Done first pass copy edit, up to line 576 of BOLT 2, according to .copy-edit-stylesheet-checklist.md guidelines;
51 KiB
BOLT #2: Peer Protocol for Channel Management
The peer channel protocol has three phases: establishment, normal operation, and closing.
Table of Contents
Channel
Channel Establishment
Channel establishment begins immediately after authentication and
consists of the funding node (funder) sending an open_channel
message,
followed by the responding node (fundee) sending accept_channel
. With the
channel parameters locked in, the funder is able to create the funding
transaction and both versions of the commitment transaction, as described in
BOLT #3.
The funder then sends the outpoint of the funding output with the funding_created
message, along with the signature for the fundee's version of the commitment
transaction. Once the fundee learns the funding outpoint, it's able to
generate the funder's commitment for the commitment transaction and send it
over using the funding_signed
message.
Once the channel funder receives the funding_signed
message, it
must broadcast the funding transaction to the Bitcoin network. After
the funding_signed
message is sent/received, both sides should wait
for the funding transaction to enter the blockchain and reach the
specified depth (number of confirmations). After both sides have sent
the funding_locked
message, the channel is established and can begin
normal operation. The funding_locked
message includes information
which will be used to construct channel authentication proofs.
+-------+ +-------+
| |--(1)--- open_channel ----->| |
| |<-(2)-- accept_channel -----| |
| | | |
| A |--(3)-- funding_created --->| B |
| |<-(4)-- funding_signed -----| |
| | | |
| |--(5)--- funding_locked ---->| |
| |<-(6)--- funding_locked -----| |
+-------+ +-------+
- where node A is 'funder' and node B is 'fundee'
If this fails at any stage, or if one node decides the channel terms offered by the other node are not suitable, the channel establishment fails.
Note that multiple channels can operate in parallel, as all channel
messages are identified by either a temporary_channel_id
(before the
funding transaction is created) or channel_id
(derived from the
funding transaction).
The open_channel
Message
This message contains information about a node and indicates its desire to set up a new channel.
- type: 32 (
open_channel
) - data:
- [
32
:chain_hash
] - [
32
:temporary_channel_id
] - [
8
:funding_satoshis
] - [
8
:push_msat
] - [
8
:dust_limit_satoshis
] - [
8
:max_htlc_value_in_flight_msat
] - [
8
:channel_reserve_satoshis
] - [
8
:htlc_minimum_msat
] - [
4
:feerate_per_kw
] - [
2
:to_self_delay
] - [
2
:max_accepted_htlcs
] - [
33
:funding_pubkey
] - [
33
:revocation_basepoint
] - [
33
:payment_basepoint
] - [
33
:delayed_payment_basepoint
] - [
33
:first_per_commitment_point
] - [
1
:channel_flags
]
- [
The chain_hash
value denotes the exact blockchain the opened channel will
reside within. This is usually the genesis hash of the respective blockchain.
The existence of the chain_hash
allows nodes to open channels
across many distinct blockchains as well as have channels within multiple
blockchains opened to the same peer (if it supports the target chains).
The temporary_channel_id
is used to identify this channel until the funding transaction is established. funding_satoshis
is the amount the sender is putting into the channel. dust_limit_satoshis
is the threshold below which outputs should not be generated for this node's commitment or HTLC transaction; i.e. HTLCs below this amount plus HTLC transaction fees are not enforceable on-chain. This reflects the reality that tiny outputs are not considered standard transactions and will not propagate through the Bitcoin network.
max_htlc_value_in_flight_msat
is a cap on total value of outstanding HTLCs, which allows a node to limit its exposure to HTLCs; similarly, max_accepted_htlcs
limits the number of outstanding HTLCs the other node can offer. channel_reserve_satoshis
is the minimum amount that the other node is to keep as a direct payment. htlc_minimum_msat
indicates the smallest value HTLC this node will accept.
feerate_per_kw
indicates the initial fee rate by 1000-weight (i.e. 1/4 the more normally-used 'feerate per kilobyte') which this side will pay for commitment and HTLC transactions, as described in BOLT #3 (this can be adjusted later with an update_fee
message). to_self_delay
is the number of blocks that the other nodes to-self outputs must be delayed, using OP_CHECKSEQUENCEVERIFY
delays; this is how long it will have to wait in case of breakdown before redeeming its own funds.
Only the least-significant bit of channel_flags
is currently
defined: announce_channel
. This indicates whether the initiator of the
funding flow wishes to advertise this channel publicly to the network
as detailed within
BOLT #7.
The funding_pubkey
is the public key in the 2-of-2 multisig script of the funding transaction output. The revocation_basepoint
is combined with the revocation preimage for this commitment transaction to generate a unique revocation key for this commitment transaction. The payment_basepoint
and delayed_payment_basepoint
are similarly used to generate a series of keys for any payments to this node: delayed_payment_basepoint
is used for payments encumbered by a delay. Varying these keys ensures that the transaction ID of each commitment transaction is unpredictable by an external observer, even if one commitment transaction is seen — this property is very useful for preserving privacy when outsourcing penalty transactions to third parties.
[ FIXME: Describe dangerous feature bit for larger channel amounts. ]
Requirements
The sending node MUST:
- ensure that the
chain_hash
value identifies the chain it wishes to open the channel within. - ensure
temporary_channel_id
is unique from any other. channel ID with the same peer. - set
funding_satoshis
to less than 2^24 satoshi. - set
push_msat
to equal or less than 1000 *funding_satoshis
. - set
funding_pubkey
,revocation_basepoint
,payment_basepoint
, anddelayed_payment_basepoint
to valid DER-encoded, compressed, secp256k1 pubkeys.
