📅 Original date posted:2015-07-27
📝 Original message:
Joseph Poon <joseph at lightning.network> writes:
> On Mon, Jul 27, 2015 at 11:20:54AM +0930, Rusty Russell wrote:
>> Yes, I assume that the HTLC gets eliminated by a commitment transaction
>> update at (or before) that time.
>>
>> We could add an additional delay for this case, but it seems like
>> overengineering?
>
> To ensure that the older version of the transaction does not get
> broadcast through a credible threat, there needs to be some contestation
> period for one's own HTLC when one is redeeming funds.
The rule, AFAICT, is: if it's A's commitment transaction, all outputs
which are redeemable by A must be delayed.
For HTLCs, this means:
1) Timeout returns for HTLCs A initiates must be OP_CSV delayed.
2) Payments for HTLCs A receives must be delayed.
I just noticed the scripts in the 0.1 draft are a bit messed up; in
particular they're missing a delay. Here's the (fixed!) A offers HTLC
to B case:
(See https://github.com/ElementsProject/lightning/blob/master/doc/ )
HTLC Sender Redeemscript (A):
OP_HASH160 OP_DUP Replace top element with two copies of its hash
<R-HASH> OP_EQUAL Test if they supplied the HTLC R value
OP_SWAP <COMMIT-REVOCATION-HASH> OP_EQUAL OP_ADD
Or the commitment revocation hash
OP_IF If any hash matched.
<KEY-B> Pay to B.
OP_ELSE Must be A, after HTLC has timed out.
<HTLC-TIMEOUT> OP_CHECKLOCKTIMEVERIFY OP_DROP
Ensure (absolute) time has passed.
<DELAY> OP_CHECKSEQUENCEVERIFY OP_DROP
Delay gives B enough time to use revocation if it has it.
<KEY-A> Pay to A.
OP_ENDIF
OP_CHECKSIG Verify A or B's signature is correct.
HTLC Receiver Redeemscript (B):
OP_HASH160 OP_DUP Replace top element with two copies of its hash
<R-HASH> OP_EQUAL B redeeming the contract, using R preimage?
OP_IF
OP_DROP Remove extra hash
<DELAY> OP_CHECKSEQUENCEVERIFY OP_DROP
Delay gives A enough time to use revocation if it has it.
<KEY-B> Pay to B
OP_ELSE
<COMMIT-REVOCATION-HASH> OP_EQUAL
If the commit has been revoked.
OP_NOTIF
If not, you need to wait for timeout.
<HTLC-TIMEOUT> OP_CHECKLOCKTIMEVERIFY OP_DROP
Ensure (absolute) time has passed.
OP_ENDIF
<KEY-A> Pay to A
OP_ENDIF
OP_CHECKSIG Verify A or B's signature is correct.
> Current/unexpired HTLCs will have the same payout and enforcement, but
> there is a risk of broadcasting older Commitments and stealing the HTLC
> payout, e.g. transactions that are believed to be timed out but whose
> preimages are known after-the-fact.
I see that?
If A broadcast an older commitment, B can steal the HTLC payout, but
that's as designed.
Cheers,
Rusty.
