
S & P SECURITY & PRIVACY GROUP Security and Privacy for - PowerPoint PPT Presentation

Fakultät für Informatik (Faculty of Informatics), S&P Security & Privacy Group. Security and Privacy for Payment Channel Networks. Pedro Moreno-Sanchez. Blockchain Summer School BDLT’19, Vienna, Sep 2nd 2019. Blockchain Research


  1. Fakultät für Informatik (Faculty of Informatics), S&P Security & Privacy Group
     Security and Privacy for Payment Channel Networks
     Pedro Moreno-Sanchez
     Blockchain Summer School BDLT’19, Vienna, Sep 2nd 2019

  2. Blockchain Research Lab: Highlights
     • CoinShuffle: privacy-preserving protocol for blockchain payments, implemented in several cryptocurrency wallets
     • AMHL: first solution for security, privacy and interoperability issues with blockchain scalability protocols. Implemented in LND (current Bitcoin scalability protocol), KZen Network and COMIT Network
     • DLSAG: first scalability protocol with formal guarantees for the Monero cryptocurrency. Under discussion in the Monero community for adoption.
     • Lots of work on:
       • Security verification and safe design of smart contracts
       • Privacy-preserving routing mechanisms
       • Constant collateral for Bitcoin-compatible PCNs

  3. Blockchain Research Lab: Collaborations
     C. Schneidewind, E. Tairi, I. Grishchenko, M. Maffei

  5. Blockchain Research Lab: Collaborations
     C. Schneidewind, E. Tairi, I. Grishchenko, M. Maffei, C. Egger, G. Malavolta, I. Goldberg, A. Kate, S. Roos, A. Gervais

  6. Scalability Issues
     ‣ Decentralized data structure recording each transaction in order to provide public verifiability
     ‣ Global consensus: everyone checks the whole blockchain
     Bitcoin’s transaction rate: ~10 tx/sec
     Visa’s transaction rate: ~10K tx/sec

  7. Scalability Solutions?
     ‣ On-chain (tweak consensus), e.g., DAG Blockchain, sharding, ...
     ‣ Off-chain (use blockchain only for disputes), e.g., Payment Channel Networks: Lightning Network (Bitcoin), Raiden Network (Ethereum)
     Many other research projects (Bolt, Z-Channels, Perun, Liquidity Network ...)

  9. Background on Payment Channel Networks

  10. Payment Channels: Open
      [Figure labels: Alice, Bob; Blockchain]

  11. Payment Channels: Open
      [Figure labels: Multisig Contract; 5 (Alice,Bob); 5 (Alice); Alice; Blockchain]
      Multisig Contract: can be spent only with the signatures of both Alice and Bob
      ‣ Alice creates multisig contract to deposit money on the channel

  12. Payment Channels: Open
      [Figure labels: Multisig Contract; 5 (Alice,Bob); 5 (Alice); Alice; 5 (Alice); 5 (Alice,Bob); Alice,Bob; Blockchain]
      Multisig Contract: can be spent only with the signatures of both Alice and Bob
      ‣ Alice creates multisig contract to deposit money on the channel
      ‣ Alice lets Bob sign a refund transaction to unlock the money

  13. Payment Channels: Open
      [Figure labels: 5 (Alice); 5 (Alice,Bob); Alice,Bob; Blockchain: 5 (Alice,Bob), 5 (Alice), Alice]
      ‣ Alice creates multisig contract to deposit money on the channel
      ‣ Alice lets Bob sign a refund transaction to unlock the money
      ‣ Alice places the multisig contract onchain

  14. Payment Channels: Transactions
      [Figure labels: balances 4 and 1; 5 (Alice, Bob), 4 (Alice), 1 (Bob); Blockchain: 5 (Alice,Bob), 5 (Alice), Alice]

  15. Payment Channels: Transactions
      [Figure labels: balances 3 and 2; 5 (Alice, Bob), 3 (Alice), 2 (Bob); Blockchain: 5 (Alice,Bob), 5 (Alice), Alice]
      Under the hood: mechanisms for bidirectional payments and for revocation of old states

  16. Payment Channels: Close
      [Figure labels: Alice, Bob; Blockchain: 5 (Alice,Bob), 5 (Alice), Alice; 5 (Alice, Bob), 3 (Alice), 2 (Bob), Alice,Bob]

  17. Payment Channel Networks (PCNs)
      [Figure: Alice, Bob, Carol with channel balances; Send 1 BTC to Carol]
      One cannot open channels with everyone... ⇒ exploit channel paths!

  18. Payment Channel Networks (PCNs)
      [Figure: Alice, Bob, Carol with channel balances; Send 1 BTC to Carol]
      1. Send 1 BTC

  19. Payment Channel Networks (PCNs)
      [Figure: Alice, Bob, Carol with channel balances; Send 1 BTC to Carol]
      1. Send 1 BTC
      2. Forward 1 BTC to Carol

  20. Payment Channel Networks (PCNs)
      [Figure: Alice, Bob, Carol with channel balances; Send 1 BTC to Carol]
      Should happen atomically:
      1. Send 1 BTC
      2. Forward 1 BTC to Carol

  21. Payment Channel Networks (PCNs)
      [Figure: Alice, Bob, Carol with channel balances, including 3-fee; Send 1 BTC to Carol]
      Should happen atomically:
      1. Send 1 BTC + fee to Bob
      2. Forward 1 BTC to Carol
      Fee acts as an incentive for Bob to participate in the payment

  22. The Lightning Network (LN)

  23. Hashtime Lock Contract (HTLC)
      [Figure labels: balances 4 and 1; 5 (Alice, Bob), 4 (Alice), 1 (Bob); 1 (Bob) with y]

  24. Hashtime Lock Contract (HTLC)
      [Figure labels: balances 4 and 1; 5 (Alice, Bob), 4 (Alice), 1 (Bob); 1 (Bob) with y; x]
      With knowledge of x, Bob can “open” + publish the transaction on the blockchain for enforcing the payment

  25. Hashtime Lock Contract (HTLC)
      [Figure labels: balances 4 and 1; 5 (Alice, Bob), 4 (Alice), 1 (Bob); 1 (Bob) with y; x]
      After time the transaction cannot be published anymore on the blockchain
      With knowledge of x, Bob can “open” + publish the transaction on the blockchain for enforcing the payment

  26. Hashtime Lock Contract (HTLC)
      [Figure labels: balances 4 and 1; 5 (Alice, Bob), 4 (Alice), 1 (Bob); 1 (Bob) with y; x]
      After time the transaction cannot be published anymore on the blockchain
      With knowledge of x, Bob can “open” + publish the transaction on the blockchain for enforcing the payment
      HTLC (Alice, Bob, 1, y, ): Alice pays Bob 1 BTC iff Bob shows some x such that H(x) = y before

  27. HTLC for Multi-hop Payments
      [Figure: Alice, Bob, Carol with channel balances; x; y := H(x)]

  28. HTLC for Multi-hop Payments
      [Figure: Alice, Bob, Carol with channel balances; x; y := H(x); y]

  29. HTLC for Multi-hop Payments
      [Figure: Alice, Bob, Carol with channel balances; x; y := H(x); y]
      HTLC(Alice, Bob, 1.1, y, t)

  30. HTLC for Multi-hop Payments
      [Figure: Alice, Bob, Carol with channel balances; x; y := H(x); y]
      HTLC(Alice, Bob, 1.1, y, t)
      HTLC(Bob, Carol, 1, y, t’)

  31. HTLC for Multi-hop Payments
      [Figure: Alice, Bob, Carol with channel balances; y := H(x); y; x shown twice]
      HTLC(Alice, Bob, 1.1, y, t)
      HTLC(Bob, Carol, 1, y, t’)

  32. HTLC for Multi-hop Payments
      [Figure: Alice, Bob, Carol with channel balances; y := H(x); y; x shown three times]
      HTLC(Alice, Bob, 1.1, y, t)
      HTLC(Bob, Carol, 1, y, t’)

  33. HTLC for Multi-hop Payments
      [Figure: Alice, Bob, Carol with channel balances; y := H(x); y; x shown three times]
      HTLC(Alice, Bob, 1.1, y, t)
      HTLC(Bob, Carol, 1, y, t’)
      Requirement: t > t’ (after Carol revealed x to Bob, there must still be time for Bob to reveal x to Alice)

  34. Take home...
      [Figure: Alice, Bob, Carol with channel balances; y := H(x); HTLC(Alice, Bob, 1.1, y, t); HTLC(Bob, Carol, 1, y, t’)]
      HTLC (Alice, Bob, 1.1, y, t): Alice pays Bob 1.1 BTC iff Bob shows some x such that H(x) = y before t days
      ‣ Lightning Network & Co allow us to perform payments offchain
        • fast, no confirmation delay
        • low fees
        • minimal information stored on the blockchain
        • secure and privacy-preserving (at a first glance...)
      ‣ The blockchain is used only to mediate disputes...cool!

  35. Security + Privacy in PCNs
      Are off-chain payments in PCNs secure? (No honest participant loses money)
      Are off-chain payments in PCNs privacy-preserving by default? (individual payments are not recorded on the blockchain)

  36. Security + Privacy in PCNs
      Are off-chain payments in PCNs secure? (No honest participant loses money) NO!
      Are off-chain payments in PCNs privacy-preserving by default? (individual payments are not recorded on the blockchain) NO!

  37. Security and Privacy Issues in Existing PCNs
      ACM CCS 2017, NDSS 2019

  38. Security Issue: The Wormhole Attack
      [Figure: path A, E1, B, E2, C; y := H(x); x shown once]
      HTLC(A, E1, 1.3, y, t1), HTLC(E1, B, 1.2, y, t2), HTLC(B, E2, 1.1, y, t3), HTLC(E2, C, 1, y, t4)

  39. Security Issue: The Wormhole Attack
      [Figure: path A, E1, B, E2, C; y := H(x); x shown twice]
      HTLC(A, E1, 1.3, y, t1), HTLC(E1, B, 1.2, y, t2), HTLC(B, E2, 1.1, y, t3), HTLC(E2, C, 1, y, t4)

  40. Security Issue: The Wormhole Attack
      [Figure: path A, E1, B, E2, C; y := H(x); x shown three times]
      HTLC(A, E1, 1.3, y, t1), HTLC(E1, B, 1.2, y, t2), HTLC(B, E2, 1.1, y, t3), HTLC(E2, C, 1, y, t4)

  41. Security Issue: The Wormhole Attack
      [Figure: path A, E1, B, E2, C; y := H(x); x shown four times]
      HTLC(A, E1, 1.3, y, t1), HTLC(E1, B, 1.2, y, t2), HTLC(B, E2, 1.1, y, t3), HTLC(E2, C, 1, y, t4)

  42. Security Issue: The Wormhole Attack
      [Figure: path A, E1, B, E2, C; y := H(x); x shown four times]
      HTLC(A, E1, 1.3, y, t1), HTLC(E1, B, 1.2, y, t2), HTLC(B, E2, 1.1, y, t3), HTLC(E2, C, 1, y, t4)
      B considers the payment to be failed and unlocks his funds after the timeout
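
Added example (not part of the original slides): a Python sketch of the two-hop HTLC payment from slides 27 to 33, showing the checks an intermediary makes before forwarding and what Bob loses when the requirement t > t’ is violated. SHA-256 as H, amounts in units of 0.001 BTC, abstract time units, and all function and variable names are assumptions of this sketch.

```python
import hashlib
from dataclasses import dataclass

def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()  # hash choice is an assumption of this sketch

@dataclass
class HTLC:
    payer: str
    payee: str
    amount: int    # units of 0.001 BTC, to keep arithmetic exact
    y: bytes       # hash lock
    timeout: int   # abstract time units

    def claimable(self, x: bytes, now: int) -> bool:
        # The payee is paid iff it shows x with H(x) = y before the timeout.
        return H(x) == self.y and now < self.timeout

def validate_path(path):
    """Checks an intermediary makes before forwarding; returns a list of problems."""
    problems = []
    for inc, out in zip(path, path[1:]):
        if inc.y != out.y:
            problems.append(f"{inc.payee}: hash locks differ")
        if inc.timeout <= out.timeout:
            problems.append(f"{inc.payee}: requirement t > t' violated")
        if inc.amount < out.amount:
            problems.append(f"{inc.payee}: forwards more than it receives")
    return problems

def settle(path, x, reveal_time, hop_delay=1):
    """The receiver shows x at reveal_time; each upstream hop learns x hop_delay
    later. Returns the net balance change of every party that moved funds."""
    delta, now = {}, reveal_time
    for h in reversed(path):
        if not h.claimable(x, now):
            break  # this HTLC and all upstream ones expire; payers are refunded
        delta[h.payer] = delta.get(h.payer, 0) - h.amount
        delta[h.payee] = delta.get(h.payee, 0) + h.amount
        now += hop_delay
    return delta

X = b"constructed preimage"  # constructed sample secret held by Carol
Y = H(X)
GOOD = [HTLC("Alice", "Bob", 1100, Y, 20), HTLC("Bob", "Carol", 1000, Y, 10)]
BAD = [HTLC("Alice", "Bob", 1100, Y, 10), HTLC("Bob", "Carol", 1000, Y, 10)]

if __name__ == "__main__":
    for name, path in (("t > t'", GOOD), ("t == t'", BAD)):
        print(name, validate_path(path), settle(path, X, reveal_time=9))
```

With equal timeouts, Carol can reveal x at the last moment, so Bob pays 1 BTC downstream and can no longer claim the 1.1 BTC from Alice.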
