📅 Original date posted:2015-07-07
📝 Original message:
Hi all,
http://ozlabs.org/~rusty/diagrams/dual-anchor.svg
Since I posted my first design of HTLC yesterday, and noted that
it doesn't seem to require new sighash modes, I went back and revisited
my discarded ideas for establishing an anchor without new sighash modes.
If we can do that (and my HTLC design stands up), then lightning network
only needs OP_CHECKSEQUENCEVERIFY and OP_CHECKLOCKTIMEVERIFY, which are
fairly low-albedo soft forks.
To recap: the draft paper and current code trade signatures on
the first commitment transaction before signing the anchor transaction.
That way you are sure to have a way to get your funds back before you
put them into the anchor. (The paper uses the term funding transaction;
I prefer anchor).
This can't be done in normal bitcoin, as you don't know the TXID
of the anchor until after its inputs are signed, so you can't sign the
commitment transaction without knowing the txid of the anchor. It works
in Elements Alpha because they have segregated witness; the txid of the
anchor doesn't hash the input scripts. It could work in bitcoin with a
softfork of a new CHECKSIG2 which has new signature modes, but there's
not even a BIP for that, and there are so many things that could be done
there that it's likely to be long delayed.
So, how can we solve this? Well, we can have two anchors
instead of one. I put my inputs into my anchor, you put your inputs
into yours: each one requires both our signatures to spend. The
commitment tx has two inputs, one for each.
We can trade anchor txids, so we can both sign the commitment
tx. But now one of could withhold our anchor, leaving us with an
unusable commitment tx and stuck output from an anchor. We need a way
to get the funds back in that "abort" case.
Thus we add an intermediary transaction (called "Escape"
transactions) which spends the 2 of 2 anchor output, but can be spent
either by 2 of 2 (ie. the commitment tx), OR back to the anchor owner
after a delay (using OP_CHECKSEQUENCEVERIFY).
The order is as follows:
1) We both trade anchor txids and amounts.
2) We both trade signatures for the escape transactions, so either one
can broadcast them.
3) Now we are sure to be able to recover our funds, we each broadcast
our anchor txs.
4) If the other side broadcasts their escape transaction, abort and
broadcast our escape transaction. After the timeout, we can spend
it.
5) If the other side doesn't broadcast their anchor tx, abort and
broadcast our escape transaction.
6) Otherwise, when the anchor txs reach the required depth, we exchange
signatures for the commitment transaction.
7) If the other side broadcasts either escape transaction, broadcast
the other escape transaction and the commitment tx as normal (this is
a unilateral close) before they can reclaim their anchor funds.
I think this works, and doesn't add any new requirements; you now need
to watch out for escape txs being broadcast instead of commitment txs.
The downside is that there are 3 extra transactions involved; 1 extra
for the channel open, and 2 for the channel close.
Feedback, optimizations, horrible holes?
Rusty.
Rusty Russell [ARCHIVE] /
npub1zw…hkhpx
2023-06-09 12:43:38
in reply to nevent1q…y4nw
Author Public Key
npub1zw7cc8z78v6s3grujfvcv3ckpvg6kr0w7nz9yzvwyglyg0qu5sjsqhkhpxPublished at
2023-06-09 12:43:38Event JSON
{
"id": "a51b380653645d60a5e1a95693ee1a13f8c9866a1a9ce1ee4a793c726ba93a7d",
"pubkey": "13bd8c1c5e3b3508a07c92598647160b11ab0deef4c452098e223e443c1ca425",
"created_at": 1686314618,
"kind": 1,
"tags": [
[
"e",
"c2ba40f562a6207d34c6e66b361e338cc57efce6c2d7e65ea2659d0bf584fe0c",
"",
"reply"
],
[
"p",
"9456f7acb763eaab2e02bd8e60cf17df74f352c2ae579dce1f1dd25c95dd611c"
]
],
"content": "📅 Original date posted:2015-07-07\n📝 Original message:\nHi all,\n\n http://ozlabs.org/~rusty/diagrams/dual-anchor.svg\n\n Since I posted my first design of HTLC yesterday, and noted that\nit doesn't seem to require new sighash modes, I went back and revisited\nmy discarded ideas for establishing an anchor without new sighash modes.\nIf we can do that (and my HTLC design stands up), then lightning network\nonly needs OP_CHECKSEQUENCEVERIFY and OP_CHECKLOCKTIMEVERIFY, which are\nfairly low-albedo soft forks.\n\n To recap: the draft paper and current code trade signatures on\nthe first commitment transaction before signing the anchor transaction.\nThat way you are sure to have a way to get your funds back before you\nput them into the anchor. (The paper uses the term funding transaction;\nI prefer anchor).\n\n This can't be done in normal bitcoin, as you don't know the TXID\nof the anchor until after its inputs are signed, so you can't sign the\ncommitment transaction without knowing the txid of the anchor. It works\nin Elements Alpha because they have segregated witness; the txid of the\nanchor doesn't hash the input scripts. It could work in bitcoin with a\nsoftfork of a new CHECKSIG2 which has new signature modes, but there's\nnot even a BIP for that, and there are so many things that could be done\nthere that it's likely to be long delayed.\n\n So, how can we solve this? Well, we can have two anchors\ninstead of one. I put my inputs into my anchor, you put your inputs\ninto yours: each one requires both our signatures to spend. The\ncommitment tx has two inputs, one for each.\n\n We can trade anchor txids, so we can both sign the commitment\ntx. But now one of could withhold our anchor, leaving us with an\nunusable commitment tx and stuck output from an anchor. We need a way\nto get the funds back in that \"abort\" case.\n\n Thus we add an intermediary transaction (called \"Escape\"\ntransactions) which spends the 2 of 2 anchor output, but can be spent\neither by 2 of 2 (ie. the commitment tx), OR back to the anchor owner\nafter a delay (using OP_CHECKSEQUENCEVERIFY).\n\n The order is as follows:\n\n1) We both trade anchor txids and amounts.\n2) We both trade signatures for the escape transactions, so either one\n can broadcast them.\n3) Now we are sure to be able to recover our funds, we each broadcast\n our anchor txs.\n4) If the other side broadcasts their escape transaction, abort and\n broadcast our escape transaction. After the timeout, we can spend\n it.\n5) If the other side doesn't broadcast their anchor tx, abort and\n broadcast our escape transaction.\n6) Otherwise, when the anchor txs reach the required depth, we exchange\n signatures for the commitment transaction.\n7) If the other side broadcasts either escape transaction, broadcast\n the other escape transaction and the commitment tx as normal (this is\n a unilateral close) before they can reclaim their anchor funds.\n\nI think this works, and doesn't add any new requirements; you now need\nto watch out for escape txs being broadcast instead of commitment txs.\n\nThe downside is that there are 3 extra transactions involved; 1 extra\nfor the channel open, and 2 for the channel close.\n\nFeedback, optimizations, horrible holes?\nRusty.",
"sig": "eccde95db6e6db2b6aa7d7c93a1a116d78ccaf9215b002737cb313667bdf563cea33766a01d50fdaafbabcc487d2c26917ef98fcab467007e3b4d50d1b949320"
}