Papers
Topics
Authors
Recent
Search
2000 character limit reached

Bidirectional Payment Channels

Updated 27 May 2026
  • Bidirectional payment channels are cryptographic constructs that allow secure off-chain, two-way value transfers between distrustful parties while maintaining constant on-chain state.
  • They employ state update mechanisms like paired commitment transactions and one-time signatures to enforce atomic transfers and prevent replay attacks under synchrony assumptions.
  • These channels form the backbone of scalable Layer-2 blockchain protocols, enhancing network throughput, balance security, and privacy via innovative revocation and watchtower mechanisms.

A bidirectional payment channel is a cryptographic and contract-based primitive that enables two mutually distrustful parties to transact arbitrary value in both directions off-chain, using only constant-size on-chain state for opening and closing, while maintaining balance invariance and strong security properties. The canonical context is blockchain-based cryptocurrencies (e.g., Bitcoin, Ethereum), where such channels serve as the foundation for scalable Layer-2 protocols such as the Lightning Network. The fundamental abstraction realizes a pair of accounts with deposit balances and exposes atomic transfer/settlement operations. Under synchrony assumptions, these channels offer constant per-payment latency and privacy, amortizing expensive on-chain operations over many transactions.

1. Formal Specification and Impossibility Results

A bidirectional payment channel, denoted BC for a participant pair (a, b), is formally specified as a shared-memory object with state BC(a,b)∈(R≥0×R≥0)∪{⊥}BC(a,b) \in (\mathbb{R}_{\geq 0} \times \mathbb{R}_{\geq 0}) \cup \{\perp\}, where ⊥\perp denotes a closed channel and (xa,xb)(x_a, x_b) the balances of owner(a) and owner(b) respectively. The abstraction supports:

  • BC.transfer((a,b), X)—transfers value XX from a to b or vice versa, provided sufficient balance, and atomically updates the state.
  • BC.close((a,b), Y)—initiates unilateral closure, requiring the claimer to specify their balance and fails if the claim does not match their true balance, then redistributes on-chain funds accordingly.

It is proved that no fully asynchronous, deterministic, Byzantine-fault-tolerant implementation of this abstraction is possible in message-passing models. The impossibility result (Theorem 7, (Naor et al., 2022)) follows by reduction to wait-free 2-process consensus using the FLP result: implementing BC in asynchrony would enable consensus, which is impossible. Therefore, all known practical schemes require (at minimum) synchrony, timeouts, or trusted third-party assumptions (Naor et al., 2022).

2. Cryptographic Protocols and State Update Mechanisms

Under the synchrony and honest-majority models, practical protocols realize the BC abstraction via off-chain state exchanges protected by digital signatures and revocation mechanisms.

  • Classic Construction (Poon–Dryja/Lightning): Parties co-fund a multisig output on-chain; each subsequent off-chain state is an exchange of paired "commitment transactions" (valid spend paths from the funding output), each representing the channel's current balances for either party. State updates require both parties' signatures on new commitments, and after finalizing an m+1'st state, revocation secrets (embedded as hash preimages in script conditions) for the m'th state are exchanged, allowing either party to punish the counterparty for replaying stale states (Brown et al., 10 Sep 2025Naor et al., 2022Hannon et al., 2018).
  • OTS-Based and Sequence-Number Protocols: Protocols such as OTS-PC (Lerner et al., 6 Nov 2025) and xLumi (Ying et al., 2021) eschew penalty-based revocations, instead enforcing monotonic state updates via one-time signatures on state sequence numbers. Old states cannot be replayed, as on-chain settlement accepts only the highest-verifiable sequence number, simplifying revocation handling and reducing storage to O(1)O(1) per channel.
  • Timelock-Free Designs: Protocols such as Thunderdome (Avarikioti et al., 24 Jan 2025) introduce timelock-free bidirectional channels using a committee of external watchtowers ("wardens") to guarantee immediate settlement and defense against all liveness/censorship attacks, replacing classical time-based penalty windows with threshold-signature finality and incentive-compatible rational protocol adherence.

