API tools faq
paste
Guest User

Untitled

a guest
Feb 4th, 2019
222
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 6.98 KB | None | 0 0
raw download clone embed print report
  1. # Privacy-preserving Multi-hop Locks for Blockchain Scalability and Interoperability
  2. ## Speaker: Pedro Monero-Sanchez
  3.  
  4. * Payment channels are a widely pursued layer 2 scaling solution
  5. - But they only solve for bidirectional payments (between the two parties who open the channel)
  6. * What if we build a payment channel network?
  7. - Naive solution—every pair of parties (N^2) opens a channel with each other
  8. - But then we need to lock up an exorbitant amount of capital in all these channels
  9. - Instead, let's open a few channels for each party
  10. - And rely on *other* intermediary channels to reach the intended receiver
  11. - This is the core idea of all payment channel networks
  12. - Ex:
  13. - Bitcoin: Lightning network, c-lightning, Eclair
  14. - Ethereum: Raiden
  15. - Zcash: Bolt
  16. - And eventually each blockchain might need a similar network for payments scalability
  17. * Security in payment channel network
  18. - "Balance security"
  19. - Honest users should not lose coins in an off-chain payment
  20. - Security tool:
  21. - We use hash-time lock contracts (HTLCs), which are payments that are conditioned on revealing the preimage to a hash function
  22. - We do multihop payment by chaining these HTLCs
  23. - (this is the core of the Lightning Network)
  24. - E.g., if you're routing a payment from A -> B -> C
  25. - C comes up with an `H(x) = y`
  26. - C communicates her hash, `y`, to A
  27. - A sends a payment to B with an HTLC that will be released given the preimage of `y`
  28. - B sends a payment to C with an HTLC that will be released given the preimage of `y` as well
  29. - (Note: A must send more than B sends, since A needs to pay B a small routing fee)
  30. - C reveals `x`, which unlocks her payment from B
  31. - B, seeing that `x`, also reveals on his own HTLC which releases the payment from A
  32. - Note: HTLCs have a timeout in case C goes offline or full payment route is not found
  33. * Novel "Wormhole Attack"
  34. - Idea: exclude intermediate honest users from successful completion
  35. - Consequence: Adversary can steal routing fees from honest users
  36. - E.g., imagine a long payment chain of A -> M -> B -> M -> C
  37. - M controls two links in the payment chain, sandwiching B
  38. - Imagine routing fees are A, 1.3 -> M, 1.2 -> C, 1.1 -> M, 1.0 -> C
  39. - When M gets the preimage `x` from C, he can report to B (the guy stuck in the middle) that the payment failed...
  40. - This cancels the 1.2 payment to B and the 1.1 payment from B...
  41. - But M then reports to A, in the first hop, that the payment succeeded!
  42. - Thus he receives 1.3 from A and only paid out 1 to C, despite only routing for two hops (gets 50% more routing fees than he should)
  43. - This attack is caused by each hop having the same preimage
  44. - This might seem unimportant, but fees are the key incentive behind payment channel networks!
  45. - The more intermediaries, the more profitable this attack
  46. * Privacy in payment channel networks
  47. - What we want is "Relationship anonymity"
  48. - I.e., the adversary cannot tell who is paying to whom
  49. - If an adversary has channels open with end users, this property is trivially broken
  50. - Just look and see if payment from A -> M -> ... -> M -> C has the same HTLC hash
  51. * Other practical considerations
  52. - Scalability issues
  53. - Need two keys to define a deposit (i.e., which channel?)
  54. - Payment condition + signatures required onchain
  55. - Privacy issues
  56. - All pairwise users who are sharing a channel are revealed onchain
  57. - Interoperability
  58. - Chain needs support for whatever specific hash function you're using in the reveal game
  59. * Summary of current payment channel networks
  60. - They're a cool idea, but have a long way to go
  61. - Security is mediocre (see wormhole attack)
  62. - Privacy is nonexistent
  63. - Can not only snoop on transactions by routing payments...
  64. - But payment identities are incentivized to be long-lived
  65. - And are all payment channels are registered on-chain with addresses in the clear
  66. - Interoperability requires all networks to use the same hash function to interoperate
  67. - The TX sizes are large
  68. - Need two keys and an HTLC script for each channel
  69. * How can we improve this state of affairs?
  70. - Improve usage of signatures
  71. - 2-party ECDSA Signing (Lindell '17)
  72. - Jointly compute a signature on a txn
  73. - Requires knowledge of both `sk_A` and `sk_B`
  74. - Can be publicly verified using `pk_AB`
  75. - `pk_AB := (pk_A * pk_B) * G`
  76. - Now a channel opening only requires 1 key, not 2
  77. - Save some bytes!
  78. - But wait, there's more...
  79. - What if we encode the *conditions* (HTLC) in the signature itself?
  80. - Scriptless Scripts! (SS-Schnorr)
  81. - Technique originally proposed by Andrew Poelstra
  82. - "Encode" payment condition within the Schnorr signatures
  83. - Unfortunately, Schnorr is not used yet in many cryptocurrencies
  84. - In their paper:
  85. - Show how to encode similar scripts into ECDSA
  86. - Provide formal description and security analysis
  87. - Scriptless scripts based on ECDSA are compatible with Bitcoin today!
  88. * How to do Scriptless Scripts with ECDSA?
  89. - Was previously an open problem
  90. - Main challenge is the signature structure:
  91. - Schnorr: `r + sk * m`
  92. - Where `m` is script
  93. - Easy linear combination of two signatures:
  94. - `(r1 + r2) + (sk1 + sk2) * m`
  95. - ECDSA: `r^-1 * Rx * sk + r^-1 * m`
  96. - Complex combination of two signatures:
  97. - `(r1^-1 * r2^-2 * Rx * sk1 * sk2) + (r1^-1 * r2^-2) * m`
  98. - wut
  99. - Requires interaction between the users
  100. - Requires inverse, x coordinate of a point, and multiplicative shares of the secret key
  101. - A bit more complicated than Schnorr
  102. - See the paper for details & analysis
  103. * How does it work?
  104. - Given A sending a payment to B, and a condition C (condition will be defined by a public & private key)
  105. - First, A and B create `pk_AB` and combine randomness, `R := (pk_C, r_A, r_B)`
  106. - B sends his "1/3 signature" to A
  107. - A sends his "1/3 signature" to B
  108. - When B learns the `sk_C`, he puts together the whole signature
  109. - And now this signature can be used to close the channel on the blockchain
  110. - In essence, the first two stages are the lock, and learning `sk_C` is the release phase
  111. - Note that when you make multiple chained ECDSA payments, because the conditions are all different, each of the signatures / "locks" are different and look randomized
  112. - This gives you security (no chain of identical hash preimages)
  113. - And privacy! Routes look random except to sender & recipient
  114. * Summary
  115. - Can be extended to arbitrary number of hops
  116. - Compatible with Bitcoin
  117. - Lightning devs are currently implementing & testing this protocol
  118. - Security is better, only one secret per user & no routing attacks!
  119. - Solves the wormhole attack
  120. - Privacy is better, randomized conditions per hop!
  121. - Interoperability is better, only ECDSA required!
  122. - Can also be combined with multiple signature types along different hops
  123. - Transaction sizes are smaller!
  124. - Condition & keys are compressed into only one key
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!