S & P SECURITY & PRIVACY GROUP Security and Privacy for - - PowerPoint PPT Presentation

FAKULTÄT FÜR !NFORMATIK

S&P

SECURITY & PRIVACY GROUP

Security and Privacy for Payment Channel Networks Pedro Moreno-Sanchez

Blockchain Summer School BDLT’19 Vienna, Sep 2nd 2019

2

Blockchain Research Lab: Highlights

• CoinShuffle: privacy-preserving protocol for

blockchain payments implemented in several cryptocurrencies wallets

• AMHL: first solution for security, privacy and

interoperability issues with blockchain scalability

• protocols. Implemented in LND (current Bitcoin

scalability protocol), KZen Network and COMIT Network

• DLSAG: first scalability protocol with formal

guarantees for the Monero cryptocurrency. Under discussion in the Monero community for adoption.

• Lots of work on:
• Security verification and safe design of smart

contracts

• Privacy-preserving routing mechanisms
• Constant collateral for Bitcoin-compatible PCNs

3

Blockchain Research Lab: Collaborations

• C. Schneidewind
• E. Tairi
• I. Grischchenko
• M. Maffei

3

Blockchain Research Lab: Collaborations

• C. Schneidewind
• E. Tairi
• I. Grischchenko
• M. Maffei

3

Blockchain Research Lab: Collaborations

• C. Schneidewind
• E. Tairi
• I. Grischchenko
• M. Maffei
• A. Kate
• G. Malavolta
• C. Egger
• S. Roos
• I. Goldberg
• A. Gervais

• Decentralized data structure recording each

transaction in order to provide public verifiability

• Global consensus: everyone checks the whole

blockchain

4

Scalability Issues

Bitcoin’s transaction rate: ~10 tx/sec Visa’s transaction rate: ~10K tx/sec

• On-chain (tweak consensus) 


e.g., DAG Blockchain, sharding, ...

• Off-chain (use blockchain only for disputes) 


e.g., Payment Channel Networks Many other research projects (Bolt, Z-Channels, Perun, Liquidity Network ...)

Lightning Network (Bitcoin) Raiden Network (Ethereum)

5

Scalability Solutions?

• On-chain (tweak consensus) 


e.g., DAG Blockchain, sharding, ...

• Off-chain (use blockchain only for disputes) 


e.g., Payment Channel Networks Many other research projects (Bolt, Z-Channels, Perun, Liquidity Network ...)

Lightning Network (Bitcoin) Raiden Network (Ethereum)

5

Scalability Solutions?

6

Background on Payment Channel Networks

7

Payment Channels: Open

Alice Bob Blockchain

5 1

7

Payment Channels: Open

Alice Bob Blockchain

Multisig Contract Can be spent only with the signatures of both Alice and Bob

5 1

5 (Alice) 5 (Alice,Bob) Alice

• Alice creates multisig contract to

deposit money on the channel

7

Payment Channels: Open

Alice Bob Blockchain

Multisig Contract Can be spent only with the signatures of both Alice and Bob

5 1

5 (Alice) 5 (Alice,Bob) Alice 5 (Alice,Bob) 5 (Alice) Alice,Bob

• Alice creates multisig contract to

deposit money on the channel

• Alice lets Bob sign a refund

transaction to unlock the money

8

Payment Channels: Open

Alice Bob Blockchain

5 1

5 (Alice) 5 (Alice,Bob) Alice

• Alice creates multisig contract to

deposit money on the channel

• Alice lets Bob sign a refund

transaction to unlock the money

• Alice places the multisig contract
• nchain

9

Payment Channels: Transactions

Blockchain

5 (Alice, Bob) 4 (Alice) 1 (Bob) Alice ?? Bob

4 1

Alice Bob

5 (Alice) 5 (Alice,Bob) Alice

10

Payment Channels: Transactions

Blockchain

5 (Alice, Bob) 3 (Alice) 2 (Bob) Alice ?? Bob

3 2

Alice Bob

5 (Alice, Bob) 3 (Alice) 2 (Bob) Alice ?? Bob 5 (Alice) 5 (Alice,Bob) Alice Under the hood Mechanisms for bidirectional payments and for revocation of old states

5 (Alice, Bob) 3 (Alice) 2 (Bob) Alice,Bob

Payment Channels: Close

Blockchain Alice Bob

5 (Alice) 5 (Alice,Bob) Alice

12

Payment Channel Networks (PCNs)

4 1 2 3

Alice Bob Carol

Send 1 BTC to Carol

One cannot open channels with everyone... exploit channel paths!

