'%3e%3crect%20x='109.185'%20y='253.397'%20width='350.859'%20height='857.656'%20fill='white'/%3e%3cpath%20d='M274.77%20708.572H233.194V888.205H286.632C302.651%20888.205%20314.635%20883.711%20322.461%20875.088C330.287%20866.465%20334.322%20851.404%20334.322%20830.149V779.138C334.322%20752.539%20329.797%20734.2%20320.382%20723.997C310.966%20713.795%20295.681%20708.451%20274.77%20708.451V708.572Z'%20fill='%23FF5C00'/%3e%3cpath%20d='M310.966%20610.558C320.015%20601.206%20324.539%20585.295%20324.539%20563.19V530.518C324.539%20490.559%20308.887%20470.519%20277.705%20470.033H232.949V624.768H269.512C287.977%20624.768%20302.039%20619.91%20311.088%20610.436L310.966%20610.558Z'%20fill='%23FF5C00'/%3e%3cpath%20d='M277.582%200C124.362%200%200%20123.399%200%20275.704V1069.3C0%201221.48%20124.239%201345%20277.582%201345C430.803%201345%20555.165%201221.6%20555.165%201069.3V275.704C555.165%20123.52%20430.926%200%20277.582%200ZM426.523%20833.064C426.523%20878.367%20414.539%20912.739%20390.817%20936.423C375.898%20951.241%20356.7%20961.322%20333.221%20966.909V987.677C333.221%201002.5%20320.993%201014.64%20306.075%201014.64C291.156%201014.64%20278.805%201002.5%20278.805%20987.677V971.888H232.949V987.677C232.949%201002.5%20220.721%201014.64%20205.803%201014.64C190.884%201014.64%20178.655%201002.5%20178.655%20987.677V971.888H170.218C150.53%20971.888%20140.625%20962.05%20140.625%20942.496V415.743C140.625%20396.188%20150.53%20386.35%20170.218%20386.35H178.655V357.201C178.655%20342.383%20190.884%20330.238%20205.803%20330.238C220.721%20330.238%20232.949%20342.383%20232.949%20357.201V386.35H278.805V357.201C278.805%20342.383%20291.034%20330.238%20306.075%20330.238C321.115%20330.238%20333.221%20342.383%20333.221%20357.201V388.78C333.221%20389.994%20332.977%20391.087%20332.855%20392.18C354.499%20397.524%20371.863%20406.512%20384.703%20419.386C406.469%20441.491%20417.597%20475.377%20417.597%20521.045V544.364C417.597%20604.363%20397.42%20642.743%20357.556%20659.14V660.719C403.656%20676.265%20426.646%20717.074%20426.646%20782.782V833.064H426.523Z'%20fill='%23FF5C00'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_1_174'%3e%3crect%20width='555'%20height='1345'%20fill='white'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
- Reminder: Commitment Transactions
- The Flaw: Cheating by Publishing an Old Transaction
- Solution: Revocation Key and Timelock
- Transaction Update Process
Reminder: Commitment Transactions
As previously seen, transactions on Lightning rely on unpublished commitment transactions. These transactions reflect the current distribution of funds in the channel. When a new Lightning transaction is made, a new commitment transaction is created and signed by both parties to reflect the new state of the channel.
Let's take a simple example:
- Initial state: Alice has 100,000 satoshis, Bob 30,000 satoshis.
- After a transaction where Alice sends 40,000 satoshis to Bob, the new commitment transaction distributes the funds as follows:
- Alice: 60,000 satoshis
- Bob: 70,000 satoshis
At any time, both parties can publish the latest commitment transaction signed to close the channel and recover their funds.
The Flaw: Cheating by Publishing an Old Transaction
A potential problem arises if one of the parties decides to cheat by publishing an old commitment transaction. For example, Alice could publish an older commitment transaction where she had 100,000 satoshis, even though she now only has 60,000 in reality. This would allow her to steal 40,000 satoshis from Bob.