The sending node SHOULD:
- set
to_self_delay
sufficient to ensure the sender can irreversibly spend a commitment transaction output, in case of misbehavior by the receiver. - set
feerate_per_kw
to at least the rate it estimates would cause the transaction to be immediately included in a block. - set
dust_limit_satoshis
to a sufficient value to allow commitment transactions to propagate through the Bitcoin network. - set
htlc_minimum_msat
to the minimum value HTLC it is willing to accept from this peer.
The receiving node MUST:
- ignore undefined bits in
channel_flags
. - if the connection has been re-established after receiving a previous
open_channel
but before receiving afunding_created
message:- accept a new
open_channel
message, - and MUST discard the previous
open_channel
message.
- accept a new
The receiving node MAY fail the channel if:
announce_channel
isfalse
(0
), yet it wishes to publicly announce the channel.funding_satoshis
is too small.- it considers
htlc_minimum_msat
too large. - it considers
max_htlc_value_in_flight_msat
too small. - it considers
channel_reserve_satoshis
too large. - it considers
max_accepted_htlcs
too small.
The receiving node MUST fail the channel if:
push_msat
is greater thanfunding_satoshis
* 1000.to_self_delay
is unreasonably large.max_accepted_htlcs
is greater than 483.- it considers
feerate_per_kw
too small for timely processing, or unreasonably large. funding_pubkey
,revocation_basepoint
,payment_basepoint
, ordelayed_payment_basepoint
are not valid DER-encoded compressed secp256k1 pubkeys.
The receiving node MUST NOT:
- consider funds received using
push_msat
to be received until the funding transaction has reached sufficient depth.
Rationale
The channel reserve is specified by the peer's channel_reserve_satoshis
: 1% of the channel total is suggested. Each side of a channel maintains this reserve so it always has something to lose, if it were to try to broadcast an old, revoked commitment transaction. Initially, this reserve may not be met, as only one side has funds; but the protocol ensures that progress is always toward it being met, and once met, it is maintained.
The sender can unconditionally give initial funds to the receiver using a non-zero push_msat
— this is one case where the normal reserve mechanism doesn't apply. However, like any other on-chain transaction, this payment is not certain until the funding transaction has been confirmed sufficiently (may be double-spent) and may require a separate method to prove payment via on-chain confirmation.
The feerate_per_kw
is generally only a concern to the sender (who pays the fees), but there is also the feerate paid by HTLC transactions; thus, unreasonably large fee rates can also penalize the recipient.
Future
It would be easy to have a local feature bit which indicated that a receiving node was prepared to fund a channel, which would reverse this protocol.
The accept_channel
Message
This message contains information about a node and indicates its acceptance of the new channel.
- type: 33 (
accept_channel
) - data:
- [
32
:temporary_channel_id
] - [
8
:dust_limit_satoshis
] - [
8
:max_htlc_value_in_flight_msat
] - [
8
:channel_reserve_satoshis
] - [
8
:htlc_minimum_msat
] - [
4
:minimum_depth
] - [
2
:to_self_delay
] - [
2
:max_accepted_htlcs
] - [
33
:funding_pubkey
] - [
33
:revocation_basepoint
] - [
33
:payment_basepoint
] - [
33
:delayed_payment_basepoint
] - [
33
:first_per_commitment_point
]
- [
Requirements
The temporary_channel_id
MUST be the same as the temporary_channel_id
in
the open_channel
message.
The sender:
- SHOULD set
minimum_depth
to a number of blocks it considers reasonable to avoid double-spending of the funding transaction.
The receiver:
- if the
chain_hash
value within theopen_channel
message is set to a hash of a chain unknown to the receiver:- MUST reject the channel.
- MAY reject the
minimum_depth
, if it considers it unreasonably large.
Other fields have the same requirements as their counterparts in open_channel
.
The funding_created
Message
This message describes the outpoint which the funder has created for the initial commitment transactions. After receiving the peer's signature, it will broadcast the funding transaction.
- type: 34 (
funding_created
) - data:
- [
32
:temporary_channel_id
] - [
32
:funding_txid
] - [
2
:funding_output_index
] - [
64
:signature
]
- [
Requirements
The sender MUST set:
temporary_channel_id
the same as thetemporary_channel_id
in theopen_channel
message.funding_txid
to the transaction ID of a non-malleable transaction, which it MUST NOT broadcast.funding_output_index
to the output number of that transaction which corresponds the funding transaction output as defined in BOLT #3.signature
to the valid signature using itsfunding_pubkey
for the initial commitment transaction, as defined in BOLT #3.
The sender:
- when creating the funding transaction:
- SHOULD use only BIP141 (Segregated Witness) inputs.
The recipient:
- if
signature
is incorrect:- MUST fail the channel.
Rationale
The funding_output_index
can only be 2 bytes, since that's how it's packed into the channel_id
and used throughout the gossip protocol. The limit of 65535 outputs should not be overly burdensome.
A transaction with all Segregated Witness inputs is not malleable, hence the funding transaction recommendation.
The funding_signed
Message
This message gives the funder the signature it needs for the first commitment transaction, so it can broadcast signature knowing funds can be redeemed, if need be.
