Counterfactual: Generalized State Channels on Ethereum
At L4 we have been working on state channels and other blockchain scalability research. Today we’re excited to share one of the foundational pieces of our work: Counterfactual: Generalized State Channels (pdf).
State channels are the foundational technology for useable distributed applications. They can be used in any interaction with a defined set of participants, such as payments or games like chess or poker. “Channelizing” these applications makes them radically cheaper, and reduces the unacceptably high latency in today’s blockchain applications, enabling the web-like response times expected by users.
Despite this, state channels are underutilized in today’s ethereum applications. Each project that wants to use state channels must effectively build their own custom implementation, leading to redundancies and unnecessary risks. Second, existing state channel implementations still put too many operations on-chain, and compromise privacy in unnecessary ways.
We envision a better future. Earlier, we described two broad goals:
- Design a generalized state channels implementation that preserves privacy, is built using modular components, has support for multiple parallel operations inside a single channel, and allows users to upgrade channel designs without any on-chain operations.
- Make it easy for developers to utilize state channels by providing a framework and standard modular components for building secure, performant applications.
Our paper (pdf) describes a state channels design that places as little on-chain as possible while still remaining secure. We believe it will become a standard reference for building secure and optimized state channels, something long-needed by the ethereum community.
We will be attending Off the Chain in Berlin where we will discuss our technique in more depth. Needless to say, we’re not doing an ICO or any other fundraising event involving a token.
In this blog post, we summarize the approach described in our paper. If you’re interested in a conceptual description of how state channels work, take a look at the state channels section of Josh Stark’s Layer 2 scaling article. The rest of this blog post assumes the reader has some familiarity with the basic technique.
State channels terminology
The basic technique behind state channels has been known for several years. Since then, we have found new vocabulary that lets us abstract over particular implementations and discuss components and techniques that appear in all state channels.
State channels work by “locking up” some portion of blockchain state into a multisig contract, controlled by a defined set of participants. The state that is “locked up” is called a state deposit. For instance, this might be an amount of ether or an ERC20 token, but could also be a cryptokitty or an ENS domain name.
After the state deposit is locked, channel participants use off-chain messaging to exchange and sign valid ethereum transactions without deploying them to chain. These are transactions that could be put on chain anytime, but are not.
Updating the state of the channel always proceeds by unanimous consent. All parties sign (and keep their own copies of) each off-chain transaction. Because these “state updates” are taking place entirely off chain, they have zero transaction fees, and their speed is limited only by their underlying communications protocol.
For this reason, state channels offer “instant” transactions — i.e., parties do not have to wait for any blockchain confirmations. An application can immediately consider an operation finalized and display that to users, without having to wait for a set number of confirmations. This is how state channels are able to offer web-like response times.
We call this property instant finality. In consensus research, “finality” means the extent to which a state transition is guaranteed not to be reverted. In the context of state channels, an operation is final if Alice cannot be prevented from realizing that operation on the blockchain if they choose to.
If the latest “update” in a state channel says “Alice = 5ETH, Bob = 1 ETH”, then that state is “final”. Remember, the update is a valid transaction signed by both Alice and Bob, which could be deployed on-chain by either party at any time. As long as we assume Alice can broadcast that transaction to the internet at some point, she can consider that transaction final.
The core property of state channels is the ability to refer back to the blockchain only when necessary. If a channel is properly constructed, then all parties can engage in fast operations that offer instant finality. If anything ever goes wrong, all parties always have the option to deploy the latest version of the state to the blockchain.
Keep in mind that state channels — and all blockchain technologies — should be considered within appropriate threat models. We examine in detail threat models appropriate for state channels in section 3 of our paper and limitations of state channels in section 7.
Minimizing on-chain operations
Existing application-specific state channel implementations require users to open up a new channel for each application they would like to use, paying expensive transaction fees. For instance, two users would make one on-chain transaction to open a payment channel between them, and they would need to make another on-chain transaction to play a game of chess with each other.
Our state channels minimize on-chain requirements to an extreme, moving as much logic as possible to the off-chain layer. This leads to one of the most significant insights of our paper: a sufficiently powerful multisignature wallet is the only necessary on-chain component of any individual state channel.
Moving logic off-chain allows us to gain significant advantages over existing channels. We can install new applications into a state channel without ever going on-chain. We can even upgrade or re-design a state channel without requiring on-chain transactions or fees.
This approach also has significant privacy benefits. Properly constructed, the multisignature wallet used to secure the state deposit should be indistinguishable from any other multisignature wallet. There would be no way to tell the difference, on chain, between a common multisig and one used to create a state channel.
