OP_CHECKSIG Verify A or B's signature is correct. +\end_layout + +\begin_layout Subsubsection* +Redeeming A HTLC Output +\end_layout + +\begin_layout Standard +To redeem an HTLC, the recipient one provides the preimage R, and their + signature. + In our example above, B can redeem the HTLC: +\end_layout + +\begin_layout Description + +\begin_inset space ~ +\end_inset + + +\begin_inset space ~ +\end_inset + +{} \end_layout \begin_layout Subsubsection* -Spending The Fast-Escape Output +Claiming a Timed-out HTLC \end_layout \begin_layout Standard -Either A using a B's secret revealed by B using its own escape transaction: +To claim a timed-out HTLC, the sender supplies a zero value (which is nice + and short, but fails to hash to any of the revocation hashes), and their + signature. + In our example above, A can claim the timed-out HTLC: \end_layout \begin_layout Description @@ -1643,34 +1725,41 @@ Either A using a B's secret revealed by B using its own escape transaction: \begin_inset space ~ \end_inset - +0 \begin_inset space ~ \end_inset -{} +{} +\end_layout + +\begin_layout Subsubsection* +Claiming A HTLC Output For A Revoked Commitment Transaction \end_layout \begin_layout Standard -Or B using after a timeout: +If either side publishes a commitment transaction which has been revoked, + we can use the revocation preimage they supplied to spend all the outputs. + This example shows A claiming the HTLC output if B broadcasts a revoked + commitment transaction: \end_layout \begin_layout Description - + \begin_inset space ~ \end_inset -0 + \begin_inset space ~ \end_inset -{} +{} \end_layout -\begin_layout Subsection* -Commitment Transactions For Generalized Channels +\begin_layout Section* +Appendix B: Dual Anchors With Escape Transactions \begin_inset CommandInset label LatexCommand label -name "sub:Commitment-Outputs-For" +name "sec:Appendix-B:-Dual" \end_inset @@ -1678,420 +1767,369 @@ name "sub:Commitment-Outputs-For" \end_layout \begin_layout Standard -These examples are for A's Commitment Transaction; switch A and B to get - B's commitment transaction. +This appendix presents a dual-input anchor solution which doesn't require + additional bitcoin signature flags. + It is not being proposed currently, as it seems that a single-sided anchor + is probably sufficient. \end_layout -\begin_layout Subsubsection* -Commitment Input Script +\begin_layout Subsection +Separate Anchor Transactions \end_layout \begin_layout Standard -The commitment transaction has two inputs; one which spends each anchor - output. - The zero after the signature indicates it is not revealing the secret: -\end_layout +To avoid the problem of needing all anchor signatures to derive the anchor + transaction ID to create the commitment transaction input, we split the + anchor into two transactions; thus A knows its anchor transaction ID, and + B knows its anchor transaction ID as shown in Figure +\begin_inset CommandInset ref +LatexCommand ref +reference "fig:Simplistic-Dual-Anchor" -\begin_layout Description -0 -\begin_inset space ~ \end_inset - -\begin_inset space ~ -\end_inset +. +\end_layout - -\begin_inset space ~ -\end_inset +\begin_layout Standard +\align center +\begin_inset Float figure +wide false +sideways false +status open + +\begin_layout Plain Layout +\align center +\begin_inset Graphics + filename dual-anchor-diag1.eps + scale 50 -0 -\begin_inset space ~ \end_inset -{} -\end_layout -\begin_layout Subsubsection* -Commitment Transaction Output Redeemscripts -\end_layout +\begin_inset Caption Standard -\begin_layout Standard -One output pays B's funds to B as normal (eg. - pay to scripthash -\begin_inset Quotes eld -\end_inset +\begin_layout Plain Layout +Simplistic Dual Anchor Design +\begin_inset CommandInset label +LatexCommand label +name "fig:Simplistic-Dual-Anchor" - OP_CHECKSIG -\begin_inset Quotes erd \end_inset -). - The other output pays A's funds: either to B if they supply the revocation - preimage, or to A after a delay. - This is the redeemscript: + \end_layout -\begin_layout Description -OP_HASH160 -\begin_inset space ~ \end_inset - -\begin_inset space ~ -\end_inset -OP_EQUAL Did they supply revocation preimage? \end_layout -\begin_layout Description -OP_IF -\end_layout +\end_inset + -\begin_deeper -\begin_layout Description - To B. \end_layout -\end_deeper -\begin_layout Description -OP_ELSE +\begin_layout Standard +This form allows A and B to create commitment transactions which spends + the anchors outputs by exchanging anchor transaction IDs. + It has the problem that if the other party does not then broadcast its + anchor transaction, we cannot spend the commitment transaction, and our + own anchor funds are stuck. \end_layout -\begin_deeper -\begin_layout Description - -\begin_inset space ~ -\end_inset +\begin_layout Standard +Thus we introduce an +\emph on +escape +\emph default + transaction, which lets us regain our anchor funds in that case, as shown + in Figure +\begin_inset CommandInset ref +LatexCommand ref +reference "fig:Dual-Anchor2" -OP_CHECKSEQUENCEVERIFY -\begin_inset space ~ \end_inset -OP_DROP Spending transaction must be after timeout +. \end_layout -\begin_layout Description - To A. -\end_layout +\begin_layout Standard +\begin_inset Float figure +wide false +sideways false +status open -\end_deeper -\begin_layout Description -OP_ENDIF -\end_layout +\begin_layout Plain Layout +\align center +\begin_inset Graphics + filename dual-anchor-diag2.eps + scale 50 -\begin_layout Description -OP_CHECKSIG Signature must be correct. -\end_layout +\end_inset -\begin_layout Subsubsection* -Spending Commitment Output -\end_layout -\begin_layout Standard -Either B using a revocation preimage: -\end_layout +\begin_inset Caption Standard -\begin_layout Description - -\begin_inset space ~ -\end_inset +\begin_layout Plain Layout +Dual Anchor With Simple Escape Transactions +\begin_inset CommandInset label +LatexCommand label +name "fig:Dual-Anchor2" - -\begin_inset space ~ \end_inset -{} -\end_layout -\begin_layout Standard -Or A using after a timeout: \end_layout -\begin_layout Description - -\begin_inset space ~ \end_inset -0 -\begin_inset space ~ -\end_inset -{} \end_layout -\begin_layout Subsection* -Hash Locked Transaction Commitments +\end_inset + + \end_layout \begin_layout Standard -There are two styles of commitment transaction outputs for HTLCs: a +However, this escape transaction would let either side remove its funds + from the channel at any time, which would make the channel insecure. + Thus, after the commitment transactions have been established, we want + to revoke the escape transactions. + We can do the same way we did for the commitment transaction revocation; + by placing restrictions on the \begin_inset Quotes eld \end_inset -sender +to-me \begin_inset Quotes erd \end_inset - and -\begin_inset Quotes eld -\end_inset + output. + In particular, adding a delay if paying back to the anchor owner, and allowing + it to be spent by the other party immediately if they possess the revocation + preimage, as shown in Figure +\begin_inset CommandInset ref +LatexCommand ref +reference "fig:Anchor-revoc-escape" -receiver -\begin_inset Quotes erd \end_inset - case. - The output is a pay-to-script-hash, so the redeemscripts are shown below. +. \end_layout \begin_layout Standard -These scripts show A as the sender, and B as the receiver: exchange A and - B for the reverse. -\end_layout +\begin_inset Float figure +wide false +sideways false +status open -\begin_layout Subsubsection* -HTLC Sender Redeemscript -\end_layout +\begin_layout Plain Layout +\align center +\begin_inset Graphics + filename dual-anchor-diag3.eps + scale 50 -\begin_layout Description -OP_HASH160 -\begin_inset space ~ \end_inset -OP_DUP Replace top element with two copies of its hash + \end_layout -\begin_layout Description - -\begin_inset space ~ +\begin_layout Plain Layout +\begin_inset