LNPBP-55: Bifrost HTLCs
Abstract
This document specifies upgrade of BOLT-1, 3, 4 and 5-based routed payments in legacy network and covers payment routing via HTLC-based channel synchronization in Bifrost using Taproot, TapScript and miniscript-based bitcoin output descriptors.
Background
HTLC (hash-time-locked contracts) are used for coordination of state update between multiple UTXO-based channels. This was the first mechanism proposed for payment routing in the original lightning network.
Motivation
Legacy lightning network uses pre-Taproot scripts and non-Schnorr signatures, which reduces its privacy and requires more onchain space, especially in cases of non- cooperative channel closings.
Design
Specification
Messaging
HTLC-based payment coordination is performed by using onion message transport from LNPBP-52. This specification defines the following message types embedded as onion payloads:
HTLC_ADD
HTLC_EXPIRE
HTLC_FULFILL
HTLC_MALFORMED
It also re-uses SIG_UPDATE and REVOKE messages from the core Bifrost protocol (LNPBP-50).
Transactions
Each HTLC contract adds an output to the commitment transaction. The output depends on whether this is an offered HTLC or received one.
Offered HTLC outputs
Received HTLC outputs
These outputs are constructed after BOLT-3 with option_anchors (see rationale).
HTLC spending transactions
The input of HTLC spending transactions spends offered HTLC (for HTLC timeout transaction) or received HTLC (for HTLC success transaction) output from the commitment transaction.
nLockTime:
0 for HTLC-success
CLTV_EXPIRYfor HTLC-timeout
Input:
nSeq:
SELF_DELAY(must be even to use P2C deterministic bitcoin commitments)control block:
0xC0/0xC1 <first branch tapleaf-hash>rest of witness stack for HTLC-success:
KEY_HTLC_LOCALSIG(KEY_HTLC_LOCAL)KEY_HTLC_REMOTESIG(KEY_HTLC_REMOTE)HASH_PREIMAGE
rest of witness stack for HTLC-timeout:
KEY_HTLC_REMOTESIG(KEY_HTLC_REMOTE)KEY_HTLC_LOCALSIG(KEY_HTLC_LOCAL)
Output descriptor:
(* denotes that the internal taproot key
KEY_REVOCATIONmay be tweaked with pay-to-contract commitment)
On-chain protocol
TBD
Compatibility
Rationale
Use of OP_CHECKSIGADD
OP_CHECKSIGADDThere are multiple ways to create multisig scheme in Taproot & TapScript [1]. In script-path spending leafs we choose to use OP_CHECKSIGADD-based scripts, defined by miniscript multi_a descriptors. This allows to avoid multiple interactive communications required for composinng aggregated MuSig signatures. The downside of this approach is a large witness stack size (and higher transaction cost), which may be mitigated by adopting PTLC-based scriptless- script contracts [2].
Use of option_anchors
option_anchorsHTLC construction in Bifrost always requires use of equivalent of legacy BOLT-9 "anchored outputs" option. This addresses a vulnerability caused by the absence of self-delay seqnence lock, where local party had an incentive to non-cooperatively close the channel in order to instantly get access to the local funds.
Reference implementation
Acknowledgements
References
LNPBP-0056
Copyright
This document is licensed under the Creative Commons CC0 1.0 Universal license.
Test vectors
Last updated