|
| 1 | +<pre> |
| 2 | + BIP: 199 |
| 3 | + Layer: Applications |
| 4 | + Title: Hashed Time-Locked Contract transactions |
| 5 | + Author: Sean Bowe < [email protected]> |
| 6 | + |
| 7 | + Comments-Summary: No comments yet. |
| 8 | + Comments-URI: https://github.com/bitcoin/bips/wiki/Comments:BIP-0199 |
| 9 | + Status: Draft |
| 10 | + Type: Standards Track |
| 11 | + Created: 2017-03-27 |
| 12 | + License: BSD-3-Clause |
| 13 | + CC0-1.0 |
| 14 | +</pre> |
| 15 | + |
| 16 | +==Abstract== |
| 17 | + |
| 18 | +This BIP describes a script for generalized off-chain contract negotiation. |
| 19 | + |
| 20 | +==Summary== |
| 21 | + |
| 22 | +A Hashed Time-Locked Contract (HTLC) is a script that permits a designated party (the "seller") to spend funds by disclosing the preimage of a hash. It also permits |
| 23 | +a second party (the "buyer") to spend the funds after a timeout is reached, in a refund situation. |
| 24 | + |
| 25 | +The script takes the following form: |
| 26 | + |
| 27 | + OP_IF |
| 28 | + [HASHOP] <digest> OP_EQUALVERIFY OP_DUP OP_HASH160 <seller pubkey hash> |
| 29 | + OP_ELSE |
| 30 | + <num> [TIMEOUTOP] OP_DROP OP_DUP OP_HASH160 <buyer pubkey hash> |
| 31 | + OP_ENDIF |
| 32 | + OP_EQUALVERIFY |
| 33 | + OP_CHECKSIG |
| 34 | +
|
| 35 | +[HASHOP] is either OP_SHA256 or OP_HASH160. |
| 36 | + |
| 37 | +[TIMEOUTOP] is either OP_CHECKSEQUENCEVERIFY or OP_CHECKLOCKTIMEVERIFY. |
| 38 | + |
| 39 | +===Interaction=== |
| 40 | + |
| 41 | +* Victor (the "buyer") and Peggy (the "seller") exchange public keys and mutually agree upon a timeout threshold. Peggy provides a hash digest. Both parties can now |
| 42 | +construct the script and P2SH address for the HTLC. |
| 43 | +* Victor sends funds to the P2SH address. |
| 44 | +* Either: |
| 45 | +** Peggy spends the funds, and in doing so, reveals the preimage to Victor in the transaction; OR |
| 46 | +** Victor recovers the funds after the timeout threshold. |
| 47 | +
|
| 48 | +Victor is interested in a lower timeout to reduce the amount of time that his funds are encumbered in the event that Peggy does not reveal the preimage. Peggy is |
| 49 | +interested in a higher timeout to reduce the risk that she is unable to spend the funds before the threshold, or worse, that her transaction spending the funds does |
| 50 | +not enter the blockchain before Victor's but does reveal the preimage to Victor anyway. |
| 51 | + |
| 52 | +==Motivation== |
| 53 | + |
| 54 | +In many off-chain protocols, secret disclosure is used as part of a settlement mechanism. In some others, the secrets themselves are valuable. HTLC transactions are |
| 55 | +a safe and cheap method of exchanging secrets for money over the blockchain, due to the ability to recover funds from an uncooperative counterparty, and the |
| 56 | +opportunity that the possessor of a secret has to receive the funds before such a refund can occur. |
| 57 | + |
| 58 | +===Lightning network=== |
| 59 | + |
| 60 | +In the lightning network, HTLC scripts are used to perform atomic swaps between payment channels. |
| 61 | + |
| 62 | +Alice constructs K and hashes it to produce L. She sends an HTLC payment to Bob for the preimage of L. Bob sends an HTLC payment to Carol for the same preimage and |
| 63 | +amount. Only when Alice releases the preimage K does any exchange of value occur, and because the secret is divulged for each hop, all parties are compensated. If |
| 64 | +at any point some parties become uncooperative, the process can be aborted via the refund conditions. |
| 65 | + |
| 66 | +===Zero-knowledge contingent payments=== |
| 67 | + |
| 68 | +Various practical zero-knowledge proving systems exist which can be used to guarantee that a hash preimage derives valuable information. As an example, a |
| 69 | +zero-knowledge proof can be used to prove that a hash preimage acts as a decryption key for an encrypted sudoku puzzle solution. (See |
| 70 | +[https://github.com/zcash/pay-to-sudoku pay-to-sudoku] for a concrete example of such a protocol.) |
| 71 | + |
| 72 | +HTLC transactions can be used to exchange such decryption keys for money without risk, and they do not require large or expensive-to-validate transactions. |
| 73 | + |
| 74 | +==Implementation== |
| 75 | + |
| 76 | +https://github.com/bitcoin/bitcoin/pull/7601 |
| 77 | + |
| 78 | +==Copyright== |
| 79 | + |
| 80 | +This document is dual licensed as BSD 3-clause, and Creative Commons CC0 1.0 Universal. |
| 81 | + |
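Review bot: The first Interaction step (new-file lines 41-42) has Victor and Peggy agree on public keys, a timeout threshold and a digest, but not on which [HASHOP] and which [TIMEOUTOP] to use, even though both choices change the script and therefore the P2SH address each side derives. Suggest listing both among the agreed parameters, and stating how <num> is interpreted under OP_CHECKSEQUENCEVERIFY versus OP_CHECKLOCKTIMEVERIFY, since "timeout threshold" alone does not say whether it is relative or absolute. The Summary also specifies only the redeem script. Documenting the stack items each branch expects from the spender (signature, public key, preimage and a true selector for the OP_IF branch; signature, public key and a false selector for the OP_ELSE branch) would let independent implementations interoperate from this text alone.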