mirror of
https://github.com/bitcoinbook/bitcoinbook
synced 2025-01-10 15:51:04 +00:00
89b548d5b5
Special thanks to Murchandamus who provided most of the feedback
1269 lines
64 KiB
Plaintext
1269 lines
64 KiB
Plaintext
[[ch12]]
|
|
== Blockchain Applications
|
|
|
|
Let's now build on our understanding of Bitcoin by looking at it as an
|
|
_application platform_. Nowadays, many people use the term "blockchain"
|
|
to refer to any application platform that shares the design principles
|
|
of Bitcoin. The term is often misused and applied to many things that
|
|
fail to deliver the primary features that Bitcoin's blockchain delivers.
|
|
|
|
In this chapter we will look at the features offered by the Bitcoin
|
|
blockchain as an application platform. We will consider the application
|
|
building _primitives_, which form the building blocks of any blockchain
|
|
application. We will look at several important applications that use
|
|
these primitives, such as client-side validation, payment channels, and
|
|
routed payment channels (Lightning Network).
|
|
|
|
=== Introduction
|
|
|
|
((("blockchain applications", "benefits of Bitcoin system")))The Bitcoin
|
|
system was designed as a decentralized currency and payment system.
|
|
However, most of its functionality is derived from much lower-level
|
|
constructs that can be used for much broader applications. Bitcoin
|
|
wasn't built with components such as accounts, users, balances, and
|
|
payments. Instead, it uses a transactional scripting language with
|
|
low-level cryptographic functions, as we saw in <<c_transactions>>. Just
|
|
as the higher-level concepts of accounts, balances, and payments can be
|
|
derived from these basic primitives, so can many other complex
|
|
applications. Thus, the Bitcoin blockchain can become an application
|
|
platform offering trust services to applications, such as smart
|
|
contracts, surpassing the original purpose of digital currency and
|
|
payments.
|
|
|
|
=== Building Blocks (Primitives)
|
|
|
|
((("blockchain applications", "building blocks for
|
|
(primitives)")))((("primitives")))When operating correctly and over the
|
|
long term, the Bitcoin system offers certain guarantees, which can be
|
|
used as building blocks to create applications. These include:
|
|
|
|
No Double-Spend:: The most fundamental guarantee of Bitcoin's
|
|
decentralized consensus algorithm ensures that no UTXO can be spent
|
|
twice in the same valid chain of blocks.
|
|
|
|
Immutability:: Once a transaction is recorded in the blockchain and
|
|
sufficient work has been added with subsequent blocks, the transaction's
|
|
data becomes practically immutable. Immutability is underwritten by energy, as
|
|
rewriting the blockchain requires the expenditure of energy to produce
|
|
Proof-of-Work. The energy required and therefore the degree of
|
|
immutability increases with the amount of work committed on top of the
|
|
block containing a transaction.
|
|
|
|
Neutrality:: The decentralized Bitcoin network propagates valid
|
|
transactions regardless of the origin of those transactions.
|
|
This means that anyone can create a valid transaction with sufficient
|
|
fees and trust they will be able to transmit that transaction and have
|
|
it included in the blockchain at any time.
|
|
|
|
Secure Timestamping:: The consensus rules reject any block whose
|
|
timestamp is too far in the future and attempt to prevent blocks with
|
|
timestamps too far in the past. This ensures that timestamps
|
|
on blocks can be trusted to a certain degree. The timestamp on a block implies an
|
|
unspent-before guarantee for the inputs of all included transactions.
|
|
|
|
Authorization:: Digital signatures, validated in a decentralized
|
|
network, offer authorization guarantees. Scripts that contain a
|
|
requirement for a digital signature cannot be executed without
|
|
authorization by the holder of the private key implied in the script.
|
|
|
|
Auditability:: All transactions are public and can be audited. All
|
|
transactions and blocks can be linked back in an unbroken chain to the
|
|
genesis block.
|
|
|
|
Accounting:: In any transaction (except the coinbase transaction) the
|
|
value of inputs is equal to the value of outputs plus fees. It is not
|
|
possible to create or destroy bitcoin value in a transaction. The
|
|
outputs cannot exceed the inputs.
|
|
|
|
Nonexpiration:: A valid transaction does not expire. If it is valid
|
|
today, it will be valid in the near future, as long as the inputs remain
|
|
unspent and the consensus rules do not change.
|
|
|
|
Integrity:: A Bitcoin transaction signed with +SIGHASH_ALL+ or parts of
|
|
a transaction signed by another +SIGHASH+ type cannot be modified
|
|
without invalidating the signature, thus invalidating the transaction
|
|
itself.
|
|
|
|
Transaction Atomicity:: Bitcoin transactions are atomic. They are either
|
|
valid and confirmed (mined) or not. Partial transactions cannot be mined
|
|
and there is no interim state for a transaction. At any point in time a
|
|
transaction is either mined, or not.
|
|
|
|
Discrete (Indivisible) Units of Value:: Transaction outputs are discrete
|
|
and indivisible units of value. They can either be spent or unspent, in
|
|
full. They cannot be divided or partially spent.
|
|
|
|
Quorum of Control:: Multisignature constraints in scripts impose a
|
|
quorum of authorization, predefined in the multisignature scheme. The
|
|
requirement is enforced by the consensus rules.
|
|
|
|
Timelock/Aging:: Any script clause containing a relative or absolute
|
|
timelock can only be executed after its age exceeds the time specified.
|
|
|
|
Replication:: The decentralized storage of the blockchain ensures that
|
|
when a transaction is mined, after sufficient confirmations, it is
|
|
replicated across the network and becomes durable and resilient to power
|
|
loss, data loss, etc.
|
|
|
|
Forgery Protection:: A transaction can only spend existing, validated
|
|
outputs. It is not possible to create or counterfeit value.
|
|
|
|
Consistency:: In the absence of miner partitions, blocks that are
|
|
recorded in the blockchain are subject to reorganization or disagreement
|
|
with exponentially decreasing likelihood, based on the depth at which
|
|
they are recorded. Once deeply recorded, the computation and energy
|
|
required to change makes change practically infeasible.
|
|
|
|
Recording External State:: A transaction can commit to a data value, via
|
|
+OP_RETURN+ or pay-to-contract, representing a state transition in an external state
|
|
machine.
|
|
|
|
Predictable Issuance:: Less than 21 million bitcoin will be issued, at a
|
|
predictable rate.
|
|
|
|
The list of building blocks is not complete and more are added with each
|
|
new feature introduced into Bitcoin.
|
|
|
|
=== Applications from Building Blocks
|
|
|
|
((("blockchain applications", "examples of")))The building blocks
|
|
offered by Bitcoin are elements of a trust platform that can be used to
|
|
compose applications. Here are some examples of applications that exist
|
|
today and the building blocks they use:
|
|
|
|
Proof-of-Existence (Digital Notary):: ((("digital notary
|
|
services")))((("Proof of Existence")))Immutability + Timestamp + Durability.
|
|
A transaction on the blockchain can commit to a value,
|
|
proving that a piece of data existed at the time
|
|
it was recorded (Timestamp). The commitment cannot be modified ex-post-facto
|
|
(Immutability) and the proof will be stored permanently (Durability).
|
|
|
|
Kickstarter (Lighthouse):: Consistency + Atomicity + Integrity. If you
|
|
sign one input and the output (Integrity) of a fundraiser transaction,
|
|
others can contribute to the fundraiser but it cannot be spent
|
|
(Atomicity) until the goal (output amount) is funded (Consistency).
|
|
|
|
Payment Channels:: ((("payment (state) channels", "building blocks
|
|
(primitives) used in")))Quorum of Control + Timelock + No Double Spend + Nonexpiration
|
|
+ Censorship Resistance + Authorization. A multisig 2-of-2
|
|
(Quorum) with a timelock (Timelock) used as the "settlement" transaction
|
|
of a payment channel can be held (Nonexpiration) and spent at any time
|
|
(Censorship Resistance) by either party (Authorization). The two parties
|
|
can then create commitment transactions that supersede (No
|
|
Double-Spend) the settlement on a shorter timelock (Timelock).
|
|
|
|
=== Colored Coins
|
|
|
|
((("blockchain applications", "colored coins",
|
|
id="BCAcoins12")))((("colored coins", id="color12")))The first
|
|
blockchain application we will discuss is _colored coins_.
