๐
Original date posted:2015-07-06
๐ Original message:
Hi all,
To recap: each side maintains a commitment transaction with two
outputs: one paying to self (with some delay), and the second paying to
the other side.
To generate hash time-locked contracts (required for lightning
to be a network), both commitment transactions get an additional output.
This output is spendable under four conditions:
1) Recipient knows the R value (funds go to recipient), OR
2) The HTLC has timed out (funds return to initiator), OR
3) The HTLC has been revoked (funds to go "non-cheating" side), OR
4) The Commit transaction has been revoked (funds to go "non-cheating" side)
The last two failure modes are separate from each other, because HTLCs
have different lifetimes from commit transactions.
Since we use "revocation preimages" to revoke transactions (rather than
sending pubkeys as the original draft paper), the result of this for A's
commitment transaction look like this:
HTLC from A to B:
1) R value and B's signature, OR
2) HTLC timeout and A's signature[*], OR
3) HTLC revocation preimage and B's signature, OR
4) Commitment transaction revocation preimage and B's signature.
HTLC from B to A:
1) R value and A's signature[*], OR
2) HTLC timeout and B's signature, OR
3) HTLC revocation preimate and B's signature, OR
4) Commitment transaction revocation preimage and B's signature.
We need to ensure delays in the cases where payment can go to A (marked
with [*]) so that B has a chance to steal the funds if the HTLC or
commitment tx has been revoked.
The result is one of the following scriptPubKey from the commitment tx
for the HTLC like so (note: unchecked and unoptimized!):
HTLC from US to THEM:
---------------------
# They present HTLC's R value, or either revocation hash:
OP_DUP OP_HASH160 <HTLC-R-HASH> OP_EQUAL
OP_SWAP <HTLC-REVOCATION-HASH> OP_EQUAL
OP_ADD OP_SWAP <COMMIT-REVOCATION-HASH> OP_EQUAL
OP_ADD
OP_IF
# One hash matched, pay to them.
OP_DUP OP_HASH160 <THEM-pubKeyHash> OP_EQUALVERIFY OP_CHECKSIG
OP_ELSE
# Must be us, with HTLC timed out.
<HTLC-ABSOLUTE-TIMEOUT> OP_CHECKLOCKTIMEVERIFY OP_DROP
<VERIFICATION-RELATIVE-TIMEOUT> OP_CHECKSEQUENCEVERIFY OP_DROP
OP_DUP OP_HASH160 <US-pubKeyHash> OP_EQUALVERIFY OP_CHECKSIG
OP_ENDIF
HTLC from THEM to US:
---------------------
# Revocation cases:
OP_DUP OP_HASH160 <HTLC-REVOCATION-HASH> OP_EQUAL
OP_SWAP <COMMIT-REVOCATION-HASH> OP_EQUAL
OP_ADD
OP_IF
# One hash matched, pay to them.
OP_DUP OP_HASH160 <THEM-pubKeyHash> OP_EQUALVERIFY OP_CHECKSIG
OP_ELSE
# Us with R value?
3 OP_DEPTH OP_EQUAL OP_IF
OP_DUP OP_HASH160 <HTLC-R-HASH> OP_EQUALVERIFY
<VERIFICATION-RELATIVE-TIMEOUT> OP_CHECKSEQUENCEVERIFY OP_DROP
OP_DUP OP_HASH160 <US-pubKeyHash> OP_EQUALVERIFY OP_CHECKSIG
OP_ELSE
# Them with timeout.
<HTLC-ABSOLUTE-TIMEOUT> OP_CHECKLOCKTIMEVERIFY OP_DROP
OP_DUP OP_HASH160 <THEM-pubKeyHash> OP_EQUALVERIFY OP_CHECKSIG
OP_ENDIF
OP_ENDIF
If you've read this far, congratulations!
AFAICT we don't need new SIGOPS here; the logic has all been moved to
the commitment transaction output (thanks to OP_CLV and OP_CSV), so each
side can generate the HTLC spending transaction with needing a signature
from the other.
Feedback, fixed and optimizations welcome...
Rusty.
