Answer by Ugam Kamat for Can someone explain how an HTLC is redeemed?

There are three ways in which that offered HTLC output can be redeemed: Revocation using the revocation public key (the example you mentioned), redeemed using a valid payment preimage or back to the local node after the timeout.

Redeemed using a valid pre-image by remote node:

• The stack starts at <remotehtlcsig> <payment_preimage>
• Since the HASH160 of <payment_preimage> is not equal to the HASH160 of revocationpubkey, the outer ELSE statement is triggered
• <remote_htlcpubkey> is pushed to the stack. Stack is now <remotehtlcsig> <payment_preimage> <remote_htlcpubkey>.
• OP_SWAP is pushed to the stack, which swaps the top two items on the stack.
• Stack is now <remotehtlcsig> <remote_htlcpubkey> <payment_preimage>
• OP_SIZE 32 OP_EQUAL verifies that the payment_preimage is 32 bytes.
• Since the payment_preimage is 32 bytes it will output 1. As a result OP_NOTIF will not be triggered, and hence OP_ELSE statement will be triggered.
  • OP_NOTIF is triggered is the value on the stack is 0
  • OP_ELSE is triggered if the preceding OP_IF, OP_NOTIF and OP_ELSE are not executed.
• The stack is still <remotehtlcsig> <remote_htlcpubkey> <payment_preimage>
• The OP_HASH160 will hash the paymentpreimage. Since payment hash is SHA256 of the payment preimage, we need to hash it with RIPEMD160 so that it is equal to HASH160 of the paymentpreimage.
• If the hash matches, then the stack will be <remotehtlcsig> <remote_htlcpubkey> OP_CHECKSIG
• If the signature matches the remote_htlcpubkey then 1 will be returned to the stack and this offered HTLC output is successfully spent by the remote node.

Redeemed after time-out by the local node:

• To trigger the HTLC timeout condition, the local node will use the witness: 0 <remotehtlcsig> <localhtlcsig> 0

• The stack starts at 0 <remotehtlcsig> <localhtlcsig> 0

• Since the HASH160 of 0 is not equal to the HASH160 of revocationpubkey, the outer ELSE statement is triggered

• <remote_htlcpubkey> is pushed to the stack. Stack is now: 0 <remotehtlcsig> <localhtlcsig> 0 <remote_htlcpubkey>

• OP_SWAP swaps the top two items on the stack. Stack is now: 0 <remotehtlcsig> <localhtlcsig> <remote_htlcpubkey> 0

• Since size of 0 is not 32 bytes it will return 0 on top of stack. This triggers the OP_NOTIF statement. Stack is still: 0 <remotehtlcsig> <localhtlcsig> <remote_htlcpubkey> 0

• OP_DROP drops the top item on the stack which is 0. Stack is now : 0 <remotehtlcsig> <localhtlcsig> <remote_htlcpubkey>

• 2 is pushed to the stack. Stack is 0 <remotehtlcsig> <localhtlcsig> <remote_htlcpubkey> 2

• OP_SWAP swaps the top two items on the stac. Stack is: 0 <remotehtlcsig> <localhtlcsig> 2 <remote_htlcpubkey>

• <local_htlcpubkey> 2 OP_CHECKMULTISIG is pushed to the stack. The stack is thus 0 <remotehtlcsig> <localhtlcsig> 2 <remote_htlcpubkey> <local_htlcpubkey> 2 OP_CHECKMULTISIG.

• The above is a multisig output which can be spent only with valid signatures from the local and remote keys. These keys are exchanged when adding the HTLC. The output of the above transaction is sent to the local node using a to_self_delay using the time-out transactions.