
I've been pondering how the Lightning Network will work when one of the parties in a channel tries to cheat. It seems that publishing a transaction that shouldn't be published (a "bad act") must involve publishing something the victim can use to unwind everything. I'm trying to identify what it is that the bad act provides to the victim, the "signature as a private key" seemed like a possibility.

Even if the "signature as a private key" idea isn't used in LN, it seems like a useful concept, but I couldn't find anything on the internet discussing it. I tried a Google search and then came here.

Murch
Dave Scotese

2 Answers

It seems that publishing a transaction that shouldn't be published (a "bad act") must involve publishing something the victim can use to unwind everything.

Really, I should have asked the question that Murch answered for me (and the LN paper also answers it, but I didn't read it carefully enough the first time). That question is: "Does LN use signatures as private keys?" The answer is no, it uses the existence of UTXOs from obsolete transactions as the information published by a cheater to defeat the cheat.

Thanks to Murch's explanation, and the link Nick provided to the LN paper, I can answer my own question. There is a scenario I now understand better, so I'll mention it below.

In fact, the bad act itself is publishing an "obsolete" transaction that puts (some) bitcoin into each party's address, but from which the cheater can't spend for a while. The existence of that transaction in the blockchain is what the victim can use to unwind the bad act. This is the case because the victim, according to the way LN works, will have an "anti-cheat" (Murch's term) transaction from the cheater, already signed, which spends the cheater's output from that obsolete transaction. It's a useless transaction unless the obsolete one gets broadcast, and once that happens, it becomes useful and will end up sending most of the funds to the victim.

This may seem to provide the cheater with a "double-spend" opportunity. The bad act (publishing the obsolete transaction) creates an output (the cheater's output) that the anti-cheat transaction is supposed to send to the victim. Couldn't the cheater make their own transaction that also spends that output, but provides a high fee to reward miners for choosing to help the cheater? The answer is no, the cheater can't make such a transaction because the outputs from the obsolete transaction require signatures from both parties. The cheater already signed the anti-cheat transaction.

On the other hand, regarding the question I actually posed, I think the answer is NO, there is currently no tech that uses a signature as a private key. Perhaps this is for the reasons Nate gave in his comment, or perhaps no one who could appreciate the benefits of doing so has thought of it yet.

Dave Scotese

What you're describing isn't really a public key/private key system. Public key cryptography was invented to allow you to give someone the capability to authenticate a message from you without giving them the ability to forge messages from you.

Creating what you're after is much simpler. Imagine the following scriptPubKey:

OP_SHA256 <32 byte hash> OP_EQUAL

To spend this, you would supply a 32 byte value that hashes to the hash in the contract. If you spent it, everyone would see the value needed to spend it.

See also the lightning paper.

Nick ODell
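To make the hash-lock idea in the answer above concrete, here is an added example (not code from the original post) with a tiny evaluator for the script OP_SHA256 <32 byte hash> OP_EQUAL. It shows that the spend reveals the preimage to everyone, so the preimage behaves nothing like a private key: once revealed, anyone can reuse it. The helper names and the sample preimage are constructed for this example.

```python
import hashlib

# Minimal evaluator for the hash-lock scriptPubKey discussed above.
# Only the opcodes that script needs are implemented; real Bitcoin Script
# has many more opcodes and stricter encoding rules. Constructed example.

OP_SHA256, OP_EQUAL = "OP_SHA256", "OP_EQUAL"

def hashlock_script_pubkey(preimage: bytes) -> list:
    """Locking script for a secret preimage: OP_SHA256 <hash> OP_EQUAL."""
    return [OP_SHA256, hashlib.sha256(preimage).digest(), OP_EQUAL]

def run_script(script_sig: list, script_pubkey: list) -> bool:
    """Run scriptSig then scriptPubKey on one stack; True if the spend is valid."""
    stack = []
    for item in script_sig + script_pubkey:
        if item == OP_SHA256:
            if not stack:
                return False
            stack.append(hashlib.sha256(stack.pop()).digest())
        elif item == OP_EQUAL:
            if len(stack) < 2:
                return False
            a, b = stack.pop(), stack.pop()
            stack.append(b"\x01" if a == b else b"")
        else:
            stack.append(item)  # raw data push
    return bool(stack) and stack[-1] != b""

def preimage_revealed_by_spend(script_sig: list) -> bytes:
    """What every node learns once the spending transaction is broadcast."""
    return b"".join(x for x in script_sig if isinstance(x, bytes))

if __name__ == "__main__":
    secret = b"A" * 32                      # constructed 32-byte preimage
    lock = hashlock_script_pubkey(secret)
    assert run_script([secret], lock)       # correct preimage unlocks it
    assert not run_script([b"B" * 32], lock)  # wrong preimage fails
    # After the spend is seen on the network, the preimage is public, so a
    # second output locked to the same hash can be taken by anyone.
    leaked = preimage_revealed_by_spend([secret])
    assert run_script([leaked], hashlock_script_pubkey(secret))
```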