Good morning Conner,
> Hi ZmnSCPxj,
>> Can you describe the "encrypted blob" approach to me? Or point me to
> There's an awesome watchtower thread on the mailing list from 2016 that starts
> here . It covers a broader range of possibilities than just the encrypted
> blob approach, and also considers other revocation schemes, e.g. elkrem.
> Similar to what you described, one encrypted blob approached discussed in
> that thread is:1. hint = tixd[:16]2. blob = Enc(data, txid[16:])3. Send
> (hint, blob) to watchtower.
> Whenever a new block is mined, the watchtower checks if it has an entry for
> txid[:16]. If so, it decrypts using txid[16:], assembles the justice txn,
> andbroadcasts (assuming the reward output matches what was negotiated).
Thank you, that is indeed similar to what I was thinking given the name
Also, thank you for the link. I have not had much time to back-read anything
older than 2017 in the archives. I observe that neither Poon nor Dryja seem to
strongly participate in this list from 2017 onwards.
>> Do you have a description of the WatchTower protocol used in lnd? It may be>
>> useful to be intercompatible.
> We don't have anything written up formally, though what we have currently
> operates on the design above.
I understand. It would be good to know what you have, and perhaps consider
planning a new BOLT document for such.
Nicolas Dorier mentioned plans for BTCPay to somehow host "merchant support
networks" where merchants may expose WatchTower endpoints, which other
merchants may post revocation information for their channels to.
> I'll also take this time to brain dump some recent investigations I've been
> doing on
> watchtowers. TL;DR @ fin.
> FWIW, I've been thinking about this in the context of the simple encrypted
> blob approach, though the observations can generalize to other schemes.
> As Laolu mentioned, the storage requirement for the watchtower is dominated
> bythe number of HTLC signatures included in the encrypted blob. Due
> toindependence of the second stage transactions, there is a combinatoric
> blowup inthe number of signatures that would need to be pre-signed under the
> revocationprivate key _if sweeping of HTLC outputs is batched_.
> If we want to batch sweep without more liberal sighash flags, I think we'd
> need to
> pre-sign n*2^n signatures. There are 2^n possible ways that n HTLCs can
> the first and second stages, and each permutation would require n distinct
> since the set of inputs is unique to each permutation. Needless to say, this
> isn't feasible
> with the maximum number of HTLCs allowed in the protocol.
Yes, I thought this too.
> However, I have some observations that might inform an efficient set of
> signatures we can choose to include in the encrypted blobs.
> The first is that the HTLC timeout or HTLC success transaction _must_
> bebroadcast before the attacker can move funds back into their wallet. If
> these transactions are never mined, it is actually fine to do nothing and
> those outputs in the breached state.
> If/when the victim comes back online, they themselves can sign and broadcast
> a justice transaction that executes the revocation clause of either the
> offered or
> received HTLC scripts, based on the observed spentness of the various
> commitmentHLTC outputs at that time. So, we can save on signature data by
> only requiring thewatchtower to act if second stage transactions are
This is a good observation! I initially thought that we would have to provide
both the first-stage and second-stage revocation signatures.
> One reallyyy nice thing about not having the watchtower sweep the HTLC
> outputson the commitment txn directly is that it doesn't need to know how
> toreconstruct the more complex HTLC redeem scripts. It only needs to
> reconstructcommitment to-local and second-stage to-local scripts and
> witnesses. This means
> the blob primarily contains:
> - 1 revocation pubkey
> - 1 local delay pubkey
> - 1 CSV delay
> - 2 commitment signatures - n HTLC signatures
> and we don't have to bother sending CLTVs, local/remote htlc pubkeys, or
> payment hashes at all.
> The storage for this ends up being something like ~100 + 64*(2+nhtlcs) when
> include other things like the sweep address.
Thank you, that seems like a start at something that can be implemented.
> The second observation is that the second stage transactions could be
> sequentially such that the CSV delays don't overlap at all. In this event,
> thewatchtower needs to sweep the HTLCs iteratively to prevent the attacker
> sweeping any of the outputs as the relative timelocks expire.
Sorry, I seem confused this idea. Can you give example for commitment with 2x
> One minimal solution could be to send signatures for independent sweep
> transactions, allowing the watchtower to sweep each HTLC output individually.
> This is nice because it permits the watchtower to sweep exactly the subset
> ofHTLCs that ever transition into the second stage, and under any
> permutationwrt. ordering of confirmed second stage transactions.
Yes, this seems like a good general idea.
> With the single transaction per HTLC approach, the total number of signatures
> thatare sent to the watchtower remains linear in the number HTLCs on the
> commitmenttransaction. This approach does have the downside of consuming
> slightly more
> fees, since each output is swept with a distinct transaction.
> However, this approach is fairly efficient in preventing the attacker
> entirely from
> moving funds from the channel into their wallet wrt. to the amount of data
> Considering that the majority of the channel balance is expected to be in
> the commitment outputs and that hypothetically on-chains fees are offset by
> remote balance, this could be an acceptable tradeoff.
> I suspect that in practice, most second stage transactions will be valid by
> the time an attacker would drop to chain. Because of this, it's possible that
> could be mined in the same block as the breach transaction.
> If everything is mined in the same block or in quick succession, it might be
> worthwhile to also pre-sign a justice txn that batch sweeps all HTLCs
> directlyfrom the second layer, requiring one additional signature/HTLC.
> This could be a plausible scenario if the offender breached unintentionally,
> and their implementation tries to proceed normally. However it does require
> all of the
> CSV delays to conincide. If that doesn't happen, the watchtower can
> alwaysresort to sweeping the outputs individually.
> All in all, I think the ability to sweep each HTLC independently is
> more-or-lessa requirement just given the complexity of how the on-chain
> state-space can manifest, especially if CLTVs have already expired. Other
> scenarios may
> be worth including on a case by case basis or if we feel they are justified.
> could be handled dynamically by including some bitvector or some compact
> representation of how to reconstruct the transactions for any additional,
Okay. So it seems, the blob contains:
1. Revocation pubkey (from our revocation basepoint and per-commitment
2. Their delayed payment pubkey (needed in scripts)
3. Our imposed to_self_delay (the setting we indicate, that we impose on the
4. Our payment pubkey
5. 0 or 1 or 2 signatures for the main outputs. These sign a single
transaction that claims only the main outputs.
6. 0 or more second-stage HTLC revocation signatures. These sign individual
transactions (one per HTLC) that claims only the second-stage HTLC output.
7. scriptpubkey to put all the funds in.
When the commitment txid is found onchain, the WatchTower creates a single main
output claim transaction using the 1 or 2 signatures for the main outputs. And
for each HTLC outpoint on the commitment transaction, if it gets spent, the
WatchTower creates one HTLC justice transaction from the second-stage HTLC
Is that approximately what is needed? Have I missed anything?
Lightning-dev mailing list