|
|
|
|
((("extrinsic asset management")))Colored coins refers to a set of
|
|
similar technologies that use Bitcoin transactions to record the
|
|
creation, ownership, and transfer of extrinsic assets other than
|
|
bitcoin. By "extrinsic" we mean assets that are not stored directly on
|
|
the bitcoin blockchain, as opposed to bitcoin itself, which is an asset
|
|
intrinsic to the blockchain.
|
|
|
|
((("digital asset management")))Colored coins are used to track digital
|
|
assets as well as physical assets held by third parties and traded
|
|
through colored coins certificates of ownership. Digital asset colored
|
|
coins can represent intangible assets such as a stock certificate,
|
|
license, virtual property (game items), or most any form of licensed
|
|
intellectual property (trademarks, copyrights, etc.). Tangible asset
|
|
colored coins can represent certificates of ownership of commodities
|
|
(gold, silver, oil), land title, automobiles, boats, aircraft, etc.
|
|
|
|
((("Enhanced Padded-Order-Based Coloring (EPOBC)")))The term derives
|
|
from the idea of "coloring" or marking a nominal amount of bitcoin, for
|
|
example, a single satoshi, to represent something other than the bitcoin
|
|
amount itself. As an analogy, consider stamping a $1 note with a message
|
|
saying, "this is a stock certificate of ACME" or "this note can be
|
|
redeemed for 1 oz of silver" and then trading the $1 note as a
|
|
certificate of ownership of this other asset. The first implementation
|
|
of colored coins, named _Enhanced Padded-Order-Based Coloring_ or
|
|
_EPOBC_, assigned extrinsic assets to a 1-satoshi output. In this way,
|
|
it was a true "colored coin," as each asset was added as an attribute
|
|
(color) of a single satoshi.
|
|
|
|
More recent implementations of colored coins use other mechanisms
|
|
to attach metadata with a transaction, in conjunction with external
|
|
data stores that associate the metadata to specific assets. The three
|
|
main mechanisms used as of this writing are single-use seals,
|
|
pay-to-contract, and client-side validation.
|
|
|
|
[[single_use_seals]]
|
|
==== Single-use seals
|
|
|
|
Single-use seals originate in physical security. Someone shipping an
|
|
item through a third party needs a way to detect tampering, so they
|
|
secure their package with a special mechanism that will become clearly
|
|
damaged if the package is opened. If the package arrives with the seal
|
|
intact, the sender and receiver can be confident that the package wasn't
|
|
opened in transit.
|
|
|
|
In the context of colored coins, single-use seals refer to a data
|
|
structure than can only be associated with another data structure once.
|
|
In Bitcoin, this definition is fulfilled by Unspent Transaction Outputs
|
|
(UTXOs). A UTXO can only be spent once within a valid blockchain, and
|
|
the process of spending them associates them with the data in the
|
|
spending transaction.
|
|
|
|
This provides part of the basis for the modern transfer for colored
|
|
coins. One or more colored coins are received to a UTXO. When that
|
|
UTXO is spent, the spending transaction must describe how the colored
|
|
coins are to be spent. That brings us to _Pay-to-Contract (P2C)_.
|
|
|
|
[[p2c_for_colored_coins]]
|
|
==== Pay-to-Contract (P2C)
|
|
|
|
We previously learned about P2C in <<pay_to_contract>>, where it became
|
|
part of the basis for the taproot upgrade to Bitcoin's consensus rules.
|
|
As a short reminder, P2C allows a spender (Bob) and receiver (Alice) to
|
|
agree on some data, such as a contract, and then tweak Alice's public
|
|
key so that it commits to the contract. At any time, Bob can reveal
|
|
Alice's underlying key and the tweak used to commit to the contract,
|
|
proving that she received the funds. If Alice spends the funds, that
|
|
fully proves that she knew about the contract, since the only way she
|
|
could spend the funds received to a P2C tweaked key is by knowing the
|
|
tweak (the contract).
|
|
|
|
A powerful attribute of P2C tweaked keys is that they look like any
|
|
other public keys to everyone besides Alice and Bob, unless they choose
|
|
to reveal the contract used to tweak the keys. Nothing is publicly
|
|
revealed about the contract--not even that a contract between them
|
|
exists.
|
|
|
|
A P2C contract can arbitrary long and detailed, the terms can be written
|
|
in any language, and it can reference anything the participants want
|
|
because the contract is not validated by full nodes and only the public
|
|
key with the commitment is published to the blockchain.
|
|
|
|
In the context of colored coins, Bob can open the single-use seal
|
|
containing his colored coins by spending the associated UTXO. In the
|
|
transaction spending that UTXO, he can commit to a contract indicating
|
|
the terms that the next owner (or owners) of the colored coins must
|
|
fulfill in order to further spend the coins. The new owner doesn't need
|
|
to be Alice, even though Alice is the one receiving the UTXO that Bob
|
|
spends and Alice has tweaked her public key by the contract terms.
|
|
|
|
Because full nodes don't (and can't) validate that the contract is
|
|
followed correctly, we need to figure out who is responsible for
|
|
validation. That brings us to _client-side validation._
|
|
|
|
==== Client-side validation
|
|
|
|
Bob had some colored coins associated with a UTXO. He spent that UTXO
|
|
in a way that committed to a contract which indicated how the next
|
|
receiver (or receivers) of the colored coins will prove their ownership
|
|
over the coins in order to further spend them.
|
|
|
|
In practice, Bob's P2C contract likely simply committed to one or more
|
|
unique identifiers for the UTXOs that will be used as single-use seals
|
|
for deciding when the colored coins are next spent. For example, Bob's
|
|
contract may have indicated that the UTXO that Alice received to her P2C
|
|
tweaked public key now controls half of his colored coins, with the
|
|
other half of his colored coins now being assigned to a different UTXO
|
|
that may have nothing to do with the transaction between Alice and Bob.
|
|
This provides significant privacy against blockchain surveillance.
|
|
|
|
When Alice later wants to spend her colored coins to Dan, she first
|
|
needs to prove to Dan that she controls the colored coins. Alice can do
|
|
this by revealing to Dan her underlying P2C public key and the P2C contract
|
|
terms chosen by Bob. Alice also reveals to Dan the UTXO that Bob used
|
|
as the single-use seal and any information that Bob gave her about the
|
|
previous owners of the colored coins. In short, Alice gives Dan a
|
|
complete set of history about every previous transfer of the colored
|
|
coins, with each step anchored in the Bitcoin blockchain (but not
|
|
storing any special data in the chain--just regular public keys). That
|
|
history is a lot like the history of regular Bitcoin transactions that
|
|
we call the blockchain, but the colored history is completely invisible
|
|
to other users of the blockchain.
|
|
|
|
Dan validates this history using his software, called _client-side
|
|
validation_. Notably, Dan only needs to receive and validate the parts
|
|
of history that pertain to the colored coins he wants to receive. He
|
|
doesn't need information about what happened to other people's colored
|
|
coins--for example, he'll never need to know what happened to the other
|
|
half of Bob's coins, the ones that Bob didn't transfer to Alice. This
|
|
helps enhance the privacy of the colored coin protocol.
|
|
|
|
Now that we've learned about single-use seals, pay-to-contract, and
|
|
client-side validation, we can look at the two main protocols that use
|
|
them as of this writing, RGB and Taproot Assets.
|
|
|
|
==== RGB
|
|
|
|
Developers of the RGB protocol pioneered many of the ideas used in
|
|
modern Bitcoin-based colored coin protocols. A primary requirement of
|
|
the design for RGB was making the protocol compatible with offchain
|
|
payment channels (see <<state_channels>>), such as those used in
|
|
Lightning Network. That's accomplished at each layer of the RGB
|
|
protocol:
|
|
|
|
- Single-use seals: to create a payment channel, Bob assigns his colored
|
|
coins to a UTXO that requires signatures from both him and Alice to
|
|
spend. Their mutual control over that UTXO serves as the single-use
|
|
seal for future transfers.
|
|
|
|
- Pay-to-Contract (P2C): Alice and Bob can now sign multiple versions of
|
|
a P2C contract. The enforcement mechanism of the underlying payment
|
|
channel ensures that both parties are incentivized to only publish the
|
|
latest version of the contract onchain.
|
|
|
|
- Client-side validation: to ensure that neither Alice nor Bob needs to
|
|
trust each other, they each check all previous transfers of the
|
|
colored coins back to their creation to ensure all contract rules were
|
|
followed correctly.
|
|
|
|
The developers of RGB have described other uses for their protocol, such
|
|
as creating identity tokens that can be periodically updated to protect
|
|
against private key compromise.
|
|
|
|
For more information, see https://rgb.tech/[RGB's documentation].