⇒

12

Payment Channel Networks (PCNs)

4 1 2 3

Alice Bob Carol Bob

2 3 3 2

Carol Alice

1. Send 1 BTC Send 1 BTC to Carol

12

Payment Channel Networks (PCNs)

4 1 2 3

Alice Bob Carol Bob

2 3 3 2

Carol Alice

1. Send 1 BTC Send 1 BTC to Carol

3 2 1 4

Alice Bob Carol

• 2. Forward 1 BTC to

Carol

Should happen atomically

12

Payment Channel Networks (PCNs)

4 1 2 3

Alice Bob Carol Bob

2 3 3 2

Carol Alice

1. Send 1 BTC Send 1 BTC to Carol

3 2 1 4

Alice Bob Carol

• 2. Forward 1 BTC to

Carol

Should happen atomically

12

Payment Channel Networks (PCNs)

4 1 2 3

Alice Bob Carol Bob

2 3 3 2

Carol Alice

1. Send 1 BTC Send 1 BTC to Carol

Fee acts as an incentive for Bob to participate in the payment

3 2 1 4

Alice Bob Carol

• 2. Forward 1 BTC to

Carol

3-fee 2

f
 e
 e

3-fee 2

f
 e
 e

• 1. Send 1 BTC + fee

to Bob

13

The Lightning Network (LN)

5

14

Hashtime Lock Contract (HTLC)

5 (Alice, Bob) 4 (Alice) 1 (Bob) Alice ?? Bob

4 1

Alice Bob y

5 (Alice, Bob) 4 (Alice) 1 (Bob) Alice ?? Bob

5

14

Hashtime Lock Contract (HTLC)

5 (Alice, Bob) 4 (Alice) 1 (Bob) Alice ?? Bob

4 1 4 1

Alice Bob y

x

5 (Alice, Bob) 4 (Alice) 1 (Bob) Alice ?? Bob

y

With knowledge of x, Bob can “open” + publish the transaction on the blockchain for enforcing the payment

5

14

Hashtime Lock Contract (HTLC)

5 (Alice, Bob) 4 (Alice) 1 (Bob) Alice ?? Bob

4 1 4 1

Alice Bob y

x

After time the transaction cannot be published anymore on the blockchain 5 (Alice, Bob) 4 (Alice) 1 (Bob) Alice ?? Bob

y

With knowledge of x, Bob can “open” + publish the transaction on the blockchain for enforcing the payment

5

14

Hashtime Lock Contract (HTLC)

5 (Alice, Bob) 4 (Alice) 1 (Bob) Alice ?? Bob

4 1 4 1

Alice Bob y

x

HTLC (Alice, Bob, 1, y, ):

Alice pays Bob 1 BTC iff Bob shows some x such that H(x) = y before

After time the transaction cannot be published anymore on the blockchain 5 (Alice, Bob) 4 (Alice) 1 (Bob) Alice ?? Bob

y

With knowledge of x, Bob can “open” + publish the transaction on the blockchain for enforcing the payment

3 2

15

HTLC for Multi-hop Payments

Alice Bob Carol

y:= H(x)

x

2 3

3 2

15

HTLC for Multi-hop Payments

Alice Bob Carol

y:= H(x)

x

y 2 3

3 2

15

HTLC for Multi-hop Payments

Alice Bob Carol

HTLC(Alice, Bob, 1.1, y, t) y:= H(x)

x

y 2 3

1.1 0.9

3 1

3 2

15

HTLC for Multi-hop Payments

Alice Bob Carol

HTLC(Alice, Bob, 1.1, y, t) HTLC(Bob, Carol, 1, y, t’) 2 2 1 y:= H(x)