We are able to achieve these results using what we call “counterfactual instantiation”. Explaining this technique requires first defining terminology.
“Counterfactual” means something that could be true, but is not. This is an extremely helpful concept when discussing state channels, where we spend a lot of time reasoning about things that could be happening on chain, but are not.
In state channels, we say “counterfactual X” to describe a case where:
- X could happen on chain, but doesn’t
- Any participant can unilaterally make X happen on-chain
- Participants can therefore act as though X has happened on-chain
For instance, imagine a payment channel between Alice and Bob. Alice sends 4 ETH to Bob through the channel, which in practice means that both parties sign a transaction. This transaction could be deployed on chain at any time by either party, but it is not. So we can say “counterfactual Alice gives Bob 4 ETH”. This allows them to act as though the transaction has already happened — it is final, within appropriate threat models.
In the sections above, we said that our approach lets you install new applications into a state channel with zero on chain operations or fees. How it this possible?
The key to this capability is what we call counterfactual instantiation. In the section above, we described counterfactual transactions between Alice and Bob. But we can also create counterfactual contracts. Counterfactual instantiation means to instantiate a contract without actually deploying it on-chain. When a contract is counterfactually instantiated, all parties in the channel act as though it has been deployed, even though it has not. This technique lets us move almost all channel logic off-chain.
Counterfactual instantiation is achieved by making users sign and share commitments to the multisig wallet. These commitments say that if the counterfactually instantiated contract were to be instantiated on-chain, the multisig wallet (which holds the state deposit) will look at the instantiated contract and transfer the appropriate state deposits based on the state of that contract.
For this to work, we need to refer to the counterfactually instantiated contract inside the commitment, before the contract is deployed. To do this, we introduce a global registry: an on-chain contract that maps unique deterministic addresses for any counterfactual contract to actual on-chain deployed addresses.² The hashing function used to produce the deterministic address can be any function that takes into account the bytecode, its owner (i.e. the multisignature wallet address), and a unique identifier.
For example, we might have a contract `C` with bytecode and constructor arguments `initcode`. The result of running a function call to the registry with the argument `initcode` would be that an entry would be added to the registry; its key being the counterfactual address and its value being the actual on-chain deployed address.
This gives us a way of referencing off-chain contracts without needing to deploy them on-chain first. We simply do a lookup in the registry to see what address corresponds to the counterfactual address. In Solidity this is as simple as:
Object-oriented channel design
Our channel design lets developers take an object-oriented approach to state channels. Any individual state channel will be composed of several counterfactual objects — e.g. a payment channel object, or a chess-game channel object. Because these are counterfactually instantiated, they require no fees to be added into the channel — only signed commitments between the parties.
For instance, Alice and Bob can at any point choose to counterfactually instantiate a contract within their channel — say, a contract that defines a game of chess. They can then exchange state-updates between each other that reference that counterfactually-instantiated game, in order to actually play the game of chess, all with no on-chain fees.
We believe this object-oriented approach offers many significant benefits:
- Application developers can program against a well-defined API, plugging into the core components necessary for every channel.
- We can ensure that, as long as the core components are heavily audited and remain secure, bugs in the application developer’s code can be isolated to just the state it controls.
- Application developers can reuse existing components via counterfactual addressing just as they would reuse ethereum contracts — for instance, a provably fair randomness source.
- Users can preserve privacy in a dispute, only putting on-chain the objects that are in dispute.
- We can access more points on the trade-off curve between messages passed during normal operation, and transactions that need to be posted in the case of a dispute, and in certain cases this lets us amortize responses to stale state across channels.
If you’re interested in learning more about generalized state channels and the counterfactual technique, we encourage you to read the paper. The paper includes significant content that we have not summarized in this post, including:
- Comparisons to other techniques like sidechains and Plasma
- Review of existing state channel designs
- In-depth examination of relevant threat models
- An example construction for generalized state channels
For updates, follow us at @statechannels and keep an eye on our website.
Lastly, we’d like to thank the Ethereum Foundation for their continuing support of this important work. We are thrilled to be part of a talented community driven to scale the ethereum network, laying the groundwork for Web 3. We’d also like to thank Vitalik Buterin, Erik Bryn, Tom Close, Josh Stark, Nima Vaziri, Armani Ferrante, Lisa Eckey, Kristina Hostakova, Yoichi Hirai, and Sylvain Laurent for their discussion and feedback on earlier drafts of the paper.
² In the future, once account abstraction is live, we’ll be able to do this trivially, since a contract address will be computable based on its bytecode and constructor arguments.