This message introduces the channel_id
to identify the channel. It's derived from the funding transaction by combining the funding_txid
and the funding_output_index
, using big-endian exclusive-OR (i.e. funding_output_index
alters the last two bytes).
- type: 35 (
funding_signed
) - data:
- [
32
:channel_id
] - [
64
:signature
]
- [
Requirements
The sender MUST set:
channel_id
by exclusive-OR of thefunding_txid
and thefunding_output_index
from thefunding_created
message.signature
to the valid signature, using itsfunding_pubkey
for the initial commitment transaction, as defined in BOLT #3.
The recipient:
- if
signature
is incorrect:- MUST fail the channel.
- on receipt of a valid
funding_signed
:- SHOULD broadcast the funding transaction,
- and MUST NOT broadcast the funding transaction earlier.
The funding_locked
Message
This message indicates that the funding transaction has reached the minimum_depth
asked for in accept_channel
. Once both nodes have sent this, the channel enters normal operating mode.
- type: 36 (
funding_locked
) - data:
- [
32
:channel_id
] - [
33
:next_per_commitment_point
]
- [
Requirements
The sender MUST:
- wait until the funding transaction has reached
minimum_depth
before sending this message. - set
next_per_commitment_point
to the per-commitment point to be used for the following commitment transaction, derived as specified in BOLT #3.
A non-funding node (fundee) SHOULD:
- forget the channel if it does not see the funding transaction after a reasonable timeout.
From the point of waiting for funding_locked
onward, either node MAY
fail the channel if it does not receive a required response from the
other node after a reasonable timeout.
Rationale
The non-funder can simply forget the channel ever existed, since no
funds are at risk. There is a denial of service risk: if the fundee remembers
the channel forever (on the promise of the funding transaction finally
appearing), even if push_msat
is significant.
Future
An SPV proof could be added and block hashes could be routed in separate messages.
Channel Close
Nodes can negotiate a mutual close of the connection, which unlike a unilateral close, allows them to access their funds immediately and can be negotiated with lower fees.
Closing happens in two stages: 1) one side indicates it wants to clear the channel (and thus will accept no new HTLCs) 2) once all HTLCs are resolved, the final channel close negotiation begins.
+-------+ +-------+
| |--(1)----- shutdown ------->| |
| |<-(2)----- shutdown --------| |
| | | |
| | <complete all pending HTLCs> | |
| A | ... | B |
| | | |
| |<-(3)-- closing_signed F1----| |
| |--(4)-- closing_signed F2--->| |
| | ... | |
| |--(?)-- closing_signed Fn--->| |
| |<-(?)-- closing_signed Fn----| |
+-------+ +-------+
Closing Initiation: shutdown
Either node (or both) can send a shutdown
message to initiate closing,
along with the scriptpubkey it wants to be paid to.
- type: 38 (
shutdown
) - data:
- [
32
:channel_id
] - [
2
:len
] - [
len
:scriptpubkey
]
- [
Requirements
A sending node:
-
if there are updates pending on the receiving node's commitment transaction:
- MUST NOT send a
shutdown
.
- MUST NOT send a
-
MUST NOT send an
update_add_htlc
after ashutdown
. -
SHOULD fail to route any HTLC added after it sent
shutdown
. -
MUST set
scriptpubkey
in one of the following forms:OP_DUP
OP_HASH160
20
20-bytesOP_EQUALVERIFY
OP_CHECKSIG
(pay to pubkey hash), OROP_HASH160
20
20-bytesOP_EQUAL
(pay to script hash), OROP_0
20
20-bytes (version 0 pay to witness pubkey), OROP_0
32
32-bytes (version 0 pay to witness script hash)
A receiving node:
- if the
scriptpubkey
is not in one of the above forms:- SHOULD fail the connection.
- once there are no outstanding updates on the peer:
- MUST reply to a
shutdown
message with ashutdown
, unless it has already sent ashutdown
.
- MUST reply to a
Rationale
If channel state is always "clean" (no pending changes) when a
shutdown starts, the question of how to behave if it wasn't is avoided:
the sender always sends a commitment_signed
first.
As shutdown implies a desire to terminate, it implies that no new HTLCs will be added or accepted.
The scriptpubkey
forms include only standard forms accepted by the
Bitcoin network, which ensures the resulting transaction will
propagate to miners.
The shutdown
response requirement implies that the node sends commitment_signed
to commit any outstanding changes before replying; however, it could theoretically reconnect instead, which would simply erase all outstanding uncommitted changes.
Closing Negotiation: closing_signed
Once shutdown is complete and the channel is empty of HTLCs, the final
current commitment transactions will have no HTLCs, and closing fee
negotiation begins. Each node chooses a fee it thinks is fair, and
signs the close transaction with the scriptpubkey
fields from the
shutdown
messages (along with its chosen fee) and sends the signature. The
process terminates when both agree on the same fee, or one side fails
the channel.
- type: 39 (
closing_signed
) - data:
- [
32
:channel_id
] - [
8
:fee_satoshis
] - [
64
:signature
]
- [
Requirements
A sending node:
- after
shutdown
has been received and no HTLCs remain in either commitment transaction:- SHOULD send a
closing_signed
message.
- SHOULD send a
- MUST set
fee_satoshis
lower than or equal to the base fee of the final commitment transaction, as calculated in BOLT #3. - SHOULD set the initial
fee_satoshis
according to its estimate of cost of inclusion in a block. - MUST set
signature
to the Bitcoin signature of the close transaction, as specified in BOLT #3.
The receiving node:
- after
shutdown
has been received and no HTLCs remain in either commitment transaction:- SHOULD send a
closing_signed
message.
- SHOULD send a
- MUST check
signature
is valid for either variant of close transaction specified in BOLT #3, - and MUST fail the connection if it is not.
- if
fee_satoshis
is equal to its previously sentfee_satoshis
:- SHOULD sign and broadcast the final closing transaction
- MAY close the connection.
- otherwise:
- MUST fail the connection if
fee_satoshis
is greater than the base fee of the final commitment transaction as calculated in BOLT #3
- MUST fail the connection if
- SHOULD fail the connection if
fee_satoshis
is not strictly between its last-sentfee_satoshis
and its previously-receivedfee_satoshis
, unless it has reconnected since then. - if the receiver agrees with the fee:
- SHOULD reply with a
closing_signed
with the samefee_satoshis
value.
- SHOULD reply with a
- otherwise:
- MUST propose a value "strictly between" the received
fee_satoshis
and its previously-sentfee_satoshis
.
- MUST propose a value "strictly between" the received
Rationale
The "strictly between" requirement ensures that forward progress is made, even if only by a single satoshi at a time. To avoid keeping state and to handle the corner case, where fees have shifted between disconnection and reconnection, negotiation restarts on reconnection.
Note there is limited risk if the closing transaction is delayed, but it will be broadcast very soon; so there is usually no reason to pay a premium for rapid processing.
Normal Operation
Once both nodes have exchanged funding_locked
(and optionally announcement_signatures
), the channel can be used to make payments via Hash TimeLocked Contracts.
Changes are sent in batches: one or more update_
messages are sent before a
commitment_signed
message, as in the following diagram:
+-------+ +-------+
| |--(1)---- add_htlc ------>| |
| |--(2)---- add_htlc ------>| |
| |<-(3)---- add_htlc -------| |
| | | |
| |--(4)---- commit ------>| |
| A | | B |
| |<-(5)--- revoke_and_ack-----| |
| |<-(6)---- commit -------| |
| | | |
| |--(7)--- revoke_and_ack---->| |
+-------+ +-------+
Counter-intuitively, these updates apply to the other node's
commitment transaction; the node only adds those updates to its own
commitment transaction when the remote node acknowledges it has
applied them via revoke_and_ack
.
Thus each update traverses through the following states:
- Pending on the receiver
- In the receiver's latest commitment transaction,
- ... and the receiver's previous commitment transaction has been revoked, and the HTLC is pending on the sender.
- ... and in the sender's latest commitment transaction
- ... and the sender's previous commitment transaction has been revoked
As the two nodes' updates are independent, the two commitment transactions may be out of sync indefinitely. This is not concerning: what matters is whether both sides have irrevocably committed to a particular HTLC or not (the final state, above).
Forwarding HTLCs
In general, a node offers HTLCs for two reasons: to initiate a payment of its own, or to forward another node's payment. In the forwarding case, care must be taken to ensure the outgoing HTLC cannot be redeemed unless the incoming HTLC can be redeemed. The following requirements ensure this is always true:
The respective addition/removal of an HTLC is considered irrevocably committed when:
- the commitment transaction with/without it is committed by both nodes, and any previous commitment transaction which without/with it has been revoked, OR
- the commitment transaction with/without it has been irreversibly committed to the blockchain.
Requirements
A node:
- until the incoming HTLC has been irrevocably committed:
- MUST NOT offer an HTLC (
update_add_htlc
) in response to an incoming HTLC.
- MUST NOT offer an HTLC (
- until the removal of the outgoing HTLC is irrevocably committed, OR until the outgoing on-chain HTLC output has been spent via the HTLC-timeout transaction (with sufficient depth):
- MUST NOT fail an incoming HTLC (
update_fail_htlc
) for which it has committed to an outgoing HTLC.
- MUST NOT fail an incoming HTLC (
- once its
cltv_expiry
has been reached, OR ifcltv_expiry
-current_height
<cltv_expiry_delta
for the outgoing channel:- MUST fail an incoming HTLC (
update_fail_htlc
).
- MUST fail an incoming HTLC (
- if an incoming HTLC's
cltv_expiry
is unreasonably far in the future:- SHOULD fail that incoming HTLC (
update_fail_htlc
).
- SHOULD fail that incoming HTLC (
- upon receiving an
update_fulfill_htlc
for the outgoing HTLC, OR upon discovering thepayment_preimage
from an on-chain HTLC spend:- MUST fulfill an incoming HTLC for which it has committed to an outgoing HTLC.
Rationale
In general, one side of the exchange needs to be dealt with before the other. Fulfilling an HTLC is different: knowledge of the preimage is, by definition, irrevocable and the incoming HTLC should be fulfilled as soon as possible to reduce latency.
An HTLC with an unreasonably long expiry is a denial-of-service vector and therefor is not allowed. Note that the exact value of "unreasonable" is currently unclear and may depend on network topology.
cltv_expiry_delta
Selection
Once an HTLC has timed out, it can either be fulfilled or timed-out; care must be taken around this transition both for offered and received HTLCs.
Consider the following scenario, where A sends an HTLC to B, who forwards to C, who delivers the goods as soon as the payment is received.
-
C needs to be sure that the HTLC from B cannot time out, even if B becomes unresponsive; i.e. C can fulfill the incoming HTLC on-chain before B can time it out on-chain.
-
B needs to be sure that if C fulfills the HTLC from B, it can fulfill the incoming HTLC from A; i.e. B can get the preimage from C and fulfill the incoming HTLC on-chain before A can time it out on-chain.
The critical settings here are the cltv_expiry_delta
in
BOLT #7 and the
related
min_final_cltv_expiry
in BOLT #11.
cltv_expiry_delta
is the minimum difference in HTLC CLTV timeouts, in
the forwarding case (B). min_final_ctlv_expiry
is the minimum difference
between HTLC CLTV timeout and the current block height, for the
terminal case (C).
Note that if this value is too low for a channel, the risk is only to
the node accepting the HTLC, not the node offering it. For this
reason, the cltv_expiry_delta
for the outgoing channel is used as
the delta across a node.
The worst-case number of blocks between outgoing and incoming HTLC resolution can be derived, given a few assumptions:
- A worst-case reorganization depth
R
blocks. - A grace-period
G
blocks after HTLC timeout before giving up on an unresponsive peer and dropping to chain. - A number of blocks
S
between transaction broadcast and the transaction being included in a block.
The worst case is for a forwarding node (B) that takes the longest possible time to spot the outgoing HTLC fulfillment and also takes the longest possible time to redeem it on-chain:
- The B->C HTLC times out at block
N
, and B waitsG
blocks until it gives up waiting for C. B or C commits to the blockchain, and B spends HTLC, which takesS
blocks to be included. - Bad case: C wins the race (just) and fulfills the HTLC, B only sees
that transaction when it sees block
N+G+S+1
. - Worst case: There's reorganization
R
deep in which C wins and fulfills. B only sees transaction atN+G+S+R
. - B now needs to fulfill the incoming A->B HTLC, but A is unresponsive: B waits
G
more blocks before giving up waiting for A. A or B commits to the blockchain. - Bad case: B sees A's commitment transaction in block
N+G+S+R+G+1
, and has to spend the HTLC output, which takesS
blocks to be mined. - Worst case: There's another reorganization
R
deep which A uses to spend the commitment transaction, so B sees A's commitment transaction in blockN+G+S+R+G+R
, and has to spend the HTLC output, which takesS
blocks to be mined. - B's HTLC spend needs to be at least
R
deep before it times out, otherwise another reorganization could allow A to timeout the transaction.
Thus the worst case is 3R+2G+2S
assuming R
is at least 1. Note that the
chances of three reorganizations in which the other node wins all of them is
low for R
of 2 or more. Since high fees are used (and HTLC spends can use
almost arbitrary fees), S
should be small, though given that block times are
irregular and empty blocks still occur, S = 2
should be considered a
minimum. Similarly, the grace period G
can be low (1 or 2), as nodes are
required to timeout or fulfill as soon as possible; but too low increases the
risk of unnecessary channel closure due to networking delays.
There are four values that need be derived:
-
The
cltv_expiry_delta
for channels.3R+2G+2S
; if in doubt, acltv_expiry_delta
of 12 is reasonable (R=2, G=1, S=2). -
For sent HTLCs: the timeout deadline after which the channel has to be failed and timed out on-chain. This is
G
blocks after the HTLC'scltv_expiry
: 1 block is reasonable. -
For received HTLCs (with a preimage): the fulfillment deadline after which the channel has to be failed and the HTLC fulfilled on-chain before its
cltv_expiry
. See steps 4-7 above, which imply a deadline of2R+G+S
blocks beforecltv_expiry
: 7 blocks is reasonable. -
The minimum
cltv_expiry
accepted for terminal payments: the worst case for the terminal node C lower at2R+G+S
blocks (steps 1-3 above don't apply). The default in BOLT #11 is 9, which is slightly more conservative than the 6 this calculation suggests.
Requirements
A node MUST estimate a timeout deadline for each HTLC it offers. A node MUST
NOT offer an HTLC with a timeout deadline before its cltv_expiry
, and MUST
fail the channel if an HTLC which it offered is in either node's current
commitment transaction past this timeout deadline.
A node MUST estimate a fulfillment deadline for each HTLC it is attempting to fulfill. A node MUST fail (and not forward) an HTLC whose fulfillment deadline is already past, and MUST fail the connection if a HTLC it has fulfilled is in either node's current commitment transaction past this fulfillment deadline.
Adding an HTLC: update_add_htlc
Either node can send update_add_htlc
to offer a HTLC to the other,
which is redeemable in return for a payment preimage. Amounts are in
millisatoshi, though on-chain enforcement is only possible for whole
satoshi amounts greater than the dust limit: in commitment transactions these are rounded down as
specified in BOLT #3.
The format of the onion_routing_packet
portion, which indicates where the payment
is destined, is described in BOLT #4.
- type: 128 (
update_add_htlc
) - data:
- [
32
:channel_id
] - [
8
:id
] - [
8
:amount_msat
] - [
32
:payment_hash
] - [
4
:cltv_expiry
] - [
1366
:onion_routing_packet
]
- [
Requirements
A sending node MUST NOT offer amount_msat
it cannot pay for in the
remote commitment transaction at the current feerate_per_kw
(see "Updating
Fees") while maintaining its channel reserve, MUST offer
amount_msat
greater than 0, MUST NOT offer amount_msat
below
the receiving node's htlc_minimum_msat
, and MUST set cltv_expiry
less
than 500000000.
