s p
play

S & P SECURITY & PRIVACY GROUP Challenges and - PowerPoint PPT Presentation

Feb 19, 2024 •415 likes •1.27k views

FAKULTT FR !NFORMATIK Faculty of Informatics S & P SECURITY & PRIVACY GROUP Challenges and Cryptographic Solutions with Payment-Channel Networks Pedro Moreno-Sanchez RWC20 New York, Jan 10 th 2020 @pedrorechez Scalability

  1. FAKULTÄT FÜR !NFORMATIK Faculty of Informatics S & P SECURITY & PRIVACY GROUP Challenges and Cryptographic Solutions with Payment-Channel Networks Pedro Moreno-Sanchez RWC’20 New York, Jan 10 th 2020 @pedrorechez

  2. Scalability Issues ‣ Decentralized data structure recording each transaction in order to provide public verifiability ‣ Global consensus: everyone checks the whole blockchain Bitcoin’s transaction rate: ~10 tx/sec Visa’s transaction rate: ~10K tx/sec 2

  3. Scalability Solutions? ‣ On-chain (tweak consensus) e.g., DAG Blockchain, sharding, ... ‣ Off-chain (use blockchain only for disputes) e.g., Payment Channel Networks Lightning Network Raiden Network (Bitcoin) (Ethereum) Many other research projects (Bolt, Z-Channels, Perun, Liquidity Network, Plasma, COMIT ...) 3

  4. Scalability Solutions? ‣ On-chain (tweak consensus) e.g., DAG Blockchain, sharding, ... ‣ Off-chain (use blockchain only for disputes) e.g., Payment Channel Networks Lightning Network Raiden Network (Bitcoin) (Ethereum) Many other research projects (Bolt, Z-Channels, Perun, Liquidity Network, Plasma, COMIT ...) 3

  5. Background on Payment Channel Networks 4

  6. Payment Channels: Open 5 1 Alice Bob Blockchain 5

  7. Payment Channels: Open Multisig Contract 5 1 Can be spent only with the signatures of both Alice and Bob 5 (Alice,Bob) 5 (Alice) Alice Bob Alice Blockchain ‣ Alice creates multisig contract to deposit money on the channel 5

  8. Payment Channels: Open Multisig Contract 5 1 Can be spent only with the signatures of both Alice and Bob 5 (Alice,Bob) 5 (Alice) Alice Bob Alice 5 (Alice) 5 (Alice,Bob) Alice,Bob Blockchain ‣ Alice creates multisig contract to deposit money on the channel ‣ Alice lets Bob sign a refund transaction to unlock the money 5

  9. Payment Channels: Open 5 1 Alice Bob 5 (Alice) 5 (Alice,Bob) Alice,Bob Blockchain ‣ Alice creates multisig contract to deposit money on the channel 5 (Alice,Bob) ‣ Alice lets Bob sign a refund 5 (Alice) transaction to unlock the money ‣ Alice places the multisig contract Alice onchain 6

  10. Payment Channels: Transactions 4 1 4 (Alice) 5 (Alice, Bob) Alice 1 (Bob) Bob Alice ?? Bob Blockchain 5 (Alice,Bob) 5 (Alice) Alice 7

  11. Payment Channels: Transactions 3 2 3 (Alice) 3 (Alice) 5 (Alice, Bob) 5 (Alice, Bob) Alice 2 (Bob) Bob 2 (Bob) Alice ?? Bob Alice ?? Bob Under the hood Mechanisms for bidirectional payments and for revocation of old states Blockchain 5 (Alice,Bob) 5 (Alice) Alice 8

  12. Payment Channels: Close Alice Bob Blockchain 5 (Alice,Bob) 3 (Alice) 5 (Alice, Bob) 5 (Alice) 2 (Bob) Alice Alice,Bob

  13. Payment Channel Networks (PCNs) 3 4 1 2 Alice Bob Carol Send 1 BTC to Carol One cannot open channels with everyone... exploit channel paths! ⇒ 10

  14. Payment Channel Networks (PCNs) 3 4 1 2 Alice Bob Carol Send 1 BTC to Carol 3 2 3 2 Alice Bob Carol 1. Send 1 BTC 10

  15. Payment Channel Networks (PCNs) 3 4 1 2 Alice Bob Carol Send 1 BTC to Carol 3 2 3 2 Alice Bob Carol 1. Send 1 BTC 2 1 4 3 Alice Bob Carol 2. Forward 1 BTC to Carol 10