Even worse, Alice could publish the very first withdrawal transaction, the one before the channel was opened, which would have included 130,000 satoshis, and thus steal the entire channel's funds.
Solution: Revocation Key and Timelock
To prevent this kind of cheating by Alice, on the Lightning Network, security mechanisms are added to the commitment transactions:
- The timelock: Each commitment transaction includes a timelock for Alice's funds. The timelock is a smart contract primitive that sets a time condition that must be met for a transaction to be added to a block. This means that Alice cannot recover her funds until a certain number of blocks have passed if she publishes one of the commitment transactions. This timelock starts to apply from the confirmation of the commitment transaction. Its duration is generally proportional to the size of the channel, but it can also be manually configured.
- Revocation Key: Alice's funds can also be immediately spent by Bob if he possesses the revocation key. This key consists of a secret held by Alice and a secret held by Bob. Note that this secret is different for each commitment transaction. Thanks to these 2 combined mechanisms, Bob has the time to detect Alice's attempt to cheat and to punish her by retrieving his output with the revocation key, which, for Bob, means recovering all the funds of the channel. Our new commitment transaction will now look like this:
Let's detail the functioning of this mechanism together.
Transaction Update Process
When Alice and Bob update the state of the channel with a new Lightning transaction, they exchange their respective secrets in advance for the previous commitment transaction (the one that will become obsolete and could allow one of them to cheat). This means that, in the new state of the channel:
- Alice and Bob have a new commitment transaction representing the current distribution of funds after the Lightning transaction.
- Each has the other's secret for the previous transaction, which allows them to use the revocation key only if one of them tries to cheat by publishing a transaction with an old state in the Bitcoin nodes' mempools. Indeed, to punish the other party, it is necessary to hold both secrets and the other's commitment transaction, which includes the signed input. Without this transaction, the revocation key is useless on its own. The only way to obtain this transaction is to retrieve it from the mempools (i.e., transactions waiting for confirmation) or from the confirmed transactions on the blockchain during the timelock, which proves that the other party is attempting to cheat, whether intentionally or not.
Let's take an example to understand this process well:
- Initial State: Alice has 100,000 satoshis, Bob 30,000 satoshis.
- Bob wants to receive 40,000 satoshis from Alice via their Lightning channel. To do this:
- He sends her an invoice along with his secret for the revocation key of his previous commitment transaction.
- In response, Alice provides her signature for Bob's new commitment transaction, as well as her secret for the revocation key of her previous transaction.
- Finally, Bob sends his signature for Alice's new commitment transaction.
- These exchanges allow Alice to send 40,000 satoshis to Bob on Lightning via their channel, and the new commitment transactions now reflect this new distribution of funds.
- If Alice attempts to publish the old commitment transaction where she still owned 100,000 satoshis, Bob, having obtained the revocation key, can immediately recover the funds using this key, while Alice is blocked by the timelock.
Even if, in this case, Bob has no economic interest in cheating, if he does so anyway, Alice also benefits from symmetric protection, which offers her the same guarantees.
What should you take away from this chapter?
The commitment transactions on the Lightning Network include security mechanisms that reduce both the risk of cheating and the incentives to do so. Before signing a new commitment transaction, Alice and Bob exchange their respective secrets for the previous commitment transactions. If Alice tries to publish an old commitment transaction, Bob can use the revocation key to recover all the funds before Alice can (because she is blocked by the timelock), which punishes her for attempting to cheat.
This security system ensures that participants adhere to the rules of the Lightning Network, and they cannot profit from publishing old commitment transactions.
At this point in the training, you now know how Lightning channels are opened and how transactions within these channels work. In the next chapter, we will explore the various methods for closing a channel and recovering your bitcoins on the main blockchain.
Quiz
Quiz1/5
lnp2013.3
Why do Alice and Bob exchange their secrets for previous commitment transactions?