x

y 2 3

1.1 0.9

3 1

3 2

15

HTLC for Multi-hop Payments

Alice Bob Carol

HTLC(Alice, Bob, 1.1, y, t) HTLC(Bob, Carol, 1, y, t’) 2 2 1 y:= H(x)

x

y x 2 3 2 3

1.1 0.9

3 1

3 2

15

HTLC for Multi-hop Payments

Alice Bob Carol

HTLC(Alice, Bob, 1.1, y, t) HTLC(Bob, Carol, 1, y, t’) 2 2 1 y:= H(x)

x

y x x 2 3 2 3

1.1 0.9

3 1

0.9

4.1

3 2

15

HTLC for Multi-hop Payments

Alice Bob Carol

HTLC(Alice, Bob, 1.1, y, t) HTLC(Bob, Carol, 1, y, t’) 2 2 1 y:= H(x)

x

y Requirement: t > t’ (after Carol revealed x to Bob, there must still be time for Bob to reveal x to Alice) x x 2 3 2 3

1.1 0.9

3 1

0.9

4.1

• Lightning Network & Co work allow us to perform payments offchain
• fast, no confirmation delay
• little fees
• minimal information stored on the blockchain
• secure and privacy-preserving (at a first glance...)
• The blockchain is used only to mediate disputes...cool!

16

Take home...

HTLC (Alice, Bob, 1.1, y, t):

Alice pays Bob 1.1 BTC iff Bob shows some x such that H(x) = y before t days

3 2

2 2 1

2 3

1 0.

3 1

17

Security + Privacy in PCNs

Are off-chain payments in PCNs privacy-preserving by default?

(individual payments are not recorded on the blockchain)

Are off-chain payments in PCNs secure?

(No honest participant looses money)

17

Security + Privacy in PCNs

Are off-chain payments in PCNs privacy-preserving by default?

(individual payments are not recorded on the blockchain)

Are off-chain payments in PCNs secure?

(No honest participant looses money)

NO! NO!

18

Security and Privacy Issues in Existing PCNs

ACM CCS 2017 NDSS 2019

19

Security Issue: The Wormhole Attack

A C E1 E2

HTLC(A, E1,1.3,y, t1) HTLC(E1, B,1.2,y, t2) HTLC(B, E2,1.1,y, t3) HTLC(E2, C,1,y, t4)

y:= H(x)

x

B

19

Security Issue: The Wormhole Attack

A C E1 E2

HTLC(A, E1,1.3,y, t1) HTLC(E1, B,1.2,y, t2) HTLC(B, E2,1.1,y, t3) HTLC(E2, C,1,y, t4)

y:= H(x)

x

x B

19

Security Issue: The Wormhole Attack

A C E1 E2

HTLC(A, E1,1.3,y, t1) HTLC(E1, B,1.2,y, t2) HTLC(B, E2,1.1,y, t3) HTLC(E2, C,1,y, t4)

y:= H(x)

x

x x B

19

Security Issue: The Wormhole Attack

A C E1 E2

HTLC(A, E1,1.3,y, t1) HTLC(E1, B,1.2,y, t2) HTLC(B, E2,1.1,y, t3) HTLC(E2, C,1,y, t4)

y:= H(x)

x

x x x B

19

Security Issue: The Wormhole Attack

A C E1 E2

HTLC(A, E1,1.3,y, t1) HTLC(E1, B,1.2,y, t2) HTLC(B, E2,1.1,y, t3) HTLC(E2, C,1,y, t4)

y:= H(x)

x

x x x B considers the payment to be failed and unlocks his funds after the timeout B

19

Security Issue: The Wormhole Attack

A C E1 E2

HTLC(A, E1,1.3,y, t1) HTLC(E1, B,1.2,y, t2) HTLC(B, E2,1.1,y, t3) HTLC(E2, C,1,y, t4)

y:= H(x)

x

x x x B considers the payment to be failed and unlocks his funds after the timeout B gets 1.3 (no payment to B) pays 1 (no payment from B) Attacker earns 0.3 BTC (own fees + B’s fee)

20

Privacy Issues in HTLC Payments

A C E1 E2

HTLC(A,E1,v1,y,t1) HTLC(E1,B,v2,y,t2) HTLC(B,E2,v3,y,t3) HTLC(E2,C,v4,y,t4)