|
|
|
|
==== Taproot Assets
|
|
|
|
Formerly called Taro, Taproot Assets are a colored coin protocol that is
|
|
heavily influenced by RGB. Compared to RGB, Taproot Assets use a form
|
|
of P2C contracts that is very similar to the version used by taproot for
|
|
enabling MAST functionality (see <<mast>>). The claimed advantage of
|
|
Taproot Assets over RGB is that its similarity to the widely used
|
|
taproot protocol makes it simpler for wallets and other software to
|
|
implement. One downside is that it may not be as flexible as the RGB
|
|
protocol, especially when it comes to implementing non-asset features
|
|
such as identity tokens.
|
|
|
|
[NOTE]
|
|
====
|
|
_Taproot_ is part of the Bitcoin protocol. _Taproot Assets_ is not,
|
|
despite the similar name. Both RGB and Taproot Assets are protocols
|
|
built on top of the Bitcoin protocol. The only asset natively supported
|
|
by Bitcoin is bitcoin.
|
|
====
|
|
|
|
Even more than RGB, Taproot Assets has been designed to be compatible
|
|
with Lightning Network. One challenge with forwarding non-bitcoin assets
|
|
over Lightning Network is that there are two ways to accomplish the
|
|
sending, each with a different set of tradeoffs:
|
|
|
|
Native forwarding::
|
|
Every hop in the path between the spender and the receiver must know
|
|
about the particular asset (type of colored coin) and have a
|
|
sufficient balance of it to support forwarding a payment.
|
|
|
|
Translated forwarding::
|
|
The hop next to the spender and the hop next to the receiver must know
|
|
about the particular asset and have a sufficient balance of it to
|
|
support forwarding a payment, but every other hop only needs to
|
|
support forwarding bitcoin payments.
|
|
|
|
Native forwarding is conceptually simpler but essentially requires a
|
|
separate Lightning Network for every asset. Translated forwarding
|
|
allows building on the economies of scale of the Bitcoin Lightning
|
|
Network but it may be vulnerable to a problem called the _free American
|
|
call option_, where a receiver may selectively accept or reject certain
|
|
payments depending on recent changes to the exchange rate in order to
|
|
siphon money from the hop next to them. Although there's no known
|
|
perfect solution to the free American call option, there may be
|
|
practical solutions that limit its harm.
|
|
|
|
Both Taproot Assets and RGB can technically support both native and
|
|
translated forwarding. Taproot Assets is specifically designed around
|
|
translated forwarding, whereas RGB has seen proposals to implement both.
|
|
|
|
For more information, see
|
|
https://docs.lightning.engineering/the-lightning-network/taproot-assets[Taproot
|
|
Asset's documentation]. Additionally, the Taproot Asset developers are
|
|
working on BIPs that may be available after this book goes into print.
|
|
|
|
[[state_channels]]
|
|
=== Payment Channels and State Channels
|
|
|
|
_Payment channels_ ((("blockchain applications", "payment (state)
|
|
channels", id="BCApayment12")))((("payment (state) channels",
|
|
"defined")))are a trustless mechanism for exchanging Bitcoin
|
|
transactions between two parties, outside of the Bitcoin blockchain.
|
|
These transactions, which would be valid if settled on the Bitcoin
|
|
blockchain, are held off-chain instead, waiting for
|
|
eventual batch settlement. Because the transactions are not settled,
|
|
they can be exchanged without the usual settlement latency, allowing
|
|
extremely high transaction throughput, low latency, and
|
|
fine granularity.
|
|
|
|
Actually, the term _channel_ is a metaphor. State channels are virtual
|
|
constructs represented by the exchange of state between two parties,
|
|
outside of the blockchain. There are no "channels" per se and the
|
|
underlying data transport mechanism is not the channel. We use the term
|
|
channel to represent the relationship and shared state between two
|
|
parties, outside of the blockchain.
|
|
|
|
((("payment (state) channels", "concept of")))To further explain this
|
|
concept, think of a TCP stream. From the perspective of higher-level
|
|
protocols it is a "socket" connecting two applications across the
|
|
internet. But if you look at the network traffic, a TCP stream is just a
|
|
virtual channel over IP packets. Each endpoint of the TCP stream
|
|
sequences and assembles IP packets to create the illusion of a stream of
|
|
bytes. Underneath, it's all disconnected packets. Similarly, a payment
|
|
channel is just a series of transactions. If properly sequenced and
|
|
connected, they create redeemable obligations that you can trust even
|
|
though you don't trust the other side of the channel.
|
|
|
|
In this section we will look at various forms of payment channels.
|
|
First, we will examine the mechanisms used to construct a one-way
|
|
(unidirectional) payment channel for a metered micropayment service,
|
|
such as streaming video. Then, we will expand on this mechanism and
|
|
introduce bidirectional payment channels. Finally, we will look at how
|
|
bidirectional channels can be connected end-to-end to form multihop
|
|
channels in a routed network, first proposed under the name _Lightning
|
|
Network_.
|
|
|
|
Payment channels are part of the broader concept of a _state channel_,
|
|
which represents an off-chain alteration of state, secured by eventual
|
|
settlement in a blockchain. A payment channel is a state channel where
|
|
the state being altered is the balance of a virtual currency.
|
|
|
|
==== State Channels—Basic Concepts and Terminology
|
|
|
|
((("payment (state) channels", "terminology")))A state channel is
|
|
established between two parties, through a transaction that locks a
|
|
shared state on the blockchain. This is called the _funding transaction_.
|
|
This single transaction must be transmitted to
|
|
the network and mined to establish the channel. In the example of a
|
|
payment channel, the locked state is the initial balance (in currency)
|
|
of the channel.
|
|
|
|
The two parties then exchange signed transactions, called _commitment
|
|
transactions_, that alter the initial state. These transactions are
|
|
valid transactions in that they _could_ be submitted for settlement by
|
|
either party, but instead are held off-chain by each party pending the
|
|
channel closure. State updates can be created as fast as each party can
|
|
create, sign, and transmit a transaction to the other party. In practice
|
|
this means that dozens of transactions per second can be exchanged.
|
|
|
|
When exchanging commitment transactions the two parties also discourage
|
|
use of the previous states, so that the most up-to-date commitment transaction
|
|
is always the best one to be redeemed. This discourages either party
|
|
from cheating by unilaterally closing the channel with a prior
|
|
state that is more favorable to them than the current state. We will
|
|
examine the various mechanisms that can be used to discourage
|
|
publication of prior states in the rest of this chapter.
|
|
|
|
Finally, the channel can be closed either cooperatively, by submitting a
|
|
final _settlement transaction_ to the blockchain, or unilaterally, by
|
|
either party submitting the last commitment transaction to the
|
|
blockchain. A unilateral close option is needed in case one of the
|
|
parties unexpectedly disconnects. The settlement transaction represents
|
|
the final state of the channel and is settled on the blockchain.
|
|
|
|
In the entire lifetime of the channel, only two transactions need to be
|
|
submitted for mining on the blockchain: the funding and settlement
|
|
transactions. In between these two states, the two parties can exchange
|
|
any number of commitment transactions that are never seen by anyone
|
|
else, nor submitted to the blockchain.
|
|
|
|
<<payment_channel>> illustrates a payment channel between Bob and Alice,
|
|
showing the funding, commitment, and settlement transactions.((("use
|
|
cases", "buying coffee", startref="alicetwelve")))
|
|
|
|
[[payment_channel]]
|
|
.A payment channel between Bob and Alice, showing the funding, commitment, and settlement transactions
|
|
image::images/mbc2_1204.png["A payment channel between Bob and Alice, showing the funding, commitment, and settlement transactions"]
|
|
|
|
==== Simple Payment Channel Example
|
|
|
|
((("payment (state) channels", "example of", id="PSCexample12")))To
|
|
explain state channels, we start with a very simple example. We
|
|
demonstrate a one-way channel, meaning that value is flowing in one
|
|
direction only. We will also start with the naive assumption that no one
|
|
is trying to cheat, to keep things simple. Once we have the basic
|
|
channel idea explained, we will then look at what it takes to make it
|
|
trustless so that neither party _can_ cheat, even if they are trying to.
|
|
|
|
//TODO:change to using sats rather than millibits. Or maybe drop
|
|
//specific amounts so that the example doesn't become outdated as price
|
|
//changes.
|
|
|
|
For this example we will assume two participants: Emma and Fabian.
