bitcoinbook icon indicating copy to clipboard operation
bitcoinbook copied to clipboard
verified publisher icon bitcoinbook

Ch12 revocation key exchange before signing new commitment

Open morehouse opened this issue 3 years ago • 0 comments

From the Asymmetric Revocable Commitments section:

Let’s look at an example of how it works. One of Irene’s customers wants to send 2 bitcoin to one of Hitesh’s customers. To transmit 2 bitcoin across the channel, Hitesh and Irene must advance the channel state to reflect the new balance. They will commit to a new state (state number 2) where the channel’s 10 bitcoin are split, 7 bitcoin to Hitesh and 3 bitcoin to Irene. To advance the state of the channel, they will each create new commitment transactions reflecting the new channel balance.

As before, these commitment transactions are asymmetric so that the commitment transaction each party holds forces them to wait if they redeem it. Crucially, before signing new commitment transactions, they must first exchange revocation keys to invalidate the prior commitment. In this particular case, Hitesh’s interests are aligned with the real state of the channel and therefore he has no reason to broadcast a prior state. However, for Irene, state number 1 leaves her with a higher balance than state 2. When Irene gives Hitesh the revocation key for her prior commitment transaction (state number 1) she is effectively revoking her ability to profit from regressing the channel to a prior state because with the revocation key, Hitesh can redeem both outputs of the prior commitment transaction without delay. Meaning if Irene broadcasts the prior state, Hitesh can exercise his right to take all of the outputs.

I think this is either poorly worded or incorrect. The new commitment transactions should be signed and exchanged before revoking the previous commitments, or else one party can create a deadlock situation by refusing to sign the new commitment:

  1. Irena and Hitesh construct (but don't sign) new commitment transactions.
  2. Irena and Hitesh swap revocation keys for the previous commitment.
  3. Hitesh refuses to send Irena a signed new commitment.

Now the previous commitment has been revoked, but Irena does not have a new commitment signed by Hitesh that she could use to close the channel. This means the channel will stay open forever and Irena cannot retrieve any bitcoin without giving Hitesh a chance to steal everything.

morehouse avatar Apr 21 '22 23:04 morehouse