
S & P SECURITY & PRIVACY GROUP Security and Privacy for - PowerPoint PPT Presentation

FAKULTÄT FÜR !NFORMATIK Faculty of Informatics S & P SECURITY & PRIVACY GROUP Security and Privacy for Payment Channel Networks Pedro Moreno-Sanchez Blockchain Summer School BDLT’19 Vienna, Sep 2nd 2019 Blockchain Research


  1. FAKULTÄT FÜR !NFORMATIK Faculty of Informatics S & P SECURITY & PRIVACY GROUP Security and Privacy for Payment Channel Networks Pedro Moreno-Sanchez Blockchain Summer School BDLT’19 Vienna, Sep 2nd 2019

  2. Blockchain Research Lab: Highlights
     • CoinShuffle: privacy-preserving protocol for blockchain payments, implemented in several cryptocurrency wallets
     • AMHL: first solution for security, privacy and interoperability issues with blockchain scalability protocols. Implemented in LND (current Bitcoin scalability protocol), KZen Network and COMIT Network
     • DLSAG: first scalability protocol with formal guarantees for the Monero cryptocurrency. Under discussion in the Monero community for adoption.
     • Lots of work on:
       • Security verification and safe design of smart contracts
       • Privacy-preserving routing mechanisms
       • Constant collateral for Bitcoin-compatible PCNs

  3. Blockchain Research Lab: Collaborations C. Schneidewind E. Tairi I. Grischchenko M. Maffei 3


  5. Blockchain Research Lab: Collaborations C. Schneidewind E. Tairi I. Grischchenko M. Maffei C. Egger G. Malavolta I. Goldberg A. Kate S. Roos A. Gervais 3

  6. Scalability Issues
     ‣ Decentralized data structure recording each transaction in order to provide public verifiability
     ‣ Global consensus: everyone checks the whole blockchain
     Bitcoin’s transaction rate: ~10 tx/sec
     Visa’s transaction rate: ~10K tx/sec

  7. Scalability Solutions?
     ‣ On-chain (tweak consensus), e.g., DAG Blockchain, sharding, ...
     ‣ Off-chain (use blockchain only for disputes), e.g., Payment Channel Networks: Lightning Network (Bitcoin), Raiden Network (Ethereum)
     Many other research projects (Bolt, Z-Channels, Perun, Liquidity Network ...)


  9. Background on Payment Channel Networks 6

  10. Payment Channels: Open 5 1 Alice Bob Blockchain 7

  11. Payment Channels: Open
      Multisig Contract: can be spent only with the signatures of both Alice and Bob
      ‣ Alice creates multisig contract to deposit money on the channel
      Diagram labels: 5 1 Alice Bob; 5 (Alice,Bob) 5 (Alice) Alice; Blockchain

  12. Payment Channels: Open
      Multisig Contract: can be spent only with the signatures of both Alice and Bob
      ‣ Alice creates multisig contract to deposit money on the channel
      ‣ Alice lets Bob sign a refund transaction to unlock the money
      Diagram labels: 5 1 Alice Bob; 5 (Alice,Bob) 5 (Alice) Alice; 5 (Alice) 5 (Alice,Bob) Alice,Bob; Blockchain

  13. Payment Channels: Open
      ‣ Alice creates multisig contract to deposit money on the channel
      ‣ Alice lets Bob sign a refund transaction to unlock the money
      ‣ Alice places the multisig contract onchain
      Diagram labels: 5 1 Alice Bob; 5 (Alice) 5 (Alice,Bob) Alice,Bob; 5 (Alice,Bob) 5 (Alice) Alice; Blockchain

  14. Payment Channels: Transactions 4 1 4 (Alice) 5 (Alice, Bob) Alice 1 (Bob) Bob Alice ?? Bob Blockchain 5 (Alice,Bob) 5 (Alice) Alice 9

  15. Payment Channels: Transactions
      Under the hood: mechanisms for bidirectional payments and for revocation of old states
      Diagram labels: 3 2 3 (Alice) 3 (Alice) 5 (Alice, Bob) 5 (Alice, Bob) Alice 2 (Bob) Bob 2 (Bob) Alice ?? Bob Alice ?? Bob; Blockchain 5 (Alice,Bob) 5 (Alice) Alice

  16. Payment Channels: Close Alice Bob Blockchain 5 (Alice,Bob) 3 (Alice) 5 (Alice, Bob) 5 (Alice) 2 (Bob) Alice Alice,Bob

  17. Payment Channel Networks (PCNs)
      One cannot open channels with everyone... ⇒ exploit channel paths!
      Diagram labels: 3 4 1 2 Alice Bob Carol; Send 1 BTC to Carol

  18. Payment Channel Networks (PCNs) 3 4 1 2 Alice Bob Carol Send 1 BTC to Carol 3 2 3 2 Alice Bob Carol 1. Send 1 BTC 12

  19. Payment Channel Networks (PCNs) 3 4 1 2 Alice Bob Carol Send 1 BTC to Carol 3 2 3 2 Alice Bob Carol 1. Send 1 BTC 3 1 4 2 Alice Bob Carol 2. Forward 1 BTC to Carol 12

  20. Payment Channel Networks (PCNs) 3 4 1 2 Alice Bob Carol Send 1 BTC to Carol Should happen atomically 3 2 3 2 Alice Bob Carol 1. Send 1 BTC 3 1 4 2 Alice Bob Carol 2. Forward 1 BTC to Carol 12

  21. Payment Channel Networks (PCNs)
      Send 1 BTC to Carol
      Should happen atomically
      1. Send 1 BTC + fee to Bob
      2. Forward 1 BTC to Carol
      Fee acts as an incentive for Bob to participate in the payment
      Diagram labels: 3 4 1 2 Alice Bob Carol; 3 3-fee 2 3 2 2 Alice Bob Carol; 3-fee 3 2 1 4 2 Alice Bob Carol

  22. The Lightning Network (LN) 13

  23. Hashtime Lock Contract (HTLC) 4 1 5 4 (Alice) 4 (Alice) 5 (Alice, Bob) 5 (Alice, Bob) Alice 1 (Bob) Bob 1 (Bob) y Alice ?? Bob Alice ?? Bob 14

  24. Hashtime Lock Contract (HTLC) 1 4 4 1 5 4 (Alice) 4 (Alice) 5 (Alice, Bob) 5 (Alice, Bob) Alice 1 (Bob) Bob y 1 (Bob) y Alice ?? Bob Alice ?? Bob x With knowledge of x , Bob can “open” + publish the transaction on the blockchain for enforcing the payment 14

  25. Hashtime Lock Contract (HTLC) 1 4 4 1 5 4 (Alice) 4 (Alice) 5 (Alice, Bob) 5 (Alice, Bob) Alice 1 (Bob) Bob y 1 (Bob) y Alice ?? Bob Alice ?? Bob x After time the transaction cannot be published anymore on the blockchain With knowledge of x , Bob can “open” + publish the transaction on the blockchain for enforcing the payment 14

  26. Hashtime Lock Contract (HTLC)
      HTLC (Alice, Bob, 1, y, ): Alice pays Bob 1 BTC iff Bob shows some x such that H(x) = y before
      With knowledge of x, Bob can “open” + publish the transaction on the blockchain for enforcing the payment
      After time the transaction cannot be published anymore on the blockchain
      Diagram labels: 1 4 4 1 5 4 (Alice) 4 (Alice) 5 (Alice, Bob) 5 (Alice, Bob) Alice 1 (Bob) Bob y 1 (Bob) y Alice ?? Bob Alice ?? Bob x

  27. HTLC for Multi-hop Payments 2 2 3 3 Alice Bob Carol x y:= H(x) 15

  28. HTLC for Multi-hop Payments y 2 2 3 3 Alice Bob Carol x y:= H(x) 15

  29. HTLC for Multi-hop Payments y HTLC(Alice, Bob, 1.1, y, t) 2 2 3 3 3 0.9 1.1 Alice Bob Carol x 1 y:= H(x) 15

  30. HTLC for Multi-hop Payments y HTLC(Alice, Bob, 1.1, y, t) HTLC(Bob, Carol, 1, y, t’) 2 2 2 2 3 3 3 1 0.9 1.1 Alice Bob Carol x 1 y:= H(x) 15

  31. HTLC for Multi-hop Payments y HTLC(Alice, Bob, 1.1, y, t) HTLC(Bob, Carol, 1, y, t’) 2 2 2 2 3 3 2 3 1 3 0.9 1.1 Alice Bob Carol x x 1 y:= H(x) 15

  32. HTLC for Multi-hop Payments y HTLC(Alice, Bob, 1.1, y, t) HTLC(Bob, Carol, 1, y, t’) 2 2 2 2 4.1 3 3 2 3 1 3 0.9 0.9 1.1 Alice Bob Carol x x x 1 y:= H(x) 15

  33. HTLC for Multi-hop Payments
      Requirement: t > t’ (after Carol revealed x to Bob, there must still be time for Bob to reveal x to Alice)
      HTLC(Alice, Bob, 1.1, y, t) HTLC(Bob, Carol, 1, y, t’)
      Diagram labels: y 2 2 2 2 4.1 3 3 2 3 1 3 0.9 0.9 1.1 Alice Bob Carol x x x 1 y:= H(x)

  34. Take home...
      HTLC (Alice, Bob, 1.1, y, t): Alice pays Bob 1.1 BTC iff Bob shows some x such that H(x) = y before t days
      ‣ Lightning Network & Co. allow us to perform payments offchain
        • fast, no confirmation delay
        • little fees
        • minimal information stored on the blockchain
        • secure and privacy-preserving (at a first glance...)
      ‣ The blockchain is used only to mediate disputes...cool!
      Diagram labels: y HTLC(Alice, Bob, 1.1, y, t) HTLC(Bob, Carol, 1, y, t’) 0. 0.9 1 4.1 3 1 3 2 2 2 3 2 2 3 Alice Bob Carol x x x 1 y:= H(x)

  35. Security + Privacy in PCNs
      Are off-chain payments in PCNs secure? (No honest participant loses money)
      Are off-chain payments in PCNs privacy-preserving by default? (Individual payments are not recorded on the blockchain)

  36. Security + Privacy in PCNs
      Are off-chain payments in PCNs secure? (No honest participant loses money) NO!
      Are off-chain payments in PCNs privacy-preserving by default? (Individual payments are not recorded on the blockchain) NO!

  37. Security and Privacy Issues in Existing PCNs ACM CCS 2017 NDSS 2019 18

  38. Security Issue: The Wormhole Attack
      HTLC(A, E1, 1.3, y, t1) HTLC(E1, B, 1.2, y, t2) HTLC(B, E2, 1.1, y, t3) HTLC(E2, C, 1, y, t4)
      Diagram labels: A E1 B E2 C x y:= H(x)

  39. Security Issue: The Wormhole Attack
      HTLC(A, E1, 1.3, y, t1) HTLC(E1, B, 1.2, y, t2) HTLC(B, E2, 1.1, y, t3) HTLC(E2, C, 1, y, t4)
      Diagram labels: A E1 B E2 C x x y:= H(x)

  40. Security Issue: The Wormhole Attack
      HTLC(A, E1, 1.3, y, t1) HTLC(E1, B, 1.2, y, t2) HTLC(B, E2, 1.1, y, t3) HTLC(E2, C, 1, y, t4)
      Diagram labels: A E1 B E2 C x x x y:= H(x)

  41. Security Issue: The Wormhole Attack
      HTLC(A, E1, 1.3, y, t1) HTLC(E1, B, 1.2, y, t2) HTLC(B, E2, 1.1, y, t3) HTLC(E2, C, 1, y, t4)
      Diagram labels: A E1 B E2 C x x x x y:= H(x)

  42. Security Issue: The Wormhole Attack
      B considers the payment to be failed and unlocks his funds after the timeout
      HTLC(A, E1, 1.3, y, t1) HTLC(E1, B, 1.2, y, t2) HTLC(B, E2, 1.1, y, t3) HTLC(E2, C, 1, y, t4)
      Diagram labels: A E1 B E2 C x x x x y:= H(x)
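
Added example (not part of the original slides): a Python model of the HTLC chain from slides 27-34 and 38-42. It checks the t > t’ requirement and compares each party's net balance change when x is revealed on every hop with the slide 42 outcome, where B never learns x and both of its contracts expire. The timeout values, the integer unit of 0.1 BTC and the names `build_route`, `settle` and `bypassed` are assumptions of this example.

```python
import hashlib
from dataclasses import dataclass

def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()

@dataclass
class HTLC:
    payer: str
    payee: str
    amount: int          # in units of 0.1 BTC so the arithmetic stays exact
    y: bytes             # hash lock, y = H(x)
    timeout: int         # abstract time units (constructed values)
    claimed: bool = False

    def claim(self, x: bytes, now: int) -> bool:
        """Payee is paid iff it shows x with H(x) == y before the timeout."""
        if H(x) == self.y and now < self.timeout:
            self.claimed = True
        return self.claimed

def timelocks_ok(route) -> bool:
    """t > t' on every pair of consecutive hops (slide 33)."""
    return all(a.timeout > b.timeout for a, b in zip(route, route[1:]))

def build_route(y: bytes):
    # Amounts from slides 38-42 (1.3, 1.2, 1.1, 1 BTC); timeouts are assumed.
    hops = [("A", "E1", 13, 40), ("E1", "B", 12, 30),
            ("B", "E2", 11, 20), ("E2", "C", 10, 10)]
    return [HTLC(p, q, amt, y, t) for p, q, amt, t in hops]

def settle(route, x: bytes, bypassed=None) -> dict:
    """Reveal x hop by hop from the receiver back to the sender.

    HTLCs touching `bypassed` are never claimed: that party never learns x,
    so both of its contracts expire and refund (the slide 42 outcome).
    Returns each party's net balance change.
    """
    net = {}
    for now, h in enumerate(reversed(route)):
        net.setdefault(h.payer, 0)
        net.setdefault(h.payee, 0)
        if bypassed not in (h.payer, h.payee) and h.claim(x, now):
            net[h.payer] -= h.amount
            net[h.payee] += h.amount
    return net

x = b"constructed-preimage"          # receiver's secret (sample value)
honest = settle(build_route(H(x)), x)
skipped = settle(build_route(H(x)), x, bypassed="B")
```

In the second run E1 and E2 together gain 3 units (0.3 BTC) instead of 2, and B earns no fee although it locked funds for the route.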