|
|
Fabian offers a video streaming service that is billed by the second
|
|
using a micropayment channel. Fabian charges 0.01 millibit (0.00001 BTC)
|
|
per second of video, equivalent to 36 millibits (0.036 BTC) per hour of
|
|
video. Emma is a user who purchases this streaming video service from
|
|
Fabian. <<emma_fabian_streaming_video>> shows Emma buying the video
|
|
streaming service from Fabian using a payment channel.
|
|
|
|
[[emma_fabian_streaming_video]]
|
|
.Emma purchases streaming video from Fabian with a payment channel, paying for each second of video
|
|
image::images/mbc2_1205.png["Emma purchases streaming video from Fabian with a payment channel, paying for each second of video"]
|
|
|
|
In this example, Fabian and Emma are using special software that handles
|
|
both the payment channel and the video streaming. Emma is running the
|
|
software in her browser, Fabian is running it on a server. The software
|
|
includes basic Bitcoin wallet functionality and can create and sign
|
|
Bitcoin transactions. Both the concept and the term "payment channel"
|
|
are completely hidden from the users. What they see is video that is
|
|
paid for by the second.
|
|
|
|
To set up the payment channel, Emma and Fabian establish a 2-of-2
|
|
multisignature address, with each of them holding one of the keys. From
|
|
Emma's perspective, the software in her browser presents a QR code with
|
|
the address, and asks her to submit a "deposit"
|
|
for up to 1 hour of video. The address is then funded by Emma. Emma's
|
|
transaction, paying to the multisignature address, is the funding or
|
|
anchor transaction for the payment channel.
|
|
|
|
For this example, let's say that Emma funds the channel with 36
|
|
millibits (0.036 BTC). This will allow Emma to consume _up to_ 1 hour of
|
|
streaming video. The funding transaction in this case sets the maximum
|
|
amount that can be transmitted in this channel, setting the _channel
|
|
capacity_.
|
|
|
|
The funding transaction consumes one or more inputs from Emma's wallet,
|
|
sourcing the funds. It creates one output with an amount of 36 millibits
|
|
paid to the multisignature 2-of-2 address controlled jointly between
|
|
Emma and Fabian. It may have additional outputs for change back to
|
|
Emma's wallet.
|
|
|
|
Once the funding transaction is confirmed, Emma can start streaming
|
|
video. Emma's software creates and signs a commitment transaction that
|
|
changes the channel balance to credit 0.01 millibit to Fabian's address
|
|
and refund 35.99 millibits back to Emma. The transaction signed by Emma
|
|
consumes the 36 millibits output created by the funding transaction and
|
|
creates two outputs: one for her refund, the other for Fabian's payment.
|
|
The transaction is only partially signed—it requires two
|
|
signatures (2-of-2), but only has Emma's signature. When Fabian's server
|
|
receives this transaction, it adds the second signature (for the 2-of-2
|
|
input) and returns it to Emma together with 1 second worth of video. Now
|
|
both parties have a fully signed commitment transaction that either can
|
|
redeem, representing the correct up-to-date balance of the channel.
|
|
Neither party broadcasts this transaction to the network.
|
|
|
|
In the next round, Emma's software creates and signs another commitment
|
|
transaction (commitment #2) that consumes the _same_ 2-of-2 output from
|
|
the funding transaction. The second commitment transaction allocates one
|
|
output of 0.02 millibits to Fabian's address and one output of 35.98
|
|
millibits back to Emma's address. This new transaction is payment for
|
|
two cumulative seconds of video. Fabian's software signs and returns the
|
|
second commitment transaction, together with another second of video.
|
|
|
|
In this way, Emma's software continues to send commitment transactions
|
|
to Fabian's server in exchange for streaming video. The balance of the
|
|
channel gradually accumulates in favor of Fabian, as Emma consumes more
|
|
seconds of video. Let's say Emma watches 600 seconds (10 minutes) of
|
|
video, creating and signing 600 commitment transactions. The last
|
|
commitment transaction (#600) will have two outputs, splitting the
|
|
balance of the channel, 6 millibits to Fabian and 30 millibits to Emma.
|
|
|
|
Finally, Emma clicks "Stop" to stop streaming video. Either Fabian or
|
|
Emma can now transmit the final state transaction for settlement. This
|
|
last transaction is the _settlement transaction_ and pays Fabian for all
|
|
the video Emma consumed, refunding the remainder of the funding
|
|
transaction to Emma.
|
|
|
|
<<video_payment_channel>> shows the channel between Emma and Fabian and
|
|
the commitment transactions that update the balance of the channel.
|
|
|
|
In the end, only two transactions are recorded on the blockchain: the
|
|
funding transaction that established the channel and a settlement
|
|
transaction that allocated the final balance correctly between the two
|
|
participants.((("", startref="PSCexample12")))
|
|
|
|
[[video_payment_channel]]
|
|
.Emma's payment channel with Fabian, showing the commitment transactions that update the balance of the channel
|
|
image::images/mbc2_1206.png["Emma's payment channel with Fabian, showing the commitment transactions that update the balance of the channel"]
|
|
|
|
==== Making Trustless Channels
|
|
|
|
((("payment (state) channels", "making trustless channels",
|
|
id="PSCtrust12")))The channel we just described works, but only if both
|
|
parties cooperate, without any failures or attempts to cheat. Let's look
|
|
at some of the scenarios that break this channel and see what is needed
|
|
to fix those:
|
|
|
|
- Once the funding transaction happens, Emma needs Fabian's signature to
|
|
get any money back. If Fabian disappears, Emma's funds are locked in a
|
|
2-of-2 and effectively lost. This channel, as constructed, leads to a
|
|
loss of funds if one of the parties becomes unavailable before there is at
|
|
least one commitment transaction signed by both parties.
|
|
|
|
- While the channel is running, Emma can take any of the commitment
|
|
transactions Fabian has countersigned and transmit one to the
|
|
blockchain. Why pay for 600 seconds of video, if she can transmit
|
|
commitment transaction #1 and only pay for 1 second of video? The
|
|
channel fails because Emma can cheat by broadcasting a prior
|
|
commitment that is in her favor.
|
|
|
|
Both of these problems can be solved with timelocks—let's look at
|
|
how we could use transaction-level time locks.
|
|
|
|
Emma cannot risk funding a 2-of-2 multisig unless she has a guaranteed
|
|
refund. To solve this problem, Emma constructs the funding and refund
|
|
transaction at the same time. She signs the funding transaction but
|
|
doesn't transmit it to anyone. Emma transmits only the refund
|
|
transaction to Fabian and obtains his signature.
|
|
|
|
The refund transaction acts as the first commitment transaction and its
|
|
timelock establishes the upper bound for the channel's life. In this
|
|
case, Emma could set the lock time to 30 days or 4320 blocks into the
|
|
future. All subsequent commitment transactions must have a shorter
|
|
timelock, so that they can be redeemed before the refund transaction.
|
|
|
|
Now that Emma has a fully signed refund transaction, she can confidently
|
|
transmit the signed funding transaction knowing that she can eventually,
|
|
after the timelock expires, redeem the refund transaction even if Fabian
|
|
disappears.
|
|
|
|
Every commitment transaction the parties exchange during the life of the
|
|
channel will be timelocked into the future. But the delay will be
|
|
slightly shorter for each commitment so the most recent commitment can
|
|
be redeemed before the prior commitment it invalidates. Because of the
|
|
lock time, neither party can successfully propagate any of the
|
|
commitment transactions until their timelock expires. If all goes well,
|
|
they will cooperate and close the channel gracefully with a settlement
|
|
transaction, making it unnecessary to transmit an intermediate
|
|
commitment transaction. If not, the most recent commitment transaction
|
|
can be propagated to settle the account and invalidate all prior
|
|
commitment transactions.
|
|
|
|
For example, if commitment transaction #1 is timelocked to 4320 blocks
|
|
in the future, then commitment transaction #2 is timelocked to 4319
|
|
blocks in the future. Commitment transaction #600 can be spent 600
|
|
blocks before commitment transaction #1 becomes valid.
|
|
|
|
<<timelocked_commitments>> shows each commitment transaction setting a
|
|
shorter timelock, allowing it to be spent before the previous
|
|
commitments become valid.
