Why do we need revocation in both the offered/received HTLC outputs and HTLC timeout/success outputs?

1

1

The witness script for the output in the HTLC success/timeout transaction is:

OP_IF
    # Penalty transaction
    <revocationpubkey>
OP_ELSE
    `to_self_delay`
    OP_CHECKSEQUENCEVERIFY
    OP_DROP
    <local_delayedpubkey>
OP_ENDIF
OP_CHECKSIG

Which already exists a penalty transaction. While in the offered HTLC and received HTLC outputs in the commitment transaction, we have,

# To remote node with revocation key
OP_DUP OP_HASH160 <RIPEMD160(SHA256(revocationpubkey))> OP_EQUAL
...

Why don't we put the revocation in the HTLC-Timeout/Success outputs only?

yyforyongyu

Posted 2019-10-29T09:08:18.123

Reputation: 41

Answers

0

HTLCs have a different timeout (cltv_expiry) than the regular timeout that we use for penalty transactions (to_self_delay). That is the reason why we use a separate transaction stage (HTLC success/HTLC timeout) to allow our counterparty sufficient time to exercise their right to get the entire balance of the channel in case we broadcast the previous state of the channel.

To elaborate further, when your counterparty tells you to add a HTLC, your version of the commitment transaction will have 3 outputs:

  1. Paying to your counterparty immediately
  2. Paying to self, guarded by the revocation key for to_self_delay time
  3. Received HTLC output like below
    # To remote node with revocation key
    OP_DUP OP_HASH160 <RIPEMD160(SHA256(revocationpubkey))> OP_EQUAL
    OP_IF
        OP_CHECKSIG
    OP_ELSE
        <remote_htlcpubkey> OP_SWAP OP_SIZE 32 OP_EQUAL
        OP_IF
            # To local node via HTLC-success transaction.
            OP_HASH160 <RIPEMD160(payment_hash)> OP_EQUALVERIFY
            2 OP_SWAP <local_htlcpubkey> 2 OP_CHECKMULTISIG
        OP_ELSE
            # To remote node after timeout.
            OP_DROP <cltv_expiry> OP_CHECKLOCKTIMEVERIFY OP_DROP
            OP_CHECKSIG
        OP_ENDIF
    OP_ENDIF
    

When you supply the HTLC pre-image to your counterparty the transaction gets resolved. However, even after successful resolution of the HTLC with your counterparty, let us say you decide to cheat them by force closing the earlier state of the commitment transaction containing the HTLC. As soon as you publish this commitment transaction, you publish the HTLC success transaction that consumes the OP_IF part inside the OP_ELSE. Since the HTLC success transaction is consuming an output that is not timelocked, you are not providing enough time for your counterparty to use their right of the revocation key which is in the received HTLC output. That is the reason there is a second stage, where your spending from the offered HTLC output to yourself is locked until to_self_delay which allows your counterparty to use the revocation secret.

Now you might wonder, why the revocation exists in the commitment transaction received HTLC output if it is provided in the HTLC success/timeout transactions. Let us take the above case to explain it. You added the HTLC and signed the commitment transaction. That HTLC was settled by you providing the pre-image to your counterparty and the commitment transaction containing that HTLC was revoked. Despite that, assume you try to broadcast the previous commitment transaction containing the HTLC and refrains from publishing the HTLC success transaction. If revocation did not exist in the commitment transaction, the counterparty might not be able to get their funds back until the cltv_expiry which might extend to hundreds of blocks (couple of days) if there are a number of hops. This is cumbersome since that HTLC was already settled (especially if there are number of previously satisfied HTLCs), and the provision of revocation in the commitment transaction allows the counterparty to settle them immediately.

The revocation part is designed so that your counterparty never suffers because of the actions you decide to take to cheat them. The presence of revocation in commitment transaction and the HTLC success/HTLC timeout transaction help protect the Lightning Network participants from frauds committed their peers.

Ugam Kamat

Posted 2019-10-29T09:08:18.123

Reputation: 5 180

If you publish an old commitment tx with 1 received HTLC, the counterparty can enter the timeout process as specified in cltv_expiry and then collect the money via HTLC-timeout anyway? So your point is that we don't want the counterparty to wait that long if you cheat? You don't seem to have a good reason to publish this tx though pure harm may be wanted.yyforyongyu 2019-10-29T10:10:13.040

@yyforyongyu (1) Yes, you are correct that the counterparty can collect after the time-out process, but the local node (who is cheating) can spend it immediately using the HTLC success transaction (since it has the pre-image). (2) it is not just pure harm but you are definitely economically incentivized to publish it. You got the funds from your counterparty by providing the pre-image for the HTLC. Suppose after that you provided some funds to your counterparty for some good you bought from them. The previous state that included the HTLC is more beneficial to you so you publish that,.Ugam Kamat 2019-10-29T10:14:45.887

Let's say I'm the local node who is cheating. I have to spend it via a HTLC-success tx, which has a revocation inside it. Once I spend the commitment tx, I have to wait to_self_delay time before I can spend the HTLC-success tx, meanwhile, the counterparty can take the money via the revocation?yyforyongyu 2019-10-29T10:32:19.667

@yyforyongyu Yes. Since you can spend the commitment transaction HTLC output immediately (for HTLC success) you will not be providing any time for your counterparty to react. As a result the to_self_delay within the HTLC success output allows the counterparty to use the revocation and then spend the money.Ugam Kamat 2019-10-29T10:34:13.360

interesting. This goes back to the original question, if the counterparty can take the money via revocation inside the HTLC-success tx, what's the point of having a revocation inside the commitment tx?yyforyongyu 2019-10-29T10:43:19.063

@yyforyongyu That's answered in the second last paragraph of my answer (i tried to make it more clearer). What if the cheater never publishes the HTLC success transaction? Even though that HTLC is settled, the counterparty might have to wait couple hundred blocks to get it settled (if there are number of hops). Imagine if it contained multiple such HTLCs and you have to wait for each of them to time out despite the fact that all of them have been settled.Ugam Kamat 2019-10-29T11:08:53.113