From aj at erisian.com.au Fri Nov 27 09:09:46 2015
From: aj at erisian.com.au (Anthony Towns)
Date: Fri, 27 Nov 2015 19:09:46 +1000
Subject: [Lightning-dev] Payment channel without timeout protected from malleability
In-Reply-To:
References:
Message-ID: <20151127090946.GB7151@sapphire.erisian.com.au>

On Fri, Nov 27, 2015 at 04:37:04PM +0900, Nicolas Dorier wrote:
> By adapting an idea from gmaxwell (
> https://bitcointalk.org/index.php?topic=303088.0) it is possible to open a
> channel without suffering from a malleability attack.
> The process for A to open a channel with B is the following:
> * A asks B for a pubkey
> * A creates the first commitment transaction
> * A extracts the hash that B needs to sign to be able to broadcast the
> commitment
> * A asks B to sign the hash, but does not disclose the commitment
> * A broadcasts the anchor
> * After confirmation, A announces the anchor to B.

A also passes the original unsigned commitment to B, who verifies that it's
in the right format (ie, can be revoked), and hashes to the hash that he
signed.

> B can't identify A's anchor before announcement because he does not know
> the P2SH of the multisig.

> Am I missing something?

Someone other than B (ie a third party) could malleate the anchor between
broadcast and confirmation just for their own amusement.

B can't reuse pubkeys between different channels with this protocol either,
but that's good practice anyway.

From the same forum post, using child-pays-for-parent seems plausible. Doing:

  txA: spend 6 BTC to
         5 BTC to A&B
         1 BTC to A
  txB: spend 1 BTC from txA:1 to
         0.999 BTC to A

should be pretty safe: either someone malleates txA and mines it for 0 fee;
or they mine both txA+txB for 0.001 BTC fee, and txA can't be malleated.

But CPFP doesn't work yet, and segregated witness seems like it'll happen
sooner anyway?

Cheers,
aj
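The two points in the message above (a third party can change the anchor's txid before it confirms, which orphans the pre-signed commitment; and the CPFP layout only pays the miner when the unmodified txA is included with txB) can be checked with a toy transaction model. The following is an added example written for this archive page, not code from either poster or from any Bitcoin implementation: the serialization, the 64-character funding id, the `<sig A>` placeholders and the "append a byte to the scriptSig" modelling of malleation are all constructed assumptions, chosen only so that the id depends on signature data the way pre-segwit txids did. Amounts are the ones in the message, in satoshis.

```python
import hashlib
from dataclasses import dataclass

SAT = 100_000_000  # satoshis per BTC


@dataclass(frozen=True)
class TxIn:
    prev_txid: str     # id of the transaction being spent
    prev_vout: int
    script_sig: bytes  # signature data; not covered by the signature hash


@dataclass(frozen=True)
class TxOut:
    value: int          # satoshis
    script_pubkey: str  # toy destination label, e.g. "2-of-2 A&B"


@dataclass(frozen=True)
class Tx:
    vin: tuple
    vout: tuple


def _sha256d(data: bytes) -> str:
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()


def serialize(tx: Tx, with_script_sig: bool = True) -> bytes:
    # Constructed toy serialization; only its dependence on script_sig matters here.
    parts = []
    for i in tx.vin:
        parts.append(i.prev_txid.encode() + i.prev_vout.to_bytes(4, "little"))
        if with_script_sig:
            parts.append(len(i.script_sig).to_bytes(1, "little") + i.script_sig)
    for o in tx.vout:
        parts.append(o.value.to_bytes(8, "little") + o.script_pubkey.encode())
    return b"".join(parts)


def txid(tx: Tx) -> str:
    """Pre-segwit style id: the scriptSig is hashed, so re-encoding it changes the id."""
    return _sha256d(serialize(tx, with_script_sig=True))


def segwit_style_txid(tx: Tx) -> str:
    """Id computed without signature data, which is what segregated witness gives."""
    return _sha256d(serialize(tx, with_script_sig=False))


def third_party_malleate(tx: Tx) -> Tx:
    """Model a relay node re-encoding the first input's scriptSig (assumption: one extra
    byte) without any key; what the transaction authorizes is unchanged."""
    first = tx.vin[0]
    bent = TxIn(first.prev_txid, first.prev_vout, first.script_sig + b"\x00")
    return Tx((bent,) + tx.vin[1:], tx.vout)


def spends_confirmed_parent(child: Tx, confirmed_ids: set) -> bool:
    """True only if every input of `child` points at a confirmed txid."""
    return all(i.prev_txid in confirmed_ids for i in child.vin)


def build_anchor(funding_txid: str) -> Tx:
    # txA from the message: 6 BTC in, 5 BTC to the A&B multisig, 1 BTC back to A.
    return Tx(vin=(TxIn(funding_txid, 0, b"<sig A>"),),
              vout=(TxOut(5 * SAT, "2-of-2 A&B"), TxOut(1 * SAT, "A")))


def build_commitment(anchor: Tx) -> Tx:
    # B pre-signed a hash over this spend of txA:0, so it is bound to txA's original txid.
    return Tx(vin=(TxIn(txid(anchor), 0, b"<sig A><sig B>"),),
              vout=(TxOut(5 * SAT, "A (revocable by B)"),))


def build_cpfp_child(anchor: Tx) -> Tx:
    # txB from the message: spends txA:1 (1 BTC) to 0.999 BTC for A, leaving 0.001 BTC fee.
    return Tx(vin=(TxIn(txid(anchor), 1, b"<sig A>"),),
              vout=(TxOut(99_900_000, "A"),))


def miner_fee(candidates: list, utxos: dict) -> int:
    """Fee a miner collects from `candidates`, counting only transactions whose every
    input exists in `utxos` or is created by an earlier candidate in the list."""
    available = dict(utxos)  # (txid, vout) -> value
    fee = 0
    for tx in candidates:
        keys = [(i.prev_txid, i.prev_vout) for i in tx.vin]
        if not all(k in available for k in keys):
            continue  # orphan: its parent id is not in the block (e.g. parent was malleated)
        fee += sum(available.pop(k) for k in keys) - sum(o.value for o in tx.vout)
        for n, o in enumerate(tx.vout):
            available[(txid(tx), n)] = o.value
    return fee


def scenario() -> dict:
    funding_id = "f" * 64  # constructed id of A's 6 BTC coin
    utxos = {(funding_id, 0): 6 * SAT}
    anchor = build_anchor(funding_id)
    commitment = build_commitment(anchor)
    child = build_cpfp_child(anchor)
    bent = third_party_malleate(anchor)
    return {
        "ids_differ": txid(anchor) != txid(bent),
        "segwit_ids_equal": segwit_style_txid(anchor) == segwit_style_txid(bent),
        "commitment_valid_after_malleation": spends_confirmed_parent(commitment, {txid(bent)}),
        "fee_honest_sats": miner_fee([anchor, child], utxos),
        "fee_malleated_sats": miner_fee([bent, child], utxos),
    }


if __name__ == "__main__":
    print(scenario())
```

Running `scenario()` shows the asymmetry the message relies on: the malleated anchor is still a valid spend of A's coin, but both the pre-signed commitment and txB point at the original txid, so a miner who re-encodes txA collects nothing from txB, while a miner who includes txA unchanged together with txB collects the 0.001 BTC fee. The `segwit_style_txid` comparison shows why an id that excludes signature data removes the problem.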