Caption Standard + +\begin_layout Plain Layout +Dual Anchors With Revocable Escape Transactions +\begin_inset CommandInset label +LatexCommand label +name "fig:Anchor-revoc-escape" + \end_inset -OP_EQUAL Test if they supplied the HTLC R value + \end_layout -\begin_layout Description -OP_SWAP -\begin_inset space ~ \end_inset - -\begin_inset space ~ -\end_inset -OP_EQUAL -\begin_inset space ~ +\end_layout + \end_inset -OP_ADD Or the commitment revocation hash -\end_layout -\begin_layout Description -OP_IF If any hash matched. \end_layout -\begin_deeper -\begin_layout Description - Pay to B. +\begin_layout Standard +Unfortunately, this revocation is not a complete solution; if B uses its + escape transaction, A can collect B's anchor funds, but it has no way of + collecting its own! The commitment transaction cannot be used, as one of + its inputs has been spent by B's escape transaction. + A's own escape transaction has been revoked, so B would simply steal the + funds. \end_layout -\end_deeper -\begin_layout Description -OP_ELSE Must be A, after HTLC has timed out. -\end_layout +\begin_layout Standard +Thus we need an additional construction, such that using one escape transaction + immediately unlocks the other anchor funds for its owner. + To do this, we ensure that the escape transaction is forced to reveal a + secret, which is a fairly well-established technique +\begin_inset CommandInset citation +LatexCommand cite +key "nolan_alt" -\begin_deeper -\begin_layout Description - -\begin_inset space ~ \end_inset -OP_CHECKLOCKTIMEVERIFY Ensure (absolute) time has passed. -\end_layout +. + The anchor transaction is modified to either require both signatures (for + the commitment transaction), or both signatures and the secret (for the + escape transaction), as shown in Figure +\begin_inset CommandInset ref +LatexCommand ref +reference "fig:Secret-Revelation-by" -\begin_layout Description - -\begin_inset space ~ \end_inset -OP_CHECKSEQUENCEVERIFY Delay gives B enough time to use revocation if it - has it. +. + Note that this requires the other party to provide an alternate key (denoted + here using A' and B'), otherwise there is no way to force the escape transactio +n to provide the secret. \end_layout -\begin_layout Description -OP_2DROP Drop the delay and htlc-timeout from the stack. -\end_layout +\begin_layout Standard +\begin_inset Float figure +wide false +sideways false +status open -\begin_layout Description - Pay to A. -\end_layout +\begin_layout Plain Layout +\align center +\begin_inset Graphics + filename dual-anchor-diag4.eps + scale 50 -\end_deeper -\begin_layout Description -OP_ENDIF -\end_layout +\end_inset -\begin_layout Description -OP_CHECKSIG Verify A or B's signature is correct. -\end_layout -\begin_layout Subsubsection* -HTLC Receiver Redeemscript \end_layout -\begin_layout Description -OP_HASH160 -\begin_inset space ~ +\begin_layout Plain Layout +\begin_inset Caption Standard + +\begin_layout Plain Layout +Secret Revelation by Escape Transactions +\begin_inset CommandInset label +LatexCommand label +name "fig:Secret-Revelation-by" + \end_inset -OP_DUP Replace top element with two copies of its hash + \end_layout -\begin_layout Description - -\begin_inset space ~ \end_inset -OP_EQUAL B redeeming the contract, using R preimage? -\end_layout -\begin_layout Description -OP_IF \end_layout -\begin_deeper -\begin_layout Description - -\begin_inset space ~ \end_inset -OP_CHECKSEQUENCEVERIFY Delay gives A enough time to use revocation if it - has it. -\end_layout -\begin_layout Description -OP_2DROP Drop extra hash and delay from the stack \end_layout -\begin_layout Description - Pay to B -\end_layout +\begin_layout Standard +That revealed secret can be used with the other alternative: the +\emph on +fast escape transaction. -\end_deeper -\begin_layout Description -OP_ELSE -\end_layout +\emph default + This reveals the secret just like the escape transaction, but