[Lightning-dev] An Argument For Single-Asset Lightning Network

ZmnSCPxj ZmnSCPxj at protonmail.com
Sun May 19 11:01:02 UTC 2019

Good morning Lloyd,

Sent with ProtonMail Secure Email.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Sunday, May 19, 2019 6:28 PM, Lloyd Fournier <lloyd.fourn at gmail.com> wrote:

> Hi ZmnSCPxj,
> Sorry for the late reply I only recently had time to review your comments.
> I didn't really get your motivation for multiple secrets. In my mind, having the last hop put collateral into the HTLC to make a Collateralized HTLC solves the problem without any extra complexity (your original example captures this perfectly).

The exchange node itself must impose the collateral: it cannot trust any other node to impose the collateral on its behalf.
Remember, the intent is that the route is known only by the payer; the exchange should not know which node is the last node.
Otherwise, the exchange node can censor payments.


1.  The exchange node cannot know if its direct next hop is last or not (if it could know, then it could censor).
    So we must require that the swap protocol can be operated without the payer and payee being direct peers of the exchange.
2.  The exchange node needs to ensure that the ultimate payee will provide collateral.
    It cannot depend on any other node enforcing that the ultimate payee will provide collateral (it should not trust the network).

Thus the need for multiple secrets.

The route is from payer -> exchange -> payee -> exchange.
Multiple hop nodes may be inserted between the above participants.
Two secrets are demanded from payer to exchange to payee.
Only one secret is demanded from payee to exchange.

As a concrete example, suppose 1 BTC is equivalent to 100000000 WJT.
And we agree to a 10% collateral in the exchange.

1.  Payer acquires a payment hash from payee and a exchange hash from exchange.
2.  Payer routes from itself to exchange to payee.
    It releases 1 BTC, requiring both the exchange and payment preimages.
3.  On reaching the exchange, it verifies the exchange rate and the collateral value, as well as that it knows the preimage of the exchange hash.
    It releases 110000000 WJT to the next node (which might ***not*** be the payee: remember, we do not want the exchange to know who the final payee is, and this is still onion-routed), requiring both the exchange and payment preimage.
4.  On reaching the payee, it checks the value is correct and that it knows the preimage of the payment hash.
    It releases 10000000 WJT (the collateral) to the next node (which might ***not*** be the exchange: we do not want payees to become prejudiced against certain exchanges either, and this is still onion-routed).
    This time, it requires only the exchange preimage.
5.  On reaching the exchange once again, it claims the collateral by revealing the exchange preimage.
6.  The payee learns the exchange preimage and can claim the payment value, and reclaim the collateral, by releasing the payment preimage and exchange preimages immediately.

Having multiple hops means an exchange cannot determine who is the ultimate payer and ultimate payee, and cannot impose any reasonable censorship policy.
Thus the exchange cannot operate as if the second-to-last hop can be relied upon to impose the collateral rule on the payee: the exchange must impose this collateral itself!

> You wrote:
> > The exchange can insist on getting a short timelock for receiving the collateral (i.e. limit the time horizon that the exchange hash is valid), to reduce the time horizon in which the payee can pay or not pay the collateral for the exchange (as before the payee releases the collateral, it still has the option of doing or not doing the swap, i.e. American Option).
> I think this unnecessary. The "free option" time isn't limited by a timelock (if it was, we wouldn't have solved the problem). The option is limited by the exchange's willingness to wait for the other party to sign the state update (assuming the exchange signs first). The minor point I was trying to make was that normally when routing payments etc you can be willing to wait for minutes or hours for the other party to come back online if they went offline during a state update. But if you are doing a swap and your partner is meant to be signing a collateralized HTLC you shouldn't wait; you should force settlement to the blockchain within a few seconds. As soon as the state gets onto the blockchain the other party has lost any chance of getting an option.


All payments are still HTLCs.

HTLCs are onchain contracts.

The original formulation pointed out that HTLCs, by themselves (even directly onchain) can form an American Call Option.

When we force settlement on the blockchain, we just publish the same HTLCs we use offchain on the blockchain.
Thus any contract that takes effect offchain takes effect onchain.
That includes any American Call Option formed out of HTLCs.
Forcing it onchain just means you can no longer cancel the contract but are *forced* to wait out any timelocks.


More information about the Lightning-dev mailing list