Lightning Networks Part I: Revocable Transactions
[ Note for new readers: the mechanisms described here are from the original LN draft. These days instead of throwaway keys we use hash preimages for revocation, and output scripts are used for HTLCs, as per https://github.com/ElementsProject/lightning/blob/master/doc/deployable-lightning.pdf ]
I finally took a second swing at understanding the Lightning Network paper. The promise of this work is exceptional: instant reliable transactions across the bitcoin network. But the implementation is complex and the draft paper reads like a grab bag of ideas; but it truly rewards close reading! It doesn’t involve novel crypto, nor fancy bitcoin scripting tricks.
There are several techniques which are used in the paper, so I plan to concentrate on one per post and wrap up at the end.
Revision: Payment Channels
A Payment Channel is a method for sending microtransactions to a single recipient, such as me paying you 1c a minute for internet access. I create an opening transaction which has a $10 output, which can only be redeemed by a transaction input signed by you and me (or me alone, after a timeout, just in case you vanish). That opening transaction goes into the blockchain, and we’re sure it’s bedded down.
Then I send you a signed transaction which spends that opening transaction output, and has two outputs: one for $9.99 to me, and one for 1c to you. If you want, you could sign that transaction too, and publish it immediately to get your 1c.
Then a minute later, I send you a signed transaction which spends that same opening transaction output, and has a $9.98 output for me, and a 2c output for you. Each minute, I send you another transaction, increasing the amount you get every time.
This works because:
- Each transaction I send spends the same output; so only one of them can ever be included in the blockchain.
- I can’t publish them, since they need your signature and I don’t have it.
- At the end, you will presumably publish the last one, which is best for you. You could publish an earlier one, and cheat yourself of money, but that’s not my problem.
Undoing A Promise: Revoking Transactions?
In the simple channel case above, we don’t have to revoke or cancel old transactions, as the only person who can spend them is the person who would be cheated. This makes the payment channel one way: if the amount I was paying you ever went down, you could simply broadcast one of the older, more profitable transactions.
So if we wanted to revoke an old transaction, how would we do it?
There’s no native way in bitcoin to have a transaction which expires. You can have a transaction which is valid after 5 days (using locktime), but you can’t have one which is valid until 5 days has passed.
So the only way to invalidate a transaction is to spend one of its inputs, and get that input-stealing transaction into the blockchain before the transaction you’re trying to invalidate. That’s no good if we’re trying to update a transaction continuously (a-la payment channels) without most of them reaching the blockchain.
The Transaction Revocation Trick
But there’s a trick, as described in the paper. We build our transaction as before (I sign, and you hold), which spends our opening transaction output, and has two outputs. The first is a 9.99c output for me. The second is a bit weird–it’s 1c, but needs two signatures to spend: mine and a temporary one of yours. Indeed, I create and sign such a transaction which spends this output, and send it to you, but that transaction has a locktime of 1 day:
Now, if you sign and publish that transaction, I can spend my $9.99 straight away, and you can publish that timelocked transaction tomorrow and get your 1c.
But what if we want to update the transaction? We create a new transaction, with 9.98c output to me and 2c output to a transaction signed by both me and another temporary address of yours. I create and sign a transaction which spends that 2c output, has a locktime of 1 day and has an output going to you, and send it to you.
We can revoke the old transaction: you simply give me the temporary private key you used for that transaction. Weird, I know (and that’s why you had to generate a temporary address for it). Now, if you were ever to sign and publish that old transaction, I can spend my $9.99 straight away, and create a transaction using your key and my key to spend your 1c. Your transaction (1a below) which could spend that 1c output is timelocked, so I’ll definitely get my 1c transaction into the blockchain first (and the paper uses a timelock of 40 days, not 1).
So the effect is that the old transaction is revoked: if you were to ever sign and release it, I could steal all the money. Neat trick, right?
A Minor Variation To Avoid Timeout Fallback
In the original payment channel, the opening transaction had a fallback clause: after some time, it is all spendable by me. If you stop responding, I have to wait for this to kick in to get my money back. Instead, the paper uses a pair of these “revocable” transaction structures. The second is a mirror image of the first, in effect.
So the first output is $9.99 which needs your signature and a temporary signature of mine. The second is 1c for
meyou. You sign the transaction, and I hold it. You create and sign a transaction which has that $9.99 as input, a 1 day locktime, and send it to me.
Since both your and my “revocable” transactions spend the same output, only one can reach the blockchain. They’re basically equivalent: if you send yours you must wait 1 day for your money. If I send mine, I have to wait 1 day for my money. But it means either of us can finalize the payment at any time, so the opening transaction doesn’t need a timeout clause.
Now we have a generalized transaction channel, which can spend the opening transaction in any way we both agree on, without trust or requiring on-blockchain updates (unless things break down).
The next post will discuss Hashed Timelock Contracts (HTLCs) which can be used to create chains of payments…
Notes For Pedants:
In the payment channel open I assume OP_CHECKLOCKTIMEVERIFY, which isn’t yet in bitcoin. It’s simpler.
I ignore transaction fees as an unnecessary distraction.
We need malleability fixes, so you can’t mutate a transaction and break the ones which follow. But I also need the ability to sign Transaction 1a without a complete Transaction 1 (since you can’t expose the signed version to me). The paper proposes new SIGHASH types to allow this.
[EDIT 2015-03-30 22:11:59+10:30: We also need to sign the other symmetric transactions before signing the opening transaction. If we released a completed opening transaction before having the other transactions, we might be stuck with no way to get our funds back (as we don’t have a “return all to me” timeout on the opening transaction)]