[Lightning-dev] Payment channel without timeout protected from malleability

Anthony Towns aj at erisian.com.au
Fri Nov 27 09:09:46 UTC 2015

On Fri, Nov 27, 2015 at 04:37:04PM +0900, Nicolas Dorier wrote:
> By adapting an idea from gmaxwell (
> https://bitcointalk.org/index.php?topic=303088.0) it is possible to open a
> channel without suffering from malleability attack.
> The process for A to open channel with B is the following:
> * A asks B for a pubkey
> * A creates the first commitment transaction
> * A extracts the hash that B needs to sign to be able to broadcast the
> commitment
> * A asks B to sign the hash, but does not disclose the commitment
> * A broadcasts the anchor
> * After confirmation, A announces the anchor to B.

A also passes the original unsigned commitment to B, who verifies that
it's in the right format (ie, can be revoked), and hashes to the hash
that he signed.

> B can't identify A's anchor before announcement because he does not know
> the P2SH of the multisig.
> Am I missing something ?

Someone other than B (ie a third party) could malleate the anchor between
broadcast and confirmation just for their own amusement.

B can't reuse pubkeys between different channels with this protocol
either, but that's good practice anyway.

From the same forum post, using child-pays-for-parent seems plausible.

  txA: spend 6 BTC to
     5 BTC to A&B
     1 BTC to A

  txB: spend 1 BTC from txA:1 to
     0.999 BTC to A

should be pretty safe: either someone malleates txA and mines it for
0 fee; or they mine both txA+txB for 0.001 BTC fee, and txA can't be
malleated. But CPFP doesn't work yet, and segregated witness seems like
it'll happen sooner anyway?
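As an added illustration (not code from this thread), a small Python model of the blind-hash signing flow and of the checks B needs once A announces the anchor, including the third-party malleation case raised above; `txid`, `sighash`, the pubkey labels and the "signature" are constructed stand-ins, not real Bitcoin serialization or ECDSA.

```python
import hashlib
import json
def txid(tx):
    # Stand-in for a txid: hashes the whole tx, including the malleable "sig_pad" field.
    return hashlib.sha256(json.dumps(tx, sort_keys=True).encode()).hexdigest()

def sighash(tx):
    # Stand-in for the hash B signs: covers inputs (hence the anchor's txid) and outputs, not "sig_pad".
    body = {k: v for k, v in tx.items() if k != "sig_pad"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class Bob:
    def __init__(self):
        self.signed = {}        # sighash -> channel pubkey it was signed under
        self.pubkeys_issued = 0

    def fresh_pubkey(self):
        # One pubkey per channel, never reused (constructed label).
        self.pubkeys_issued += 1
        return f"pubB-{self.pubkeys_issued}"

    def sign_blind(self, pubkey, h):
        # B signs a bare hash; he never sees the commitment or the anchor's P2SH.
        self.signed[h] = pubkey
        return hashlib.sha256(f"sig:{pubkey}:{h}".encode()).hexdigest()  # stand-in for ECDSA

    def accept_anchor(self, anchor, commitment):
        # A announces the confirmed anchor and reveals the unsigned commitment.
        h = sighash(commitment)
        if h not in self.signed:
            return "reject: commitment does not hash to anything I signed"
        if commitment["inputs"] != [[txid(anchor), 0]]:
            return "reject: commitment does not spend the announced anchor (malleated?)"
        if not commitment["outputs"][0][1].startswith("revocable("):
            return "reject: commitment is not in revocable format"
        return "ok"

def alice_open(bob, commit_script="revocable(pubA,pubB)"):
    # A builds anchor + commitment, obtains B's blind signature, then broadcasts the anchor.
    pk_b = bob.fresh_pubkey()
    anchor = {"inputs": [["fundingA", 0]], "outputs": [[5.0, f"multisig(pubA,{pk_b})"]], "sig_pad": 0}
    commitment = {"inputs": [[txid(anchor), 0]], "outputs": [[5.0, commit_script]]}
    sig_b = bob.sign_blind(pk_b, sighash(commitment))
    return anchor, commitment, sig_b

def malleate(tx):
    # Third-party malleation: same spends and outputs, different txid.
    return dict(tx, sig_pad=tx["sig_pad"] + 1)
```

If the anchor that confirms is the malleated one, the commitment B co-signed spends a txid that no longer exists, which is exactly what the prevout check catches.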
