Every payment channel must solve one fundamental problem: ensuring that only the latest state can be settled. This document traces the history of how different designs have solved this, from implicit structural guarantees to explicit revocation mechanisms to the elegant simplicity of Cashu Spilman channels.
A payment channel lets two parties exchange value without committing every update to a blockchain (or, in the ecash world, to a mint). Instead, they sign new states off-chain and only settle the final result. This is what makes channels fast and cheap.
But it creates a problem. Both parties hold signed copies of past states. When the channel settles, only the latest state should count. If a party can publish an older state where they held a larger balance, they can steal.
Consider a simple example. Alice opens a channel funded with 100 sat. She pays Bob 30 sat, creating state N+1 where Bob holds 30 and Alice holds 70. But state N, where Alice still held the full 100, was also a valid signed state. If Alice can publish state N at settlement time, she gets her 30 sat payment back. She stole from Bob.
Every payment channel design must answer one question: how do we ensure that old states cannot be settled? The answer has changed over time, and the evolution tells a story about trade-offs between complexity and structural guarantees.
In April 2013, Jeremy Spilman posted a proof-of-concept to the Bitcoin forum for a unidirectional payment channel built on Bitcoin. It was one of the earliest concrete designs for off-chain payments, and it solved the old-state problem in a way so simple that many later designs overlooked it.
nLockTime that would return funds after a timeout. This ensured the sender could recover money if the receiver disappeared.SIGHASH_SINGLE, which commits to a single output but leaves room for the receiver to add their own output. The sender sent this partially-signed transaction to the receiver.SIGHASH_ALL, and kept the fully-signed transaction. They did not send it back to the sender.SIGHASH_SINGLE → sends to ReceiverSIGHASH_ALL → KEEPS (does not return to sender)The old-state prevention was structural, built into the protocol by design. The sender never received fully-signed transactions back from the receiver. Each new payment created a transaction where the sender had less money and the receiver had more. The receiver held all the signed transactions, and they always preferred the latest one because it paid them more.
Spilman's design made it impossible for the sender to cheat, because the sender could not publish any state on their own. The receiver, who held the complete transactions, had no incentive to publish old states since those paid them less. No explicit revocation was needed because the structure itself prevented cheating.
Structural Guarantee
The receiver "only ever need[s] to care about the latest" state. This is not a rule that participants must follow. It is a property that follows directly from the unidirectional flow and the signing protocol.
The limitation was real, though. Money could only flow one way. Once the sender exhausted their capacity, the channel was done. No refunds, no back-and-forth. That constraint motivated the next generation of channel designs.
The Lightning Network, described in the 2015 whitepaper by Poon and Dryja, introduced bidirectional payment channels. Both parties could send and receive. This was a huge capability upgrade, but it broke the structural old-state prevention that Spilman relied on.
In a bidirectional channel, either party might have more funds in an older state. Consider: Bob pays Alice 0.5 BTC in state N+1. But state N shows Bob holding 1 BTC. Bob now has a clear incentive to publish state N, because doing so would give him 0.5 BTC more than the honest state N+1. The structural guarantee vanishes the moment both directions are possible.
Lightning solved this with asymmetric commitment transactions and a revocation protocol. The mechanism works as follows:
The security model shifts from "can't cheat" to "cheating is economically irrational." Publishing an old state is always possible. But doing so triggers a penalty that costs more than the cheat gains. As the Lightning specification states, when a party publishes a revoked commitment, "their peer is able to use the previously exchanged revocation secret to claim the funds of the malicious actor."
This penalty-based approach is powerful but adds complexity. Each party must store a growing set of revocation secrets, watch the blockchain for old-state publications, and respond within a time window to claim penalties. The cost of this complexity is real: Lightning implementations must handle edge cases around penalty transactions, justice transactions, and watchtower protocols.
During early Cashu Spilman prototyping, an idea was floated that would have added an explicit mutual exclusivity mechanism to the channel design. It was called the "magic 1 sat."
The idea was straightforward. A special 1 sat token would be included in every commitment swap, acting as a "state marker." Only the latest state's magic token would be spendable at the mint. When the receiver settles the latest state, the magic token from that swap gets spent. This immediately invalidates all previous states, because their magic tokens have already been consumed.
