Bi-directional micropayment channels with CHECKLOCKTIMEVERIFY

Background: micropayment channels, OP_CHECKLOCKTIMEVERIFY

A micropayment channel lets you set up a channel over which you can send small payments to a second party, without putting all those payments on the blockchain. The simplest version of the idea uses an initial deposit transaction to a 2-of-2 multisig address, and nLockTime to create a refund of that deposit that can only be spent in the future. Then you can directly send the payment receiver transactions with an earlier nLockTime and that refund you slightly less. Only the payment receiver can add their own signature to the last transaction and claim the total amount you sent them.

One problem here is that transaction mutability may let the payment receiver alter the deposit transaction in such a way that the refund transaction is invalid, which means you must trust the receiver in the setup phase. CHECKLOCKTIMEVERIFY (listed as BIP 65) would solve this this by adding a locktime check to Bitcoin Script itself, allowing you to make a deposit transaction to a P2SH address that inherently permits you to sign your own refund transaction at some future time, in addition to a 2-of-2 multisig lock that requires both you and the payment receiver to add one signature.

A limitation of this sort of channel is that payments flow only in one direction. This is because the payment receiver can sign any transaction you send them, not just the most recent one, and so it's possible to just sign the transaction transferring the largest amount into their control. This is easily remedied by opening a second payment channel in the opposite direction, but now both parties have to deposit funds over the lifetime of the two channels. If one party doesn't know ahead of time whether or not the other party will go into credit, having only one channel may save the use of a deposit.

I propose a way of using CHECKLOCKTIMEVERIFY to allow a reversible payment channel, introducing at most one additional broadcast transaction, with a waiting period before the payment receiver can access deposited funds. The extra transaction and waiting period apply only when the depositor doesn't co-operate with the receiver.

In this protocol, the setup is identical, with a deposit made to a P2SH address matching a script allowing either single-party+CHECKLOCKTIME or 2-of-2. In this case, however, all payments made by the depositor occur in the form of unbroadcast transactions to special holding addresses.

These holding addresses are themselves P2SH addresses, with scripts known to both parties. Each script may be redeemed in one of two ways:

by the payment receiver, using a CHECKLOCKTIME restriction that expires some period of time after the restriction on the depositor's refund transaction, or
by the depositor, using their own signature, together with a hashlock.

In the second case, we actually use a double hashlock, i.e. the depositor must provide a value which when SHA256-hashed twice produces the value in the script.

The receiver generates these values according to the following algorithm: Beginning with a secret S₀, they double hash S₀ to make the hashlock value for the first payment, D₀ =H(H(S₀)). Then to make S_i+1 given S_i, they create a public nonce, N_i, and let S_i+1 = H(N_i | H(S_i)), where a|b denotes the string a followed by the string b. The hashlock values D_i are not secret, and can be disclosed in advance or as part of the process of receiving the associated payment.

When the receiver wants to refund some amount to the depositor, the receiver finds the last payment which left the depositor with a balance greater than the desired balance, and negotiates a rewind of the payment sequence to that point, with an additional payment of the remainder by the depositor. Suppose the last payment that will remain valid was the i-th payment, counting from zero. The receiver creates a new nonce, N'_i, creates the associated new secret value S'_i+1 by S'_i+1 = H(N'_i | H(S_i)), and sends D'_i+1 to the depositor with a request for payment of the right amount. This amount will be greater than that associated to D_i, but less than that associated to D_i+1, so the depositor does not need to trust the receiver in order to honour the request. The payment chain is now forked at D_i, with a branch D_i+1, D_i+2... and a branch that only has D'_i+1. The receiver now unwinds the old branch, back to D_i, by revealing S_i+1 to the depositor. The depositor can now generate - and check - the secrets S_i+1, S_i+2..., and so knows that if the receiver attempts to sign and broadcast a transaction to an address using one of those secrets, the depositor can take back all their funds before the receiver is able to put their own (CHECKLOCKTIME restricted) transaction from that address on the blockchain. Now the best usable payment to the receiver is the one associated to D'_i+'.

When the two parties want to close the payment channel, one party signs a transaction from the deposit address to whatever addresses are desired, and sends the transaction to the other party to add their own signature and publish. This avoids either party having to wait for CHECKLOCKTIME restrictions to expire. If either party abandons the protocol at this point, the other can use the CHECKLOCKTIME restrictions to ensure they get at least as much as they would if both cooperated. Note that the holding addresses are only used on the blockchain when the protocol is abandoned.

This protocol does not deal with the case of malicious attacks on a party's network connection, which could keep them offline until CHECKLOCKTIME has expired. This is something that each party should consider when choosing how long the restrictions should be in place for. The protocol improves on blueadept's use of a new nLockTime for each reverse payment, by keeping the wait time independent of the number of payments, and not requiring either party to predict ahead of time how many payments will occur.