B A’ C’ Relationship Anonymity: On-path adversaries do not learn who pays to whom

HTLC(A,E1,v1,y’,t1) HTLC(E1,B,v2,y’,t2) HTLC(B,E2,v3,y’,t3) HTLC(E2,C,v4,y’,t4)

20

Privacy Issues in HTLC Payments

A C E1 E2

HTLC(A,E1,v1,y,t1) HTLC(E1,B,v2,y,t2) HTLC(B,E2,v3,y,t3) HTLC(E2,C,v4,y,t4)

B A’ C’

pays to pays to

≈

pays to pays to

Relationship Anonymity: On-path adversaries do not learn who pays to whom

HTLC(A,E1,v1,y’,t1) HTLC(E1,B,v2,y’,t2) HTLC(B,E2,v3,y’,t3) HTLC(E2,C,v4,y’,t4)

20

Privacy Issues in HTLC Payments

A C E1 E2

HTLC(A,E1,v1,y,t1) HTLC(E1,B,v2,y,t2) HTLC(B,E2,v3,y,t3) HTLC(E2,C,v4,y,t4)

B A’ C’

pays to pays to

≈

pays to pays to

Relationship Anonymity: On-path adversaries do not learn who pays to whom

HTLC(A,E1,v1,y’,t1) HTLC(E1,B,v2,y’,t2) HTLC(B,E2,v3,y’,t3) HTLC(E2,C,v4,y’,t4)

20

Privacy Issues in HTLC Payments

A C E1 E2

HTLC(A,E1,v1,y,t1) HTLC(E1,B,v2,y,t2) HTLC(B,E2,v3,y,t3) HTLC(E2,C,v4,y,t4)

B A’ C’

pays to pays to

≈

pays to pays to

Relationship Anonymity: On-path adversaries do not learn who pays to whom

HTLC(A,E1,v1,y’,t1) HTLC(E1,B,v2,y’,t2) HTLC(B,E2,v3,y’,t3) HTLC(E2,C,v4,y’,t4)

21

Solving Security and Privacy Issues in Payment Channel Networks

22

Solving Security + Privacy Issues

Lock(A, E1,1.3,C1,t1) Lock(E1,B,1.2,C2,t2) Lock(B,E2,1.1,C3,t3) Lock(E2,C,1,C4, t4)

Randomised conditions at each hop that can only be released by (exactly) the right neighbour’s key

22

Solving Security + Privacy Issues

Lock(A, E1,1.3,C1,t1) Lock(E1,B,1.2,C2,t2) Lock(B,E2,1.1,C3,t3) Lock(E2,C,1,C4, t4)

k3 k1 k2 k4

Setup phase for the distribution of individual “randomisation factors” for users at each hop Randomised conditions at each hop that can only be released by (exactly) the right neighbour’s key

22

Solving Security + Privacy Issues

Lock(A, E1,1.3,C1,t1) Lock(E1,B,1.2,C2,t2) Lock(B,E2,1.1,C3,t3) Lock(E2,C,1,C4, t4)

k3 k1 k2 k4

Setup phase for the distribution of individual “randomisation factors” for users at each hop

Desired Properties

No coin loss 1.Atomicity:
 If a user’s right lock gets

• pened, he can open his

left lock 2.Consistency:
 A user can open his left lock only if his right lock was released 3.Relationship Anonymity:
 A user learns about no

• ther participant of the

payment path than his direct neighbours No Wormhole Attacks Privacy Randomised conditions at each hop that can only be released by (exactly) the right neighbour’s key

ECDSA-based construction

23

Anonymous Multi-hop-Locks (AMHL)

Ideal functionality

(capturing atomicity, consistency + relationship anonymity) Construction from homographic one- way functions Schnorr-based construction

provably realise in the UC framework

ECDSA-based construction

23

Anonymous Multi-hop-Locks (AMHL)

Ideal functionality

(capturing atomicity, consistency + relationship anonymity) Construction from homographic one- way functions Schnorr-based construction ECDSA-based construction

provably realise in the UC framework compatible with Bitcoin, Ethereum, etc.

