Good morning Chris,

> I think I'm having trouble understanding this, does it work like this:
> Say we're in the 2-party coinswap case (Alice and Bob)
> We have Alice's funding transaction:
> Alice UTXO ---> 2of2 multisig (Alice+Bob)
> And we have the regular contract transaction
> 2of2 multisig (Alice+Bob) ---> Alice+timelock1 OR Bob+hashlock
> And you propose a second pre-signed transaction?
> 2of2 multisig (Alice+Bob) ---> Bob+timelock2

No, it is:

2of2 multisig (Alice+Bob) --(nLockTime=locktime1)-> Alice

The timelock is  imposed as a `nLockTime`, not as an `OP_CLTV` (so not in the 
output of the tx, but part of the tx), and the backout returns the funds to 
Alice, not sends it to Bob.
This transaction is created *before* the contract transaction.

The order is:

* Create (but not sign) Alice funding tx (Alice --> Alice+Bob).
* Create and sign Alice backout transaction (Alice+Bob -(nLockTime=locktime1)-> 
* Create (but not sign) Bob funding tx (Bob --> Alice+Bob+sharedSecret).
* Create and sign Bob backout transaction (Alice+Bob+sharedSecret 
-(nLocktime=locktime2)-> Bob) where timelock2 < timelock1.
* Sign and broadcast funding txes.
  * At this point, even if Bob funding tx is confirmed but Alice funding tx is 
not, Bob can recover funds with the backout, but Alice cannot steal the funds 
(since there is no hashlock branch at this point).
* When Alice funding tx is confirmed, create and sign contract transaction 
(Alice+Bob --> Alice+timelock1 OR Bob+hashlock).
* When Bob funding tx is confirmed and Bob has received the Alice contract 
transaction, create and sign Bob contract transaction (Alice+Bob+sharedSecret 
--> Bob+timelock2 OR Alice+hashlock).
* Continue as normal.

In effect, the backout transaction creates a temporary Spilman unidirectional 
time-bound channel.
We just reuse the same timelock on the HTLC we expect to instantiate, as the 
time bound of the Spilman channel; the timelock exists anyway, we might as well 
reuse it for the Spilman.

Creation of the contract tx invalidates the backout tx (the backout tx is 
`nLockTime`d, the contract tx has no such encumbrance), but the backout allows 
Alice and Bob to fund their txes simultaneously without risk of race loss.
However, they do still have to wait for (deep) confirmation before signing 
contract transactions, and Bob has to wait for the incoming contract 
transaction as well before it signs its outgoing contract transaction.

The protocol is trivially extendable with more than one Bob.

The insight basically is that we can split CoinSwap into a "channel 
establishment" phase and "HTLC forwarding" phase followed by "HTLC resolution" 
and "private key handover".
HTLC forwarding and HTLC resolution are "done offchain" in the channels, and 
channel establishment can be done in any order, including reverse.

Indeed, the Spilman channel need not have the same timelock as the HTLC it will 
eventually host: it could have a shorter timelock, since the contract 
transaction has no `nLockTime` it can be instantiated (with loss of privacy due 
to the nonstandard script) before the Spilman timeout.

bitcoin-dev mailing list

Reply via email to