[Lightning-dev] Payment channel without timeout protected from malleability

Anthony Towns aj at erisian.com.au
Fri Nov 27 09:09:46 UTC 2015


On Fri, Nov 27, 2015 at 04:37:04PM +0900, Nicolas Dorier wrote:
> By adapting an idea from gmaxwell (
> https://bitcointalk.org/index.php?topic=303088.0) it is possible to open a
> channel without suffering from a malleability attack.
> The process for A to open a channel with B is the following:
> * A asks B for a pubkey
> * A creates the first commitment transaction
> * A extracts the hash that B needs to sign to be able to broadcast the
> commitment
> * A asks B to sign the hash, but does not disclose the commitment
> * A broadcasts the anchor
> * After confirmation, A announces the anchor to B.

A also passes the original unsigned commitment to B, who verifies that
it's in the right format (ie, can be revoked), and hashes to the hash
that he signed.

> B can't identify A's anchor before announcement because he does not know
> the P2SH of the multisig.
> Am I missing something?

Someone other than B (ie a third party) could malleate the anchor between
broadcast and confirmation just for their own amusement.

B can't reuse pubkeys between different channels with this protocol
either, but that's good practice anyway.

From the same forum post, using child-pays-for-parent seems plausible.
Doing:

  txA: spend 6 BTC to
     5 BTC to A&B
     1 BTC to A

  txB: spend 1 BTC from txA:1 to
     0.999 BTC to A

should be pretty safe: either someone malleates txA and mines it for
0 fee; or they mine both txA+txB for 0.001 BTC fee, and txA can't be
malleated. But CPFP doesn't work yet, and segregated witness seems like
it'll happen sooner anyway?

Cheers,
aj
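The child-pays-for-parent argument above, as an added example that is not part of the original thread: a toy model of pre-segwit txids and fees showing why a miner who malleates txA forfeits txB's fee. Amounts are in satoshis, the txid is a plain hash over the simplified transaction (including the scriptSig, which is what malleation changes), and the funding outpoint is constructed.

```python
import hashlib
import json

# Constructed funding outpoint A spends in txA (6 BTC, in satoshis).
FUNDING = ("constructed_funding_txid", 0)
UTXOS = {FUNDING: 600_000_000}


def make_tx(inputs, outputs, scriptsig):
    return {"inputs": inputs, "outputs": outputs, "scriptsig": scriptsig}


def txid(tx):
    # Pre-segwit style id: the scriptSig is covered, so changing it
    # (e.g. re-encoding the signature push) yields a different txid.
    return hashlib.sha256(json.dumps(tx, sort_keys=True).encode()).hexdigest()


def tx_fee(tx, utxos):
    # Fee = inputs - outputs; None if it spends an outpoint that does not exist.
    in_sum = 0
    for outpoint in tx["inputs"]:
        if outpoint not in utxos:
            return None
        in_sum += utxos[outpoint]
    return in_sum - sum(v for _, v in tx["outputs"])


def miner_reward(txs, utxos):
    """Fees collected by mining txs in order; invalid (orphaned) txs are skipped."""
    utxos = dict(utxos)
    total = 0
    for tx in txs:
        fee = tx_fee(tx, utxos)
        if fee is None or fee < 0:
            continue
        for i, (_, v) in enumerate(tx["outputs"]):
            utxos[(txid(tx), i)] = v
        total += fee
    return total


# txA: 5 BTC to A&B, 1 BTC to A, zero fee.  txB: spends txA:1, pays 0.001 BTC fee.
tx_a = make_tx([FUNDING], [("A&B", 500_000_000), ("A", 100_000_000)], "sig_canonical")
tx_b = make_tx([(txid(tx_a), 1)], [("A", 99_900_000)], "sig_canonical")


def honest_package_fee():
    return miner_reward([tx_a, tx_b], UTXOS)  # txA (0) + txB (100000) = 100000


def malleated_package_fee():
    # A third party rewrites txA's scriptSig before it is mined: txB still
    # references the original txid, so it is orphaned and its fee is lost.
    tx_a_mal = make_tx(tx_a["inputs"], tx_a["outputs"], "sig_malleated")
    return miner_reward([tx_a_mal, tx_b], UTXOS)  # 0
```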
