2164 lines
43 KiB

#LyX 2.1 created this file. For more info see http://www.lyx.org/
\lyxformat 474
\begin_document
\begin_header
\textclass article
\begin_preamble
% for subfigures/subtables
\usepackage[caption=false,font=footnotesize]{subfig}
\end_preamble
\options journal
\use_default_options false
\maintain_unincluded_children false
\language english
\language_package none
\inputencoding default
\fontencoding global
\font_roman default
\font_sans default
\font_typewriter default
\font_math auto
\font_default_family default
\use_non_tex_fonts false
\font_sc false
\font_osf false
\font_sf_scale 100
\font_tt_scale 100
\graphics default
\default_output_format default
\output_sync 0
\bibtex_command bibtex
\index_command default
\float_placement H
\paperfontsize default
\spacing single
\use_hyperref true
\pdf_title "Your Title"
\pdf_author "Your Name"
\pdf_bookmarks true
\pdf_bookmarksnumbered true
\pdf_bookmarksopen true
\pdf_bookmarksopenlevel 1
\pdf_breaklinks false
\pdf_pdfborder true
\pdf_colorlinks false
\pdf_backref false
\pdf_pdfusetitle false
\pdf_quoted_options "pdfpagelayout=OneColumn, pdfnewwindow=true, pdfstartview=XYZ, plainpages=false"
\papersize default
\use_geometry false
\use_package amsmath 1
\use_package amssymb 1
\use_package cancel 0
\use_package esint 0
\use_package mathdots 1
\use_package mathtools 0
\use_package mhchem 1
\use_package stackrel 0
\use_package stmaryrd 0
\use_package undertilde 0
\cite_engine basic
\cite_engine_type default
\biblio_style ieeetr
\use_bibtopic false
\use_indices false
\paperorientation portrait
\suppress_date false
\justification true
\use_refstyle 0
\index Index
\shortcut idx
\color #008000
\end_index
\secnumdepth 3
\tocdepth 3
\paragraph_separation indent
\paragraph_indentation default
\quotes_language english
\papercolumns 1
\papersides 1
\paperpagestyle default
\tracking_changes false
\output_changes false
\html_math_output 0
\html_css_as_file 0
\html_be_strict false
\end_header
\begin_body
\begin_layout Title
Reaching The Ground With Lightning (draft 0.2)
\end_layout
\begin_layout Author
Rusty Russell <rusty@blockstream.com>
\end_layout
\begin_layout Abstract
The Lightning Network (as proposed by Joseph Poon and Thaddeus Dryja
\begin_inset CommandInset citation
LatexCommand cite
key "Poon2015Lightning"
\end_inset
) requires some new sighash modes in order to work with Bitcoin.
This paper proposes a simplified variant which requires only modifications
which are already proposed for bitcoin, and slightly simplifies the revocation
of existing contracts.
\end_layout
\begin_layout Abstract
Keywords: bitcoin, lightning, revocation hash, HTLC, BIP62, BIP65, BIP68
\end_layout
\begin_layout Section
Introduction
\end_layout
\begin_layout Standard
The Bitcoin network
\begin_inset CommandInset citation
LatexCommand cite
key "nakamoto2008bitcoin"
\end_inset
allows the transfer of value between peers using
\emph on
transactions.
\emph default
Each bitcoin transaction consists of one or more
\emph on
outputs
\emph default
(typically specifying the hash of the recipient's key), and one or more
\emph on
inputs
\emph default
(typically containing the recipient's key and a signature of the transaction).
Thus one transfers value to another peer by creating a transaction which
\emph on
spends
\emph default
one or more outputs and creates an output which the recipient can spend
using their private key.
\end_layout
\begin_layout Standard
While such cryptographic transfer of value is near-instantaneous, ensuring
that the transaction has been included in the consensus of the shared ledger
(aka.
\emph on
blockchain
\emph default
) creates delays ranging from a few minutes to hours, depending on the level
of reliability required.
Inclusion in the blockchain is performed by miners, who preferentially
include transactions paying greatest fee per byte.
\end_layout
\begin_layout Standard
Thus using the blockchain directly is slow, and too expensive for genuinely
small transfers (typical fees are a few cents).
\end_layout
\begin_layout Section
Previous Work
\end_layout
\begin_layout Standard
To work around the bitcoin network's delays and fees, several forms of
\emph on
off-chain
\emph default
transaction patterns have been developed, where series of transactions
are sent directly between two parties, with only the initial opening transactio
n and final redemption transaction being included in the bitcoin blockchain.
\end_layout
\begin_layout Standard
The Lightning Network paper proposed a solution, but at the cost of introducing
new signature variants (sighash ops).
Adding a new signature opcode would allow many other improvements
\begin_inset Foot
status collapsed
\begin_layout Plain Layout
Schnorr signatures offer faster batch validation, according to https://github.com
/ElementsProject/elementsproject.github.io#schnorr-signature-validation
\end_layout
\end_inset
\begin_inset Foot
status collapsed
\begin_layout Plain Layout
DER encoding adds unnecessary bytes and is a cause of malleability
\end_layout
\end_inset
but that is precisely why it's a matter for longer term research and unlikely
to be deployed in Bitcoin in the immediate future.
\end_layout
\begin_layout Subsection
Payment Channels
\end_layout
\begin_layout Standard
The concept of
\emph on
payment channels
\emph default
(sometimes called micropayment channels) has existed in various forms for
several years
\begin_inset CommandInset citation
LatexCommand cite
key "BitcoinChannels"
\end_inset
.