24

ECDSA-based Secure PCNs

25

Scriptless Scripts

y

5

25

Scriptless Scripts

Alice
 (skA) Bob
 (skB) y AB

hypothetical “shared identity” skAB = skA * skB

Blockchain

5

25

Scriptless Scripts

4 1

Alice
 (skA) Bob
 (skB) y AB

hypothetical “shared identity” skAB = skA * skB

Blockchain

5 (AB) 4 (Alice) 1 (Bob)

y

AB ??k 5 (Alice) 5 (AB) Alice

5

25

Scriptless Scripts

4 1

Alice
 (skA) Bob
 (skB) y

Alice can retrieve secret k from full signature Bob gets sufficient information for checking that the “half signature” produced by Alice and Bob can be completed to a valid signature given k

AB

hypothetical “shared identity” skAB = skA * skB

Blockchain

5 (AB) 4 (Alice) 1 (Bob)

y

AB ??k 5 (Alice) 5 (AB) Alice

26

Extension to Multi-hop Locks

Lock(A, E1,1.3,C1,t1) Lock(E1,B,1.2,C2,t2) Lock(B,E2,1.1,C3,t3) Lock(E2,C,1,C4, t4)

(k4, C4) (k2, C2) (k3, C3) (k1 + k2 + k3 + k4)

k1*G (k1 + k2)*G (k1 + k2 + k3)*G

A C E1 E2 B

(k1 + k2 + k3 + k4)*G

26

Extension to Multi-hop Locks

Lock(A, E1,1.3,C1,t1) Lock(E1,B,1.2,C2,t2) Lock(B,E2,1.1,C3,t3) Lock(E2,C,1,C4, t4)

(k4, C4) (k2, C2) (k3, C3) (k1 + k2 + k3 + k4)

k1*G (k1 + k2)*G (k1 + k2 + k3)*G

A C E1 E2

(k1 + k2 + k3 + k4)

B

(k1 + k2 + k3 + k4)*G

26

Extension to Multi-hop Locks

Lock(A, E1,1.3,C1,t1) Lock(E1,B,1.2,C2,t2) Lock(B,E2,1.1,C3,t3) Lock(E2,C,1,C4, t4)

(k4, C4) (k2, C2) (k3, C3) (k1 + k2 + k3 + k4)

k1*G (k1 + k2)*G (k1 + k2 + k3)*G

A C E1 E2

(k1 + k2 + k3 + k4)

B

(k1 + k2 + k3 + k4)*G

(k1 + k2 + k3)

• k4

26

Extension to Multi-hop Locks

Lock(A, E1,1.3,C1,t1) Lock(E1,B,1.2,C2,t2) Lock(B,E2,1.1,C3,t3) Lock(E2,C,1,C4, t4)

(k4, C4) (k2, C2) (k3, C3) (k1 + k2 + k3 + k4)

k1*G (k1 + k2)*G (k1 + k2 + k3)*G

A C E1 E2

(k1 + k2 + k3 + k4)

B

(k1 + k2 + k3 + k4)*G

(k1 + k2 + k3) (k1 + k2)

• k3
• k4

26

Extension to Multi-hop Locks

Lock(A, E1,1.3,C1,t1) Lock(E1,B,1.2,C2,t2) Lock(B,E2,1.1,C3,t3) Lock(E2,C,1,C4, t4)

(k4, C4) (k2, C2) (k3, C3) (k1 + k2 + k3 + k4)

k1*G (k1 + k2)*G (k1 + k2 + k3)*G

A C E1 E2

(k1 + k2 + k3 + k4)

B

(k1 + k2 + k3 + k4)*G

(k1 + k2 + k3) (k1 + k2) k1

• k2
• k3
• k4

26

Extension to Multi-hop Locks

Lock(A, E1,1.3,C1,t1) Lock(E1,B,1.2,C2,t2) Lock(B,E2,1.1,C3,t3) Lock(E2,C,1,C4, t4)

(k4, C4) (k2, C2) (k3, C3) (k1 + k2 + k3 + k4)

k1*G (k1 + k2)*G (k1 + k2 + k3)*G

A C E1 E2

(k1 + k2 + k3 + k4)

