public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
* [bitcoin-dev] BIP draft: HTLC transactions
@ 2016-07-20  4:35 Sean Bowe
  2016-07-20  5:46 ` Peter Todd
  0 siblings, 1 reply; 5+ messages in thread
From: Sean Bowe @ 2016-07-20  4:35 UTC (permalink / raw)
  To: bitcoin-dev

[-- Attachment #1: Type: text/plain, Size: 1069 bytes --]

I'm requesting feedback for Hash Time-Locked Contract (HTLC) transactions
in Bitcoin.

HTLC transactions allow you to pay for the preimage of a hash. CSV/CLTV can
be used to recover your funds if the other party is not cooperative. These
scripts take the following general form:

    [HASHOP] <digest> OP_EQUAL
    OP_IF
        <seller pubkey>
    OP_ELSE
        <num> [TIMEOUTOP] OP_DROP <buyer pubkey>
    OP_ENDIF
    OP_CHECKSIG

These transactions are useful for both the Lightning network and in
zero-knowledge contingent payments. This very script (using CLTV and
SHA256) was used as part of our "pay-to-sudoku" ZKCP demo earlier this
year: https://github.com/zcash/pay-to-sudoku

Members of the community have expressed the desire for a BIP to submitted
in coordination with changes to Bitcoin Core that support these
transactions in the wallet.

Please review my draft BIP here:
https://gist.github.com/ebfull/8306903041d46e4119a39442f72a3741

An implementation is being worked on here:
https://github.com/bitcoin/bitcoin/pull/7601

Thanks!

Sean Bowe
Zcash

[-- Attachment #2: Type: text/html, Size: 1632 bytes --]

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [bitcoin-dev] BIP draft: HTLC transactions
  2016-07-20  4:35 [bitcoin-dev] BIP draft: HTLC transactions Sean Bowe
@ 2016-07-20  5:46 ` Peter Todd
  2016-07-20  6:17   ` Luke Dashjr
  0 siblings, 1 reply; 5+ messages in thread
From: Peter Todd @ 2016-07-20  5:46 UTC (permalink / raw)
  To: Sean Bowe, Bitcoin Protocol Discussion

[-- Attachment #1: Type: text/plain, Size: 837 bytes --]

On Tue, Jul 19, 2016 at 10:35:39PM -0600, Sean Bowe via bitcoin-dev wrote:
> I'm requesting feedback for Hash Time-Locked Contract (HTLC) transactions
> in Bitcoin.
> 
> HTLC transactions allow you to pay for the preimage of a hash. CSV/CLTV can
> be used to recover your funds if the other party is not cooperative. These
> scripts take the following general form:
> 
>     [HASHOP] <digest> OP_EQUAL
>     OP_IF
>         <seller pubkey>
>     OP_ELSE
>         <num> [TIMEOUTOP] OP_DROP <buyer pubkey>
>     OP_ENDIF
>     OP_CHECKSIG

Note that because you're hashing the top item on the stack regardless
scriptSig's that satisfy HTLC's are malleable: that top stack item can be
changed anything in the digest-not-provided case and the script still passes.

-- 
https://petertodd.org 'peter'[:-1]@petertodd.org

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 455 bytes --]

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [bitcoin-dev] BIP draft: HTLC transactions
  2016-07-20  5:46 ` Peter Todd
@ 2016-07-20  6:17   ` Luke Dashjr
  2016-08-09  0:46     ` Peter Todd
  2016-08-17 10:00     ` Johnson Lau
  0 siblings, 2 replies; 5+ messages in thread
From: Luke Dashjr @ 2016-07-20  6:17 UTC (permalink / raw)
  To: bitcoin-dev, Peter Todd

On Wednesday, July 20, 2016 5:46:54 AM Peter Todd via bitcoin-dev wrote:
> On Tue, Jul 19, 2016 at 10:35:39PM -0600, Sean Bowe via bitcoin-dev wrote:
> > I'm requesting feedback for Hash Time-Locked Contract (HTLC) transactions
> > in Bitcoin.
> > 
> > HTLC transactions allow you to pay for the preimage of a hash. CSV/CLTV
> > can be used to recover your funds if the other party is not cooperative.
> > These
> > 
> > scripts take the following general form:
> >     [HASHOP] <digest> OP_EQUAL
> >     OP_IF
> >     
> >         <seller pubkey>
> >     
> >     OP_ELSE
> >     
> >         <num> [TIMEOUTOP] OP_DROP <buyer pubkey>
> >     
> >     OP_ENDIF
> >     OP_CHECKSIG
> 
> Note that because you're hashing the top item on the stack regardless
> scriptSig's that satisfy HTLC's are malleable: that top stack item can be
> changed anything in the digest-not-provided case and the script still
> passes.

