Payment Channels Designing Secure Watchtowers Zeta Avarikioti ETH - - PowerPoint PPT Presentation

▶

Jun 05, 2023 94 likes •486 views

Payment Channels Designing Secure Watchtowers Zeta Avarikioti ETH Zurich Distributed Computing www.disco.ethz.ch Can cryptocurrencies scale? 7 tx/s 20 tx/s 65.000 tx/s Payment Channels Payment Channels Payment Channels Funding

SLIDE 1

ETH Zurich – Distributed Computing – www.disco.ethz.ch

Zeta Avarikioti

Payment Channels

Designing Secure Watchtowers

SLIDE 2

Can cryptocurrencies scale?

7 tx/s 20 tx/s 65.000 tx/s

SLIDE 3

Payment Channels

SLIDE 4

Payment Channels

SLIDE 5

Payment Channels

Alice 5btc Bob 4btc

Funding transaction

1 1

SLIDE 6

Payment Channels

Alice 5btc Bob 4btc

1 1

5 4

Funding transaction

SLIDE 7

Payment Channels

Alice 5btc Bob 4btc

1 1

5 4 Alice 2btc Bob 7btc

2 2

2 7

Funding transaction Alice sends 3btc

SLIDE 8

Payment Channels

8 1 Alice 5btc Bob 4btc

1 1

5 4 Alice 2btc Bob 7btc

2 2

Alice 8btc Bob 1btc

3 3

2 7

Funding transaction Bob sends 6btc Alice sends 3btc

SLIDE 9

Payment Network

SLIDE 10

SLIDE 11

Funding Commitment Dispute period

Lightning Channels

Revocation

SLIDE 12

Funding Commitment Dispute period

Attack

SLIDE 13

Funding Commitment Dispute period

Watchtowers

Revocation

SLIDE 14

Why be a Watchtower?

SLIDE 15

Assuming rational parties and watchtowers…

Will a party commit fraud?
Will a watchtower get paid?
Will a party commit fraud?
Will a watchtower get paid?
Will a party commit fraud? ...

Why be a Watchtower?

SLIDE 16

Watchtowers → Parties ↓ Active Inactive Fraud No Fraud

Why be a Watchtower?

SLIDE 17

Premiums

Watchtowers → Parties ↓ Active Inactive Fraud No Fraud

Why be a Watchtower?

SLIDE 18

Collateral

Why be an active Watchtower?

SLIDE 19

➔ UTXO-based (Unspent Transaction Output) ➔ Transaction: consumes & produces UTXOs ➔ Multi-signatures: σAB ➔ Timelocks: Δt

Bitcoin

SLIDE 20

a σB ai ai+1 bi+1 a b (σA⋀Δt)⋁σAB

Commitment (1)

Published by A

Funding

On-chain

Commitment (i)

Published by A

Commitment (i+1)

Published by A

Revocation

Published by B, W

σAB #σA #σB b a+b (σA⋀Δt)⋁σAB σB (σA⋀Δt)⋁σAB σB ai σAB bi σB

Lightning Channels

SLIDE 21

a σBW #σW c ai bi ai+1 bi+1 a b (σA⋀Δt)⋁σAW

Commitment (1)

Published by A

Funding

On-chain

Collateral

On-chain

Commitment (i)

Published by A

Commitment (i+1)

Published by A

Revocation

Published by B, W

Penalty 1

Published by B

Reclaim

Published by W

σAB #σA #σB b a+b σBW (σA⋀Δt)⋁σAW σBW (σA⋀Δt)⋁σAW σB ai +bi σB c +bi σBW c σAW

Cerberus Channels

σW c

SLIDE 22

a (σB ⋀ Δt)⋁σBW #σW c ai bi ai+1 bi+1 a b (σA⋀Δt)⋁σAW

Commitment (1)

Published by A

Funding

On-chain

Collateral

On-chain

Commitment (i)

Published by A

Commitment (i+1)

Published by A

Revocation

Published by B, W

Penalty 1

Published by B

Reclaim

Published by W

σAB #σA #σB b a+b (σA⋀Δt)⋁σAW (σA⋀Δt)⋁σAW σB ai +bi σB c +bi σBW c σAW (σB⋀Δt)⋁σBW (σB⋀Δt)⋁σBW

σB⋀Δt

σBW

Cerberus Channels

σW c

SLIDE 23

σB⋀Δt

(σW⋀ΔΤ)⋁σBW (σB ⋀ Δt)⋁σBW #σW c ai bi ai+1 bi+1 a b c (σA⋀Δt)⋁σAW

Commitment (1)

Published by A

Funding

On-chain

Collateral

On-chain

Commitment (i)

Published by A

Commitment (i+1)

Published by A

Revocation

Published by B, W

Penalty 1

Published by B

Penalty 2

Published by B

Reclaim

Published by W

σAB #σA #σB b a+b (σB⋀Δt)⋁σBW (σA⋀Δt)⋁σAW (σB⋀Δt)⋁σBW (σA⋀Δt)⋁σAW σB ai +bi σB c +bi σB c +bi σBW c σBW

σB⋀Δt

σBW σAW

Cerberus Channels

[Avarikioti, Tyfronitis-Litos, Wattenhofer. Cerberus Channels: Incentivizing Watchtowers for Bitcoin.]

SLIDE 24

Fundamentals of Channels

SLIDE 25

Funding Commitment Dispute period

Fundamentals of Channels

SLIDE 26

Funding Commitment Dispute period ➔ Eclipse ➔ Censor ➔ Congestion

Fundamentals of Channels

SLIDE 27

Time = CryptoMoney!

SLIDE 28

Time = CryptoMoney!

Asynchronous channels?

SLIDE 29

Be proactive, not reactive

SLIDE 30

Funding Close Signatures of Alice & Bob OR Signatures of ⅔ WT & (Alice or Bob)

Be proactive, not reactive

SLIDE 31

1) Consensus is costly 2) Privacy is important 3) Incentives are critical

Challenges

SLIDE 32

➔ O(n) communication complexity for state updates ➔ Verification of consensus between Alice & Bob ➔ No liveness guarantees, if Alice & Bob both misbehave ➔ Consensus needed only for closing, if there is a dispute

Consistent Broadcast

SLIDE 33

H( ) H( )

➔ Privacy preserving ➔ Alice/Bob cannot publish a previous transaction

H( )

Encrypted State

SLIDE 34

H( )

(1) Update

H( )

(2) Consistent Broadcast (2) Consistent Broadcast (3) Execute (3) Execute

H( )

Brick Architecture

SLIDE 35

➔ Unilateral channel for fees: Repeated game lifts fair exchange impossibility ➔ Collateral for anti-bribing: Reduction to fair-exchange WT Committee size ↑ → per WT collateral ↓

Incentives

SLIDE 36

➔ Asynchronous channels ➔ Security even under L1 failure ➔ Privacy ➔ Incentive-compatible ➔ Embarrassingly parallel ➔ Linear communication

[Avarikioti, Kokoris-Kogias, Wattenhofer. Brick: Asynchronous State Channels.]

Brick Advantages

SLIDE 37

Thank you!

Questions?

ETH Zurich – Distributed Computing Group – www.disco.ethz.ch

➔ Avarikioti, Tyfronitis-Litos, Wattenhofer. Cerberus Channels: Incentivizing Watchtowers for Bitcoin. Financial Cryptography and Data Security 2020. ➔ Avarikioti, Kokoris-Kogias, Wattenhofer. Brick: Asynchronous State Channels.