The simplest form is as follows, and allows A to quickly and cheaply pay
B a stream of slightly increasing amounts:
\end_layout
\begin_layout Enumerate
A creates an
\emph on
anchor
\emph default
transaction to
\emph on
open the channel
\emph default
which:
\end_layout
\begin_deeper
\begin_layout Enumerate
Outputs $1,
\end_layout
\begin_layout Enumerate
Requires the signatures of both A and B to redeem.
\end_layout
\end_deeper
\begin_layout Enumerate
A sends the transaction ID of the anchor, which output to spend, and the
amount of that output to B.
\end_layout
\begin_layout Enumerate
B signs a
\begin_inset Quotes eld
\end_inset
refund
\begin_inset Quotes erd
\end_inset
transaction which:
\end_layout
\begin_deeper
\begin_layout Enumerate
spends that anchor output,
\end_layout
\begin_layout Enumerate
outputs the $1 to an address controlled by A, and
\end_layout
\begin_layout Enumerate
can only be spent in 24 hours (using the
\emph on
locktime
\emph default
field)
\end_layout
\end_deeper
\begin_layout Enumerate
B sends A the refund transaction.
\end_layout
\begin_layout Enumerate
A broadcasts the anchor transaction, knowing she can get the funds back
in 24 hours using the refund if B vanishes.
\end_layout
\begin_layout Standard
A can now pay B 1 cent by signing a new
\emph on
commitment
\emph default
transaction to send to B, which spends the anchor output and has two outputs:
one pays A 99c, and the other pays B 1 cent.
A can later pay B another cent by signing another transaction (
\begin_inset Quotes eld
\end_inset
updating the commitment
\begin_inset Quotes erd
\end_inset
) for B which pays A 98c and B 2c, etc.
\end_layout
\begin_layout Standard
At any point, B can
\begin_inset Quotes eld
\end_inset
close the channel
\begin_inset Quotes erd
\end_inset
by signing and broadcasting the latest commitment transaction to collect
the money.
B should do this before 24 hours pass, otherwise A can use the refund transacti
on.
\end_layout
\begin_layout Subsubsection
Limitations Of Simple Payment Channels
\end_layout
\begin_layout Standard
Simple channels have several limitations:
\end_layout
\begin_layout Description
Single
\begin_inset space ~
\end_inset
recipient.
A new recipient requires a new channel, which must wait for consensus on
the anchor transaction.
\end_layout
\begin_layout Description
One
\begin_inset space ~
\end_inset
way.
They cannot be reversed: A can sign a transaction which pays B less money
than the last, but B could still broadcast the older transaction.
\end_layout
\begin_layout Description
Vulnerable
\begin_inset space ~
\end_inset
to
\begin_inset space ~
\end_inset
malleability.
The anchor transaction could be altered in several ways (without invaliding
it completely) before inclusion in the blockchain: this alters its transaction
id and thus makes the refund transaction unusable.
\end_layout
\begin_layout Standard
This last issue is a common one with complex bitcoin transactions, and BIP62
\begin_inset CommandInset citation
LatexCommand cite
key "BIP62"
\end_inset
is proposed to prevent non-signing parties from being able to malleate
transactions.
\end_layout
\begin_layout Subsection
Generalized Payment Channels Using Revocable Transactions
\end_layout
\begin_layout Standard
The Lightning network introduced generalized, bi-directional payment channels,
referred to here as
\emph on
Poon-Dryja channels
\emph default
.
These use a mutual anchor, which both create to provide the channel funding,
and a symmetrical
\emph on
pair
\emph default
of updatable commitment
\emph on
\emph default
transactions rather than the single transaction used in the one-way channel
case, as shown in figure
\begin_inset CommandInset ref
LatexCommand ref
reference "fig:Figure-1-from"
\end_inset
\begin_inset Foot
status collapsed
\begin_layout Plain Layout
Note: this diagram has been corrected since: Commitment Close Tx 1A (CC1b)
-- should be CC1a, and vice-versa
\end_layout
\end_inset
.
\end_layout
\begin_layout Standard
\begin_inset Float figure
wide false
sideways false
status open
\begin_layout Plain Layout
\align center
\begin_inset Graphics
filename ln-draft-fig1.eps
scale 50
\end_inset
\end_layout
\begin_layout Plain Layout
\begin_inset Caption Standard
\begin_layout Plain Layout
Figure 1 from the Lightning Network Draft 0.5
\begin_inset CommandInset label
LatexCommand label
name "fig:Figure-1-from"
\end_inset
\end_layout
\end_inset
\end_layout
\end_inset
\end_layout
\begin_layout Standard
To update the commitment, A sends B a signature for B's new commitment transacti
on, and B sends A a signature for A's new commitment transaction.
\end_layout
\begin_layout Standard
As before, each commitment transaction contains two outputs, one for A and
one for B; but A's commitment transaction output to itself is encumbered
by an additional restriction (as is B's output to itself).
Instead of paying A directly, A's output needs both A and B's signature.
B provides such a signature, but on a
\begin_inset Quotes eld
\end_inset
commitment refund
\begin_inset Quotes erd
\end_inset
transaction which can only be spent after a delay (40 days in the paper).
Thus if A closes the channel by signing and broadcasting its commitment
transaction, B can collect its output immediately, but A must wait 40 days.
\end_layout
\begin_layout Standard
This delay encumbering the output is what makes the commitment transaction
\emph on
revocable;
\emph default
once an updated commitment transaction is agreed upon, the previous commitment
transaction pair is revoked by sharing the private keys needed to redeem
those encumbered outputs.
Thus, A shares its (throwaway) private key, and B shares its throwaway
private key.
If A were to sign and broadcast a revoked commitment transaction, B could
not only immediately spend its own output, but it has both A's key and
its own to generate a transaction which can spend the output which would
normally go to A after a delay.