  16. Payment Channel Networks (PCNs) 3 4 1 2 Alice Bob Carol Send 1 BTC to Carol Should happen atomically 3 2 3 2 Alice Bob Carol 1. Send 1 BTC 2 1 4 3 Alice Bob Carol 2. Forward 1 BTC to Carol 10

  17. The Lightning Network (LN) 11

  18. Hashtime Lock Contract (HTLC) 4 1 5 4 (Alice) 4 (Alice) 5 (Alice, Bob) 5 (Alice, Bob) Alice 1 (Bob) Bob 1 (Bob) y Alice ?? Bob Alice ?? Bob 12

  19. Hashtime Lock Contract (HTLC) 1 4 4 1 5 4 (Alice) 4 (Alice) 5 (Alice, Bob) 5 (Alice, Bob) Alice 1 (Bob) Bob y 1 (Bob) y Alice ?? Bob Alice ?? Bob x With knowledge of x , Bob can “open” + publish the transaction on the blockchain for enforcing the payment 12

  20. Hashtime Lock Contract (HTLC) 1 4 4 1 5 4 (Alice) 4 (Alice) 5 (Alice, Bob) 5 (Alice, Bob) Alice 1 (Bob) Bob y 1 (Bob) y Alice ?? Bob Alice ?? Bob x After time the transaction cannot be published anymore on the blockchain With knowledge of x , Bob can “open” + publish the transaction on the blockchain for enforcing the payment 12

  21. Hashtime Lock Contract (HTLC) 1 4 4 1 5 4 (Alice) 4 (Alice) 5 (Alice, Bob) 5 (Alice, Bob) Alice 1 (Bob) Bob y 1 (Bob) y Alice ?? Bob Alice ?? Bob x After time the transaction cannot be published anymore on the blockchain With knowledge of x , Bob can HTLC (Alice, Bob, 1, y, ): “open” + publish the Alice pays Bob 1 BTC iff Bob shows some transaction on the blockchain x such that H(x) = y before for enforcing the payment 12

  22. HTLC for Multi-hop Payments 2 2 3 3 Alice Bob Carol x y:= H(x) 13

  23. HTLC for Multi-hop Payments y 2 2 3 3 Alice Bob Carol x y:= H(x) 13

  24. HTLC for Multi-hop Payments y HTLC(Alice, Bob, 1.1, y, t) 2 2 3 3 3 0.9 1.1 Alice Bob Carol x 1 y:= H(x) 13

  25. HTLC for Multi-hop Payments y HTLC(Alice, Bob, 1.1, y, t) HTLC(Bob, Carol, 1, y, t’) 2 2 2 2 3 3 3 1 0.9 1.1 Alice Bob Carol x 1 y:= H(x) 13

  26. HTLC for Multi-hop Payments y HTLC(Alice, Bob, 1.1, y, t) HTLC(Bob, Carol, 1, y, t’) 2 2 2 2 3 3 2 3 1 3 0.9 1.1 Alice Bob Carol x x 1 y:= H(x) 13

  27. HTLC for Multi-hop Payments y HTLC(Alice, Bob, 1.1, y, t) HTLC(Bob, Carol, 1, y, t’) 2 2 2 2 4.1 3 3 2 3 1 3 0.9 0.9 1.1 Alice Bob Carol x x x 1 y:= H(x) 13

  28. HTLC for Multi-hop Payments Requirement: t > t’ (after Carol revealed x to Bob, there y must still be time for Bob to reveal x to Alice) HTLC(Alice, Bob, 1.1, y, t) HTLC(Bob, Carol, 1, y, t’) 2 2 2 2 4.1 3 3 2 3 1 3 0.9 0.9 1.1 Alice Bob Carol x x x 1 y:= H(x) 13

  29. HTLC for Multi-hop Payments Requirement: t > t’ Requirement: 1.1 = 1 + fee (after Carol revealed x to Bob, there y (Alice forwards payment amount plus must still be time for Bob to reveal x fee for the intermediaries) to Alice) HTLC(Alice, Bob, 1.1, y, t) HTLC(Bob, Carol, 1, y, t’) 2 2 2 2 4.1 3 3 2 3 1 3 0.9 0.9 1.1 Alice Bob Carol x x x 1 y:= H(x) 13

  30. LN: Take Home y HTLC(Alice, Bob, 1.1, y, t) HTLC(Bob, Carol, 1, y, t’) HTLC (Alice, Bob, 1.1, y, t): Alice pays Bob 1.1 BTC iff Bob shows some 0. 0.9 1 4.1 3 3 2 1 3 2 2 2 2 3 x such that H(x) = y before t days Alice Bob Carol x x x 1 y:= H(x) ‣ Lightning Network work allow us to perform payments offchain • fast, no confirmation delay • little fees • secure and privacy-preserving (at a first glance...) 14

