Statechains: Sending Keys, Not Coins, to Scale Bitcoin Off-Chain


Block space is limited: The Bitcoin blockchain can only process some 10 transactions per second, at most. To solve this, Bitcoin’s technical community is developing second-layer protocols that process transactions “off-chain,” such as the Lightning Network and sidechains. Using clever cryptographic tricks, these transactions are batched to periodically settle on the Bitcoin blockchain as a single transaction.

Now, a new second-layer protocol is entering the fray. Statechains, first proposed by Seoul Bitcoin Meetup organizer and Unhashed Podcast co-host Ruben Somsen, turn the concept of a Bitcoin transaction on its head. Instead of sending coins from address to address, statechain users simply send the private key that can be used to spend the coins.

Here’s why that’s not as crazy as it sounds.

Why Statechains Are Secure (More or Less)

Simplified, a Bitcoin transaction is just a message that states which coins (“UTXOs”) move from which addresses (“inputs”) to which addresses (“outputs”). This message is cryptographically signed with the private keys corresponding to the sending addresses, proving that the owner of those coins created the transaction. The package (the transaction plus signatures) is then sent over the Bitcoin network to eventually be included in a Bitcoin block by a miner.

It is technically possible to simply send private keys as payment instead: This allows the recipient of the private key to spend the associated coins. But it is not secure. If the sender — let’s be original and call her “Alice” — sends a private key to the recipient — why not call him “Bob”? — there is no way for Bob to be sure Alice didn’t make a copy of the key. If she did make a copy of the key, which we’ll call the “transitory key” in this context, Alice can still spend the coin on the blockchain, so the coin isn’t exclusively Bob’s at all.

Statechains’ first solution to this problem is to add a second key to the mix. By locking the coin into a two-of-two multi-signature (multisig) setup, it can only be moved on the blockchain if both keys sign in agreement.

This second key is generated by a neutral party, Victor, who becomes the facilitator of the statechain. Victor has a critical task. Victor must sign a transaction if, and only if, the last recipient of the transitory key asks him to.

So, let’s say Alice sets up a statechain, with Victor as the facilitator. Alice generates a transitory key, Victor generates Victor’s key, and they use their two keys to create a multisig address. Alice then sends one bitcoin to this address, “locking it up” between Alice and Victor. Now, if Alice wants to send the coin to Bob, she could create a transaction, sign it with the transitory key and ask Victor to sign it as well. With both signatures, Alice can broadcast the transaction, sending the coin to Bob as a regular blockchain transaction.

But that, of course, misses the point of the statechain. Alice has a better idea. Alice instead sends the transitory key to Bob and tells Victor that she did that. This makes Bob the last recipient of the transitory key. Bob can now contact Victor and ask him for a signature to help move the coin.

Alice does still have the transitory key herself as well. However, now, if she were to ask Victor to help sign a transaction to move the coin, Victor would refuse. Alice no longer owns the coin as far as Victor is concerned. And since she only holds the transitory key, she is not able to move it on her own.

Should Bob ever want to move the coins to someone else — say, Carol — he could, of course, repeat the statechain trick. When he sends the transitory key to Carol and tells Victor, Victor will only cooperate with Carol from then on, effectively making the coin Carol’s. This process can be repeated an arbitrary number of times, forwarding the transitory key to Dan, Erin, Frank and so on, without ever requiring a blockchain transaction.

Not Trusting Victor

The scenario as described above doesn’t really remove all trust from the system. Rather, a great deal of trust is placed on Victor.

For one, if Victor doesn’t sign a blockchain transaction when requested, the coin can’t be moved at all. (Maybe Victor’s computer crashed, or he got hit by a bus, or maybe Victor — aware of his power — blackmails the last recipient of the transitory key to pay him part of the coin in return for the signature.)

This problem can be solved — but this is where the statechain design does get a bit more complex.

When she initially sets up the statechain, Alice takes a precautionary step. Even before sending the coin to the multisig address, she creates a “backup transaction” that sends the coin from this multisig address to a new address.

The coin can be spent from this new address under two conditions. Either both Victor and the owner of the transitory key sign the transaction, like normal, or Alice can spend the coins on her own after, say, a week.

Alice does not broadcast this backup transaction to the Bitcoin network. Instead, she gives it to Victor, asks him to sign the transaction and has him give it back to her.

Only after Alice has received this signed (but as yet not broadcast) backup transaction from Victor does she send her coin to the multisig address. This way, even if Victor disappears, she can broadcast the backup transaction and claim the coins back after a week.

Now, when Alice wants to send the transitory key to Bob, she first contacts Victor and asks him to sign a new backup transaction for Bob and gives it to him. So, when Bob gets the transitory key from Alice, he already has an unbroadcast but signed backup transaction from Victor, allowing him to claim the coin if Victor disappears.

As a finishing touch, Alice and Bob (and all subsequent owners of the transitory key) use a trick designed for the Lightning Network called Eltoo. Eltoo would allow Bob to “override” Alice’s backup transaction with his own backup transaction. So if Alice ever tries to cheat by broadcasting her old backup transaction, Bob can either use the week that Alice needs to wait to cooperate with Victor and claim the coin, or he can simply override Alice’s update transaction with his own to get the coins.

First problem solved.
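The race between an old backup transaction and a newer one, as a timeline model added here for illustration (it is not code from the article or from the statechain proposal). The `Backup` class, the `state` counter standing in for Eltoo's ordering of transactions, and the sample timestamps are assumptions of this model.

```python
from dataclasses import dataclass

WEEK = 7 * 24 * 3600          # the article's "say, a week" delay, in seconds

@dataclass(frozen=True)
class Backup:
    owner: str                # party who may claim alone once the delay has passed
    state: int                # hand-off counter: 0 = Alice, 1 = Bob, ... (model assumption)

def settle(broadcasts):
    """Resolve a time-ordered list of (unix_time, Backup) broadcasts.

    Returns (owner, claim_time) for the backup that finally pays out,
    or None if nothing was broadcast.
    """
    pending, matures = None, None
    for t, backup in broadcasts:
        if pending is not None and t >= matures:
            break             # the pending backup already matured; an override is too late
        if pending is None or backup.state > pending.state:
            pending, matures = backup, t + WEEK   # newer state replaces older, delay restarts
        # an older or equal state cannot displace a newer one and is ignored
    return (pending.owner, matures) if pending else None

ALICE, BOB = Backup("alice", 0), Backup("bob", 1)   # constructed sample backups

def scenarios():
    day = 24 * 3600
    return {
        "bob_overrides_in_time": settle([(0, ALICE), (3 * day, BOB)]),
        "bob_reacts_too_late":   settle([(0, ALICE), (8 * day, BOB)]),
        "alice_cannot_override": settle([(0, BOB), (1 * day, ALICE)]),
    }
```

The second scenario shows what the delay implies in practice: the latest owner has to watch the chain and respond within the week, otherwise the stale backup pays out.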

Trusting Victor (a Bit)

While the problem of Victor disappearing is solved, there is another problem: Victor could cheat. He could collude with a previous owner of the private key, like Alice, to steal the coin from Bob, Carol, Dan, Erin, Frank or whoever was the last recipient of the transitory key. (He could later also collude with Bob to steal from Carol, Dan, Erin, Frank … and so on.)

This problem cannot really be solved entirely — and this is probably the biggest downside of statechains. But the risk can be minimized.

One step toward minimizing this risk is to “split up” Victor and replace him with several entities. “Victor’s key” is divided. It thus becomes a multisig setup of its own where, say, 8 participants out of, say, 12 must cooperate with the transitory key holder to move the coin. Colluding with 8 “Victors” should be harder than colluding with just one Victor.

Second, it can be made obvious to the outside world if these “Victors” cheat. This is done by essentially creating a new, miniature blockchain — indeed, the “statechain” — where Alice, Bob, Carol and the others sign a message confirming they’ve forwarded the coin and to whom. If the Victors collude with Alice to spend the coin after she signed it off to Bob on the statechain, everyone sees. (The details of what this miniature blockchain itself would look like exactly aren’t worked out yet, but this isn’t a very difficult problem to solve.)

Third, these “Victors” could be well-known entities; for example, a group of Bitcoin companies. These companies would have their reputations on the line and, therefore, have something to lose by cheating — even if they could earn a coin by doing so. While not cryptographically perfect, this makes the security assumption for statechains similar to federated sidechains, like Blockstream’s Liquid or the current implementation of RSK Labs’ RSK.

And that’s it!
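The facilitator rule ("sign only for the last recipient") and the public hand-off log described above, as an added Python example that is not code from the article or from the statechain proposal. It assumes each owner has a personal signing key separate from the shared transitory key, and it uses Lamport one-time hash signatures as a stand-in for whatever signature scheme a real statechain would use; all class and function names are hypothetical.

```python
import hashlib, secrets

def H(*parts):                      # SHA-256 over concatenated byte strings
    return hashlib.sha256(b"".join(parts)).digest()

def keygen():                       # Lamport one-time key pair (stand-in signature scheme)
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def _bits(msg):                     # 256 digest bits pick which secret of each pair to reveal
    d = H(msg)
    return [(d[i // 8] >> (i % 8)) & 1 for i in range(256)]

def sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(_bits(msg))]

def verify(pk, msg, sig):
    return [H(s) for s in sig] == [pk[i][b] for i, b in enumerate(_bits(msg))]

def key_id(pk):                     # short public identifier for an owner key
    return H(*(h for pair in pk for h in pair))

class Statechain:
    """Public hand-off log. Owner keys are personal keys (assumption), not the transitory key."""
    def __init__(self, first_owner_pk):
        self.owner_pk = first_owner_pk
        self.tip = H(b"genesis", key_id(first_owner_pk))
        self.log = []

    def handoff_message(self, next_pk):
        return self.tip + key_id(next_pk)       # binds the hand-off to the log position

    def transfer(self, sig, next_pk):
        msg = self.handoff_message(next_pk)
        if not verify(self.owner_pk, msg, sig):
            return False                        # not signed by the current owner
        self.log.append((key_id(self.owner_pk), key_id(next_pk)))
        self.tip, self.owner_pk = H(msg), next_pk
        return True

    def facilitator_cosigns(self, requester_pk):
        return key_id(requester_pk) == key_id(self.owner_pk)   # Victor's rule: tip owner only

def demo():
    (a_sk, a_pk), (_, b_pk), (c_sk, c_pk) = keygen(), keygen(), keygen()
    chain = Statechain(a_pk)
    moved = chain.transfer(sign(a_sk, chain.handoff_message(b_pk)), b_pk)   # Alice -> Bob
    forged = chain.transfer(sign(c_sk, chain.handoff_message(c_pk)), c_pk)  # Carol is not owner
    return moved, forged, chain.facilitator_cosigns(a_pk), chain.facilitator_cosigns(b_pk)
```

After the hand-off Alice still knows the transitory key, yet `facilitator_cosigns` refuses her: what authorizes a spend is being the owner at the tip of the log, and any co-signature issued for someone else contradicts a record everyone can read.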

Statechains let you send private keys off-chain instead of sending coins to new addresses. But you can still use the keys to spend the coins on-chain.

Limitations of Statechains (and Potential Solutions)

On top of the required trust in “the Victors” not to collude with a previous statechain participant, statechains do have some limitations.

The first thing to note is that, as they’re explained in this article, statechains do require two protocol upgrades: Schnorr signatures and Sighash_Anyprevout (or something similar). Both of these upgrades are works in progress but seem unlikely to be contentious.

Another limitation is that statechains only allow for the transfer of entire UTXOs; Alice’s coin in the context of this article. Since Alice initially locked up exactly one bitcoin, and she sends the transitory key corresponding to this bitcoin, she must pass on the entire coin, and so must Bob, Carol and the others. This is a pretty big limitation compared to a regular Bitcoin transaction, in which any fraction of a coin can be spent, with the rest returned to the sender as change.

Still, this isn’t necessarily a showstopper. For one, statechains can be combined with another trick called “atomic swaps.” This would allow Alice to swap her entire coin with Zach, who has two half coins, in such a way that neither needs to trust the other not to back out of the trade halfway. All this can happen without requiring an on-chain transaction. This increases flexibility.

Second, even moving entire UTXOs can be very useful in some contexts. Perhaps most interestingly, it would allow participants to transfer entire Lightning channels. By balancing a Lightning channel to the exact right amount (for example, by first paying herself in a different channel), Alice can still pay Bob a fraction of the coin. As a bonus, this would let Bob open Lightning channels instantly, without requiring an on-chain funding transaction (which takes time and fees).

Plus, since Lightning transactions have the opposite problem — large value transfers are harder to complete than smaller ones — statechains and the Lightning Network could complement each other quite well.

Privacy Questions

It’s also not yet clear how much privacy statechains could offer exactly. In a worst case scenario, the Victors and other participants in the statechain would know exactly who paid whom. (Although really these would still be public keys, not real names.) There are ways to improve this with regard to the Victors. Using blind signatures (a cryptographic trick first proposed by eCash inventor David Chaum in the 1980s), for example, has the added benefit of being able to offload responsibility for transactions from the Victors to the users themselves. (The Victors would ideally not even know what they’d sign.)

Privacy from other participants could in turn be solved with atomic swaps as well, which would help obfuscate the chain of ownership. There are probably more solutions to improve privacy, like CoinJoin variations. (This is, for example, also what the privacy-preserving Wasabi Wallet uses.) But details have yet to be worked out.

There are also some concerns about past participants in the chain trying to cheat by trying to claim coins via the backup transaction. While this would be unlikely to succeed, it would only cost an (on-chain) transaction fee to try, so opportunistic cheating behavior could limit statechains’ potential.

Finally, statechains are, of course, a relatively new concept; peer review is ongoing.

Thanks to Ruben Somsen for information and feedback. For more information on statechains, see his explainer on Medium or his presentation at Breaking Bitcoin in Amsterdam.

The post Statechains: Sending Keys, Not Coins, to Scale Bitcoin Off-Chain appeared first on Bitcoin Magazine.
