[Lightning-dev] eltoo towers and implications for settlement key derivation

Anthony Towns aj at erisian.com.au
Tue Dec 3 07:33:25 UTC 2019

On Tue, Nov 26, 2019 at 03:41:14PM -0800, Conner Fromknecht wrote:
> I recently revisited the eltoo paper and noticed some things related
> watchtowers that might affect channel construction.
> In order to spend, however, the tower must also produce a witness
> script which when hashed matches the witness program of the input. To
> ensure settlement txns can only spend from exactly one update txn,
> each update txn uses unique keys for the settlement clause, meaning
> that each state has a _unique_ witness program.

I don't believe that's necessary with the ANYPREVOUT design, see


The design I'm thinking of use a common taproot internal key
P=muSig(A,B) for update transactions. The tapscript paths are
(with the chaperone sigs dropped):

  Update n: [nLockTime = 500e6+n]
    script: OP_1 CHECKSIGVERIFY [500e6+n+1] CLTV
    witness: [ANYPREVOUTANYSCRIPT sig]

  Settlement n: [nSequence = delay; nLockTime=500e6+n+1]
    witness: [ANYPREVOUT sig]  

(This relies on having the two variants of ANYPREVOUT, one of which
commits to the state number via commiting to the [500e6+n+1] value in
the update tx's script, so that you don't need unique keys to ensure
settlement tx n can't spend settlement tx n+k)

With this you can tell which update was posted by subtracting 500e6 from
the nLocktime, and use that to calculate the tapscript the update tx used,
and the internal key is constant.

The watchtower only needs to post the update tx -- as long as the latest
update is posted, the only tx that can spend it is the correct settlement,
so you can post that whenever you're back online, even if that's weeks
or months later, and likewise for actually claiming your funds from the
settlement tx's outputs.


More information about the Lightning-dev mailing list