OP_SIZE
OP_IF
  [HASHOP] <digest> OP_EQUALVERIFY
  <seller pubkey>
OP_ELSE
  <num> [TIMEOUTOP]
  <buyer pubkey>
OP_ENDIF
OP_CHECKSIG



^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [bitcoin-dev] BIP draft: HTLC transactions
  2016-07-20  6:17   ` Luke Dashjr
@ 2016-08-09  0:46     ` Peter Todd
  2016-08-17 10:00     ` Johnson Lau
  1 sibling, 0 replies; 5+ messages in thread
From: Peter Todd @ 2016-08-09  0:46 UTC (permalink / raw)
  To: Luke Dashjr; +Cc: bitcoin-dev

[-- Attachment #1: Type: text/plain, Size: 1310 bytes --]

On Wed, Jul 20, 2016 at 06:17:39AM +0000, Luke Dashjr wrote:
> On Wednesday, July 20, 2016 5:46:54 AM Peter Todd via bitcoin-dev wrote:
> > On Tue, Jul 19, 2016 at 10:35:39PM -0600, Sean Bowe via bitcoin-dev wrote:
> > > I'm requesting feedback for Hash Time-Locked Contract (HTLC) transactions
> > > in Bitcoin.
> > > 
> > > HTLC transactions allow you to pay for the preimage of a hash. CSV/CLTV
> > > can be used to recover your funds if the other party is not cooperative.
> > > These
> > > 
> > > scripts take the following general form:
> > >     [HASHOP] <digest> OP_EQUAL
> > >     OP_IF
> > >     
> > >         <seller pubkey>
> > >     
> > >     OP_ELSE
> > >     
> > >         <num> [TIMEOUTOP] OP_DROP <buyer pubkey>
> > >     
> > >     OP_ENDIF
> > >     OP_CHECKSIG
> > 
> > Note that because you're hashing the top item on the stack regardless
> > scriptSig's that satisfy HTLC's are malleable: that top stack item can be
> > changed anything in the digest-not-provided case and the script still
> > passes.
> 
> OP_SIZE
> OP_IF
>   [HASHOP] <digest> OP_EQUALVERIFY
>   <seller pubkey>
> OP_ELSE
>   <num> [TIMEOUTOP]
>   <buyer pubkey>
> OP_ENDIF
> OP_CHECKSIG

Ha! That's brilliant; good job.

-- 
https://petertodd.org 'peter'[:-1]@petertodd.org

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 455 bytes --]

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [bitcoin-dev] BIP draft: HTLC transactions
  2016-07-20  6:17   ` Luke Dashjr
  2016-08-09  0:46     ` Peter Todd
@ 2016-08-17 10:00     ` Johnson Lau
  1 sibling, 0 replies; 5+ messages in thread
From: Johnson Lau @ 2016-08-17 10:00 UTC (permalink / raw)
  To: Bitcoin Protocol Discussion, Peter Todd, Luke Dashjr


> On July 20, 2016 at 2:17 AM Luke Dashjr via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
> 
> On Wednesday, July 20, 2016 5:46:54 AM Peter Todd via bitcoin-dev wrote:
> 
> > On Tue, Jul 19, 2016 at 10:35:39PM -0600, Sean Bowe via bitcoin-dev wrote:
> > 
> > > I'm requesting feedback for Hash Time-Locked Contract (HTLC) transactions
> > > in Bitcoin.
> > > 
> > > HTLC transactions allow you to pay for the preimage of a hash. CSV/CLTV
> > > can be used to recover your funds if the other party is not cooperative.
> > > These
> > > 
> > > scripts take the following general form:
> > >  [HASHOP]  OP_EQUAL
> > >  OP_IF
> > > 
> > > 
> > > 
> > > OP_ELSE
> > > 
> > >  [TIMEOUTOP] OP_DROP 
> > > 
> > > OP_ENDIF
> > >  OP_CHECKSIG
> > 
> > Note that because you're hashing the top item on the stack regardless
> > scriptSig's that satisfy HTLC's are malleable: that top stack item can be
> > changed anything in the digest-not-provided case and the script still
> > passes.
> 
> OP_SIZE
> OP_IF
>  [HASHOP] <digest> OP_EQUALVERIFY
>  <seller pubkey>
> OP_ELSE
>  <num> [TIMEOUTOP]
>  <buyer pubkey>
> OP_ENDIF
> OP_CHECKSIG
> 

This is incompatible with my proposal for fixing the OP_IF/NOTIF malleability in segwit ("MINIMALIF"). In this case only the timeout branch may be executed.

To make it compatible, you may use one of the following 2 scripts:

OP_SIZE OP_0NOTEQUAL
OP_IF
 [HASHOP] <digest> OP_EQUALVERIFY
 <seller pubkey>
OP_ELSE
 <num> [TIMEOUTOP] OP_DROP
 <buyer pubkey>
OP_ENDIF
OP_CHECKSIG

or

OP_IF
 [HASHOP] <digest> OP_EQUALVERIFY
 <seller pubkey>
OP_ELSE
 <num> [TIMEOUTOP] OP_DROP
 <buyer pubkey>
OP_ENDIF
OP_CHECKSIG

The overall witness size are the same for these scripts. They are 1 byte larger than Luke's script, in case MINIMALIF is not enforced.

(btw, the OP_DROP after TIMEOUTOP is missing in Luke's script)


^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2016-08-17 10:00 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-07-20  4:35 [bitcoin-dev] BIP draft: HTLC transactions Sean Bowe
2016-07-20  5:46 ` Peter Todd
2016-07-20  6:17   ` Luke Dashjr
2016-08-09  0:46     ` Peter Todd
2016-08-17 10:00     ` Johnson Lau

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox