lnd.xprv/lnwire/ESCROWED_HTLC_NOTES

124 lines
4.8 KiB
Plaintext
Raw Normal View History

NOTE: Not implemented in code, only included as part of the wire protocol for
future implementation!
There are multiple R-value hashes supported in HTLCs in the wire protocol. This
is to support conditional multiparty payments, e.g. 2-of-3 "escrow", which is
one of the biggest use cases of bitcoin scripting today. An example use case is
a 3rd party "escrow" verifies whether a seller should be paid. This design is
such that the "escrow" is not a normal escrow which holds custody, but
determines who should get the money in the event of non-cooperation.
In this implementation, we are including *future protocol support* but not
writing code yet for 2-of-3, it is to be implemented later. Arbitrary N-of-M
can be supported, but let's keep this simple for now!
How it works: Require 2-of-3 R-value preimages (from 3 hashes) in order for the
HTLC to be fulfilled. For each hop in the payment, it requires this 2-of-3
condition. The timeout minimum for each hop in the path is at least the minimum
agreed contractual escrow timeout. This means each hop consumes a higher amount
of time-value (due to much longer timeouts along all channels in the path),
which does have greater pressure towards lower hop-distances compared to
straight payments.
This is a slightly different way of thinking about things. It's not signatures
that the escrow produces (or for that matters any of the 3-parties in the
2-of-3). It's some secret which is revealed to authorize payment. So if the
Escrow wants the payment to go through, they disclose the secret (R-value) to
the recipient. If the recipient is unable to produce 2-of-3, after the agreed
timeout, the sender will be refunded. Sender and receiver can agree to authorize
payment in most cases where there is cooperation, escrow is only contacted if
there is non-cooperation.
Supported in the wire protocol for the unit8:
1: 1-of-1
2: 1-of-2
3: 2-of-2
4: 1-of-3
5: 2-of-3
6: 3-of-3
I think the only ones that really matter are 1-of-1, 2-of-3, and maybe 2-of-2
and 3-of-3 (in that order of declining importance).
Assume the order in the stack is Sender, Recipient, Escrow.
For PAID 2-of-3 Recipient+Escrow, the HTLC stack is:
<BobSig> <0> <RecipientPreimageR> <EscrowPreimageR> <0>
If it's REFUND because 2-of-3 has not been redeemed in time:
<AliceSig> <1>
Script (we use OP_1/OP_0 to distinctly show computed true/false. 0/1 is for
supplied data as part of the sigScript/redeemScript stack):
-------------------------------------------------------------------------------
//Paid
OP_IF
//Optional... <CSVDelay> OP_CSV
OP_HASH160 <EscrowHash> OP_EQUAL
//Stack: <BobSig> <0> <RecipientPreimageR> <OP_1>
OP_SWAP
//Stack: <BobSig> <0> <OP_1> <RecipientPreimageR>
OP_HASH160 <RecipientHash> OP_EQUAL
//Stack: <BobSig> <0> <OP_1> <OP_1>
OP_ADD
//Stack: <BobSig> <0> <OP_2>
OP_SWAP
//Stack: <BobSig> <OP_2> <0>
OP_HASH160 <SenderHash> OP_EQUAL
//Stack: <BobSig> <OP_2> <OP_0>
OP_ADD
//Stack: <BobSig> <OP_2>
<2> OP_EQUALVERIFY
<BobPubKey>
//Stack: <BobSig> <BobPubKey>
//Refund
OP_ELSE
//Optional... <CSVDelay> OP_CSV
<HTLCTimeout> OP_CLTV
<AlicePubKey>
//Stack: <AliceSig> <AlicePubKey>
OP_ENDIF
OP_CHECKSIG
-------------------------------------------------------------------------------
Note: It is possible that Alice and Bob may not be Sender, Recipient, nor
Escrow!
If we have all 3 R-values, we only include 2 and include a dummy zero on the
third.
The result? We can do 2-of-3 escrow payments which refund to the sender after a
timeout! The Buyer and Seller can agree to redeem and they only need to go to
the Escrow if there's a dispute. Each node along the path gets paid or refunded
atomically, the same as a single-HTLC payment on Lightning.
Ta-da! "Smart Contract(TM)" maymay.
Immediately refundable payments (2-of-3 can immediately cancel a payment) are
also possible but requires another payment in the opposite direction with the
R-value hashed twice (the R value becomes the H), but that's kind of annoying to
write... it's easier to just assume immediate refund can only occur if both
2015-12-29 16:43:07 +03:00
Recipient+Sender agree to cancel the payment immediately (otherwise it will
wait until the timeout).
Also: THE ABOVE SCRIPT IS NOT THE MOST EFFICIENT SCRIPT POSSIBLE FOR THIS USE
2015-12-29 16:46:03 +03:00
CASE! This is to illustrate a similar conceptual use as current 2-of-3
multisig. You want to do <EscrowPreimageR> *OR* <SenderPreimageR> since the
recipient will always redeem if they can. So the hash code block would be
instead:
2015-12-29 16:43:07 +03:00
OP_HASH160 <EscrowHash> OP_EQUAL
//Stack: <BobSig> <0> <RecipientPreimageR> <OP_1>
2015-12-29 16:46:03 +03:00
OP_SWAP
2015-12-29 16:43:07 +03:00
//Stack: <BobSig> <OP_1> <0>
OP_HASH160 <SenderHash> OP_EQUAL
//Stack: <BobSig> <OP_1> <OP_0>
OP_BOOLOR
//Stack: <BobSig> <OP_1>
OP_VERIFY
2015-12-29 16:46:51 +03:00
The tradeoff is that if the escrow screws up, then payment can be forced.
2015-12-29 16:46:03 +03:00
Whereas the original script doesn't have that problem if the receiver does not
misbehave.