  31. Security + Privacy in PCNs Are off-chain payments in PCNs secure? (No honest participant looses money) Are off-chain payments in PCNs privacy-preserving by default? (individual payments are not recorded on the blockchain) 15

  32. Security + Privacy in PCNs Are off-chain payments in PCNs secure? (No honest participant looses money) NO! Are off-chain payments in PCNs privacy-preserving by default? (individual payments are not recorded on the blockchain) NO! 15

  33. Security and Privacy Challenges in Existing PCNs ACM CCS 2017 NDSS 2019 16

  34. Security Issue: The Wormhole Attack HTLC(A, E 1 ,1.3,y, t 1 ) HTLC(E 1 , B,1.2,y, t 2 ) HTLC(B, E 2 ,1.1,y, t 3 ) HTLC(E 2 , C,1,y, t 4 ) A E 1 B E 2 C x y:= H(x) 17

  35. Security Issue: The Wormhole Attack HTLC(A, E 1 ,1.3,y, t 1 ) HTLC(E 1 , B,1.2,y, t 2 ) HTLC(B, E 2 ,1.1,y, t 3 ) HTLC(E 2 , C,1,y, t 4 ) A E 1 B E 2 C x x y:= H(x) 17

  36. Security Issue: The Wormhole Attack HTLC(A, E 1 ,1.3,y, t 1 ) HTLC(E 1 , B,1.2,y, t 2 ) HTLC(B, E 2 ,1.1,y, t 3 ) HTLC(E 2 , C,1,y, t 4 ) A E 1 B E 2 C x x x y:= H(x) 17

  37. Security Issue: The Wormhole Attack HTLC(A, E 1 ,1.3,y, t 1 ) HTLC(E 1 , B,1.2,y, t 2 ) HTLC(B, E 2 ,1.1,y, t 3 ) HTLC(E 2 , C,1,y, t 4 ) A E 1 B E 2 C x x x x y:= H(x) 17

  38. Security Issue: The Wormhole Attack B considers the payment to be failed and unlocks his funds after the timeout HTLC(A, E 1 ,1.3,y, t 1 ) HTLC(E 1 , B,1.2,y, t 2 ) HTLC(B, E 2 ,1.1,y, t 3 ) HTLC(E 2 , C,1,y, t 4 ) A E 1 B E 2 C x x x x y:= H(x) 17

  39. Security Issue: The Wormhole Attack B considers the payment to be failed and unlocks his funds after the timeout HTLC(A, E 1 ,1.3,y, t 1 ) HTLC(E 1 , B,1.2,y, t 2 ) HTLC(B, E 2 ,1.1,y, t 3 ) HTLC(E 2 , C,1,y, t 4 ) A E 1 B E 2 C x x x x y:= H(x) gets 1.3 (no pays 1 (no payment to B) payment from B) Attacker earns 0.3 BTC (own fees + B’s fee) 17

  40. Security Issue: The Wormhole Attack B considers the payment to be failed and unlocks his funds after the timeout HTLC(A, E 1 ,1.3,y, t 1 ) HTLC(E 1 , B,1.2,y, t 2 ) HTLC(B, E 2 ,1.1,y, t 3 ) HTLC(E 2 , C,1,y, t 4 ) A E 1 B E 2 C x x x x y:= H(x) gets 1.3 (no pays 1 (no payment to B) payment from B) Attacker earns 0.3 BTC (own fees + B’s fee) Bob funds are locked (preventing the use in other payments) Bob cannot blame the adversary 17

  41. Privacy Issues in HTLC Payments HTLC(A,E 1 ,v 1 , y ,t 1 ) HTLC(E 2 ,C,v 4 , y ,t 4 ) HTLC(E 1 ,B,v 2 , y ,t 2 ) HTLC(B,E 2 ,v 3 , y ,t 3 ) A C E 1 B E 2 HTLC(E 1 ,B,v 2 , y’ ,t 2 ) HTLC(B,E 2, v 3 , y’ ,t 3 ) HTLC(E 2 ,C,v 4 , y’ ,t 4 ) HTLC(A,E 1 ,v 1 , y’ ,t 1 ) A’ C’ Relationship Anonymity : On-path adversaries do not learn who pays to whom 18

Recommend

More recommend