Statechains: Sending Keys, Not Coins, to Scale Bitcoin Off-Chain

Block space is limited: The Bitcoin blockchain can only process some 10 transactions per second, at most. To solve this, Bitcoin’s technical community is developing second-layer protocols that process transactions “off-chain,” such as the Lightning Network and sidechains. Using clever cryptographic tricks, these transactions are batched to periodically settle on the Bitcoin blockchain as a single transaction.

Now, a new second-layer protocol is entering the fray. Statechains, first proposed by Seoul Bitcoin Meetup organizer and Unhashed Podcast co-host Ruben Somsen, turn the concept of a Bitcoin transaction on its head. Instead of sending coins from address to address, statechain users just send the private key that can be used to spend the coins.

Here’s why that’s not as crazy as it sounds.

Why Statechains Are Secure (More or Less)

Simplified, a Bitcoin transaction is just a message that says which coins (“UTXOs”) move from which addresses (“inputs”) to which addresses (“outputs”). This message is cryptographically signed with the private keys corresponding to the sending addresses, proving that the owner of these coins created the transaction. The package (the transaction plus signatures) is then sent over the Bitcoin network to eventually be included in a Bitcoin block by a miner.

It is technically possible to just send private keys as payment instead: This allows the recipient of the private key to spend the associated coins. But it is not secure. If the sender — let’s be original and call her “Alice” — sends a private key to the recipient — why not call him “Bob”? — there is no way for Bob to be sure Alice didn’t make a copy of the key. If she did make a copy of the key, which we’ll call the “transitory key” in this context, Alice can still spend the coin on the blockchain, so the coin isn’t exclusively Bob’s at all.

Statechains’ first solution to this problem is to add a second key to the mix. By locking the coin into a two-of-two multi-signature (multisig) setup, it can only be moved on the blockchain if both keys sign.

This second key is generated by a neutral party, Victor, who becomes the facilitator of the statechain. Victor has a very important task. Victor must sign a transaction if, and only if, the last recipient of the transitory key asks him to.

So, let’s say Alice sets up a statechain, with Victor as the facilitator. Alice generates a transitory key, Victor generates Victor’s key, and they use their two keys to create a multisig address. Alice then sends one bitcoin to this address, “locking it up” between Alice and Victor. Now, if Alice wants to send the coin to Bob, she could create a transaction, sign it with the transitory key and ask Victor to sign it as well. With both signatures, Alice can broadcast the transaction, sending the coin to Bob as a regular blockchain transaction.

But that, of course, misses the point of the statechain. Alice has a better idea. Alice instead sends the transitory key to Bob and tells Victor that she did that. This makes Bob the last recipient of the transitory key. Bob can now contact Victor and ask him for a signature to help move the coin.

Alice does still have the transitory key herself as well. However, now, if she were to ask Victor to help sign a transaction to move the coin, Victor would refuse. Alice no longer owns the coin as far as Victor is concerned. And since she only holds the transitory key, she is indeed unable to move it on her own.

Should Bob ever want to move the coins to someone else — say, Carol — he could, of course, repeat the statechain trick. When he sends the transitory key to Carol and tells Victor, Victor will only cooperate with Carol from then on, effectively making the coin Carol’s. This process can be repeated an arbitrary number of times, forwarding the transitory key to Dan, Erin, Frank and so on, without ever requiring a blockchain transaction.

Not Trusting Victor

The scenario as described above doesn’t actually remove all trust from the system. Rather, a good deal of trust is put on Victor.

For one, if Victor doesn’t sign a blockchain transaction when requested, the coin cannot be moved at all. (Maybe Victor’s computer crashed, or he got hit by a bus, or maybe Victor — aware of his power — blackmails the last recipient of the transitory key to pay him part of the coin in return for the signature.)

This problem can be solved — but this is where the statechain design does get slightly more complex.

When she initially sets up the statechain, Alice takes a precautionary step. Even before sending the coin to the multisig address, she creates a “backup transaction” that sends the coin from this multisig address to a new address.

The coin can be spent from this new address under two conditions. Either both Victor and the owner of the transitory key sign the transaction, like normal, or Alice can spend the coins on her own after, say, a week.

Alice does not broadcast this backup transaction to the Bitcoin network. Instead, she gives it to Victor, asks him to sign the transaction and has him give it back to her.

Only after Alice has received this signed (but as yet not broadcasted) backup transaction from Victor does she send her coin to the multisig address. This way, even if Victor disappears, she can broadcast the backup transaction and claim the coins back after a week.

Now, when Alice wants to send the transitory key to Bob, she first contacts Victor and asks him to sign a new backup transaction for Bob and gives it to him. So, when Bob gets the transitory key from Alice, he already has an unbroadcasted but signed backup transaction from Victor, allowing him to claim the coin if Victor disappears.

As one final touch, Alice and Bob (and all subsequent owners of the transitory key) use a trick designed for the Lightning Network called Eltoo. Eltoo would allow Bob to “override” Alice’s backup transaction with his own backup transaction. So if Alice ever tries to cheat by broadcasting her old backup transaction, Bob can either use the week that Alice needs to wait to cooperate with Victor and claim the coin, or he can simply override Alice’s update transaction with his own to get the coins.

First problem solved.

Trusting Victor (a Bit)

While the problem of Victor disappearing is solved, there is another problem: Victor could cheat. He could collude with a previous owner of the private key, like Alice, to steal the coin from Bob, Carol, Dan, Erin, Frank or whoever was the last recipient of the transitory key. (He could later also collude with Bob to steal from Carol, Dan, Erin, Frank … and so on.)

This problem cannot actually be solved entirely — and this is perhaps the biggest drawback of statechains. But the risk can be minimized.

One step toward minimizing this risk is to “split up” Victor and replace him with multiple entities. “Victor’s key” is divided. It thus becomes a multisig setup of its own where, say, eight participants out of, say, 12 must cooperate with the transitory key holder to move the coin. Colluding with eight “Victors” should be harder than colluding with just one Victor.

Second, it can be made obvious to the outside world if these “Victors” cheat. This is done by essentially creating a new, miniature blockchain — indeed, the “statechain” — where Alice, Bob, Carol and the others sign a message confirming they’ve forwarded the coin and to whom. If the Victors collude with Alice to spend the coin after she signed it off to Bob on the statechain, everyone sees. (The details of what this miniature blockchain itself would look like exactly aren’t worked out yet, but this is not a very difficult problem to solve.)

Third, these “Victors” could be well-known entities; for example, a group of Bitcoin companies. These companies would have their reputations on the line and, therefore, have something to lose by cheating — even if they could earn a coin by doing so. While not cryptographically perfect, this makes the security assumption for statechains similar to federated sidechains, like Blockstream’s Liquid or the current implementation of RSK Labs’ RSK.
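
The sign-off log and Victor’s signing rule described above, as an added example that is not part of the original article or of the statechain proposal. It assumes each participant holds a separate identity key for the log (the transitory key itself is shared), treats the Victors as a single check, and uses a toy Schnorr scheme; all function names are hypothetical.

```python
import hashlib

# Toy Schnorr over integers mod the Mersenne prime 2**127 - 1.
# Constructed for illustration only; not a secure parameter choice.
P, N, G = 2**127 - 1, 2**127 - 2, 3

def _h(*parts):
    data = "|".join(map(str, parts)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def keygen(seed):
    sk = _h("sk", seed) or 1
    return sk, pow(G, sk, P)

def sign(sk, msg):
    k = _h("nonce", sk, msg) or 1          # deterministic nonce
    r = pow(G, k, P)
    return r, (k + _h(r, msg) * sk) % N

def verify(pub, msg, sig):
    r, s = sig
    return pow(G, s, P) == r * pow(pub, _h(r, msg), P) % P

def transfer(log, owner_sk, new_pub):
    """Current owner signs the coin over to new_pub on the public log."""
    log.append((new_pub, sign(owner_sk, f"{len(log)}:{new_pub}")))

def current_owner(first_pub, log):
    """Replay the log; every entry must be signed by the owner before it."""
    owner = first_pub
    for i, (new_pub, sig) in enumerate(log):
        if not verify(owner, f"{i}:{new_pub}", sig):
            raise ValueError(f"entry {i} is not signed by the owner")
        owner = new_pub
    return owner

def victor_should_sign(first_pub, log, request, request_sig):
    """Victor's rule: co-sign only for the last recipient on the log."""
    return verify(current_owner(first_pub, log), request, request_sig)

if __name__ == "__main__":
    (a_sk, a_pub), (b_sk, b_pub) = keygen("alice"), keygen("bob")
    log = []
    transfer(log, a_sk, b_pub)              # Alice signs off to Bob
    req = "move coin on-chain"              # constructed request text
    print("Bob:  ", victor_should_sign(a_pub, log, req, sign(b_sk, req)))
    print("Alice:", victor_should_sign(a_pub, log, req, sign(a_sk, req)))
```

An outside observer can run the same `current_owner` replay against a spend the Victors co-signed: if the request was not signed by the last recipient on the log, the collusion is visible.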

And that’s it!

Statechains let you send private keys off-chain instead of sending coins to new addresses.

Limitations of Statechains (and Potential Solutions)

On top of the required trust in “the Victors” not to collude with a previous statechain participant, statechains do have some limitations.

The first thing to note is that, as they are explained in this article, statechains do require two protocol upgrades: Schnorr signatures and Sighash_Anyprevout (or something similar). Both of these upgrades are works in progress but seem unlikely to be contentious.

Another limitation is that statechains only allow for the transfer of whole UTXOs; Alice’s coin in the context of this article. Since Alice initially locked up exactly one bitcoin, and she sends the transitory key corresponding to this bitcoin, she must pass on the whole coin, and so must Bob, Carol and the others. This is a pretty big limitation compared to a normal Bitcoin transaction, in which any fraction of a coin can be spent, with the remainder returned to the sender as change.

However, this is not necessarily a showstopper. For one, statechains can be combined with another trick called “atomic swaps.” This move would allow Alice to exchange her whole coin with Zach, who has two half coins, in such a way that neither needs to trust the other not to back out of the trade halfway. All this can happen without requiring an on-chain transaction. This increases flexibility.

Second, even transferring whole UTXOs can be very useful in some contexts. Perhaps most interestingly, it would allow participants to transfer entire Lightning channels. By balancing a Lightning channel to the exact right amount (for example, by first paying herself in a different channel), Alice can still pay Bob a fraction of the coin. As a bonus, this would let Bob open Lightning channels instantly, without requiring an on-chain funding transaction (which takes time and fees).

Plus, since Lightning transactions have the opposite problem — large value transfers are harder to complete than smaller ones — statechains and the Lightning Network could complement one another quite nicely.

Privacy Questions

It’s also not yet clear how much privacy statechains could offer exactly. In a worst case scenario, the Victors and other participants in the statechain would know exactly who paid whom. (Though in reality these would still be public keys, not real names.) There are ways to improve this in relation to the Victors. Using blind signatures (a cryptographic trick first proposed by eCash inventor David Chaum in the 1980s), for example, has the added benefit of being able to offload responsibility for transactions from the Victors to the users themselves. (The Victors would ideally not even know what they’d sign.)

Privacy from other participants could in turn be solved with atomic swaps as well, which would help obfuscate the chain of ownership. There are probably more solutions to improve privacy, like CoinJoin variations. (This is, for example, also what the privacy-preserving Wasabi Wallet uses.) But details have yet to be worked out.

There are also some concerns about old participants in the chain trying to cheat by attempting to claim coins through the backup transaction. While this would be unlikely to succeed, it would only cost an (on-chain) transaction fee to try, so opportunist cheating behavior could limit statechains’ potential.

Finally, statechains are, of course, a relatively new concept; peer review is ongoing.

Thanks to Ruben Somsen for information and feedback. For more information on statechains, see his explainer on Medium or his presentation at Breaking Bitcoin in Amsterdam.

