Remember Routing
Atomicity
What is atomicity in IT?
An all-or-nothing operation
Payment routing
Why is this relevant for payment routing?
It prevents theft!
HTLC
- Hashed TimeLock Contract
- Proposed by Poon and Dryja in the Lightning Network paper
- Uses time locks
- Uses hash locks
Time lock
Funds can only be spent after a given time or block number
Hash lock
Funds can only be spent if you know the secret s, such that:
hash(s) == x
x is written to the unlocking script, s needs to be provided by the spender such that x can be reproduced
Combine restrictions
signature + hash lock + time lock
Funds can be spent by you, at block 800,000 (or later), if you know a secret
simplified HTLC
signature, hash lock, time lock
Funds can be spent by Alice at block 800,000 (or later)
ORby Bob if he knows a secret
Scenario
Alice wants to send Eric 1 BTC
HTLCs in action
HTLCs in action
1) Eric creates a secret R and communicates its hash to Alice
HTLCs in action
2) Alice creates a commitment TX: I will pay Bob 1.003 BTC if he presents the secret (R) that leads to hash H, during the next 10 blocks
HTLCs in action
Bob now also knows H, so he can craft a similar TX
HTLCs in action
3) Bob creates a commitment TX: I will pay Carol 1.002 BTC if she presents the secret (R) that leads to hash H, during the next 9 blocks
HTLCs in action
Remember, the commitment TX spends the 2-of-2 multiSig (funding TX) and is not being published to the Bitcoin network!
HTLCs in action
4) Carol now also knows H, she crafts a similar TX for Diana
5) Same story for Diana
Notice
Diminishing BTC amount --> a routing fee being paid
Notice
Diminishing time lock --> Security measure to ensure atomicity of the transaction
Notice
Eric is the only one who actually knows R! Diana constructed an HTLC in which she promised 1 BTC to Eric if he reveals R!
Notice
Eric is happy! But what about Diana? Will she ever receive her "refund" from Carol?
Eric claims his funds!
Eric publishes the HTLC on-chain (closes the channel)
Eric claims his funds!
Now he has 7 blocks to spend the commitment TX, or else Diana can take the money back.
Eric claims his funds!
He spends that commitment TX and sends it to himself to ensure the money belongs to him forever. This means, he needs to reveal R on-chain!
Eric claims his funds!
Bob, Carol and Diana are watching the blockchain and learn R from there! They can now also claim their funds.
Eric claims his funds!
Happy end!
Eric claims his funds!
Well, not really.
Eric claims his funds!
Even though the payment went through, channels have also been closed, which is unfortunate.
HTLC consolidation
So let's go back to the moment Diana sent Eric her HTLC
HTLC consolidation
As we have just witnessed, Eric could claim his funds now, and Diana knows that as well.
HTLC consolidation
So Eric asks Diana to move to a new channel state, where Eric owns +1 BTC, and Diana -1 BTC
HTLC consolidation
Diana tells Eric that she is only willing to do that if he tells her R
HTLCs in action
HTLC consolidation
HTLC consolidation
They collaboratively move to a new channel state and remove the HTLC
HTLCs in action
Diana has given 1 BTC to Bob. She is now in the same situation as Bob before.
HTLCs in action
The scheme repeats through 7, 8, 9 until the transaction went through.
HTLCs in action
What if step 1 does not happen?
Payment cannot be constructed.
HTLCs in action
What if step 2 does not happen?
Alice searches for a new payment route
HTLCs in action
What if one of steps 2, 3, 4, 5, 6 does not happen?
Funds are locked in HTLC until time lock runs out
HTLCs in action
What if one of steps 7, 8, 9 does not happen?
Bob, Carol or Diana may lose 1 BTC
HTLCs in action
They are protected by the time-lock to have enough time to react. But if they leave the system, they can only harm themselves, not anyone else.
Conclusion
The transaction is atomic!
(as long as you run your system responsibly)
Questions?
Any questions so far?
Scripts
For the sake of completeness
Hash lock script
Extract from HTLC output script in (Bolt 3)
# To remote node with preimage.
OP_HASH160 <RIPEMD160(payment_hash)> OP_EQUALVERIFY
OP_CHECKSIG
Time lock script
Extract from HTLC output script in (Bolt 3)
# To remote node after timeout.
OP_DROP <cltv_expiry> OP_CHECKLOCKTIMEVERIFY OP_DROP
OP_CHECKSIG
Questions?
Any questions regarding HTLCs?
PTLC Routing
- Successor to HTLCs
- Point TimeLocked Contract
- Uses adaptor signatures
- Based on Schnorr signatures
PTLC Routing
- Use a point (PubKey) rather than hash lock
- Point can be aggregated with other key point
- Unilateral close path becomes smaller
- No shared secret amongst all hops
- No payment correlation between hops
- Preimage as proof of payment
- Stuckless payments