Hash Time Lock Contract (HTLC)

Hash Time Lock Contract (HTLC)

First proposed by Lighting Network, this contract allows two participants (e.g., Alice and Bob) to swap their tokens without trusting each other. It can be instantiated by the following script:

IF
  <BKey> CHECKSIGVERIFY
  HASH160 <H> EQUAL
ELSE
  <AKey> CHECKSIGVERIFY
  <ATime> CHECKLOCKTIMEVERIFY
ENDIF

Alice and Bob can swap their coins through the above contract, spefically,

1. Alice picks a random number x
2. Alice creates TX1: “Pay w BTC to <B’s public key> if (x for H(x) known and signed by Bob) or (signed by Alice & Bob)”
3. A creates TX2: “Pay w BTC from TX1 to <Alice’s public key>, locked 48 hours in the future, signed by Alice”
4. Alice sends TX2 to Bob
5. Bob signs TX2 and returns to Alice
6. Alice submits TX1 to the network
7. Bob creates TX3: “Pay v alt-coins to if (x for H(x) known and signed by Alice) or (signed by Alice & Bob)"
8. B creates TX4: “Pay v alt-coins from TX3 to <B’s public key>, locked 24 hours in the future, signed by B”
9. Bob sends TX4 to A
10. Alice signs TX4 and sends back to Bob
11. Bob submits TX3 to the network
12. Alice spends TX3, by revealing x
13. Bob spends TX1 using x

The above protocol can be summarized by one sentence - “I’ll let you take my funds but in doing so you have to reveal a secret that lets me take your funds.”

HTLC can be further extended to support atomic cross-chain swap. (e.g., BTC <-> ETC)

Potential attacks

• Secret size attack.
  • This attack works when two participants own some coins in two different Blockchains, and these two Blockchains support different maximum data size as the input.
  • For instance, suppose Alice owns some coins on Blockchain A which supports the maximum data size by 500 bytes, while Bob owns some coins on Blockchain B which supports the maximum data size by 1000 bytes.
  • Alice can scam Bob and steal Bob’s coins by picking a secret R with 700 bytes and sending the HTLC transaction to Bob. Bob can only observe the length of Hash(R) which is 20 bytes, he cannot identify the exact length of the secret R.
  • After Bob contructing and committing her HTLC transaction, Alice can redeem Bob’s coins by feeding R to Bob’s HTLC transaction, while when Bob tries to redeem Alice’s coins by feeding R into Alice’s HTLC transaction, Blockchain A will reject Bob’s request because the input R exceeds the maximum data size allowed by Blockchain A.
  • As a consequence, Bob cannot redeem Alice’s coins, and after the locked time, Alice can get its coins back while Bob loses her coin.
• Packet, memory-pool sniffing attack.
  • To be updated…

Reference:

1. [Atomic swap].
2. [Secret size attack].