* [bitcoin-dev] BIP draft: HTLC transactions
@ 2016-07-20 4:35 Sean Bowe
2016-07-20 5:46 ` Peter Todd
0 siblings, 1 reply; 5+ messages in thread
From: Sean Bowe @ 2016-07-20 4:35 UTC (permalink / raw)
To: bitcoin-dev
[-- Attachment #1: Type: text/plain, Size: 1069 bytes --]
I'm requesting feedback for Hash Time-Locked Contract (HTLC) transactions
in Bitcoin.
HTLC transactions allow you to pay for the preimage of a hash. CSV/CLTV can
be used to recover your funds if the other party is not cooperative. These
scripts take the following general form:
[HASHOP] <digest> OP_EQUAL
OP_IF
<seller pubkey>
OP_ELSE
<num> [TIMEOUTOP] OP_DROP <buyer pubkey>
OP_ENDIF
OP_CHECKSIG
These transactions are useful for both the Lightning network and in
zero-knowledge contingent payments. This very script (using CLTV and
SHA256) was used as part of our "pay-to-sudoku" ZKCP demo earlier this
year: https://github.com/zcash/pay-to-sudoku
Members of the community have expressed the desire for a BIP to submitted
in coordination with changes to Bitcoin Core that support these
transactions in the wallet.
Please review my draft BIP here:
https://gist.github.com/ebfull/8306903041d46e4119a39442f72a3741
An implementation is being worked on here:
https://github.com/bitcoin/bitcoin/pull/7601
Thanks!
Sean Bowe
Zcash
[-- Attachment #2: Type: text/html, Size: 1632 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [bitcoin-dev] BIP draft: HTLC transactions
2016-07-20 4:35 [bitcoin-dev] BIP draft: HTLC transactions Sean Bowe
@ 2016-07-20 5:46 ` Peter Todd
2016-07-20 6:17 ` Luke Dashjr
0 siblings, 1 reply; 5+ messages in thread
From: Peter Todd @ 2016-07-20 5:46 UTC (permalink / raw)
To: Sean Bowe, Bitcoin Protocol Discussion
[-- Attachment #1: Type: text/plain, Size: 837 bytes --]
On Tue, Jul 19, 2016 at 10:35:39PM -0600, Sean Bowe via bitcoin-dev wrote:
> I'm requesting feedback for Hash Time-Locked Contract (HTLC) transactions
> in Bitcoin.
>
> HTLC transactions allow you to pay for the preimage of a hash. CSV/CLTV can
> be used to recover your funds if the other party is not cooperative. These
> scripts take the following general form:
>
> [HASHOP] <digest> OP_EQUAL
> OP_IF
> <seller pubkey>
> OP_ELSE
> <num> [TIMEOUTOP] OP_DROP <buyer pubkey>
> OP_ENDIF
> OP_CHECKSIG
Note that because you're hashing the top item on the stack regardless
scriptSig's that satisfy HTLC's are malleable: that top stack item can be
changed anything in the digest-not-provided case and the script still passes.
--
https://petertodd.org 'peter'[:-1]@petertodd.org
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 455 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [bitcoin-dev] BIP draft: HTLC transactions
2016-07-20 5:46 ` Peter Todd
@ 2016-07-20 6:17 ` Luke Dashjr
2016-08-09 0:46 ` Peter Todd
2016-08-17 10:00 ` Johnson Lau
0 siblings, 2 replies; 5+ messages in thread
From: Luke Dashjr @ 2016-07-20 6:17 UTC (permalink / raw)
To: bitcoin-dev, Peter Todd
On Wednesday, July 20, 2016 5:46:54 AM Peter Todd via bitcoin-dev wrote:
> On Tue, Jul 19, 2016 at 10:35:39PM -0600, Sean Bowe via bitcoin-dev wrote:
> > I'm requesting feedback for Hash Time-Locked Contract (HTLC) transactions
> > in Bitcoin.
> >
> > HTLC transactions allow you to pay for the preimage of a hash. CSV/CLTV
> > can be used to recover your funds if the other party is not cooperative.
> > These
> >
> > scripts take the following general form:
> > [HASHOP] <digest> OP_EQUAL
> > OP_IF
> >
> > <seller pubkey>
> >
> > OP_ELSE
> >
> > <num> [TIMEOUTOP] OP_DROP <buyer pubkey>
> >
> > OP_ENDIF
> > OP_CHECKSIG
>
> Note that because you're hashing the top item on the stack regardless
> scriptSig's that satisfy HTLC's are malleable: that top stack item can be
> changed anything in the digest-not-provided case and the script still
> passes.