|
|
|
|
[[timelocked_commitments]]
|
|
.Each commitment sets a shorter timelock, allowing it to be spent before the previous commitments become valid
|
|
image::images/mbc2_1207.png["Each commitment sets a shorter timelock, allowing it to be spent before the previous commitments become valid"]
|
|
|
|
Each subsequent commitment transaction must have a shorter timelock so
|
|
that it may be broadcast before its predecessors and before the refund
|
|
transaction. The ability to broadcast a commitment earlier ensures it
|
|
will be able to spend the funding output and preclude any other
|
|
commitment transaction from being redeemed by spending the output. The
|
|
guarantees offered by the Bitcoin blockchain, preventing double-spends
|
|
and enforcing timelocks, effectively allow each commitment transaction
|
|
to invalidate its predecessors.
|
|
|
|
State channels use timelocks to enforce smart contracts across a time
|
|
dimension. In this example we saw how the time dimension guarantees that
|
|
the most recent commitment transaction becomes valid before any earlier
|
|
commitments. Thus, the most recent commitment transaction can be
|
|
transmitted, spending the inputs and invalidating prior commitment
|
|
transactions. The enforcement of smart contracts with absolute timelocks
|
|
protects against cheating by one of the parties. This implementation
|
|
needs nothing more than absolute transaction-level lock time.
|
|
Next, we will see how script-level timelocks,
|
|
+CHECKLOCKTIMEVERIFY+ and +CHECKSEQUENCEVERIFY+, can be used to
|
|
construct more flexible, useful, and sophisticated state channels.
|
|
|
|
Timelocks are not the only way to invalidate prior commitment
|
|
transactions. In the next sections we will see how a revocation key can
|
|
be used to achieve the same result. Timelocks are effective but they
|
|
have two distinct disadvantages. By establishing a maximum timelock when
|
|
the channel is first opened, they limit the lifetime of the channel.
|
|
Worse, they force channel implementations to strike a balance between
|
|
allowing long-lived channels and forcing one of the participants to wait
|
|
a very long time for a refund in case of premature closure. For example,
|
|
if you allow the channel to remain open for 30 days, by setting the
|
|
refund timelock to 30 days, if one of the parties disappears immediately
|
|
the other party must wait 30 days for a refund. The more distant the
|
|
endpoint, the more distant the refund.
|
|
|
|
The second problem is that since each subsequent commitment transaction
|
|
must decrement the timelock, there is an explicit limit on the number of
|
|
commitment transactions that can be exchanged between the parties. For
|
|
example, a 30-day channel, setting a timelock of 4320 blocks into the
|
|
future, can only accommodate 4320 intermediate commitment transactions
|
|
before it must be closed. There is a danger in setting the timelock
|
|
commitment transaction interval at 1 block. By setting the timelock
|
|
interval between commitment transactions to 1 block, a developer is
|
|
creating a very high burden for the channel participants who have to be
|
|
vigilant, remain online and watching, and be ready to transmit the right
|
|
commitment transaction at any time.
|
|
|
|
In the above example of a single-direction channel, it's easy to
|
|
eliminate the per-commitment timelock. After Emma receives the
|
|
signature on the timelocked refund transaction from Fabian, no timelocks
|
|
are placed on the commitment transactions. Instead, Emma sends her
|
|
signature on each commitment transaction to Fabian but Fabian doesn't
|
|
send her any of his signatures on the commitment transactions. That
|
|
means only Fabian has both signatures for a commitment transaction, so
|
|
only he can broadcast one of those commitments. When Emma finishes
|
|
streaming video, Fabian will always prefer to broadcast the transaction
|
|
that pays him the most---which will be the latest state. This
|
|
construction in called a Spillman-style payment channel, which was first
|
|
described and implemented in 2013, although they are only safe to use
|
|
with witness (segwit) transactions, which didn't become available until
|
|
2017.
|
|
|
|
Now that we understand how timelocks can be used to invalidate prior
|
|
commitments, we can see the difference between closing the channel
|
|
cooperatively and closing it unilaterally by broadcasting a commitment
|
|
transaction. All commitment transactions in our prior example were timelocked, therefore
|
|
broadcasting a commitment transaction will always involve waiting until
|
|
the timelock has expired. But if the two parties agree on what the final
|
|
balance is and know they both hold commitment transactions that will
|
|
eventually make that balance a reality, they can construct a settlement
|
|
transaction without a timelock representing that same balance. In a
|
|
cooperative close, either party takes the most recent commitment
|
|
transaction and builds a settlement transaction that is identical in
|
|
every way except that it omits the timelock. Both parties can sign this
|
|
settlement transaction knowing there is no way to cheat and get a more
|
|
favorable balance. By cooperatively signing and transmitting the
|
|
settlement transaction they can close the channel and redeem their
|
|
balance immediately. Worst case, one of the parties can be petty, refuse
|
|
to cooperate, and force the other party to do a unilateral close with
|
|
the most recent commitment transaction. But if they do that, they have
|
|
to wait for their funds too.((("", startref="PSCtrust12")))
|
|
|
|
==== Asymmetric Revocable Commitments
|
|
|
|
((("payment (state) channels", "asymmetric revocable commitments",
|
|
id="PSCaymetric12")))Another way to handle the prior commitment states
|
|
is to explicitly revoke them. However, this is not easy to achieve. A
|
|
key characteristic of Bitcoin is that once a transaction is valid, it
|
|
remains valid and does not expire. The only way to cancel a transaction
|
|
is to get a conflicting transactionn confirmed.
|
|
That's why we used timelocks in the simple payment channel
|
|
example above to ensure that more recent commitments could be spent
|
|
before older commitments were valid. However, sequencing commitments in
|
|
time creates a number of constraints that make payment channels
|
|
difficult to use.
|
|
|
|
Even though a transaction cannot be canceled, it can be constructed in
|
|
such a way as to make it undesirable to use. The way we do that is by
|
|
giving each party a _revocation key_ that can be used to punish the
|
|
other party if they try to cheat. This mechanism for revoking prior
|
|
commitment transactions was first proposed as part of the Lightning
|
|
Network.
|
|
|
|
To explain revocation keys, we will construct a more complex payment
|
|
channel between two exchanges run by Hitesh and Irene. Hitesh and Irene
|
|
run Bitcoin exchanges in India and the USA, respectively. Customers of
|
|
Hitesh's Indian exchange often send payments to customers of Irene's USA
|
|
exchange and vice versa. Currently, these transactions occur on the
|
|
Bitcoin blockchain, but this means paying fees and waiting several
|
|
blocks for confirmations. Setting up a payment channel between the
|
|
exchanges will significantly reduce the cost and accelerate the
|
|
transaction flow.
|
|
|
|
Hitesh and Irene start the channel by collaboratively constructing a
|
|
funding transaction, each funding the channel with 5 bitcoin. Before
|
|
they sign the funding transaction, they must sign the first set of
|
|
commitments (called the _refund_) that assigns the
|
|
initial balance of 5 bitcoin for Hitesh and 5 bitcoin for Irene. The
|
|
funding transaction locks the channel state in a 2-of-2 multisig, just
|
|
like in the example of a simple channel.
|
|
|
|
The funding transaction may have one or more inputs from Hitesh (adding
|
|
up to 5 bitcoin or more), and one or more inputs from Irene (adding up
|
|
to 5 bitcoin or more). The inputs have to slightly exceed the channel
|
|
capacity in order to cover the transaction fees. The transaction has one
|
|
output that locks the 10 total bitcoin to a 2-of-2 multisig address
|
|
controlled by both Hitesh and Irene. The funding transaction may also
|
|
have one or more outputs returning change to Hitesh and Irene if their
|
|
inputs exceeded their intended channel contribution. This is a single
|
|
transaction with inputs offered and signed by two parties. It has to be
|
|
constructed in collaboration and signed by each party before it is
|
|
transmitted.
|
|
|
|
Now, instead of creating a single commitment transaction that both
|
|
parties sign, Hitesh and Irene create two different commitment
|
|
transactions that are _asymmetric_.
|
|
|
|
Hitesh has a commitment transaction with two outputs. The first output
|
|
pays Irene the 5 bitcoin she is owed _immediately_. The second output
|
|
pays Hitesh the 5 bitcoin he is owed, but only after a timelock of 1000
|
|
blocks. The transaction outputs look like this:
|
|
|
|
----
|
|
Input: 2-of-2 funding output, signed by Irene
|
|
|
|
Output 0 <5 bitcoin>:
|
|
<Irene's Public Key> CHECKSIG
|
|
|
|
Output 1 <5 bitcoin>:
|
|
<1000 blocks>
|
|
CHECKSEQUENCEVERIFY
|
|
DROP
|
|
<Hitesh's Public Key> CHECKSIG
|
|
----
|
|
|
|
Irene has a different commitment transaction with two outputs. The first
|
|
output pays Hitesh the 5 bitcoin he is owed immediately. The second
|
|
output pays Irene the 5 bitcoin she is owed but only after a timelock of
|
|
1000 blocks. The commitment transaction Irene holds (signed by Hitesh)
|
|
looks like this:
|
|
|
|
----
|
|
Input: 2-of-2 funding output, signed by Hitesh
|
|
|
|
Output 0 <5 bitcoin>:
|
|
<Hitesh's Public Key> CHECKSIG
|
|
|
|
Output 1 <5 bitcoin>:
|
|
<1000 blocks>
|
|
CHECKSEQUENCEVERIFY
|
|
DROP
|
|
<Irene's Public Key> CHECKSIG
|
|
----
|
|
|
|
This way, each party has a commitment transaction, spending the 2-of-2
|
|
funding output. This input is signed by the _other_ party. At any time
|
|
the party holding the transaction can also sign (completing the 2-of-2)
|
|
and broadcast. However, if they broadcast the commitment transaction, it
|
|
pays the other party immediately whereas they have to wait for a
|
|
timelock to expire. By imposing a delay on the redemption of one of the
|
|
outputs, we put each party at a slight disadvantage when they choose to
|
|
unilaterally broadcast a commitment transaction. But a time delay alone
|
|
isn't enough to encourage fair conduct.
|
|
|
|
<<asymmetric_commitments>> shows two asymmetric commitment transactions,
|
|
where the output paying the holder of the commitment is delayed.
|
|
|
|
[[asymmetric_commitments]]
|
|
.Two asymmetric commitment transactions with delayed payment for the party holding the transaction
|
|
image::images/mbc2_1208.png["Two asymmetric commitment transactions with delayed payment for the party holding the transaction"]
|
|
|
|
Now we introduce the final element of this scheme: a revocation key that
|
|
prevents a cheater from broadcasting an expired commitment. The
|
|
revocation key allows the wronged party to punish the cheater by taking
|
|
the entire balance of the channel.
|
|
|
|
The revocation key is composed of two secrets, each half generated
|
|
independently by each channel participant. It is similar to a 2-of-2
|
|
multisig, but constructed using elliptic curve arithmetic, so that both
|
|
parties know the revocation public key but each party knows only half
|
|
the revocation secret key.
|
|
|
|
In each round, both parties reveal their half of the revocation secret
|
|
to the other party, thereby giving the other party (who now has both
|
|
halves) the means to claim the penalty output if this revoked
|
|
transaction is ever broadcast.
|
|
|
|
Each of the commitment transactions has a "delayed" output. The
|
|
redemption script for that output allows one party to redeem it after
|
|
1000 blocks, _or_ the other party to redeem it if they have a revocation
|
|
key, penalizing transmission of a revoked commitment.
|
|
|
|
So when Hitesh creates a commitment transaction for Irene to sign, he
|
|
makes the second output payable to himself after 1000 blocks, or to the
|
|
revocation public key (of which he only knows half the secret). Hitesh
|
|
constructs this transaction. He will only reveal his half of the
|
|
revocation secret to Irene when he is ready to move to a new channel
|
|
state and wants to revoke this commitment.
|
|
|
|
The second output's script looks like this:
|
|
|
|
----
|
|
Output 0 <5 bitcoin>:
|
|
<Irene's Public Key> CHECKSIG
|
|
|
|
Output 1 <5 bitcoin>:
|
|
IF
|
|
# Revocation penalty output
|
|
<Revocation Public Key>
|
|
ELSE
|
|
<1000 blocks>
|
|
CHECKSEQUENCEVERIFY
|
|
DROP
|
|
<Hitesh's Public Key>
|
|
ENDIF
|
|
CHECKSIG
|
|
----
|
|
|
|
Irene can confidently sign this transaction, since if transmitted it
|
|
will immediately pay her what she is owed. Hitesh holds the transaction,
|
|
but knows that if he transmits it in a unilateral channel closing, he
|
|
will have to wait 1000 blocks to get paid.
|
|
|
|
After the channel is advanced to the next state, Hitesh has to _revoke_
|
|
this commitment transaction before Irene will agree to sign any further
|
|
commitment transactions. To do that, all he has to do is send his half of
|
|
the _revocation key_ to Irene. Once Irene has both halves of the
|
|
revocation secret key for this commitment, she can sign a future
|
|
commitment with confidence. She knows that if Hitesh tries to cheat by
|
|
publishing the prior commitment, she can use the revocation key to
|
|
redeem Hitesh's delayed output. _If Hitesh cheats, Irene gets BOTH
|
|
outputs_. Meanwhile, Hitesh only has half the revocation secret for that
|
|
revocation public key and can't redeem the output until 1000 blocks.
|
|
Irene will be able to redeem the output and punish Hitesh before the
|
|
1000 blocks have elapsed.
|
|
|
|
The revocation protocol is bilateral, meaning that in each round, as the
|
|
channel state is advanced, the two parties exchange new commitments,
|
|
exchange revocation secrets for the previous commitments, and sign each
|
|
other's new commitment transactions. As they accept a new state, they
|
|
make the prior state impossible to use, by giving each other the
|
|
necessary revocation secrets to punish any cheating.
|
|
|
|
Let's look at an example of how it works. One of Irene's customers wants
|
|
to send 2 bitcoins to one of Hitesh's customers. To transmit 2 bitcoins
|
|
across the channel, Hitesh and Irene must advance the channel state to
|
|
reflect the new balance. They will commit to a new state (state number
|
|
2) where the channel's 10 bitcoins are split, 7 bitcoins to Hitesh and 3
|
|
bitcoins to Irene. To advance the state of the channel, they will each
|
|
create new commitment transactions reflecting the new channel balance.
|
|
|
|
As before, these commitment transactions are asymmetric so that the
|
|
commitment transaction each party holds forces them to wait if they
|
|
redeem it. Crucially, before signing new commitment transactions, they
|
|
must first exchange revocation keys to invalidate any outdated commitments.
|
|
In this particular case, Hitesh's interests are aligned with the real
|
|
state of the channel and therefore he has no reason to broadcast a prior
|
|
state. However, for Irene, state number 1 leaves her with a higher
|
|
balance than state 2. When Irene gives Hitesh the revocation key for her
|
|
prior commitment transaction (state number 1) she is effectively
|
|
revoking her ability to profit from regressing the channel to a prior
|
|
state because with the revocation key, Hitesh can redeem both outputs of
|
|
the prior commitment transaction without delay. Meaning if Irene
|
|
broadcasts the prior state, Hitesh can exercise his right to take all of
|
|
the outputs.
|
|
|
|
Importantly, the revocation doesn't happen automatically. While Hitesh
|
|
has the ability to punish Irene for cheating, he has to watch the
|
|
blockchain diligently for signs of cheating. If he sees a prior
|
|
commitment transaction broadcast, he has 1000 blocks to take action and
|
|
use the revocation key to thwart Irene's cheating and punish her by
|
|
taking the entire balance, all 10 bitcoins.
|
|
|
|
Asymmetric revocable commitments with relative time locks (+CSV+) are a
|
|
much better way to implement payment channels and a very significant
|
|
innovation in this technology. With this construct, the channel can
|
|
remain open indefinitely and can have billions of intermediate
|
|
commitment transactions. In implementations of Lightning
|
|
Network, the commitment state is identified by a 48-bit index, allowing
|
|
more than 281 trillion (2.8 x 10^14^) state transitions in any single
|
|
channel!((("", startref="PSCaymetric12")))
|
|
|
|
==== Hash Time Lock Contracts (HTLC)
|
|
|
|
((("Hash Time Lock Contracts (HTLC)")))((("payment (state) channels",
|
|
"Hash Time Lock Contracts (HTLC)")))Payment channels can be further
|
|
extended with a special type of smart contract that allows the
|
|
participants to commit funds to a redeemable secret, with an expiration
|
|
time. This feature is called a _Hash Time Lock Contract_, or _HTLC_, and
|
|
is used in both bidirectional and routed payment channels.
|
|
|
|
Let's first explain the "hash" part of the HTLC. To create an HTLC, the
|
|
intended recipient of the payment will first create a secret +R+. They
|
|
then calculate the hash of this secret +H+:
|
|
|
|
----
|
|
H = Hash(R)
|
|
----
|
|
|
|
This produces a hash +H+ that can be included in an output's
|
|
script. Whoever knows the secret can use it to redeem the output. The
|
|
secret +R+ is also referred to as a _preimage_ to the hash function. The
|
|
preimage is just the data that is used as input to a hash function.