\end_layout
\begin_layout Subsection
Hashed Timelock Contracts (HTLCs)
\end_layout
\begin_layout Standard
The Lightning Network paper used a set of 4 transactions to implement a
\emph on
hashed timelock contract,
\emph default
which guarantees payment of a given amount on presentation of a secret value
\emph on
R
\emph default
within a certain timespan.
Any number of these could be active within a generalized channel, and this
is what allows a network to form: Node A offers node B $1 for the secret
within 2 days, node B offers node C 99c for the secret within 1 day, etc.
\end_layout
\begin_layout Standard
This arrangement for one side of a single node is shown in figure
\begin_inset CommandInset ref
LatexCommand ref
reference "fig:Figure-2-from"
\end_inset
.
\end_layout
\begin_layout Standard
\begin_inset Float figure
wide false
sideways false
status open
\begin_layout Plain Layout
\align center
\begin_inset Graphics
filename ln-draft-fig2.eps
scale 50
\end_inset
\end_layout
\begin_layout Plain Layout
\begin_inset Caption Standard
\begin_layout Plain Layout
Figure 2 from the Lightning Network Draft 0.5
\begin_inset CommandInset label
LatexCommand label
name "fig:Figure-2-from"
\end_inset
\end_layout
\end_inset
\end_layout
\end_inset
\end_layout
\begin_layout Section
Enhancements To Lightning
\end_layout
\begin_layout Standard
This paper proposes various modifications.
\end_layout
\begin_layout Subsection
Poon-Dryja Generalized Payment Channel Modifications
\end_layout
\begin_layout Standard
This paper proposes three changes to the commitment transactions.
\end_layout
\begin_layout Subsubsection
Placing Timeout in Output Script
\end_layout
\begin_layout Standard
Rather than using a separate transaction to enforce the delay, BIP65
\begin_inset CommandInset citation
LatexCommand cite
key "BIP65"
\end_inset
proposes an OP_CHECKLOCKTIMEVERIFY which allows an output to specify the
minimum time at which it can be spent.
With this enhancement, we no longer need a separate
\begin_inset Quotes eld
\end_inset
commitment refund
\begin_inset Quotes erd
\end_inset
transaction.
The commitment transaction to-self output script would be a little more
complex:
\end_layout
\begin_layout Itemize
A and B's signature, OR
\end_layout
\begin_layout Itemize
A's signature and OP_CHECKLOCKTIMEVERIFY <40 days>
\end_layout
\begin_layout Standard
As of Nov.
13, 2015, BIP65 has been deployed and is in the process of being activated.
\end_layout
\begin_layout Subsubsection
Using Relative Locktime
\end_layout
\begin_layout Standard
The Poon-Dryja channel uses a 40 day locktime, because transaction locktime
is absolute.
Before 40 days the channel must be closed, otherwise spending a revoked
transaction and immediately following it with the commit refund transaction
is possible.
\end_layout
\begin_layout Standard
BIP112[#BIP112] proposes OP_CHECKSEQUENCEVERIFY, an opcode which allows
an output to specify a minimum
\emph on
relative
\emph default
time before the output can be spent
\begin_inset CommandInset citation
LatexCommand cite
key "friedenbach_bitcoin-development_2015,BIP112"
\end_inset
can reduce this timeout (say, to 1 day) and avoid placing a lifetime limit
on the channel, like so:
\end_layout
\begin_layout Itemize
A and B's signature, OR
\end_layout
\begin_layout Itemize
A's signature and OP_CHECKSEQUENCEVERIFY <1 day>
\end_layout
\begin_layout Standard
As of Nov.
13, 2015, BIP112 has not been deployed.
\end_layout
\begin_layout Subsubsection
Using Revocation Preimages Instead of Private Keys
\end_layout
\begin_layout Standard
There's a slightly more intuitive and more efficient method than exchanging
private keys, which is to reuse a technique of hash preimages which is
already needed for HTLCs (as we see later).
\end_layout
\begin_layout Standard
Instead of using a private key, B uses knowledge of a hash preimage as well
as its signature to steal funds from a revoked commitment transaction.
Thus, to create a commitment transaction each side provides a hash value;
to revoke a commitment transaction it provides the prehash image.
\end_layout
\begin_layout Standard
The resulting commitment transaction to-self output now looks like:
\end_layout
\begin_layout Itemize
B's signature and a preimage which hashes to <revocation-hash>, OR
\end_layout
\begin_layout Itemize
A's signature and OP_CHECKSEQUENCEVERIFY <1 day>
\end_layout
\begin_layout Standard
This can be expressed fairly easily in bitcoin's script-based scripting
language, as annotated in
\begin_inset CommandInset ref
LatexCommand nameref
reference "sub:Commitment-Outputs-For"
\end_inset
.
The final pair of commitment transaction outputs is shown in Figure
\begin_inset CommandInset ref
LatexCommand ref
reference "fig:Commitment-Transaction-Outputs"
\end_inset
.
\end_layout
\begin_layout Standard
\begin_inset Float figure
wide false
sideways false
status open
\begin_layout Plain Layout
\align center
\begin_inset Graphics
filename commit-tx.eps
scale 50
\end_inset
\end_layout
\begin_layout Plain Layout
\begin_inset Caption Standard
\begin_layout Plain Layout
Commitment Transaction Outputs
\begin_inset CommandInset label
LatexCommand label
name "fig:Commitment-Transaction-Outputs"
\end_inset
\end_layout
\end_inset
\end_layout
\end_inset
\end_layout
\begin_layout Subsection
Channel Opening Modifications
\end_layout
\begin_layout Standard
The method of creating the first commitment transaction before signing the
anchor transaction (as proposed in the paper) presents two problems in
practice:
\end_layout
\begin_layout Enumerate
The anchor transaction id required for the commitment input will only be
known once the anchor is signed, and
\end_layout
\begin_layout Enumerate
The anchor transaction can be malleated by either party before entering
the blockchain, rendering the commitment input unusable.