This would have created an explicit mutual exclusivity guarantee. Spending the latest state automatically invalidates all previous states, because the magic tokens from those older states were already spent as part of progressing to the current state.
The magic 1 sat idea never made it into cdk-spilman or the Cashu Spilman specification proposal (PR cashubtc/nuts#296). The reason is simple: the structural guarantee of unidirectional channels makes it unnecessary. The Cashu Spilman design inherits the original Spilman insight that old-state prevention is built into the protocol structure.
Demo Detail
The 1 sat fee you see in the demo comes from the mint's input_fee_ppk=10 (1 sat per kilosat). This is a standard Cashu mint fee for processing proofs, not a security mechanism. It has nothing to do with old-state prevention.
Cashu Spilman channels return to the original 2013 insight: unidirectional channels do not need explicit revocation. The design maps Bitcoin Spilman concepts into the ecash world:
SIG_ALL (NUT-11), where the sender signs all inputs and outputs atomically.The key cryptographic tool is SIG_ALL from NUT-11. When the sender creates a balance update (a "commitment swap"), they sign all inputs and all outputs as a single atomic unit. The commitment is indivisible. You cannot take the sender's refund outputs without also taking the receiver's payment outputs, because they are all bound together under one signature.
The old-state prevention in Cashu Spilman mirrors the 2013 Bitcoin Spilman design:
From lukechilds' Non-Custodial Ecash Proposal
"Since every state update results in a new unilateral exit transaction for the mint that is more valuable than the previous, they only ever need to care about the latest unilateral exit transaction, no complex state management is needed."
Cashu Spilman proves that for unidirectional channels, structural mutual exclusivity is not just sufficient. It is more elegant than any explicit mechanism. No revocation secrets to store, no penalty transactions to watch for, no justice protocols to implement. The protocol structure itself guarantees that only the latest state matters.
| Property | Bitcoin Spilman (2013) | Lightning (2015+) | Cashu Spilman (2024+) |
|---|---|---|---|
| Direction | Unidirectional | Bidirectional | Unidirectional |
| Old-state prevention | Structural (receiver holds latest) | Explicit (revocation + penalty) | Structural (mint holds latest) |
| Revocation tokens | None | Per-state secrets exchanged | None |
| Cheat punishment | N/A (can't cheat) | Lose all funds | N/A (can't cheat) |
| State invalidation | Implicit (latest wins) | Explicit (secrets exchanged) | Implicit (latest wins) |
| On-chain footprint | Multisig script | Complex commitment scripts | None (all offchain) |
| Mutual exclusivity | Sender can't get signed old states back | Publishing old state triggers penalty spend | Sender can't get signed old states back |
Jeremy Spilman publishes his proof-of-concept on the Bitcoin forum. Structural old-state prevention for unidirectional channels: the sender never gets fully-signed transactions back, the receiver always prefers the latest state.
Lightning Network whitepaper introduces bidirectional channels with explicit revocation and penalty. Publishing an old state becomes possible but economically irrational, as the cheated party can claim all funds.
Cashu Spilman (cdk-spilman) adapts the original Spilman approach for ecash. Returns to structural guarantees: unidirectional flow, sender cannot publish old states, mint always prefers the latest commitment.
The "magic 1 sat" idea is explored during prototyping. An explicit mutual exclusivity mechanism via a state marker token. Investigated and ultimately set aside, as structural guarantees make it unnecessary.
NUT-XX PR #296 proposes the Cashu Spilman specification without a magic byte or explicit revocation. The structural guarantee is judged sufficient.
The history of payment channel security can be summarized as a single principle: old states must be either revoked or mutually exclusive with the current state. The original Spilman design achieved mutual exclusivity structurally, because the sender can't publish old states when they never get them back fully signed. Lightning added explicit revocation because bidirectional channels broke this structural guarantee. Cashu Spilman returns to the original insight, proving that for unidirectional channels, structural mutual exclusivity is not just sufficient but more elegant than any explicit mechanism.