[bitcoin-dev] Reconciling the off-chain and on-chain models with eltoo

ZmnSCPxj ZmnSCPxj at protonmail.com
Fri Sep 6 14:32:38 UTC 2019


Good morning Christian,

This is effectively transaction cut-through.
I mention this in passing here: https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-April/001986.html

> I observe that one may consider any offchain system a specialization of an offchain transaction cut-through system.
> Thus, one may model changes to the offchain system state as the creation of some transactions, followed by a cut-through of those transactions into the new state.

Basically, we can send a transaction that spends a subset of the current state txos to the participants in the update mechanism.
Then the participants can agree that it is a valid spend of the specified state txos, and agree to sign a new state with the spent txos deleted and the new txos of the transaction inserted.
Disagreement at this point is essentially a "if your tx is so valid why do you not try it on the base blockchain layer huh?" challenge and is basically an invitation to close it unilaterally and enforce the contract on the blockchain.

The "difficulty" in Poon-Dryja is not very onerous in my opinion; see the sketch here: https://lists.linuxfoundation.org/pipermail/lightning-dev/2018-August/001383.html

Of note is that any contract with a relative locktime requirement would not make sense to maintain offchain.
If one wishes to select a relative locktime relative to the current moment, one can quite easily compute an absolute timelock.

Another note, is that contracts with timelocks need to be enforced onchain on or before the timelock.
Under Decker-Russell-Osuntokun the onchain enforcement needs to be triggered early according to the CSV security parameter; this is not an issue under Poon-Dryja (as the CSV is in a later transaction).
Under Decker-Russell-Osuntokun due to the use of `SIGHASH_NOINPUT` and the non-stable txids involved, any transaction you wish to transport in the offchain update mechanism needs to also be signed under `SIGHASH_NOINPUT`, but again this is not onerous.
In any case it is "only" a matter of tradeoffs one is willing to work under anyway, and Decker-Russell-Osuntokun is very cool and uses `nLockTime` and `OP_CHECKLOCKTIMEVERIFY` in a very clever way.

Regards,
ZmnSCPxj


More information about the bitcoin-dev mailing list