RSM Contracts

  1. it can be spent by the owner (Alice) only after it has reached maturity (some time has passed)
  2. it can be spent immediately by the other party (Bob) if he previously obtained from Alice a Revocation Key

Commitment Transactions

RSM Contracts are useful for the construction of payment channels in Lightning Network. In a payment channel, the two parties make bidirectional payments and update the balance multiple times using what are called Commitment Transactions. Each time the balance is updated, the old state (old Commitment Transaction) must be revoked. Commitment Transactions are intended for off-chain use (second layer), but they can be broadcast to the main chain if one of the parties so desires.

When a new Commitment Transaction is agreed, the old Commitment Transaction must be revoked
  • spends from a 2-of-2 multisig (wrapped in a P2WSH), therefore it requires signatures from both parties (Alice and Bob) in order to unlock the funds
  • sends funds to both participants (except when the amount is below the dust limit)
Commitment Transaction
Alice (the owner) is delayed in getting the funds, giving Bob time to penalize her if he has a Revocation Key

Alice is the Owner

What exactly does it mean that “Alice is the owner” and why isn’t Bob also the owner since he is part of this transaction too?

But Bob has the Revocation Key

What does it mean that “Bob has the Revocation Key” and how come he can use it, but Alice cannot? The code inside the “Pay Bob” box is (was):

2 <AlicePublicKey01> <BobPublicKey01> 2 OP_CHECKMULTISIG

Long Story Short

Alice can broadcast, but Bob can revoke.
Alice cannot revoke and Bob cannot broadcast.

Revocation Improvements

The initial Lightning Network Paper specified a 2-of-2 multisig as the revocation mechanism. However, it was later replaced with a more efficient technique that uses elliptic curve point multiplication. The updated version is of the form:

<revocationpubkey> OP_CHECKSIG
revocationpubkey = AlicePublicKey01 + BobPublicKey01

Script

The Bitcoin Script for the RSM Contract is quite simple, and it is easy to observe the two possible paths:

OP_IF
<revocationpubkey>
OP_ELSE
`to_self_delay` OP_CHECKSEQUENCEVERIFY OP_DROP
<local_delayedpubkey>
OP_ENDIF
OP_CHECKSIG

Spending the Output

As specified in the BOLT 03 spec:

<local_delayedsig> <>
<revocation_sig> 1
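
The following Python is an added example, not code from the original article or from the BOLT spec. It serializes the script above, derives its P2WSH scriptPubKey, and classifies a spending witness by the branch it selects, the way a watcher on Bob's side could tell a penalty spend from Alice's delayed spend. Assumptions: function names are hypothetical, key and signature bytes are constructed placeholders, and the two witnesses are read as `<local_delayedsig> <>` for the delayed path and `<revocation_sig> 1` for the revocation path.

```python
import hashlib

OP_IF, OP_ELSE, OP_ENDIF = 0x63, 0x67, 0x68
OP_DROP, OP_CHECKSIG, OP_CSV = 0x75, 0xAC, 0xB2

def push(data: bytes) -> bytes:
    if not 1 <= len(data) <= 75:
        raise ValueError("direct push handles 1..75 bytes only")
    return bytes([len(data)]) + data

def script_num(n: int) -> bytes:
    """Minimal encoding of a non-negative integer."""
    if n == 0:
        return b"\x00"                      # OP_0
    if n <= 16:
        return bytes([0x50 + n])            # OP_1 .. OP_16
    # Little-endian magnitude with room for the sign bit (144 -> 90 00).
    return push(n.to_bytes((n.bit_length() + 8) // 8, "little"))

def to_local_script(revocationpubkey, to_self_delay, local_delayedpubkey):
    return (bytes([OP_IF]) + push(revocationpubkey) + bytes([OP_ELSE])
            + script_num(to_self_delay) + bytes([OP_CSV, OP_DROP])
            + push(local_delayedpubkey) + bytes([OP_ENDIF, OP_CHECKSIG]))

def p2wsh(script: bytes) -> bytes:
    """scriptPubKey of the output: OP_0 <SHA256(witness script)>."""
    return b"\x00\x20" + hashlib.sha256(script).digest()

def classify_spend(witness, script_pubkey, tx_version, nsequence, to_self_delay):
    """Which branch of the RSM script does this input's witness select?"""
    if len(witness) != 3 or p2wsh(witness[2]) != script_pubkey:
        return "not-to_local"
    selector = witness[1]
    if selector == b"\x01":              # <revocation_sig> 1 -> OP_IF branch
        return "revocation"
    if selector != b"":                  # the witnesses above use only <> or 1
        return "unexpected-selector"
    # <local_delayedsig> <> -> OP_ELSE branch, gated by BIP 68/112:
    # version >= 2, disable bit (31) and time-type bit (22) clear, and the
    # low 16 bits of nSequence at least to_self_delay blocks.
    csv_ok = (tx_version >= 2 and not nsequence & (1 << 31)
              and not nsequence & (1 << 22)
              and (nsequence & 0xFFFF) >= to_self_delay)
    return "delayed" if csv_ok else "delayed-csv-unsatisfied"

# Constructed placeholder keys (33 bytes each, not real curve points).
REV_KEY, DELAYED_KEY = b"\x02" + b"\x11" * 32, b"\x03" + b"\x22" * 32
SCRIPT = to_local_script(REV_KEY, 144, DELAYED_KEY)
SPK = p2wsh(SCRIPT)
```
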

Final Note

When we say that an Output that pays Alice is restricted by an RSM Contract, it means that:

  • Alice is the owner of the Commitment Transaction and she can broadcast it
  • Alice can only spend the funds after a certain period (maturity)
  • Alice can revoke the Commitment Transaction by offering Bob a Revocation Key
  • Alice can be penalized (lose the funds) if she tries to spend a revoked transaction