\end_layout
\begin_layout Standard
The last of these is particularly pernicious, as BIP62 doesn't solve it:
signatories can always re-sign a transaction, hence altering its transaction
ID.
The paper proposes new SIGHASH flags which mitigate this problem, but we
are attempting to avoid that.
\end_layout
\begin_layout Standard
Our approach is to only have one-sided anchors.
These can be later balanced by the lightning network itself, or an atomic-swap
to an on-chain bitcoin transaction
\begin_inset CommandInset citation
LatexCommand cite
key "go1111111_single_anchor"
\end_inset
.
Any bitcoin transaction fees are initially funded by that anchor, but the
implementation splits fees where possible and never allows either side
to spend funds in the channel if they would no longer be able to pay their
share.
\end_layout
\begin_layout Subsection
Hashed Timelock Contract (HTLC) Modification
\end_layout
\begin_layout Standard
Using the same techniques used above, we can condense each HTLC into a single
output script on the commitment transaction.
This output is spendable under three conditions:
\end_layout
\begin_layout Enumerate
Recipient knows the R value (funds go to recipient), or
\end_layout
\begin_layout Enumerate
The HTLC has timed out (funds return to sender), or
\end_layout
\begin_layout Enumerate
The Commit transaction has been revoked (funds go to other side).
\end_layout
\begin_layout Standard
Unlike the original paper, we use revocation preimages instead of sharing
temporary private keys.
If we also use OP_CHECKLOCKTIMEVERIFY and OP_CHECKSEQUENCEVERIFY it is
fairly simple to express these conditions in a single output script.
\end_layout
\begin_layout Standard
For each direction the HTLC could transfer funds, there are two scripts
required; one for A's commitment transaction and one for B's commitment
transaction.
It's also a requirement that the conditions which allow payment to oneself
be delayed, to give the other side an opportunity to take the funds in
case of revocation.
This is shown (omitting the HTLC to-self delays, which depend on the orientatio
n of payer/payee with respect to A and B) in figure
\begin_inset CommandInset ref
LatexCommand ref
reference "fig:HTLC-Using-Revocation"
\end_inset
.
\end_layout
\begin_layout Standard
\begin_inset Float figure
wide false
sideways false
status open
\begin_layout Plain Layout
\align center
\begin_inset Graphics
filename htlc.eps
scale 50
\end_inset
\end_layout
\begin_layout Plain Layout
\begin_inset Caption Standard
\begin_layout Plain Layout
HTLC Using Revocation Preimages, OP_CLTV and OP_CSV (simplified)
\begin_inset CommandInset label
LatexCommand label
name "fig:HTLC-Using-Revocation"
\end_inset
\end_layout
\end_inset
\end_layout
\end_inset
\end_layout
\begin_layout Standard
The scripts for this can be found in
\begin_inset CommandInset ref
LatexCommand nameref
reference "sec:Appendix-A:-Scripts"
\end_inset
.
\end_layout
\begin_layout Section
Conclusions
\end_layout
\begin_layout Standard
Secret preimages can replace exposure of temporary private keys in the Lightning
Network constructs with no loss of generality, and a slight gain in simplicity.
\end_layout
\begin_layout Standard
The use of script conditionals to enforce timeouts instead of using separate
pre-signed transactions reduces an HTLC from a set of four dual-signed
transactions to a single (more complex) output script, and additionally
avoids any requirement for new CHECKSIG flags for HTLCs.
\end_layout
\begin_layout Standard
By using a rebalanced single anchor, channel establishment can also avoid
new CHECKSIG flags, though it loses the important ability to outsource
the enforcement of channel contract terms.
\end_layout
\begin_layout Section*
Acknowlegments
\end_layout
\begin_layout Standard
Thanks to mmeijeri on Reddit's r/Bitcoin for pointing out a flaw in escape
transactions reusing the same A and B keys as the commitment transaction
in
\begin_inset CommandInset ref
LatexCommand nameref
reference "sec:Appendix-B:-Dual"
\end_inset
\begin_inset Foot
status open
\begin_layout Plain Layout
https://www.reddit.com/r/Bitcoin/comments/3dlxw4/reaching_the_ground_with_lightnin
g_lightning/ct80xpp
\end_layout
\end_inset
.
Thanks to John Newbery for multiple formatting and typing corrections.
\end_layout
\begin_layout Standard
Thanks to Joseph Poon for designing the escape/fast-escape dual-anchor method,
as well as finding a flaw in my original formulation of the dual anchor
construct and reviewing an earlier draft of this paper.
Also thanks to him and Thaddeus Dryja for the initial eye-opening Lightning
Network paper.
\end_layout
\begin_layout Standard
\begin_inset CommandInset bibtex
LatexCommand bibtex
bibfiles "bitcoin"
options "bibtotoc,plain"
\end_inset
\end_layout
\begin_layout Section*
Appendix A: Transaction Scripts
\begin_inset CommandInset label
LatexCommand label
name "sec:Appendix-A:-Scripts"
\end_inset
\end_layout
\begin_layout Standard
All outputs are expressed as pay-to-scripthash outputs, where the redeeming
input provides the redeemscript.
Where a redeem-hash value is optional, it is generally supplied: for example,
if we want to pay to A if a preimage is supplied and B if no preimage is
supplied, we expect the input scriptsig to provide two arguments in both
cases (generally a zero in the second case).