For channels with chain_hash
identifying the Bitcoin blockchain, the
sending node MUST set the 4 most significant bytes of amount_msat
to
zero.
A sending node MUST NOT add an HTLC if it would result in it offering
more than the remote's max_accepted_htlcs
HTLCs in the remote commitment
transaction, or if the sum of total offered HTLCs would exceed the remote's
max_htlc_value_in_flight_msat
.
A sending node MUST set id
to 0 for the first HTLC it offers, and
increase the value by 1 for each successive offer.
A receiving node SHOULD fail the channel if it receives an
amount_msat
equal to zero, below its own htlc_minimum_msat
, or
which the sending node cannot afford at the current feerate_per_kw
while
maintaining its channel reserve. A receiving node SHOULD fail the
channel if a sending node adds more than its max_accepted_htlcs
HTLCs to
its local commitment transaction, or adds more than its max_htlc_value_in_flight_msat
worth of offered HTLCs to its local commitment transaction, or
sets cltv_expiry
to greater or equal to 500000000.
For channels with chain_hash
identifying the Bitcoin blockchain, the
receiving node MUST fail the channel if the 4 most significant bytes
of amount_msat
are not zero.
A receiving node MUST allow multiple HTLCs with the same payment hash.
A receiving node MUST ignore a repeated id
value after a
reconnection if the sender did not previously acknowledge the
commitment of that HTLC. A receiving node MAY fail the channel if
other id
violations occur.
The onion_routing_packet
contains an obfuscated list of hops and instructions for each hop along the path.
It commits to the HTLC by setting the payment_hash
as associated data, i.e., including the payment_hash
in the computation of HMACs.
This prevents replay attacks that'd reuse a previous onion_routing_packet
with a different payment_hash
.
Rationale
Invalid amounts are a clear protocol violation and indicate a breakdown.
If a node did not accept multiple HTLCs with the same payment hash, an attacker could probe to see if a node had an existing HTLC. This requirement to deal with duplicates leads us to use a separate identifier; its assumed a 64 bit counter never wraps.
Retransmissions of unacknowledged updates are explicitly allowed for reconnection purposes; allowing them at other times simplifies the recipient code, though strict checking may help debugging.
max_accepted_htlcs
is limited to 483, to ensure that even if both
sides send the maximum number of HTLCs, the commitment_signed
message will
still be under the maximum message size. It also ensures that
a single penalty transaction can spend the entire commitment transaction,
as calculated in BOLT #5.
cltv_expiry
values equal or above 500000000 would indicate a time in
seconds, and the protocol only supports an expiry in blocks.
amount_msat
is deliberately limited for this version of the
specification; larger amounts are not necessary nor wise during the
bootstrap phase of the network.
Removing an HTLC: update_fulfill_htlc
, update_fail_htlc
, and update_fail_malformed_htlc
For simplicity, a node can only remove HTLCs added by the other node. There are three reasons for removing an HTLC: it has timed out, it has failed to route, or the payment preimage is supplied.
The reason
field is an opaque encrypted blob for the benefit of the
original HTLC initiator as defined in BOLT #4,
but there's a special malformed failure variant for the case where
our peer couldn't parse it; in this case the current node encrypts
it into a update_fail_htlc
for relaying.
- type: 130 (
update_fulfill_htlc
) - data:
- [
32
:channel_id
] - [
8
:id
] - [
32
:payment_preimage
]
- [
For a timed out or route-failed HTLC:
- type: 131 (
update_fail_htlc
) - data:
- [
32
:channel_id
] - [
8
:id
] - [
2
:len
] - [
len
:reason
]
- [
For a unparsable HTLC:
- type: 135 (
update_fail_malformed_htlc
) - data:
- [
32
:channel_id
] - [
8
:id
] - [
32
:sha256_of_onion
] - [
2
:failure_code
]
- [
Requirements
A node SHOULD remove an HTLC as soon as it can; in particular, a node SHOULD fail an HTLC which has timed out.
A node MUST NOT send an update_fulfill_htlc
, update_fail_htlc
or
update_fail_malformed_htlc
until the corresponding HTLC is irrevocably
committed in both sides' commitment transactions.
A receiving node MUST check that id
corresponds to an HTLC in its
current commitment transaction, and MUST fail the channel if it does
not.
A receiving node MUST check that the payment_preimage
value in
update_fulfill_htlc
SHA256 hashes to the corresponding HTLC
payment_hash
, and MUST fail the channel if it does not.
A receiving node MUST fail the channel if the BADONION
bit in
failure_code
is not set for update_fail_malformed_htlc
.
A receiving node MAY check the sha256_of_onion
in
update_fail_malformed_htlc
and MAY retry or choose an alternate
error response if it does not match the onion it sent.
Otherwise, a receiving node which has an outgoing HTLC canceled by
update_fail_malformed_htlc
MUST return an error in the
update_fail_htlc
sent to the link which originally sent the HTLC
using the failure_code
given and setting the data to
sha256_of_onion
.
Rationale
A node which doesn't time out HTLCs risks channel failure (see
cltv_expiry_delta
Selection.
A node which sends update_fulfill_htlc
before the sender is also
committed to the HTLC risks losing funds.
If the onion is malformed, the upstream node won't be able to extract a key to generate a response, hence the special failure message which makes this node do it.