3. Security Properties and Protocol Invariants

Bidirectional payment channels must guarantee:

  • Balance Security: No honest party can lose more than their channel balance, regardless of adversary behavior. This is enforced by commitment/penalty scripts, revocation secret exchange, or sequence-number-based settlement (Brown et al., 10 Sep 2025Lerner et al., 6 Nov 2025Ying et al., 2021).
  • Liveness: Arbitrary off-chain update rates are supported as long as both parties respond; closure (dispute) always makes it possible to retrieve at least the last agreed state, assuming synchrony or timely chain inclusion (Miller et al., 2017Hannon et al., 2018).
  • No Undercutting: Old state publication is economically and cryptographically penalized, either by allowing the honest party/its watchtower to seize all channel funds, or by discounting the transaction via monotonic commitment number logic (Naor et al., 2022Lerner et al., 6 Nov 2025).
  • Privacy: Watchtower and on-chain transaction designs vary in the degree of leakage—some protocols leak only channel opening/closing and never reveal individual transfers (Lerner et al., 6 Nov 2025).

4. Channel Operations: Opening, Updating, and Closing

Operation Description On-chain Cost
Open/Fund Parties co-fund a multisig output, initialize balances One initial settlement/funding transaction
Update Mutual exchange of signed commitments or sequence numbers Off-chain, O(1)O(1) messages, zero on-chain
Cooperative Close Both parties agree, sign, and settle latest state Single on-chain closing transaction
Unilateral Close One party submits last state (plus watchtower for safety) One or more on-chain transactions + timeouts

Most efficiency gains stem from minimizing on-chain operations. Payment routing across multiple hops (Sprite, Lightning) is built by linking such bilaterals with hash-timelock contracts or global state preimage managers, carefully handling channel liquidity, path timing, and atomicity (Miller et al., 2017Brown et al., 10 Sep 2025).

5. Network and Flow Control Constraints

Bidirectional payment channels exhibit intrinsic flow-balance constraints. A single channel cannot sustain indefinite net flow in one direction; channels are effectively two-sided queues, and global network utility is strictly limited by the detailed-balance (zero net drift) condition (Varma et al., 2019Sankagiri et al., 27 Feb 2025):

  • Network Utility Maximization (NUM): For user demands {λij}\{\lambda_{ij}\}, a circulation ff satisfying Rf=0R f = 0 (i.e., net flow across any channel is zero in both directions) determines the achievable long-term throughput; imbalance accumulates unless periodically rebalanced on-chain (Sankagiri et al., 27 Feb 2025).
  • Throughput-Optimal Routing: Closed-loop (MaxWeight-type) policies and gradient-based flow-control (e.g., DEBT protocol, (Sankagiri et al., 27 Feb 2025)) maximize network utility by adaptively pricing imbalanced flows, routing accordingly, and ensuring convergence to steady-state detailed balance.
  • On-chain Rebalancing: Arbitrarily small on-chain rebalancing suffices to stabilize network-wide queues (O(δ) relay rate), but capacity limits remain governed by the feasible balanced-flow region (Varma et al., 2019).

6. Extensions: Virtual Channels, Cross-Chain, and Applications

  • Virtual Channels: Channels can be composed transitively across untrusted intermediaries without intermediate liquidity locks or predeposits, as in Sprites (Miller et al., 2017) or Thunderdome (Avarikioti et al., 24 Jan 2025), leveraging nested or committee-based primitives. Timelock-free virtual channels are constructed using threshold-warden signatures to guarantee atomic closure and elimination of griefing or liveness attacks.
  • Cross-Chain Payment Channels: Protocols such as Niji (Watanabe et al., 2018) employ non-interactive off-chain updates validated by smart contracts in a consortium chain, allowing secure cross-chain value transfer and service integration, efficiently using transaction templates and hash-lock-based revocation.
  • Specialized Applications: Channels are adapted to resource-limited agents (e.g., IoT, (Hannon et al., 2018)), collaborative formalization/prediction markets (Proofgold, (Brown et al., 10 Sep 2025)), and privacy-preserving protocols (OTS-PC, (Lerner et al., 6 Nov 2025)). Each context imposes specific constraints on cryptographic primitive choice, incentive design, and network interaction patterns.

7. Practical Constraints and Open Challenges

Bidirectional payment channels, though efficient and secure under synchrony and honest-watchtower assumptions, face fundamental impossibility in fully asynchronous message-passing—the FLP result precludes deterministic, Byzantine-fault-tolerant realization without additional timing, external watchdogs, or synchrony (Naor et al., 2022). Net flow limitations, penalty window reliance, and privacy-leakage trade-offs are inherent to existing designs. Open questions include optimal resource/bandwidth minimization, robust watchtower protocols, and fully asynchrony-tolerant incentive mechanisms. The practical necessity of periodic rebalancing and reliance on prompt chain inclusion for dispute resolution further delimit operational parameters, motivating exploration of timelock-free and rationally-secure models (Avarikioti et al., 24 Jan 2025).

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Bidirectional Payment Channels.