Statechains: Sending Keys, Not Coins, to Scale Bitcoin Off-Chain

Block space is limited: The Bitcoin blockchain can only process some 10 transactions per second, at most. To solve this, Bitcoin’s technical community is developing second-layer protocols that process transactions “off-chain,” such as the Lightning Network and sidechains. Using clever cryptographic tricks, these transactions are batched to periodically settle on the Bitcoin blockchain as a single transaction.

Now, a new second-layer protocol is entering the fray. Statechains, first proposed by Seoul Bitcoin Meetup organizer and Unhashed Podcast co-host Ruben Somsen, turn the concept of a Bitcoin transaction on its head. Instead of sending coins from address to address, statechain users simply send the private key that can be used to spend the coins.

Here’s why that’s not as crazy as it sounds.

Why Statechains Are Secure (More or Less)

Simplified, a Bitcoin transaction is just a message that says which coins (“UTXOs”) move from which addresses (“inputs”) to which addresses (“outputs”). This message is cryptographically signed with the private keys corresponding to the sending addresses, proving that the owner of these coins created the transaction. The package (the transaction plus signatures) is then sent over the Bitcoin network to eventually be included in a Bitcoin block by a miner.

It is technically possible to just send private keys as payment instead: This allows the recipient of the private key to spend the associated coins. But it is not secure. If the sender — let’s be original and call her “Alice” — sends a private key to the recipient — why not call him “Bob”? — there is no way for Bob to be sure Alice didn’t keep a copy of the key. If she did keep a copy of the key, which we’ll call the “transitory key” in this context, Alice can still spend the coin on the blockchain, so the coin isn’t exclusively Bob’s at all.

Statechains’ first solution to this problem is to add a second key to the mix. By locking the coin into a two-of-two multi-signature (multisig) setup, it can only be moved on the blockchain if both keys sign in agreement.

This second key is generated by a neutral party, Victor, who becomes the facilitator of the statechain. Victor has a very important task. Victor must sign a transaction if, and only if, the last recipient of the transitory key asks him to.

So, let’s say Alice sets up a statechain, with Victor as the facilitator. Alice generates a transitory key, Victor generates Victor’s key, and they use their two keys to create a multisig address. Alice then sends one bitcoin to this address, “locking it up” between Alice and Victor. Now, if Alice wants to send the coin to Bob, she could create a transaction, sign it with the transitory key and ask Victor to sign it as well. With both signatures, Alice can broadcast the transaction, sending the coin to Bob as a regular blockchain transaction.

But that, of course, misses the point of the statechain. Alice has a better idea. Alice instead sends the transitory key to Bob and tells Victor that she did that. This makes Bob the last recipient of the transitory key. Bob can now contact Victor and ask him for a signature to help move the coin.

Alice does still have the transitory key herself as well. However, now, if she were to ask Victor to help sign a transaction to move the coin, Victor would refuse. Alice no longer owns the coin as far as Victor is concerned. And since she only holds the transitory key, she is indeed unable to move it on her own.

Should Bob ever want to move the coins to someone else — say, Carol — he could, of course, repeat the statechain trick. When he sends the transitory key to Carol and tells Victor, Victor will only cooperate with Carol from then on, effectively making the coin Carol’s. This process can be repeated an arbitrary number of times, forwarding the transitory key to Dan, Erin, Frank and so on, without ever requiring a blockchain transaction.

Not Trusting Victor

The scenario as described above doesn’t actually remove all trust from the system. Rather, a great deal of trust is put on Victor.

For one, if Victor doesn’t sign a blockchain transaction when requested, the coin cannot be moved at all. (Maybe Victor’s computer crashed, or he got hit by a bus, or maybe Victor — aware of his power — blackmails the last recipient of the transitory key to pay him part of the coin in return for the signature.)

This problem can be solved — but this is where the statechain design does get slightly more complex.

When she initially sets up the statechain, Alice takes a precautionary step. Even before sending the coin to the multisig address, she creates a “backup transaction” that sends the coin from this multisig address to a new address.

The coin can be spent from this new address under two conditions. Either both Victor and the owner of the transitory key sign the transaction, like normal, or Alice can spend the coins on her own after, say, a week.

Alice does not broadcast this backup transaction to the Bitcoin network. Instead, she gives it to Victor, asks him to sign the transaction and has him give it back to her.

Only after Alice has received this signed (but as yet not broadcasted) backup transaction from Victor does she send her coin to the multisig address. This way, even if Victor disappears, she can broadcast the backup transaction and claim the coins back after a week.

Now, when Alice wants to send the transitory key to Bob, she first contacts Victor and asks him to sign a new backup transaction for Bob and gives it to him. So, when Bob gets the transitory key from Alice, he already has an unbroadcasted but signed backup transaction from Victor, allowing him to claim the coin if Victor disappears.

As one final touch, Alice and Bob (and all subsequent owners of the transitory key) use a trick designed for the Lightning Network called Eltoo. Eltoo would allow Bob to “override” Alice’s backup transaction with his own backup transaction. So if Alice ever tries to cheat by broadcasting her old backup transaction, Bob can either use the week that Alice needs to wait to cooperate with Victor and claim the coin, or he can simply override Alice’s update transaction with his own to get the coins.

First problem solved.
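The rules described so far, modelled as a small Python state machine. This is an added illustration, not code from the article or from any statechain implementation: the class and function names, the integer state counter standing in for Eltoo, and the rule that an override restarts the one-week clock are all assumptions made for the model.

```python
from dataclasses import dataclass

TIMELOCK_DAYS = 7  # the article's "say, a week"

@dataclass(frozen=True)
class Backup:
    owner: str  # may claim alone once the timelock has run out
    state: int  # Eltoo-style counter: a higher state overrides a lower one

@dataclass
class Facilitator:
    """Victor: co-signs only for the last recipient of the transitory key."""
    owner: str
    state: int = 0
    online: bool = True

    def transfer(self, sender, recipient):
        # Only the current owner can ask Victor to recognise a new owner.
        if not self.cosign(sender):
            raise PermissionError(f"{sender} cannot hand over the coin")
        self.owner, self.state = recipient, self.state + 1
        # Stands for the signed, unbroadcast backup the recipient receives.
        return Backup(recipient, self.state)

    def cosign(self, requester):
        return self.online and requester == self.owner

def settle(broadcasts):
    """broadcasts: (day, Backup) pairs seen on-chain; returns the final owner.
    Modelling assumption: an override must land before the live backup's
    timelock expires, and it starts a fresh timelock of its own."""
    (day, live), *rest = sorted(broadcasts, key=lambda b: b[0])
    for d, backup in rest:
        if d < day + TIMELOCK_DAYS and backup.state > live.state:
            day, live = d, backup
    return live.owner
```

In this model a previous owner who broadcasts a stale backup only wins if the current owner fails to respond within the timelock, which is why the current owner has to keep watching the chain.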

Trusting Victor (a Bit)

While the problem of Victor disappearing is solved, there is another problem: Victor could cheat. He could collude with a previous owner of the private key, like Alice, to steal the coin from Bob, Carol, Dan, Erin, Frank or whoever was the last recipient of the transitory key. (He could later also collude with Bob to steal from Carol, Dan, Erin, Frank … and so on.)

This problem cannot actually be solved entirely — and this is perhaps the biggest drawback of statechains. But the risk can be minimized.

One step toward minimizing this risk is to “split up” Victor and replace him with multiple entities. “Victor’s key” is divided. It thus becomes a multisig setup of its own where, say, eight participants out of, say, 12 must cooperate with the transitory key holder to move the coin. Colluding with eight “Victors” should be harder than colluding with just one Victor.

Second, it can be made obvious to the outside world if these “Victors” cheat. This is done by essentially creating a new, miniature blockchain — indeed, the “statechain” — where Alice, Bob, Carol and the others sign a message confirming they’ve forwarded the coin and to whom. If the Victors collude with Alice to spend the coin after she signed it off to Bob on the statechain, everyone sees. (The details of what this miniature blockchain itself would look like exactly aren’t worked out yet, but this is not a very difficult problem to solve.)

Third, these “Victors” could be well-known entities; for example, a group of Bitcoin companies. These companies would have their reputations on the line and, therefore, have something to lose by cheating — even if they could earn a coin by doing so. While not cryptographically perfect, this makes the security assumption for statechains similar to federated sidechains, like Blockstream’s Liquid or the current implementation of RSK Labs’ RSK.
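How an outside observer could audit such a transfer log, sketched in Python as an added example that is not from the article. The article leaves the log format open, so the entry layout, the function names and the `spend_cosigned_for` input are assumptions, and the signatures are a toy Schnorr-style scheme over integers that is not secure and is not Bitcoin's secp256k1.

```python
import hashlib
import secrets

# Toy Schnorr-style signatures in Z_p* (assumption: demo parameters only).
P = 2**127 - 1   # a Mersenne prime
G = 3
N = P - 1        # exponents are reduced modulo the group order

def _h(*parts):
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def keygen():
    x = secrets.randbelow(N - 1) + 1
    return x, pow(G, x, P)            # (private key, public key)

def sign(priv, msg):
    k = secrets.randbelow(N - 1) + 1  # fresh nonce per signature
    r = pow(G, k, P)
    return r, (k + _h(r, msg) * priv) % N

def verify(pub, msg, sig):
    r, s = sig
    return pow(G, s, P) == (r * pow(pub, _h(r, msg), P)) % P

def transfer(chain, sender_priv, recipient_pub):
    """The current owner signs 'entry index:recipient' and appends it."""
    msg = f"{len(chain)}:{recipient_pub}"
    chain.append((recipient_pub, sign(sender_priv, msg)))

def current_owner(first_owner_pub, chain):
    """Walk the log; every entry must be signed by the owner before it."""
    owner = first_owner_pub
    for i, (recipient, sig) in enumerate(chain):
        if not verify(owner, f"{i}:{recipient}", sig):
            raise ValueError(f"entry {i} is not signed by the previous owner")
        owner = recipient
    return owner

def facilitator_cheated(first_owner_pub, chain, spend_cosigned_for):
    """True if the on-chain spend was co-signed for anyone but the log's tip."""
    return spend_cosigned_for != current_owner(first_owner_pub, chain)
```

Binding the entry index into each signed message keeps a previous owner from replaying an old hand-over at a later position in the log.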

And that’s it!

Statechains let you send private keys off-chain instead of sending coins to new addresses. But you can still use the keys to spend the coins on-chain.

Limitations of Statechains (and Potential Solutions)

On top of the required trust in “the Victors” not to collude with a previous statechain participant, statechains do have some limitations.


The first thing to note is that, as they are explained in this article, statechains do require two protocol upgrades: Schnorr signatures and Sighash_Anyprevout (or something similar). Both of these upgrades are works in progress but seem unlikely to be contentious.

Another limitation is that statechains only allow for the transfer of whole UTXOs; Alice’s coin in the context of this article. Since Alice initially locked up exactly one bitcoin, and she sends the transitory key corresponding to this bitcoin, she must pass on the whole coin, and so must Bob, Carol and the others. This is a pretty big limitation compared to a normal Bitcoin transaction, in which any fraction of a coin can be spent, with the remainder returned to the sender as change.


However, this is not necessarily a showstopper. For one, statechains can be combined with another trick called “atomic swaps.” This move would allow Alice to exchange her whole coin with Zach, who has two half coins, in such a way that neither needs to trust the other not to back out of the trade halfway. All this can happen without requiring an on-chain transaction. This increases flexibility.

Second, even transferring whole UTXOs can be very useful in some contexts. Perhaps most interestingly, it would allow people to transfer entire Lightning channels. By balancing a Lightning channel to the exact right amount (for example, by first paying herself in a different channel), Alice can still pay Bob a fraction of the coin. As a bonus, this would let Bob open Lightning channels instantly, without requiring an on-chain funding transaction (which takes time and fees).

Plus, since Lightning transactions have the opposite problem — large value transfers are harder to complete than smaller ones — statechains and the Lightning Network could complement each other quite nicely.

Privacy Questions

It’s also not yet clear how much privacy statechains could offer exactly. In a worst case scenario, the Victors and other participants in the statechain would know exactly who paid whom. (Although in reality these would still be public keys, not real names.) There are ways to improve this when it comes to the Victors. Using blind signatures (a cryptographic trick first proposed by eCash inventor David Chaum in the 1980s), for example, has the added benefit of being able to offload responsibility for transactions from the Victors to the users themselves. (The Victors would ideally not even know what they’d sign.)

Privacy from other participants could in turn be solved with atomic swaps as well, which would help obfuscate the chain of ownership. There are probably more solutions to improve privacy, like CoinJoin adaptations. (This is, for example, also what the privacy-preserving Wasabi Wallet uses.) But details have yet to be worked out.

There are also some concerns about previous participants in the chain trying to cheat by trying to claim coins through the backup transaction. While this would be unlikely to succeed, it would only cost an (on-chain) transaction fee to try, so opportunistic cheating behavior might limit statechains’ potential.

Finally, statechains are, of course, a relatively new concept; peer review is ongoing.

Thanks to Ruben Somsen for information and feedback. For more information on statechains, see his explainer on Medium or his presentation at Breaking Bitcoin in Amsterdam.

The post Statechains: Sending Keys, Not Coins, to Scale Bitcoin Off-Chain appeared first on Bitcoin Magazine.