This saves an extra test (of form
\begin_inset Quotes eld
\end_inset
OP_DEPTH <N> OP_EQUAL
\begin_inset Quotes erd
\end_inset
), at cost of a single byte in the input script.
\end_layout
\begin_layout Subsection*
Anchor Transaction
\end_layout
\begin_layout Standard
The anchor inputs are whatever the node chooses.
\end_layout
\begin_layout Subsubsection*
Anchor Output Redeemscript
\end_layout
\begin_layout Standard
The anchor output is a pay to script hash, with a redeemscript as follows:
\end_layout
\begin_layout Description
OP_HASH
\begin_inset space ~
\end_inset
<SECRET-A-HASH>
\begin_inset space ~
\end_inset
OP_EQUAL If the secret is supplied,
\end_layout
\begin_layout Description
OP_IF
\end_layout
\begin_deeper
\begin_layout Description
<KEY-B'> Should be signed by B's escape key.
\end_layout
\end_deeper
\begin_layout Description
OP_ELSE
\end_layout
\begin_deeper
\begin_layout Description
<KEY-B> Should be signed by B's commitment key.
\end_layout
\end_deeper
\begin_layout Description
OP_ENDIF
\end_layout
\begin_layout Description
2
\begin_inset space ~
\end_inset
OP_SWAP Put 2 before B's key on the stack.
\end_layout
\begin_layout Description
<KEY-A>
\begin_inset space ~
\end_inset
2
\begin_inset space ~
\end_inset
OP_CHECKMULTISIG Make sure A and B have signed.
\end_layout
\begin_layout Subsection*
Commitment Transactions For Generalized Channels
\begin_inset CommandInset label
LatexCommand label
name "sub:Commitment-Outputs-For"
\end_inset
\end_layout
\begin_layout Standard
These examples are for A's Commitment Transaction; switch A and B to get
B's commitment transaction.
\end_layout
\begin_layout Subsubsection*
Commitment Input Script
\end_layout
\begin_layout Standard
The commitment transaction has two inputs; one which spends each anchor
output.
The zero after the signature indicates it is not revealing the secret:
\end_layout
\begin_layout Description
0
\begin_inset space ~
\end_inset
<SIG-B>
\begin_inset space ~
\end_inset
<SIG-A>
\begin_inset space ~
\end_inset
0
\begin_inset space ~
\end_inset
{<ANCHOR-REDEEMSCRIPT>}
\end_layout
\begin_layout Subsubsection*
Commitment Transaction Output Redeemscripts
\end_layout
\begin_layout Standard
One output pays B's funds to B as normal (eg.
pay to scripthash
\begin_inset Quotes eld
\end_inset
<KEY-B> OP_CHECKSIG
\begin_inset Quotes erd
\end_inset
).
The other output pays A's funds: either to B if they supply the revocation
preimage, or to A after a delay.
This is the redeemscript:
\end_layout
\begin_layout Description
OP_HASH160
\begin_inset space ~
\end_inset
<COMMIT-REVOCATION-HASH>
\begin_inset space ~
\end_inset
OP_EQUAL Did they supply revocation preimage?
\end_layout
\begin_layout Description
OP_IF
\end_layout
\begin_deeper
\begin_layout Description
<B-KEY> To B.
\end_layout
\end_deeper
\begin_layout Description
OP_ELSE
\end_layout
\begin_deeper
\begin_layout Description
<LOCKTIME>
\begin_inset space ~
\end_inset
OP_CHECKSEQUENCEVERIFY
\begin_inset space ~
\end_inset
OP_DROP Spending transaction must be after timeout
\end_layout
\begin_layout Description
<A-KEY> To A.
\end_layout
\end_deeper
\begin_layout Description
OP_ENDIF
\end_layout
\begin_layout Description
OP_CHECKSIG Signature must be correct.
\end_layout
\begin_layout Subsubsection*
Spending Commitment Output
\end_layout
\begin_layout Standard
Either B using a revocation preimage:
\end_layout
\begin_layout Description
<SIG-B>
\begin_inset space ~
\end_inset
<COMMIT-REVOCATION-IMAGE-A>
\begin_inset space ~
\end_inset
{<COMMITMENT-REDEEMSCRIPT>}
\end_layout
\begin_layout Standard
Or A using after a timeout:
\end_layout
\begin_layout Description
<SIG-A>
\begin_inset space ~
\end_inset
0
\begin_inset space ~
\end_inset
{<COMMITMENT-REDEEMSCRIPT>}
\end_layout
\begin_layout Subsection*
Hash Locked Transaction Commitments
\end_layout
\begin_layout Standard
There are two styles of commitment transaction outputs for HTLCs: a
\begin_inset Quotes eld
\end_inset
sender
\begin_inset Quotes erd
\end_inset
and
\begin_inset Quotes eld
\end_inset
receiver
\begin_inset Quotes erd
\end_inset
case.
The output is a pay-to-script-hash, so the redeemscripts are shown below.
\end_layout
\begin_layout Standard
These scripts show A as the sender, and B as the receiver: exchange A and
B for the reverse.
\end_layout
\begin_layout Subsubsection*
HTLC Sender Redeemscript
\end_layout
\begin_layout Description
OP_HASH160
\begin_inset space ~
\end_inset
OP_DUP Replace top element with two copies of its hash
\end_layout
\begin_layout Description
<R-HASH>
\begin_inset space ~
\end_inset
OP_EQUAL Test if they supplied the HTLC R value
\end_layout
\begin_layout Description
OP_SWAP
\begin_inset space ~
\end_inset
<COMMIT-REVOCATION-HASH>
\begin_inset space ~
\end_inset
OP_EQUAL
\begin_inset space ~
\end_inset
OP_ADD Or the commitment revocation hash
\end_layout
\begin_layout Description
OP_IF If any hash matched.