its output + is immediately usable if one knows the other side's secret. + This is shown in Figure +\begin_inset CommandInset ref +LatexCommand ref +reference "fig:Final-Dual-Anchor" -\begin_deeper -\begin_layout Description - -\begin_inset space ~ \end_inset -OP_EQUAL If the commit has been revoked. +. + Thus, if the B broadcasts its escape transaction after it has been revoked, + A can (after ensuring escape B is sufficiently deep in the block chain) + broadcast its fast escape transaction and use B's secret to immediately + spend the output. \end_layout -\begin_layout Description -OP_NOTIF If not, you need to wait for timeout. +\begin_layout Standard +On the other hand, if B broadcasts its fast escape transaction without knowing + A's secret, A can simply wait for the timeout and spend the fast escape + output, then use its own fast escape transaction and B's secret to recover + its own anchor funds as well. \end_layout -\begin_deeper -\begin_layout Description - -\begin_inset space ~ -\end_inset +\begin_layout Standard +\begin_inset Float figure +wide false +sideways false +status open + +\begin_layout Plain Layout +\align center +\begin_inset Graphics + filename dual-anchor-final.eps + scale 50 -OP_CHECKLOCKTIMEVERIFY -\begin_inset space ~ \end_inset -OP_DROP Ensure (absolute) time has passed. -\end_layout -\end_deeper -\begin_layout Description -OP_ENDIF \end_layout -\begin_layout Description - Pay to A -\end_layout +\begin_layout Plain Layout +\begin_inset Caption Standard -\end_deeper -\begin_layout Description -OP_ENDIF -\end_layout +\begin_layout Plain Layout +Final Dual Anchor Design +\begin_inset CommandInset label +LatexCommand label +name "fig:Final-Dual-Anchor" -\begin_layout Description -OP_CHECKSIG Verify A or B's signature is correct. -\end_layout +\end_inset -\begin_layout Subsubsection* -Redeeming A HTLC Output -\end_layout -\begin_layout Standard -To redeem an HTLC, the recipient one provides the preimage R, and their - signature. - In our example above, B can redeem the HTLC: \end_layout -\begin_layout Description - -\begin_inset space ~ \end_inset - -\begin_inset space ~ -\end_inset -{} \end_layout -\begin_layout Subsubsection* -Claiming a Timed-out HTLC -\end_layout +\end_inset + -\begin_layout Standard -To claim a timed-out HTLC, the sender supplies a zero value (which is nice - and short, but fails to hash to any of the revocation hashes), and their - signature. - In our example above, A can claim the timed-out HTLC: \end_layout -\begin_layout Description - -\begin_inset space ~ -\end_inset +\begin_layout Standard +The final scripts are shown in +\begin_inset CommandInset ref +LatexCommand nameref +reference "sec:Appendix-A:-Scripts" -0 -\begin_inset space ~ \end_inset -{} +. \end_layout -\begin_layout Subsubsection* -Claiming A HTLC Output For A Revoked Commitment Transaction +\begin_layout Subsection +Disadvantages of The Dual Anchor Approach \end_layout \begin_layout Standard -If either side publishes a commitment transaction which has been revoked, - we can use the revocation preimage they supplied to spend all the outputs. - This example shows A claiming the HTLC output if B broadcasts a revoked - commitment transaction: -\end_layout - -\begin_layout Description - -\begin_inset space ~ -\end_inset - - -\begin_inset space ~ -\end_inset - -{} +Unlike the mutual anchor approach, use of escape transactions is not outsourcabl +e: you cannot have an untrusted third party which can monitor the network + for the other sides' revoked escape transaction and respond with your own + escape transaction. + If you were to provide a third party with your fast escape transaction, + you would necessarily provide it with the secret, which it could give to + B. \end_layout \end_body diff --git a/doc/deployable-lightning.pdf b/doc/deployable-lightning.pdf index 4420509ee..4e56ed67a 100644 Binary files a/doc/deployable-lightning.pdf and b/doc/deployable-lightning.pdf differ