|
|
|
|
The second part of an HTLC is the "time lock" component. If the secret
|
|
is not revealed, the payer of the HTLC can get a "refund" after some
|
|
time. This is achieved with an absolute time lock using
|
|
+CHECKLOCKTIMEVERIFY+.
|
|
|
|
The script implementing an HTLC might look like this:
|
|
|
|
----
|
|
IF
|
|
# Payment if you have the secret R
|
|
HASH160 <H> EQUALVERIFY
|
|
<Receiver Public Key> CHECKSIG
|
|
ELSE
|
|
# Refund after timeout.
|
|
<lock time> CHECKLOCKTIMEVERIFY DROP
|
|
<Payer Public Key> CHECKSIG
|
|
ENDIF
|
|
----
|
|
|
|
Anyone who knows the secret +R+, which when hashed equals to +H+, can
|
|
redeem this output by exercising the first clause of the +IF+ flow.
|
|
|
|
If the secret is not revealed and the HTLC claimed, after a certain
|
|
number of blocks the payer can claim a refund using the second clause in
|
|
the +IF+ flow.
|
|
|
|
This is a basic implementation of an HTLC. This type of HTLC can be
|
|
redeemed by _anyone_ who has the secret +R+. An HTLC can take many
|
|
different forms with slight variations to the script. For example,
|
|
adding a +CHECKSIG+ operator and a public key in the first clause
|
|
restricts redemption of the hash to a particular recipient, who must also
|
|
know the secret +R+.((("", startref="BCApayment12")))
|
|
|
|
[[lightning_network]]
|
|
=== Routed Payment Channels (Lightning Network)
|
|
|
|
((("blockchain applications", "routed payment channels",
|
|
seealso="Lightning Network", id="BCAlightning12")))((("routed payment
|
|
channels", see="Lightning Network")))((("Lightning Network",
|
|
"defined")))The Lightning Network is a proposed routed network of
|
|
bidirectional payment channels connected end-to-end. A network like this
|
|
can allow any participant to route a payment from channel to channel
|
|
without trusting any of the intermediaries. The Lightning Network was
|
|
https://lightning.network/lightning-network-paper.pdf[first described by
|
|
Joseph Poon and Thadeus Dryja in February 2015], building on the concept
|
|
of payment channels as proposed and elaborated upon by many others.
|
|
|
|
"Lightning Network" refers to a specific design for a routed payment
|
|
channel network, which has now been implemented by at least five
|
|
different open source teams. ((("Basics of Lightning Technology
|
|
(BOLT)")))The independent implementations are coordinated by a set of
|
|
interoperability standards described in the
|
|
http://bit.ly/2rBHeoL[_Basics of Lightning Technology (BOLT)_ repository].
|
|
|
|
==== Basic Lightning Network Example
|
|
|
|
((("Lightning Network", "basic example")))Let's see how this works.
|
|
|
|
In this example, we have five participants: Alice, Bob, Carol, Diana,
|
|
and Eric. These five participants have opened payment channels with each
|
|
other, in pairs. Alice has a payment channel with Bob. Bob is connected
|
|
to Carol, Carol to Diana, and Diana to Eric. For simplicity let's assume
|
|
each channel is funded with 2 bitcoins by each participant, for a total
|
|
capacity of 4 bitcoins in each channel.
|
|
|
|
<<lightning_network_fig>> shows five participants in a Lightning
|
|
Network, connected by bidirectional payment channels that can be linked
|
|
to make a payment from Alice to Eric (<<lightning_network>>).
|
|
|
|
[[lightning_network_fig]]
|
|
.A series of bidirectional payment channels linked to form a Lightning Network that can route a payment from Alice to Eric
|
|
image::images/mbc2_1209.png["A series of bi-directional payment channels linked to form a Lightning Network"]
|
|
|
|
Alice wants to pay Eric 1 bitcoin. However, Alice is not connected to
|
|
Eric by a payment channel. Creating a payment channel requires a funding
|
|
transaction, which must be committed to the Bitcoin blockchain. Alice
|
|
does not want to open a new payment channel and commit more of her
|
|
funds. Is there a way to pay Eric, indirectly?
|
|
|
|
<<ln_payment_process>> shows the step-by-step process of routing a
|
|
payment from Alice to Eric, through a series of HTLC commitments on the
|
|
payment channels connecting the participants.
|
|
|
|
[[ln_payment_process]]
|
|
.Step-by-step payment routing through a Lightning Network
|
|
image::images/mbc2_1210.png["Step-by-step payment routing through a Lightning Network"]
|
|
|
|
Alice is running a Lightning Network (LN) node that is keeping track of
|
|
her payment channel to Bob and has the ability to discover routes
|
|
between payment channels. Alice's LN node also has the ability to
|
|
connect over the internet to Eric's LN node. Eric's LN node creates a
|
|
secret +R+ using a random number generator. Eric's node does not reveal
|
|
this secret to anyone. Instead, Eric's node calculates a hash +H+ of the
|
|
secret +R+ and transmits this hash to Alice's node in the form of an
|
|
invoice (see <<ln_payment_process>> step 1).
|
|
|
|
Now Alice's LN node constructs a route between Alice's LN node and
|
|
Eric's LN node. The pathfinding algorithm used will be examined in more
|
|
detail later, but for now let's assume that Alice's node can find an
|
|
efficient route.
|
|
|
|
Alice's node then constructs an HTLC, payable to the hash +H+, with a
|
|
10-block refund timeout (current block + 10), for an amount of 1.003
|
|
bitcoins (see <<ln_payment_process>> step 2). The extra 0.003 will be
|
|
used to compensate the intermediate nodes for their participation in
|
|
this payment route. Alice offers this HTLC to Bob, deducting 1.003
|
|
bitcoins from her channel balance with Bob and committing it to the HTLC.
|
|
The HTLC has the following meaning: _"Alice is committing 1.003 of her
|
|
channel balance to be paid to Bob if Bob knows the secret, or refunded
|
|
back to Alice's balance if 10 blocks elapse."_ The channel balance
|
|
between Alice and Bob is now expressed by commitment transactions with
|
|
three outputs: 2 bitcoins balance to Bob, 0.997 bitcoins balance to Alice,
|
|
1.003 bitcoins committed in Alice's HTLC. Alice's balance is reduced by
|
|
the amount committed to the HTLC.
|
|
|
|
Bob now has a commitment that if he is able to get the secret +R+ within
|
|
the next 10 blocks, he can claim the 1.003 locked by Alice. With this
|
|
commitment in hand, Bob's node constructs an HTLC on his payment channel
|
|
with Carol. Bob's HTLC commits 1.002 bitcoins to hash +H+ for 9 blocks,
|
|
which Carol can redeem if she has secret +R+ (see <<ln_payment_process>>
|
|
step 3). Bob knows that if Carol can claim his HTLC, she has to produce
|
|
+R+. If Bob has +R+ in nine blocks, he can use it to claim Alice's HTLC
|
|
to him. He also makes 0.001 bitcoins for committing his channel balance
|
|
for nine blocks. If Carol is unable to claim his HTLC and he is unable
|
|
to claim Alice's HTLC, everything reverts back to the prior channel
|
|
balances and no one is at a loss. The channel balance between Bob and
|
|
Carol is now: 2 to Carol, 0.998 to Bob, 1.002 committed by Bob to the
|
|
HTLC.
|
|
|
|
Carol now has a commitment that if she gets +R+ within the next nine
|
|
blocks, she can claim 1.002 bitcoins locked by Bob. Now she can make an
|
|
HTLC commitment on her channel with Diana. She commits an HTLC of 1.001
|
|
bitcoins to hash +H+, for eight blocks, which Diana can redeem if she has
|
|
secret +R+ (see <<ln_payment_process>> step 4). From Carol's
|
|
perspective, if this works she is 0.001 bitcoins better off and if it
|
|
doesn't she loses nothing. Her HTLC to Diana is only viable if +R+ is
|
|
revealed, at which point she can claim the HTLC from Bob. The channel
|
|
balance between Carol and Diana is now: 2 to Diana, 0.999 to Carol,
|
|
1.001 committed by Carol to the HTLC.
|
|
|
|
Finally, Diana can offer an HTLC to Eric, committing 1 bitcoin for seven
|
|
blocks to hash +H+ (see <<ln_payment_process>> step 5). The channel
|
|
balance between Diana and Eric is now: 2 to Eric, 1 to Diana, 1
|
|
committed by Diana to the HTLC.