B

(k1 + k2 + k3 + k4)*G

(k1 + k2 + k3) (k1 + k2) k1

A valid key can only be extracted from a valid key for the right lock

• k2
• k3
• k4

Conditions look random 
 (as they differ by a secret random factor)

27

ECDSA-based Scriptless Lock

x

R = r * G

σR = sign(r, sk, transaction)

secret key message secret randomness

Signature w.r.t. a (public) random elliptic curve point R

27

ECDSA-based Scriptless Lock

x

R = r * G

σR = sign(r, sk, transaction)

secret key message secret randomness

shared signature using a shared key and a shared randomness rA*rB rA*rB*G skA*skB

AB

Signature w.r.t. a (public) random elliptic curve point R

27

ECDSA-based Scriptless Lock

x

R = r * G

σR = sign(r, sk, transaction)

secret key message secret randomness

shared signature using a shared key and a shared randomness rA*rB rA*rB*G skA*skB

AB

embedding of random share (condition) k rA*rB*k*G rA*rB*k skA*skB

AB

Signature w.r.t. a (public) random elliptic curve point R

27

ECDSA-based Scriptless Lock

x

R = r * G

σR = sign(r, sk, transaction)

secret key message secret randomness

shared signature using a shared key and a shared randomness rA*rB rA*rB*G skA*skB

AB

embedding of random share (condition) k rA*rB*k*G rA*rB*k skA*skB

AB

Signature w.r.t. a (public) random elliptic curve point R rA*rB rA*rB*k*G skA*skB

AB

“half signature” without k but still with respect to rA*rB*k*G

27

ECDSA-based Scriptless Lock

x

R = r * G

σR = sign(r, sk, transaction)

secret key message secret randomness

shared signature using a shared key and a shared randomness rA*rB rA*rB*G skA*skB

AB

embedding of random share (condition) k rA*rB*k*G rA*rB*k skA*skB

AB

Signature w.r.t. a (public) random elliptic curve point R rA*rB rA*rB*k*G skA*skB

AB

“half signature” without k but still with respect to rA*rB*k*G Lock Protocol

AB AB

(skA, rA) (skB, rB) C=k*G, transaction

“1/3” signature σR,B “1/3” signature σR,A …

27

ECDSA-based Scriptless Lock

x

R = r * G

σR = sign(r, sk, transaction)

secret key message secret randomness

shared signature using a shared key and a shared randomness rA*rB rA*rB*G skA*skB

AB

embedding of random share (condition) k rA*rB*k*G rA*rB*k skA*skB

AB

Signature w.r.t. a (public) random elliptic curve point R rA*rB rA*rB*k*G skA*skB

AB

“half signature” without k but still with respect to rA*rB*k*G Lock Protocol

AB AB

(skA, rA) (skB, rB) C=k*G, transaction

“1/3” signature σR,B “1/3” signature σR,A …

Hard for ECDSA as σR has a non-linear structure

28

Properties/Evaluation

• Security and Privacy proven formally (in the UC Framework)
• Compatible with Bitcoin and current PCNs

✓Implemented in ✓Lightning Network (https://github.com/cfromknecht/tpec) ✓Kzen Network (https://github.com/KZen-networks/multi-hop-locks) ✓COMIT Network (https://github.com/coblox/ss-ecdsa-poc)

• Reduces transaction size for conditional payments

✓Encoding of condition within signature

• Makes settlement transactions indistinguishable from regular ones

(Fungibility)

• Little overhead:

✓ < 500 bytes communication ✓ few ms computation

Alice,Bob ?? AB

⤳

AB ?k

⤳

• AMHLs are suitable for cross-currency usage

• even with different primitive instantiations

✓ Inter-currency payment channels ✓ Atomic swaps

29

Interoperability

E C D S A DLOG

30

Summary

The Wormhole Attack: 
 A novel attack on Payment Channel Network Security Concrete constructions of AMHLs that

… got implemented in Bitcoin’s Lightning Network … enable inter-blockchain Payment Channels … are efficient

AMHLs: A new primitive for secure + anonymous Payment Channel Networks