OP_SIZE
OP_IF
[HASHOP] <digest> OP_EQUALVERIFY
<seller pubkey>
OP_ELSE
<num> [TIMEOUTOP]
<buyer pubkey>
OP_ENDIF
OP_CHECKSIG
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [bitcoin-dev] BIP draft: HTLC transactions
2016-07-20 6:17 ` Luke Dashjr
@ 2016-08-09 0:46 ` Peter Todd
2016-08-17 10:00 ` Johnson Lau
1 sibling, 0 replies; 5+ messages in thread
From: Peter Todd @ 2016-08-09 0:46 UTC (permalink / raw)
To: Luke Dashjr; +Cc: bitcoin-dev
[-- Attachment #1: Type: text/plain, Size: 1310 bytes --]
On Wed, Jul 20, 2016 at 06:17:39AM +0000, Luke Dashjr wrote:
> On Wednesday, July 20, 2016 5:46:54 AM Peter Todd via bitcoin-dev wrote:
> > On Tue, Jul 19, 2016 at 10:35:39PM -0600, Sean Bowe via bitcoin-dev wrote:
> > > I'm requesting feedback for Hash Time-Locked Contract (HTLC) transactions
> > > in Bitcoin.
> > >
> > > HTLC transactions allow you to pay for the preimage of a hash. CSV/CLTV
> > > can be used to recover your funds if the other party is not cooperative.
> > > These
> > >
> > > scripts take the following general form:
> > > [HASHOP] <digest> OP_EQUAL
> > > OP_IF
> > >
> > > <seller pubkey>
> > >
> > > OP_ELSE
> > >
> > > <num> [TIMEOUTOP] OP_DROP <buyer pubkey>
> > >
> > > OP_ENDIF
> > > OP_CHECKSIG
> >
> > Note that because you're hashing the top item on the stack regardless
> > scriptSig's that satisfy HTLC's are malleable: that top stack item can be
> > changed anything in the digest-not-provided case and the script still
> > passes.
>
> OP_SIZE
> OP_IF
> [HASHOP] <digest> OP_EQUALVERIFY
> <seller pubkey>
> OP_ELSE
> <num> [TIMEOUTOP]
> <buyer pubkey>
> OP_ENDIF
> OP_CHECKSIG
Ha! That's brilliant; good job.
--
https://petertodd.org 'peter'[:-1]@petertodd.org
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 455 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [bitcoin-dev] BIP draft: HTLC transactions
2016-07-20 6:17 ` Luke Dashjr
2016-08-09 0:46 ` Peter Todd
@ 2016-08-17 10:00 ` Johnson Lau
1 sibling, 0 replies; 5+ messages in thread
From: Johnson Lau @ 2016-08-17 10:00 UTC (permalink / raw)
To: Bitcoin Protocol Discussion, Peter Todd, Luke Dashjr
> On July 20, 2016 at 2:17 AM Luke Dashjr via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
>
> On Wednesday, July 20, 2016 5:46:54 AM Peter Todd via bitcoin-dev wrote:
>
> > On Tue, Jul 19, 2016 at 10:35:39PM -0600, Sean Bowe via bitcoin-dev wrote:
> >
> > > I'm requesting feedback for Hash Time-Locked Contract (HTLC) transactions
> > > in Bitcoin.
> > >
> > > HTLC transactions allow you to pay for the preimage of a hash. CSV/CLTV
> > > can be used to recover your funds if the other party is not cooperative.
> > > These
> > >
> > > scripts take the following general form:
> > > [HASHOP] OP_EQUAL
> > > OP_IF
> > >
> > >
> > >
> > > OP_ELSE
> > >
> > > [TIMEOUTOP] OP_DROP
> > >
> > > OP_ENDIF
> > > OP_CHECKSIG
> >
> > Note that because you're hashing the top item on the stack regardless
> > scriptSig's that satisfy HTLC's are malleable: that top stack item can be
> > changed anything in the digest-not-provided case and the script still
> > passes.
>
> OP_SIZE
> OP_IF
> [HASHOP] <digest> OP_EQUALVERIFY
> <seller pubkey>
> OP_ELSE
> <num> [TIMEOUTOP]
> <buyer pubkey>
> OP_ENDIF
> OP_CHECKSIG
>
This is incompatible with my proposal for fixing the OP_IF/NOTIF malleability in segwit ("MINIMALIF"). In this case only the timeout branch may be executed.
To make it compatible, you may use one of the following 2 scripts:
OP_SIZE OP_0NOTEQUAL
OP_IF
[HASHOP] <digest> OP_EQUALVERIFY
<seller pubkey>
OP_ELSE
<num> [TIMEOUTOP] OP_DROP
<buyer pubkey>
OP_ENDIF
OP_CHECKSIG
or
OP_IF
[HASHOP] <digest> OP_EQUALVERIFY
<seller pubkey>
OP_ELSE
<num> [TIMEOUTOP] OP_DROP
<buyer pubkey>
OP_ENDIF
OP_CHECKSIG
The overall witness size are the same for these scripts. They are 1 byte larger than Luke's script, in case MINIMALIF is not enforced.
(btw, the OP_DROP after TIMEOUTOP is missing in Luke's script)
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2016-08-17 10:00 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-07-20 4:35 [bitcoin-dev] BIP draft: HTLC transactions Sean Bowe
2016-07-20 5:46 ` Peter Todd
2016-07-20 6:17 ` Luke Dashjr
2016-08-09 0:46 ` Peter Todd
2016-08-17 10:00 ` Johnson Lau
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox