I was recently trying to remember something about lightning: how "LN penalty", the current mechanism, makes multiparty channels not work. This is what I came up with:

Suppose A B C are in a multiparty channel and each hold commitment transactions of the normal form: output 1: to remote X, output 2: (to local Y after time delay, to revoc. secret Y immediately). The obvious problem is, "to revocation secret" - *whose* revocation secret? Obviously "Alice gives revocation secret to Bob and Charlie" makes no sense; then they're competing over the punishment funds.

A little thought and you might come up with "split it equally". So the idea there would be, instead of "to me after delay OR to to them with revocation secret", change it to "to me after delay OR to a multisig script for A and B and C with revoc. secret" and, to revoke old state, as well as sending revoc. secret, sign a payout, from that script, to B and C with a 50/50 split. Setting aside a counterparty going offline, this is still terrible: imagine Alice tries to revert from having 0% of balance to having 100%, then the punishment gives 50% to B and 50% to C. But if Bob was colluding with Alice, Alice now has e.g. 25% (half of Bob's share of the punishment). I'm deliberately glossing over how the B and C balances were at the time of the contract breach, because even this is enough to see that it plainly doesn't work to just say "split the punishment between the honest parties".

This is why both covenants and sighash_noinput ideas are powerful: they can push state forwards, i.e. "enforce a contract" rather than "take corrective action when a contract is broken".

The latter requires *justice*, which is to say, it requires apportioning blame (if A breached, A is clearly to blame, but that doesn't mean B and C aren't!). The former does not; at least, if the contract is well written.