|
|
|
|
However, at this hop in the route, Eric _has_ secret +R+. He can
|
|
therefore claim the HTLC offered by Diana. He sends +R+ to Diana and
|
|
claims the 1 bitcoin, adding it to his channel balance (see
|
|
<<ln_payment_process>> step 6). The channel balance is now: 1 to Diana,
|
|
3 to Eric.
|
|
|
|
Now, Diana has secret +R+. Therefore, she can now claim the HTLC from
|
|
Carol. Diana transmits +R+ to Carol and adds the 1.001 bitcoins to her
|
|
channel balance (see <<ln_payment_process>> step 7). Now the channel
|
|
balance between Carol and Diana is: 0.999 to Carol, 3.001 to Diana.
|
|
Diana has "earned" 0.001 for participating in this payment route.
|
|
|
|
Flowing back through the route, the secret +R+ allows each participant
|
|
to claim the outstanding HTLCs. Carol claims 1.002 from Bob, setting the
|
|
balance on their channel to: 0.998 to Bob, 3.002 to Carol (see
|
|
<<ln_payment_process>> step 8). Finally, Bob claims the HTLC from Alice
|
|
(see <<ln_payment_process>> step 9). Their channel balance is updated
|
|
as: 0.997 to Alice, 3.003 to Bob.
|
|
|
|
Alice has paid Eric 1 bitcoin without opening a channel to Eric. None of
|
|
the intermediate parties in the payment route had to trust each other.
|
|
For the short-term commitment of their funds in the channel they are
|
|
able to earn a small fee, with the only risk being a small delay in
|
|
refund if the channel was closed or the routed payment failed.
|
|
|
|
==== Lightning Network Transport and Pathfinding
|
|
|
|
((("Lightning Network", "transport and pathfinding")))All communications
|
|
between LN nodes are encrypted point-to-point. In addition, nodes have a
|
|
long-term public key that they http://bit.ly/2r5TACm[use as an
|
|
identifier and to authenticate each other].
|
|
|
|
Whenever a node wishes to send a payment to another node, it must first
|
|
construct a _path_ through the network by connecting payment channels
|
|
with sufficient capacity. Nodes advertise routing information, including
|
|
what channels they have open, how much capacity each channel has, and
|
|
what fees they charge to route payments. The routing information can be
|
|
shared in a variety of ways and different pathfinding protocols have
|
|
emerged as Lightning Network technology has advanced.
|
|
Current implementations of
|
|
route discovery use a P2P model where nodes propagate channel
|
|
announcements to their peers, in a "flooding" model, similar to how
|
|
Bitcoin propagates transactions.
|
|
|
|
In our previous example, Alice's node uses one of these route discovery
|
|
mechanisms to find one or more paths connecting her node to Eric's node.
|
|
Once Alice's node has constructed a path, she will initialize that path
|
|
through the network, by propagating a series of encrypted and nested
|
|
instructions to connect each of the adjacent payment channels.
|
|
|
|
Importantly, this path is only known to Alice's node. All other
|
|
participants in the payment route see only the adjacent nodes. From
|
|
Carol's perspective, this looks like a payment from Bob to Diana. Carol
|
|
does not know that Bob is actually relaying a payment from Alice. She
|
|
also doesn't know that Diana will be relaying a payment to Eric.
|
|
|
|
This is a critical feature of the Lightning Network, because it ensures
|
|
privacy of payments and makes it very difficult to apply surveillance,
|
|
censorship, or blacklists. But how does Alice establish this payment
|
|
path, without revealing anything to the intermediary nodes?
|
|
|
|
The Lightning Network implements an onion-routed protocol based on a
|
|
scheme called http://bit.ly/2q6ZDrP[Sphinx]. This routing protocol
|
|
ensures that a payment sender can construct and communicate a path
|
|
through the Lightning Network such that:
|
|
|
|
- Intermediate nodes can verify and decrypt their portion of route
|
|
information and find the next hop.
|
|
|
|
- Other than the previous and next hops, they cannot learn about any
|
|
other nodes that are part of the path.
|
|
|
|
- They cannot identify the length of the payment path, or their own
|
|
position in that path.
|
|
|
|
- Each part of the path is encrypted in such a way that a network-level
|
|
attacker cannot associate the packets from different parts of the path
|
|
to each other.
|
|
|
|
- Unlike Tor (an onion-routed anonymization protocol on the internet),
|
|
there are no "exit nodes" that can be placed under surveillance. The
|
|
payments do not need to be transmitted to the Bitcoin blockchain; the
|
|
nodes just update channel balances.
|
|
|
|
Using this onion-routed protocol, Alice wraps each element of the path
|
|
in a layer of encryption, starting with the end and working backward.
|
|
She encrypts a message to Eric with Eric's public key. This message is
|
|
wrapped in a message encrypted to Diana, identifying Eric as the next
|
|
recipient. The message to Diana is wrapped in a message encrypted to
|
|
Carol's public key and identifying Diana as the next recipient. The
|
|
message to Carol is encrypted to Bob's key. Thus, Alice has constructed
|
|
this encrypted multilayer "onion" of messages. She sends this to Bob,
|
|
who can only decrypt and unwrap the outer layer. Inside, Bob finds a
|
|
message addressed to Carol that he can forward to Carol but cannot
|
|
decipher himself. Following the path, the messages get forwarded,
|
|
decrypted, forwarded, etc., all the way to Eric. Each participant knows
|
|
only the previous and next node in each hop.((("",
|
|
startref="alicetwelve")))
|
|
|
|
Each element of the path contains information on the HTLC that must be
|
|
extended to the next hop, the amount that is being sent, the fee to
|
|
include, and the CLTV lock time (in blocks) expiration of the HTLC. As
|
|
the route information propagates, the nodes make HTLC commitments
|
|
forward to the next hop.
|
|
|
|
At this point, you might be wondering how it is possible that the nodes
|
|
do not know the length of the path and their position in that path.
|
|
After all, they receive a message and forward it to the next hop.
|
|
Doesn't it get shorter, allowing them to deduce the path size and their
|
|
position? To prevent this, the packet size is fixed and
|
|
padded with random data. Each node sees the next hop and a fixed-length
|
|
encrypted message to forward. Only the final recipient sees that there
|
|
is no next hop. To everyone else it seems as if there are always more
|
|
hops to go.
|
|
|
|
==== Lightning Network Benefits
|
|
|
|
((("Lightning Network", "benefits of")))A Lightning Network is a
|
|
second-layer routing technology. It can be applied to any blockchain
|
|
that supports some basic capabilities, such as multisignature
|
|
transactions, timelocks, and basic smart contracts.
|
|
|
|
If a Lightning Network is layered on top of the Bitcoin network, the
|
|
Bitcoin network can gain a significant increase in capacity, privacy,
|
|
granularity, and speed, without sacrificing the principles of trustless
|
|
operation without intermediaries:
|
|
|
|
Privacy:: Lightning Network payments are much more private than payments
|
|
on the Bitcoin blockchain, as they are not public. While participants in
|
|
a route can see payments propagated across their channels, they do not
|
|
know the sender or recipient.
|
|
|
|
Fungibility:: A Lightning Network makes it much more difficult to apply
|
|
surveillance and blacklists on Bitcoin, increasing the fungibility of
|
|
the currency.
|
|
|
|
Speed:: Bitcoin transactions using Lightning Network are settled in
|
|
milliseconds, rather than minutes or hours, as HTLCs are cleared without
|
|
committing transactions to a block.
|
|
|
|
Granularity:: A Lightning Network can enable payments at least as small
|
|
as the Bitcoin "dust" limit, perhaps even smaller.
|
|
|
|
Capacity:: A Lightning Network increases the capacity of the Bitcoin
|
|
system by several orders of magnitude. There is no practical upper bound
|
|
to the number of payments per second that can be routed over a Lightning
|
|
Network, as it depends only on the capacity and speed of each node.
|
|
|
|
Trustless Operation:: A Lightning Network uses Bitcoin transactions
|
|
between nodes that operate as peers without trusting each other. Thus, a
|
|
Lightning Network preserves the principles of the Bitcoin system, while
|
|
expanding its operating parameters significantly.
|
|
|
|
We have examined just a few of the emerging applications that can be
|
|
built using the Bitcoin blockchain as a trust platform. These
|
|
applications expand the scope of bitcoin beyond payments and beyond
|
|
financial instruments, to encompass many other applications where trust
|
|
is critical. By decentralizing the basis of trust, the Bitcoin
|
|
blockchain is a platform that will spawn many revolutionary applications
|
|
in a wide variety of industries.
|