Rusty Russell [ARCHIVE] /
npub1zwโฆhkhpx
2023-06-09 12:43:37
in reply to nevent1qโฆafhe
Author Public Key
npub1zw7cc8z78v6s3grujfvcv3ckpvg6kr0w7nz9yzvwyglyg0qu5sjsqhkhpxPublished at
2023-06-09 12:43:37Event JSON
{
"id": "75e170df6ccd6dc838a726808fb060504464d515dc531c838f76386a70b242db",
"pubkey": "13bd8c1c5e3b3508a07c92598647160b11ab0deef4c452098e223e443c1ca425",
"created_at": 1686314617,
"kind": 1,
"tags": [
[
"e",
"6d50c89ebbc5aa33bb7af15ab81e553efe6c1d2ad7cb1aa9c6fd1d2aa2847282",
"",
"reply"
],
[
"p",
"9456f7acb763eaab2e02bd8e60cf17df74f352c2ae579dce1f1dd25c95dd611c"
]
],
"content": "๐
Original date posted:2015-07-06\n๐ Original message:\nHi all,\n\n To recap: each side maintains a commitment transaction with two\noutputs: one paying to self (with some delay), and the second paying to\nthe other side.\n\n To generate hash time-locked contracts (required for lightning\nto be a network), both commitment transactions get an additional output.\nThis output is spendable under four conditions:\n\n1) Recipient knows the R value (funds go to recipient), OR\n2) The HTLC has timed out (funds return to initiator), OR\n3) The HTLC has been revoked (funds to go \"non-cheating\" side), OR\n4) The Commit transaction has been revoked (funds to go \"non-cheating\" side)\n\nThe last two failure modes are separate from each other, because HTLCs\nhave different lifetimes from commit transactions.\n\nSince we use \"revocation preimages\" to revoke transactions (rather than\nsending pubkeys as the original draft paper), the result of this for A's\ncommitment transaction look like this:\n\nHTLC from A to B:\n1) R value and B's signature, OR\n2) HTLC timeout and A's signature[*], OR\n3) HTLC revocation preimage and B's signature, OR\n4) Commitment transaction revocation preimage and B's signature.\n\nHTLC from B to A:\n1) R value and A's signature[*], OR\n2) HTLC timeout and B's signature, OR\n3) HTLC revocation preimate and B's signature, OR\n4) Commitment transaction revocation preimage and B's signature.\n\nWe need to ensure delays in the cases where payment can go to A (marked\nwith [*]) so that B has a chance to steal the funds if the HTLC or\ncommitment tx has been revoked.\n\nThe result is one of the following scriptPubKey from the commitment tx\nfor the HTLC like so (note: unchecked and unoptimized!):\n\nHTLC from US to THEM:\n---------------------\n\n# They present HTLC's R value, or either revocation hash:\nOP_DUP OP_HASH160 \u003cHTLC-R-HASH\u003e OP_EQUAL\nOP_SWAP \u003cHTLC-REVOCATION-HASH\u003e OP_EQUAL\nOP_ADD OP_SWAP \u003cCOMMIT-REVOCATION-HASH\u003e OP_EQUAL\nOP_ADD\nOP_IF\n # One hash matched, pay to them.\n OP_DUP OP_HASH160 \u003cTHEM-pubKeyHash\u003e OP_EQUALVERIFY OP_CHECKSIG\nOP_ELSE\n # Must be us, with HTLC timed out.\n \u003cHTLC-ABSOLUTE-TIMEOUT\u003e OP_CHECKLOCKTIMEVERIFY OP_DROP\n \u003cVERIFICATION-RELATIVE-TIMEOUT\u003e OP_CHECKSEQUENCEVERIFY OP_DROP\n OP_DUP OP_HASH160 \u003cUS-pubKeyHash\u003e OP_EQUALVERIFY OP_CHECKSIG\nOP_ENDIF\n\nHTLC from THEM to US:\n---------------------\n# Revocation cases:\nOP_DUP OP_HASH160 \u003cHTLC-REVOCATION-HASH\u003e OP_EQUAL\nOP_SWAP \u003cCOMMIT-REVOCATION-HASH\u003e OP_EQUAL\nOP_ADD\nOP_IF\n # One hash matched, pay to them.\n OP_DUP OP_HASH160 \u003cTHEM-pubKeyHash\u003e OP_EQUALVERIFY OP_CHECKSIG\nOP_ELSE\n # Us with R value?\n 3 OP_DEPTH OP_EQUAL OP_IF\n OP_DUP OP_HASH160 \u003cHTLC-R-HASH\u003e OP_EQUALVERIFY\n \u003cVERIFICATION-RELATIVE-TIMEOUT\u003e OP_CHECKSEQUENCEVERIFY OP_DROP\n OP_DUP OP_HASH160 \u003cUS-pubKeyHash\u003e OP_EQUALVERIFY OP_CHECKSIG\n OP_ELSE\n # Them with timeout.\n \u003cHTLC-ABSOLUTE-TIMEOUT\u003e OP_CHECKLOCKTIMEVERIFY OP_DROP\n OP_DUP OP_HASH160 \u003cTHEM-pubKeyHash\u003e OP_EQUALVERIFY OP_CHECKSIG\n OP_ENDIF\nOP_ENDIF\n\nIf you've read this far, congratulations!\n\nAFAICT we don't need new SIGOPS here; the logic has all been moved to\nthe commitment transaction output (thanks to OP_CLV and OP_CSV), so each\nside can generate the HTLC spending transaction with needing a signature\nfrom the other.\n\nFeedback, fixed and optimizations welcome...\nRusty.",
"sig": "8989c4965cccaf5e6db813c11c43f59596ba0589c8deb708496c08c5a0102bcc166c72701c11cb087f9fb5572ad99d9f00c35640c2b4c31fa9ebccd1ea3178b1"
}