● Implementing statechains without schnorr or eltoo: statechains are a proposed offchain system for allowing a user (such as Alice) to delegate the ability to spend a UTXO to another user (Bob), who can then further delegate the spending authority to a third user (Carol), etc. The offchain delegation operations are all performed with the cooperation of a trusted third party who can only steal funds if they collude with a delegated signer (such as previous delegates Alice or Bob). A delegated signer can always spend the UTXO onchain without needing permission from the trusted third party, arguably making statechains less trusted than federated sidechains. Because anyone who was ever a delegate can trigger an onchain spend, statechains are designed to use the eltoo mechanism to ensure an onchain spend by the most recent delegate (Carol) can take precedence over spends by previous delegates (Alice and Bob), assuming the trusted third party hasn’t colluded with a previous delegate to cheat.

This week, Tom Trevethan posted to the Bitcoin-Dev mailing list about two modifications of the statechain design that could allow it to be used with the current Bitcoin protocol rather than waiting for proposed soft fork changes such as schnorr signatures and SIGHASH_ANYPREVOUT:

1. Replace the eltoo mechanism (which requires either BIP116 SIGHASH_NOINPUT or bip-anyprevout SIGHASH_ANYPREVOUT) with a decrementing locktime similar to that proposed for duplex micropayment channels. E.g., when Alice receives control over a statechain UTXO, a timelock would prevent her from being able to unilaterally spend it onchain for 30 days; when Alice transfers the UTXO to Bob, a timelock would restrict him for only 29 days—this gives a spend by Bob precedence over a spend by Alice. The downside of this approach is that delegates might need to wait a long time before being able to spend their funds without permission from the trusted third party.

2. Replace the 2-of-2 schnorr multisig between the trusted third party and the current delegate (using an adaptor signature) with a single-sig using secure multiparty computation. The main downside of this approach is an increased complexity that makes security review harder.
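The decrementing-locktime idea above is easy to get wrong in the details (the decrement must be strict, and the chain has a hard cap on the number of transfers), so here is a small simulation of it. This is an added example written for this summary, not code from Trevethan's post or from any statechain implementation; it models only the timelock ordering of each delegate's backup transaction, not the signing or key handling, and it assumes absolute block-height locktimes, 144 blocks per day, a 30-day initial delay and a one-day decrement per transfer. All heights and delegate names are constructed sample values.

```python
BLOCKS_PER_DAY = 144  # assumption: ~10-minute blocks


class Statechain:
    """Tracks the backup (unilateral-exit) transaction each delegate holds.

    Every transfer hands the new delegate a backup transaction whose absolute
    locktime is strictly lower than the previous delegate's, so the most
    recent delegate can always broadcast first.
    """

    def __init__(self, utxo_height, initial_days=30, step_days=1):
        self.utxo_height = utxo_height
        self.initial_delay = initial_days * BLOCKS_PER_DAY
        self.step = step_days * BLOCKS_PER_DAY
        self.backups = []  # (delegate, locktime), oldest first

    def next_locktime(self):
        if not self.backups:
            return self.utxo_height + self.initial_delay
        return self.backups[-1][1] - self.step

    def remaining_transfers(self, current_height):
        """How many more hops fit before a locktime would already be expired."""
        count = 0
        locktime = self.next_locktime()
        while locktime > current_height:
            count += 1
            locktime -= self.step
        return count

    def transfer(self, delegate, current_height):
        """Co-sign a backup tx for the new delegate; refuse if exhausted."""
        locktime = self.next_locktime()
        # The trusted party's only job here: never sign a backup whose
        # locktime is not strictly below the previous one, and never sign
        # one that is already spendable (that would give no precedence).
        if locktime <= current_height:
            raise ValueError("timelock exhausted; close the statechain onchain")
        if self.backups and locktime >= self.backups[-1][1]:
            raise ValueError("locktime must strictly decrease per transfer")
        self.backups.append((delegate, locktime))
        return locktime

    def broadcastable(self, height):
        """Delegates whose backup tx is valid at `height`, earliest first."""
        return [d for d, lt in sorted(self.backups, key=lambda b: b[1]) if lt <= height]


def server_should_cosign(prev_locktime, proposed_locktime, current_height):
    """Check a delegate-proposed locktime the way the trusted party would."""
    return current_height < proposed_locktime < prev_locktime


if __name__ == "__main__":
    sc = Statechain(utxo_height=100_000)  # constructed height
    print("Alice", sc.transfer("Alice", 100_000))
    print("Bob  ", sc.transfer("Bob", 100_010))
    print("Carol", sc.transfer("Carol", 100_020))
    print("at 104032:", sc.broadcastable(104_032))
    print("at 104320:", sc.broadcastable(104_320))
    print("hops left:", sc.remaining_transfers(100_020))
```

Running it shows Carol's backup becoming valid 144 blocks before Bob's and 288 before Alice's, and that with a 30-day budget and one-day steps the chain has at most 30 delegates before it must be settled onchain, which is the waiting-time downside the summary mentions.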

Several people replied to the thread with comments and suggested alternatives. Also discussed was a previous patent application by Trevethan related to offchain payments secured by a trusted third party using decrementing timelocks and multiparty ECDSA.