https://en.bitcoin.it/w/index.php?title=BIP_0199&feed=atom&action=historyBIP 0199 - Revision history2024-03-28T21:15:13ZRevision history for this page on the wikiMediaWiki 1.30.0https://en.bitcoin.it/w/index.php?title=BIP_0199&diff=66758&oldid=prev934: Update BIP text with latest version from https://github.com/bitcoin/bips/blob/b5723035e23896d0/bip-0199.mediawiki2019-09-24T17:58:33Z<p>Update BIP text with latest version from https://github.com/bitcoin/bips/blob/b5723035e23896d0/bip-0199.mediawiki</p>
<p><b>New page</b></p><div>{{bip}}<br />
{{BipMoved|bip-0199.mediawiki}}<br />
<br />
<pre><br />
BIP: 199<br />
Layer: Applications<br />
Title: Hashed Time-Locked Contract transactions<br />
Author: Sean Bowe <sean@z.cash><br />
Daira Hopwood <daira@z.cash><br />
Comments-Summary: No comments yet.<br />
Comments-URI: https://github.com/bitcoin/bips/wiki/Comments:BIP-0199<br />
Status: Draft<br />
Type: Standards Track<br />
Created: 2017-03-27<br />
License: BSD-3-Clause<br />
CC0-1.0<br />
</pre><br />
<br />
==Abstract==<br />
<br />
This BIP describes a script for generalized off-chain contract negotiation.<br />
<br />
==Summary==<br />
<br />
A Hashed Time-Locked Contract (HTLC) is a script that permits a designated party (the "seller") to spend funds by disclosing the preimage of a hash. It also permits <br />
a second party (the "buyer") to spend the funds after a timeout is reached, in a refund situation.<br />
<br />
The script takes the following form:<br />
<br />
OP_IF<br />
[HASHOP] <digest> OP_EQUALVERIFY OP_DUP OP_HASH160 <seller pubkey hash> <br />
OP_ELSE<br />
<num> [TIMEOUTOP] OP_DROP OP_DUP OP_HASH160 <buyer pubkey hash><br />
OP_ENDIF<br />
OP_EQUALVERIFY<br />
OP_CHECKSIG<br />
<br />
[HASHOP] is either OP_SHA256 or OP_HASH160.<br />
<br />
[TIMEOUTOP] is either OP_CHECKSEQUENCEVERIFY or OP_CHECKLOCKTIMEVERIFY.<br />
<br />
===Interaction===<br />
<br />
* Victor (the "buyer") and Peggy (the "seller") exchange public keys and mutually agree upon a timeout threshold. Peggy provides a hash digest. Both parties can now construct the script and P2SH address for the HTLC.<br />
* Victor sends funds to the P2SH address.<br />
* Either:<br />
** Peggy spends the funds, and in doing so, reveals the preimage to Victor in the transaction; OR<br />
** Victor recovers the funds after the timeout threshold.<br />
<br />
Victor is interested in a lower timeout to reduce the amount of time that his funds are encumbered in the event that Peggy does not reveal the preimage. Peggy is <br />
interested in a higher timeout to reduce the risk that she is unable to spend the funds before the threshold, or worse, that her transaction spending the funds does <br />
not enter the blockchain before Victor's but does reveal the preimage to Victor anyway.<br />
<br />
==Motivation==<br />
<br />
In many off-chain protocols, secret disclosure is used as part of a settlement mechanism. In some others, the secrets themselves are valuable. HTLC transactions are <br />
a safe and cheap method of exchanging secrets for money over the blockchain, due to the ability to recover funds from an uncooperative counterparty, and the <br />
opportunity that the possessor of a secret has to receive the funds before such a refund can occur.<br />
<br />
===Lightning network===<br />
<br />
In the lightning network, HTLC scripts are used to perform atomic swaps between payment channels.<br />
<br />
Alice constructs K and hashes it to produce L. She sends an HTLC payment to Bob for the preimage of L. Bob sends an HTLC payment to Carol for the same preimage and <br />
amount. Only when Alice releases the preimage K does any exchange of value occur, and because the secret is divulged for each hop, all parties are compensated. If <br />
at any point some parties become uncooperative, the process can be aborted via the refund conditions.<br />
<br />
===Zero-knowledge contingent payments===<br />
<br />
Various practical zero-knowledge proving systems exist which can be used to guarantee that a hash preimage derives valuable information. As an example, a <br />
zero-knowledge proof can be used to prove that a hash preimage acts as a decryption key for an encrypted sudoku puzzle solution. (See <br />
[https://github.com/zcash/pay-to-sudoku pay-to-sudoku] for a concrete example of such a protocol.)<br />
<br />
HTLC transactions can be used to exchange such decryption keys for money without risk, and they do not require large or expensive-to-validate transactions.<br />
<br />
==Implementation==<br />
<br />
https://github.com/bitcoin/bitcoin/pull/7601<br />
<br />
==Copyright==<br />
<br />
This document is dual licensed as BSD 3-clause, and Creative Commons CC0 1.0 Universal.</div>934