\end_layout
\begin_deeper
\begin_layout Description
<KEY-B> Pay to B.
\end_layout
\end_deeper
\begin_layout Description
OP_ELSE Must be A, after HTLC has timed out.
\end_layout
\begin_deeper
\begin_layout Description
<HTLC-TIMEOUT>
\begin_inset space ~
\end_inset
OP_CHECKLOCKTIMEVERIFY Ensure (absolute) time has passed.
\end_layout
\begin_layout Description
<DELAY>
\begin_inset space ~
\end_inset
OP_CHECKSEQUENCEVERIFY Delay gives B enough time to use revocation if it
has it.
\end_layout
\begin_layout Description
OP_2DROP Drop the delay and htlc-timeout from the stack.
\end_layout
\begin_layout Description
<KEY-A> Pay to A.
\end_layout
\end_deeper
\begin_layout Description
OP_ENDIF
\end_layout
\begin_layout Description
OP_CHECKSIG Verify A or B's signature is correct.
\end_layout
\begin_layout Subsubsection*
HTLC Receiver Redeemscript
\end_layout
\begin_layout Description
OP_HASH160
\begin_inset space ~
\end_inset
OP_DUP Replace top element with two copies of its hash
\end_layout
\begin_layout Description
<R-HASH>
\begin_inset space ~
\end_inset
OP_EQUAL B redeeming the contract, using R preimage?
\end_layout
\begin_layout Description
OP_IF
\end_layout
\begin_deeper
\begin_layout Description
<DELAY>
\begin_inset space ~
\end_inset
OP_CHECKSEQUENCEVERIFY Delay gives A enough time to use revocation if it
has it.
\end_layout
\begin_layout Description
OP_2DROP Drop extra hash and delay from the stack
\end_layout
\begin_layout Description
<KEY-B> Pay to B
\end_layout
\end_deeper
\begin_layout Description
OP_ELSE
\end_layout
\begin_deeper
\begin_layout Description
<COMMIT-REVOCATION-HASH>
\begin_inset space ~
\end_inset
OP_EQUAL If the commit has been revoked.
\end_layout
\begin_layout Description
OP_NOTIF If not, you need to wait for timeout.
\end_layout
\begin_deeper
\begin_layout Description
<HTLC-TIMEOUT>
\begin_inset space ~
\end_inset
OP_CHECKLOCKTIMEVERIFY
\begin_inset space ~
\end_inset
OP_DROP Ensure (absolute) time has passed.
\end_layout
\end_deeper
\begin_layout Description
OP_ENDIF
\end_layout
\begin_layout Description
<KEY-A> Pay to A
\end_layout
\end_deeper
\begin_layout Description
OP_ENDIF
\end_layout
\begin_layout Description
OP_CHECKSIG Verify A or B's signature is correct.
\end_layout
\begin_layout Subsubsection*
Redeeming A HTLC Output
\end_layout
\begin_layout Standard
To redeem an HTLC, the recipient one provides the preimage R, and their
signature.
In our example above, B can redeem the HTLC:
\end_layout
\begin_layout Description
<SIG-B>
\begin_inset space ~
\end_inset
<HTLC-R-VALUE>
\begin_inset space ~
\end_inset
{<HTLC-REDEEMSCRIPT>}
\end_layout
\begin_layout Subsubsection*
Claiming a Timed-out HTLC
\end_layout
\begin_layout Standard
To claim a timed-out HTLC, the sender supplies a zero value (which is nice
and short, but fails to hash to any of the revocation hashes), and their
signature.
In our example above, A can claim the timed-out HTLC:
\end_layout
\begin_layout Description
<SIG-A>
\begin_inset space ~
\end_inset
0
\begin_inset space ~
\end_inset
{<HTLC-REDEEMSCRIPT>}
\end_layout
\begin_layout Subsubsection*
Claiming A HTLC Output For A Revoked Commitment Transaction
\end_layout
\begin_layout Standard
If either side publishes a commitment transaction which has been revoked,
we can use the revocation preimage they supplied to spend all the outputs.
This example shows A claiming the HTLC output if B broadcasts a revoked
commitment transaction:
\end_layout
\begin_layout Description
<SIG-A>
\begin_inset space ~
\end_inset
<COMMIT-REVOCATION>
\begin_inset space ~
\end_inset
{<HTLC-REDEEMSCRIPT>}
\end_layout
\begin_layout Section*
Appendix B: Dual Anchors With Escape Transactions
\begin_inset CommandInset label
LatexCommand label
name "sec:Appendix-B:-Dual"
\end_inset
\end_layout
\begin_layout Standard
This appendix presents a dual-input anchor solution which doesn't require
additional bitcoin signature flags.
It is not being proposed currently, as it seems that a single-sided anchor
is probably sufficient.
\end_layout
\begin_layout Subsection
Separate Anchor Transactions
\end_layout
\begin_layout Standard
To avoid the problem of needing all anchor signatures to derive the anchor
transaction ID to create the commitment transaction input, we split the
anchor into two transactions; thus A knows its anchor transaction ID, and
B knows its anchor transaction ID as shown in Figure
\begin_inset CommandInset ref
LatexCommand ref
reference "fig:Simplistic-Dual-Anchor"
\end_inset
.
\end_layout
\begin_layout Standard
\align center
\begin_inset Float figure
wide false
sideways false
status open
\begin_layout Plain Layout
\align center
\begin_inset Graphics
filename dual-anchor-diag1.eps
scale 50
\end_inset
\begin_inset Caption Standard
\begin_layout Plain Layout
Simplistic Dual Anchor Design
\begin_inset CommandInset label
LatexCommand label
name "fig:Simplistic-Dual-Anchor"
\end_inset
\end_layout
\end_inset
\end_layout
\end_inset
\end_layout
\begin_layout Standard
This form allows A and B to create commitment transactions which spends
the anchors outputs by exchanging anchor transaction IDs.
