Payment Channels: Designing Secure Watchtowers
Zeta Avarikioti
ETH Zurich – Distributed Computing – www.disco.ethz.ch
Can cryptocurrencies scale? 7 tx/s 20 tx/s 65.000 tx/s
Payment Channels
Payment Channels
State 1 (Funding transaction): Alice 5btc, Bob 4btc
State 2 (Alice sends 3btc): Alice 2btc, Bob 7btc
State 3 (Bob sends 6btc): Alice 8btc, Bob 1btc
Payment Network
Lightning Channels
[Timeline diagram: Funding, Commitment, Revocation, Dispute period]
Attack
[Timeline diagram: Funding, Commitment, Dispute period]
Watchtowers
[Timeline diagram: Funding, Commitment, Revocation, Dispute period]
Why be a Watchtower?
Assuming rational parties and watchtowers…
- Will a party commit fraud?
- Will a watchtower get paid?
- Will a party commit fraud?
- Will a watchtower get paid?
- Will a party commit fraud?
...
[Matrix: columns Watchtowers → Active / Inactive; rows Parties ↓ Fraud / No Fraud]
Premiums
Why be an active Watchtower? Collateral
Bitcoin
➔ UTXO-based (Unspent Transaction Output)
➔ Transaction: consumes & produces UTXOs
➔ Multi-signatures: σ_AB
➔ Timelocks: Δt
Lightning Channels
[Diagram: transaction graph. Transactions: Funding (a+b, on-chain), Commitment (1), Commitment (i) and Commitment (i+1) (published by A), Revocation (i) (published by B, W). Spending conditions shown: σ_AB, (σ_A ∧ Δt) ∨ σ_AB, σ_B.]
Cerberus Channels
[Diagram: transaction graph. Transactions: Funding (a+b, on-chain), Commitment (1), Commitment (i) and Commitment (i+1) (published by A), Revocation (i) (published by B, W), Penalty 1 (published by B), Penalty 2 (published by B), Collateral (c, published by W, on-chain), Reclaim. Spending conditions shown: σ_AB, (σ_A ∧ Δt) ∨ σ_AW, (σ_B ∧ Δt) ∨ σ_BW, σ_B ∧ Δt, (σ_W ∧ ΔT) ∨ σ_BW.]
[Avarikioti, Tyfronitis-Litos, Wattenhofer. Cerberus Channels: Incentivizing Watchtowers for Bitcoin.]
Fundamentals of Channels
[Timeline diagram: Funding, Commitment, Dispute period]
➔ Eclipse
➔ Censor
➔ Congestion
Time = CryptoMoney!
Asynchronous channels?
Be proactive, not reactive
[Diagram labels: Funding, Close]
Signatures of Alice & Bob OR Signatures of ⅔ WT & (Alice or Bob)
Challenges
1) Consensus is costly
2) Privacy is important
3) Incentives are critical
Consistent Broadcast
➔ O(n) communication complexity for state updates
➔ Verification of consensus between Alice & Bob
➔ No liveness guarantees, if Alice & Bob both misbehave
➔ Consensus needed only for closing, if there is a dispute
Encrypted State
[Diagram: watchtowers each holding H( )]
➔ Privacy preserving
➔ Alice/Bob cannot publish a previous transaction
Brick Architecture
[Diagram: watchtowers holding H( )]
(1) Update
(2) Consistent Broadcast
(3) Execute
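The close rule and the hashed-state idea from the slides above, as an added toy model that is not code from the slides or from the Brick authors. Signatures are modelled as a set of signer names, attestations are assumed authentic and from distinct watchtowers, and the salt, class and function names are assumptions made for the illustration.

```python
import hashlib
from math import ceil

def state_hash(seq, alice, bob, salt):
    """H(state): the digest a watchtower stores instead of the balances."""
    return hashlib.sha256(f"{seq}|{alice}|{bob}|{salt}".encode()).hexdigest()

class Watchtower:
    """Remembers only the freshest (sequence number, digest) it was sent."""
    def __init__(self):
        self.seq, self.digest = 0, None

    def on_update(self, seq, digest):
        if seq > self.seq:          # stale or replayed announcements are ignored
            self.seq, self.digest = seq, digest

    def attest(self):
        return (self.seq, self.digest)

def can_close(state, salt, signers, attestations, n_towers):
    """Alice & Bob together, OR >= 2/3 of the watchtowers plus one party."""
    if {"alice", "bob"} <= signers:
        return True                              # cooperative close
    if not signers & {"alice", "bob"}:
        return False                             # watchtowers alone cannot close
    if len(attestations) < ceil(2 * n_towers / 3):
        return False                             # no 2/3 quorum
    _, digest = max(attestations, key=lambda a: a[0])
    # The revealed state must open the freshest digest the quorum holds.
    return digest is not None and state_hash(*state, salt) == digest

def demo():
    salt = "constructed-salt"                    # known to Alice and Bob only
    states = [(1, 5, 4), (2, 2, 7), (3, 8, 1)]   # constructed: (seq, Alice btc, Bob btc)
    towers = [Watchtower() for _ in range(4)]
    for st in states:                            # each update is announced as H(state)
        for wt in towers:
            wt.on_update(st[0], state_hash(*st, salt))
    quorum = [wt.attest() for wt in towers[:3]]  # 3 of 4 meets the 2/3 threshold
    return {
        "stale_by_bob": can_close(states[1], salt, {"bob"}, quorum, 4),
        "latest_by_bob": can_close(states[2], salt, {"bob"}, quorum, 4),
        "too_few_towers": can_close(states[2], salt, {"bob"}, quorum[:2], 4),
        "towers_only": can_close(states[2], salt, set(), quorum, 4),
        "cooperative": can_close(states[2], salt, {"alice", "bob"}, [], 4),
    }

if __name__ == "__main__":
    print(demo())
```

Bob's attempt to close on the state where he holds 7btc fails because the quorum's freshest digest only opens to the later state, while the watchtowers themselves never see a balance.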
Incentives
➔ Unilateral channel for fees: Repeated game lifts fair exchange impossibility
➔ Collateral for anti-bribing: Reduction to fair-exchange
WT Committee size ↑ → per WT collateral ↓
Brick Advantages
➔ Asynchronous channels
➔ Security even under L1 failure
➔ Privacy
➔ Incentive-compatible
➔ Embarrassingly parallel
➔ Linear communication
[Avarikioti, Kokoris-Kogias, Wattenhofer. Brick: Asynchronous State Channels.]
Thank you! Questions?
➔ Avarikioti, Tyfronitis-Litos, Wattenhofer. Cerberus Channels: Incentivizing Watchtowers for Bitcoin. Financial Cryptography and Data Security 2020.
➔ Avarikioti, Kokoris-Kogias, Wattenhofer. Brick: Asynchronous State Channels.
ETH Zurich – Distributed Computing Group – www.disco.ethz.ch