ETH Zurich – Distributed Computing – www.disco.ethz.ch

Zeta Avarikioti

Payment Channels Designing Secure Watchtowers

Can cryptocurrencies scale?

7 tx/s 20 tx/s 65.000 tx/s

Payment Channels

Payment Channels

Payment Channels

Alice 5btc

Bob 4btc

Funding transaction

1

1

Payment Channels

Alice 5btc

Bob 4btc

1

1

5 4

Funding transaction

Payment Channels

Alice 5btc

Bob 4btc

1

1

5 4

Alice 2btc

Bob 7btc

2

2

2 7

Funding transaction Alice sends 3btc

Payment Channels

8 1

Alice 5btc

Bob 4btc

1

1

5 4

Alice 2btc

Bob 7btc

2

2

Alice 8btc

Bob 1btc

3

3

2 7

Funding transaction Bob sends 6btcAlice sends 3btc

Payment Network

Funding CommitmentDispute period

Lightning Channels

Revocation

Funding CommitmentDispute period

Attack

Funding CommitmentDispute period

Watchtowers

Revocation

Why be a Watchtower?

Assuming rational parties and watchtowers…

- Will a party commit fraud?

- Will a watchtower get paid?

- Will a party commit fraud?

- Will a watchtower get paid?

- Will a party commit fraud? ...

Why be a Watchtower?

Watchtowers → Parties ↓

Active Inactive

Fraud

No Fraud

Why be a Watchtower?

Premiums

Watchtowers → Parties ↓

Active Inactive

Fraud

No Fraud

Why be a Watchtower?

Collateral

Why be an active Watchtower?

➔ UTXO-based (Unspent Transaction Output)

➔ Transaction: consumes & produces UTXOs

➔ Multi-signatures: σAB

➔ Timelocks: Δt

Bitcoin

a

σB

ai

ai+1

bi+1

a

b

(σA⋀Δt)⋁σABCommitment(1)Published by A

Funding

On-chain

Commitment (i)Published by A

Commitment (i+1)Published by A

Revocation

Published by B, W

σAB

#σA

#σB

b

a+b

(σA⋀Δt)⋁σAB

σB

(σA⋀Δt)⋁σAB

σB

ai

σAB

bi

σB

Lightning Channels

a

σBW

#σWc

ai

bi

ai+1

bi+1

a

b

(σA⋀Δt)⋁σAWCommitment(1)Published by A

Funding

On-chain

Collateral

On-chain

Commitment (i)Published by A

Commitment (i+1)Published by A

Revocation

Published by B, W

Penalty 1

Published by B

Reclaim

Published by W

σAB

#σA

#σB

b

a+b

σBW

(σA⋀Δt)⋁σAW

σBW

(σA⋀Δt)⋁σAW

σB

ai +bi

σB

c +bi

σBW

c

σAW

Cerberus Channels

σW

c

a

(σB ⋀ Δt)⋁σBW

#σWc

ai

bi

ai+1

bi+1

a

b

(σA⋀Δt)⋁σAWCommitment(1)Published by A

Funding

On-chain

Collateral

On-chain

Commitment (i)Published by A

Commitment (i+1)Published by A

Revocation

Published by B, W

Penalty 1

Published by B

Reclaim

Published by W

σAB

#σA

#σB

b

a+b

(σA⋀Δt)⋁σAW

(σA⋀Δt)⋁σAW

σB

ai +bi

σB

c +bi

σBW

c

σAW

(σB⋀Δt)⋁σBW

(σB⋀Δt)⋁σBW

σB⋀Δt

σBW

Cerberus Channels

σW

c

a

σB⋀Δt

(σW⋀ΔΤ)⋁σBW

(σB ⋀ Δt)⋁σBW

#σWc

ai

bi

ai+1

bi+1

a

b

c

(σA⋀Δt)⋁σAWCommitment(1)Published by A

Funding

On-chain

Collateral

On-chain

Commitment (i)Published by A

Commitment (i+1)Published by A

Revocation

Published by B, W

Penalty 1

Published by B

Penalty 2

Published by B

Reclaim

Published by W

σAB

#σA

#σB

b

a+b

(σB⋀Δt)⋁σBW

(σA⋀Δt)⋁σAW

(σB⋀Δt)⋁σBW

(σA⋀Δt)⋁σAW

σB

ai +bi

σB

c +bi

σB

c +bi

σBW

c

σBW

σB⋀Δt

σBW

σAW

Cerberus Channels

[Avarikioti, Tyfronitis-Litos, Wattenhofer. Cerberus Channels: Incentivizing Watchtowers for Bitcoin.]

Fundamentals of Channels

Funding CommitmentDispute period

Fundamentals of Channels

Funding CommitmentDispute period

➔ Eclipse➔ Censor➔ Congestion

Fundamentals of Channels

Time = CryptoMoney!

Time = CryptoMoney!

Asynchronou

s channels?

Be proactive, not reactive

Funding CloseSignatures of Alice & Bob ORSignatures of ⅔ WT & (Alice or Bob)

Be proactive, not reactive

1) Consensus is costly

2) Privacy is important

3) Incentives are critical

Challenges

➔ O(n) communication complexity for state updates

➔ Verification of consensus between Alice & Bob

➔ No liveness guarantees, if Alice & Bob both misbehave

➔ Consensus needed only for closing, if there is a dispute

Consistent Broadcast

H( )

H( )

➔ Privacy preserving

➔ Alice/Bob cannot publish a previous transaction

H( )

Encrypted State

H( )

(1) Update

H( )(2) Consistent Broadcast

(2) Consistent Broadcast

(3) Execute

(3) Execute

H( )

Brick Architecture

➔ Unilateral channel for fees:Repeated game lifts fair exchange impossibility

➔ Collateral for anti-bribing:Reduction to fair-exchangeWT Committee size ↑ → per WT collateral ↓

Incentives

➔ Asynchronous channels

➔ Security even under L1 failure

➔ Privacy

➔ Incentive-compatible

➔ Embarrassingly parallel

➔ Linear communication

[Avarikioti, Kokoris-Kogias, Wattenhofer. Brick: Asynchronous State Channels.]

Brick Advantages

Thank you!

Questions?

ETH Zurich – Distributed Computing Group – www.disco.ethz.ch

➔ Avarikioti, Tyfronitis-Litos, Wattenhofer. Cerberus Channels: Incentivizing Watchtowers for Bitcoin. Financial Cryptography and Data Security 2020.

➔ Avarikioti, Kokoris-Kogias, Wattenhofer. Brick: Asynchronous State Channels.