The node can check that the SHA256 the upstream is complaining about does match the onion it sent, which may allow it to detect random bit errors. Without re-checking the actual encrypted packet sent, however, it won't know whether the error was its own or on the remote side, so such detection is left as an option.
Committing Updates So Far: commitment_signed
When a node has changes for the remote commitment, it can apply them,
sign the resulting transaction as defined in BOLT #3 and send a
commitment_signed
message.
- type: 132 (
commitment_signed
) - data:
- [
32
:channel_id
] - [
64
:signature
] - [
2
:num_htlcs
] - [
num_htlcs*64
:htlc_signature
]
- [
Requirements
A node MUST NOT send a commitment_signed
message which does not include any
updates. Note that a node MAY send a commitment_signed
message which only
alters the fee, and MAY send a commitment_signed
message which doesn't
change the commitment transaction other than the new revocation hash
(due to dust, identical HTLC replacement, or insignificant or multiple
fee changes). A node MUST include one htlc_signature
for every HTLC
transaction corresponding to BIP69 lexicographic ordering of the commitment
transaction.
A receiving node MUST fail the channel if signature
is not valid for
its local commitment transaction once all pending updates are applied.
A receiving node MUST fail the channel if num_htlcs
is not equal to
the number of HTLC outputs in the local commitment transaction once all
pending updates are applied. A receiving node MUST fail the channel if
any htlc_signature
is not valid for the corresponding HTLC transaction.
A receiving node MUST respond with a revoke_and_ack
message.
Rationale
There's little point offering spam updates; it implies a bug.
The num_htlcs
field is redundant, but makes the packet length check fully self-contained.
Completing the Transition to the Updated State: revoke_and_ack
Once the recipient of commitment_signed
checks the signature, it knows that
it has a valid new commitment transaction, replies with the commitment
preimage for the previous commitment transaction in a revoke_and_ack
message.
This message also implicitly serves as an acknowledgment of receipt
of the commitment_signed
, so it's a logical time for the commitment_signed
sender
to apply to its own commitment, any pending updates it sent before
that commitment_signed
.
The description of key derivation is in BOLT #3.
- type: 133 (
revoke_and_ack
) - data:
- [
32
:channel_id
] - [
32
:per_commitment_secret
] - [
33
:next_per_commitment_point
]
- [
Requirements
A sending node MUST set per_commitment_secret
to the secret used to generate keys for the
previous commitment transaction, MUST set next_per_commitment_point
to the values for its next commitment transaction.
A receiving node MUST check that per_commitment_secret
generates the previous per_commitment_point
, and MUST fail if it does not. A receiving node MAY fail if the per_commitment_secret
was not generated by the protocol in BOLT #3.
Nodes MUST NOT broadcast old (revoked) commitment transactions; doing so will allow the other node to seize all the funds. Nodes SHOULD NOT sign commitment transactions unless it is about to broadcast them (due to a failed connection), to reduce this risk.
Updating Fees: update_fee
An update_fee
message is sent by the node which is paying the
Bitcoin fee. Like any update, it is first committed to the receiver's
commitment transaction, then (once acknowledged) committed to the
sender's. Unlike an HTLC, update_fee
is never closed, simply
replaced.
There is a possibility of a race: the recipient can add new HTLCs
before it receives the update_fee
, and the sender may not be able to
afford the fee on its own commitment transaction once the update_fee
is acknowledged by the recipient. In this case, the fee will be less
than the fee rate, as described in BOLT #3.
The exact calculation used for deriving the fee from the fee rate is given in BOLT #3.
- type: 134 (
update_fee
) - data:
- [
32
:channel_id
] - [
4
:feerate_per_kw
]
- [
Requirements
The node which is responsible for paying the Bitcoin fee SHOULD send
update_fee
to ensure the current fee rate is sufficient for
timely processing of the commitment transaction by a significant
margin.
The node which is not responsible for paying the Bitcoin fee MUST NOT
send update_fee
.
A receiving node SHOULD fail the channel if the update_fee
is too
low for timely processing, or unreasonably large.
A receiving node MUST fail the channel if the sender is not responsible for paying the Bitcoin fee.
A receiving node SHOULD fail the channel if the sender cannot afford
the new fee rate on the receiving node's current commitment
transaction, but it MAY delay this check until the update_fee
is
committed.
Rationale
Bitcoin fees are required for unilateral closes to be effective, particularly since there is no general method for the node which broadcasts it to use child-pays-for-parent to increase its effective fee.
Given the variance in fees, and the fact that the transaction may be spent in the future, it's a good idea for the fee payer to keep a good margin, say 5x the expected fee requirement, but differing methods of fee estimation means an exact value is not specified.
Since the fees are currently one-sided (the party which requested the channel creation always pays the fees for the commitment transaction), it is simplest to only allow it to set fee levels; however, as the same fee rate applies to HTLC transactions, the receiving node must also care about the reasonableness of the fee.
Message Retransmission
Because communication transports are unreliable and may need to be re-established from time to time, the design of the transport has been explicitly separated from the protocol.
Nonetheless, its assumed our transport is ordered and reliable; reconnection introduces doubt as to what has been received, so there are explicit acknowledgments at that point.
This is fairly straightforward in the case of channel establishment
and close where messages have an explicit order, but in normal
operation acknowledgments of updates are delayed until the
commitment_signed
/ revoke_and_ack
exchange, so it cannot be assumed
the updates have been received. This also means that the receiving
node only needs to store updates upon receipt of commitment_signed
.