It has the problem that if the other party does not then broadcast its
anchor transaction, we cannot spend the commitment transaction, and our
own anchor funds are stuck.
\end_layout
\begin_layout Standard
Thus we introduce an
\emph on
escape
\emph default
transaction, which lets us regain our anchor funds in that case, as shown
in Figure
\begin_inset CommandInset ref
LatexCommand ref
reference "fig:Dual-Anchor2"
\end_inset
.
\end_layout
\begin_layout Standard
\begin_inset Float figure
wide false
sideways false
status open
\begin_layout Plain Layout
\align center
\begin_inset Graphics
filename dual-anchor-diag2.eps
scale 50
\end_inset
\begin_inset Caption Standard
\begin_layout Plain Layout
Dual Anchor With Simple Escape Transactions
\begin_inset CommandInset label
LatexCommand label
name "fig:Dual-Anchor2"
\end_inset
\end_layout
\end_inset
\end_layout
\end_inset
\end_layout
\begin_layout Standard
However, this escape transaction would let either side remove its funds
from the channel at any time, which would make the channel insecure.
Thus, after the commitment transactions have been established, we want
to revoke the escape transactions.
We can do the same way we did for the commitment transaction revocation;
by placing restrictions on the
\begin_inset Quotes eld
\end_inset
to-me
\begin_inset Quotes erd
\end_inset
output.
In particular, adding a delay if paying back to the anchor owner, and allowing
it to be spent by the other party immediately if they possess the revocation
preimage, as shown in Figure
\begin_inset CommandInset ref
LatexCommand ref
reference "fig:Anchor-revoc-escape"
\end_inset
.
\end_layout
\begin_layout Standard
\begin_inset Float figure
wide false
sideways false
status open
\begin_layout Plain Layout
\align center
\begin_inset Graphics
filename dual-anchor-diag3.eps
scale 50
\end_inset
\end_layout
\begin_layout Plain Layout
\begin_inset Caption Standard
\begin_layout Plain Layout
Dual Anchors With Revocable Escape Transactions
\begin_inset CommandInset label
LatexCommand label
name "fig:Anchor-revoc-escape"
\end_inset
\end_layout
\end_inset
\end_layout
\end_inset
\end_layout
\begin_layout Standard
Unfortunately, this revocation is not a complete solution; if B uses its
escape transaction, A can collect B's anchor funds, but it has no way of
collecting its own! The commitment transaction cannot be used, as one of
its inputs has been spent by B's escape transaction.
A's own escape transaction has been revoked, so B would simply steal the
funds.
\end_layout
\begin_layout Standard
Thus we need an additional construction, such that using one escape transaction
immediately unlocks the other anchor funds for its owner.
To do this, we ensure that the escape transaction is forced to reveal a
secret, which is a fairly well-established technique
\begin_inset CommandInset citation
LatexCommand cite
key "nolan_alt"
\end_inset
.
The anchor transaction is modified to either require both signatures (for
the commitment transaction), or both signatures and the secret (for the
escape transaction), as shown in Figure
\begin_inset CommandInset ref
LatexCommand ref
reference "fig:Secret-Revelation-by"
\end_inset
.
Note that this requires the other party to provide an alternate key (denoted
here using A' and B'), otherwise there is no way to force the escape transactio
n to provide the secret.
\end_layout
\begin_layout Standard
\begin_inset Float figure
wide false
sideways false
status open
\begin_layout Plain Layout
\align center
\begin_inset Graphics
filename dual-anchor-diag4.eps
scale 50
\end_inset
\end_layout
\begin_layout Plain Layout
\begin_inset Caption Standard
\begin_layout Plain Layout
Secret Revelation by Escape Transactions
\begin_inset CommandInset label
LatexCommand label
name "fig:Secret-Revelation-by"
\end_inset
\end_layout
\end_inset
\end_layout
\end_inset
\end_layout
\begin_layout Standard
That revealed secret can be used with the other alternative: the
\emph on
fast escape transaction.
\emph default
This reveals the secret just like the escape transaction, but its output
is immediately usable if one knows the other side's secret.
This is shown in Figure
\begin_inset CommandInset ref
LatexCommand ref
reference "fig:Final-Dual-Anchor"
\end_inset
.
Thus, if B broadcasts its escape transaction after it has been revoked,
A can (after ensuring escape B is sufficiently deep in the block chain)
broadcast its fast escape transaction and use B's secret to immediately
spend the output.
\end_layout
\begin_layout Standard
On the other hand, if B broadcasts its fast escape transaction without knowing
A's secret, A can simply wait for the timeout and spend the fast escape
output, then use its own fast escape transaction and B's secret to recover
its own anchor funds as well.
\end_layout
\begin_layout Standard
\begin_inset Float figure
wide false
sideways false
status open
\begin_layout Plain Layout
\align center
\begin_inset Graphics
filename dual-anchor-final.eps
scale 50
\end_inset
\end_layout
\begin_layout Plain Layout
\begin_inset Caption Standard
\begin_layout Plain Layout
Final Dual Anchor Design
\begin_inset CommandInset label
LatexCommand label
name "fig:Final-Dual-Anchor"
\end_inset
\end_layout
\end_inset
\end_layout
\end_inset
\end_layout
\begin_layout Standard
The final scripts are shown in
\begin_inset CommandInset ref
LatexCommand nameref
reference "sec:Appendix-A:-Scripts"
\end_inset
.