Rusty Russell [ARCHIVE] /
npub1zw…hkhpx
2023-06-09 12:43:46
in reply to nevent1q…26lu
Author Public Key
npub1zw7cc8z78v6s3grujfvcv3ckpvg6kr0w7nz9yzvwyglyg0qu5sjsqhkhpxPublished at
2023-06-09 12:43:46Event JSON
{
"id": "1d1f65a71c96d6770e14503deec8b873bb57dbf22f1830878f12cdce6419ab4d",
"pubkey": "13bd8c1c5e3b3508a07c92598647160b11ab0deef4c452098e223e443c1ca425",
"created_at": 1686314626,
"kind": 1,
"tags": [
[
"e",
"136120fa9d254826614cb6c81e857559ae6ab498d602841cc63c63ab6debd5a9",
"",
"root"
],
[
"e",
"003b753a1e3c70941ec7abeba774dca64fe3fa63f34c2b2ea7ac174ad1e4a1f5",
"",
"reply"
],
[
"p",
"ccb4cc87c455b74febaee5929cfd0726421b2eea64ad2b16440b68e8c7433211"
]
],
"content": "📅 Original date posted:2015-07-27\n📝 Original message:\nJoseph Poon \u003cjoseph at lightning.network\u003e writes:\n\u003e On Mon, Jul 27, 2015 at 11:20:54AM +0930, Rusty Russell wrote:\n\u003e\u003e Yes, I assume that the HTLC gets eliminated by a commitment transaction\n\u003e\u003e update at (or before) that time.\n\u003e\u003e \n\u003e\u003e We could add an additional delay for this case, but it seems like\n\u003e\u003e overengineering?\n\u003e\n\u003e To ensure that the older version of the transaction does not get\n\u003e broadcast through a credible threat, there needs to be some contestation\n\u003e period for one's own HTLC when one is redeeming funds.\n\nThe rule, AFAICT, is: if it's A's commitment transaction, all outputs\nwhich are redeemable by A must be delayed.\n\nFor HTLCs, this means:\n1) Timeout returns for HTLCs A initiates must be OP_CSV delayed.\n2) Payments for HTLCs A receives must be delayed.\n\nI just noticed the scripts in the 0.1 draft are a bit messed up; in\nparticular they're missing a delay. Here's the (fixed!) A offers HTLC\nto B case:\n\n(See https://github.com/ElementsProject/lightning/blob/master/doc/ )\n\nHTLC Sender Redeemscript (A):\n\nOP_HASH160 OP_DUP Replace top element with two copies of its hash\n\u003cR-HASH\u003e OP_EQUAL Test if they supplied the HTLC R value\nOP_SWAP \u003cCOMMIT-REVOCATION-HASH\u003e OP_EQUAL OP_ADD\n Or the commitment revocation hash\n\nOP_IF If any hash matched.\n \u003cKEY-B\u003e Pay to B.\nOP_ELSE Must be A, after HTLC has timed out.\n\n \u003cHTLC-TIMEOUT\u003e OP_CHECKLOCKTIMEVERIFY OP_DROP\n Ensure (absolute) time has passed.\n \u003cDELAY\u003e OP_CHECKSEQUENCEVERIFY OP_DROP\n Delay gives B enough time to use revocation if it has it.\n \u003cKEY-A\u003e Pay to A.\nOP_ENDIF\nOP_CHECKSIG Verify A or B's signature is correct.\n\nHTLC Receiver Redeemscript (B):\n\nOP_HASH160 OP_DUP Replace top element with two copies of its hash\n\u003cR-HASH\u003e OP_EQUAL B redeeming the contract, using R preimage?\nOP_IF\n OP_DROP Remove extra hash\n \u003cDELAY\u003e OP_CHECKSEQUENCEVERIFY OP_DROP\n Delay gives A enough time to use revocation if it has it.\n\n \u003cKEY-B\u003e Pay to B\nOP_ELSE\n \u003cCOMMIT-REVOCATION-HASH\u003e OP_EQUAL\n If the commit has been revoked.\n OP_NOTIF\n If not, you need to wait for timeout.\n \u003cHTLC-TIMEOUT\u003e OP_CHECKLOCKTIMEVERIFY OP_DROP\n Ensure (absolute) time has passed.\n OP_ENDIF\n\n \u003cKEY-A\u003e Pay to A\nOP_ENDIF\nOP_CHECKSIG Verify A or B's signature is correct.\n\n\u003e Current/unexpired HTLCs will have the same payout and enforcement, but\n\u003e there is a risk of broadcasting older Commitments and stealing the HTLC\n\u003e payout, e.g. transactions that are believed to be timed out but whose\n\u003e preimages are known after-the-fact.\n\nI see that?\n\nIf A broadcast an older commitment, B can steal the HTLC payout, but\nthat's as designed.\n\nCheers,\nRusty.",
"sig": "f599cb28651e1708344e7d3337003609710d79ddb66b345146f95d5735569e867201b71efe83c7cf43c8cd3f6fd94a950d893415d0644ed8533db67809eb50e1"
}