Note that messages described in BOLT #7 are
independent of particular channels; their transmission requirements
are covered there, and other than being transmitted after init
(like
any message), they are independent of requirements here.
- type: 136 (
channel_reestablish
) - data:
- [
32
:channel_id
] - [
8
:next_local_commitment_number
] - [
8
:next_remote_revocation_number
]
- [
Requirements
A node MUST handle continuing a previous channel on a new encrypted transport.
On disconnection, the funder MUST remember the channel for reconnection if it has broadcast the funding transaction, otherwise it SHOULD NOT.
On disconnection, the non-funding node MUST remember the channel for
reconnection if it has sent the funding_signed
message, otherwise
it SHOULD NOT.
On disconnection, a node MUST reverse any uncommitted updates sent by
the other side (i.e. all messages beginning with update_
for which no
commitment_signed
has been received). Note that a node MAY have
already use the payment_preimage
value from the update_fulfill_htlc
,
so the effects of update_fulfill_htlc
is not completely reversed.
On reconnection, if a channel is in an error state, the node SHOULD retransmit the error packet and ignore any other packets for that channel, and the following requirements do not apply.
On reconnection, a node MUST transmit channel_reestablish
for each channel, and MUST wait for to receive the other node's
channel_reestablish
message before sending any other messages for
that channel. The sending node MUST set next_local_commitment_number
to the
commitment number of the next commitment_signed
it expects to receive, and
MUST set next_remote_revocation_number
to the commitment number of the
next revoke_and_ack
message it expects to receive.
If next_local_commitment_number
is 1 in both the channel_reestablish
it
sent and received, then the node MUST retransmit funding_locked
, otherwise
it MUST NOT. On reconnection, a node MUST ignore a redundant funding_locked
if it receives one.
If next_local_commitment_number
is equal to the commitment number of
the last commitment_signed
message the receiving node has sent, it
MUST reuse the same commitment number for its next commitment_signed
,
otherwise if next_local_commitment_number
is not one greater than the commitment number of the
last commitment_signed
message the receiving node has sent, it
SHOULD fail the channel.
If next_remote_revocation_number
is equal to the commitment number of
the last revoke_and_ack
the receiving node has sent and the receiving node has not already received a closing_signed
, it MUST re-send
the revoke_and_ack
, otherwise if next_remote_revocation_number
is not
equal to one greater than the commitment number of the last revoke_and_ack
the
receiving node has sent (or equal to zero if none have been sent), it SHOULD fail the channel.
A node MUST not assume that previously-transmitted messages were lost:
in particular, if it has sent a previous commitment_signed
message,
a node MUST handle the case where the corresponding commitment
transaction is broadcast by the other side at any time. This is
particularly important if a node does not simply retransmit the exact
same update_
messages as previously sent.
On reconnection if the node has sent a previous closing_signed
it
MUST send another closing_signed
, otherwise if the node
has sent a previous shutdown
it MUST retransmit it.
Rationale
The effect of requirements above are that the opening phase is almost
atomic: if it doesn't complete, it starts again. The only exception
is where the funding_signed
message is sent and not received: in
this case, the funder will forget the channel and presumably open
a new one on reconnect; the other node will eventually forget the
original channel due to never receiving funding_locked
or seeing
the funding transaction on-chain.
There's no acknowledgment for error
, so if a reconnect occurs it's
polite to retransmit before disconnecting again, but it's not a MUST
because there are also occasions where a node can simply forget the
channel altogether.
closing_signed
has no acknowledgment, so must be transmitted again
on reconnect (though negotiation restarts on reconnection, so it need
not be an exact retransmission). The only acknowledgment for
shutdown
is closing_signed
, so that needs to always be retransmitted
unless closing_signed
is.
The handling of updates is similarly atomic: if the commit is not
acknowledged (or wasn't sent) the updates are re-sent. However, its not
insisted they be identical: they could be in a different order, or
involve different fees, or even be missing HTLCs which are now too old
to be added. Requiring they be identical would effectively mean a
write to disk by the sender upon each transmission, whereas the scheme
here encourages a single persistent write to disk for each
commitment_signed
sent or received.
A retransmital of revoke_and_ack
should never be asked for once a
closing_signed
has been received, since that implies a shutdown has been
completed — which can only happen once the revoke_and_ack
was received by the
remote node.
Note that the next_local_commitment_number
starts at 1 since
commitment number 0 is created during opening.
next_remote_revocation_number
will be 0 until the
commitment_signed
for commitment number 1 is received, at which
point the revocation for commitment number 0 is sent.
funding_locked
is implicitly acknowledged by the start of normal
operation, which its known has begun once a commitment_signed
has been
received, thus the test for a next_local_commitment_number
greater
than 1.
A previous draft insisted that the funder "MUST remember ...if it has
broadcast the funding transaction, otherwise it MUST NOT": this was in
fact an impossible requirement, as a node must either first commit to
disk then broadcast the transaction, or the other way around. The new
language reflects this reality: it's surely better to remember a
channel which hasn't been broadcast than forget one which has!
Similarly, for the fundee's funding_signed
message; better to
remember a channel which never opens (and time out) than let the
funder open it with the funder having forgotten it.
Authors
[ FIXME: Insert Author List ]
This work is licensed under a Creative Commons Attribution 4.0 International License.