\end_layout
\begin_layout Subsection
Disadvantages of The Dual Anchor Approach
\end_layout
\begin_layout Standard
Unlike the mutual anchor approach, use of escape transactions is not outsourcabl
e: you cannot have an untrusted third party which can monitor the network
for the other sides' revoked escape transaction and respond with your own
escape transaction.
If you were to provide a third party with your fast escape transaction,
you would necessarily provide it with the secret, which it could give to
B.
\end_layout
\begin_layout Subsection
Script Definitions for Escape Transactions
\end_layout
\begin_layout Subsection*
Escape Transaction
\end_layout
\begin_layout Standard
The escape transaction for A spends A's anchor output and reveals A's secret.
Similarly for B.
\end_layout
\begin_layout Subsubsection*
Escape Input Script
\end_layout
\begin_layout Standard
The extra 0 at the start is due to the OP_CHECKMULTISIG out-by-one-bug.
\end_layout
\begin_layout Description
0
\begin_inset space ~
\end_inset
<SIG-B'>
\begin_inset space ~
\end_inset
<SIG-A>
\begin_inset space ~
\end_inset
<SECRET-A>
\begin_inset space ~
\end_inset
{<ANCHOR-REDEEMSCRIPT>}
\end_layout
\begin_layout Subsubsection*
Escape Output Redeemscript
\end_layout
\begin_layout Standard
This allows two paths: one for the other side to use the revocation image,
and one for this side to get their funds back after a delay.
This show's A's script, but B's is the same with A and B exchanged.
\end_layout
\begin_layout Description
OP_HASH160
\begin_inset space ~
\end_inset
<RHASH-A>
\begin_inset space ~
\end_inset
OP_EQUAL Check if the top of the stack contains the revocation image.
\end_layout
\begin_layout Description
OP_IF
\end_layout
\begin_deeper
\begin_layout Description
<KEY-B> Funds for B.
\end_layout
\end_deeper
\begin_layout Description
OP_ELSE It's A getting their funds back
\end_layout
\begin_deeper
\begin_layout Description
<DELAYTIME>
\begin_inset space ~
\end_inset
OP_CHECKSEQUENCEVERIFY
\begin_inset space ~
\end_inset
OP_DROP Ensure delay.
\end_layout
\begin_layout Description
<KEY-A> Needs to be signed by A.
\end_layout
\end_deeper
\begin_layout Description
OP_ENDIF
\end_layout
\begin_layout Description
OP_CHECKSIG Make sure it's signed correctly.
\end_layout
\begin_layout Subsubsection*
Spending The Escape Output
\end_layout
\begin_layout Standard
Either B using a revocation preimage:
\end_layout
\begin_layout Description
<SIG-B>
\begin_inset space ~
\end_inset
<REVOCATION-IMAGE-A>
\begin_inset space ~
\end_inset
{<ESCAPE-REDEEMSCRIPT>}
\end_layout
\begin_layout Standard
Or A using after a timeout:
\end_layout
\begin_layout Description
<SIG-A>
\begin_inset space ~
\end_inset
0
\begin_inset space ~
\end_inset
{<ESCAPE-REDEEMSCRIPT>}
\end_layout
\begin_layout Subsection*
Fast-Escape Transaction
\end_layout
\begin_layout Subsubsection*
Fast-Escape Input Script
\end_layout
\begin_layout Standard
This is identical to the normal escape input script.
\end_layout
\begin_layout Description
0
\begin_inset space ~
\end_inset
<SIG-B'>
\begin_inset space ~
\end_inset
<SIG-A>
\begin_inset space ~
\end_inset
<SECRET-A>
\begin_inset space ~
\end_inset
{<ANCHOR-REDEEMSCRIPT>}
\end_layout
\begin_layout Subsubsection*
Fast-Escape Output Redeemscript
\end_layout
\begin_layout Standard
This allows two paths: one for this side to use the other side's secret
(revealed by them using an escape transaction), and one for the other side
to claim this side's anchor funds after a delay.
This shows A's script, but B's is the same with A and B exchanged.
\end_layout
\begin_layout Description
OP_HASH
\begin_inset space ~
\end_inset
<SECRET-B-HASH>
\begin_inset space ~
\end_inset
OP_EQUAL If top argument is B's secret
\end_layout
\begin_layout Description
OP_IF
\end_layout
\begin_deeper
\begin_layout Description
<KEY-A> For A
\end_layout
\end_deeper
\begin_layout Description
OP_ELSE B gets it if A doesn't know the secret.
\end_layout
\begin_deeper
\begin_layout Description
<DELAYTIME>
\begin_inset space ~
\end_inset
OP_CHECKSEQUENCEVERIFY
\begin_inset space ~
\end_inset
OP_DROP Ensure delay.
\end_layout
\begin_layout Description
<KEY-B> Needs to be signed by B.
\end_layout
\end_deeper
\begin_layout Description
OP_ENDIF
\end_layout
\begin_layout Description
OP_CHECKSIG Make sure it's signed correctly.
\end_layout
\begin_layout Subsubsection*
Spending The Fast-Escape Output
\end_layout
\begin_layout Standard
Either A using B's secret revealed by B using its own escape transaction:
\end_layout
\begin_layout Description
<SIG-A>
\begin_inset space ~
\end_inset
<SECRET-B>
\begin_inset space ~
\end_inset
{<FAST-ESCAPE-REDEEMSCRIPT>}
\end_layout
\begin_layout Standard
Or B using after a timeout:
\end_layout
\begin_layout Description
<SIG-B>
\begin_inset space ~
\end_inset
0
\begin_inset space ~
\end_inset
{<FAST-ESCAPE-REDEEMSCRIPT>}
\end_layout
\end_body
\end_document