Security, Privacy and Interoperability in Payment-Channel Networks
Pedro Moreno-Sanchez (@pedrorechez)
Joint work with Giulio Malavolta, Clara Schneidewind, Aniket Kate (@aniketpkate), Matteo Maffei (@matteo_maffei)
Faculty of Informatics, Security & Privacy Group

Permissionless Blockchains Scalability Issue
‣ Low transaction rate (~10 transactions per second)
‣ Fast growth in Bitcoin transactions
‣ Scalability approaches:
• On-chain (layer 1) sharding
• Off-chain (layer 2) payment channels [The focus of our work]

Payment Channels
[Figure: Alice and Bob]

Payment Channels: Open
[Figure: on the blockchain, a transaction with signature label ALICE moves Alice: 5 into the deposit (Alice, Bob): 5]

Payment Channels: Pay
[Figure: off-chain, the deposit (Alice, Bob): 5 is split into Alice: 4, Bob: 1]

Payment Channels: Pay
[Figure: off-chain, the split of the deposit (Alice, Bob): 5 is updated to Alice: 3, Bob: 2]

Payment Channels: Close
[Figure: the transaction splitting (Alice, Bob): 5 into Alice: 3, Bob: 2, with signature labels ALICE and BOB, is placed on the blockchain]

Payment-Channel Networks (PCN)
‣ Each payment channel requires locking coins in the deposit
• Impractical to open a channel with every other user
‣ Open a few channels
• Rely on other channels to reach the intended receiver
[Figure: Alice, Bob, Cat; labels "1 BTC to Bob", "1 BTC to Bob"]

Current PCN (Proposals)
‣ Bitcoin and Altcoins:
• Lightning network, c-lightning, Eclair
‣ Ethereum:
• Raiden Network
‣ Eventually, every blockchain might need a scalability solution

What is our group’s research about in PCN?

Our Research
‣ Formally describe notions of interest for PCNs in the Universal Composability framework:
• Security, privacy, concurrency
‣ Analyze whether current PCNs achieve them
• e.g., we showed an inherent tradeoff between privacy and concurrency
‣ Provide cryptographic constructions with formal security and privacy guarantees

Security in PCNs

Security Notion
‣ Balance security: Honest users do not lose coins in a multi-hop payment
[Figure: Alice, Bob, Cat; labels △ = 10, △ < 10, Pr < negl]

Security and HTLC
‣ Balance security: Honest users do not lose coins in a payment
‣ Security tool: Hash-Time Lock Contract (HTLC): Payment conditioned on revealing the pre-image of a hash function
HTLC(Alice, Bob, 1, y, t)
[Figure: Alice and Bob; the deposit (Alice, Bob): 5 is split into Alice: 4, Bob: 1 under the condition y = H(??)]

The Lightning Network: Setup
‣ Multiple “chained” HTLCs allow multi-hop payments in the presence of malicious intermediaries
[Figure: Alice, Bob, Cat; labels x : H(x) = y and y]

The Lightning Network: Lock
HTLC(Alice, Bob, 1.1, y, t) HTLC(Bob, Cat, 1, y, t’)
[Figure label: Transaction fee]

The Lightning Network: Release
[Figure: Alice, Bob, Cat; labels X, X]

A Novel Wormhole Attack
‣ Idea: Exclude intermediate honest users from successful completion.
‣ Consequence: Adversary steals fees from honest users.
[Figure: path Alice, Adversary, Bob, Adversary, Cat]
HTLC(Alice, Adv, 1.3, y, t1)
HTLC(Adv, Bob, 1.2, y, t2)
HTLC(Bob, Adv, 1.1, y, t3)
HTLC(Adv, Cat, 1, y, t4)
[Figure: two X marks and the label “Payment Failed”]
Adversary gains 0.3 coins (0.2 fees + Bob’s fee)

The Wormhole Attack: Discussion
‣ Same condition along the path enables this attack
‣ More intermediaries, more benefit
‣ Fees are the basis of PCNs. Thus, an attack on fees is important
‣ Intermediary (Bob) believes payment is unsuccessful
[Figure: path Alice, Adversary, Bob, Adversary, Cat]
HTLC(Alice, Adv, 1.3, y, t1) HTLC(Adv, Bob, 1.2, y, t2)
HTLC(Bob, Adv, 1.1, y, t3) HTLC(Adv, Cat, 1, y, t4)
[Figure: two X marks and the label “Payment Failed”]
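
The fee accounting behind the wormhole attack, as an added Python example that is not from the talk. It assumes SHA-256 for H and constructed numeric timeouts, and compares an honest release, the wormhole release and a plain failed payment on the slide's four HTLCs.

```python
import hashlib
from fractions import Fraction

class HTLC:
    """Payment from payer to payee, claimable with a preimage of y before the timeout."""
    def __init__(self, payer, payee, amount, y, timeout):
        self.payer, self.payee = payer, payee
        self.amount, self.y, self.timeout = Fraction(amount), y, timeout
        self.state = "locked"

    def claim(self, x):
        if self.state == "locked" and hashlib.sha256(x).digest() == self.y:
            self.state = "claimed"
        return self.state == "claimed"

    def expire(self):
        if self.state == "locked":
            self.state = "refunded"  # coins go back to the payer

def lock_path(y):
    # Amounts are the slide's; the numeric timeouts (t1 > t2 > t3 > t4) are constructed.
    return [HTLC("Alice", "Adv", "1.3", y, 40),
            HTLC("Adv", "Bob", "1.2", y, 30),
            HTLC("Bob", "Adv", "1.1", y, 20),
            HTLC("Adv", "Cat", "1", y, 10)]

def honest_release(path, x):
    for h in reversed(path):  # x travels back hop by hop
        h.claim(x)

def wormhole_release(path, x):
    path[3].claim(x)          # Cat reveals x to the colluder next to her
    path[0].claim(x)          # same y on every hop: x also opens the first lock
    for h in path[1:3]:
        h.expire()            # both HTLCs touching Bob simply time out

def failed_release(path, x):
    for h in path:            # nobody learns x; every HTLC times out
        h.expire()

def balances(path):
    net = {}
    for h in path:
        for who in (h.payer, h.payee):
            net.setdefault(who, Fraction(0))
        if h.state == "claimed":
            net[h.payer] -= h.amount
            net[h.payee] += h.amount
    return net

def bob_view(path):
    """States of the HTLCs Bob is a party to, which is all Bob can observe."""
    return [h.state for h in path if "Bob" in (h.payer, h.payee)]

def run(release):
    x = b"constructed preimage held by Cat"
    path = lock_path(hashlib.sha256(x).digest())
    release(path, x)
    return balances(path), bob_view(path)

if __name__ == "__main__":
    for release in (honest_release, wormhole_release, failed_release):
        net, view = run(release)
        print(release.__name__, {k: str(v) for k, v in net.items()}, view)
```

Bob's view is identical in the wormhole and failed cases, while Alice and Cat both see a completed payment.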

What about privacy?

Privacy Notion
‣ Relationship Anonymity: The adversary cannot tell who is paying to whom
[Figure: Alice, Bob, Cat; “pays to” relations in two scenarios related by ≈]

Privacy in PCNs
‣ Relationship Anonymity: The adversary cannot tell who is paying to whom
[Figure: Bob in the middle; endpoints Alice, Cat and Alice’, Cat’]
HTLC(Alice, Adv, 1.3, y) HTLC(Adv, Bob, 1.2, y) HTLC(Bob, Adv, 1.1, y) HTLC(Adv, Cat, 1, y)
HTLC(Alice, Adv, 1.3, y’) HTLC(Adv, Bob, 1.2, y’) HTLC(Bob, Adv, 1.1, y’) HTLC(Adv, Cat, 1, y’)
Problem: The same condition is used in the complete path!

Other Practical Considerations
‣ Scalability issues:
• Two keys to define the deposit
• Payment condition + signatures required
‣ Privacy issues:
• Users sharing a channel revealed
‣ Interoperability
• Support for specific hash function required
[Figure: the deposit (Alice, Bob): 5 is split into Alice: 4, Bob: 1 under the condition y = H(??)]

Summary Current PCN
Current PCN:
‣ Security: Wormhole Attack
‣ Privacy: Who pays to whom
‣ Interoperability / Compatibility: Specific hash function
‣ Reduced Tx Size: Two keys; HTLC script

What can we do with the signatures?

2-party ECDSA Signing [Lindell17]
[Figure: Alice with (pkA, skA), Bob with (pkB, skB)]
‣ Jointly compute a signature σ on a transaction
‣ It requires the knowledge of both skA and skB
‣ It can be publicly verified using pkAB := (skA * skB) * G

ECDSA: 2-party channel
Open Channel
• Current: pkA: 5 → (pkA, pkB): 5
• SS-ECDSA: pkA: 5 → pkAB: 5
Off-chain Payment
• Current: (pkA, pkB): 5 → pkA: 3, pkB: 2
• SS-ECDSA: pkAB: 5 → pkA: 3, pkB: 2
[Figure: each transaction carries the signature label ALICE]

What if we encode the conditions in the signatures themselves?

Scriptless Scripts (Schnorr)
‣ Original idea proposed by Andrew Poelstra
‣ “Encode” payment condition within the Schnorr signatures
‣ In our work: formal description and analysis
‣ Unfortunately, Schnorr is not used in many cryptocurrencies today

Scriptless Scripts (SS-ECDSA)
‣ Was an open problem before our work
‣ Main challenge is the signature structure: No longer a linear combination
• Schnorr signature: (r_1 + r_2) + (k_1 + k_2) * m
• ECDSA signature: (r_1^{-1} * r_2^{-1}) * R_x * (k_1 * k_2) + (r_1^{-1} * r_2^{-1}) * m
− Requires inverse, x coordinate of an elliptic curve point and multiplicative shares of the key k = k_1 * k_2
‣ In our work: formal description and analysis

2-party ECDSA Conditional Signing
[Figure: Alice with (pkA, skA), Bob with (pkB, skB); Condition: (pkC)]
Goals:
‣ Alice can create a “half-signature” that Bob can finish only with skC
‣ If Bob creates a signature, Alice learns skC

2-party ECDSA Conditional Signing
[Figure: Alice with (pkA, skA), Bob with (pkB, skB); Condition: (pkC); phase labels LOCK and RELEASE]
• Create pkAB and combine randomness R := (pkC, rA, rB)
• Send “1/3-signature” σB
• Send “1/3-signature” σA
• Learn skC
• Send whole signature: σ := σA * σB * σC
• Compute σC := σ * (σB)^-1 * (σA)^-1
• Retrieve skC from σC

ECDSA-based PCN: Setup
‣ Multiple “chained” ECDSA conditional payments allow multi-hop payments in the presence of malicious intermediaries
[Figure: Alice, Bob, Cat]
(skD, pkD := skD * G)
(skE, pkE := skE * G)
pkDE := pkD + pkE
Bob: pkD, pkDE, skE
Cat: pkDE, skDE

ECDSA-based PCN: Lock
LOCK(Alice, Bob, 1.1, pkD, t) LOCK(Bob, Cat, 1, pkDE, t’)
[Figure: Alice, Bob, Cat; labels skE, skDE]
Randomized conditions in the path: Security and Privacy

ECDSA-based PCN: Release
[Figure: Alice, Bob, Cat; labels skDE, skD, skE, skDE]

ECDSA-based PCN: Discussion
‣ It can be extended to an arbitrary number of hops
‣ It reduces transaction size for conditional payments
[Figure: a transaction with signature label ALICE splits pkAB: 5 into pkA: 4, pkABC: 1]
‣ Evaluation: <500 bytes communication. Few ms computation
‣ Improves interoperability. Useful for other applications (e.g., atomic swaps and cross-chain payments)
‣ Compatible with Bitcoin

Summary Current ECDSA
ECDSA-based PCN (compared with Current PCN):
‣ Security: One secret per user
‣ Privacy: Randomized conditions
‣ Interoperability / Compatibility: Only ECDSA required
‣ Reduced Tx Size: Condition in one key

Summary
‣ More in the paper:
• One-way homomorphic functions suffice for multi-hop locks in full script setting
• Possible to combine OWH-Schnorr-ECDSA locks in the same path
• Security and privacy modelled and proven in the Universal Composability Framework → Composability guarantees
‣ Multi-hop locks implemented in the Lightning Network
‣ It enables a plethora of applications (e.g., atomic swaps and cross-chain payments)